
frankpuccino

macrumors newbie
Original poster
Jul 24, 2010
Has anybody reverse engineered Little Snitch's .xpl file format?

I'm talking about the files:

~/Library/Application Support/Little Snitch/rules.usr.xpl
/Library/Application Support/Objective Development/Little Snitch/rules.xpl

Thanks,

Frank
Email: frankpuccino at hotmail.com
 
A hex dump strongly suggests a 16-byte header followed by binary-plist format.

A quick test removed the first 16 bytes (courtesy of Hex Fiend.app) and renamed it to plist. It then opened fine in Property List Editor. YMMV.

The 16-byte header could be anything: a hash of bplist data, a registration code, random obfuscation, etc. Its significance depends on what you intend to do with the xpl file.


For future reference, it would be best to attach the file you want identified to your post, rather than requiring a potential answerer to download and install a program. I did it this time because I was going to wipe the partition I installed it on anyway.
 
I didn't install the app, but inside "Little Snitch UIAgent.app" there is a factory.xpl which I assume contains the default values, so you could compare what your file is with that. The plist was generated via NSKeyedArchiver. See NSKeyedUnarchiver for reading the file. You may or may not need to implement a custom class depending on how the file was archived. Or it just might be using built-in objects (e.g. NSDictionary/NSArray).
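An added example (not code from the thread or from Objective Development) that checks the layout described in the two replies above: a 16-byte header, then a binary plist beginning with "bplist00", whose contents are an NSKeyedArchiver archive. It only reports what it finds, which is useful for verifying that a rules file still has the expected shape. The header length, the sample header bytes and the archive contents are constructed assumptions, not values from a real file.

```python
"""Inspect an .xpl blob: 16-byte header followed by a binary plist.
Constructed example; HEADER_LEN and the sample bytes are assumptions."""
import plistlib

HEADER_LEN = 16               # observed in the thread; assumed fixed here
BPLIST_MAGIC = b"bplist00"    # magic of Apple's binary plist format


def split_xpl(data: bytes):
    """Return (header, body), or raise if the layout does not match."""
    if len(data) < HEADER_LEN + len(BPLIST_MAGIC):
        raise ValueError("file too short to be header + bplist")
    header, body = data[:HEADER_LEN], data[HEADER_LEN:]
    if not body.startswith(BPLIST_MAGIC):
        raise ValueError("no bplist00 magic at offset %d" % HEADER_LEN)
    return header, body


def inspect_xpl(data: bytes) -> dict:
    """Summarise an .xpl blob without modifying it."""
    header, body = split_xpl(data)
    root = plistlib.loads(body)   # plistlib detects the binary format itself
    keyed = isinstance(root, dict) and root.get("$archiver") == "NSKeyedArchiver"
    return {
        "header_hex": header.hex(),
        "archiver": "NSKeyedArchiver" if keyed else "plain",
        "top_level_keys": sorted(root.keys()) if isinstance(root, dict) else [],
        "object_count": len(root.get("$objects", [])) if keyed else None,
    }


def build_sample_xpl() -> bytes:
    """Constructed sample: arbitrary 16-byte header + NSKeyedArchiver-shaped
    bplist. The header bytes are a placeholder, not a real header value."""
    archive = {
        "$version": 100000,
        "$archiver": "NSKeyedArchiver",
        "$top": {"root": plistlib.UID(1)},
        "$objects": ["$null", {"rules": plistlib.UID(2)}, ["example-rule"]],
    }
    body = plistlib.dumps(archive, fmt=plistlib.FMT_BINARY)
    header = bytes(range(HEADER_LEN))   # placeholder header (constructed)
    return header + body


if __name__ == "__main__":
    print(inspect_xpl(build_sample_xpl()))
```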
 
Oh yes, of course. I should have recognized the "bplist00."

I'll figure out how the first 4 bytes are computed.

Thanks chown33 and kainjow!

Frank
 
I'm sorry, but why is Little Snitch so special? I have a friend and I know that he has it running in the background all the time.
 
I'm sorry, but why is Little Snitch so special? I have a friend and I know that he has it running in the background all the time.

There's really nothing special about it, except that
a lot of Mac users use it to commit software piracy.

Frank
 
What company do you work for?

Has anybody reverse engineered Little Snitch's .xpl file format?

I'm talking about the files:

~/Library/Application Support/Little Snitch/rules.usr.xpl
/Library/Application Support/Objective Development/Little Snitch/rules.xpl

Thanks,

Frank
Email: frankpuccino at hotmail.com
 
Based on the intentions you've expressed in this thread, it appears you're trying to build in malware to your product.

There's really nothing special about it, except that
a lot of Mac users use it to commit software piracy.

People also use the terminal to crack software, perhaps you can engineer a way to block access to that as well...

There are many legitimate uses for LittleSnitch.
 
What company do you work for?

What company do you work for so that I know to avoid any of your malware based products? I certainly don't want my computer contaminated with whatever poorly thought out "hooks" you put in to my system.

I have little snitch installed specifically to AVOID malware and scammers. And you sound like a scammer. If you're not a scammer why don't you tell everybody what software company you work for?
 
Looking around I'd say he's probably (but I'm not 100% sure) up to no good.

lloyddean,

I work in computer security. I do penetration testing and
vulnerability assessments.

This Mac application I have to work on is just part-time,
contract stuff. The application I'm working on is
already installed on literally thousands of Mac
OS X machines. If we wanted to be up to
"no good", we wouldn't have any difficulty.

The problem is Mac users who are up to no good and
steal our software.

Frank
 
lloyddean,

I work in computer security. I do penetration testing and
vulnerability assessments.

This Mac application I have to work on is just part-time,
contract stuff. The application I'm working on is
already installed on literally thousands of Mac
OS X machines. If we wanted to be up to
"no good", we wouldn't have any difficulty.

The problem is Mac users who are up to no good and
steal our software.

Frank

It's interesting that you still haven't answered the question of what company you work for, nor have you identified the software that performs this clandestine change to Little Snitch's rules.

Since you're in the security business, surely you can appreciate the concept of full disclosure. I, for one, would not accept any app making clandestine changes to my security perimeter, regardless of who thinks it's a good idea, and regardless of what reason they give.

If you decline to identify the product or company on grounds of informing potential attackers, then that tells me your scheme is squarely in the "security by obscurity" realm. It will only be a matter of time until it's broken.

In the meantime, where are your guarantees that your clandestine changes haven't somehow created an exploitable hole that someone else could use to mount an attack?
 
You know... The folks behind Little Snitch have a forum at http://forums.obdev.at; you could probably get pointed in the right direction there. However, it seems they may be a step ahead of you.

http://forums.obdev.at/viewtopic.php?f=1&t=4755&sid=dc4ea813e98be0a1f5a1bf3d265964fb

The Little Snitch rules file is protected against external modifications. If such a modification is detected, you will get a warning message, asking if you want to accept these external changes.

Doing this kind of thing through the back door is always an arms race. If they don't want you to exploit their file format, they'll just change it in the next major revision to break your code. Or, as they have apparently already done, they will still leave it up to the user whether your rules will be activated or not.

B
 
lloyddean,

I work in computer security. I do penetration testing and
vulnerability assessments.

This Mac application I have to work on is just part-time,
contract stuff. The application I'm working on is
already installed on literally thousands of Mac
OS X machines. If we wanted to be up to
"no good", we wouldn't have any difficulty.

The problem is Mac users who are up to no good and
steal our software.

Frank


It is clear his company is already up to no good. There are plenty of good ways to encourage the average user to purchase your product without putting rootkits into your program. For example, Papers has a one-time validation process. Each serial number is stored on their server and can only be validated by one computer at a time. Sure, there are ways around that, but anybody willing to download cracked software won't care about whatever methods you try and implement; their cracked software will get around those too.

Overall, you are a hack and nothing more. There are millions of OS X computers out there, but your penetration rate is so low you only have thousands of users? Your problem isn't hackers, it is either: A) your program sucks and only suckers buy it; B) there are other programs that do what yours does but better; C) your company sucks at marketing. So don't go around installing rootkit-like crap on users' computers because you can't make a good, marketable product.
 