Little Snitch's .xpl file format

Discussion in 'Mac Programming' started by frankpuccino, Aug 12, 2010.

  1. frankpuccino macrumors newbie

    Joined:
    Jul 24, 2010
    #1
    Has anybody reverse engineered Little Snitch's .xpl file format?

    I'm talking about the files:

    ~/Library/Application Support/Little Snitch/rules.usr.xpl
    /Library/Application Support/Objective Development/Little Snitch/rules.xpl

    Thanks,

    Frank
    Email: frankpuccino at hotmail.com
     
  2. chown33 macrumors 604

    Joined:
    Aug 9, 2009
    #2
    A hex dump strongly suggests a 16-byte header followed by binary-plist format.

    A quick test removed the first 16 bytes (courtesy of Hex Fiend.app) and renamed it to plist. It then opened fine in Property List Editor. YMMV.

    The 16-byte header could be anything: a hash of bplist data, a registration code, random obfuscation, etc. Its significance depends on what you intend to do with the xpl file.


    For future reference, it would be best to attach the file you want identified to your post, rather than requiring a potential answerer to download and install a program. I did it this time because I was going to wipe the partition I installed it on anyway.
     
  3. kainjow Moderator emeritus

    kainjow

    Joined:
    Jun 15, 2000
    #3
    I didn't install the app, but inside "Little Snitch UIAgent.app" there is a factory.xpl which I assume contains the default values, so you could compare what your file is with that. The plist was generated via NSKeyedArchiver. See NSKeyedUnarchiver for reading the file. You may or may not need to implement a custom class depending on how the file was archived. Or it just might be using built-in objects (e.g. NSDictionary/NSArray).
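chown33's layout (16-byte header, then a binary plist) and kainjow's NSKeyedArchiver note, put together in an added Python example that is not from this thread or from Objective Development: it checks the layout, resolves the keyed-archive object references, and returns the decoded content, which is what you would want when auditing a rules file for unexpected changes. The sample file, its 16 zero-byte header and the rule it contains are constructed for the example; the real header's contents are unknown and are not reproduced.

```python
from plistlib import FMT_BINARY, UID, dumps, loads

HEADER_LEN = 16             # header size observed in the thread; its meaning is unknown
BPLIST_MAGIC = b"bplist00"  # binary property list signature

def split_xpl(data: bytes):  # -> (header, bplist_bytes); rejects any other layout
    header, body = data[:HEADER_LEN], data[HEADER_LEN:]
    if not body.startswith(BPLIST_MAGIC):
        raise ValueError("no bplist00 magic at offset 16; not the expected layout")
    return header, body

def unarchive(obj, objects):  # resolve NSKeyedArchiver UID refs (NSDictionary/NSArray/scalars)
    if isinstance(obj, UID):
        return unarchive(objects[obj.data], objects)
    if isinstance(obj, dict):
        cls = obj.get("$class")
        name = unarchive(cls, objects).get("$classname") if cls is not None else None
        if name in ("NSDictionary", "NSMutableDictionary"):
            keys = [unarchive(k, objects) for k in obj["NS.keys"]]
            vals = [unarchive(v, objects) for v in obj["NS.objects"]]
            return dict(zip(keys, vals))
        if name in ("NSArray", "NSMutableArray"):
            return [unarchive(v, objects) for v in obj["NS.objects"]]
        return {k: unarchive(v, objects) for k, v in obj.items() if k != "$class"}
    if isinstance(obj, list):
        return [unarchive(v, objects) for v in obj]
    return obj

def load_xpl(data: bytes):  # -> (header, decoded content); plain plists pass through
    header, body = split_xpl(data)
    plist = loads(body)
    if plist.get("$archiver") != "NSKeyedArchiver":
        return header, plist
    return header, {k: unarchive(v, plist["$objects"]) for k, v in plist["$top"].items()}

def build_sample() -> bytes:  # constructed stand-in, NOT a real rules file
    objects = [
        "$null",
        {"$class": UID(2), "NS.keys": [UID(3)], "NS.objects": [UID(4)]},  # root {"rules": [...]}
        {"$classname": "NSDictionary", "$classes": ["NSDictionary", "NSObject"]},
        "rules",
        {"$class": UID(5), "NS.objects": [UID(6)]},                        # rules array
        {"$classname": "NSArray", "$classes": ["NSArray", "NSObject"]},
        {"$class": UID(2), "NS.keys": [UID(7), UID(8)], "NS.objects": [UID(9), UID(10)]},
        "process", "action", "/Applications/Example.app", "deny",
    ]
    archive = {"$version": 100000, "$archiver": "NSKeyedArchiver",
               "$top": {"root": UID(1)}, "$objects": objects}
    # 16 zero bytes stand in for the unknown header; a real file's header is not reproduced here
    return b"\x00" * HEADER_LEN + dumps(archive, fmt=FMT_BINARY)
```

Hashing the body returned by split_xpl and comparing it against a known-good value is a simple way to notice when something other than Little Snitch itself has rewritten the rules.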
     
  4. frankpuccino thread starter macrumors newbie

    Joined:
    Jul 24, 2010
    #4
    Oh yes, of course. I should have recognized the "bplist00."

    I'll figure out how the first 4 bytes are computed.

    Thanks chown33 and kainjow!

    Frank
     
  5. kernkraft macrumors 68020

    kernkraft

    Joined:
    Jun 25, 2009
    #5
    I'm sorry, but why is Little Snitch so special? I have a friend and I know that he has it running in the background all the time.
     
  6. frankpuccino thread starter macrumors newbie

    Joined:
    Jul 24, 2010
    #6
    There's really nothing special about it, except that a lot of Mac users use it to commit software piracy.

    Frank
     
  7. klaxamazoo macrumors 6502

    Joined:
    Sep 8, 2006
    #7
    What company do you work for?

     
  8. GorillaPaws macrumors 6502a

    GorillaPaws

    Joined:
    Oct 26, 2003
    Location:
    Richmond, VA
    #8
    Based on the intentions you've expressed in this thread, it appears you're trying to build in malware to your product.

    People also use the terminal to crack software, perhaps you can engineer a way to block access to that as well...

    There are many legitimate uses for LittleSnitch.
     
  9. Cromulent macrumors 603

    Cromulent

    Joined:
    Oct 2, 2006
    Location:
    The Land of Hope and Glory
    #9
    A lot of software developers do stupid things to try and get around piracy. Basically writing malware into their applications in an attempt to "beat" the pirates. Don't be the next EA or Sony.
     
  10. klaxamazoo macrumors 6502

    Joined:
    Sep 8, 2006
    #10
    What company do you work for, so that I know to avoid any of your malware-based products? I certainly don't want my computer contaminated with whatever poorly thought out "hooks" you put into my system.

    I have Little Snitch installed specifically to AVOID malware and scammers. And you sound like a scammer. If you're not a scammer, why don't you tell everybody what software company you work for?
     
  11. lloyddean macrumors 6502a

    Joined:
    May 10, 2009
    Location:
    Des Moines, WA
    #11
    Looking around, I'd say he's probably (but I'm not 100% sure) up to no good.
     
  12. frankpuccino thread starter macrumors newbie

    Joined:
    Jul 24, 2010
    #12
    lloyddean,

    I work in computer security. I do penetration testing and vulnerability assessments.

    This Mac application I have to work on is just part-time, contract stuff. The application I'm working on is already installed on literally thousands of Mac OS X machines. If we wanted to be up to "no good", we wouldn't have any difficulty.

    The problem is Mac users who are up to no good and steal our software.

    Frank
     
  13. chown33 macrumors 604

    Joined:
    Aug 9, 2009
    #13
    It's interesting that you still haven't answered the question of what company you work for, nor have you identified the software that performs this clandestine change to Little Snitch's rules.

    Since you're in the security business, surely you can appreciate the concept of full disclosure. I, for one, would not accept any app making clandestine changes to my security perimeter, regardless of who thinks it's a good idea, and regardless of what reason they give.

    If you decline to identify the product or company on grounds of informing potential attackers, then that tells me your scheme is squarely in the "security by obscurity" realm. It will only be a matter of time until it's broken.

    In the meantime, where are your guarantees that your clandestine changes haven't somehow created an exploitable hole that someone else could use to mount an attack?
     
  14. GorillaPaws macrumors 6502a

    GorillaPaws

    Joined:
    Oct 26, 2003
    Location:
    Richmond, VA
    #14
    You don't work in the Root-kit department for Sony by any chance?
     
  15. balamw Moderator

    balamw

    Staff Member

    Joined:
    Aug 16, 2005
    Location:
    New England
    #15
    You know... The folks behind Little Snitch have a forum at http://forums.obdev.at; you could probably get pointed in the right direction there. However, it seems they may be a step ahead of you.

    http://forums.obdev.at/viewtopic.php?f=1&t=4755&sid=dc4ea813e98be0a1f5a1bf3d265964fb

    Doing this kind of thing through the back door is always an arms race. If they don't want you to exploit their file format, they'll just change it in the next major revision to break your code. Or, as they have apparently already done, they will still leave it up to the user whether your rules will be activated or not.

    B
     
  16. klaxamazoo macrumors 6502

    Joined:
    Sep 8, 2006
    #16
    It is clear his company is already up to no good. There are plenty of good ways to encourage the average user to purchase your product without putting rootkits into your program. For example, Papers has a one-time validation process. Each serial number is stored on their server and can only be validated by one computer at a time. Sure, there are ways around that, but anybody willing to download cracked software won't care about whatever methods you try to implement; their cracked software will get around those too.

    Overall, you are a hack and nothing more. There are millions of OS X computers out there, but your penetration rate is so low you only have thousands of users? Your problem isn't hackers, it is either: A) your program sucks and only suckers buy it; B) there are other programs that do what yours does but better; C) your company sucks at marketing. So don't go around installing rootkit-like crap on users' computers because you can't make a good, marketable product.
     
