After OBTS 8.0
Introduction
This post is not the usual Byte Architect post. Everything must start somewhere, and we all hate steep initial curves. Better off starting gently.
So this is the story of a lovely week in Ibiza, at the Objective By The Sea 8.0 (website) conference. It has been a great experience, and I definitely look forward to attending next year’s edition.
Context
A few months ago I finally decided to attend Objective By The Sea, regarded as the most important, truly independent Apple Security conference. This time it would be in Ibiza.
Now, I never felt the charm of the hippie subculture, and the temples of the music I love are definitely not in the Balearics. Long story short, I had never been to Ibiza before. Never felt attracted by it. I told myself “Why not? After all, it’s been like four years since I took any time off”.
So off I went. I flew with jet2 (jet2.com): despite the very aggressive price, a great service. Kudos! Also, Ibiza airport is neat. Tidy, well organised. As soon as you land, you immediately feel the party atmosphere: DJs’ posters and ads take the place that in other airports is taken by landscape pictures. I wondered what would happen if I went to a church - instead of devotional images, would I find David Guetta ones?
Thirty minutes of taxi, and you get to Santa Eulalia’s Melia Hotel. A little jewel on the coast. Breathtaking sights, warm welcoming staff. All great, really!
As I arrived a bit too early to check in, I dropped off my luggage and headed downtown to grab something to eat. Had some great fish. Back to the hotel pool, since my course would start the next day.
The (main?) course
My primary goal was to take a course held by Patrick Wardle: “The Art of Mac Malware: Detection & Analysis”. For those who don’t know who Patrick is—well, it’s a long story (all Apple Security people have long stories to tell, indeed), but think of it this way: if Apple Security has rockstars, Patrick would definitely be one of them.
The course is based on his books “The Art of Mac Malware”. The synopsis can be found here, whilst the books are freely accessible online here. But don’t be a scrooge—buy the books, FFS!
Let me preface this: I am not a malware analyst. I’m a (good?) reverse engineer who doesn’t believe too much in himself and doesn’t take himself too seriously. Thing is: malware is software. I can “spipple” software, therefore I can “spipple” malware. (Obviously, “to spipple” doesn’t exist in English. It’s a verb I forged from the Italian word “spippolare”, which doesn’t officially exist in my native language either, but it’s used pretty much to describe the compulsive action—sometimes mechanical, apparently useless—that in fact changes stuff. For the best, or the worst).
So, let’s spipple some malware!
I think that the value of a course goes far beyond the knowledge passed from teacher to student. That’s only techniques, and techniques can be learned in many ways. What Patrick gave me (or at least, what his approach transmitted) is curiosity for the topic, and ideas.
Ideas are the most precious things you can get from a course, as a student— but also as a teacher: if you’re able to sow new ideas in your students, you’ve gone far beyond the call of duty. And Patrick definitely did.
In this series of articles I will discuss some techniques and especially some ideas that came to life between a mojito and a caipirinha.
Usual disclaimers
There are three main types of security-related documents. Theoretical manuals: venerable and yet too abstract to be dangerous. Product documentation: dangerous for your nervous system, but potentially harmless. And what we can call “juicy stuff”: documents that teach you things for real. Now, I tend to write the latter.
But writing good things comes at a price: the world is full of idiots, and idiots with hacking techniques are like monkeys with hand grenades—dangerous for themselves, dangerous for the community. As if idiots weren’t enough, another scourge befalls us: the cybercriminals (or cybercriminal wannabes. We’ll show how macOS malware writers are—in a good share of cases—quite weak at coding.)
I always end up with this asymmetric dilemma: should I write working exploits or harmful code? If not, what should I give to the community?
This is nothing new—other people have undertaken this path and, like me, have been caught in this dilemma: giving working exploits and permitting the community to grow at the price of some risks, or talking high level, hoping that some enlightened minds understand?
Well, this is the asymmetry of security: as defenders, we need to cover the attack surface as much as we can. As attackers, it’s sufficient to find only one weak point and mount a precise attack targeting that point.
My position? I don’t want to give hand grenades to monkeys, and I am not paid enough to teach malware writers how to do their job, so I decided to approach this series of articles as follows:
- If the code I analyse is old, well known, already “contained”: I publish the parts almost in full
- If the community already knows how to mitigate or contain the threat: I publish the parts almost in full
- If I am dealing with something potentially dangerous but not critical: I publish the stuff, omitting the damaging part
- If there’s something really dangerous: I just describe the idea behind it. If you want to know more, get in touch with me. Try to circumvent my misanthropy.
Next
In the next article of this series, I’ll reverse-engineer our first malware sample, and I’ll give you the point of view from the exploit writer’s angle.
Want the deep dive?
If you’re a security researcher, incident responder, or part of a defensive team and you need the full technical details (labs, YARA sketches, telemetry tricks), email me at info@bytearchitect.io or DM me on X (@reveng3_org). I review legit requests personally and will share private analysis and artefacts to verified contacts only.
Prefer privacy-first contact? Tell me in the first message and I’ll share a PGP key.
Subscribe to The Byte Architect mailing list for release alerts and exclusive follow-ups.
Gabriel(e) Biondo
ByteArchitect · RevEng3 · Rusted Pieces · Sabbath Stones