-----

|arg|name|(for) objc_msgSend|
|---|---|---|
|0|RDI|class|
|1|RSI|method name|
|2|RDX|1st argument|
|3|RCX|2nd argument|
|4|R8|3rd argument|
|5|R9|4th argument|

-----

beginning a debugging session (see: "Gdb to LLDB Command Map")

|command|description|example|
|---|---|---|
|r|launch (run) the process||
|b|breakpoint on function|b system|
|br s -a|breakpoint on a memory address|br s -a 0x10001337|
|si/ni|step into/step over||
|po|print Objective-C object|po $rax|
|reg read|print all registers||

-----

DEMO (GATEKEEPER BYPASS)

-----

credits (images, resources)

- iconmonstr.com
- http://wirdou.com/2012/02/04/is-that-bad-doctor/
- thesafemac.com
- "Mac OS X & iOS Internals", Jonathan Levin
- http://researchcenter.paloaltonetworks.com/2015/09/more-details-on-the-xcodeghost-malwareand-affected-ios-apps/
- http://baesystemsai.blogspot.ch/2015/06/new-mac-os-malware-exploits-mackeeper.html
- http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf

-----