takingsoftwareapart

30 September 2008

Analysis of iTunes Antidebug and Parental Controls

Target: Apple iTunes 8.0.0.35
Filename: iTunes.exe
File MD5: 8b8ea6aff1e43b927e49228287f9711b

The antidebug features have not changed much since version 7.6.1.9. There are still three IsDebuggerPresent API calls, and one of them terminates iTunes if it detects a debugger. I still haven't figured out how the other two are reached. It also still checks for the presence of SoftICE by querying the registry.
Here is the section of code that terminates iTunes when a debugger is detected:

004FC80E |. 74 08 JE SHORT iTunes.004FC818
004FC810 |. 6A 00 PUSH 0 ; /ExitCode = 0
004FC812 |. FF15 C863E200 CALL DWORD PTR DS:[<&KERNEL32.ExitProces>; \ExitProcess
004FC818 |> 8935 E0AB0701 MOV DWORD PTR DS:[107ABE0],ESI
004FC81E |> 5E POP ESI
004FC81F \. C3 RETN

To get around this, change JE SHORT iTunes.004FC818 to JMP SHORT iTunes.004FC818 and save the file, or use an OllyDbg plugin that hides the debugger from this type of detection technique. It also looks like iTunes does not check whether it has been patched, since I was able to run the patched executable without trouble. While looking over iTunes to see what else I could do with it, I found a way to bypass the parental controls password check, although there is a catch (which I will explain later). Three jumps must be patched in order for this to work. My method is listed below so that others can reproduce it:

1. Search for the text "ParentalAuthDialog" and scroll down to the code shown below.
2. NOP out the JNZ SHORT after the two loops.
3. After TEST AL,AL, change JNZ to JMP.

00717240 |. 68 2CA3E700 PUSH iTunes2.00E7A32C ; UNICODE "ParentalAuthDialog"
00717245 |. E8 1660D0FF CALL iTunes2.0041D260
0071724A |. 83C4 0C ADD ESP,0C
0071724D |. 66:3D 6500 CMP AX,65
.
. Boring code edited out
.
.
007172C0 |> C600 00 /MOV BYTE PTR DS:[EAX],0 ; Loop Begin
007172C3 |. 83C0 01 |ADD EAX,1 ; Body
007172C6 |. 83E9 01 |SUB ECX,1 ; Body
007172C9 |.^75 F5 \JNZ SHORT iTunes2.007172C0 ; Loop Condition
.
.
007172D7 |> C600 00 /MOV BYTE PTR DS:[EAX],0 ; Loop Begin
007172DA |. 83C0 01 |ADD EAX,1 ; Body
007172DD |. 83E9 01 |SUB ECX,1 ; Body
007172E0 |.^75 F5 \JNZ SHORT iTunes2.007172D7 ; Loop Condition
007172E2 |. 3BF7 CMP ESI,EDI
007172E4 75 16 JNZ SHORT iTunes2.007172FC ; NOP out this line of code
.
.
.
007172F3 |. 84C0 TEST AL,AL
007172F5 75 2F JNZ SHORT iTunes2.00717326 ; Change JNZ to JMP

4. Search for the API "LogonUserW" and, after the CMP EAX,EBX instruction, change the JNZ to JMP. LogonUserW is documented on MSDN; it is interesting that the password appears here in plaintext.

0062FD05 . FF15 3060E200 CALL DWORD PTR DS:[<&ADVAPI32.LogonUserW>; ADVAPI32.LogonUserW
0062FD0B . 3BC3 CMP EAX,EBX
0062FD0D 75 2F JNZ SHORT iTunes2.0062FD3E ; Change JNZ to JMP
0062FD0F . FF15 D465E200 CALL DWORD PTR DS:[<&KERNEL32.GetLastErr>; [GetLastError

5. Save the file.
The MD5 hash I got for the patched file is 74721636e344bfe16d2a7860c82b7e7f.

To unlock the parental controls after the patch, type in an administrator account name and any password at all. Before the patch, one had to know the correct password to lock or unlock the parental controls.

CAVEAT - For this bypass to succeed, one needs access to an administrator account in order to replace the original executable in the iTunes folder (which may require social engineering). It also seems that the parental controls can only be bypassed while logged in with an account that has administrator privileges; I tried it from a limited account and it did not work. I may look into this later.
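Since iTunes does not verify its own integrity, the practical way for an administrator to spot a binary modified as described above is an external integrity check. As an added example (not code from the original post), the script below hashes a file in chunks and compares the result against the two MD5 digests given in this write-up, reporting whether it is the stock 8.0.0.35 executable, the known patched build, or something else; the function names are my own.

```python
import hashlib
import sys

# Digests taken from the post above: the stock iTunes 8.0.0.35 iTunes.exe
# and the build produced by the parental-controls patches described here.
KNOWN_DIGESTS = {
    "8b8ea6aff1e43b927e49228287f9711b": "original",
    "74721636e344bfe16d2a7860c82b7e7f": "patched",
}


def md5_of_chunks(chunks):
    """Return the hex MD5 of an iterable of byte chunks."""
    digest = hashlib.md5()
    for chunk in chunks:
        digest.update(chunk)
    return digest.hexdigest()


def md5_of_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a large executable is never
    loaded into memory all at once."""
    with open(path, "rb") as fh:
        return md5_of_chunks(iter(lambda: fh.read(chunk_size), b""))


def classify_digest(hexdigest):
    """Map an MD5 digest to 'original', 'patched' or 'unknown'.
    'unknown' covers any other version or any other modification."""
    return KNOWN_DIGESTS.get(hexdigest.lower(), "unknown")


def classify_itunes_binary(path):
    """Hash the file at `path` and return (digest, verdict)."""
    digest = md5_of_file(path)
    return digest, classify_digest(digest)


if __name__ == "__main__":
    # Usage: python check_itunes.py <path to iTunes.exe> [...]
    for arg in sys.argv[1:]:
        d, verdict = classify_itunes_binary(arg)
        print(f"{arg}: md5={d} verdict={verdict}")
```

An "unknown" verdict is not proof of tampering on its own, since any other iTunes version produces it too; it is the cue to compare against a trusted installer.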
