The Mac® Hacker’s Handbook
Published by
Wiley Publishing, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com

Copyright 2009 by Wiley Publishing, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-0-470-39536-3

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1

Library of Congress Cataloging-in-Publication Data is available from the publisher.

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or
by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted
under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permis-
sion of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright
Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to
the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc.,
111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at
http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or war-
ranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all
warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be
created or extended by sales or promotional materials. The advice and strategies contained herein may not
be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in
rendering legal, accounting, or other professional services. If professional assistance is required, the services
of a competent professional person should be sought. Neither the publisher nor the author shall be liable for
damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation
and/or a potential source of further information does not mean that the author or the publisher endorses the
information the organization or Web site may provide or recommendations it may make. Further, readers
should be aware that Internet Web sites listed in this work may have changed or disappeared between when
this work was written and when it is read.

For general information on our other products and services please contact our Customer Care Department
within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc.
and/or its affiliates, in the United States and other countries, and may not be used without written permis-
sion. Mac is a registered trademark of Apple, Inc. All other trademarks are the property of their respective
owners. Wiley Publishing, Inc. is not associated with any product or vendor mentioned in this book.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not
be available in electronic books.
Contents

QuickTime
.mov
RTSP
Conclusion
References
Chapter 3 Attack Surface
Searching the Server Side
Nonstandard Listening Processes
Cutting into the Client Side
Safari
All of Safari’s Children
Safe File Types
Having Your Cake
Conclusion
References
Part II Discovering Vulnerabilities
Chapter 4 Tracing and Debugging
Pathetic ptrace
Good Ol’ GDB
DTrace
D Programming Language
Describing Probes
Example: Using Dtrace
Example: Using ltrace
Example: Instruction Tracer/Code-Coverage Monitor
Example: Memory Tracer
PyDbg
PyDbg Basics
Memory Searching
In-Memory Fuzzing
Binary Code Coverage with Pai Mei
iTunes Hates You
Conclusion
References
Chapter 5 Finding Bugs
Bug-Hunting Strategies
Old-School Source-Code Analysis
Getting to the Source
Code Coverage
CanSecWest 2008 Bug
vi + Changelog = Leopard 0-day
Apple’s Prerelease-Vulnerability Collection
Fuzz Fun
Network Fuzzing
File Fuzzing
Conclusion
References
Chapter 6 Reverse Engineering
Disassembly Oddities
EIP-Relative Data Addressing
Messed-Up Jump Tables
Identifying Missed Functions
Reversing Obj-C
Cleaning Up Obj-C
Shedding Light on objc_msgSend Calls
Case Study
Patching Binaries
Conclusion
References
Part III Exploitation
Chapter 7 Exploiting Stack Overflows
Stack Basics
Stack Usage on PowerPC
Stack Usage on x86
Smashing the Stack on PowerPC
Smashing the Stack on x86
Exploiting the x86 Nonexecutable Stack
Return into system()
Executing the Payload from the Heap
Finding Useful Instruction Sequences
PowerPC
x86
Conclusion
References
Chapter 8 Exploiting Heap Overflows
The Heap
The Scalable Zone Allocator
Regions
Freeing and Allocating Memory
Overwriting Heap Metadata
Arbitrary 4-Byte Overwrite
Large Arbitrary Memory Overwrite
Obtaining Code Execution
Taming the Heap with Feng Shui
Fill ’Er Up
Feng Shui
WebKit’s JavaScript
Case Study
Feng Shui Example
Heap Spray
References
Chapter 9 Exploit Payloads
Mac OS X Exploit Payload Development
Restoring Privileges
Forking a New Process
Executing a Shell
Encoders and Decoders
Staged Payload Execution
Payload Components
PowerPC Exploit Payloads
execve_binsh
system
decode_longxor
tcp_listen
tcp_connect
tcp_find
dup2_std_fds
vfork
Testing Simple Components
Putting Together Simple Payloads
Intel x86 Exploit Payloads
remote_execution_loop
inject_bundle
Testing Complex Components
Conclusion
References
Chapter 10 Real-World Exploits
QuickTime RTSP Content-Type Header Overflow
Triggering the Vulnerability
Exploitation on PowerPC
Exploitation on x86
mDNSResponder UPnP Location Header Overflow
Triggering the Vulnerability
Exploiting the Vulnerability
Exploiting on PowerPC
QuickTime QTJava toQTPointer() Memory Access
Exploiting toQTPointer()
Obtaining Code Execution
Conclusion
References
Part IV Post-Exploitation
Chapter 11 Injecting, Hooking, and Swizzling
Introduction to Mach
Mach Abstractions
Mach Security Model
Mach Exceptions
Mach Injection
Remote Threads
Remote Process Memory
Loading a Dynamic Library or Bundle
Inject-Bundle Usage
Example: iSight Photo Capture
Function Hooking
Example: SSLSpy
Objective-C Method Swizzling
Example: iChat Spy
Conclusion
References
Chapter 12 Rootkits
Kernel Extensions
Hello Kernel
System Calls
Hiding Files
Hiding the Rootkit
Maintaining Access across Reboots
Controlling the Rootkit
Creating the RPC Server
Injecting Kernel RPC Servers
Calling the Kernel RPC Server
Remote Access
Hardware-Virtualization Rootkits
Hyperjacking
Rootkit Hypervisor
Conclusion
References
Index
xii Foreword

with a Unix terminal a click away. Here was a box I could run Microsoft Office
on that came with Apache by default and still held full man pages. As I delved
into Applescript, plists, DMGs, and the other minutia of OS X, I was amazed
by the capabilities of the operating system, and the breadth and depth of tools
available.
But as I continued to switch completely over to Apple, especially after the
release of Intel Macs, my fingers started creeping around for those cracks at the
edges again. I wasn’t really worried about viruses, but, as a security professional,
I started wondering if this was by luck or design. I read the Apple documenta-
tion and realized fairly early that there wasn’t a lot of good information on how
OS X worked from a security standpoint, other than some configuration guides
and marketing material.
Mac security attitudes have changed a fair bit since I purchased that first
Mac Mini. As Macs increase in popularity, they face more scrutiny. Windows
switchers come with questions and habits, more security researchers use Macs
in their day-to-day work, the press is always looking to knock Apple down a
notch, and the bad guys won’t fail to pounce on any profitable opportunity. But
despite this growing attention, there are few resources for those who want to
educate themselves and better understand the inner workings of the operating
system on which they rely.
That’s why I was so excited when Dino first mentioned he and Charlie were
working on this book. Ripping into the inner guts of Mac OS X and finding
those edges to tear apart are the only ways to advance the security of the plat-
form. Regular programming books and system overviews just don’t look at any
operating system from the right perspective; we need to know how something
breaks in order to make it stronger. And, as any child (or hacker) will tell you,
breaking something is the most exhilarating way to learn.
If you are a security professional, this book is one of the best ways to under-
stand the strengths and weaknesses of Mac OS X. If you are a programmer, this
book will not only help you write more secure code, but it will also help you in
your general coding practices. If you are just a Mac enthusiast, you’ll learn how
hackers look at our operating system of choice and gain a better understanding
of its inner workings. Hopefully Apple developers will use this to help harden
the operating system, making the book obsolete with every version. Yes, maybe
a few bad guys will use it to write a few exploits, but the benefits of having this
knowledge far outweigh the risks.
For us hackers, even those of us of limited skills, this book provides us with a
roadmap for exploring those edges, finding those cracks, and discovering new
possibilities. For me, it’s the literary equivalent of sliding that beige plastic cover
off my childhood friend’s first Apple and gazing at the inner workings.

—Rich Mogull
Security Editor at TidBITS and Analyst at Securosis
xiv Introduction

How This Book Is Organized


This book is divided into four parts, roughly aligned with the steps an attacker
would have to take to compromise a computer: Background, Vulnerabilities,
Exploitation, and Post-Exploitation. The first part, consisting of Chapters 1–3,
contains introductory material concerning Mac OS X. It points out what makes
this operating system different from Linux or Windows and demonstrates the
tools that will be needed for the rest of the book. The next part, consisting
of Chapters 4–6, demonstrates the tools and techniques necessary to identify
security vulnerabilities in the operating system and applications running on
it. Chapters 7–10 make up the next part of the book. These chapters illustrate
how attackers can take the weaknesses found in the earlier chapters and turn
them into functional exploits, giving them the ability to compromise vulnerable
machines. Chapters 11 and 12 make up the last part of the book, which deals
with what attackers may do after they have exploited a machine and techniques
they can use to maintain continued access to the compromised machines.
Chapter 1 begins the book with the basics of the way Mac OS X is designed.
It discusses how it originated from BSD and the changes that have been made
in it since that time. Chapter 1 gives a brief introduction to many of the tools
that will be needed in the rest of the book. It highlights the differences between
Mac OS X and other operating systems and takes care to demonstrate how
to perform common tasks that differ among the operating systems. Finally, it
outlines and analyzes some of the security improvements made in the release
of Leopard, the current version of Mac OS X.
Chapter 2 covers some uncommon protocols and file formats used by Mac
OS X. This includes a description of how Bonjour works, as well as an inside
look at the Mac OS X implementation, mDNSResponder. It also dissects the
QuickTime file format and the RTSP protocol utilized by QuickTime Player.
Chapter 3 examines what portions of the operating system process attacker-
supplied data, known as the attack surface. It begins by looking in some detail
at what services are running by default on a typical Mac OS X computer and
examines the difficulties in attacking these default services. It moves on to
consider the client-side attack surface, all the code that can be executed if an
attacker can get a client program such as Safari to visit a server the attacker
controls, such as a malicious website.
Chapter 4 dives into the world of debugging in a Mac OS X environment.
It shows how to follow along to see what applications are doing internally. It
covers in some detail the powerful DTrace mechanism that was introduced in
Leopard. It also outlines the steps necessary to capture code-coverage informa-
tion using the Pai Mei reverse-engineering framework.
Chapter 5 demonstrates how to find security weaknesses in Mac OS X soft-
ware. It talks about how you can look for bugs in the source code Apple makes
available or use a black-box technique such as fuzzing. It includes detailed
instructions for performing either of these methods. Finally, it shows some tricks
to take advantage of the way Apple develops its software, which can help find
bugs it doesn’t know about or give early warning of those it does.
Chapter 6 discusses reverse engineering in Mac OS X. Given that most of the
code in Mac OS X is available in binary form only, this chapter discusses how
this software works statically. It also highlights some differences that arise in
reverse engineering code written in Objective-C, which is quite common in Mac
OS X binaries but rarely seen otherwise.
Chapter 7 begins the exploitation part of the book. It introduces the simplest
of buffer-overflow attacks, the stack overflow. It outlines how the stack is laid
out for both PowerPC and x86 architectures and how, by overflowing a stack
buffer, an attacker can obtain control of the vulnerable process.
Chapter 8 addresses the heap overflow, the other common type of exploit.
This entails describing the way the Mac OS X heap and memory allocations
function. It shows techniques where overwriting heap metadata allows an
attacker to gain complete control of the application. It finishes by showing how
to arrange the heap to overwrite other important application data to compro-
mise the application.
Chapter 9 addresses exploit payloads. Now that you know how to get control
of the process, what can you do? It demonstrates a number of different possible
shellcodes and payloads for both PowerPC and x86 architectures, ranging from
simple to advanced.
Chapter 10 covers real-world exploitation, demonstrating a large number of
advanced exploitation topics, including many in-depth example exploits for
Tiger and Leopard on both PowerPC and x86. If Chapters 7–9 were the theory
of attack, then this chapter is the practical aspect of attack.
Chapter 11 covers how to inject code into running processes using Mac
OS X–specific hooking techniques. It provides all the code necessary to write
and test such payloads. It also includes some interesting code examples of
what an attacker can do, including spying on iChat sessions and reading
encrypted network traffic.
Chapter 12 addresses the topic of rootkits, or code an attacker uses to hide
their presence on a compromised system. It illustrates how to write basic kernel-
level drivers and moves on to examples that will hide files from unsuspecting
users at the kernel level. It finishes with a discussion of Mac OS X–specific root-
kit techniques, including hidden in-kernel Mach RPC servers, network kernel
extensions for remote access, and VT-x hardware virtual-machine hypervisor
rootkits for advanced stealth.

Who Should Read This Book


This book is written for a wide variety of readers, ranging from Mac enthusiasts
to hard-core security researchers. Those readers already knowledgeable about
Mac OS X but wanting to learn more about the security of the system may want
to skip to Chapter 4. Conversely, security researchers may find the first few
chapters the most useful, as those chapters reveal how to use the OS X–related
skills they already possess.
While the book may be easier to comprehend if you have some experience
writing code or administering Mac OS X computers, no experience is necessary.
It starts from the very basics and slowly works up to the more-advanced topics.
The book is careful to illustrate the points it is making with many examples,
and outlines exactly how to perform the steps required. The book is unique in
that, although anybody with enthusiasm for the subject can pick it up and begin
reading it, by the end of the book the reader will have a world-class knowledge
of the security of the Mac OS X operating system.

Tools You Will Need


For the most part, all you need to follow along with this book is a computer with
Mac OS X Leopard installed. Although many of the techniques and examples
will work in earlier versions of Mac OS X, they are designed for Leopard.
To perform the techniques illustrated in Chapter 6, a recent version of IDA Pro
is required. This is a commercial tool that must be run in Windows and can
be purchased at http://www.hex-rays.com. The remaining tools either come
on supplemental disks, such as Xcode does, or are freely available online or at
this book’s website.

What’s on the Website


This book includes a number of code samples. The small and moderately sized
examples are included directly in this book. But to save you from having to
type these in yourself, all the code samples are also available for download at
www.wiley.com/go/machackershandbook. Additionally, some long code samples
that are omitted from the book are available on the site, as are any other tools
developed for the book.

Final Note
We invite you to dive right in and begin reading. We think there is something
in this book for just about everyone who loves Mac OS X. I know we learned a
lot in researching and writing this book. If you have comments, questions, hate
mail, or anything else, please drop us a line and we’d be happy to discuss our
favorite operating system with you.
Chapter 1 ■ Mac OS X Architecture 5

system, networking, and I/O, to run as user-level Mach tasks. In earlier Mach-
based UNIX systems, the UNIX layer ran as a server in a separate task. However,
in Mac OS X, Mach and the BSD code run in the same address space.
In XNU, Mach is responsible for many of the low-level operations you expect
from a kernel, such as processor scheduling and multitasking and virtual-
memory management.

BSD
The kernel also involves a large chunk of code derived from the FreeBSD code
base. As mentioned earlier, this code runs as part of the kernel along with Mach
and uses the same address space. The FreeBSD code within XNU may differ
significantly from the original FreeBSD code, as changes had to be made for it
to coexist with Mach. FreeBSD provides many of the remaining operations the
kernel needs, including

■ Processes
■ Signals
■ Basic security, such as users and groups
■ System call infrastructure
■ TCP/IP stack and sockets
■ Firewall and packet filtering
To get an idea of just how complicated the interaction between these two sets
of code can be, consider the idea of the fundamental executing unit. In BSD the
fundamental unit is the process. In Mach it is a Mach thread. The disparity is
settled by each BSD-style process being associated with a Mach task consisting
of exactly one Mach thread. When the BSD fork() system call is made, the BSD
code in the kernel uses Mach calls to create a task and thread structure. Also, it
is important to note that both the Mach and BSD layers have different security
models. The Mach security model is based on port rights, and the BSD model is
based on process ownership. Disparities between these two models have resulted
in a number of local privilege-escalation vulnerabilities. Additionally, besides
typical system calls, there are Mach traps that allow user-space programs to
communicate with the kernel.

I/O Kit
I/O Kit is the open-source, object-oriented, device-driver framework in the XNU
kernel and is responsible for the addition and management of dynamically loaded
device drivers. These drivers allow for modular code to be added to the kernel
dynamically for use with different hardware, for example. The available drivers
are usually stored in the /System/Library/Extensions/ directory or a subdirectory.
The command kextstat will list all the currently loaded drivers:
$ kextstat
Index Refs Address    Size       Wired      Name (Version) <Linked Against>
    1    1 0x0        0x0        0x0        com.apple.kernel (9.3.0)
    2   55 0x0        0x0        0x0        com.apple.kpi.bsd (9.3.0)
    3    3 0x0        0x0        0x0        com.apple.kpi.dsep (9.3.0)
    4   74 0x0        0x0        0x0        com.apple.kpi.iokit (9.3.0)
    5   79 0x0        0x0        0x0        com.apple.kpi.libkern (9.3.0)
    6   72 0x0        0x0        0x0        com.apple.kpi.mach (9.3.0)
    7   39 0x0        0x0        0x0        com.apple.kpi.unsupported (9.3.0)
    8    1 0x0        0x0        0x0        com.apple.iokit.IONVRAMFamily (9.3.0)
    9    1 0x0        0x0        0x0        com.apple.driver.AppleNMI (9.3.0)
   10    1 0x0        0x0        0x0        com.apple.iokit.IOSystemManagementFamily (9.3.0)
   11    1 0x0        0x0        0x0        com.apple.iokit.ApplePlatformFamily (9.3.0)
   12   31 0x0        0x0        0x0        com.apple.kernel.6.0 (7.9.9)
   13    1 0x0        0x0        0x0        com.apple.kernel.bsd (7.9.9)
   14    1 0x0        0x0        0x0        com.apple.kernel.iokit (7.9.9)
   15    1 0x0        0x0        0x0        com.apple.kernel.libkern (7.9.9)
   16    1 0x0        0x0        0x0        com.apple.kernel.mach (7.9.9)
   17   17 0x2e2bc000 0x10000    0xf000     com.apple.iokit.IOPCIFamily (2.4.1) <7 6 5 4>
   18   10 0x2e2d2000 0x4000     0x3000     com.apple.iokit.IOACPIFamily (1.2.0) <12>
   19    3 0x2e321000 0x3d000    0x3c000    com.apple.driver.AppleACPIPlatform (1.2.1) <18 17 12 7 5 4>

Many of the entries in this list say they are loaded at address zero. This just
means they are part of the kernel proper and aren’t really device drivers—i.e.,
they cannot be unloaded. The first actual driver is number 17.
Besides kextstat, there are other functions you’ll need to know for loading
and unloading these drivers. Suppose you wanted to find and load the driver
associated with the MS-DOS file system. First you can use the kextfind tool to
find the correct driver.
$ kextfind -bundle-id -substring 'msdos'
/System/Library/Extensions/msdosfs.kext
Now that you know the name of the kext bundle to load, you can load it into
the running kernel.
$ sudo kextload /System/Library/Extensions/msdosfs.kext
kextload: /System/Library/Extensions/msdosfs.kext loaded successfully

It seemed to load properly. You can verify this and see where it was loaded.
$ kextstat | grep msdos
126 0 0x346d5000 0xc000 0xb000 com.apple.filesystems.msdosfs (1.5.2) <7 6 5 2>

It is the 126th driver currently loaded. There are zero references to it (not
surprising, since it wasn’t loaded before we loaded it). It has been loaded at
address 0x346d5000 and has size 0xc000. This driver occupies 0xb000 wired bytes
of kernel memory. Next it lists the driver’s name and version. It also lists the
indexes of other kernel extensions that this driver refers to; in this case,
looking at the full listing of kextstat, we see it refers to the “unsupported,”
mach, libkern, and bsd drivers (indexes 7, 6, 5, and 2). Finally, we can unload
the driver.
$ sudo kextunload com.apple.filesystems.msdosfs
kextunload: unload kext /System/Library/Extensions/msdosfs.kext succeeded
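
The reading of the kextstat columns described above can be done mechanically. The following Python sketch is an added example, not code from the book: it parses kextstat output (including lines wrapped the way they appear in print), separates kernel-proper entries at address 0x0 from loaded drivers, and resolves the <Linked Against> indexes to names. The sample text is a subset of the listings above, and all function names are this example's own.

```python
import re
from dataclasses import dataclass

# Subset of the kextstat listing above (wrapped as in print), plus the
# msdosfs line shown after kextload. Assembled here as sample input.
SAMPLE = """\
Index Refs Address Size Wired Name (Version) <Linked
Against>
1 1 0x0 0x0 0x0 com.apple.kernel (9.3.0)
2 55 0x0 0x0 0x0 com.apple.kpi.bsd (9.3.0)
4 74 0x0 0x0 0x0 com.apple.kpi.iokit (9.3.0)
5 79 0x0 0x0 0x0 com.apple.kpi.libkern
(9.3.0)
6 72 0x0 0x0 0x0 com.apple.kpi.mach (9.3.0)
7 39 0x0 0x0 0x0 com.apple.kpi.unsupported
(9.3.0)
12 31 0x0 0x0 0x0 com.apple.kernel.6.0 (7.9.9)
17 17 0x2e2bc000 0x10000 0xf000 com.apple.iokit.IOPCIFamily
(2.4.1) <7 6 5 4>
18 10 0x2e2d2000 0x4000 0x3000 com.apple.iokit.IOACPIFamily
(1.2.0) <12>
19 3 0x2e321000 0x3d000 0x3c000
com.apple.driver.AppleACPIPlatform (1.2.1) <18 17 12 7 5 4>
126 0 0x346d5000 0xc000 0xb000
com.apple.filesystems.msdosfs (1.5.2) <7 6 5 2>
"""

# A record begins with "index refs 0xaddress"; anything else is a continuation.
RECORD_START = re.compile(r"^\d+\s+\d+\s+0x[0-9a-fA-F]+\s")
RECORD = re.compile(
    r"^(?P<index>\d+)\s+(?P<refs>\d+)\s+(?P<address>0x[0-9a-fA-F]+)\s+"
    r"(?P<size>0x[0-9a-fA-F]+)\s+(?P<wired>0x[0-9a-fA-F]+)\s+"
    r"(?P<name>\S+)\s+\((?P<version>[^)]*)\)"
    r"(?:\s+<(?P<deps>[\d\s]*)>)?$"
)


@dataclass(frozen=True)
class Kext:
    index: int
    refs: int
    address: int
    size: int
    wired: int
    name: str
    version: str
    deps: tuple  # indexes from the <Linked Against> column

    @property
    def in_kernel(self):
        # Address zero: part of the kernel proper, cannot be unloaded.
        return self.address == 0

    @property
    def end(self):
        return self.address + self.size


def rejoin(text):
    """Merge wrapped lines back into one string per kext; drop the header."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line):
            records.append(line)
        elif records:  # continuation of the previous record
            records[-1] += " " + line
    return records


def parse_kextstat(text):
    """Return {index: Kext}; raise ValueError on a malformed record."""
    kexts = {}
    for rec in rejoin(text):
        m = RECORD.match(rec)
        if m is None:
            raise ValueError("unparseable kextstat record: %r" % rec)
        deps = tuple(int(d) for d in (m.group("deps") or "").split())
        hexes = [int(m.group(f), 16) for f in ("address", "size", "wired")]
        kext = Kext(int(m.group("index")), int(m.group("refs")), *hexes,
                    m.group("name"), m.group("version"), deps)
        kexts[kext.index] = kext
    return kexts


def loaded_drivers(kexts):
    """Entries with a real load address, in index order."""
    return [k for _, k in sorted(kexts.items()) if not k.in_kernel]


def linked_against(kexts, index):
    """Names behind the <Linked Against> indexes of one entry."""
    return [kexts[d].name if d in kexts else "<index %d not in listing>" % d
            for d in kexts[index].deps]


def unreferenced(kexts):
    """Loaded drivers that nothing else refers to (Refs == 0)."""
    return [k.name for k in loaded_drivers(kexts) if k.refs == 0]


if __name__ == "__main__":
    table = parse_kextstat(SAMPLE)
    for k in loaded_drivers(table):
        print("%4d %-36s 0x%08x-0x%08x wired=0x%x" %
              (k.index, k.name, k.address, k.end, k.wired))
        print("     linked against: " + ", ".join(linked_against(table, k.index)))
    print("no references:", unreferenced(table))
```
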

Darwin and Friends


A kernel without applications isn’t very useful. That is where Darwin comes
in. Darwin is the non-Aqua, open-source core of Mac OS X. Basically it is all
the parts of Mac OS X for which the source code is available. The code is made
available in the form of a package that is easy to install. There are hundreds of
available Darwin packages, such as X11, GCC, and other GNU tools. Darwin
provides many of the applications you may already use in BSD or Linux for
Mac OS X. Apple has spent significant time integrating these packages into
their operating system so that everything behaves nicely and has a consistent
look and feel when possible.
On the other hand, many familiar pieces of Mac OS X are not open source.
The main missing piece to someone running just the Darwin code will be Aqua,
the Mac OS X windowing and graphical-interface environment. Additionally,
most of the common high-level applications, such as Safari, Mail, QuickTime,
iChat, etc., are not open source (although some of their components are open
source). Interestingly, these closed-source applications often rely on open-
source software, for example, Safari relies on the WebKit project for HTML
and JavaScript rendering. For perhaps this reason, you also typically have
many more symbols in these applications when debugging than you would
in a Windows environment.
8 Part I ■ Mac OS X Basics

Tools of the Trade


Many of the standard Linux/BSD tools work on Mac OS X, but not all of them. If
you haven’t already, it is important to install the Xcode package, which contains
the system compiler (gcc) as well as many other tools, like the GNU debugger
gdb. One of the most powerful tools that comes on Mac OS X is the object file
displaying tool (otool). This tool fills the role of ldd, nm, objdump, and similar
tools from Linux. For example, using otool you can use the -L option to get a
list of the dynamically linked libraries needed by a binary.
$ otool -L /bin/ls
/bin/ls:
        /usr/lib/libncurses.5.4.dylib (compatibility version 5.4.0, current version 5.4.0)
        /usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.0.0)

To get a disassembly listing, you can use the -tv option.
$ otool -tv /bin/ps
/bin/ps:
(__TEXT,__text) section
00001bd0 pushl $0x00
00001bd2 movl %esp,%ebp
00001bd4 andl $0xf0,%esp
00001bd7 subl $0x10,%esp

You’ll see many references to other uses for otool throughout this book.

Ktrace/DTrace
You must be able to trace execution flow for processes. Before Leopard, this
was the job of the ktrace command-line application. ktrace allows kernel trace
logging for the specified process or command. For example, tracing the system
calls of the ls command can be accomplished with
$ ktrace -tc ls

This will create a file called ktrace.out. To read this file, run the kdump
command.
$ kdump
918 ktrace RET ktrace 0
918 ktrace CALL execve(0xbffff73c,0xbffffd14,0xbffffd1c)
918 ls RET execve 0
918 ls CALL issetugid
918 ls RET issetugid 0
918 ls CALL __sysctl(0xbffff7cc,0x2,0xbffff7d4,0xbffff7c8,0x8fe45a90,0xa)
918 ls RET __sysctl 0
918 ls CALL __sysctl(0xbffff7d4,0x2,0x8fe599bc,0xbffff878,0,0)
918 ls RET __sysctl 0
918 ls CALL __sysctl(0xbffff7cc,0x2,0xbffff7d4,0xbffff7c8,0x8fe45abc,0xd)
918 ls RET __sysctl 0
918 ls CALL __sysctl(0xbffff7d4,0x2,0x8fe599b8,0xbffff878,0,0)
918 ls RET __sysctl 0

For more information, see the man page for ktrace.

In Leopard, ktrace is replaced by DTrace. DTrace is a kernel-level tracing
mechanism. Throughout the kernel (and in some frameworks and applications)
are special DTrace probes that can be activated. Instead of being an application
with some command-line arguments, DTrace has an entire language, called
D, to control its actions. DTrace is covered in detail in Chapter 4, “Tracing and
Debugging,” but we present a quick example here as an appetizer.
$ sudo dtrace -n 'syscall:::entry {@[execname] = count()}'
dtrace: description 'syscall:::entry ' matched 427 probes
^C

fseventsd 3
socketfilterfw 3
mysqld 6
httpd 8
pvsnatd 8
configd 11
DirectoryServic 14
Terminal 17
ntpd 21
WindowServer 27
mds 33
dtrace 38
llipd 60
SystemUIServer 69
launchd 182
nmblookup 288
smbclient 386
Finder 5232
Mail 5352
Here, this one line of D within the DTrace command keeps track of the num-
ber of system calls made by processes until the user hits Ctrl+C. The entire
functionality of ktrace can be replicated with DTrace in just a few lines of D.
Being able to peer inside processes can be very useful when bug hunting or
reverse-engineering, but there will be more on those topics later in the book.

Objective-C
Objective-C is the programming language and runtime for the Cocoa API used
extensively by most applications within Mac OS X. It is a superset of the C
programming language, meaning that any C program will compile with an
Objective-C compiler. The use of Objective-C has implications when applica-
tions are being reverse-engineered and exploited. More time will be spent on
these topics in the corresponding chapters.
One of the most distinctive features of Objective-C is the way object-oriented
programming is handled. Unlike in standard C++, in Objective-C, a class's
methods are not called directly. Rather, the object is sent a message. This
architecture allows for dynamic binding; i.e., the selection of method
implementation occurs at runtime, not at compile time. When a message is sent,
a runtime function looks at the receiver and the method name in the message. It
identifies the receiver’s implementation of the method by the name and executes
that method.
The following small example shows the syntactic differences between C++
and Objective-C from a source-code perspective.
#include <objc/Object.h>
@interface Integer : Object
{
    int integer;
}

- (int) integer;
- (id) integer: (int) _integer;
@end

Here an interface is defined for the class Integer. An interface serves the role
of a declaration. The hyphen character indicates the class’s methods.
#import "Integer.h"
@implementation Integer
- (int) integer
{
    return integer;
}

- (id) integer: (int) _integer
{
    integer = _integer;
    return self;  // declared to return id, so return the receiver
}
@end

Objective-C source files typically use the .m file extension. Within Integer.m
are the implementations of the Integer methods. Also notice how arguments to
functions are represented after a colon. One other small difference with C++ is
that Objective-C provides the import preprocessor, which acts like the include
directive except it includes the file only once.
#import "Integer.h"
@interface Integer (Display)
- (id) showint;
@end

Another example follows.
#include <stdio.h>
#import "Display.h"

@implementation Integer (Display)
- (id) showint
{
    printf("%d\n", [self integer]);
    return self;
}
@end

In the second file, we see the first call of an object’s method. [self integer]
is an example of the way methods are called in Objective-C. This is roughly
equivalent to self.integer() in C++. Here are two more, slightly more compli-
cated files:
#import "Integer.h"
@interface Integer (Add_Mult)
- (id) add_mult: (Integer *) addend with_multiplier: (int) mult;
@end

and
#import "Add_Mult.h"

@implementation Integer (Add_Mult)
- (id) add_mult: (Integer *) addend with_multiplier: (int) mult
{
    // Uses the integer getter and the integer: setter declared in Integer.h
    return [self integer: [self integer] + [addend integer] * mult];
}
@end

These two files show how multiple parameters are passed to a function. A
label, in this case with_multiplier, can be added to the additional parameters.
The method is referred to as add_mult:with_multiplier:. The following code
shows how to call a function requiring multiple parameters.
#include <stdio.h>
#include <stdlib.h>   // atoi
#import "Integer.h"
#import "Add_Mult.h"
#import "Display.h"

int main(int argc, char *argv[])
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <num1> <num2>\n", argv[0]);
        return 1;
    }
    Integer *num1 = [Integer new], *num2 = [Integer new];
    [num1 integer:atoi(argv[1])];
    [num2 integer:atoi(argv[2])];
    [num1 add_mult:num2 with_multiplier: 2];
    [num1 showint];
    return 0;
}

Building this is as easy as invoking gcc with an additional argument.
$ gcc -g -x objective-c main.m Integer.m Add_Mult.m Display.m -lobjc

Running the program shows that it can indeed add a number multiplied
by two.
$ ./a.out 1 4
9

As a sample of things to come, consider the disassembled version of the
add_mult:with_multiplier: function.
0x1f02 push ebp
0x1f03 mov ebp,esp
0x1f05 push edi
0x1f06 push esi
0x1f07 push ebx
0x1f08 sub esp,0x1c
0x1f0b call 0x1f10
0x1f10 pop ebx
0x1f11 mov edi,DWORD PTR [ebp+0x8]
0x1f14 mov edx,DWORD PTR [ebp+0x8]
0x1f17 lea eax,[ebx+0x1100]
0x1f1d mov eax,DWORD PTR [eax]
0x1f1f mov DWORD PTR [esp+0x4],eax
0x1f23 mov DWORD PTR [esp],edx
0x1f26 call 0x400a <dyld_stub_objc_msgSend>
0x1f2b mov esi,eax
0x1f2d mov edx,DWORD PTR [ebp+0x10]
0x1f30 lea eax,[ebx+0x1100]
0x1f36 mov eax,DWORD PTR [eax]
0x1f38 mov DWORD PTR [esp+0x4],eax
0x1f3c mov DWORD PTR [esp],edx
0x1f3f call 0x400a <dyld_stub_objc_msgSend>
0x1f44 imul eax,DWORD PTR [ebp+0x14]
0x1f48 lea edx,[esi+eax]
0x1f4b lea eax,[ebx+0x10f8]
0x1f51 mov eax,DWORD PTR [eax]
0x1f53 mov DWORD PTR [esp+0x8],edx
0x1f57 mov DWORD PTR [esp+0x4],eax
0x1f5b mov DWORD PTR [esp],edi
0x1f5e call 0x400a <dyld_stub_objc_msgSend>
0x1f63 add esp,0x1c
0x1f66 pop ebx
0x1f67 pop esi
0x1f68 pop edi
0x1f69 leave
0x1f6a ret

Looking at this, it is tough to imagine what this function does. While there
is an instruction for the multiplication (imul), there is no addition occurring.
You’ll also see that, typical of an Objective-C binary, almost every function
call is to objc_msgSend, which can make it difficult to know what is going on.
There is also the strange call instruction at address 0x1f0b which calls the next
instruction. These problems (along with some solutions) will be addressed in
more detail in Chapter 6, “Reverse Engineering.”

Universal Binaries and the Mach-O File Format
Applications and libraries in Mac OS X use the Mach-O (Mach object) file format
and may be built for several architectures at once; such multi-architecture
files are called universal binaries.

Universal Binaries
For legacy support, many binaries in Leopard are universal binaries. A universal
binary can support multiple architectures in the same file. For Mac OS X, this
is usually PowerPC and x86.
$ file /bin/ls
/bin/ls: Mach-O universal binary with 2 architectures
/bin/ls (for architecture i386): Mach-O executable i386
/bin/ls (for architecture ppc7400): Mach-O executable ppc

Each universal binary has the code necessary to run on any of the architec-
tures it supports. The same exact ls binary from the code example can run on
a Mac with an x86 processor or a PowerPC processor. The obvious drawback is
file size, of course. The gcc compiler in Mac OS X emits Mach-O-format binaries
by default. To build a universal binary, one additional flag must be passed to
specify the target architectures desired. In the following example, a universal
binary for the x86 and PowerPC architectures is created.
$ gcc -arch ppc -arch i386 -o test-universal test.c
$ file test-universal
test-universal: Mach-O universal binary with 2 architectures
test-universal (for architecture ppc7400): Mach-O executable ppc
test-universal (for architecture i386): Mach-O executable i386

To see the file-size difference, compare this binary to the single-architecture
version:
-rwxr-xr-x 1 user1 user1 12564 May 1 12:55 test
-rwxr-xr-x 1 user1 user1 28948 May 1 12:54 test-universal

Mach-O File Format
This file format supports both statically and dynamically linked executables.
The basic structure contains three regions: the header, the load commands, and
the actual data.
The header contains basic information about the file, such as magic bytes to
identify it as a Mach-O file and information about the target architecture. The
following is the header structure, courtesy of the
/usr/include/mach-o/loader.h file.
struct mach_header {
    uint32_t magic;
    cpu_type_t cputype;
    cpu_subtype_t cpusubtype;
    uint32_t filetype;
    uint32_t ncmds;
    uint32_t sizeofcmds;
    uint32_t flags;
};

The magic number identifies the file as Mach-O. The cputype will probably
be either PowerPC or I386. The cpusubtype can specify specific models of CPU
on which to run. The filetype indicates the usage and alignment for the file.

fat_magic 0xcafebabe
nfat_arch 2
architecture 0
cputype 7
cpusubtype 3
capabilities 0x0
offset 4096
size 36464
align 2^12 (4096)
architecture 1
cputype 18
cpusubtype 10
capabilities 0x0
offset 40960
size 32736
align 2^12 (4096)

Looking at /usr/include/mach/machine.h, you can see that the first architecture
has cputype 7, which corresponds to CPU_TYPE_X86 and has a cpusubtype
of CPU_SUBTYPE_386. Not surprisingly, the second architecture has values
CPU_TYPE_POWERPC and CPU_SUBTYPE_POWERPC_7400, respectively.
Next we can obtain the Mach header.
$ otool -h /bin/ls
/bin/ls:
Mach header
     magic cputype cpusubtype caps filetype ncmds sizeofcmds      flags
0xfeedface       7          3 0x00        2    14       1304 0x00000085

In this case, we again see the cputype and cpusubtype. The filetype is
MH_EXECUTE and there are 14 load commands. The flags work out to be
MH_NOUNDEFS | MH_DYLDLINK | MH_TWOLEVEL.
Moving on, we see some of the load commands for this binary.
$ otool -l /bin/ls
/bin/ls:
Load command 0
cmd LC_SEGMENT
cmdsize 56
segname __PAGEZERO
vmaddr 0x00000000
vmsize 0x00001000
fileoff 0
filesize 0
maxprot 0x00000000
initprot 0x00000000
nsects 0
flags 0x0
Load command 1
cmd LC_SEGMENT
cmdsize 260
segname __TEXT
vmaddr 0x00001000
vmsize 0x00005000
fileoff 0
filesize 20480
maxprot 0x00000007
initprot 0x00000005
nsects 3
flags 0x0
Section
sectname __text
segname __TEXT
addr 0x000023c4
size 0x000035df
offset 5060
align 2^2 (4)
reloff 0
nreloc 0
flags 0x80000400
reserved1 0
reserved2 0
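
The header fields and otool listings above can be reproduced with a small parser. This is an added example, not code from the book: it reads the fat header, each 32-bit mach_header and its LC_SEGMENT commands, and rejects offsets and sizes that point outside the file. The sample bytes are constructed from the values shown above, and the function names are this example's own.

```python
import struct

FAT_MAGIC = 0xCAFEBABE                        # fat header fields are big-endian
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE   # 32-bit magic and its byte-swap
LC_SEGMENT = 0x1
CPU_TYPES = {7: "CPU_TYPE_X86", 18: "CPU_TYPE_POWERPC"}
FILETYPES = {1: "MH_OBJECT", 2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}
MH_FLAGS = {0x1: "MH_NOUNDEFS", 0x2: "MH_INCRLINK", 0x4: "MH_DYLDLINK",
            0x8: "MH_BINDATLOAD", 0x10: "MH_PREBOUND", 0x20: "MH_SPLIT_SEGS",
            0x40: "MH_LAZY_INIT", 0x80: "MH_TWOLEVEL"}


def prot(bits):
    """Render a vm_prot_t value (read=1, write=2, execute=4) as rwx."""
    return "".join(c if bits & b else "-" for c, b in (("r", 1), ("w", 2), ("x", 4)))


def parse_macho(buf, base, limit):
    """Parse the mach_header and LC_SEGMENT commands of the image buf[base:limit]."""
    if base + 28 > limit:
        raise ValueError("truncated mach_header")
    magic = struct.unpack_from("<I", buf, base)[0]
    if magic not in (MH_MAGIC, MH_CIGAM):
        raise ValueError("not a 32-bit Mach-O image")
    end = "<" if magic == MH_MAGIC else ">"      # byte order of this image
    _, cputype, cpusub, filetype, ncmds, sizeofcmds, flags = struct.unpack_from(
        end + "7I", buf, base)
    cmds_end = base + 28 + sizeofcmds
    if cmds_end > limit:
        raise ValueError("sizeofcmds runs past the end of the image")
    segments, off = [], base + 28
    for _ in range(ncmds):
        if off + 8 > cmds_end:
            raise ValueError("load command starts outside sizeofcmds")
        cmd, cmdsize = struct.unpack_from(end + "2I", buf, off)
        if cmdsize < 8 or off + cmdsize > cmds_end:
            raise ValueError("load command cmdsize out of bounds")
        if cmd == LC_SEGMENT:
            if cmdsize < 56:
                raise ValueError("LC_SEGMENT shorter than segment_command")
            (name, vmaddr, vmsize, fileoff, filesize, maxprot, initprot,
             nsects, _segflags) = struct.unpack_from(end + "16s8I", buf, off + 8)
            if cmdsize != 56 + 68 * nsects:      # 68 = sizeof(struct section)
                raise ValueError("nsects does not match cmdsize")
            if fileoff + filesize > limit - base:
                raise ValueError("segment file range lies outside the image")
            segments.append({"segname": name.rstrip(b"\0").decode("ascii", "replace"),
                             "vmaddr": vmaddr, "vmsize": vmsize, "nsects": nsects,
                             "maxprot": prot(maxprot), "initprot": prot(initprot)})
        off += cmdsize
    return {"endian": "little" if end == "<" else "big",
            "cputype": CPU_TYPES.get(cputype, hex(cputype)),
            "cpusubtype": cpusub & 0x00FFFFFF,   # high byte holds capability bits
            "filetype": FILETYPES.get(filetype, hex(filetype)),
            "flags": [n for bit, n in sorted(MH_FLAGS.items()) if flags & bit],
            "segments": segments}


def parse_file(buf):
    """Return one parsed image per architecture; a thin file yields one."""
    if len(buf) < 8 or struct.unpack_from(">I", buf, 0)[0] != FAT_MAGIC:
        return [parse_macho(buf, 0, len(buf))]
    nfat = struct.unpack_from(">I", buf, 4)[0]
    if 8 + 20 * nfat > len(buf):
        raise ValueError("fat_arch table truncated")
    images = []
    for i in range(nfat):
        cputype, _sub, offset, size, _align = struct.unpack_from(">5I", buf, 8 + 20 * i)
        if offset + size > len(buf):
            raise ValueError("fat_arch %d points outside the file" % i)
        image = parse_macho(buf, offset, offset + size)
        if image["cputype"] != CPU_TYPES.get(cputype, hex(cputype)):
            raise ValueError("fat_arch %d disagrees with its mach_header" % i)
        images.append(image)
    return images


def build_sample():
    """Constructed sample using the otool -f/-h/-l values shown for /bin/ls."""
    # Only the two load commands listed above are included (ncmds 2, not 14).
    buf = bytearray(40960 + 32736)
    struct.pack_into(">2I", buf, 0, FAT_MAGIC, 2)
    struct.pack_into(">5I", buf, 8, 7, 3, 4096, 36464, 12)       # i386 slice
    struct.pack_into(">5I", buf, 28, 18, 10, 40960, 32736, 12)   # ppc7400 slice
    cmds = struct.pack("<2I16s8I", LC_SEGMENT, 56, b"__PAGEZERO",
                       0, 0x1000, 0, 0, 0, 0, 0, 0)
    cmds += struct.pack("<2I16s8I", LC_SEGMENT, 260, b"__TEXT",
                        0x1000, 0x5000, 0, 20480, 7, 5, 3, 0) + bytes(3 * 68)
    struct.pack_into("<7I", buf, 4096, MH_MAGIC, 7, 3, 2, 2, len(cmds), 0x85)
    buf[4096 + 28:4096 + 28 + len(cmds)] = cmds
    struct.pack_into(">7I", buf, 40960, MH_MAGIC, 18, 10, 2, 0, 0, 0x85)
    return bytes(buf)


if __name__ == "__main__":
    for image in parse_file(build_sample()):
        print(image)
```

The initprot column makes the memory layout visible: __PAGEZERO maps with no access at all, while __TEXT starts out readable and executable but not writable.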

Bundles
In Mac OS X, shared resources are contained in bundles. Many kinds of
bundles contain related files, but we’ll focus mostly on application and frame-
work bundles. The types of resources contained within a bundle may consist
of applications, libraries, images, documentation, header files, etc. Basically, a
bundle is a directory structure within the file system. Interestingly, by default
this directory looks like a single object in Finder.
$ ls -ld iTunes.app
drwxrwxr-x 3 root admin 102 Apr 4 13:15 iTunes.app

This naive view of files can be changed within Finder by selecting Show
Package Contents in the Action menu, but you probably use the Terminal appli-
cation rather than Finder, anyway.
Within application bundles, there is usually a single folder called Contents.
We’ll give you a quick tour of the QuickTime Player bundle.
$ ls /Applications/QuickTime\ Player.app/Contents/
CodeResources Info.plist PkgInfo Resources
Frameworks MacOS PlugIns version.plist

The binary itself is within the MacOS directory. If you want to launch the
program through the command line or a script, you will likely have to refer to
the following binary, for example.
$ /Applications/QuickTime\ Player.app/Contents/MacOS/QuickTime\ Player

The Resources directory contains much of the noncode, such as images, movies,
and icons. The Frameworks directory contains the associated framework
bundles, in this case DotMacKit. Finally, there are a number of plist, or property
list, files.
Property-list files contain configuration information. A plist file may contain
user-specific or system-wide information. Plist files can be either in binary or
XML format. The XML versions are relatively straightforward to read. The fol-
lowing is the beginning of the Info.plist file from QuickTime Player.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleDevelopmentRegion</key>
    <string>English</string>
    <key>CFBundleDocumentTypes</key>
    <array>
        <dict>
            <key>CFBundleTypeExtensions</key>
            <array>
                <string>aac</string>
                <string>adts</string>
            </array>
            <key>CFBundleTypeMIMETypes</key>
            <array>
                <string>audio/aac</string>
                <string>audio/x-aac</string>
            </array>
            <key>CFBundleTypeName</key>
            <string>Audio-AAC</string>
            <key>CFBundleTypeRole</key>
            <string>Viewer</string>
            <key>NSDocumentClass</key>
            <string>QTPMovieDocument</string>
            <key>NSPersistentStoreTypeKey</key>
            <string>Binary</string>
        </dict>

Many of the keys and their meaning can be found at
http://developer.apple.com/documentation/MacOSX/Conceptual/BPRuntimeConfig/Articles/PListKeys.html.
Here is a quick description of those found in the excerpt:
■ CFBundleDevelopmentRegion: The native region for the bundle
■ CFBundleDocumentTypes: The document types supported by the
bundle
■ CFBundleTypeExtensions: File extension to associate with this docu-
ment type
■ CFBundleTypeMIMETypes: MIME type name to associate with this
document type
■ CFBundleTypeName: An abstract (and unique) way to refer to the docu-
ment type
■ CFBundleTypeRole: The application’s role with respect to this docu-
ment type; possibilities are Editor, Viewer, Shell, or None
■ NSDocumentClass: Legacy key for Cocoa applications
■ NSPersistentStoreTypeKey: The Core Data type
Many of these will be important later, when we’re identifying the attack
surface in Chapter 3, “Attack Surface.” It is possible to convert this XML plist
into a binary plist using plutil, or vice versa.
$ plutil -convert binary1 -o Binary.Info.plist Info.plist
$ plutil -convert xml1 -o XML.Binary.Info.plist Binary.Info.plist
$ file *Info.plist
Binary.Info.plist: Apple binary property list
Info.plist: XML 1.0 document text
XML.Binary.Info.plist: XML 1.0 document text
$ md5sum XML.Binary.Info.plist Info.plist
de13b98c54a93c052050294d9ca9d119 XML.Binary.Info.plist
de13b98c54a93c052050294d9ca9d119 Info.plist

Here we first converted QuickTime Player’s Info.plist to binary format. We then
converted it back into XML format. The file command shows the conversion has
occurred and md5sum confirms that the conversion is precisely reversible.

launchd
Launchd is Apple’s replacement for cron, xinetd, init, and others. It was intro-
duced in Mac OS X v10.4 (Tiger) and performs tasks such as initializing systems,
running startup programs, etc. It allows processes to be started at various times
or when various conditions occur, and ensures that particular processes are
always running. It handles daemons at both the system and user level.

The systemwide launchd configuration files are stored in the
/System/Library/LaunchAgents and /System/Library/LaunchDaemons directories.
User-specific files are in ~/Library/LaunchAgents. The difference between
daemons and agents is that daemons run as root and are intended to run in
the background. Agents are run with the privileges of a user and may run in
the foreground; they can even include a graphical user interface. Launchctl is
a command-line application used to load and unload the daemons.
The configuration files for launchd are, not surprisingly, plists. We’ll show
you how one works. Consider the file com.apple.PreferenceSyncAgent.plist.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.PreferenceSyncAgent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/System/Library/CoreServices/PreferenceSyncClient.app/Contents/MacOS/PreferenceSyncClient</string>
        <string>--sync</string>
        <string>--periodic</string>
    </array>
    <key>StartInterval</key>
    <integer>3599</integer>
</dict>
</plist>

This plist uses three keys. The Label key identifies the job to launchd.
ProgramArguments is an array consisting of the application to run as well as
any necessary command-line arguments. Finally, StartInterval indicates that
this process should be run every 3,599 seconds, or just more than once an hour.
Other keys that might be of interest include
■ UserName: Indicates the user to run the job as
■ OnDemand: Indicates whether to run the job when asked or keep it
running all the time
■ StartCalendarInterval: Provides cron-like launching of applications at
various times
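
The plist conversion shown earlier with plutil and the launchd keys just listed can be combined into a small job inventory, which is useful when auditing what launchd starts on a machine. This is an added example, not code from the book: the function names are this example's own, the sample is a constructed copy of the listing above, and the agent/daemon split is inferred from the directory name as the text describes.

```python
import plistlib

# Constructed copy of the com.apple.PreferenceSyncAgent.plist listing above
# (the wrapped program path is joined back onto one line).
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.PreferenceSyncAgent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/System/Library/CoreServices/PreferenceSyncClient.app/Contents/MacOS/PreferenceSyncClient</string>
        <string>--sync</string>
        <string>--periodic</string>
    </array>
    <key>StartInterval</key>
    <integer>3599</integer>
</dict>
</plist>
"""


def load_plist(data):
    """Parse a property list in either encoding; return (format, object)."""
    fmt = "binary" if data.startswith(b"bplist00") else "xml"
    return fmt, plistlib.loads(data)   # plistlib detects the encoding itself


def to_binary(data):
    """In-memory equivalent of `plutil -convert binary1`."""
    return plistlib.dumps(plistlib.loads(data), fmt=plistlib.FMT_BINARY)


def schedule(job):
    """Describe when launchd starts the job, using the keys discussed above."""
    if "StartInterval" in job:
        return "every %d seconds" % job["StartInterval"]
    if "StartCalendarInterval" in job:
        entries = job["StartCalendarInterval"]
        if isinstance(entries, dict):          # one dict or an array of dicts
            entries = [entries]
        fields = ("Minute", "Hour", "Day", "Month", "Weekday")   # cron order
        return "; ".join(" ".join(str(e.get(f, "*")) for f in fields)
                         for e in entries)
    return "kept running" if job.get("OnDemand") is False else "on demand"


def summarise(data, path):
    """Summarise one launchd job file: what runs, as whom, and when."""
    fmt, job = load_plist(data)
    if not isinstance(job, dict) or "Label" not in job:
        raise ValueError("not a launchd job definition: %s" % path)
    argv = job.get("ProgramArguments") or []
    daemon = "/LaunchDaemons/" in path         # daemons run as root by default
    return {"label": job["Label"],
            "format": fmt,
            "kind": "daemon" if daemon else "agent",
            "user": job.get("UserName", "root" if daemon else "(logged-in user)"),
            "program": argv[0] if argv else None,
            "args": argv[1:],
            "schedule": schedule(job)}


if __name__ == "__main__":
    path = "/System/Library/LaunchAgents/com.apple.PreferenceSyncAgent.plist"
    print(summarise(SAMPLE_XML, path))
    print(summarise(to_binary(SAMPLE_XML), path))   # same job, binary encoding
```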
Why should you care about this? Well, there are a few times it might be handy.
One is when breaking out of a sandbox, which we’ll discuss later in this chapter.
Another is when providing automated processing needed in fuzzing, which
we’ll discuss more in Chapter 4’s section “In-Memory Fuzzing.” For example,
consider the following plist file.
Exploring the Variety of Random
Documents with Different Content
Kesselring has already been asked about this, but did not answer.
However, it stands to reason that the Führer, as Supreme
Commander of the Armed Forces, could not issue orders through
Jodl to himself in his capacity of Commander-in-Chief of the Army
and then have them carried out through Generaloberst Zeitzler.
Consequently a separation came about. From that moment on he,
with the General Staff of the Army, directed the entire Eastern Front,
while the Armed Forces Operations Staff became responsible for the
general staff work of all the other theaters of war.
DR. EXNER: Now, the witness Field Marshal Paulus stated
before the Tribunal that the OKW was responsible for the order to
hold Stalingrad; and, as a matter of fact, both Keitel and Jodl have
been repeatedly accused by the foreign press of having given that
disastrous order. Is that true?
JODL: No, that is not true. The witness, for whom I feel the
deepest sympathy and with whom I have worked in the most
comradely fashion possible, could not have known anything at all
about it. The facts are as follows: The moment danger threatened,
the decision that Stalingrad must be held was made by the Führer
during a private conversation with Generaloberst Zeitzler and
contrary to the latter’s advice. Zeitzler told me so himself on his
return from this interview. At a later stage, when blizzards were
already raging across the steppes of the Don, the question of a
break-through by the Stalingrad garrison was discussed again. Field
Marshal Keitel, Generaloberst Zeitzler, and I were present on this
occasion.
THE PRESIDENT: Dr. Exner, I do not quite see how that is
relevant, although Field Marshal Paulus may have said something
about it. I mean, he may have given some evidence on the fighting at
Stalingrad, and he undoubtedly did; but I do not see how it bears
upon the case before us, or how it bears upon the case for Jodl.
DR. EXNER: Mr. President, this has already settled the matter. It
was necessary to clear up Field Marshal Paulus’ error. But this has
already settled the matter.
[Turning to the defendant.] We now come to the time when you
were recalled from Vienna to Berlin in 1939. What state of affairs did
you find in Berlin on your arrival?
JODL: I found a completely incomprehensible state of affairs in
Berlin—at least it was incomprehensible to me. Nobody knew what
was really true or what was bluff. The pact with Russia sustained all
our hopes for the preservation of peace, hopes which were
immensely increased and strengthened by the surprise cancellation
of the attack ordered for 26 August. None of the soldiers to whom I
spoke expected a war with the Western Powers at that time. Nothing
had been prepared except the operations for the attack on Poland.
There was only a defensive deployment of troops on the West
Wall. The forces stationed there were so weak that we could not
even man all the pillboxes. The actual efforts for the preservation of
peace, however, efforts I have heard about here from the Reich
Marshal, the name of Dahlerus—all these negotiations remained
unknown to me insofar as they were not published in the press. But
there is one thing I can say in conclusion. When the declaration of
war was received from England and France it was like a blow from a
cudgel for us soldiers who had fought in the first World War. And I
heard in confidence from General Stapf—today the matter is no
longer confidential—that the Reich Marshal reacted in exactly the
same way.
DR. EXNER: Do you know when Poland mobilized?
JODL: That I cannot say. I only know that at the moment when I
arrived in Berlin and was being informed by General Von Stülpnagel
for the very first time about the situation and our own strength, a
Polish deployment was already in progress along the frontier, as well
as the German one.
DR. EXNER: That in itself already answers the accusation
brought against you in the trial brief, namely “planning against
Poland.”
Had you prepared a plan against Poland?
JODL: No. Not by a single stroke of the pen did I participate in
the preparations for the Polish war.
DR. EXNER: Then I am right in saying, to sum up, that when
you left Berlin there was not yet a plan of operations against Poland?
JODL: No.
DR. EXNER: And when you returned to Berlin the plan was
ready?
JODL: Yes. The plan of attack was completely worked out.
DR. EXNER: Did you hear the Führer’s speech of 22 August
1939 which has been so often quoted here?
JODL: No; on that day I was still in Vienna.
DR. EXNER: When did you hear of that speech?
JODL: For the first time here in Nuremberg.
DR. EXNER: Do you remember the meeting in the Führer’s
special train on 9 September 1939, described here by General
Lahousen? Can you remember that?
JODL: Yes, I remember that meeting perfectly.
DR. EXNER: What was the subject of conversation during that
meeting while you were on the Führer’s train?
JODL: I met the Führer in the so-called command car, in the
chartroom, where Field Marshal Keitel, Canaris, and Lahousen were;
and then Canaris made a brief report on the information he had
received from the West and expressed the opinion that a French
attack in the Saarbrücken sector was imminent. The Führer
contradicted this, and so did I. Apart from that nothing else was
discussed.
DR. EXNER: Then Lahousen’s statement is correct that you
were only present during that particular part of the discussion?
JODL: As far as I am concerned I have not a word of objection
to raise against Lahousen’s statement. Absolutely correct.
DR. EXNER: Frequent mention has been made during this Trial
of the artillery and air bombardment of Warsaw. Did you participate
in the giving of the orders for this?
JODL: Yes, I participated insofar as the Commander-in-Chief of
the Army had applied to the Führer for permission for the artillery to
bombard Warsaw as soon as the deployment of artillery units had
been completed. The Führer refused this. He said, “What is
happening here because of the Poles is madness.” He ordered me
to draft new leaflets—which I did personally and immediately—and
have them dropped again over the city of Warsaw. It was only when
this renewed demand to cease the hopeless resistance had proved
absolutely unsuccessful that he sanctioned artillery bombardment
and air attacks on the fortress of Warsaw—and I emphasize the
word “fortress.”
DR. EXNER: When issuing orders, did you have anything to do
with the co-ordination of German and Soviet Russian operations?
JODL: Yes. When we were still 3 days’ march away from the
Vistula, I was informed to my great surprise—by, I believe, the
representative of the Foreign Office—while I was entering the
Führer’s headquarters, that Soviet Russia would occupy the Polish
territories...
THE PRESIDENT: Defendant, if it is convenient to you, I think
you might speak a little faster.
JODL: ...that the Polish territories east of an agreed
demarcation line would be occupied by Soviet Russian troops at the
appointed time. When we were approaching this agreed demarcation
line, which was shown to me on a map—the line was the East
Prussian Lithuanian border, Narew, Vistula, San—I telephoned to our
military attaché in Moscow and informed him that we could probably
reach individual points of this demarcation line in the course of the
following day. Shortly afterwards I was informed over the telephone
that the Russian divisions were not yet ready.
When, the day after the next, we reached the demarcation line
and had to cross it in pursuit of the Poles, I once again received
news from Moscow, at 0200 hours, that the Soviet Russian divisions
would take up their position along the entire front at 0400 hours. This
maneuver was punctually carried out, and I then drafted an order to
our German troops that wherever they had contacted the troops of
the Soviet Union, and in agreement with them, they were to withdraw
behind the demarcation line.
DR. EXNER: Do you know on what day all this happened?
JODL: I cannot tell you exactly when the troops reached the
line, but I would say it was about 14 or 15 September.
DR. EXNER: We shall now deal with aggressive wars against
the neutral countries...
THE PRESIDENT: Dr. Exner, now all that the defendant has just
been telling us seems to be to me a simple waste of our time, with
absolutely no relevance to this case at all; and why you let him do it,
I do not know.
DR. EXNER: You have been accused of having used your
personal influence and your close relations with the Führer to attack
a whole series of neutral countries. Tell me, is that true?
JODL: No, it is untrue. I remember that a witness here spoke of
a sinister influence, of a key position of a sinister kind—at any rate,
something sinister. But my influence on the Führer was unfortunately
not in the least as great as it might, or perhaps even ought to have
been in view of the position I held. The reason lay in the powerful
personality of this despot who never suffered advisers gladly.
DR. EXNER: When did you first hear of a plan for a possible
occupation of Norway?
JODL: The Führer first spoke to me—I think it was in mid-
November 1939—at any rate, a fairly long time after Grossadmiral
Raeder had first spoken to him. At that first conference, which I
believe took place on 10 October, I had not yet heard of anything nor
did the Führer give me any information. But in the middle of
November he spoke to me about it. I first learned the details during
the oral report made by the Commander-in-Chief of the Navy, which
took place on 12 November and at which I was present.
DR. EXNER: In this connection I would draw your attention to
Document C-64, Exhibit GB-86, Page 46 of the document book. But I
do not need to read it aloud. Volume I, Page 46.
What was the Führer’s point of view?
JODL: The general attitude of the Führer at that time was—it is
also established in writing: “I am not at all interested in extending the
theaters of war, but if the danger of an occupation of Norway by
England really exists and if that is true, then the situation would be
quite different.”
DR. EXNER: Was anything ordered at that time?
JODL: Nothing was ordered at that time, but he merely
instructed me to think this problem over generally. The preliminary
work, as has been proved by documents, began on 27 January
1940.
DR. EXNER: That may be seen from Document C-63, Exhibit
GB-87.
Were you at that time of the opinion that the assurance given by
Hitler in December and October 1939 that Norwegian neutrality
would be respected—were you of the opinion that this assurance
was given for the purpose of lulling Norway into a state of security,
as has been alleged by the Prosecution?
JODL: That allegation can be definitely refuted, and by means of
a few dates which I shall now enumerate. These assurances, these
political assurances, were given by the Führer—or by the Reich
Government, I do not know which—on 2 September and 6 October.
On 9 October the Führer read and signed the famous memorandum
known as Document L-52. I do not know whether the Tribunal is
aware of the fact that it is a personal memorandum by the Führer.
DR. EXNER: That is Document L-52, Exhibit USA-540. It is
printed on Page 48, Volume I, of my document book.
In this memorandum—for whom was the memorandum
prepared?
JODL: This memorandum, as I think is obvious from the
document, went out to the three Commanders-in-Chief and to the
Chief of the High Command of the Armed Forces. It was dictated
word for word by the Führer himself and was completed in 2 nights.
DR. EXNER: I shall read Paragraph 2, printed on Page 48 of my
document book:
“The Nordic States.
“Their neutrality, provided no completely unforeseen
circumstances arise, may be assumed also for the future.
The continuation of German trade with these countries
appears possible, even if the war is of long duration.”
JODL: It is quite out of the question that the Führer, in this
extremely secret memorandum, could have mentioned anything but
his true purpose at that particular time. That, however, is all the more
comprehensible since it was not until 1 day later, namely 10 October,
that Grossadmiral Raeder first mentioned these fears to the Führer.
DR. EXNER: Was the occupation of Norway a very weighty
decision for the leadership?
JODL: It was a terribly weighty decision. To put it shortly—it
meant gambling with the entire German fleet. The result of it was
that we had to defend a coastline of over 3,000 kilometers, and that
meant that nearly 300,000 men were lying idle there. The decision,
therefore, depended on really reliable information that Norway was
threatened by actual danger. That is the reason why no definite date
was fixed for this operation “Weserübung,” and the reason why I at a
later date suggested that the forces for the Norway operation, in
case it became necessary, and for an attack in the West, should be
completely separate from each other.
DR. EXNER: What were the reasons why the occupation had to
be prepared in every detail?
JODL: The reasons are quite openly and definitely stated in the
order of 1 March 1940 which is Document C-174...
DR. EXNER: That is Exhibit GB-89.
JODL: Yes; we had to be prepared in any case.
THE PRESIDENT: Is that Document 174-PS, or what?
DR. EXNER: It is not printed in my document book. It refers to a
document which the British Prosecution has submitted under Exhibit
GB-89.
THE PRESIDENT: But 174 must mean something, must it not?
The document said Document 174.
DR. EXNER: Document C-174.
MR. ROBERTS: My Lord, it is C-174.
THE PRESIDENT: C-174. Very well.
MR. ROBERTS: And it was put in by Mr. Elwyn Jones, in
Document Book 3.
THE PRESIDENT: Yes.
DR. EXNER: Now, you say in your diary that the Führer was
searching for a justification. The meaning has already been
explained here; but you yourself should know best what the meaning
is, since you wrote it yourself. What does it mean?
JODL: The Führer said in those days, when I wrote it—not in a
diary, but in my notebook, my memorandum book—he said: “To
carry out a decision of this kind I need absolutely reliable information
with which I can really justify this decision before the world and prove
that it was necessary. I cannot tell, I only heard the following from
Herr Quisling...” And for this reason he kept the Intelligence Service
in particular very busy at this time, in order to get even more precise
information for the Führer about these many reports which we
received...
DR. EXNER: Now, Grossadmiral Raeder has explained the facts
from which England’s plans could be deduced. Have you anything to
add to that, or is the question settled?
JODL: On the whole, Grossadmiral Raeder has already
submitted all the information. There is one thing which remains in my
memory and which is also written in my notebook. That is the special
insistence, quite openly advocated in the French press, that under all
circumstances Germany must be cut off from the Swedish ore
supplies. Then came the mine-laying in Norwegian territorial waters;
and then came the Altmark case which, according to my study of
international law, was a flagrant breach of the agreement ruling the
rights and duties of neutral states in naval warfare, and Articles 1
and 2...
DR. EXNER: Regarding the first two points which the witness
has mentioned, I should like to draw attention to Document 1809-PS
—that is, his diary, Exhibit GB-88, Page 53 of Volume I of my
collection. There is an entry on 10 March:
“The news about the Finnish-Russian negotiations is very
gratifying from a political point of view. The French press is
furious about it, because it considers it necessary to cut
Germany off from Swedish ore.”
And then the entry of 25 March:
“The English have begun to molest or to fire on our
merchantmen in Danish and Norwegian territorial waters.”
Now, please tell us what gave rise to the decision to attack?
JODL: The Führer’s final decision was made on 2 April and was
made on the basis of two pieces of information. First, the reports
from the Navy regarding repeated firing on German merchant ships
both in Norwegian and Danish territorial waters. Second, a report
from Canaris that British troops and transports were lying in a state
of readiness in the northern part of the English east coast.
DR. EXNER: What would have been the consequences for us if
England had got there first?
JODL: As to that I can refer to Grossadmiral Raeder’s testimony,
and can only say that once Norway was in British hands the war
would have been half lost for us. We would have been strategically
encircled on the northern flank and because of the weakness of our
fleet we would have been incapable of ever rectifying this again.
DR. EXNER: Was indisputable proof found later that the British
plan really existed?
JODL: We captured the entire records of the British brigade
which landed in Namsos and in other places. We surprised and
captured the British war correspondent Romilly in Narvik, where he
expected anything rather than the arrival of German ships, otherwise
he could have escaped capture. To the question what he wanted to
report about the war in peaceful Narvik he could not give us any
information at all.
Later on we captured all the records of the French General
Staff, a part of which have already been presented by Admiral
Raeder’s counsel. Particularly instructive, and of great interest to me,
were the diaries carried by the English officers and some of the
noncommissioned officers whom we captured in Norway. At least
they proved one thing, namely, that all these troops had already
been embarked and had been put ashore again the moment our
German fleet advanced towards Norway.
DR. EXNER: I should like to refer again to two entries in the
diary, Page 54, Volume I of my document book, the entry of 24 April
and the entry of 26 April. There it says:
“Major Soltmann reports on the interrogation of the
Englishmen and submits additional important documents,
among them the secret Army list. At noon the first prisoners
arrived in Berlin. They are being interrogated in the
Alexander Barracks and confirm the authenticity of the
orders. All the material is being handed over to the Foreign
Office.”
In conclusion, I also draw your attention again to Soltmann’s
interrogatory. It is Document AJ, Number 4, Exhibit Jodl-57, which I
now present; Page 173 of Volume II. I need not read it aloud; I
merely draw your attention to Soltmann’s answers to questions 4
and 5.
Now, one last question about this Norwegian affair. The English
representative of the Prosecution has said that this shows how
honorable the soldiers were who attacked Norway and then made
use of lies and excuses. What do you say about this?
JODL: The Prosecution has thereby placed a purely operational
problem on the level of soldierly or human honor. Until now that has
never been the custom in this world. I can only say that I neither
attacked Norwegians, nor did I resort to lies or excuses. But I did use
all my strength to contribute to the success of an operation which I
considered absolutely necessary in order to forestall a similar action
on the part of the English. If the seals of the archives are ever
broken, the rightness of my attitude will then be clearly shown. But
even if it were wrong, the honesty of my own subjective opinion at
that time cannot for that reason be changed in any way.
DR. EXNER: We will now talk about the war in the West. After
the end of the Polish campaign, was there already an operational
plan for attacks in the West?
JODL: No. To begin with, there was no plan of attack in the
West; but, on the contrary, there was, particularly in the Army, a
widespread opinion that the war would die a natural death if only we
kept quiet in the West. That went so far that the Commander-in-Chief
of the Army transformed even mobile infantry divisions into fortress
divisions, and took away all their mobile equipment from them.
DR. EXNER: Did you already know during the Polish campaign
what the Führer’s intentions were concerning the West?
JODL: The Führer himself had his doubts during the Polish
campaign. He too could find no plausible explanation for the
complete inactivity of the French and English forces in France, who
only staged a kind of a sham war with the help of their war
communiqués. In reality not a single shot was fired at the front. But
by the end of September, if I remember rightly, the Führer did realize
that once England enters a war she fights it out to the bitter end.
DR. EXNER: As an officer of the General Staff you should be
able to answer the following questions better than anybody else.
Could we, from a purely strategical viewpoint, have remained purely
on the defensive as far as the West was concerned?
JODL: I shall be very brief since such problems are not directly
connected with the Trial. I will only say that it would have been the
greatest possible error of strategy, because the superiority we
possessed at that time would necessarily have diminished in
proportion to our delay in making aggressive use of it; for England
was continually bringing further divisions over to France, just as the
French were from their colonial empire.
I believe I need say no more about that.
DR. EXNER: I draw your attention to Document C-62, Exhibit
GB-106, Volume I of my document book, Page 56. I need not,
however, read it aloud. It is a directive for the conduct of the war, and
contains the basic ideas which we have already heard expressed.
JODL: One thing more is perhaps important. The Führer took
such a serious view of this danger, that we might not maintain our
superiority in the long run, that he actually wanted to attack in the
winter, although all soldiers without exception advised him against it.
DR. EXNER: Here attention might be drawn to our document,
Volume I, Pages 48 and 49. It is a memorandum of the Führer on the
conduct of the war in the West, from which Jodl has already quoted
Document L-52, Exhibit USA-540. A detailed justification of this is on
Page 49 of my document book.
Why then was France not attacked without violating the
neutrality of Holland, Luxembourg, and Belgium?
JODL: It was no trifle for the Führer to create new enemies
possessing a strength of 500,000 men, which the Dutch and Belgian
forces represented. It resulted in our having to make the attack in the
West with actually inferior forces, namely, with 110 divisions against
approximately 135 of the enemy. No military commander would do
that except in an emergency.
DR. EXNER: Now, what were the reasons?
JODL: We were not in a position to break through the Maginot
Line at its strongest points, which would then have remained
uncaptured—namely, between the Rhine and the Luxembourg
border, or the Upper Rhine where the Vosges mountains were an
additional obstacle in breaking through this West Wall at these
points, this Maginot Line. For this purpose heavy artillery was
lacking. But that was not a moral reason; it was, in fact, rather an
unmoral one.
The great danger lay in the fact that so protracted an attack on
the fortifications exposed us to an attack in the rear by the combined
English and French mobile forces thrusting through Belgium and
Holland; and they were north of Lille with their engines already
running, one might say, for this very task. And the decisive factor
was that owing to the many reports which reached us, the Führer
and we ourselves, the soldiers, were definitely under the impression
that the neutrality of Belgium and Holland was really only pretended
and deceptive.
DR. EXNER: How did you arrive at that conclusion?
JODL: Individually the reports are not of great interest. There
was, however, an endless number of reports from Canaris. They
were supplemented and confirmed by letters from the Duce,
Mussolini. But what was absolutely proved and completely certain,
which I could see for myself on the maps every day, were the nightly
flights to and fro of the Royal Air Force, completely unconcerned
about neutral Dutch and Belgian territory. This necessarily
strengthened the conviction in us that even if the two countries
wished to—and perhaps in the beginning they did so wish—they
could not possibly remain neutral in the long run.
DR. EXNER: What danger would the occupation of Belgium and
Holland by the English and French have meant to us?
JODL: Those dangers were quite clearly indicated by the
Führer, first, in his memorandum, Document L-52, which has been
repeatedly quoted. There, on Page 48 of the document book, in the
last paragraph of the page, is a reference to the enormous
importance of the Ruhr—of which, incidentally, there seems to be
quite sufficient evidence even today.
In his address of 23 November 1939 to the Commanders-in-
Chief—Document 789-PS, or Exhibit USA-23—he describes once
more, on Page 59, Volume I of the document book, precisely how
that danger would be for the Ruhr district if one day British and
French forces were to appear by surprise in that region. He referred
to it there as the “Achilles’ heel,” and that is just what it was for
German war strategy.
DR. EXNER: And he said there, on Page 59 of our document
book:
“We have an Achilles’ heel: the Ruhr district. The strategy
of the war depends on the possession of the Ruhr district. If
England and France thrust through Belgium and Holland
into the Ruhr, we shall be in the very greatest danger.”
JODL: I cannot, of course, or could not at the time, swear to the
absolute accuracy of the numerous reports from Canaris, but the
material we captured afterwards—and in this connection I would
draw your attention to the conference of the Supreme War Council in
London of 17 November 1939—confirmed on the whole the accuracy
of the intelligence reports.
DR. EXNER: Presumably you had no reason at that time to
doubt Canaris’ honesty, had you?
JODL: No. At that time there was not the slightest reason for
doubt.
DR. EXNER: Yes. But now some doubt has arisen as to his
honesty.
Now, the German attack was originally planned for November
1939. Why did the Führer postpone it over and over again? We have
before us no less than 17 orders postponing the attack time and
again.
JODL: It is not quite correct to say that the Führer had ordered
the attack for mid-November, but rather he wanted to order the
attack for a time when the meteorologists could predict about 6 or 7
days of clear, frosty weather. But the meteorologists failed
completely in this. At times they thought they could predict such a
state of the weather, and then all preparations would be made for the
attack. Then they would cancel their weather forecasts again, and
the final preparations for attack would be discontinued once more.
That is why we so often prepared for the attack and then refrained
from carrying it out.
On such an occasion I received a report from Canaris to the
effect that one unit of the French Army had already crossed one part
of the Belgian frontier. I do not know if that is true.
DR. EXNER: You have been accused by the Prosecution of first
deceiving these countries and then invading them. Please tell us
what you have to say on that subject.
JODL: The same applies here as I said before. I was neither a
politician, nor was I the military Commander-in-Chief of the
Wehrmacht. I was under the impression—and, indeed, an
impression which could be proved—that in actual fact the neutrality
of these two countries was no longer being respected. And as for the
ethical code of my action, I must say that it was obedience—for
obedience is really the ethical basis of the military profession. That I
was far from extending this code of obedience to the blind code of
obedience imposed on the slave has, I consider, been proved
beyond all manner of doubt by my previous testimony. Nevertheless,
you cannot get around the fact that, especially in operational matters
of this particular kind, there can be no other course for the soldier but
obedience.
And if the Prosecution today is in a position to indict German
officers here at all, it owes this only to the ethical concept of
obedience of its own brave soldiers.
DR. EXNER: We now come to the Balkans. In your diary,
Document 1809-PS, on 19 March you made the following entry: “The
Balkans should and must remain quiet.” That is on Page 61 of
Volume I of my book, Exhibit GB-88, Document 1809-PS, the entry
of 19 March. It says first:
“The Führer has returned beaming with joy and highly
satisfied from the conference with the Duce. Complete
agreement. ... The Balkans should and must remain quiet.”
What does that mean?
JODL: Herr Professor, I must correct you. This is not my diary.
DR. EXNER: Yes. Well then I must put in another question here.
Your diary and your diaries are always being talked about. Explain
just what this is—what we are dealing with here. Is one a real diary
and the other not?
JODL: There is only one diary, and that is Document 1780-PS,
which is from the year 1937 to 1938, and I used to make entries in it
every evening.
DR. EXNER: And now this diary, Document 1809-PS, what was
that?
JODL: I kept no diary at all during the war, but, of course, I filled
up dozens of small notebooks. When one of these notebooks was
full I marked important passages in red on the margin, and my
secretary copied them out later, as they might be important for
writing the history of the war and for the official diary of the Armed
Forces Operations Staff. An example would be Document 1809-PS.
DR. EXNER: Did you check what your secretary had compiled?
JODL: No, I did not check it, and never saw it again. It fell then
into the hands of the Prosecution.
DR. EXNER: Now, there is still a third one which is always
quoted here as a diary. That is the Diary of the Armed Forces
Operations Staff.
THE PRESIDENT: You said it fell into the hands of the
Prosecution. Do you mean it was not one of the documents that you
handed over to the Prosecution?
JODL: No. I did not know at all where those extracts from my
notebook had gone. The Prosecution captured it somewhere or
other. The remainder are extracts, and partial extracts, from the
official Diary of the Armed Forces Operations Staff.
DR. EXNER: And who kept this, the official Diary of the Armed
Forces Operations Staff? Not you?
JODL: No. It was always kept by a highly qualified expert of my
own selection.
DR. EXNER: Did you check it?
JODL: The final check was made by Dr. Schramm, a professor
at the Göttingen University.
DR. EXNER: We shall hear him as a witness.
Did you check the entries made in that official diary, or did you
not?
JODL: I usually did not have the time; but if General Scherff
read through it and discovered anything in particular he would draw
my attention to it.
DR. EXNER: Well, so much for clearing that up.
We now come back to the Balkan question again. It says in your
so-called diary, “The Balkans should and must remain quiet.” What
was meant by that?
JODL: That was a brief note on the statement by the Führer—
namely, that he was in perfect agreement with Mussolini that the
Balkans must be kept quiet.
DR. EXNER: And did we not actually try to keep the Balkan
states as quiet as possible?
JODL: Yes. We made unremitting endeavors for that. Our
attitude toward Yugoslavia was as considerate as if we were dealing
with a prima donna. Matters went so far that when we had to prepare
the Greek campaign the Führer even refused a proposal from the
Quartermaster General of the Army that sealed trains—the supply
trains—should be sent through Yugoslavia, which would have been
permissible according to international law. Moreover, we brought
pressure to bear on Bulgaria so that she should not participate in the
impending campaign against Greece, above all so as not to alarm
Turkey. And even after the Greco-Italian campaign, the Führer still
hoped that a conflict, an actual war, between Germany and Greece
could be avoided.
DR. EXNER: I refer here to Directive Number 18, printed on
Page 66 of Volume I of our document book, which contains an
extract from Document 444-PS, Exhibit GB-116, and here we find
the following statement in the paragraph before the last:
“The preparatory measures of the High Command for the
conduct of the war in the near future are to be made in
accordance with the following guiding principles...”
And it is then stated in the last but one paragraph of that page:
“The utilization of the railway through Yugoslavia may not
be counted on for the deployment of these forces...”
Well, what forced us to give up this program?
JODL: That program was completely wrecked by Italy’s arbitrary
act, about which the Reich Marshal and the Grossadmiral have
already made statements. I have only a brief addition to make. Italy
was beaten, as usual, and sent the Chief of the Operational Staff of
the Supreme Command to me crying for help. But in spite of this
calamity the Führer did not intervene in the war in Albania. He did
not send a single German soldier there, although the matter had
been under consideration. He ordered only an operation against
Greece, starting from Bulgaria, to be prepared for the following
spring. Even that was for the primary purpose of occupying the
Salonika Basin, thereby giving direct relief to the Italians and only in
the event, which to be sure was feared, of English divisions now
landing in the Balkans as the result of Italy’s madness. In that case it
was decided to consider the whole of Greece as an operational area,
since we could not possibly tolerate a Royal Air Force base in the
immediate vicinity of the Romanian oil fields. And this contingency is
shown very clearly in the order which has been submitted to the
Tribunal as Document 1541-PS, Exhibit GB-117, Pages 63 and 64 of
the document book. I should like to quote two passages, two very
brief passages from it. In Paragraph 2, Subparagraph b of Page 63,
it says:
“ ‘Operation Marita.’ My plan therefore is”—I am quoting
—“... to send these forces straight through Bulgaria, for the
occupation of the north Aegean coast and, if necessary, the
entire mainland of Greece.”
I then quote from Page 64, Paragraph 4, Subparagraph a:
“The primary objective of the operation is the occupation of
the Aegean coast and the Salonika Basin. The continuation
of the attack by way of Larissa and the Isthmus of Corinth
may prove necessary.”
It is quite obvious from these conditional orders that the
occupation of the whole of Greece was intended only if we should be
forced to take this measure by the landing of English troops, which at
that time was not yet the case.
THE PRESIDENT: The Tribunal will adjourn now.
[A recess was taken.]

DR. EXNER: You said we had planned to leave Yugoslavia
neutral. Now this plan was apparently changed by the Simovic
Putsch. Why did this event alter our policy toward Yugoslavia?
JODL: This Putsch against a legal government, by officers
meddling in politics, immediately after Yugoslavia had joined the
Tripartite Pact had necessarily an anti-German tendency. We stood
directly on the verge of the campaign against Greece, against the
whole of Greece, for in the meantime English divisions had landed
there, and this campaign could only be waged with a safely neutral
Yugoslavia behind us.
THE PRESIDENT: Dr. Exner, various other members of the
defendants—Defendants Göring and Keitel—have dealt with the
political aspects of the entry of Germany into Yugoslavia. Unless
there is anything new for this defendant to give evidence about it
seems to be entirely cumulative.
DR. EXNER: Then kindly just tell us, if you have anything new to
add—some documents, et cetera.
JODL: I have something to add which concerns myself
personally.
THE PRESIDENT: Nothing is coming through—the English was
not coming through. Please, try it again. Repeat what you said.
JODL: I have something else to add which concerns me
personally with regard to the Yugoslav problem...
THE PRESIDENT: No. There is nothing coming through to us.
Go on then, Defendant. You were asked if there is anything new to
say.
JODL: Yes, I have something personal to add.
DR. EXNER: Yes, do so.
JODL: On this morning when the Führer spontaneously ordered
the immediate preparation of an attack on Yugoslavia, I proposed to
him, or at least I mentioned to him, that after concentrating our
troops we ought first to clarify the real situation, the political situation,
by an ultimatum. He refused to do so. He said, “That will not be of
any use.” Field Marshal Keitel has already confirmed this.
DR. EXNER: Tell me, was that on 27 March?
JODL: Yes, that was on the 27th. May I give proof of this. On the
evening of the 27th the order was issued...
THE PRESIDENT: I do not think it is necessary if the Defendant
Keitel said it, and you say it, and there is no cross-examination about
it.
DR. EXNER: But I feel that there is something important.
JODL: A document was submitted, Document 1746-PS, Exhibit
GB-120, on Page 70 of the document book.
DR. EXNER: Page 71.
JODL: Yes, the text is on Page 71. If the Court will compare this
sentence on Page 71, Paragraph 1, with the sentence on Page 69 of
the document book a difference will be noticed. Page 69 contains the
order signed by the Führer, and it begins with this sentence which I
shall quote:
“The military Putsch in Yugoslavia has altered the political
situation in the Balkans. Even if she makes a declaration of
loyalty, Yugoslavia must be considered as an enemy and
therefore beaten as quickly as possible.”
This, as appears from the date, was issued on 27 March. I
worked that whole night at the Reich Chancellery, which is another
proof of the sudden nature of the whole case. At 4 o’clock on the
morning of the 28th, as stated on Page 71, I put the following aide-
mémoire, this operational aide-mémoire, into the hand of General
Von Rintelen, our liaison officer with the Italian High Command. In it I
had written—I quote:
“Should political developments call for armed intervention
against Yugoslavia, it is the German intention...” et cetera.
I must admit that, in this instance, I ventured a little into the
political field, but in so doing I thought that if Germany did not clarify
the political situation beyond any doubt, Italy perhaps might do it.
DR. EXNER: The next document is also evidence of the
suddenness of this decision, and I have had it printed on Page 73,
Volume 1. That is the order issued by the High Command of the
Army on the basis of these directives—the order for deployment of
troops for the operation. That is Document R-95, Exhibit GB-127,
Page 73, of Volume I, as I have already stated, and it says there:
“As a result of the change in the political situation...” et
cetera—and then—“there will be concentrated...”—and then
the last paragraph states—“The operation will be given the
code name ‘Project 25.’ ”
I ask you, Generaloberst, can anything be gathered from this?
JODL: The order issued was not until 3 April...
DR. EXNER: No, 30 March.
JODL: ...30 March.
DR. EXNER: Did the operation receive the code name “Project
25”?
JODL: A code name for this operation was ordered for the first
time 3 days after the Putsch, which proves that it had not been
planned in 1937 as was once stated here.
DR. EXNER: And now, just one last question on this Balkan
matter. Was Greek neutrality still being maintained on 24 March
1941 when we gave permission for the Luftwaffe attack on her
