Pai Mei on Mac OSX 10.8

tl;dr

Pai Mei is an open source Windows reverse engineering framework. At one point it was ported to Mac OSX, but the project is not very actively maintained and the current instructions are quite lacking. This post hopes to offer some guidance and reduce some of the frustration involved in installing Pai Mei on Mac OSX.

Getting the libraries

The most difficult thing was finding out how to get all the packages working. First and foremost, Pai Mei was designed as a 32-bit Windows library, so some trickery is required to get it to work in 64-bit mode (which is necessary, because I could not get the latest wxPython from Homebrew to work in 32-bit mode). I did not realize at first that there was a way to use Pai Mei in 64-bit mode, so I spent a long time attempting to find universal binaries for wxPython and MySql.

Pai Mei depends on a number of packages:

  • mysql-python: I installed via pip install mysql-python.
  • pydasm: I installed via pip install pydasm.
  • ctypes: I believe is included by default in Python 2.5 and higher.
  • MySql: I installed via brew install mysql --universal to have a universal binary (downloading from the MySql homepage means you will get a single architecture binary).
  • wxPython: I installed via brew install wxmac --universal and then manually symlinked it into the correct location:
    (I sincerely hope there is a better way, but I couldn’t find one.) Note: as of yet, I haven’t found a way to get wxPython to work in 32-bit Python. I’ll update the post when I figure that out.

Installing Pai Mei

Pai Mei uses the pydbg library (I believe it is linked incorrectly in the repository as a git submodule). I strongly encourage you to use this version of pydbg instead, which is a port to 64-bit Mac OSX by Charlie Miller and fG. Cloning the repository and installing via the instructions in MacOSX/README worked fine for me. Warning: you can only use this library to debug a 32-bit process from 32-bit Python and a 64-bit process from 64-bit Python; to use 32-bit Python, do:

After installing pydbg64, I now had a directory tree that looked like:

I deleted the paimei/pydbg directory and added a symlink to the pydbg64/pydbg directory, then copied the fat libmacdll.dylib from pydbg64/pydbg/libmacdll.dylib to paimei/utils. This left a directory tree that looked like this:

We now need to install all the Pai Mei packages (utils, pida, pgraph) into the correct place so Python can find them.

Running Pai Mei

Before we can run Pai Mei, we must initialize the database:

Next, we have to patch a few bugs in Pai Mei (it calls a deprecated function, and the MySql modal dialog tries to helpfully destroy itself after successfully connecting to the database, but unfortunately does so before Python is completely done with it).

Now, we must make sure that Python has the appropriate permissions to monitor other processes before we can use Pai Mei. Unfortunately, this is not so easy anymore – since Snow Leopard, processes must be code signed in order to escalate privileges (a good writeup here). We could possibly patch pydbg to ask for permissions and sign it, or disable some system-wide setting, but for now we will just run Pai Mei as root.
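As an added example (not code from the post or from Pai Mei/pydbg64), here is a small pre-flight check for the two constraints above: the interpreter's bitness must match a slice present in the target Mach-O (the 32-bit/64-bit restriction noted under Installing Pai Mei), and the effective uid must be root for task_for_pid to succeed. It reads the thin and fat headers defined in <mach-o/loader.h> and <mach-o/fat.h> for i386/x86_64 images; the function names and the sample headers are my own constructions.

```python
import os
import struct
import sys
MH_MAGIC = 0xfeedface        # thin 32-bit Mach-O (<mach-o/loader.h>), host order
MH_MAGIC_64 = 0xfeedfacf     # thin 64-bit Mach-O
FAT_MAGIC = 0xcafebabe       # fat/universal binary (<mach-o/fat.h>), big-endian
CPU_ARCH_ABI64 = 0x01000000  # bit set in cputype for 64-bit slices
CPU_TYPE_X86 = 7             # i386; x86_64 is CPU_TYPE_X86 | CPU_ARCH_ABI64

def macho_slices(data):
    """Return the set of bitnesses ({32}, {64} or both) in a Mach-O image."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == MH_MAGIC:
        return {32}
    if magic == MH_MAGIC_64:
        return {64}
    big_magic, nfat = struct.unpack(">II", data[:8])
    if big_magic != FAT_MAGIC:
        raise ValueError("not a Mach-O image")
    slices = set()
    for i in range(nfat):
        off = 8 + i * 20  # sizeof(struct fat_arch) == 20 bytes, all big-endian
        (cputype,) = struct.unpack(">I", data[off:off + 4])
        slices.add(64 if cputype & CPU_ARCH_ABI64 else 32)
    return slices

def python_bits():  # 32 or 64, derived from the interpreter's pointer size
    return 64 if sys.maxsize > 2 ** 32 else 32

def preflight(target_data, euid=None):
    """List the problems that would make an attach fail; empty list means go."""
    problems = []
    try:
        slices = macho_slices(target_data)
    except (ValueError, struct.error) as e:  # struct.error: file too short
        problems.append("target: %s" % e)
        slices = set()
    bits = python_bits()
    if slices and bits not in slices:
        problems.append("python is %d-bit but target has no %d-bit slice" % (bits, bits))
    euid = os.geteuid() if euid is None else euid
    if euid != 0:
        problems.append("euid %d is not root: task_for_pid will be refused" % euid)
    return problems

# Constructed sample headers (not real binaries), just enough for the parser.
THIN64 = struct.pack("<I", MH_MAGIC_64) + b"\0" * 28
FAT_I386_X86_64 = (struct.pack(">II", FAT_MAGIC, 2)
                   + struct.pack(">5I", CPU_TYPE_X86, 3, 4096, 0, 12)
                   + struct.pack(">5I", CPU_TYPE_X86 | CPU_ARCH_ABI64, 3, 8192, 0, 12))
```

In practice you would call preflight(open(path, "rb").read()) on the target binary before attaching; a non-empty list tells you which of the two requirements is unmet.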

A last disclaimer: the process stalker uses the name of the executable to find which pida module to load. Unfortunately, it truncates the process name, stripping the directory, but insists that the name matches the full path to the pida module. I managed to hard code it to just always use the first pida module, but I don’t know what the correct solution is.

After all this, I finally got Pai Mei (barely) working but I suspect I would have had an easier time and more fun just writing it myself ;-)

Writeup by Alex Reece, see me on Google+.

  1. Nice article.
    I remember it was a mess for me too back in the days to install it, and also play with it.

    Let me know if you wanna work together on a file fuzzer similar to this one, but written in Ruby. It would be some cool research I had in mind for quite some time.

    Cheers
    antisnatchior

    January 4th, 2013