DECRYPTING IOS APPS

Decrypting an iOS app can be done directly with Clutch (1, 2); this post is only an exercise in learning iOS binary manipulation.

KFC is used as the example below.

1). ssh to your device - Ref
2). Find your target App - Ref

find /private/var/mobile/Containers/Bundle/Application/ -name 'SUPER_APP'  
/private/var/mobile/Containers/Bundle/Application/3FDA7FA6-48BE-4567-94D2-F9AB0AE3D394/SUPER_APP.app/SUPER_APP

3). Find the Binary

$ otool -arch all -Vh SUPER_APP
SUPER_APP (architecture armv7):
Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
   MH_MAGIC     ARM         V7  0x00     EXECUTE    65       6380   NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE
SUPER_APP (architecture arm64):
Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
MH_MAGIC_64   ARM64        ALL  0x00     EXECUTE    65       7016   NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE

-V print disassembled operands symbolically
-h print the mach header
-l print the load commands

4). Find the encrypted area

$ otool -arch all -Vl SUPER_APP | grep -A5 LC_ENCRYP
          cmd LC_ENCRYPTION_INFO
      cmdsize 20
     cryptoff 16384
    cryptsize 16220160
      cryptid 1
Load command 13
--
          cmd LC_ENCRYPTION_INFO_64
      cmdsize 24
     cryptoff 16384
    cryptsize 18333696
      cryptid 1
          pad 0

-A, --after-context=NUM print NUM lines of trailing context

  • cryptoff is 16384, the start of the encrypted portion.
  • cryptsize is 16220160 (armv7) and 18333696 (arm64), the size of the encrypted area.
  • Note cryptid, which is 1. This means the application is encrypted. We will flip this later so iOS thinks the binary is already decrypted and won't try to decrypt the app again.

otool -arch arm64 -Vl SUPER_APP | less

The app starts at 0x0000000100000000 and our encrypted data starts at file offset 16384, which is 0x4000 in hexadecimal.

0x0000000100000000 + 0x4000 = 0x100004000

0x100004000 is where we will want to begin to extract a binary dump.
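As an added example (not part of the original post), here is a small Python parser that pulls LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 out of a thin or fat Mach-O and computes the same address range as above, so you can check cryptid without otool. It assumes the arm64 __TEXT base of 0x100000000 used on this page (in real use read it from the LC_SEGMENT_64 command) and runs on a constructed sample built from the page's values, not a real app binary.

```python
import struct

# Mach-O constants (from <mach-o/loader.h> and <mach-o/fat.h>)
MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM64 = 0x0100000C
TEXT_VMADDR = 0x100000000  # assumed arm64 __TEXT base, as on the page

def parse_slice(data, off=0):
    """Walk the load commands of one thin (little-endian) Mach-O slice and
    return its LC_ENCRYPTION_INFO(_64) fields, or None if there is none."""
    magic = struct.unpack_from("<I", data, off)[0]
    if magic == MH_MAGIC_64:
        pos = off + 32            # mach_header_64 is 32 bytes
    elif magic == MH_MAGIC:
        pos = off + 28            # mach_header is 28 bytes
    else:
        raise ValueError("not a thin Mach-O slice at offset %d" % off)
    ncmds = struct.unpack_from("<I", data, off + 16)[0]
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, pos)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, pos + 8)
            return {"cryptoff": cryptoff, "cryptsize": cryptsize, "cryptid": cryptid}
        pos += cmdsize
    return None

def encryption_info(data):
    """Map cputype -> encryption info for every slice of a thin or fat binary."""
    if struct.unpack_from(">I", data)[0] != FAT_MAGIC:
        return {struct.unpack_from("<i", data, 4)[0]: parse_slice(data)}
    nfat = struct.unpack_from(">I", data, 4)[0]   # fat headers are big-endian
    slices = {}
    for i in range(nfat):
        cputype, _sub, offset, _size, _align = struct.unpack_from(">iIIII", data, 8 + 20 * i)
        slices[cputype] = parse_slice(data, offset)
    return slices

def dump_range(info, base=TEXT_VMADDR):
    """Virtual address range [start, end) holding the encrypted __TEXT data."""
    start = base + info["cryptoff"]
    return start, start + info["cryptsize"]

def build_sample():
    """Constructed arm64 slice wrapped in a fat header, using the page's values."""
    lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 16384, 18333696, 1, 0)
    hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 1, len(lc), 0, 0)
    fat = struct.pack(">II", FAT_MAGIC, 1) + struct.pack(">iIIII", CPU_TYPE_ARM64, 0, 0x4000, len(hdr) + len(lc), 14)
    return fat.ljust(0x4000, b"\0") + hdr + lc
```

Running `encryption_info(open(path, "rb").read())` on a real app binary gives the same cryptoff/cryptsize/cryptid triple otool prints per architecture.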

5). Extract unencrypted data

The original article suggests using GDB, but GDB apparently no longer supports fat binaries (ref), so LLDB is needed.

The following command cannot be run:

(gdb) dump binary memory memorydump.bin 0x100004000 (0x100004000 + 18333696)

~~Dumping memory with LLDB still needs some exploring.~~

Update 7 Mar 2017:
Dumping the encrypted binary section with LLDB:

(lldb) memory read --outfile /tmp/dump.bin --binary 0x100004000 (0x100004000+18333696)

Bonus - gdb vs lldb

Ref