Tuesday, February 10, 2009

How to decrypt iPhone IPA file

Decrypted IPA
Please take note that you don't need this method to decrypt the IPA file, if you already have the decrypted one downloaded from the net. This method applies to the app that you have directly purchased from App Store and want to decrypt it in order to be useful for others.

One of the decrypt methods is to use a jailbreak iPhone and run the script (source from pr0x.org Forum) below in iPhone to create the decrypted ipa.

To use this method you must have installed the app from App Store in jailbreak iPhone plus the following packages from Cydia
com.ericasadun.utilities gdb gawk zip ldid odcctools

Use the following commands in iPhone to install, if you don't like to use Cydia.
apt-get install com.ericasadun.utilities gdb gawk zip ldid odcctools

To find out the app names that your iPhone have installed, run this command in iPhone
find /var/mobile/Applications/ -iname *.app

and use this command to generated the decrypted ipa e.g.
./DCrypt.sh "Monkey Ball"


DCrypt.sh Select all

#!/bin/sh
#
# DeCrypt - v1.1 (2008-10-21)
# - v1.1 (2008-10-21)
# FloydianSlip
#
# Heavily based on xcrack
#
# Many thanks to:
# puy0, SaladFork, Flox, Flawless
#

echo "DeCrypt 1.1 (2008-10-21)"
echo "FloydianSlip"
echo

if [ ! -e /usr/bin/plutil ]; then
echo "Cannot find plutil (apt-get install com.ericasadun.utilities)"
exit 1
fi

if [ ! -e /usr/bin/gdb ]; then
echo "Cannot find gdb (apt-get install gdb)"
exit 1
fi

if [ ! -e /usr/bin/otool ]; then
echo "Cannot find otool (apt-get install odcctools)"
exit 1
fi

if [ ! -e /usr/bin/ldid ]; then
echo "Cannot find otool (apt-get install ldid)"
exit 1
fi


if [ ! -e /usr/bin/awk ]; then
echo "Cannot find awk (apt-get install gawk)"
exit 1
fi

if [ ! -e /usr/bin/zip ]; then
echo "Cannot find zip (apt-get install zip)"
exit 1
fi

if [ $# -ne 1 ]; then
echo "Usage: $(basename $0) <ApplicationName>"
echo
exit 1
fi

AppInput=$1

if [ -d "$AppInput" ]; then
tempLoc=$AppInput
else
echo "Locating $AppInput"
tempLoc=$(find /var/mobile/Applications -iname "$AppInput.app")
if [ -z "$tempLoc" ]; then
echo "Unable to locate $AppInput"
exit 1
fi
AppCount=$(find /var/mobile/Applications -iname "$AppInput.app" | wc -l)
if [ $AppCount -gt 1 ]; then
echo "Found two installation directories:"
find /var/mobile/Applications -iname "$AppInput.app"
exit 1
fi
fi

AppPath=$(dirname "$tempLoc")
AppName=$(basename "$tempLoc")
AppExec=$(plutil -v CFBundleExecutable "$tempLoc/Info.plist" 2>&1 | awk -F "] " '{ print $2 }')
AppVer=$(plutil -v CFBundleVersion "$tempLoc/Info.plist" 2>&1 | awk -F "] " '{ print $2 }')
AppDisplayName=$(plutil -v CFBundleDisplayName "$tempLoc/Info.plist" 2>&1 | awk -F "] " '{ print $2 }')

if [ ! -d "$AppPath" ]; then
echo "Unable to locate original installation directory"
exit 1
fi

if [ ! -d "$AppPath/$AppName" ]; then
echo "Unable to locate .app directory"
exit 1
fi

if [ ! -e "$AppPath/$AppName/$AppExec" ]; then
echo "Unable to locate executable"
exit 1
fi

echo "Found $AppName"

echo "Creating directories"
WorkDir="/tmp/DecryptApp-$(date +%Y%m%d-%H%M%S)"
NewAppDir="$HOME/Documents/Decrypted"

if [ -e "$WorkDir" ]; then
rm -rf "$WorkDir"
fi

mkdir -p "$WorkDir"

if [ ! -e "$NewAppDir" ]; then
mkdir -p "$NewAppDir"
fi

if [ ! -d "$WorkDir" -o ! -d "$NewAppDir" ]; then
echo "Unable to create Directories"
exit 1
fi

echo "Copying application files"

cp -a "$AppPath/$AppName/" "$WorkDir/"

if [ ! -e "$WorkDir/$AppName/$AppExec" ]; then
echo "Unable to copy application files"
rm -fr "$WorkDir"
exit 1
fi

echo "Analyzing application"

CryptID=$(otool -l "$WorkDir/$AppName/$AppExec" | grep cryptid | awk '{print $2}')
if [ $CryptID -ne "1" ]; then
echo "Application is not encrypted"
rm -fr "$WorkDir"
exit 1
fi

CryptSize=$(otool -l "$WorkDir/$AppName/$AppExec" | grep cryptsize | awk '{print $2}')
if [ ! $CryptSize ]; then
echo "Unable to find CryptSize"
rm -fr "$WorkDir"
exit 1
fi

CryptOff=$(otool -l "$WorkDir/$AppName/$AppExec" | grep cryptoff | awk '{print $2}')
if [ ! $CryptOff ]; then
echo "Unable to find CryptOff"
rm -fr "$WorkDir"
exit 1
fi

echo "Locating and patching CryptID"

# "/System/Library/Frameworks" in hex
PathAsHex="2f53797374656d2f4c6962726172792f4672616d65776f726b73"

# - Convert to hex on 1 long line, only take stuff before the path string,
# - Convert to 1 byte set per line, find 0x01 (line number is offset in the real file),
# - Strip newlines, reverse the order
oneLocations=($(od -A n -t x1 -v "$WorkDir/$AppName/$AppExec" | \
tr -d ' ','\n' | \
sed "s/$PathAsHex.*\$//" | \
sed "s/../&\n/g" | \
grep -n -s 01 | \
cut -d : -f 1 | \
sort -nr | \
tr "\n" " "))

for TryOffset in "${oneLocations[@]}"; do
cp -a "$WorkDir/$AppName/$AppExec" "$WorkDir/$AppName/$AppExec.trying"
foo=$(echo -ne "\x00" | dd bs=1 seek=$((TryOffset - 1)) conv=notrunc status=noxfer of="$WorkDir/$AppName/$AppExec.trying" 2>&1> /dev/null)
cid=$(otool -l "$WorkDir/$AppName/$AppExec.trying" | grep cryptid | awk '{print $2}')
if [ $cid -eq 0 ]; then
break
fi
rm "$WorkDir/$AppName/$AppExec.trying"
done

if [ ! -e "$WorkDir/$AppName/$AppExec.trying" ]; then
echo "Unable to find CryptID"
rm -fr "$WorkDir"
exit 1
fi

mv "$WorkDir/$AppName/$AppExec.trying" "$WorkDir/$AppName/$AppExec"

echo "Dumping unencrypted data from application"

echo -e "set sharedlibrary load-rules \".*\" \".*\" none\r\n\
set inferior-auto-start-dyld off\r\n\
set sharedlibrary preload-libraries off\r\n\
set sharedlibrary load-dyld-symbols off\r\n\
handle all nostop\r\n\
break *0x2000\r\n
commands 1\r\n\
dump memory $WorkDir/dump.bin 0x2000 $(($CryptSize + 0x2000))\r\n\
kill\r\n\
quit\r\n\
end\r\n\
start" > $WorkDir/batch.gdb

foo=$(gdb -q -e "$AppPath/$AppName/$AppExec" -x $WorkDir/batch.gdb -batch 2>&1> /dev/null)

rm $WorkDir/batch.gdb

echo "Verifiying data dump"

DumpSize=$(stat -c%s "$WorkDir/dump.bin")
if [ "$DumpSize" != "$CryptSize" ]; then
echo "Memory dump is not the right size or does not exist"
rm -fr "$WorkDir"
exit 1
fi

echo "Replacing encrypted data with data dump"
foo=$(dd seek=4096 bs=1 conv=notrunc if="$WorkDir/dump.bin" of="$WorkDir/$AppName/$AppExec" 2>&1> /dev/null)
rm "$WorkDir/dump.bin"

echo "Signing the application"
foo=$(ldid -s "$WorkDir/$AppName/$AppExec" 2>&1> /dev/null)
plutil -s 'SignerIdentity' -v 'Apple iPhone OS Application Signing' "$WorkDir/$AppName/Info.plist" 2>&1> /dev/null

if [ -e "$WorkDir/$AppName/SC_Info" ]; then
echo "Removing SC_Info"
rm -fr "$WorkDir/$AppName/SC_Info"
fi

if [ -e "$WorkDir/$AppName/_CodeSignature" ]; then
echo "Removing _CodeSignature"
rm -fr "$WorkDir/$AppName/_CodeSignature"
fi

if [ -h "$WorkDir/$AppName/CodeResources" ]; then
echo "Removing CodeResources"
rm -fr "$WorkDir/$AppName/CodeResources"
fi

if [ -e "$WorkDir/$AppName/ResourceRules.plist" ]; then
echo "Removing ResourceRules.plist"
rm -fr "$WorkDir/$AppName/ResourceRules.plist"
fi

echo "Building .ipa"

mkdir -p "$WorkDir/Payload"
if [ ! -e "$WorkDir/Payload" ]; then
echo "Failed to create Payload directory"
rm -fr "$WorkDir"
exit 1
fi
mv "$WorkDir/$AppName" "$WorkDir/Payload/"

echo "Copying iTunesArtwork"

if [ -e "$AppPath/iTunesArtwork" ]; then
cp -a "$AppPath/iTunesArtwork" "$WorkDir/"
else
echo "Unable to find iTunesArtwork"
fi

echo "Compressing the .ipa"
IPAName=$NewAppDir/$(echo $AppDisplayName | sed -e "s: :_:g")-v$AppVer.ipa
cd "$WorkDir"
zip -m -r "$IPAName" * 2>&1> /dev/null
cd - 2>&1> /dev/null
if [ ! -e "$IPAName" ]; then
echo "Failed to compress the .ipa"
rm -fr "$WorkDir"
exit 1
fi

echo "Removing temporary files"
rm -rf "$WorkDir"

echo "Done"
echo "Created decrypted .ipa at $IPAName"








If you only want to manually get the decrypted binary for reverse engineering. Suppose the Application Executable is called AppExec and installed in /var/mobile/Applications. This is the script and using the gdb to dump the decrypted binary

Let's use a free app AdHoc Helper (by Erica Sadun) as example


otool -l `find /var/mobile/Applications -iname AdHoc` | grep cryptsize

output-> cryptsize 8192

# get the cryptsize say 8192

gdb `find /var/mobile/Applications -iname AdHoc`

(gdb) b *0x2000
Breakpoint 1 at 0x2000
(gdb) r
(gdb) x/20i 0x2000
(gdb) dump binary memory /var/root/dump.bin 0x2000 (0x2000+8192)
(gdb) kill
Kill the program being debugged? (y or n) y
(gdb) quit

cd /var/root/
cp `find /var/mobile/Applications -iname AdHoc` .
dd seek=4096 bs=1 conv=notrunc if=dump.bin of=AdHoc

12 comments:

Anonymous said...

i try to get the utility but i get 13 permission denied. what am i doing wrong?

javacom said...

That means you need to login as root in iPhone

Green Environment Web! said...

i have created the .bin file of the app. Now, anybody knows how to open it to reverse engineer? sorry, i'm a bit blank about this....

invis said...

I have an encrypted IPA file a friend sent me. Is there anyway I can decrypt on this file and from this file only ?

Don said...

Thanks for documenting this!

Here are a few hints if it doesn't work. May happen if the app was compiled with a more recent SDK, for example.

For one, check if the TEXT segment really starts at a different offset in vmem than in the executable. It may be possible that both offsets are 0x2000. You can do that using a hex editor. Just check where the random garbage (this is the encrypted code) starts in the file.
If it happens to be at 0x2000, use the following command to write the decrypted code back:
dd bs=8192 seek=1 conv=notrunc if=dump.bin of=AdHoc

Also, if you have a fat binary containing armv6 and armv7 code, I suggest you extract the relevant architecture before writing dump.bin back.
Here's how:
lipo -extract armv6 -output AdHoc.armv6 AdHoc

Anonymous said...

Is there a way to do this on a Mac, without a jailbroken iPhone?

Anonymous said...

antateimHey, nice article! And, I was wondering if it's possible to get the source code for an application out of .app file? Thanks ;)

manos364 said...

HELLO

MY IPOD 2G DISPLAY A MESSAGE AFTER THE COMMAND

{ otool -l `find /var/mobile/Applications -iname AdHoc` | grep cryptsize }

That says { AdHoc no such file or directory } i have installed this app and respringed my ipod tested other apps but nothing

I AM USING MOBILE TERMINAL FOR IOS 4X AND MY IOS IS 4.2.2 BUT WITH MULTITASKING

CAN YOU HELP ME PLEASE?

THANKS YOU manos364

Petrus said...

Hey, I tried to crack an app but the message "unable to locate xxx" after all the steps. What shoul I do? Thanks!

dmkiller11 said...

Hey, I fixed your code for all of the people who cant get it to work...
One of the problems was the extra lines, so i cant post the code here as it will re input the lines. An updated version of the code can be found and my URL or here: http://www.mediafire.com/?l0ev8mni5hgd03b

Anonymous said...

Hello! I run the code and has the error, any suggestion for me?


/////////////////////////////////////////

iPod51beta:/tmp root# ./DCrypt.sh

DeCrypt - v1.2
By: FloydianSlip
Edited by: dmkiller11
Heavily based on xcrack
Many thanks to:
puy0, SaladFork, Flox, Flawless
'/DCrypt.sh: line 127: syntax error near unexpected token `do
'/DCrypt.sh: line 127: `for TryOffset in "${oneLocations[@]}";do

Anonymous said...

my dump.bin file created from this script or manually using "gdb dump memory" command just creates a file the size of cryptsize full of zeros? why? what is going on?