There are many tools available for one-click decryption on iOS, but they generally follow the same principles. These tools involve running the app, dumping the decrypted content from memory, writing it back to the file, replacing the original encrypted binary file, and repackaging it to generate an IPA, thus completing the iOS decryption process.
By understanding the principles of decryption, we can try manual decryption, which will deepen our understanding of iOS reverse engineering.
Difficulty
★★☆☆☆
Tools
- Jailbroken iOS 14.4
- ipatool
- otool
- lldb
- debugserver
- dd
- 010 editor
Tool Installation
ipatool
https://github.com/majd/ipatool
ipatool is a command-line tool that can search for iOS applications on the App Store and download copies of the application packages, known as IPA files. The IPA files downloaded with ipatool are not decrypted, which is exactly what we want for manual decryption.
Install via the command line, then log in with your App Store account.
brew tap majd/repo
brew install ipatool
lldb and otool
LLDB stands for Low Level Debugger, a lightweight, high-performance debugger built into Xcode. On macOS, you can use Xcode command-line tools to install LLDB and otool.
xcode-select --install
debugserver
LLDB and debugserver communication process
Installing debugserver on a jailbroken device is very convenient, just search and install it from the Cydia store.

Manual Decryption Process
Download IPA Package with ipatool
Let's take a hotpot app as an example: use ipatool to search for the keyword to find the app's bundle ID, then download it.
ipatool --format json search -l 5 海底捞

ipatool download -b app.haidilao.HaidilaoMobileDistribution --purchase
Analyze Mach-O File with otool
After downloading, first unzip the IPA package.
unzip app.haidilao.HaidilaoMobileDistribution_553115181_8.3.8.ipa -d haidilao
Unzip the IPA into the haidilao directory.
cd haidilao/Payload/HaiDiLao.app
The file with the same name as the package is the binary file to be decrypted.
otool -arch arm64 -l ./HaiDiLao | grep -C5 LC_ENCRYPTION

The meaning of each field is as follows:
- cmd: the type of load command; here it is LC_ENCRYPTION_INFO_64, indicating that this load command contains 64-bit encryption information.
- cmdsize: the size of this load command, 24 bytes.
- cryptoff: the offset in bytes at which the encrypted data starts in the file. Here the encrypted data starts at byte 16384 of the file.
- cryptsize: the size of the encrypted data in bytes. Here the encrypted data is 31014912 bytes long.
- cryptid: a flag indicating whether the file is encrypted. If cryptid is 0, the file is not encrypted.
- pad: a padding field used to keep the data aligned.
cryptoff and cryptsize are the starting offset and size of the encrypted portion of the file. Note these two values down for later use.
Listen on a Port with debugserver
Run debugserver on the iOS device so that it listens on a port. Here the iOS device is connected over a USB cable, and iproxy forwards the ports from the Mac to the device.
# Execute on the Mac
iproxy 2222 22 &
iproxy 8888 8888 &
ssh root@127.0.0.1 -p 2222
# Execute on the iOS device
debugserver 127.0.0.1:8888 -a HaiDiLao
Dump Memory Binary File with LLDB
process connect connect://127.0.0.1:8888
image list -f -o HaiDiLao
memory read 0x00000001047f8000+16384 -c 31014912 --force --binary --outfile ./HaiDiLaoDecrypted

Use the memory read command to dump the decrypted binary data from memory and save it to a file. The start address is the load address of the binary plus cryptoff (16384), and the count is cryptsize (31014912).
image list -f -o HaiDiLao
[ 0] /private/var/containers/Bundle/Application/B24DD689-8666-41FA-AC86-12B0689352A0/HaiDiLao.app/HaiDiLao 0x00000000047f8000(0x00000001047f8000)
Note that in the image list output the first hex value is the ASLR slide and the value in parentheses is the memory load address; what we need here is the load address (0x00000001047f8000), not the ASLR slide.
Fix Mach-O Header
Since the dumped data starts at cryptoff, it carries no Mach-O header and cannot be used on its own. The quickest fix is to write the dumped data back into the original encrypted file at the same offset, replacing the encrypted bytes.
dd if=./HaiDiLaoDecrypted of=./HaiDiLao bs=1 seek=16384 conv=notrunc
Use the dd command to rewrite the file according to the offset.

Then use 010 Editor to modify the Mach-O header: set the cryptid field of the LC_ENCRYPTION_INFO_64 load command to 0, otherwise the loader will still treat the binary as encrypted.
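The LC_ENCRYPTION_INFO_64 fields explained in the otool section, and the cryptid byte that has to be patched in the header-fix step, can both be located programmatically. The following Python script is an added example (not code from the original post or from any of the tools listed above) that parses the Mach-O header, reads cryptoff, cryptsize and cryptid, reports the absolute file offset of the cryptid field so it can be verified in a hex editor, and sanity-checks that cryptoff + cryptsize fits inside the file before the memory read and dd steps are run. It handles both thin and fat files, which goes beyond the single thin arm64 binary on the page; the build_sample_macho and wrap_in_fat helpers construct a minimal sample so the script runs offline.

```python
import struct
import sys

# Constants from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE
FAT_MAGIC = 0xCAFEBABE              # fat header and fat_arch entries are big-endian
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_TYPE_ARM64 = 0x0100000C


def _slices(data):
    """Yield (offset, size) of each Mach-O slice: the whole file if thin, one per fat_arch if fat."""
    if len(data) >= 8 and struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        for i in range(nfat):
            _cpu, _sub, off, size, _align = struct.unpack(">5I", data[8 + 20 * i:28 + 20 * i])
            yield off, size
    else:
        yield 0, len(data)


def find_encryption_info(data, cputype=CPU_TYPE_ARM64):
    """Return the LC_ENCRYPTION_INFO(_64) fields of the slice matching cputype, or None.

    cryptoff is relative to the slice, so slice_offset is returned too: for a fat file
    the dd seek value is slice_offset + cryptoff; for a thin file slice_offset is 0.
    """
    for base, _size in _slices(data):
        magic = struct.unpack("<I", data[base:base + 4])[0]
        if magic in (MH_MAGIC_64, MH_MAGIC):
            end = "<"                       # little-endian Mach-O (all arm64 iOS binaries)
        elif magic in (MH_CIGAM_64, MH_CIGAM):
            end = ">"                       # byte-swapped Mach-O
        else:
            continue
        hdr_len = 32 if magic in (MH_MAGIC_64, MH_CIGAM_64) else 28
        _m, cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags = struct.unpack(end + "7I", data[base:base + 28])
        if cputype is not None and cpu != cputype:
            continue
        off = base + hdr_len
        for _ in range(ncmds):
            cmd, cmdsize = struct.unpack(end + "2I", data[off:off + 8])
            if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
                cryptoff, cryptsize, cryptid = struct.unpack(end + "3I", data[off + 8:off + 20])
                return {
                    "cmd": cmd, "cmdsize": cmdsize,
                    "cryptoff": cryptoff, "cryptsize": cryptsize, "cryptid": cryptid,
                    "cryptid_offset": off + 16,   # absolute file offset of the 4-byte cryptid field
                    "slice_offset": base,
                }
            off += cmdsize
    return None


def check_dump_plan(data, info):
    """Return a list of problems with using info for the memory read / dd steps (empty if none)."""
    problems = []
    if info["cryptid"] == 0:
        problems.append("cryptid is 0: the binary is not encrypted")
    if info["cryptoff"] % 0x1000:
        problems.append("cryptoff 0x%x is not page aligned" % info["cryptoff"])
    end = info["slice_offset"] + info["cryptoff"] + info["cryptsize"]
    if end > len(data):
        problems.append("cryptoff+cryptsize reaches %d but the file is only %d bytes" % (end, len(data)))
    return problems


def build_sample_macho(cryptid=1, cryptoff=0x4000, cryptsize=128):
    """Constructed minimal arm64 Mach-O: 32-byte header, one LC_ENCRYPTION_INFO_64, zero fill."""
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 1, 24, 0, 0)  # filetype 2 = MH_EXECUTE
    lc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, cryptoff, cryptsize, cryptid, 0)
    body = header + lc
    return body + b"\0" * (cryptoff + cryptsize - len(body))


def wrap_in_fat(slice_bytes, cputype=CPU_TYPE_ARM64):
    """Constructed fat container with a single slice placed right after the fat headers."""
    slice_off = 8 + 20
    return (struct.pack(">2I", FAT_MAGIC, 1)
            + struct.pack(">5I", cputype, 0, slice_off, len(slice_bytes), 0)
            + slice_bytes)


if __name__ == "__main__":
    # Pass a Mach-O path on the command line; without one the constructed sample is inspected.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_macho()
    info = find_encryption_info(data)
    if info is None:
        print("no LC_ENCRYPTION_INFO load command found")
    else:
        print("cmd=0x%x cmdsize=%d cryptoff=%d cryptsize=%d cryptid=%d" % (
            info["cmd"], info["cmdsize"], info["cryptoff"], info["cryptsize"], info["cryptid"]))
        print("cryptid field is at file offset %d" % info["cryptid_offset"])
        for p in check_dump_plan(data, info):
            print("warning:", p)
```

Run it against the HaiDiLao binary after the dd step to confirm that cryptoff and cryptsize match what otool reported and that the dumped region lies entirely inside the file; run it again after editing the header to confirm that cryptid now reads 0.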
zip -r haidilao.ipa haidilao/
Use the zip command to repackage the IPA file, completing the manual decryption.