search

JohnCoates / flexdecrypt

Decrypt iOS Apps and Mach-O binaries
667 stars 90 forks source link

Spawn failed with result #86: #2: No such file or directory #11

Closed sponte closed 3 years ago

sponte commented 3 years ago

Hello, I am trying to decrypt a very old Dolry Music app and found your tool which looked promising as it is the only tool I can find that promises to do static decryption. I tried using following command but am getting an error:

iPad:/tmp/Payload/Dolry Music.app root# flexdecrypt file Dolry\ Music  --verbose
Identifying best slice for /private/var/tmp/Payload/Dolry Music.app/Dolry Music
Decrypting slice
Found encryption info
Spawning /private/var/tmp/Payload/Dolry Music.app/Dolry Music
Error: message("Spawn failed with result #86: #2: No such file or directory")

This might be related to the fact that I cannot launch the binary as the binary itself is too old:

-sh: ./Dolry Music: Bad CPU type in executable
file Dolry\ Music
Dolry Music: Mach-O universal binary with 2 architectures: [arm_v7:Mach-O executable arm_v7] [arm_v7s:Mach-O executable arm_v7s]
Dolry Music (for architecture armv7):   Mach-O executable arm_v7
Dolry Music (for architecture armv7s):  Mach-O executable arm_v7s

I downloaded latest version today from github releases, flexdecrypt --version shows 1.0.0.

Is there a way for me to force static decryption? The device I'm trying to run this on is iPad Air.

JohnCoates commented 3 years ago

Which iOS version are you on? Due to kernel restrictions we fall back to spawning the application if the encryption doesn't fall on a page boundary. Someone told me iOS 12 doesn't have that same restriction, so you can try disabling this check https://github.com/JohnCoates/flexdecrypt/blob/642899eeeac739b6afac7b1a1cdc0ec4235db04e/Source/Mach-O/Decrypt/MachOFile%2BDecrypt.swift#L31-L34

sponte commented 3 years ago

I'm on 12.something. I'll try your suggestion soon.

Thanks so much for quick suggestion.

Update: I just tried and got mmapFailed issue:

iPad:/tmp/flexdecrypt root# ./flexdecrypt.app/flexdecrypt file /tmp/Payload/Dolry\ Music.app/Dolry\ Music --verbose
Identifying best slice for /tmp/Payload/Dolry Music.app/Dolry Music
Decrypting slice
Found encryption info
Disabling application check to force static decryption
Opening file descriptor
VM start: 1000
Allocating d9050 bytes
Mapped 100e00000 - 100ed9050
Mapped 100e00000 - 100ea6000
Deallocating d9050 at 100e00000
Restricted allocation to prevent memory mappings.
Error: mmapFailed(segment: "__DATA", error: "#22: Invalid argument")

My sw version is:

ProductName:    iPhone OS
ProductVersion: 12.4.9
BuildVersion:   16H5

I can try downgrading the device to a different version if that would help. What do you think?

JohnCoates commented 3 years ago

Okay that's interesting that __DATA failed to map. Not sure what to do at this point, to be honest.

JohnCoates commented 3 years ago

If you want to look into it, you can download the XNU kernel source for your iOS version.

sponte commented 3 years ago

I tried decrypting an arbitrary app on my iPad and it worked no problem. I think decryption has changed between iOS versions - my app is quite old, been built for iOS 4.3 in 2013