KJCracks / Clutch

Fast iOS executable dumper

cpusubtype, mysterious debug output and performance #133

Closed stas-smedia closed 7 years ago

stas-smedia commented 7 years ago

I'm getting this mysterious message when running Clutch, but also the speed of the process is very slow. Is this because of the CPU of the device? Here is the message:

    ClutchPrint.m : 76 | Finding compatible dumper for binary <pokemongo> with arch cputype: 12
    ClutchPrint.m : 76 | Segment cputype: 12, cpusubtype: 9
    ClutchPrint.m : 76 | Device cputype: 16777228, cpusubtype: 0
    ClutchPrint.m : 76 | Dumper supports cputype 16777228
    ClutchPrint.m : 76 | why cut a potato with a pencil?

I'm running Clutch on an iPad Air 2; will running this on an iPhone make it faster?

Tatsh commented 7 years ago

I get similar output and I can dump Pokemon Go just fine.

The line that causes this:

    if (self.supportedCPUType != _thinHeader.header.cputype) {
        [[ClutchPrint sharedInstance] printDeveloper:@"why cut a potato with a pencil?"];
    }

The thin binary you have has a different CPU type than expected (it is not 0x100000c). I think since iOS 9 Apple has been only providing thin binaries for all devices. iPad Air 2 is arm64 though, so it should be fine either way. I am dumping on an iPhone 6s Plus with iOS 9.0.2.

Maybe for iPad Air 2 Apple is setting a different CPU type for who knows what reason. It would be interesting if you could get this to dump the CPU type. If you are building yourself, modify the line after the check:

    if (self.supportedCPUType != _thinHeader.header.cputype) {
        // print the header's cputype in decimal and hex so it can be compared with the values above
        [[ClutchPrint sharedInstance] printDeveloper:[NSString stringWithFormat:@"cputype: %d 0x%x", _thinHeader.header.cputype, _thinHeader.header.cputype]];
    }

    ClutchPrint.m : 76 | using number
    Now dumping com.nianticlabs.pokemongo
    ClutchPrint.m : 76 | ######## bundle URL file:///private/var/mobile/Containers/Bundle/Application/3923D861-30F6-4D8A-B22F-50FDF090333C
    Preparing to dump <pokemongo>
    Path: /private/var/mobile/Containers/Bundle/Application/3923D861-30F6-4D8A-B22F-50FDF090333C/pokemongo.app/pokemongo
    Zipping pokemongo.app
    ClutchPrint.m : 76 | Finding compatible dumper for binary <pokemongo> with arch cputype: 16777228
    ClutchPrint.m : 76 | Segment cputype: 16777228, cpusubtype: 0
    ClutchPrint.m : 76 | Device cputype: 16777228, cpusubtype: 0
    ClutchPrint.m : 76 | Dumper supports cputype 16777228
    ClutchPrint.m : 76 | Found compatible dumper <ARM64Dumper: 0x137515090> for binary <pokemongo> with arch arm64
    ClutchPrint.m : 76 | 64bit dumping: arch arm64 offset 0
    ClutchPrint.m : 76 | FOUND __TEXT SEGMENT
    ClutchPrint.m : 76 | FOUND ENCRYPTION INFO: cryptoff 16384 | cryptsize 33177600 | cryptid 1
    ClutchPrint.m : 76 | FOUND CODE SIGNATURE: dataoff 36323616 | datasize 187296
    ClutchPrint.m : 76 | found all required load commands for <pokemongo> arm64
    ClutchPrint.m : 76 | to MH_PIE or not to MH_PIE, that is the question
    ClutchPrint.m : 76 | got the pid 12483 /private/var/mobile/Containers/Bundle/Application/3923D861-30F6-4D8A-B22F-50FDF090333C/pokemongo.app/pokemongo
    ClutchPrint.m : 76 | 0 36323616 738197504
    ClutchPrint.m : 76 | Found CSSLOT_CODEDIRECTORY
    ClutchPrint.m : 76 | Codesign Pages 8869
    ASLR slide: 0x10001c000
    ClutchPrint.m : 76 | checksum size 177380
    Dumping <pokemongo> (arm64)
    Patched cryptid (64bit segment)
    Writing new checksum
    ClutchPrint.m : 76 | Done writing checksum
    ClutchPrint.m : 76 | done dumping
    DONE: /private/var/mobile/Documents/Dumped/com.nianticlabs.pokemongo-iOS8.0-(Clutch-2.0.1)-2.ipa
    Finished dumping com.nianticlabs.pokemongo in 20.6 seconds

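As an added illustration of the numbers in the two outputs above (this is example code, not code from the Clutch project or from anyone in this thread): a small Python parser that reads a Mach-O header the way Clutch's check does, decoding cputype/cpusubtype (12/9 is armv7; 16777228 = 0x100000c is arm64, i.e. CPU_TYPE_ARM with the CPU_ARCH_ABI64 bit set) and the LC_ENCRYPTION_INFO load command behind the "cryptoff | cryptsize | cryptid" line. The constants are Apple's values from mach/machine.h and mach-o/loader.h; the sample binaries are constructed in memory (only the header and one load command, not a real app), and `dumper_matches` is an assumed stand-in for the `supportedCPUType != cputype` comparison quoted above.

```python
"""Decode the Mach-O fields Clutch prints: cputype, cpusubtype and the encryption-info cryptid.

Added example. Sample headers are constructed in memory and carry no code or data.
"""
import struct

# Constants from <mach/machine.h> and <mach-o/loader.h>
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = CPU_TYPE_ARM | CPU_ARCH_ABI64      # 0x100000c == 16777228, the value in the log
ARM_SUBTYPES = {6: "armv6", 9: "armv7", 11: "armv7s"}
ARM64_SUBTYPES = {0: "arm64", 1: "arm64v8"}
MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
MH_EXECUTE, MH_PIE = 2, 0x00200000
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C


def arch_name(cputype, cpusubtype):
    """Map a (cputype, cpusubtype) pair such as (12, 9) or (16777228, 0) to a name."""
    sub = cpusubtype & 0x00FFFFFF                    # drop capability bits in the top byte
    if cputype == CPU_TYPE_ARM64:
        return ARM64_SUBTYPES.get(sub, "arm64(subtype %d)" % sub)
    if cputype == CPU_TYPE_ARM:
        return ARM_SUBTYPES.get(sub, "arm(subtype %d)" % sub)
    return "unknown(cputype %d)" % cputype


def dumper_matches(dumper_cputype, header_cputype):
    """Assumed stand-in for Clutch's check; False is the 'potato with a pencil' case."""
    return dumper_cputype == header_cputype


def parse_thin(data):
    """Parse a thin little-endian Mach-O header and find its LC_ENCRYPTION_INFO(_64) command."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        is64, off = True, 32                         # mach_header_64 has a trailing reserved field
    elif magic == MH_MAGIC:
        is64, off = False, 28
    else:
        raise ValueError("not a little-endian thin Mach-O (magic 0x%08x)" % magic)
    cputype, cpusubtype, _filetype, ncmds, _sizeofcmds, flags = struct.unpack_from("<iIIIII", data, 4)
    info = {"is64": is64, "cputype": cputype, "cpusubtype": cpusubtype,
            "arch": arch_name(cputype, cpusubtype), "pie": bool(flags & MH_PIE),
            "cryptid": None, "cryptoff": None, "cryptsize": None}   # None: no encryption command
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("malformed load command at offset %d" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # both layouts start cmd, cmdsize, cryptoff, cryptsize, cryptid (the _64 one adds a pad)
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            info.update(cryptoff=cryptoff, cryptsize=cryptsize, cryptid=cryptid)
        off += cmdsize
    return info


def parse_fat(data):
    """List the slices of a fat (multi-arch) binary; the fat header is big-endian."""
    magic, nfat = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a fat Mach-O")
    slices = []
    for i in range(nfat):
        cputype, cpusubtype, offset, size, _align = struct.unpack_from(">iIIII", data, 8 + 20 * i)
        slices.append({"arch": arch_name(cputype, cpusubtype), "cputype": cputype,
                       "cpusubtype": cpusubtype, "offset": offset, "size": size})
    return slices


def build_thin(cputype, cpusubtype, cryptid, is64=True, pie=True):
    """Construct a header plus one encryption-info command (sample data, not a real app)."""
    flags = MH_PIE if pie else 0
    if is64:   # cryptoff/cryptsize are the values from the log above
        lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 16384, 33177600, cryptid, 0)
        hdr = struct.pack("<IiIIIIII", MH_MAGIC_64, cputype, cpusubtype, MH_EXECUTE, 1, len(lc), flags, 0)
    else:
        lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 16384, 1024, cryptid)
        hdr = struct.pack("<IiIIIII", MH_MAGIC, cputype, cpusubtype, MH_EXECUTE, 1, len(lc), flags)
    return hdr + lc


def build_fat(arches):
    """Construct a fat header for (cputype, cpusubtype) pairs; slice offsets are placeholders."""
    out = struct.pack(">II", FAT_MAGIC, len(arches))
    for i, (cputype, cpusubtype) in enumerate(arches):
        out += struct.pack(">iIIII", cputype, cpusubtype, 4096 * (i + 1), 1024, 12)
    return out


if __name__ == "__main__":
    for blob in (build_thin(CPU_TYPE_ARM64, 0, cryptid=1), build_thin(CPU_TYPE_ARM, 9, cryptid=1, is64=False)):
        info = parse_thin(blob)
        print("cputype %d (0x%x) cpusubtype %d -> %s, cryptid=%s, arm64 dumper matches: %s" % (
            info["cputype"], info["cputype"], info["cpusubtype"], info["arch"],
            info["cryptid"], dumper_matches(CPU_TYPE_ARM64, info["cputype"])))
    print([s["arch"] for s in parse_fat(build_fat([(CPU_TYPE_ARM, 9), (CPU_TYPE_ARM64, 0)]))])
```

On a real file you would read the first four bytes, dispatch to `parse_fat` or `parse_thin`, and for a fat binary apply `parse_thin` at each slice offset; the thin-versus-fat distinction is exactly why a 64-bit dumper reports the 32-bit slice as unsupported. A `cryptid` of 1 means the `__TEXT` range is still FairPlay-encrypted, which is the state an IPA is in until the device has the matching FairPlay metadata, as the later replies in this thread discuss.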
Tatsh commented 7 years ago

The binary I got from the App Store is a thin binary just like yours. This is an unfortunate situation making sharing IPAs between devices annoying.

stas-smedia commented 7 years ago

Thanks, the thing is I've installed the app from an .ipa I got by reverse engineering the store :), so I'm pretty sure it's my fault it's stuck when trying to dump the app. I'll change the line you suggested to see what cputype I have in the binary.

ofirkris commented 7 years ago

Hi, just tried downloading the Pokemon Go .ipa directly from Apple (bypassing iTunes; here is the direct link).

Same result: the app wouldn't open (black screen). The .ipa is signed, so it's really weird; any idea why I can't decrypt it?

Tatsh commented 7 years ago

That link you sent links to an IPA without any FairPlay metadata. As it is still encrypted, it is not going to run on any device. The metadata gets added after installation, not before download.

ofirkris commented 7 years ago

Thanks Tatsh, is there any way you know of to add the FairPlay metadata?

ttwj commented 7 years ago

FairPlay metadata is generated by the App Store when you download the app. A quick workaround for the lack of 32-bit architectures on newer devices is to download the IPA and install it via iTunes. That message isn't actually an error; it just indicates that the 64-bit dumper class can't dump the 32-bit portion.

ofirkris commented 7 years ago

Thanks Terence, I understand that iTunes generates the FairPlay metadata. Trying to figure out if there is a known way to add it to an .ipa file that's missing that data (without going through the App Store).

Tatsh commented 7 years ago

@ofirkris do you have more info on how you got the direct link to the IPA?

ofirkris commented 7 years ago

@Tatsh Hi, I've reverse engineered the iTunes download process; nevertheless, there's not much you can do with the .ipa files from this method.