Tatsh
commented
3 years ago No longer on the store. archive.org has the game and it looks like it is decrypted.
Open gingerbeardman opened 3 years ago
Tatsh
commented
3 years ago No longer on the store. archive.org has the game and it looks like it is decrypted.
gingerbeardman
commented
3 years ago You're correct that it's no longer on the store.
That's my copy on archive and as far as I know it's not decrypted, it was straight out of iTunes.
That's why I'm here 😄 trying to get it in a better form I can share with others.
I've already successfully decrypted another app I uploaded to archive, using Clutch, and that worked OK and I was able to install it on a device that isn't mine.
Tatsh
commented
3 years ago It's failing to disable ASLR for this binary. Not sure why.
Tatsh
commented
3 years ago Try running with --debug and paste the output here.
gingerbeardman
commented
3 years ago OK, here's verbose output from debug version Clutch-2.0.4-Debug
Matts-iPad:~ root# Clutch-debug -v -d uk.co.llamasoft.gridrunner
ClutchPrint.m : 77 | using bundle identifier
Now dumping uk.co.llamasoft.gridrunner
ClutchPrint.m : 77 | ######## bundle URL file:///private/var/containers/Bundle/Application/369CE54E-5C00-4E2E-973A-321BA9D72654
Preparing to dump <Gridrunner>
Path: /var/containers/Bundle/Application/369CE54E-5C00-4E2E-973A-321BA9D72654/Gridrunner.app/Gridrunner
Zipping Gridrunner.app
ClutchPrint.m : 77 | Finding compatible dumper for binary <Gridrunner> with arch cputype: 12
ClutchPrint.m : 77 | Segment cputype: 12, cpusubtype: 9
ClutchPrint.m : 77 | Device cputype: 16777228, cpusubtype: 0
ClutchPrint.m : 77 | Dumper supports cputype 16777228
ClutchPrint.m : 77 | Dumper <ARM64Dumper> does not support the armv7 architecture
ClutchPrint.m : 77 | <ARM64Dumper: 0x1291a5c20> cannot dump binary <Gridrunner> (arch armv7). Dumper not compatible, finding another dumper
ClutchPrint.m : 77 | Segment cputype: 12, cpusubtype: 9
ClutchPrint.m : 77 | Device cputype: 16777228, cpusubtype: 0
ClutchPrint.m : 77 | Dumper supports cputype 12
ClutchPrint.m : 77 | God Mode On
ClutchPrint.m : 77 | Found compatible dumper <ARMDumper: 0x1291a5c20> for binary <Gridrunner> with arch armv7
Swapping architectures..
ClutchPrint.m : 77 | (null)
ClutchPrint.m : 77 | wrote new header to binary
ClutchPrint.m : 77 | 32bit Dumping: arch armv7 offset 4096
ClutchPrint.m : 77 | FOUND __TEXT SEGMENT
ClutchPrint.m : 77 | FOUND ENCRYPTION INFO: cryptoff 8192 | cryptsize 409600 | cryptid 1
ClutchPrint.m : 77 | FOUND CODE SIGNATURE: dataoff 465088 | datasize 8656
ClutchPrint.m : 77 | binary path /var/containers/Bundle/Application/369CE54E-5C00-4E2E-973A-321BA9D72654/Gridrunner.app/Gridrunner_armv7
ClutchPrint.m : 77 | found all required load commands for <Gridrunner> armv7
ClutchPrint.m : 77 | to MH_PIE or not to MH_PIE, that is the question
ClutchPrint.m : 77 | got the pid 684 /var/containers/Bundle/Application/369CE54E-5C00-4E2E-973A-321BA9D72654/Gridrunner.app/Gridrunner_armv7
ClutchPrint.m : 77 | 4096 465088 738197504
ClutchPrint.m : 77 | Found CSSLOT_CODEDIRECTORY
Error: Failed to find address of header!
Error: Failed to dump <Gridrunner> with arch armv7
2021-09-13 13:11:37.248 Clutch-debug[683:60564] failed operation :(
2021-09-13 13:11:37.249 Clutch-debug[683:60564] application <NSOperationQueue: 0x127e556c0>{name = 'NSOperationQueue 0x127e556c0'}
ClutchPrint.m : 77 | operation hash 4984503296
ClutchPrint.m : 77 | operation hash 4983617248
ClutchPrint.m : 77 | operation hash 4201234
ClutchPrint.m : 77 | Finding compatible dumper for binary <Gridrunner> with arch cputype: 12
ClutchPrint.m : 77 | Segment cputype: 12, cpusubtype: 11
ClutchPrint.m : 77 | Device cputype: 16777228, cpusubtype: 0
ClutchPrint.m : 77 | Dumper supports cputype 16777228
ClutchPrint.m : 77 | Dumper <ARM64Dumper> does not support the armv7s architecture
ClutchPrint.m : 77 | <ARM64Dumper: 0x1290dce80> cannot dump binary <Gridrunner> (arch armv7s). Dumper not compatible, finding another dumper
ClutchPrint.m : 77 | Segment cputype: 12, cpusubtype: 11
ClutchPrint.m : 77 | Device cputype: 16777228, cpusubtype: 0
ClutchPrint.m : 77 | Dumper supports cputype 12
ClutchPrint.m : 77 | God Mode On
ClutchPrint.m : 77 | Found compatible dumper <ARMDumper: 0x1290dce80> for binary <Gridrunner> with arch armv7s
Swapping architectures..
ClutchPrint.m : 77 | (null)
ClutchPrint.m : 77 | wrote new header to binary
ClutchPrint.m : 77 | 32bit Dumping: arch armv7s offset 479232
ClutchPrint.m : 77 | FOUND __TEXT SEGMENT
ClutchPrint.m : 77 | FOUND ENCRYPTION INFO: cryptoff 8192 | cryptsize 409600 | cryptid 1
ClutchPrint.m : 77 | FOUND CODE SIGNATURE: dataoff 465008 | datasize 8656
ClutchPrint.m : 77 | binary path /var/containers/Bundle/Application/369CE54E-5C00-4E2E-973A-321BA9D72654/Gridrunner.app/Gridrunner_armv7s
ClutchPrint.m : 77 | found all required load commands for <Gridrunner> armv7s
ClutchPrint.m : 77 | to MH_PIE or not to MH_PIE, that is the question
ClutchPrint.m : 77 | got the pid 685 /var/containers/Bundle/Application/369CE54E-5C00-4E2E-973A-321BA9D72654/Gridrunner.app/Gridrunner_armv7s
ClutchPrint.m : 77 | 479232 465008 738197504
ClutchPrint.m : 77 | Found CSSLOT_CODEDIRECTORY
Error: Failed to find address of header!
Error: Failed to dump <Gridrunner> with arch armv7s
2021-09-13 13:11:37.272 Clutch-debug[683:60564] failed operation :(
2021-09-13 13:11:37.272 Clutch-debug[683:60564] application <NSOperationQueue: 0x127e556c0>{name = 'NSOperationQueue 0x127e556c0'}
ClutchPrint.m : 77 | operation hash 4984503296
ClutchPrint.m : 77 | operation hash 4201234
Error: Failed to dump <Gridrunner>
2021-09-13 13:11:37.272 Clutch-debug[683:60564] failed operation :(
2021-09-13 13:11:37.272 Clutch-debug[683:60564] application <NSOperationQueue: 0x127e556c0>{name = 'NSOperationQueue 0x127e556c0'}
ClutchPrint.m : 77 | operation hash 4984503296
ClutchPrint.m : 77 | operation hash 4201234
FAILED: <Gridrunner bundleID: uk.co.llamasoft.gridrunner>
Finished dumping uk.co.llamasoft.gridrunner in 1.3 seconds
Matts-iPad:~ root# Any further thoughts @Tatsh ?
Tatsh
commented
3 years ago gingerbeardman
commented
3 years ago Will do
Tatsh
commented
3 years ago Try https://github.com/JohnCoates/flexdecrypt (iOS) and https://github.com/subdiox/UnFairPlay (on macOS) if you can. I am curious if these work.
gingerbeardman
commented
3 years ago $ ./unfairplay Gridrunner Gridrunner.out
Assertion failed: (header->magic == MH_MAGIC_64), function main, file unfairplay.c, line 147.
[1] 34894 abort ./unfairplay Gridrunner Gridrunner.outWill try the others soon.
gingerbeardman
commented
3 years ago Error: message("Spawn failed with result #85: #2: No such file or directory")see this issue
gingerbeardman
commented
3 years ago $ r2flutch -i uk.co.llamasoft.gridrunner
[+] Open Application Process uk.co.llamasoft.gridrunner
[r] Cannot open 'frida://launch/usb/644ceeafa65960cb3a2249b2f6a8b7702381d15b/uk.co.llamasoft.gridrunner'
[x] ERROR - Cannot open target process: uk.co.llamasoft.gridrunnerI can't seem to get Frida running correctly. Will try again at some point soon.
Tatsh
commented
3 years ago As far as I can tell, that new method only works on 64-bit binaries unfortunately.
General information
Please delete the example text and fill this in:
https://stek29.rocks/cyrepo/uk.co.llamasoft.minotronClutch -d uk.co.llamasoft.gridrunnerLog