Open ZonD80 opened 1 year ago
@ZonD80 I noticed coming from iOS 13 to iOS 14 that fouldecrypt and flexdecrypt weren't working unless the encrypted app/binary was launched in some form (they need to be catalogued into memory). I wrote a simple tool that achieves this in a non-destructive and unobtrusive way; it basically dlopen's the target binary without having to launch it:
```c
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>

/* dlopen each path given on the command line so the image gets mapped and
 * catalogued into memory without being launched, then drop the reference. */
int main(int argc, char** argv) {
    for (int i = 1; i < argc; i++) {
        void* handle = dlopen(argv[i], RTLD_LAZY | RTLD_GLOBAL);
        if (!handle) {
            fprintf(stderr, "Error loading %s: %s\n", argv[i], dlerror());
            continue; /* do not dlclose a NULL handle */
        }
        dlclose(handle);
    }
    return 0;
}
```
Build this code as a separate tool and run it on the encrypted binary (linktool <path/to/encrypted_binary>). After you run it, you should be able to decrypt the target binary without mremap_encrypted failing.
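A check that goes with the tool above, added here as an example rather than code from this thread or from fouldecrypt/flexdecrypt: the decryptor log further down reports "found encryption_info segment at offset ..." and "cryptid 1", which is the LC_ENCRYPTION_INFO(_64) load command of the slice. The walker below locates that command in a thin 64-bit Mach-O image in memory and reports its cryptoff/cryptsize/cryptid, so you can confirm an input is still encrypted before running the dlopen tool and confirm cryptid is 0 in the dumped output afterwards. The struct layouts and constants are the public ones from Apple's <mach-o/loader.h>, restated so the example builds anywhere; the image it parses is a constructed minimal arm64 header plus two load commands, not a real app binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mach-O constants and layouts as documented in Apple's <mach-o/loader.h>,
 * restated here so the example also builds outside the Apple SDK. */
#define MH_MAGIC_64           0xfeedfacfU
#define MH_EXECUTE            0x2U
#define CPU_TYPE_ARM64        0x100000cU
#define LC_UUID               0x1bU
#define LC_ENCRYPTION_INFO    0x21U
#define LC_ENCRYPTION_INFO_64 0x2cU

struct mach_header_64 {
    uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved;
};
struct load_command { uint32_t cmd, cmdsize; };
struct uuid_command { uint32_t cmd, cmdsize; uint8_t uuid[16]; };
struct encryption_info_command_64 {
    uint32_t cmd, cmdsize, cryptoff, cryptsize, cryptid, pad; /* pad: 64-bit variant only */
};

/* Result of the walk: where the command sits in the image and what it says. */
struct enc_info { uint32_t cmd_offset, cryptoff, cryptsize, cryptid; };

/* Walk the load commands of a thin 64-bit Mach-O image held in memory and
 * report its LC_ENCRYPTION_INFO(_64) command. Returns 1 when found, 0 when
 * the image carries none, -1 when the buffer is truncated or malformed.
 * Fat binaries must be split into slices first (the fileOff/size pairs a
 * decryptor prints per arch); 32-bit slices use a 28-byte mach_header and
 * are not handled here. */
int find_encryption_info(const uint8_t *buf, size_t len, struct enc_info *out)
{
    struct mach_header_64 hdr;
    if (len < sizeof hdr) return -1;
    memcpy(&hdr, buf, sizeof hdr);
    if (hdr.magic != MH_MAGIC_64) return -1;

    size_t off = sizeof hdr;
    size_t end = off + hdr.sizeofcmds;
    if (end > len) return -1;

    for (uint32_t i = 0; i < hdr.ncmds; i++) {
        struct load_command lc;
        if (off + sizeof lc > end) return -1;
        memcpy(&lc, buf + off, sizeof lc);
        /* Reject commands that would walk outside the declared command area. */
        if (lc.cmdsize < sizeof lc || lc.cmdsize > end - off) return -1;

        if (lc.cmd == LC_ENCRYPTION_INFO || lc.cmd == LC_ENCRYPTION_INFO_64) {
            /* Both variants share cryptoff/cryptsize/cryptid; only _64 has pad. */
            struct encryption_info_command_64 ec = {0};
            size_t want = 5 * sizeof(uint32_t);
            if (lc.cmdsize < want) return -1;
            memcpy(&ec, buf + off, want);
            out->cmd_offset = (uint32_t)off;
            out->cryptoff   = ec.cryptoff;
            out->cryptsize  = ec.cryptsize;
            out->cryptid    = ec.cryptid;
            return 1;
        }
        off += lc.cmdsize;
    }
    return 0;
}

/* Build a constructed, minimal arm64 image (header, LC_UUID, LC_ENCRYPTION_INFO_64)
 * for testing the walker. It is sample input only, not a real app binary.
 * Returns the image length, or 0 if cap is too small. */
size_t build_sample_image(uint8_t *buf, size_t cap, uint32_t cryptid)
{
    struct uuid_command uc = { LC_UUID, sizeof uc, {0} };
    struct encryption_info_command_64 ec = {
        LC_ENCRYPTION_INFO_64, sizeof ec, 0x4000, 0x1608000, cryptid, 0
    };
    struct mach_header_64 hdr = {
        MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 2,
        (uint32_t)(sizeof uc + sizeof ec), 0, 0
    };
    size_t n = sizeof hdr + sizeof uc + sizeof ec;
    if (cap < n) return 0;
    memcpy(buf, &hdr, sizeof hdr);
    memcpy(buf + sizeof hdr, &uc, sizeof uc);
    memcpy(buf + sizeof hdr + sizeof uc, &ec, sizeof ec);
    return n;
}

int main(void)
{
    uint8_t img[128];
    struct enc_info ei;
    size_t n = build_sample_image(img, sizeof img, 1);
    int rc = find_encryption_info(img, n, &ei);
    if (rc != 1) {
        printf("no encryption info (rc=%d)\n", rc);
        return 1;
    }
    printf("encryption_info at offset %x: cryptoff 0x%x cryptsize 0x%x cryptid %u -> %s\n",
           ei.cmd_offset, ei.cryptoff, ei.cryptsize, ei.cryptid,
           ei.cryptid ? "still encrypted, run the dlopen tool then dump"
                      : "already decrypted");
    return 0;
}
```

To use it on a real file, read the slice into a buffer (for a fat binary, seek to the arch's fileOff first) and pass it to find_encryption_info; the bounds checks matter because a load command with an oversized cmdsize would otherwise walk the parser off the end of the mapping.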
@dlevi309 The same trick doesn't seem to work for app extensions. Is it due to security concerns in the latest system?
It was working (I don't know why, though), but after some time it stopped, and a reboot does not help:
21:02:11.486183 mapping input file: /private/var/containers/Bundle/Application/305BDB97-8F66-4DB9-BDE8-5D34719E942F/agar.io.app/agar.io
21:02:11.488507 mapping output file: /private/var/containers/Bundle/Application/305BDB97-8F66-4DB9-BDE8-5D34719E942F/agar.io.app/agar.io.cracked
21:02:11.490390 copying original data of size 0x36ff9b0...
21:02:11.558694 handling 2 fat arches...
21:02:11.558736 handling fat arch 0, cpuType 0xc, cpuSubType 0x9, fileOff 0x4000, size 0x1997e60, align 0xe
21:02:11.558742 finding encryption_info segment in slide...
21:02:11.558745 found encryption_info segment at offset ce4
21:02:11.558748 decrypting encrypted data...
21:02:11.558750 Going to decrypt crypt page: off 0x4000 size 0x1464000 cryptid 1, cpuType c cpuSubType 9
21:02:11.558764 Already 16k aligned, directly go ahead :)
21:02:11.558773 -->> 16k-aligned mmaping(0x0, 0x1464000, 5, 0x2, 3, 0x8000)
mmap: Operation not permitted
21:02:11.558824 <<-- 16k-aligned mmaping(0x0, 0x1464000, 5, 0x2, 3, 0x8000) = 0xffffffffffffffff
21:02:11.558827 <<-- unprotect mremap_encrypted(0xffffffffffffffff, 0x1464000, 1, 0xc, 0x9)
mremap_encrypted: Invalid argument
21:02:11.558833 -->> unprotect mremap_encrypted(0xffffffffffffffff, 0x1464000, 1, 0xc, 0x9) = -1
21:02:11.558836 handling fat arch 1, cpuType 0x100000c, cpuSubType 0x0, fileOff 0x199c000, size 0x1d639b0, align 0xe
21:02:11.558841 finding encryption_info segment in slide...
21:02:11.558844 found encryption_info segment at offset fb8
21:02:11.558846 decrypting encrypted data...
21:02:11.558848 Going to decrypt crypt page: off 0x4000 size 0x1608000 cryptid 1, cpuType 100000c cpuSubType 0
21:02:11.558855 Already 16k aligned, directly go ahead :)
21:02:11.558857 -->> 16k-aligned mmaping(0x0, 0x1608000, 5, 0x2, 3, 0x19a0000)
21:02:11.558865 <<-- 16k-aligned mmaping(0x0, 0x1608000, 5, 0x2, 3, 0x19a0000) = 0x4b2e24000
21:02:11.558868 <<-- unprotect mremap_encrypted(0x4b2e24000, 0x1608000, 1, 0x100000c, 0x0)
21:02:11.558911 -->> unprotect mremap_encrypted(0x4b2e24000, 0x1608000, 1, 0x100000c, 0x0) = 0
21:02:11.558915 copying 0x69ec64000 to 0x4b2e24000, size 1608000
21:02:11.565635 copying enc pages, size: 0x1608000..
21:02:11.568913 cleaning up...
Tried to open the app to be cracked: it opens successfully.