Support for iOS 14.5

[irworks]

Hi there! While trying out fouldecrypt on iOS 14.5 using the AltStore -> Fugu14 -> unc0ver Jailbreak on an iPhone XR I wasn't able to get fouldecrypt running successfully. Here's the log output of one attempt:

10:29:21.123326 mapping input file: /private/var/containers/Bundle/Application/7384EA7D-A396-4A76-88B6-F102431E33D9_tmp/Discord.app/Discord
10:29:21.128509 mapping output file: /private/var/containers/Bundle/Application/7384EA7D-A396-4A76-88B6-F102431E33D9_tmp/Discord.app/Discord
10:29:21.435733 copying original data of size 0x158c1d0...
10:29:21.454366     not fat binary, directly decrypting it!
10:29:21.454458     finding encryption_info segment in slide...
10:29:21.454467         found encryption_info segment at offset 10f8
10:29:21.454476     decrypting encrypted data...
10:29:21.454481         Going to decrypt crypt page: off 0x356000 size 0x1000 cryptid 1, cpuType 100000c cpuSubType 0
10:29:21.454505         Not 16k aligned, trying to do the hack :O
Error attempting to load plugin /usr/lib/libkrw/libFugu14Krw.dylib: dlopen(/usr/lib/libkrw/libFugu14Krw.dylib, 5): no suitable image found.  Did find:
    /usr/lib/libkrw/libFugu14Krw.dylib: incompatible cpu-subtype: 0x00000000 in /usr/lib/libkrw/libFugu14Krw.dylib
    /usr/lib/libkrw/libFugu14Krw.dylib: stat() failed with errno=60
10:29:21.750269         successfully initialized kerninfra!
10:29:21.750393             processing file off 354000-357000, curPage len: 3000, inPageStart: 2000, inPageEnd: 3000
10:29:21.750489 -->> directly 16k-aligned mmap mmaping(0x0, 0x3000, 5, 0x2, 4, 0x354000)
10:29:21.752934 <<-- directly 16k-aligned mmap mmaping(0x0, 0x3000, 5, 0x2, 4, 0x354000) = 0x1027fc000
10:29:21.752955 <<-- unprotect mremap_encrypted(0x1027fc000, 0x3000, 1, 0x100000c, 0x0)
mremap_encrypted: Operation not permitted
10:29:21.812483 -->> unprotect mremap_encrypted(0x1027fc000, 0x3000, 1, 0x100000c, 0x0) = -1

Especially the part mentioning mentioning /usr/lib/libkrw/libFugu14Krw.dylib gave me the impression, that the issue may be related to the specific Fugu14 exploit method?

[Halo-Michael]

CC: https://github.com/LinusHenze/Fugu14/issues/200 Place the files in libFugu14Krw.zip according to the path.

[irworks]

Thank you for your help! This resolved the libFugu14Krw.dylib loading issue, unfortunately the mremap_encrypted: Operation not permitted persists and the binary remains encrypted.

[dlevi309]

Thank you for your help! This resolved the libFugu14Krw.dylib loading issue, unfortunately the mremap_encrypted: Operation not permitted persists and the binary remains encrypted.

This is how you fix it: first, run the path of the app’s binary path alone in terminal (you’re gonna get a Trace: BPT Trap error, which is expected), then run fouldecrypt normally on the binary, it should decrypt it after that because you’ve forced the app to map itself by executing it directly.

so rehash, say I want to decrypt Discord:

$ /var/containers/Bundle/Application/5C4DC9B2-9056-4717-935E-71CB3C74E9DC/Discord.app/Discord

it should return Abort Trap: 6 or whatever. Then run:

$ fouldecrypt /var/containers/Bundle/Application/5C4DC9B2-9056-4717-935E-71CB3C74E9DC/Discord.app/Discord

Unless it’s a special case, the app should decrypt fine now, this also works on plugins.

[0x5e]

Hi @dlevi309 , how about the dylib decryption? dylib can't be executed and if I directly run fouldecrypt, I will get mremap_encrypted: Operation not permitted again.

[dlevi309]

Hi @dlevi309 , how about the dylib decryption? dylib can't be executed and if I directly run fouldecrypt, I will get mremap_encrypted: Operation not permitted again.

I’ve run into this too. The issue is that on iOS 14, an execute bit set is needed to decrypt dylib / frameworks, this is my own goofy solution:

Let’s pretend that the path of the dylib you’re trying to decrypt is Argo.app/Frameworks/Something.framework/Something

1. run chmod +x on Argo.app/Frameworks/Something.framework/Something
2. Then attempt to RUN Argo.app/Frameworks/Something.framework/Something from the command line (this will obviously fail with a message like abort trap, but it’s enough to load the dylib into memory)
3. NOW run decrypt Argo.app/Frameworks/Something.framework/Something

This isn’t a sure fire for everything, but I’ve noticed that it works most of the time

[0x5e]

@dlevi309 thanks for the reply. in step 2, I still got cannot execute binary file: Exec format error, seems step 1 didn't work for me.

iPhone-7:~/workspace root# chmod +x ./tmp/Payload/xxx.app/Frameworks/yyy.framework/yyy
iPhone-7:~/workspace root# ./tmp/Payload/xxx.app/Frameworks/yyy.framework/yyy
-sh: ./tmp/Payload/xxx.app/Frameworks/yyy.framework/yyy: cannot execute binary file: Exec format error

[dlevi309]

@0x5e no prob, and the app can’t be in a ./tmp environment, chmod +x has to be performed on the original binary within the installed app’s bundle directory. Although, even after doing all the steps correctly, you may still get that cannot execute binary file: Exec format error, and that’s usually an indication that it won’t work on that particular binary. Framework / dylibs sometime definitely work, but can also fail. If you wanna test an example of this that works almost 100% of the time, you can run the steps on app plugins that fail to decrypt (because they may be built for a newer iOS version, etc.)

[0x5e]

@dlevi309 I just unzip the ipa to somewhere else, but I keep the app bundle structure, did you mean the app has to be installed to /var/containers/Bundle/Application/xxxxxxxxxxx by some tools before decrypt the dynamic frameworks? And I miss the step3 log before, after Exec format error, I still got mremap_encrypted: Operation not permitted. So maybe the binary I tested didn't work for this solution?

[Ender890]

@dlevi309 omg i love you ty, and ty nyamisty