paradiseduo / appdecrypt

appdecrypt is a tool to decrypt applications' encrypted binaries on macOS when SIP is enabled (macOS 11.3 or below)
GNU General Public License v3.0

apps are still encrypted! #11

Open ayouch opened 2 years ago

ayouch commented 2 years ago

I was able to successfully use appdecrypt on my M1 Mac but the output binaries are still encrypted anyway! I used otool to check and cryptid is still 1.

paradiseduo commented 2 years ago

What app?

ayouch commented 2 years ago

basically every app I tried, here's an example:

paradiseduo commented 2 years ago

Was the app downloaded from the Mac App Store?

ayouch commented 2 years ago

yes

paradiseduo commented 2 years ago

I added a log for the failure reason, and now I am trying to find out why mmap fails.

```
Dump /Applications/PinTok.app/Wrapper/PinTok.app/PinTok fail, because of mmap fail
```

ayouch commented 2 years ago

it's not just this app in particular, basically all the apps I tried stay encrypted even after successfully running appdecrypt!

paradiseduo commented 2 years ago

I dumped Kugou and DUApp successfully, but other app dumps fail.

iVoider commented 2 years ago

Post 11.2.3 you can decrypt only those apps that have been allowed by the developer (support Mac tick in Developer Portal). Maybe it is possible to use DYLD_INTERPOSE with mmap to allow decrypting of unsigned binaries? Or some sort of .sinf file generation like in Clutch?

ayouch commented 2 years ago

@iVoider I'm trying to decrypt signed apps that I downloaded from the Mac App Store and it doesn't work anyway!

paradiseduo commented 2 years ago

I know why some apps don't work.

```
> otool -l PinTok
.......
Load command 10
      cmd LC_BUILD_VERSION
  cmdsize 32
 platform 2   # Platform 2 is iOS
    minos 13.0
      sdk 14.5
   ntools 1
     tool 3
  version 650.9
.......
```

As you can see, this app's platform is 2, and platform 2 is iOS, so decrypting it on Mac will fail.

This error corresponds to EXEC_EXIT_REASON_WRONG_PLATFORM in the kernel, and that constant is only referenced in a single function: check_for_signature:

```c
static int
check_for_signature(proc_t p, struct image_params *imgp)
{
    …;
#if XNU_TARGET_OS_OSX
        /* Check for platform passed in spawn attr if iOS binary is being spawned */
        if (proc_platform(p) == PLATFORM_IOS) {
                struct _posix_spawnattr *psa = imgp->ip_px_sa;
                if (psa == NULL || psa->psa_platform == 0) {
                    …;
                            signature_failure_reason = os_reason_create(OS_REASON_EXEC,
                                        EXEC_EXIT_REASON_WRONG_PLATFORM);
                            error = EACCES;
                            goto done;
                } else if (psa->psa_platform != PLATFORM_IOS) {
                        /* Simulator binary spawned with wrong platform */
                        signature_failure_reason = os_reason_create(OS_REASON_EXEC,
                            EXEC_EXIT_REASON_WRONG_PLATFORM);
                        error = EACCES;
                        goto done;
                } else {
                        printf("Allowing spawn of iOS binary %s since "
                            "correct platform was passed in spawn\n", p->p_name);
                }
        }
#endif /* XNU_TARGET_OS_OSX */
    …;
}
```

This code is active on macOS and will execute if the platform of the to-be-executed process is PLATFORM_IOS.

hazcod commented 1 year ago

Is there anything we can do about this?

HenryQuan commented 9 months ago

Sorry for bringing this up after 2 years. If I get cryptid 0 instead of 1, does it mean the executable was cracked successfully? I am trying to fix the issue with mmap.

Please also see https://github.com/paradiseduo/appdecrypt/pull/25.