From 79796d1df6433c077e78df4a08e1e729543070f6 Mon Sep 17 00:00:00 2001 From: Nishaanth Gunasekaran Date: Wed, 25 Oct 2017 02:09:25 -0700 Subject: [PATCH 1/5] Updated procedure to sign the dylib Injecting a dylib file without signing it will fail. Since, have updated the file to sign the same before injecting. --- README | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/README b/README index 8000eb3..ef7449e 100644 --- a/README +++ b/README @@ -8,9 +8,20 @@ First adjust the Makefile if you have a different iOS SDK installed. And then just: make - Usage: +Before running the decryption dumper, the dumpdecrypted.dylib should be signed. + +``` +$ security find-identity -p codesigning -v + 1) 998971859D4D2E74F "iPhone Developer: ..." + 2) CF57726A2BA2D8B57 "Mac Developer: ..." + 2 valid identities found +$ codesign -f -s 998971859D4D2E74F... dumpdecrypted.dylib +dumpdecrypted.dylib: replacing existing signature + +``` + iPod:~ root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/Scan.app/Scan mach-o decryption dumper From eeaa372fef89a00dbda19ffd73f4cbc25caa423b Mon Sep 17 00:00:00 2001 From: Nishaanth Gunasekaran Date: Wed, 25 Oct 2017 02:11:11 -0700 Subject: [PATCH 2/5] Rename README to README.md --- README => README.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename README => README.md (100%) diff --git a/README b/README.md similarity index 100% rename from README rename to README.md From 04ecc5eeb5fb962df1951d616e8c1132c52ab54b Mon Sep 17 00:00:00 2001 From: Nishaanth Gunasekaran Date: Wed, 25 Oct 2017 02:12:58 -0700 Subject: [PATCH 3/5] Update README.md --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index ef7449e..25450de 100644 --- a/README.md +++ b/README.md 
@@ -22,6 +22,7 @@ dumpdecrypted.dylib: replacing existing signature ``` +``` iPod:~ root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/Scan.app/Scan mach-o decryption dumper @@ -41,3 +42,4 @@ DISCLAIMER: This tool is only meant for security research purposes, not for appl [+] Copying the not encrypted remainder of the file [+] Closing original file [+] Closing dump file +``` From ed0cdc641d47bfcb12a7435e28e08644d3cccbbf Mon Sep 17 00:00:00 2001 From: Nishaanth Gunasekaran Date: Thu, 26 Oct 2017 05:06:14 -0700 Subject: [PATCH 4/5] Update dumpdecrypted.c --- dumpdecrypted.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dumpdecrypted.c b/dumpdecrypted.c index 3313be2..92fbaf2 100644 --- a/dumpdecrypted.c +++ b/dumpdecrypted.c @@ -4,10 +4,11 @@ Dumps decrypted iPhone Applications to a file - better solution than those GDB s (C) Copyright 2011-2014 Stefan Esser iPod:~ root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/Scan.app/Scan -mach-o decryption dumper + DISCLAIMER: This tool is only meant for security research purposes, not for application crackers. +[+] Mach-O Decryption Dumper by Stefanesser [+] Found encrypted data at address 00002000 of length 1826816 bytes - type 1. [+] Opening /private/var/mobile/Applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/Scan.app/Scan for reading. [+] Reading header @@ -55,10 +56,9 @@ void dumptofile(int argc, const char **argv, const char **envp, const char **app unsigned int fileoffs = 0, off_cryptid = 0, restsize; int i,fd,outfd,r,n,toread; char *tmp; - - printf("mach-o decryption dumper\n\n"); printf("DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.\n\n"); + printf("[+] Mach-O Decryption Dumper by Stefanesser \n"); /* detect if this is a arm64 binary */ if (pvars->mh->magic == MH_MAGIC_64) { 
From 9bff3779da45f493078305ae4b6537429485781c Mon Sep 17 00:00:00 2001 From: Nishaanth Gunasekaran Date: Thu, 26 Oct 2017 05:06:46 -0700 Subject: [PATCH 5/5] Update README.md --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 25450de..0392f5a 100644 --- a/README.md +++ b/README.md @@ -24,10 +24,11 @@ dumpdecrypted.dylib: replacing existing signature ``` iPod:~ root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/Scan.app/Scan -mach-o decryption dumper + DISCLAIMER: This tool is only meant for security research purposes, not for application crackers. +[+] Mach-O Decryption Dumper by Stefanesser [+] Found encrypted data at address 00002000 of length 1826816 bytes - type 1. [+] Opening /private/var/mobile/Applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/Scan.app/Scan for reading. [+] Reading header
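Review bot: in PATCH 1/5 the `- Usage:` line is dropped and nothing replaces it, so after the new signing block the reader lands on `iPod:~ root# DYLD_INSERT_LIBRARIES=...` with no label; keep a `Usage:` line between the closing fence and that command. The identity in `$ codesign -f -s 998971859D4D2E74F... dumpdecrypted.dylib` is a truncated hash from one machine, so a placeholder such as `<identity>` plus a sentence telling the reader to take it from the `security find-identity -p codesigning -v` listing would be clearer. The hunk also shows the signing at a `$` prompt and the injection at the device's `iPod:~ root#` prompt without saying so; state that `codesign` runs on the Mac before the dylib is copied to the device.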
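Review bot: in PATCH 3/5 the added opening fence sits directly under the signing block's closing fence, so the file now reads ``` immediately followed by ```; the second block does open correctly, but the `Usage:` heading removed in 1/5 is still missing, and the obvious place for it is between those two fences. The closing fence added after `[+] Closing dump file` in the second hunk is fine.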
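Review bot: in PATCH 4/5, first hunk (header comment), the new sample line `+[+] Mach-O Decryption Dumper by Stefanesser` runs the author's name together; the copyright line two lines above in the same hunk reads `(C) Copyright 2011-2014 Stefan Esser`, so the banner should spell it the same way.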
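Review bot: in PATCH 4/5, second hunk (`dumptofile`), `printf("[+] Mach-O Decryption Dumper by Stefanesser \n");` has a trailing space before `\n` and the same misspelling as the header comment; drop the space and use `Stefan Esser`. The hunk also moves the banner from before the DISCLAIMER to after it and deletes the `printf("mach-o decryption dumper\n\n");` line, which changes the documented output order, yet the commit message is only "Update dumpdecrypted.c"; say in the message that the banner text and position changed.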
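Review bot: in PATCH 5/5 the README sample output is brought back in line with the printf from 4/5, which is right, but it inherits the `Stefanesser` spelling and should be corrected together with the code. Since 4/5 and 5/5 are one logical change (the binary's banner and its documented output), consider squashing them so no commit in the series has the README and the program disagreeing.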