How cracking works
Posted 01 May 2013 - 07:58 AM
From the Hackulous wiki
iOS cracking is the process by which iOS applications are decrypted (cracked) so they may be used on other jailbroken devices. The method used is crude but simple: a debugger is attached to the executable and is used to dump the decrypted segments before the executable launches. The decrypted segments are then transposed onto the original binary, and the LC_ENCRYPTION_INFO load command's cryptid field is changed to 0.
iOS applications are installed into the /var/mobile/Applications/ directory within a randomly named payload directory. This directory will contain the .app directory (application data), the iTunesMetadata.plist dictionary file (containing some sensitive information about the purchaser), and the Documents, Library and tmp directories.
The executable is located within the .app directory, and is always named by the CFBundleExecutable key within its accompanying .app/Info.plist dictionary file. Some parts of this executable will be encrypted if the application has been purchased from the App Store. To check if an application is encrypted, use the otool -l command:
# otool -l iSilo | grep LC_ENCRYPTION_INFO -A 4
In the above output, cryptid is 1, meaning the application is encrypted. After being cracked (decrypted), cryptid is set to 0 to prevent the kernel from trying to decrypt already-decrypted data.
Within the .app directory there is also an SC_Info directory which contains keys used to decrypt the executable. These keys are used by FairPlay in conjunction with the iTunes library key list, the device's MAC address and other identifiers. The SC_Info directory's contents are sensitive and specific to the purchaser, and must be removed or corrupted before distribution.
Executable files on iOS are Mach-O files (also used on Mac OS X), and are documented here. Some executables are fat binaries, meaning they contain multiple mach objects within a single file, each one for a different architecture or platform.
Typical format of an iOS Mach-O file
To detect if an executable is a fat binary, use the otool -f command like so:
# otool -f iSilo
align 2^12 (4096)
align 2^12 (4096)
As you can see, the executable iSilo has two architectures. On iOS devices (which use the ARM processor instruction set) cpusubtype 6 means ARMV6, and cpusubtype 9 means ARMV7. The mach loader will choose the best architecture to match the device (newer devices run ARMV7). ARMV6 devices cannot execute ARMV7 architectures, so on ARMV6 devices the fat binary is usually "thinned" into an ARMV6 binary before cracking begins.
The mach header is not easily readable, and poedCrackMod uses a quick and dirty method to extract the various pieces of information from it. Clutch uses the native libraries available on iOS to obtain this information. Clutch assumed that the armv7 portion always came before the armv6 portion, which caused errors when cracking some apps. ClutchPatched dynamically searches for the various portions and supports 'monster' binaries. Apps that support the iPhone 5 have an armv7s portion with a cpusubtype of 11; currently both ClutchPatched and the latest version of poedCrackMod support it.
In a fat binary, the fat_header and subsequent fat_arch array are identified using a binary magic (0xcafebabe). Padding is added to round the file to the nearest memory page (0x1000) and the first mach object usually starts at 0x1000 from the start of the file. Files which are thin (only one Mach object) are identified with the mach-o binary magic (0xdeadbeef).
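The two inspection steps above (otool -l to read LC_ENCRYPTION_INFO and its cryptid, and otool -f to walk the fat_arch table and the cpusubtype of each slice) are easy to reproduce from the on-disk structures alone. The Python below is an added example, not code from the Hackulous wiki, Clutch or poedCrackMod: it parses the big-endian fat header (magic 0xcafebabe) and then each little-endian Mach-O slice, reporting cpusubtype, whether the MH_PIE flag is set, and the cryptoff/cryptsize/cryptid triple. It matches thin files on the header magic values actually defined in <mach-o/loader.h>, 0xfeedface for 32-bit and 0xfeedfacf for 64-bit objects. The sample binary it runs against is constructed in memory (an intact armv6 slice next to an armv7 slice whose cryptid has been cleared); the names parse_macho, unencrypted_archs and build_sample_fat are this example's own. From the defender's side, the same check, "does every slice of my executable still carry cryptid 1", is a cheap integrity indicator that an app or an IPA review pipeline can run.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Constants from <mach-o/loader.h>, <mach-o/fat.h> and <mach/machine.h>.
FAT_MAGIC = 0xCAFEBABE         # fat header magic (fat fields are big-endian)
MH_MAGIC = 0xFEEDFACE          # 32-bit Mach-O header magic
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit Mach-O header magic
MH_EXECUTE = 2                 # filetype: main executable
MH_PIE = 0x200000              # flags bit: ASLR-enabled (position independent)
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = 0x0100000C
CPU_SUBTYPE_MASK = 0x00FFFFFF  # strip capability bits from cpusubtype
ARM_SUBTYPES = {6: "armv6", 9: "armv7", 11: "armv7s"}
PAGE = 0x1000


@dataclass
class Slice:
    """What otool -f / otool -l would report for one Mach object."""
    cputype: int
    cpusubtype: int
    offset: int
    size: int
    pie: bool
    cryptoff: Optional[int] = None   # None when no LC_ENCRYPTION_INFO is present
    cryptsize: Optional[int] = None
    cryptid: Optional[int] = None

    @property
    def arch(self) -> str:
        if self.cputype == CPU_TYPE_ARM:
            return ARM_SUBTYPES.get(self.cpusubtype, f"arm(subtype {self.cpusubtype})")
        if self.cputype == CPU_TYPE_ARM64:
            return "arm64"
        return f"cputype {self.cputype}"

    @property
    def encrypted(self) -> bool:
        return self.cryptid == 1


def parse_thin(data: bytes, offset: int, size: int) -> Slice:
    """Parse one (little-endian) Mach-O header and walk its load commands."""
    magic = struct.unpack_from("<I", data, offset)[0]
    if magic == MH_MAGIC:
        hdr_len = 28
    elif magic == MH_MAGIC_64:
        hdr_len = 32          # mach_header_64 carries an extra 'reserved' field
    else:
        raise ValueError(f"no Mach-O magic at {offset:#x} (got {magic:#x})")
    _, cputype, cpusubtype, _ftype, ncmds, sizeofcmds, flags = struct.unpack_from("<7I", data, offset)
    pos, end = offset + hdr_len, offset + hdr_len + sizeofcmds
    if end > offset + size:
        raise ValueError("load commands extend past the slice")
    sl = Slice(cputype, cpusubtype & CPU_SUBTYPE_MASK, offset, size, bool(flags & MH_PIE))
    for _ in range(ncmds):
        if pos + 8 > end:
            raise ValueError("load command table truncated")
        cmd, cmdsize = struct.unpack_from("<II", data, pos)
        if cmdsize < 8 or pos + cmdsize > end:
            raise ValueError(f"bad cmdsize {cmdsize} at {pos:#x}")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            sl.cryptoff, sl.cryptsize, sl.cryptid = struct.unpack_from("<3I", data, pos + 8)
        pos += cmdsize
    return sl


def parse_macho(data: bytes) -> List[Slice]:
    """Return every Mach object in a thin or fat file, in fat_arch order."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        out = []
        for i in range(nfat):
            _ct, _cst, off, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
            out.append(parse_thin(data, off, size))
        return out
    return [parse_thin(data, 0, len(data))]


def unencrypted_archs(data: bytes) -> List[str]:
    """Architectures whose executable pages are not FairPlay-protected (cryptid != 1)."""
    return [s.arch for s in parse_macho(data) if not s.encrypted]


def _thin_slice(cpusubtype: int, cryptid: int, pie: bool = True) -> bytes:
    """Constructed sample slice: a mach_header plus one LC_ENCRYPTION_INFO command."""
    lc = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, PAGE, 3 * PAGE, cryptid)
    hdr = struct.pack("<7I", MH_MAGIC, CPU_TYPE_ARM, cpusubtype, MH_EXECUTE, 1, len(lc), MH_PIE if pie else 0)
    return hdr + lc


def build_sample_fat() -> bytes:
    """Constructed sample fat file: an intact armv6 slice and an armv7 slice with cryptid cleared."""
    specs = [(6, 1), (9, 0)]
    archs, body = [], b""
    for i, (sub, cryptid) in enumerate(specs):
        thin = _thin_slice(sub, cryptid)
        # fat_arch: cputype, cpusubtype, offset, size, align (log2, so 12 means 4096)
        archs.append(struct.pack(">5I", CPU_TYPE_ARM, sub, PAGE * (i + 1), len(thin), 12))
        body += thin.ljust(PAGE, b"\0")
    header = struct.pack(">II", FAT_MAGIC, len(specs)) + b"".join(archs)
    return header.ljust(PAGE, b"\0") + body   # first Mach object starts at 0x1000


if __name__ == "__main__":
    sample = build_sample_fat()
    for s in parse_macho(sample):
        print(f"{s.arch:7} offset={s.offset:#x} pie={s.pie} cryptoff={s.cryptoff:#x} "
              f"cryptsize={s.cryptsize:#x} cryptid={s.cryptid}")
    print("not encrypted:", unencrypted_archs(sample))
```

Pass the bytes of a real executable to parse_macho and it prints one line per slice; a slice with cryptid 0, or with no LC_ENCRYPTION_INFO at all in an App Store build, is the signal the text describes. Note that cpusubtype in fat_arch and mach_header can carry capability bits in the top byte, which is why the example masks them before looking up armv6/armv7/armv7s.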
Applications are decrypted by the kernel before the executable is launched. The mach loader identifies the LC_ENCRYPTION_INFO load command and uses the keys within SC_Info (along with other iTunes/device identifiers) to decrypt the segment after it has been loaded in memory. These keys are usually cached by the loader (or the fairplay decryption agent), meaning that cracking both architectures efficiently may require moving these keys and changing the executable's filename. (This is performed by Clutch.)
When the debugger attaches and traps the executable, it will have to dump the __TEXT segment (usually consistent with the cryptoff and cryptsize fields within the LC_ENCRYPTION_INFO load command). The dumped data should be transposed over the original __TEXT segment in the appropriate mach object. The cryptid should also be changed to reflect that the executable has been cracked.
All changes to a Mach object must be reflected within the CodeSignature hash table, located within the __LINKEDIT segment. This can be done automatically with the ldone utility.
Using GDB to Dump
The executable's decrypted segment can be dumped with GDB using a GDB batch script like so:
echo -e "set sharedlibrary load-rules \".*\" \".*\" none\r\n\
set inferior-auto-start-dyld off\r\n\
set sharedlibrary preload-libraries off\r\n\
set sharedlibrary load-dyld-symbols off\r\n\
dump memory dump.bin $(($CryptOff + 4096)) $(($CryptSize + $CryptOff + 4096))\r\n\
quit\r\n" > batch.gdb
gdb -q -e iSilo -x batch.gdb -batch
This method will dump the architecture chosen by the mach loader (the one most appropriate for your device). To dump the other architecture, you will have to change the executable's name (and the SC_Info key names) and swap the ARMV6 and ARMV7 cpusubtypes.
ASLR can be defeated in several ways. The MH_PIE flag within the mach_header can simply be unset before a debugger is used to dump the data, and then set after the data has been dumped. This method, however, requires resigning the binary. posix_spawn can be provided a spawn flag of _POSIX_SPAWN_DISABLE_ASLR (0x0100) to disable ASLR.
Clutch uses vm_region to identify the starting (non __PAGEZERO) region for the image, thus determining the vmaddrslide.
Packaging an IPA
See also: IPA
Cracked iOS applications are packaged into the IPA format, which is also used by iTunes to manage legitimate applications. This format has a unique structure:
- Payload/ contains the .app directory for the application. Remember: the SC_Info directory within the .app directory must be removed or censored, as it contains sensitive keys.
- iTunesArtwork is a 512x512 icon of the application, used by iTunes.
- iTunesMetadata.plist (optional) contains iTunes metadata used by the App Store app and iTunes to check for updates. This file does not need to be removed, but if it remains, several fields (appleId and purchaseDate) must be censored.
Directories located within an installed version of the application (Documents, tmp, or Library) are not included within an IPA file.
Posted 04 February 2014 - 09:56 AM
That was quite interesting. I've always been curious how crackers go about doing it. Thanks for the post
Posted 22 February 2014 - 05:10 AM
It was quite a read, but I think at least a part is stuck in my brain, so thankee.
Posted 23 February 2014 - 10:57 AM
If you have any questions I'll try answer some
Posted 24 February 2014 - 12:53 PM
Questions I would like answered:
- What is your favourite cheese?
- Do you like apple with cheese?
- Can you drink port with cheese?
- Have you ever thought about developing Android apps?
- What's your favourite colour?
- Do you ever question decisions you have made in life?
- Why are most if not all the girls who talk to on Twitter hot?
- What came first, the chicken or the egg?
- Saveloy or battered sausage?
- Prefer: dead, or alive?
- Kylie or Jason?
- Coronation Street or Eastenders?
I think that is enough questions for now. Please answer swiftly and accurately, do not go off on a tangent on any question.
Posted 02 March 2014 - 01:29 PM
Ok, from this line below on-topic please, or I'll have to close the thread. Good to see you had your opinions. I'm actually splitting this topic so you still have the posts.
The new topic about god and the stuff will be in the Off-Topic section.
Posted 02 March 2014 - 02:34 PM
The one after the last comment of Ninja needs to be moved too!
Posted 09 January 2015 - 03:44 AM
Posted 15 January 2015 - 01:40 PM
Interesting read. A couple questions about the process...
- How long does it usually take a good cracker to do this (a few minutes, or longer)?
- Why does the same cracked app, but from different crackers, have a different file size when finished? I've seen some apps smaller than the original IPA, while most are larger. But mainly I've seen the finished product vary by quite a few MB (just a different cracker) and they're the same version number.
Posted 15 January 2015 - 02:35 PM
From 5 to 2 minutes...
It doesn't depend on how professional the cracker is; it only depends on the device.
The program has an option to change the default packing parameter.
If you want a smaller file, you must compress it for much longer. It's like packing files into zip/rar/7z.
So some crackers use a lower compression rate to increase the speed of cracking.
Posted 15 January 2015 - 06:39 PM
Thanks for the answers alienopo. One more for you (or anyone else). Is all this done on the iOS device itself, or is it done on a computer running Mac OS or Windows? Thanks again!
Posted 16 January 2015 - 12:41 AM
Only in cooperation with an iPhone.
You can do it remotely, but you must use an iPhone/iPad.
Posted 06 February 2015 - 09:18 AM
Interesting facts. The whole "crack" process may be quite fast when you know how to do it, but this article just shows how difficult all of this work really is.
Posted 08 February 2015 - 01:27 PM
It's like when you start up a PC. You only see the GUI and buttons; when you get into the detail you will see how the processor, RAM and all the components fetch and execute code and pretty much check everything you need to get it started lol.
Posted 26 June 2015 - 07:26 AM
Edit: Never mind. I spoke too soon. Got it now.
Posted 14 August 2015 - 06:14 PM
Thank you, this is the kind of stuff I'm looking for! Good info! Thanks!!!!