How cracking works


26 replies to this topic

#1
MONGOLO
[posted by ttwj on 08 January 2013]

From the Hackulous wiki


iOS cracking is the process by which iOS applications are decrypted (cracked) so they may be used on other jailbroken devices. The method used is crude but simple: a debugger is attached to the executable and is used to dump the decrypted segments before the executable launches. The decrypted segments are then transposed onto the original binary, and the LC_ENCRYPTION_INFO load command's cryptid field is changed to 0.

Application Analysis
iOS applications are installed into the /var/mobile/Applications/ directory within a randomly named payload directory. This directory will contain the .app directory (application data), the iTunesMetadata.plist dictionary file (containing some sensitive information about the purchaser), and the Documents, Library and tmp directories.
The executable is located within the .app directory, and is always named by the CFBundleExecutable key within its accompanying .app/Info.plist dictionary file. Some parts of this executable will be encrypted if the application has been purchased from the App Store. To check if an application is encrypted, use the otool -l command:
# otool -l iSilo | grep LC_ENCRYPTION_INFO -A 4
cmd LC_ENCRYPTION_INFO
cmdsize 20
cryptoff 4096
cryptsize 1347584
cryptid 1
In the above output, cryptid is 1, meaning the application is encrypted. After being cracked (decrypted), cryptid is set to 0 to prevent the kernel from trying to decrypt already-decrypted data.
Within the .app directory there is also an SC_Info directory which contains keys used to decrypt the executable. These keys are used by FairPlay in conjunction with the iTunes library key list and the device's MAC address and other identifiers. The SC_Info directory's contents are sensitive and specific to the purchaser, and must be removed or corrupted before distribution.
Executable files on iOS are Mach-O files (also used on Mac OS X), and are documented here. Some executables are fat binaries, meaning they contain multiple mach objects within a single file, each one for a different architecture or platform.


[Image: Typical format of an iOS Mach-O file]
To detect if an executable is a fat binary, use the otool -f command like so:
# otool -f iSilo
Fat headers
fat_magic 0xcafebabe
nfat_arch 2
architecture 0
cputype 12
cpusubtype 6
capabilities 0x0
offset 4096
size 1488304
align 2^12 (4096)
architecture 1
cputype 12
cpusubtype 9
capabilities 0x0
offset 1495040
size 1495376
align 2^12 (4096)

As you can see, the executable iSilo has two architectures. On iOS devices (which use the ARM processor instruction set) cpusubtype 6 means ARMV6, and cpusubtype 9 means ARMV7. The mach loader will choose the best architecture to match the device (newer devices run ARMV7). ARMV6 devices cannot execute ARMV7 architectures, so on ARMV6 devices the fat binary is usually "thinned" into an ARMV6 binary before cracking begins.

The mach header is not easily readable and poedCrackMod uses a hard and dirty way to detect the various information about the header. Clutch uses native libraries available in iOS to figure out this information. Clutch assumed that armv7 portions always came before armv6 portions, hence causing errors in cracking some apps. ClutchPatched dynamically searches for the various portions and supports 'monster' binaries. Apps that support iPhone 5 have an armv7s portion with a cpusubtype of 11; currently both ClutchPatched and the latest version of poedCrackMod support it.

In a fat binary, the fat_header and subsequent fat_arch array are identified using a binary magic (0xcafebabe). Padding is added to round the file to the nearest memory page (0x1000) and the first mach object usually starts at 0x1000 from the start of the file. Files which are thin (only one Mach object) are identified with the mach-o binary magic (0xdeadbeef).
Applications are decrypted by the kernel before the executable is launched. The mach loader identifies the LC_ENCRYPTION_INFO load command and uses the keys within SC_Info (along with other iTunes/device identifiers) to decrypt the segment after it has been loaded in memory. These keys are usually cached by the loader (or the fairplay decryption agent), meaning that cracking both architectures efficiently may require moving these keys and changing the executable's filename. (This is performed by Clutch.)
When the debugger attaches and traps the executable, it will have to dump the __TEXT segment (usually consistent with the cryptoff and cryptsize fields within the LC_ENCRYPTION_INFO load command). The dumped data should be transposed over the original __TEXT segment in the appropriate mach object. The cryptid should also be changed to reflect that the executable has been cracked.
All changes to a Mach object must be reflected within the CodeSignature hash table, located within the __LINKEDIT segment. This can be done automatically with the ldone utility.
Using GDB to Dump
The executable's decrypted segment can be dumped with GDB using a GDB batch script like so:
# cryptsize and cryptoff are taken from the LC_ENCRYPTION_INFO output shown above
CryptSize=1347584
CryptOff=4096
echo -e "set sharedlibrary load-rules \".*\" \".*\" none\r\n\
set inferior-auto-start-dyld off\r\n\
set sharedlibrary preload-libraries off\r\n\
set sharedlibrary load-dyld-symbols off\r\n\
dump memory dump.bin $(($CryptOff + 4096)) $(($CryptSize + $CryptOff + 4096))\r\n\
kill\r\n\
quit\r\n" > batch.gdb

gdb -q -e iSilo -x batch.gdb -batch
This method will dump the architecture chosen by the mach loader (the one most appropriate for your device). To dump the other architecture, you will have to change the executable's name (and the SC_Info key names) and swap the ARMV6 and ARMV7 cpusubtypes.
Defeating ASLR
ASLR can be defeated in several ways. The MH_PIE flag within the mach_header can simply be unset before a debugger is used to dump the data, and then set after the data has been dumped. This method, however, requires resigning the binary. posix_spawn can be provided a spawn flag of _POSIX_SPAWN_DISABLE_ASLR (0x0100) to disable ASLR.
Clutch uses vm_region to identify the starting (non __PAGEZERO) region for the image, thus determining the vmaddrslide.
Packaging an IPA
See also: IPA
Cracked iOS applications are packaged into the IPA format, which is also used by iTunes to manage legitimate applications. This format has a unique structure:

- Payload/ contains the .app directory for the application. Remember: the SC_Info directory within the .app directory must be removed or censored, as it contains sensitive keys.
- iTunesArtwork is a 512x512 icon of the application, used by iTunes.
- iTunesMetadata.plist (optional) contains iTunesMetadata used by the App Store app and iTunes to check for updates. This file does not need to be removed, but if it remains several fields (appleId and purchaseDate) must be censored.

Directories located within an installed version of the application (Documents, tmp, or Library) are not included within an IPA file.
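As an added example (not part of the wiki article above, nor code from Clutch or poedCrackMod), the following Python reads the same headers the article walks through: the big-endian fat_header and fat_arch array behind 0xcafebabe, the 28-byte mach_header with its cputype 12 and cpusubtype 6/9/11, and the LC_ENCRYPTION_INFO load command with its cryptoff, cryptsize and cryptid fields. It reports, for every object in a thin or fat file, whether the FairPlay layer is still present; on an App Store binary that should still be encrypted, a cryptid of 0 is the tamper indicator an app integrity check or a triage script would flag. Assumptions: 32-bit little-endian objects only (the ARM devices the article discusses), the thin-file magic MH_MAGIC (0xfeedface) as defined in <mach-o/loader.h>, and a constructed two-architecture sample built inline rather than a real app.

```python
import struct
FAT_MAGIC = 0xCAFEBABE     # <mach-o/fat.h>: fat header magic, stored big-endian
MH_MAGIC = 0xFEEDFACE      # <mach-o/loader.h>: 32-bit Mach-O magic, little-endian on ARM
LC_ENCRYPTION_INFO = 0x21  # cmd of encryption_info_command (cmdsize 20)
CPU_TYPE_ARM = 12
ARM_SUBTYPES = {6: "armv6", 9: "armv7", 11: "armv7s"}

def encryption_info(data, base=0):
    """LC_ENCRYPTION_INFO fields of the 32-bit Mach-O object at `base` (None if absent)."""
    magic, cputype, cpusubtype, _, ncmds, _, _ = struct.unpack_from("<7I", data, base)
    if magic != MH_MAGIC:
        raise ValueError("no 32-bit Mach-O header at offset 0x%x" % base)
    off, found = base + 28, None  # load commands follow the 28-byte mach_header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_ENCRYPTION_INFO:
            cryptoff, cryptsize, cryptid = struct.unpack_from("<3I", data, off + 8)
            arch = ARM_SUBTYPES.get(cpusubtype, "arm?") if cputype == CPU_TYPE_ARM else "non-arm"
            found = dict(arch=arch, cryptoff=cryptoff, cryptsize=cryptsize, cryptid=cryptid)
        off += cmdsize  # cmdsize skips every command we do not care about
    return found

def all_objects(data):
    """Thin or fat file: encryption info of every object (fat_arch.offset is field 2)."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        bases = [struct.unpack_from(">5I", data, 8 + 20 * i)[2] for i in range(nfat)]
    else:
        bases = [0]
    return [encryption_info(data, b) for b in bases]

def stripped_objects(data):
    """Architectures whose cryptid is 0 (FairPlay layer removed): a tamper indicator."""
    return [o["arch"] for o in all_objects(data) if o and o["cryptid"] == 0]

def _mach(cpusubtype, cryptid):
    """Constructed sample: minimal MH_EXECUTE header plus one LC_ENCRYPTION_INFO command."""
    hdr = struct.pack("<7I", MH_MAGIC, CPU_TYPE_ARM, cpusubtype, 2, 1, 20, 0)
    return hdr + struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 4096, 8192, cryptid)

def _fat(objs):
    """Constructed sample: big-endian fat header, each (cpusubtype, bytes) object 0x1000-aligned."""
    out = struct.pack(">2I", FAT_MAGIC, len(objs)) + b"".join(
        struct.pack(">5I", CPU_TYPE_ARM, sub, 0x1000 * (i + 1), len(body), 12)
        for i, (sub, body) in enumerate(objs))
    for i, (_, body) in enumerate(objs):
        out = out.ljust(0x1000 * (i + 1), b"\0") + body
    return out

SAMPLE = _fat([(6, _mach(6, 1)), (9, _mach(9, 0))])  # armv6 still encrypted, armv7 stripped
```

Running stripped_objects on a real executable pulled from a jailbroken device gives the same answer as the otool -l check in the article, but for every architecture in the file at once.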

#2
Guest_michaellchong_*
whaaaat

#3
giocake



#4
That_Brandon

That was quite interesting. I've always been curious how crackers go about doing it. Thanks for the post :)



#5
Guest_ouwerkerkrik_*

It was quite a read, but I think at least a part is stuck in my brain, so thankee. ^_^



#6
NinjaLikesCheez

If you have any questions I'll try to answer some :)



#7
Cosmicalninja

Dear @NinjaLikesCheez,

Questions I would like answering:

  • What is your favourite cheese?
  • Do you like apple with cheese?
  • Can you drink port with cheese?
  • Have you ever thought about developing Android apps?
  • What's your favourite colour?
  • Why?
  • Do you ever question decisions you have made in life?
  • Why are most if not all the girls who talk to you on Twitter hot?
  • What came first, the chicken or the egg?
  • Saveloy or battered sausage?
  • Prefer: dead, or, alive?
  • Kylie or Jason?
  • Coronation Street or Eastenders?

I think that is enough questions for now. Please answer swiftly and accurately, do not go off on a tangent on any question.



#8
Auroratic

OK, from this line below on-topic please, or I'll have to close the thread. Good to see you had your opinions. I'm actually splitting this topic so you still have the posts.

The new topic about god and the stuff will be in the Off-Topic section.



#9
JAVsystems

The one after the last comment of Ninja needs to be moved too! :)



#10
Auroratic

It was moved. Just left here. Deleted now.



#11
Maicross
Thanks a lot. It shows how complicated your job is!! Thanks for your efforts.

#12
cookie7

Interesting read. A couple of questions about the process...

- How long does it usually take a good cracker to do this (a few minutes, or longer)?

- Why does the same cracked app, but from different crackers, have a different file size when finished? I've seen some apps smaller than the original IPA, while most are larger. But mainly I've seen the finished product vary by quite a few MB (just a different cracker) and they're the same version number.



#13
alienopo

From 5 to 2 minutes...

It's not dependent on how professional the cracker is; it only depends on the device.

The program has an option to change the default packing parameter.

If you want a smaller file you must compress it for much longer. It's like packing files to zip/rar/7z.

So some crackers are using a smaller compression rate to increase the speed of cracking.



#14
cookie7

Thanks for the answers alienopo. One more for you (or anyone else). Is all this done on the iOS device itself, or is it done on a computer running Mac OS or Windows? Thanks again! :)



#15
alienopo

Only with cooperation with the iPhone.

You can do it remotely, but must use an iPhone/iPad.



#16
dgh86

Interesting facts. The whole "crack" process may be quite fast when you know how to do it, but this article just shows how difficult all of this work really is.



#17
Auroratic

It's like when you start up a PC. You only see the GUI and buttons; when you get into detail you will see how the process, RAM and all the components fetch and execute code and pretty much check everything you need to get it started lol.



#18
justaskdrgiggles
Very interesting read, thank you! Does one have to manually enter some sort of code or is the process executed by an application?

Edit: Never mind. I spoke too soon. Got it now.

#19
crash

Thank you, this is the kind of stuff I'm looking for! Good info! Thanks!!!!



#20
Esoy
Interesting information! Thank you for taking time to write about this.