Cracking Cydia Apps/Tweaks Tut #1 part 2


13 replies to this topic

#1 Sacmunraga (Pro Caker, IC Member)

Cracking Cydia Apps/Tweaks Tut #1 part 2

 

By Sacmunraga

 

 

This is part 2 of my Cracking Tutorial #1. If you missed the first part, go and check this out: https://forum.iphone...pstweaks-tut-1/

 

Now I will explain the whole cracking part itself. Now, to become a well versed "cracker", or better stated a "reverser", you need to study Assembly code. We are currently dealing with ARM assembly code, but never fear, because I will be keeping the code to a minimum. Let's get to it.

 

Requirements:

  • Hopper v3 or v4.
  • Filza

 


 

If you remember from the first part, once we had installed the "BackupAZ2" app, we had this show up when we launched it: 

[Image: IMG_0169.PNG]

 

This is the problem we are trying to fix. To actually start reversing, we need to load the executable into our disassembler. I am using Hopper v4, once again, PM me if you need help "acquiring" this. The other thing is that Cydia .deb files usually have multiple executable files. If you are cracking a tweak, then the executable will most likely be in the Library/MobileSubstrate/DynamicLibraries/ directory of the unpacked .deb and the executable will most likely be called Tweakname.dylib. In our case, in which we are disassembling an application, we will most likely be reversing the executable found in the Applications/AppName.app/ directory and it will probably be called AppName, with a black terminal for its icon.

Example:

[Screenshot 2017-03-17 at 11.12]

(down to)

[Screenshot 2017-03-17 at 11.13]

 

In this case, RootBackupAZ2 is the executable we will be reversing. If and when you are going to be doing this, you will find out that there is actually another executable in that folder called BackupAZ2. Don't be fooled though, that isn't the right executable.

 

Now that that is out of the way, we can actually start reversing. To load an executable into Hopper, you drag it onto the Main Hopper Window. You should get a window like this: 

[Screenshot 2017-03-17 at 11.50]

Here are a few things you should know. The "FAT archive" for the Loader option tells us that Hopper recognizes this executable as a FAT archive. This means that during compiling, the executable was set to be compiled for both ARM v7 and AArch64 (a.k.a. arm64). Honestly, it doesn't really matter which one you choose. There are minor differences in the code, but it won't make a big difference. For this, I chose the ARM v7 option. After you click "Next", click "Ok" in the next window and now the disassembler will spend a few minutes actually disassembling the code.

 

After the code is disassembled, you should see this: 

[Screenshot 2017-03-17 at 11.58]

If you see "Working" in the bottom right of this screen when you're disassembling, then that means that the code is still disassembling. Ok, now we need to locate the UIAlertView or UIAlertController which tells us that we are using a pirated version. Luckily, this dev (and most other devs) did not obfuscate his code. This means that we can literally search the text from the UIView and find it in the disassembler. To do this, click on the search bar in the upper right of your Hopper view, and search "Pirated_Version" (without the quotes). Remember to put the underscore there, because in Hopper, you use underscores instead of spaces. You should see something like this:

[Screenshot 2017-03-18 at 12.03]

The cfstring_ in front of the "Pirated_version" text tells us that this is a string object. Good, now we have found the text. Now to go further, you have to click on the whole "cfstring_Pirated_version" and it will take you to a part of Hopper where it tells you what functions reference this string.

[Screenshot 2017-03-18 at 12.07]

 

 

The picture is small, but you should see something familiar. Now, if you scroll to the right, you will see what functions reference this string. An example of a function, taken right out of this picture, is [MainViewController viewDidLoad]+XXXX. The string of numbers at the end of the function is simply an offset into the function, or the exact location where that string is referenced. Now, to see the code behind that string you again have to click on the [MainViewController viewDidLoad]+XXXX and it will take you to the whole method. Now we can read some assembly, yay! If you double click on the method, then it will take you to the code, but actually we will go to the very start of the function ([MainViewController viewDidLoad]) and see how the whole DRM works. So to make it short and sweet, the first part of the function initializes a bunch of objects, and it sets some variables.

So for the sake of time, you actually have to study the code. One thing that pops up is this command:

[Screenshot 2017-03-18 at 12.24]

 

First of all, /bin/bash is referenced, telling us that a shell script will be run. Then the command itself is given to us - "dpkg --get-selections > /var/tmp/1". After some studying, I found out that this command takes the contents of /var/lib/dpkg/status, which is the file that contains a list of packages currently installed on our device, and dumps it into /var/tmp/1 (">" in shell means to create a .txt file). Then, after further studying the code, we see this:

[Screenshot 2017-03-18 at 12.30]

 

So at the top of the picture, we see a @selector(rangeOfString) call. This calls the rangeOfString function, which is used to compare two strings of text. So the text that is being compared is com.synnyg.backupaz2. So later on, if the string com.synnyg.backupaz2 is found in the /var/tmp/1 file, then the whole piracy method string is skipped. The whole problem is that when we install the file from the hackyouriphone repo, the bundle identifier string turns out to be com.hackyouriphone.backupaz2, not com.synnyg.backupaz2 which we need it to be. This would be different if we had actually bought the tweak from the BigBoss repo, which we didn't. So if the string com.synnyg.backupaz2 is not found, then the piracy UIView is called, and we can't do anything, so how do we solve this?

 

Well, here's the solution. Remember when we saw that the command "dpkg --get-selections > /var/tmp/1" was executed? Well, that simply copied the contents of the /var/lib/dpkg/status file and pasted them into a different file, which was then checked and a decision was made. Well, what if we manually added the string com.synnyg.backupaz2 into the /var/lib/dpkg/status file, so that when its contents get dumped, it would be found, and the piracy method would be avoided? To accomplish this, there are actually a couple of methods, but I will show you two for time's sake. The simplest way to do this is just to navigate to /var/lib/dpkg/status, open it up and add the strings "Package:com.synnyg.backupaz2 \n Status: install ok installed \n Priority: standard \n Architecture: iphoneos-arm \n Version 17"

 

(Add it at the bottom or top of the file, no quotes; "\n" means a new line, literally a new line.)

 

Now, once you save the file, you run the app and it should work without a piracy alert. Technically this is a job done, because the app has been successfully cracked, and it works. Now, if you are cracking it for a large audience, then you have to automate this process. One way is adding postinst and postrm scripts, which are scripts which run after a package's installation and after a package's removal, respectively. Another way which is pretty much the same is to make a "patcher". This is accomplished by making a file called crack.sh or something that ends with .sh, and then saving it. To actually write the patcher, we will use shell script itself. Copy and paste this code into the file:

#!/bin/bash

#This checks if we're running as root, we can't write to a file if we're not the Root User
if [[ $EUID -ne 0 ]]; then
echo "you need to run as Root user." >&2
exit 1
fi

#Now the actual text insertion
sed -i '$ a Package: com.synnyg.backupaz2' /var/lib/dpkg/status
sed -i '$ a Status: install ok installed' /var/lib/dpkg/status
sed -i '$ a Priority: standard' /var/lib/dpkg/status
sed -i '$ a Architecture: iphoneos-arm' /var/lib/dpkg/status
sed -i '$ a Version: 17' /var/lib/dpkg/status

#inform the user that the crack has been applied
echo Crack Applied

#OK, sed is a text editor used in Unix. The command "sed -i '$ a Package: com.synnyg.backupaz2' /var/lib/dpkg/status" will paste "Package: com.synnyg.backupaz2" at the bottom of the /var/lib/dpkg/status file.
#The next 4 commands do the same thing, just different text.
#Simply put, this makes it look like we have the real BackupAZ2 file installed, the one from BigBoss, when in reality we don't.

Save this text into a file, then move it to your iDevice. Then find out the directory in which it is located, open MobileTerminal or any other terminal emulator on your iDevice and run "chmod +rx crack.sh" or whatever you named the crack file. This will give the script executable privileges, meaning it can be executed. Once again, don't forget to run as Root user, or the crack won't work.

 

 

Ok, that was like 3 hours of my life, have fun homeboys.

 

Edit!!! BackupAZ3 comes with a new look, but with the same holes. Enjoy.

#!/bin/bash

#This checks if we're running as root, we can't write to a file if we're not the Root User
if [[ $EUID -ne 0 ]]; then
echo "you need to run as Root user." >&2
exit 1
fi

#Now the actual text insertion
sed -i '$ a Package: com.synnyg.backupaz3' /var/lib/dpkg/status
sed -i '$ a Status: install ok installed' /var/lib/dpkg/status
sed -i '$ a Priority: standard' /var/lib/dpkg/status
sed -i '$ a Architecture: iphoneos-arm' /var/lib/dpkg/status
sed -i '$ a Version: 17' /var/lib/dpkg/status

#inform the user that the crack has been applied
echo Crack Applied

#OK, sed is a text editor used in Unix. The command "sed -i '$ a Package: com.synnyg.backupaz3' /var/lib/dpkg/status" will paste "Package: com.synnyg.backupaz3" at the bottom of the /var/lib/dpkg/status file.
#The next 4 commands do the same thing, just different text.
#Simply put, this makes it look like we have the real BackupAZ3 file installed, the one from BigBoss, when in reality we don't.


#2 hotsjf (Admin)
Very nice tutorial

#3 Sacmunraga (Pro Caker, IC Member)
@hotsjf, Thanks, I tried. I don't really know how much knowledge you all have in this, but I hope it'll be a good start for some of you guys.

#4 eclair4151 (Fresh Newbie, IC Member)

Thanks, this is really helpful. One question: do most apps apply cracks in the scripts, or do they modify the actual binary and patch it back up?



#5 Sacmunraga (Pro Caker, IC Member)

@eclair4151, In this case, we used a script, but there are cracks where the binary is patched up. If we're strictly talking about apps (.ipa), then I would say that binary patching is more frequently used. Why? Because there are apps that have some kind of protection (DRM, self-aware, etc.) that appear on the App Store, and they don't really rely on license files on the iDevice. Meanwhile on Cydia, there are a lot of apps as well, but a lot use licensing systems, and the cracker gets two options: either find a way to patch the binary or write a valid licensing system (keygen). On the other hand, if we're talking about tweaks (.dylibs), scripts are more often used than patching, even though the difference isn't that big. The reason for this is that a lot of tweaks use licensing systems, where the license is downloaded onto the device (usually /var/mobile/Library/Preferences/XXX.license), then the tweak verifies the existence of the license file, validates its contents, and then lets the end user use the tweak. The reverser is then tasked with reverse engineering the program and finding how the licensing system works. Nevertheless, it still is possible to patch .dylibs and circumvent DRM protections on tweaks; it's just less popular because some developers set up systems where the program checks the file size of the executable, and if the size is bigger or smaller than what it is supposed to be then it will crash. This system usually works because .dylibs or any executable loses data after reverse engineering.



#6 relo (Fresh Newbie, IC Lurker)

Can I debug with this tut? It is very difficult to just read the ARM assembly for complex tweaks.



#7 Sacmunraga (Pro Caker, IC Member)
You can debug Apps, but I'm not sure about Tweaks. I have searched ways to do it but have come up with nothing yet...



#8 relo (Fresh Newbie, IC Lurker)

@Sacmunraga I'm having a hard time cracking a tweak. I would like to have a suggestion from you: https://brc.yourepo.com/

It is very difficult for me to locate the patch needed.

 


#9 relo (Fresh Newbie, IC Lurker)

Why, when I rebuild after the patch, has the file been reduced so that it is not able to run?

[Image: qTNUdP6.png]



#10 Sacmunraga (Pro Caker, IC Member)

@relo, After editing the code, the executable always turns out to be a little smaller. Sometimes it has protection and it won't run, while other times it won't run because you have modified certain code which is supposed to stay unmodified.

#11 wanbotak (Fresh Newbie, IC Lurker)

@Sacmunraga

So this tutorial can bypass VIP user to free user?

So for example, I have 2 different tweaks with the same function.

First, a VIP user can use this tweak for unlimited time.

For a free user, this tweak can only be used for 10 minutes.

This is if you are a free user; you can't use the VIP tweak:

[Image: QJGWyCb.jpg]

This is the free user tweak:

[Image: nlpM6eh.jpg]

So how can I bypass this "access denied", or remove the auth, or change from VIP user to free user? Because I have the free user & VIP user tweak too.

This tweak needs to log in to a VIP account first before the function can be used.

BTW, this is my first time cracking and learning :D

[Image: 9hhAoVn.png]



#12 Sacmunraga (Pro Caker, IC Member)
@wanbotak I just saw your message lol, sorry about the late reply. I'll take some time to look into this, and maybe figure something out.



#13 Ayatony (Fresh Newbie, IC Lurker)

@Sacmunraga hi bro, is there any way to bypass the iosGods login, or delete the login alert?
Thanks

#14 Ayatony (Fresh Newbie, IC Lurker)

Also, is there any tutorial about updating a tweak to arm64e?