Cracking Cydia Apps/Tweaks Tut #1 part 2
This is part 2 of my Cracking Tutorial #1. If you missed the first part, go and check this out: https://forum.iphone...pstweaks-tut-1/
Now I will explain the cracking part itself. To become a well-versed "cracker", or better stated a "reverser", you need to study assembly code. We are dealing with ARM assembly here, but never fear, because I will keep the code to a minimum. Let's get to it.
- Hopper v3 or v4.
If you remember from the first part, once we had installed the "BackupAZ2" app, we had this show up when we launched it:
This is the problem we are trying to fix. To actually start reversing, we need to load the executable into our disassembler. I am using Hopper v4; once again, PM me if you need help "acquiring" this. The other thing is that Cydia .deb files usually contain multiple executable files. If you are cracking a tweak, the executable will most likely be in the Library/MobileSubstrate/DynamicLibraries/ directory of the unpacked .deb and will most likely be called Tweakname.dylib. In our case, where we are disassembling an application, we will most likely be reversing the executable found in the Applications/AppName.app/ directory; it will probably be called AppName, with a black terminal for its icon.
In this case, RootBackupAZ2 is the executable we will be reversing. If and when you do this yourself, you will find that there is actually another executable in that folder called BackupAZ2. Don't be fooled though; that isn't the right executable.
Now that that is out of the way, we can actually start reversing. To load an executable into Hopper, drag it onto the main Hopper window. You should get a window like this:
Here are a few things you should know. The "FAT archive" Loader option tells us that Hopper recognizes this executable as a FAT archive. This means that during compilation the executable was built for both ARMv7 and AArch64 (a.k.a. arm64). Honestly, it doesn't really matter which one you choose; there are minor differences in the code, but it won't make a big difference. I chose the ARMv7 option. After you click "Next", click "Ok" in the next window and the disassembler will spend a few minutes actually disassembling the code.
After the code is disassembled, you should see this:
If you see "Working" in the bottom right of the screen, the code is still disassembling. Now we need to locate the UIAlertView or UIAlertController that tells us we are using a pirated version. Luckily this dev (and most other devs) did not obfuscate his code, which means we can literally search for the text from the UIView and find it in the disassembler. To do this, click on the search bar in the upper right of your Hopper view and search for "Pirated_Version" (without the quotes). Remember the underscore, because Hopper uses underscores instead of spaces. You should see something like this:
The cfstring_ prefix in front of "Pirated_version" tells us that this is a string object. Good, now we have found the text. To go further, click on the whole "cfstring_Pirated_version" and Hopper will take you to a view that shows which functions reference this string.
The picture is small, but you should see something familiar. If you scroll to the right, you will see which functions reference this string. An example taken right out of this picture is [MainViewController viewDidLoad]+XXXX. The number at the end is an offset into that function: the exact location where the string is referenced. To see the code behind that reference, click on [MainViewController viewDidLoad]+XXXX and Hopper takes you to the whole method. Now we can read some assembly, yay! Double-clicking the method takes you to the code at that offset, but we will instead go to the very start of the function ([MainViewController viewDidLoad]) and see how the whole DRM works. To make it short and sweet, the first part of the function initializes a bunch of objects and sets some variables.
For the sake of time I won't go through every instruction, so you will have to study the code yourself. One thing that pops up is this command:
First of all, /bin/bash is referenced, telling us that a shell command will be run. Then the command itself is given to us: "dpkg --get-selections > /var/tmp/1". After some studying, I found out that this command reads /var/lib/dpkg/status, the file that lists the packages currently installed on our device, and dumps the package list into /var/tmp/1 (">" in the shell redirects the command's output into a file). Then, after further studying the code, we see this:
At the top of the picture we see a @selector(rangeOfString:) call. rangeOfString: is used to check whether one string contains another. The string being searched for is com.synnyg.backupaz2. So if the string com.synnyg.backupaz2 is found in the /var/tmp/1 file, the whole piracy alert is skipped. The problem is that when we install the package from the hackyouriphone repo, the bundle identifier turns out to be com.hackyouriphone.backupaz2, not com.synnyg.backupaz2 as the check needs it to be. This would be different if we had actually bought the tweak from the BigBoss repo, which we didn't. So if the string com.synnyg.backupaz2 is not found, the piracy UIView is shown and we can't do anything, so how do we solve this?
Well, here's the solution. Remember the command "dpkg --get-selections > /var/tmp/1": it simply copied the package list from /var/lib/dpkg/status into a different file, which was then checked and a decision was made. So what if we manually add the string com.synnyg.backupaz2 to the /var/lib/dpkg/status file, so that when its contents get dumped the string is found and the piracy check is passed? There are actually a couple of methods to accomplish this, but I will show you two for time's sake. The simplest way is to navigate to /var/lib/dpkg/status, open it up and add the lines "Package: com.synnyg.backupaz2 \n Status: install ok installed \n Priority: standard \n Architecture: iphoneos-arm \n Version: 17"
(Add it at the bottom or top of the file, no quotes; "\n" means a new line, i.e. literally start a new line.)
Now, once you save the file, run the app and it should work without the piracy alert. Technically the job is done, because the app has been successfully cracked and it works. But if you are cracking it for a large audience, you have to automate this process. One way is adding postinst and postrm scripts, which run after a package's installation and after its removal, respectively. Another way, which is pretty much the same, is to make a "patcher". This is done by creating a file called crack.sh (or anything that ends in .sh) and saving it. The patcher itself is written as a shell script. Copy and paste this code into the file:
#!/bin/bash
#This checks if we're running as root; we can't write to the file if we're not the root user
if [[ $EUID -ne 0 ]]; then
echo "you need to run as Root user." >&2
exit 1
fi
#Now the actual text insertion
sed -i '$ a Package: com.synnyg.backupaz2' /var/lib/dpkg/status
sed -i '$ a Status: install ok installed' /var/lib/dpkg/status
sed -i '$ a Priority: standard' /var/lib/dpkg/status
sed -i '$ a Architecture: iphoneos-arm' /var/lib/dpkg/status
sed -i '$ a Version: 17' /var/lib/dpkg/status
#inform the user that the crack has been applied
echo Crack Applied
#OK, sed is a stream editor used on Unix. The command "sed -i '$ a Package: com.synnyg.backupaz2' /var/lib/dpkg/status" appends "Package: com.synnyg.backupaz2" at the bottom of the /var/lib/dpkg/status file.
#The next 4 commands do the same thing, just with different text.
#Simply put, this makes it look like we have the real BackupAZ2 package installed, the one from BigBoss, when in reality we don't.
Save this text into a file and move it to your iDevice. Then find the directory it is in, open MobileTerminal (or any other terminal emulator) on your iDevice and run "chmod +rx crack.sh" (or whatever you named the crack file). This makes the script executable. Once again, don't forget to run it as the root user, or the crack won't work.
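From the defender's side, a stanza appended by hand like the one above is easy to tell apart from a real install: dpkg always records Maintainer, Description and Installed-Size for a package it unpacked, and every such package also has a /var/lib/dpkg/info/<pkg>.list file. The following Python is an added example, not code from the tutorial or from BackupAZ2; it parses a constructed status file and flags stanzas that fail either test. The package names and the set of known .list files are assumptions.

```python
import re

# Constructed sample of /var/lib/dpkg/status: one stanza as dpkg writes it,
# then the five-line stanza the tutorial appends by hand (both constructed).
SAMPLE_STATUS = """\
Package: com.example.realtweak
Status: install ok installed
Installed-Size: 120
Maintainer: Example Dev <dev@example.invalid>
Architecture: iphoneos-arm
Version: 1.0.2
Description: Constructed example of a genuinely installed package

Package: com.synnyg.backupaz2
Status: install ok installed
Priority: standard
Architecture: iphoneos-arm
Version: 17
"""

# Fields dpkg records for every package it really unpacked.
REQUIRED_FIELDS = ("Maintainer", "Description", "Installed-Size")

def parse_status(text):
    """Split dpkg status text into one {field: value} dict per stanza."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if line.startswith((" ", "\t")):   # continuation of a multi-line field
                continue
            key, sep, value = line.partition(":")
            if sep:                            # a line without ':' (e.g. "Version 17") is ignored
                fields[key.strip()] = value.strip()
        if "Package" in fields:
            stanzas.append(fields)
    return stanzas

def find_suspect_stanzas(text, known_list_files):
    """Names of 'installed' packages missing fields dpkg always writes, or with
    no .list entry. known_list_files: assumed set of names having a .list file."""
    suspects = []
    for st in parse_status(text):
        name = st["Package"]
        if not st.get("Status", "").endswith("installed"):
            continue                           # stanza does not claim to be installed
        missing = [f for f in REQUIRED_FIELDS if f not in st]
        if missing or name not in known_list_files:
            suspects.append(name)
    return suspects
```

On a device, known_list_files would be built from the .list names in /var/lib/dpkg/info; here it is passed in so the check runs offline.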
Ok, that was like 3 hours of my life, have fun homeboys.
Edit!!! BackupAZ3 comes with a new look, but with the same holes. Enjoy.
#!/bin/bash
#This checks if we're running as root; we can't write to the file if we're not the root user
if [[ $EUID -ne 0 ]]; then
echo "you need to run as Root user." >&2
exit 1
fi
#Now the actual text insertion
sed -i '$ a Package: com.synnyg.backupaz3' /var/lib/dpkg/status
sed -i '$ a Status: install ok installed' /var/lib/dpkg/status
sed -i '$ a Priority: standard' /var/lib/dpkg/status
sed -i '$ a Architecture: iphoneos-arm' /var/lib/dpkg/status
sed -i '$ a Version: 17' /var/lib/dpkg/status
#inform the user that the crack has been applied
echo Crack Applied
#OK, sed is a stream editor used on Unix. The command "sed -i '$ a Package: com.synnyg.backupaz3' /var/lib/dpkg/status" appends "Package: com.synnyg.backupaz3" at the bottom of the /var/lib/dpkg/status file.
#The next 4 commands do the same thing, just with different text.
#Simply put, this makes it look like we have the real BackupAZ3 package installed, the one from BigBoss, when in reality we don't.