Jump to content

Welcome to AppCake Forum
Register now to gain access to all of our features. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more. If you already have an account, login here - otherwise create an account for free today!
Photo

How to crack Apps on iOS 11


  • This topic is locked This topic is locked
126 replies to this topic

#41
Bontek

Bontek

    Caker

  • IC Member
  • 44 posts
    • Time Online: 15h 29m 17s
  • LocationPL
I used new script but i got old issue ;(

Attached Thumbnails

  • 2BE9BB68-7579-4A6D-AE30-4A4A4BF95C45.jpeg


#42
Sacmunraga

Sacmunraga

    Pro Caker

  • IC Member
  • 292 posts
    • Time Online: 6d 3h 49m 3s
  • iDevices Owned:iPad Mini with Retina, iMac, iHave a PC

@Bontek, I updated the ghostbin code, I will try TuneIn again. This error occurs because the $EXECUTABLE variable wasn't/isn't a string, making it try to zip up "Radio", but not "Radio Pro.app". Try again and tell me the results.

 

EDIT: Okay, I tried two apps this time, TuneIn Radio and a Tones.app and they both worked after cracking with sacmunCrack, so It *should* work for you hopefully.



#43
Bontek

Bontek

    Caker

  • IC Member
  • 44 posts
    • Time Online: 15h 29m 17s
  • LocationPL
Is this one correct?

https://ghostbin.com/paste/fw9ky

#44
Sacmunraga

Sacmunraga

    Pro Caker

  • IC Member
  • 292 posts
    • Time Online: 6d 3h 49m 3s
  • iDevices Owned:iPad Mini with Retina, iMac, iHave a PC

@Bontek, NO! Use this one: https://ghostbin.com/paste/znzvp

 

FFS SMH TBH FML KMN



#45
Bontek

Bontek

    Caker

  • IC Member
  • 44 posts
    • Time Online: 15h 29m 17s
  • LocationPL

@Bontek, NO! Use this one: https://ghostbin.com/paste/znzvp

FFS SMH TBH FML KMN

WOW !!!!! NOW IS WORKING PERFECT thanx bro :)))

Well patched and re-packed.....installed without problem and starting no crash....
So its time that i could now play my loved GRID :) heheh

Thanx again SACMUNRAGA - I CAN CONFIRM : YES - THIS CRACK IS WORKING FINE!!!!

Attached Thumbnails

  • 4836F345-141A-4ECF-AAB0-5233F3A2A496.jpeg

  • Sacmunraga likes this

#46
user_hidden

user_hidden

    Forum Admin

  • Admin
  • 10,534 posts
    • Time Online: 262d 9h 10m 4s
  • iDevices Owned:iPod Classic, iPod Touch 4, iPhone 4, iPhone SE, iPhone 6, iPhone 8, iPad Mini, iPad Mini 2, iPad 1, iPad 2, iPad 5, MacBook Air, iHave a PC
  • Most used iOS:iOS 5, iOS 6, iOS 7, iOS 8, iOS 9, iOS 10, iOS 11, iOS 12
/private/var/mobile$ bash bfinject -P XXXXX -L decrypt
[+] Electra detected.
[+] Injecting into '/var/containers/Bundle/Application/9EDDE92B-07DA-4F5D-85AD-6780D38DE83A/XXXXX.app/XXXXX'
[+] Getting Team ID from target application...
[+] Thinning dylib into non-fat arm64 image
[+] Signing injectable .dylib with Team ID 1234567 and platform entitlements...
[bfinject4realz] Calling task_for_pid() for PID 361.
[bfinject4realz] Calling thread_create() on PID 361
[bfinject4realz] Looking for ROP gadget... found at 0x1853274e0
[bfinject4realz] Fake stack frame at 0x108a6c000
[bfinject4realz] Calling _pthread_set_self() at 0x185567804...
[bfinject4realz] Returned from '_pthread_set_self'
[bfinject4realz] Calling dlopen() at 0x185327460...
[bfinject4realz] Returned from 'dlopen'
[bfinject4realz] Success! Library was loaded at 0x1c41f8a00
[+] Decrypting App on Device ...
[+] This may take up to a minute to finish, please wait ...
[*] Moving the Decrypted IPA ...
decrypted-app.ipa
[+] If you see decrypted-app.ipa above we are almost done ...
[+] Attempting to unzip .ipa
[+] Adding cracker credentials to the App
[+] Attempting to sign XXXXX with LDID
[+] Attempting to zip and rebuild the .ipa
[+] Signing completed successfully
[+] Generated signed .ipa in /var/mobile/Cracked/XXXXX.ipa
[*] Done, make sure to test the app


#47
Sacmunraga

Sacmunraga

    Pro Caker

  • IC Member
  • 292 posts
    • Time Online: 6d 3h 49m 3s
  • iDevices Owned:iPad Mini with Retina, iMac, iHave a PC

@user_hidden nice. Did you do some modding to the script?



#48
user_hidden

user_hidden

    Forum Admin

  • Admin
  • 10,534 posts
    • Time Online: 262d 9h 10m 4s
  • iDevices Owned:iPod Classic, iPod Touch 4, iPhone 4, iPhone SE, iPhone 6, iPhone 8, iPad Mini, iPad Mini 2, iPad 1, iPad 2, iPad 5, MacBook Air, iHave a PC
  • Most used iOS:iOS 5, iOS 6, iOS 7, iOS 8, iOS 9, iOS 10, iOS 11, iOS 12

@user_hidden nice. Did you do some modding to the script?


if i was part of github i'd push changes to your script :)

send me over a PM, i should be back later today
  • quangcaofgs likes this

#49
Ciappolandia

Ciappolandia

    Caker

  • IC Member
  • 33 posts
    • Time Online: 10h 1m 45s

I'm not able to access the ghostbin link, can you paste the shell somewhere else?

 

I'm trying to use bfinfect with 7wonders.app. The app is installed in the device, but when I run it, it crashed, so the ps command doesn't find it into the active processes.

 

So I modified the shell bfinfect to allow -D parameter to find the app path into the device, like that:

#!/jb/bin/bash

CYCRIPT_PORT=1337

function help {
    echo "Syntax: $0 [-p PID | -P appname | -D DirectoryName] [-l /path/to/yourdylib | -L feature]"
    echo
    echo For example:
    echo "   $0 -P Reddit.app -l /path/to/evil.dylib   # Injects evil.dylib into the Reddit app"
    echo "     or"
    echo "   $0 -p 1234 -L cycript                     # Inject Cycript into PID"
    echo "     or "
    echo "   $0 -p 4566 -l /path/to/evil.dylib         # Injects the .dylib of your choice into PID"
    echo 
    echo "Instead of specifying the PID with -p, bfinject can search for the correct PID based on the app name."
    echo "Just enter \"-P identifier\" where \"identifier\" is a string unique to your app, e.g. \"fing.app\"."
    echo
    echo Available features:
    echo "  cycript    - Inject and run Cycript"
    echo "  decrypt    - Create a decrypted copy of the target app"
    echo "  test       - Inject a simple .dylib to make an entry in the console log"
    echo "  ispy       - Inject iSpy. Browse to http://<DEVICE_IP>:31337/"
    echo
}


#
# check args
#
if [ "$1" != "-p" ] && [ "$1" != "-P" ] && [ "$1" != "-D" ]; then
    help
    exit 1
fi

if [ "$3" != "-l" -a "$3" != "-L" ]; then
    help
    exit 1
fi

if [ "$1" == "-p" ]; then
    PID=$2
elif [ "$1" == "-D" ]; then
    BINARY=`find /var/containers/Bundle/Application/ |grep "$2.app/$2"|tail -n1|cut -d'/' -f-8|cut -d'.' -f-2`
	echo "\"$BINARY\" path found!!"
else
    count=`ps axwww|grep "$2"|grep container|grep '.app'|grep -v grep |wc -l|sed 's/ //g'`
    if [ "$count" != "1" ]; then  
        echo "[!] \"$2\" was not uniquely found, please check your criteria."
        exit 1
    fi
    PID=`ps awwwx|grep "$2"|grep container|grep '.app'|grep -v grep|sed 's/^\ *//g'|cut -f1 -d\ `
    bad=1
    case "$PID" in
        ''|*[!0-9]*) bad=1 ;;
        *) bad=0 ;;
    esac
    if [ "$bad" != "0" ]; then
        echo "[!] Process not found for string \"$3\""
        exit 1
    fi
fi

declare -a DYLIBS

if [ "$3" == "-l" ]; then
    FEATURE=""
    DYLIBS=("$4")
else
    FEATURE="$4"

    case "$FEATURE" in
        cycript)
            DYLIBS=(dylibs/cycript.dylib dylibs/cycript-runner.dylib)
            ;;
        
        decrypt)
            DYLIBS=(dylibs/bfdecrypt.dylib)
            ;;

        test)
            DYLIBS=(dylibs/simple.dylib)
            ;;
        ispy)
            DYLIBS=(dylibs/iSpy.dylib)
            ;;
        iSpy)
            DYLIBS=(dylibs/iSpy.dylib)
            ;;
        default)
            help
            exit 1
            ;;
    esac
fi


#
# Be a good netizen and tidy up your litter
#
function clean_up {
    if [ -d "$DYLIB_DIR" ] && [ "$DYLIB_DIR" != "/System/Library/Frameworks" ]; then
        rm -rf "$DYLIB_DIR" >/dev/null 2>&1
    fi
    rm -f "$RANDOM_NAME" > /dev/null 2>&1
    rm -f /electra/usr/local/bin/bfinject4realz > /dev/null 2>&1
    rm -f /electra/usr/local/bin/jtool.liberios > /dev/null 2>&1
}


#
# Entitlements for dylib injection and for our injector binary.
#
if [ ! -f entitlements.xml ]; then
    cat > entitlements.xml << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>platform-application</key>
        <true/>
        <key>get-task-allow</key>
        <true/>
        <key>task_for_pid-allow</key>
        <true/>
        <key>com.apple.system-task-ports</key>
        <true/>
    </dict>
</plist>
EOF
fi


#
# Detect LiberiOS vs Electra
#
if [ -f /electra/inject_criticald ]; then
    # This is Electra >= 1.0.2
    echo "[+] Electra detected."
    mkdir -p /electra/usr/local/bin
    cp jtool.liberios /electra/usr/local/bin/
    chmod +x /electra/usr/local/bin/jtool.liberios
    JTOOL=/electra/usr/local/bin/jtool.liberios
    cp bfinject4realz /electra/usr/local/bin/
    INJECTOR=/electra/usr/local/bin/bfinject4realz
elif [ -f /bootstrap/inject_criticald ]; then
    # This is Electra < 1.0.2
    echo "[+] Electra detected."
    cp jtool.liberios /bootstrap/usr/local/bin/
    chmod +x /bootstrap/usr/local/bin/jtool.liberios
    JTOOL=/bootstrap/usr/local/bin/jtool.liberios
    cp bfinject4realz /bootstrap/usr/local/bin/
    INJECTOR=/bootstrap/usr/local/bin/bfinject4realz
elif [ -f /jb/usr/local/bin/jtool ]; then
    # This is LiberiOS
    echo "[+] Liberios detected"
    JTOOL=jtool
    INJECTOR=`pwd`/bfinject4realz
else
    echo "[!] Unknown jailbreak. Aborting."
    exit 1
fi


#
# Do the actual injection into the remote process
#
for DYLIB in ${DYLIBS[@]}; do
    if [ ! -f "$DYLIB" ]; then
        echo "$DYLIB" doesn\'t exist
        clean_up
        exit 1
    fi
    
    # Use random filenames to avoid cached binaries causing "Killed: 9" messages.
    RAND=`dd if=/dev/random bs=1 count=16 2>/dev/null | md5sum`
    RANDOM_NAME="${INJECTOR%/*}/`dd if=/dev/random bs=1 count=16 2>/dev/null | md5sum`"
    DYLIB_DIR="/System/Library/Frameworks/${RAND}.framework"
    DYLIB_PATH="$DYLIB_DIR/$RAND.dylib"

    # We'll give the injector as a random filename
    cp "$INJECTOR" "$RANDOM_NAME"
    chmod +x "$RANDOM_NAME"

    #
    # Find the full path to the target app binary
    #
	if [ "$1" != "-D" ]; then
		BINARY=`ps -o pid,command $PID|tail -n1|sed 's/^\ *//g'|cut -f2- -d\ `
	fi
    if [ "$BINARY" == "COMMAND" ]; then 
        echo "[!] ERROR: PID $PID not found."
        clean_up
        exit 1
    fi
    echo "[+] Injecting into '$BINARY'"

    #
    # Get the Team ID that signed the target app's binary.
    # We need this so we can re-sign the injected .dylib to fool the kernel
    # into assuming the .dylib is part of the injectee bundle.
    # This allows is to map the .dylib into the target's process space via dlopen().
    #
    echo "[+] Getting Team ID from target application..."
    TEAMID=`$JTOOL --ent "$BINARY" 2> /dev/null | grep -A1 'com.apple.developer.team-identifier' | tail -n1 |sed 's/ //g'|cut -f2 -d\>|cut -f1 -d\<`
    if [ "$TEAMID" == "" ]; then
        echo "[+] WARNING: No Team ID found. Continuing regardless, but expect weird stuff to happen."
    fi

    #
    # Move the injectee dylib to a sandbox-friendly location
    #
    mkdir "$DYLIB_DIR"
    cp "$DYLIB" "$DYLIB_PATH"

    #
    # Thin the binary so that it's not FAT and contains only an arm64 image
    echo "[+] Thinning dylib into non-fat arm64 image"
    $JTOOL -arch arm64 -e arch "$DYLIB_PATH" >/dev/null 2>&1
    if [ "$?" == "0" ]; then
        rm -f "$DYLIB_PATH"
        DYLIB_PATH="${DYLIB_PATH}.arch_arm64"
    else
        echo "[!] WARNING: Wasn't able to thin the dylib."
    fi

    #
    # Sign platform entitlements and Team ID into our dylib
    #
    echo "[+] Signing injectable .dylib with Team ID $TEAMID and platform entitlements..."
    $JTOOL --sign platform --ent entitlements.xml --inplace --teamid "$TEAMID" "$DYLIB_PATH" > /dev/null 2>&1
    if [ "$?" != "0" ]; then
        echo jtool dylib signing error. barfing.
        clean_up
        exit 1
    fi

    #
    # Sign the randomly-renamed injector binary with  platform entitlements
    #
    $JTOOL --sign platform --ent entitlements.xml --inplace "$RANDOM_NAME" >/dev/null 2>&1
    if [ "$?" != "0" ]; then
        echo jtool "$RANDOM_NAME" signing error. barfing.
        clean_up
        exit 1
    fi

    #
    # Inject!
    #
    "$RANDOM_NAME" "$PID" "$DYLIB_PATH"
done

#
# EOF
#
echo "[+] So long and thanks for all the fish."
clean_up
exit 0

but I got the following error...

"/var/containers/Bundle/Application/7DE84F56-92EF-4775-AAE2-5FEA030400DC/7wonders.app/7wonders" path found!!
[+] Electra detected.
[+] Injecting into '/var/containers/Bundle/Application/7DE84F56-92EF-4775-AAE2-5FEA030400DC/7wonders.app/7wonders'
[+] Getting Team ID from target application...
[+] WARNING: No Team ID found. Continuing regardless, but expect weird stuff to happen.
[+] Thinning dylib into non-fat arm64 image
[+] Signing injectable .dylib with Team ID  and platform entitlements...
[bfinject4realz] Calling task_for_pid() for PID 0.
[bfinject4realz] ERROR: task_for_pid() failed with message (os/kern) failure!
[+] So long and thanks for all the fish.

What shall I do?



#50
user_hidden

user_hidden

    Forum Admin

  • Admin
  • 10,534 posts
    • Time Online: 262d 9h 10m 4s
  • iDevices Owned:iPod Classic, iPod Touch 4, iPhone 4, iPhone SE, iPhone 6, iPhone 8, iPad Mini, iPad Mini 2, iPad 1, iPad 2, iPad 5, MacBook Air, iHave a PC
  • Most used iOS:iOS 5, iOS 6, iOS 7, iOS 8, iOS 9, iOS 10, iOS 11, iOS 12

What shall I do?



app has to be able to run on device while cracking.
if the stock app crashes you obviously have a problem

#51
Ghay

Ghay

    .

  • IC Uploader
  • 21,936 posts
    • Time Online: 106d 13h 39m 20s
  • iDevices Owned:iPhone 6, iPhone 6+, iPhone 7, iPhone 7+, iPad Air, iPad Air 2, Apple Watch, iHave a PC

yep ghostbin link does not work



#52
user_hidden

user_hidden

    Forum Admin

  • Admin
  • 10,534 posts
    • Time Online: 262d 9h 10m 4s
  • iDevices Owned:iPod Classic, iPod Touch 4, iPhone 4, iPhone SE, iPhone 6, iPhone 8, iPad Mini, iPad Mini 2, iPad 1, iPad 2, iPad 5, MacBook Air, iHave a PC
  • Most used iOS:iOS 5, iOS 6, iOS 7, iOS 8, iOS 9, iOS 10, iOS 11, iOS 12

yep ghostbin link does not work


just download it from github.

signer: https://github.com/Sacmunraga/signer
bfinject_mod: https://github.com/S...aga/sacmunCrack

#53
Ghay

Ghay

    .

  • IC Uploader
  • 21,936 posts
    • Time Online: 106d 13h 39m 20s
  • iDevices Owned:iPhone 6, iPhone 6+, iPhone 7, iPhone 7+, iPad Air, iPad Air 2, Apple Watch, iHave a PC

just download it from github.

signer: https://github.com/Sacmunraga/signer
bfinject_mod: https://github.com/S...aga/sacmunCrack

Not for me to long winded need a simpler faster all in one method



#54
user_hidden

user_hidden

    Forum Admin

  • Admin
  • 10,534 posts
    • Time Online: 262d 9h 10m 4s
  • iDevices Owned:iPod Classic, iPod Touch 4, iPhone 4, iPhone SE, iPhone 6, iPhone 8, iPad Mini, iPad Mini 2, iPad 1, iPad 2, iPad 5, MacBook Air, iHave a PC
  • Most used iOS:iOS 5, iOS 6, iOS 7, iOS 8, iOS 9, iOS 10, iOS 11, iOS 12

Not for me to long winded need a simpler faster all in one method


my hair has already turned grey :)

#55
Ghay

Ghay

    .

  • IC Uploader
  • 21,936 posts
    • Time Online: 106d 13h 39m 20s
  • iDevices Owned:iPhone 6, iPhone 6+, iPhone 7, iPhone 7+, iPad Air, iPad Air 2, Apple Watch, iHave a PC

Will do a lot of work for basically nothing



#56
user_hidden

user_hidden

    Forum Admin

  • Admin
  • 10,534 posts
    • Time Online: 262d 9h 10m 4s
  • iDevices Owned:iPod Classic, iPod Touch 4, iPhone 4, iPhone SE, iPhone 6, iPhone 8, iPad Mini, iPad Mini 2, iPad 1, iPad 2, iPad 5, MacBook Air, iHave a PC
  • Most used iOS:iOS 5, iOS 6, iOS 7, iOS 8, iOS 9, iOS 10, iOS 11, iOS 12

Will do a lot of work for basically nothing


you do realize it only takes a minute to crack on os11

#57
Ghay

Ghay

    .

  • IC Uploader
  • 21,936 posts
    • Time Online: 106d 13h 39m 20s
  • iDevices Owned:iPhone 6, iPhone 6+, iPhone 7, iPhone 7+, iPad Air, iPad Air 2, Apple Watch, iHave a PC

you do realize it only takes a minute to crack on os11

looking at instructions looks to long winded then many do not work anyway not worth the time and effort. Something new anti cracking in https://itunes.apple...d971858273?mt=8Feral Fury it reboots your device when trying to carck so you need to rejailbreak tried 5-6 times on ios 10.2 and ios 9.3.1 Give up on it



#58
Ciappolandia

Ciappolandia

    Caker

  • IC Member
  • 33 posts
    • Time Online: 10h 1m 45s

app has to be able to run on device while cracking.
if the stock app crashes you obviously have a problem

 

I downloaded from iPhoneCake

 

https://www.iphoneca...530090434_.html

 

I then moved the app into iPAD with putty connected via FTP and installed with appinst from Cydia. I'm using Electra 1.4 and an iPad Pro2.

 

App is installed, but after run it crashed after the initial scene. I do understand that this is because the app is not signed correctly or because it's cracked with old method, not compatible with iOS11.

 

So can't I do anything in this case?



#59
Ghay

Ghay

    .

  • IC Uploader
  • 21,936 posts
    • Time Online: 106d 13h 39m 20s
  • iDevices Owned:iPhone 6, iPhone 6+, iPhone 7, iPhone 7+, iPad Air, iPad Air 2, Apple Watch, iHave a PC

One thing for sure was cracked the old way as that cracker does not crack for ios 11 and has not cracked for a long time I know was angry about a leech ( TyToV )on this site reposting his cracks on other sites



#60
Ciappolandia

Ciappolandia

    Caker

  • IC Member
  • 33 posts
    • Time Online: 10h 1m 45s

One thing for sure was cracked the old way as that cracker does not crack for ios 11 and has not cracked for a long time I know was angry about a leech ( TyToV )on this site reposting his cracks on other sites

 

I don't understand if it's technically possible to do something or not.

 

Almost all the app I downloaded from AppCake and that worked on iOS9 with jailbreak are not usable on iOS11 with Electra and they crash when you run them, so you don't have a PID --> This procedure cannot be used.

 

Can someone explain technically why and what needs to be done?