Cracked Audio Units: Let's make it happen


4 replies to this topic

#1
victormtz (Fresh Newbie, IC Member, 9 posts)

Hello everybody

The issue of Audio Units within iOS apps not working is very well known by now. As I've seen in other posts, there are several folks interested in this topic, coming back every now and then asking for news (VivaLaBamm, I'm looking at you). To them I want to say: you can do more than you are doing right now! Without a doubt, together we can make it happen.

It is clear you don't need to know about the technical stuff in order to contribute. If you really don't have a clue, contact someone who can shed some light on the subject and may be willing to help us, either IRL or through the internet. If you can do a little more than the average PC user, just like me, search for information and share it.

Having said that, I'll tell you about what can be the starting point. A little story: I was interested in trying out a pricey EQ plugin for Cubasis, and proceeded to download the cracked .ipa file. The app was installed successfully using Filza, but when I finally opened it, the app never finished loading. It turned out it was just a container for the plugin, which obviously wasn't decrypted properly. So I spent around half an hour searching for a solution somewhere on the internet; there was little discussion about it other than posts in this forum.

Then I realized I had to take a step back and understand how iOS apps and their corresponding Audio Units work.

After extracting the files of the cracked .ipa I observed the AUv3 was inside a folder named Plugins, with the extension .appex, and inside that file there was another _CodeSignature folder, another binary and other files identical to the main app's. It seemed clear the plugin was also signed, but proof was needed indeed.

Apple Developer documentation (https://developer.ap...tyPG/index.html) teaches us that AUs are just a kind of something called App Extensions: code that "lets you extend custom functionality and content beyond your app". An app extension is also a "separate binary that runs independent of the app used to deliver it". The link provided explains in a detailed way how these plugins behave and how they interact with the host app; I recommend you check it out.

Medium.com, an excellent technical guide for programming and such, has a great summary about it (https://everisus.med...le-f340fe074efd).

Now we can see that looking up not "how to crack iOS apps with Audio Units" but "how to crack iOS apps with app extensions" is the way to do it. And that's how I came across this jewel:

https://web.archive....s-applications/

This is a comprehensive guide for security researchers on how to resign apps that contain not only frameworks but also app extensions and even WatchKit apps.

In the following days I'm replicating the guide's examples and doing a little bit of testing; I'm hoping you do the same.

Thank you for reading this far, and I hope to read from you soon!

My very best

Victor M.



#2
user_hidden (Forum Admin, 31,246 posts)

MachO binary (executable)

frameworks

plugins/extensions

are all decrypted with CrackerXI



#3
victormtz (Fresh Newbie, IC Member, 9 posts)

Update:

Okay, in order to do some testing, I decided to use Zero Reverb, which is free on the App Store (the app size is small as well), and tried a few methods to decrypt the plugin inside of it, but none of them seemed to make a difference. I'd like to remark that I'm not an expert on the subject and couldn't do much because of that.

Also I do confirm, as Auxy posted long before, that if the binary of the app extension is replaced in the cracked app with the one from the App Store downloaded app, it will work (obviously only on your own device). This made me think at first the problem was an improperly decrypted binary or something related to it.

Furthermore, Audio Units may not be the only plugins that are failing to load, as I tested a cracked version of the Chrome app and the share extension doesn't pop up when calling it from Safari. It seems to me it's a problem for all app extensions.

Let's keep in mind that app extensions do have their own signing, and do not depend on containing apps at all when called by a host app.

After some days of research and learning the basics of this, I believe these are some of the possibilities and their solutions:

 1. (Probably the least likely): App extension binaries are not decrypted properly using CrackerXI. Hopefully a fix is all that is needed. Many tutorials emphasize signing the app extensions first (and child before parent) before the main app.

 2. The way host apps and app extensions communicate is important, and the code needs to be reviewed. Perhaps the code of the host app is written to decrypt the app extension, and therefore the binary can be "fake-encrypted" or encrypted in a way that it always returns true. Other solutions may include cracking the host app in order not to do this binary decrypting stuff.

 3. (I believe this could be the winner): System functions are involved whenever a host app calls an app extension. If you take a look at what AppSync Unified does: https://github.com/akemin-dayo/AppSync#im-a-developer--do-you-have-a-rough-high-level-explanation-as-to-how-this-all-works, not only does this library inject code into install functions in order to pass along proper signing information, but also each time an app is opened it forces methods to make the system believe the app is valid and hasn't expired yet. Therefore, an additional library may be needed, one that hooks into these system processes and allows loading any app extension, just like AppSync but for app extension processes.

Thank you user_hidden for clarifying that CrackerXI does decrypt the entire app, and hopefully, as app extensions are already decrypted, this kind of library is what is needed to open any of them.

I know this forum isn't as active as in the old days, but if you read this, feel free to leave a comment. I'll be answering you.

See ya later

Víctor M.


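Two things in this thread can be checked mechanically rather than guessed at: the nested bundle layout described in post #1 (a PlugIns/*.appex carrying its own _CodeSignature, which therefore has to be signed before the bundle that contains it) and possibility 1 in post #3 (whether the extension binary was actually decrypted). The script below is an added example, not code from this thread, from CrackerXI or from the linked guide. It walks an unpacked .ipa, lists every .app, .framework and .appex innermost first (the order codesign has to be applied in when re-signing nested bundles), and reads the cryptid field of each Mach-O's LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 load command: 1 means the FairPlay-encrypted segment is still in place, 0 is what dumping tools write after decrypting. The Demo.app tree, the com.example.demo identifiers and the minimal Mach-O headers are all constructed inside the script for demonstration; nothing in it is a real app.

```python
"""Walk an unpacked .ipa, list nested code bundles innermost first, and read each
Mach-O's LC_ENCRYPTION_INFO cryptid (1 = still FairPlay-encrypted, 0 = decrypted).
Added example; the Demo.app tree built by demo() is constructed, not a real app."""
import os
import plistlib
import struct
import tempfile

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C


def thin_cryptid(data, base=0):
    """cryptid of one thin (little-endian) Mach-O slice; None if it has no LC_ENCRYPTION_INFO."""
    magic = struct.unpack_from("<I", data, base)[0]
    if magic == MH_MAGIC_64:
        hdr_len = 32                      # mach_header_64 has a trailing 'reserved' field
    elif magic == MH_MAGIC:
        hdr_len = 28
    else:
        raise ValueError("not a little-endian Mach-O at offset %#x" % base)
    ncmds, sizeofcmds = struct.unpack_from("<II", data, base + 16)
    off, end, cryptid = base + hdr_len, base + hdr_len + sizeofcmds, None
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # layout: cmd, cmdsize, cryptoff, cryptsize, cryptid[, pad]
            cryptid = struct.unpack_from("<I", data, off + 16)[0]
        off += cmdsize
    return cryptid


def mach_o_cryptids(data):
    """cryptid per architecture slice; fat (universal) files yield one entry per slice."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        # fat_arch is big-endian: cputype, cpusubtype, offset, size, align
        return [thin_cryptid(data, struct.unpack_from(">IIIII", data, 8 + 20 * i)[2]) for i in range(nfat)]
    return [thin_cryptid(data, 0)]


def inspect_bundle(bundle):
    """Identifier, presence of a _CodeSignature seal, and encryption state of one bundle's executable."""
    with open(os.path.join(bundle, "Info.plist"), "rb") as f:
        info = plistlib.load(f)
    with open(os.path.join(bundle, info["CFBundleExecutable"]), "rb") as f:
        ids = mach_o_cryptids(f.read())
    return {
        "bundle": os.path.basename(bundle),
        "identifier": info.get("CFBundleIdentifier"),
        # presence only; whether the seal still matches the files is codesign's job
        "signed": os.path.isfile(os.path.join(bundle, "_CodeSignature", "CodeResources")),
        "cryptids": ids,
        "encrypted": any(c == 1 for c in ids),
    }


def audit(app_dir):
    """Every .app/.appex/.framework under app_dir, deepest first: the order they must be re-signed in."""
    bundles = [app_dir]
    for root, dirs, _ in os.walk(app_dir):
        bundles += [os.path.join(root, d) for d in dirs if d.endswith((".app", ".appex", ".framework"))]
    bundles.sort(key=lambda p: (-p.count(os.sep), p))
    return [inspect_bundle(b) for b in bundles]


# ---- constructed sample data: minimal Mach-O headers, not runnable executables ----
def fake_macho(cryptid, bits=64):
    if bits == 64:
        lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
        return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(lc), 0, 0) + lc  # arm64 MH_EXECUTE
    lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 0x8000, cryptid)
    return struct.pack("<7I", MH_MAGIC, 12, 9, 2, 1, len(lc), 0) + lc                    # armv7 MH_EXECUTE


def fat_wrap(slices):
    archs, body, base = b"", b"", 8 + 20 * len(slices)
    for s in slices:
        archs += struct.pack(">IIIII", 12, 0, base + len(body), len(s), 14)
        body += s
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body


def write_bundle(path, exe, ident, cryptid, fat=False):
    os.makedirs(os.path.join(path, "_CodeSignature"))
    open(os.path.join(path, "_CodeSignature", "CodeResources"), "wb").close()
    with open(os.path.join(path, "Info.plist"), "wb") as f:
        plistlib.dump({"CFBundleExecutable": exe, "CFBundleIdentifier": ident}, f)
    with open(os.path.join(path, exe), "wb") as f:
        f.write(fat_wrap([fake_macho(cryptid, 32), fake_macho(cryptid)]) if fat else fake_macho(cryptid))


def demo():
    """Hypothetical Demo.app whose main binary was dumped but whose AUv3 .appex was not."""
    app = os.path.join(tempfile.mkdtemp(), "Payload", "Demo.app")
    write_bundle(app, "Demo", "com.example.demo", cryptid=0, fat=True)
    write_bundle(os.path.join(app, "Frameworks", "Shared.framework"), "Shared", "com.example.demo.shared", 0)
    write_bundle(os.path.join(app, "PlugIns", "DemoAU.appex"), "DemoAU", "com.example.demo.au", 1)
    return audit(app)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Run it as a script to see the audit of the constructed tree; to inspect a real package, unzip the .ipa and call audit() on Payload/<Name>.app. A cryptid of 1 on an .appex while the main executable shows 0 means the dump only covered the main binary, which is exactly the "container loads, plugin never appears" symptom from post #1; the same field can be read on-device with otool -l <binary> | grep -A4 LC_ENCRYPTION_INFO.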

#4
jaybe (Getting Known, IC Member, 23 posts)

Very interesting info



#5
bresk (Caker, IC Member, 34 posts)

Great research work!