
How to crack Apps on iOS 11


This topic is locked.
126 replies to this topic

#41
Bontek (Caker, IC Member, 48 posts, Location: PL)
I used the new script but I got the old issue ;(

(attached screenshot)


#42
Sacmunraga (Pro Caker, IC Member, 295 posts)

@Bontek, I updated the ghostbin code, I will try TuneIn again. This error occurs because the $EXECUTABLE variable wasn't/isn't a string, making it try to zip up "Radio", but not "Radio Pro.app". Try again and tell me the results.

EDIT: Okay, I tried two apps this time, TuneIn Radio and a Tones.app and they both worked after cracking with sacmunCrack, so it *should* work for you hopefully.
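The quoting failure described in this post, reproduced as an added example. This is not the sacmunCrack script or bfinject; the "Radio Pro.app" bundle, the Payload/ layout and the temp directory are constructed for the demo. It shows why an unquoted `$APP`/`$EXECUTABLE` makes the tool look for a file called "Radio", and the quoted form that fixes it.

```shell
#!/bin/sh
# Added example, not code from sacmunCrack or bfinject. It reproduces the
# failure described above: a bundle name with a space, "Radio Pro.app", is
# expanded unquoted, so the shell hands the tool "Radio" and "Pro.app" as two
# separate arguments instead of one path.

# Constructed sample layout in a temp dir; no real app is involved.
make_sample_payload() {
    dir=$(mktemp -d)
    mkdir -p "$dir/Payload/Radio Pro.app"
    printf 'not a real Mach-O\n' > "$dir/Payload/Radio Pro.app/Radio Pro"
    echo "$dir"
}

# How many arguments an expansion produces: unquoted splits on whitespace,
# quoted is always exactly one argument.
words_unquoted() { set -- $1; echo $#; }
words_quoted()   { set -- "$1"; echo $#; }

# Buggy form: APP and EXECUTABLE are expanded without quotes. `ls` receives
# "Payload/Radio", "Pro.app/Radio" and "Pro" as three arguments and fails on
# all of them, which is the "tries to zip up Radio" symptom.
check_executable_unquoted() {
    workdir=$1
    APP="Radio Pro.app"
    EXECUTABLE="Radio Pro"
    ( cd "$workdir" && ls Payload/$APP/$EXECUTABLE >/dev/null 2>&1 )
}

# Fixed form: every expansion that can contain whitespace is double-quoted,
# so the whole path travels as one argument and the binary is found.
check_executable_quoted() {
    workdir=$1
    APP="Radio Pro.app"
    EXECUTABLE="Radio Pro"
    ( cd "$workdir" && ls "Payload/$APP/$EXECUTABLE" >/dev/null 2>&1 )
}
```

To see the difference, source the file and run `d=$(make_sample_payload); check_executable_unquoted "$d"; echo $?; check_executable_quoted "$d"; echo $?`: the first returns a failure status, the second succeeds. The same rule applies to the zip step that rebuilds the .ipa: the bundle directory name must be quoted or zip archives the wrong path.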



#43
Bontek (Caker, IC Member, 48 posts, Location: PL)
Is this one correct?

https://ghostbin.com/paste/fw9ky

#44
Sacmunraga (Pro Caker, IC Member, 295 posts)

@Bontek, NO! Use this one: https://ghostbin.com/paste/znzvp

 

FFS SMH TBH FML KMN



#45
Bontek (Caker, IC Member, 48 posts, Location: PL)

> @Bontek, NO! Use this one: https://ghostbin.com/paste/znzvp
> FFS SMH TBH FML KMN

WOW!!!!! NOW IT IS WORKING PERFECTLY, thanks bro :)))

Well patched and re-packed... installed without problem and starts with no crash...
So it's time I could now play my beloved GRID :) heheh

Thanks again SACMUNRAGA - I CAN CONFIRM: YES, THIS CRACK IS WORKING FINE!!!!

(attached screenshot)

#46
user_hidden (Forum Admin, Admin, 67,441 posts)
/private/var/mobile$ bash bfinject -P XXXXX -L decrypt
[+] Electra detected.
[+] Injecting into '/var/containers/Bundle/Application/9EDDE92B-07DA-4F5D-85AD-6780D38DE83A/XXXXX.app/XXXXX'
[+] Getting Team ID from target application...
[+] Thinning dylib into non-fat arm64 image
[+] Signing injectable .dylib with Team ID 1234567 and platform entitlements...
[bfinject4realz] Calling task_for_pid() for PID 361.
[bfinject4realz] Calling thread_create() on PID 361
[bfinject4realz] Looking for ROP gadget... found at 0x1853274e0
[bfinject4realz] Fake stack frame at 0x108a6c000
[bfinject4realz] Calling _pthread_set_self() at 0x185567804...
[bfinject4realz] Returned from '_pthread_set_self'
[bfinject4realz] Calling dlopen() at 0x185327460...
[bfinject4realz] Returned from 'dlopen'
[bfinject4realz] Success! Library was loaded at 0x1c41f8a00
[+] Decrypting App on Device ...
[+] This may take up to a minute to finish, please wait ...
[*] Moving the Decrypted IPA ...
decrypted-app.ipa
[+] If you see decrypted-app.ipa above we are almost done ...
[+] Attempting to unzip .ipa
[+] Adding cracker credentials to the App
[+] Attempting to sign XXXXX with LDID
[+] Attempting to zip and rebuild the .ipa
[+] Signing completed successfully
[+] Generated signed .ipa in /var/mobile/Cracked/XXXXX.ipa
[*] Done, make sure to test the app


#47
Sacmunraga (Pro Caker, IC Member, 295 posts)

@user_hidden nice. Did you do some modding to the script?



#48
user_hidden (Forum Admin, Admin, 67,441 posts)

> @user_hidden nice. Did you do some modding to the script?

If I were on GitHub I'd push changes to your script :)

Send me a PM, I should be back later today.

#49
Ciappolandia (Caker, IC Member, 35 posts)

I'm not able to access the ghostbin link, can you paste the shell script somewhere else?

I'm trying to use bfinject with 7wonders.app. The app is installed on the device, but when I run it, it crashes, so the ps command doesn't find it among the active processes.

So I modified the bfinject shell script to allow a -D parameter to find the app path on the device, like this:

#!/jb/bin/bash

CYCRIPT_PORT=1337

function help {
    echo "Syntax: $0 [-p PID | -P appname | -D DirectoryName] [-l /path/to/yourdylib | -L feature]"
    echo
    echo For example:
    echo "   $0 -P Reddit.app -l /path/to/evil.dylib   # Injects evil.dylib into the Reddit app"
    echo "     or"
    echo "   $0 -p 1234 -L cycript                     # Inject Cycript into PID"
    echo "     or "
    echo "   $0 -p 4566 -l /path/to/evil.dylib         # Injects the .dylib of your choice into PID"
    echo 
    echo "Instead of specifying the PID with -p, bfinject can search for the correct PID based on the app name."
    echo "Just enter \"-P identifier\" where \"identifier\" is a string unique to your app, e.g. \"fing.app\"."
    echo
    echo Available features:
    echo "  cycript    - Inject and run Cycript"
    echo "  decrypt    - Create a decrypted copy of the target app"
    echo "  test       - Inject a simple .dylib to make an entry in the console log"
    echo "  ispy       - Inject iSpy. Browse to http://<DEVICE_IP>:31337/"
    echo
}


#
# check args
#
if [ "$1" != "-p" ] && [ "$1" != "-P" ] && [ "$1" != "-D" ]; then
    help
    exit 1
fi

if [ "$3" != "-l" -a "$3" != "-L" ]; then
    help
    exit 1
fi

if [ "$1" == "-p" ]; then
    PID=$2
elif [ "$1" == "-D" ]; then
    # Locate the app binary from its installed bundle directory instead of a
    # running process. The match is anchored so a second '.' in the path
    # cannot truncate the result. Note that PID is not set on this path, so
    # the injector is later invoked with an empty PID.
    BINARY=$(find /var/containers/Bundle/Application/ | grep "/$2\.app/$2\$" | tail -n1)
    echo "\"$BINARY\" path found!!"
else
    count=`ps axwww|grep "$2"|grep container|grep '.app'|grep -v grep |wc -l|sed 's/ //g'`
    if [ "$count" != "1" ]; then  
        echo "[!] \"$2\" was not uniquely found, please check your criteria."
        exit 1
    fi
    PID=`ps awwwx|grep "$2"|grep container|grep '.app'|grep -v grep|sed 's/^\ *//g'|cut -f1 -d\ `
    bad=1
    case "$PID" in
        ''|*[!0-9]*) bad=1 ;;
        *) bad=0 ;;
    esac
    if [ "$bad" != "0" ]; then
        echo "[!] Process not found for string \"$2\""
        exit 1
    fi
fi

declare -a DYLIBS

if [ "$3" == "-l" ]; then
    FEATURE=""
    DYLIBS=("$4")
else
    FEATURE="$4"

    case "$FEATURE" in
        cycript)
            DYLIBS=(dylibs/cycript.dylib dylibs/cycript-runner.dylib)
            ;;
        
        decrypt)
            DYLIBS=(dylibs/bfdecrypt.dylib)
            ;;

        test)
            DYLIBS=(dylibs/simple.dylib)
            ;;
        ispy)
            DYLIBS=(dylibs/iSpy.dylib)
            ;;
        iSpy)
            DYLIBS=(dylibs/iSpy.dylib)
            ;;
        *)
            help
            exit 1
            ;;
    esac
fi


#
# Be a good netizen and tidy up your litter
#
function clean_up {
    if [ -d "$DYLIB_DIR" ] && [ "$DYLIB_DIR" != "/System/Library/Frameworks" ]; then
        rm -rf "$DYLIB_DIR" >/dev/null 2>&1
    fi
    rm -f "$RANDOM_NAME" > /dev/null 2>&1
    rm -f /electra/usr/local/bin/bfinject4realz > /dev/null 2>&1
    rm -f /electra/usr/local/bin/jtool.liberios > /dev/null 2>&1
}


#
# Entitlements for dylib injection and for our injector binary.
#
if [ ! -f entitlements.xml ]; then
    cat > entitlements.xml << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>platform-application</key>
        <true/>
        <key>get-task-allow</key>
        <true/>
        <key>task_for_pid-allow</key>
        <true/>
        <key>com.apple.system-task-ports</key>
        <true/>
    </dict>
</plist>
EOF
fi


#
# Detect LiberiOS vs Electra
#
if [ -f /electra/inject_criticald ]; then
    # This is Electra >= 1.0.2
    echo "[+] Electra detected."
    mkdir -p /electra/usr/local/bin
    cp jtool.liberios /electra/usr/local/bin/
    chmod +x /electra/usr/local/bin/jtool.liberios
    JTOOL=/electra/usr/local/bin/jtool.liberios
    cp bfinject4realz /electra/usr/local/bin/
    INJECTOR=/electra/usr/local/bin/bfinject4realz
elif [ -f /bootstrap/inject_criticald ]; then
    # This is Electra < 1.0.2
    echo "[+] Electra detected."
    cp jtool.liberios /bootstrap/usr/local/bin/
    chmod +x /bootstrap/usr/local/bin/jtool.liberios
    JTOOL=/bootstrap/usr/local/bin/jtool.liberios
    cp bfinject4realz /bootstrap/usr/local/bin/
    INJECTOR=/bootstrap/usr/local/bin/bfinject4realz
elif [ -f /jb/usr/local/bin/jtool ]; then
    # This is LiberiOS
    echo "[+] Liberios detected"
    JTOOL=jtool
    INJECTOR=`pwd`/bfinject4realz
else
    echo "[!] Unknown jailbreak. Aborting."
    exit 1
fi


#
# Do the actual injection into the remote process
#
for DYLIB in "${DYLIBS[@]}"; do
    if [ ! -f "$DYLIB" ]; then
        echo "[!] $DYLIB doesn't exist"
        clean_up
        exit 1
    fi
    
    # Use random filenames to avoid cached binaries causing "Killed: 9" messages.
    RAND=`dd if=/dev/random bs=1 count=16 2>/dev/null | md5sum`
    RANDOM_NAME="${INJECTOR%/*}/`dd if=/dev/random bs=1 count=16 2>/dev/null | md5sum`"
    DYLIB_DIR="/System/Library/Frameworks/${RAND}.framework"
    DYLIB_PATH="$DYLIB_DIR/$RAND.dylib"

    # We'll give the injector as a random filename
    cp "$INJECTOR" "$RANDOM_NAME"
    chmod +x "$RANDOM_NAME"

    #
    # Find the full path to the target app binary
    #
    if [ "$1" != "-D" ]; then
        BINARY=`ps -o pid,command $PID|tail -n1|sed 's/^\ *//g'|cut -f2- -d\ `
    fi
    if [ "$BINARY" == "COMMAND" ]; then 
        echo "[!] ERROR: PID $PID not found."
        clean_up
        exit 1
    fi
    echo "[+] Injecting into '$BINARY'"

    #
    # Get the Team ID that signed the target app's binary.
    # We need this so we can re-sign the injected .dylib to fool the kernel
    # into assuming the .dylib is part of the injectee bundle.
    # This allows is to map the .dylib into the target's process space via dlopen().
    #
    echo "[+] Getting Team ID from target application..."
    TEAMID=`$JTOOL --ent "$BINARY" 2> /dev/null | grep -A1 'com.apple.developer.team-identifier' | tail -n1 |sed 's/ //g'|cut -f2 -d\>|cut -f1 -d\<`
    if [ "$TEAMID" == "" ]; then
        echo "[+] WARNING: No Team ID found. Continuing regardless, but expect weird stuff to happen."
    fi

    #
    # Move the injectee dylib to a sandbox-friendly location
    #
    mkdir "$DYLIB_DIR"
    cp "$DYLIB" "$DYLIB_PATH"

    #
    # Thin the binary so that it's not FAT and contains only an arm64 image
    echo "[+] Thinning dylib into non-fat arm64 image"
    $JTOOL -arch arm64 -e arch "$DYLIB_PATH" >/dev/null 2>&1
    if [ "$?" == "0" ]; then
        rm -f "$DYLIB_PATH"
        DYLIB_PATH="${DYLIB_PATH}.arch_arm64"
    else
        echo "[!] WARNING: Wasn't able to thin the dylib."
    fi

    #
    # Sign platform entitlements and Team ID into our dylib
    #
    echo "[+] Signing injectable .dylib with Team ID $TEAMID and platform entitlements..."
    $JTOOL --sign platform --ent entitlements.xml --inplace --teamid "$TEAMID" "$DYLIB_PATH" > /dev/null 2>&1
    if [ "$?" != "0" ]; then
        echo jtool dylib signing error. barfing.
        clean_up
        exit 1
    fi

    #
    # Sign the randomly-renamed injector binary with  platform entitlements
    #
    $JTOOL --sign platform --ent entitlements.xml --inplace "$RANDOM_NAME" >/dev/null 2>&1
    if [ "$?" != "0" ]; then
        echo jtool "$RANDOM_NAME" signing error. barfing.
        clean_up
        exit 1
    fi

    #
    # Inject!
    #
    "$RANDOM_NAME" "$PID" "$DYLIB_PATH"
done

#
# EOF
#
echo "[+] So long and thanks for all the fish."
clean_up
exit 0

but I got the following error...

"/var/containers/Bundle/Application/7DE84F56-92EF-4775-AAE2-5FEA030400DC/7wonders.app/7wonders" path found!!
[+] Electra detected.
[+] Injecting into '/var/containers/Bundle/Application/7DE84F56-92EF-4775-AAE2-5FEA030400DC/7wonders.app/7wonders'
[+] Getting Team ID from target application...
[+] WARNING: No Team ID found. Continuing regardless, but expect weird stuff to happen.
[+] Thinning dylib into non-fat arm64 image
[+] Signing injectable .dylib with Team ID  and platform entitlements...
[bfinject4realz] Calling task_for_pid() for PID 0.
[bfinject4realz] ERROR: task_for_pid() failed with message (os/kern) failure!
[+] So long and thanks for all the fish.

What shall I do?



#50
user_hidden (Forum Admin, Admin, 67,441 posts)

> What shall I do?

The app has to be able to run on the device while cracking.
If the stock app crashes you obviously have a problem.
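Ciappolandia's -D change (post #49) finds the binary on disk but never sets PID, so the injector runs with an empty PID and the log shows task_for_pid() being called for PID 0 and failing; user_hidden's answer is that the app must actually be running. The following is an added example, not the thread's modified bfinject script, that performs the same bundle lookup and then refuses to continue without a live process. To run off-device it takes the bundle root and a captured `ps` listing as arguments instead of touching the real system; the bundle names and the ps lines used for the demo are constructed.

```shell
#!/bin/sh
# Added example, not the thread's bfinject modification. It resolves an app
# binary from its installed bundle and then insists on a running process
# before any injection step, because task_for_pid() needs a live PID; with
# no PID the injector ends up calling task_for_pid(0), which fails.

# Resolve "<name>.app/<name>" under a bundle root (same idea as the -D lookup,
# but anchored so extra dots in the path cannot truncate the result).
find_app_binary() {
    root=$1
    name=$2
    find "$root" -type f 2>/dev/null | grep "/$name\.app/$name\$" | head -n1
}

# Find the PID of a running instance of the binary in a `ps awwwx`-style
# listing (first column is the PID). Prints nothing if it is not running.
pid_for_binary() {
    ps_listing=$1
    binary=$2
    printf '%s\n' "$ps_listing" | grep -F -- "$binary" | grep -v grep \
        | sed 's/^ *//' | cut -d' ' -f1 | head -n1
}

# Guard: proceed only if the app is installed AND running.
# Prints the PID and returns 0; returns 1 if not installed, 2 if not running.
resolve_target() {
    root=$1
    name=$2
    ps_listing=$3
    binary=$(find_app_binary "$root" "$name")
    if [ -z "$binary" ]; then
        echo "[!] $name.app is not installed under $root" >&2
        return 1
    fi
    pid=$(pid_for_binary "$ps_listing" "$binary")
    case "$pid" in
        ''|*[!0-9]*)
            echo "[!] $binary is installed but has no running process; launch it first" >&2
            return 2 ;;
    esac
    echo "$pid"
}

# Constructed sample: a fake bundle root with two installed apps (no real
# apps, no real container UUIDs).
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/Bundle/Application/0000-FAKE-1/7wonders.app"
    mkdir -p "$root/Bundle/Application/0000-FAKE-2/TuneIn.app"
    : > "$root/Bundle/Application/0000-FAKE-1/7wonders.app/7wonders"
    : > "$root/Bundle/Application/0000-FAKE-2/TuneIn.app/TuneIn"
    echo "$root"
}
```

On a device the call would be `resolve_target /var/containers 7wonders "$(ps awwwx)"`, and the injector should only ever be handed the PID this returns. An app that crashes on launch never produces a line in `ps`, so the guard returns 2 and nothing is injected; that is the same condition the thread reaches, just reported before task_for_pid() is reached rather than after.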

#51
Ghay (IC Uploader, 21,936 posts)

Yep, the ghostbin link does not work.



#52
user_hidden (Forum Admin, Admin, 67,441 posts)

> Yep, the ghostbin link does not work.

Just download it from GitHub.

signer: https://github.com/Sacmunraga/signer
bfinject_mod: https://github.com/S...aga/sacmunCrack

#53
Ghay (IC Uploader, 21,936 posts)

> Just download it from GitHub.
> signer: https://github.com/Sacmunraga/signer
> bfinject_mod: https://github.com/S...aga/sacmunCrack

Not for me, too long-winded; I need a simpler, faster all-in-one method.



#54
user_hidden (Forum Admin, Admin, 67,441 posts)

> Not for me, too long-winded; I need a simpler, faster all-in-one method.

My hair has already turned grey :)

#55
Ghay (IC Uploader, 21,936 posts)

Will do a lot of work for basically nothing.



#56
user_hidden (Forum Admin, Admin, 67,441 posts)

> Will do a lot of work for basically nothing.

You do realize it only takes a minute to crack on iOS 11?

#57
Ghay (IC Uploader, 21,936 posts)

> You do realize it only takes a minute to crack on iOS 11?

Looking at the instructions, it looks too long-winded, and then many do not work anyway, so it's not worth the time and effort. Something new, anti-cracking, in https://itunes.apple...d971858273?mt=8 (Feral Fury): it reboots your device when trying to crack, so you need to re-jailbreak. Tried 5-6 times on iOS 10.2 and iOS 9.3.1. Gave up on it.



#58
Ciappolandia (Caker, IC Member, 35 posts)

> The app has to be able to run on the device while cracking.
> If the stock app crashes you obviously have a problem.

I downloaded from iPhoneCake

https://www.iphoneca...530090434_.html

I then moved the app onto the iPad with PuTTY connected via FTP and installed it with appinst from Cydia. I'm using Electra 1.4 and an iPad Pro 2.

The app is installed, but when run it crashes after the initial scene. I understand that this is because the app is not signed correctly or because it was cracked with the old method, which is not compatible with iOS 11.

So can't I do anything in this case?



#59
Ghay (IC Uploader, 21,936 posts)

One thing for sure: it was cracked the old way, as that cracker does not crack for iOS 11 and has not cracked for a long time. I know he was angry about a leech (TyToV) on this site reposting his cracks on other sites.



#60
Ciappolandia (Caker, IC Member, 35 posts)

> One thing for sure: it was cracked the old way, as that cracker does not crack for iOS 11 and has not cracked for a long time. I know he was angry about a leech (TyToV) on this site reposting his cracks on other sites.

I don't understand if it's technically possible to do something or not.

Almost all the apps I downloaded from AppCake that worked on iOS 9 with jailbreak are not usable on iOS 11 with Electra; they crash when you run them, so you don't have a PID --> this procedure cannot be used.

Can someone explain technically why, and what needs to be done?