Cracked Audio Units: Let's make it happen

Hello everybody

The issue of Audio Units within iOS apps not working is very known by now. As I've seen in other posts, there are several folks interested in this topic, coming back every now and then asking for news (VivaLaBamm, I'm looking at you). To them I wanna say, you can do more than you are doin right now! Without a doubt, together we can make it happen.

It is clear you don't need to know about the technical stuff in order to contribute. If you really don't have a clue, contact to someone that shed some light on the subject, and may be willing to help us, either IRL or thru internet. If you can do a little more than the average PC user, just like me, search for information and share it.

Having said that, I'll tell you about what can be the starting point. A little story: I was interested in trying out a pricey EQ plugin for Cubasis, and proceeded to download the cracked .ipa file. The app was installed successfully using Filza, but when I finally opened it, app never finished loading. It turned out it was just a container for the plugin, which wasn’t obviously decrypted properly. So I spend around half an hour searching for a solution somewhere in the internet, there was little discussion about it other than posts in this forum.

Then I realized I had to take a step back and understand how iOS apps and their corresponding Audio Units work.

After extracting files of the cracked .ipa I observed AUv3 was inside a folder named Plugins, and with an extension .appex, and inside that file there was another _CodeSignature folder, another binary and other identical files as the main app. It just seemed to be clear the plugin was also signed, but proof was needed indeed.

Apple Developer documentation (https://developer.ap...tyPG/index.html) teaches us that AUs are just a kind of something called App Extensions: code that “lets you extend custom functionality and content beyond your app”. An app extension is also a “separate binary that runs independent of the app used to deliver it”. The link provided explains in a detailed way how these plugins behave and how they interact with the host app, I recommend you to check it out.

Medium.com, an excellent technical guide for programming and stuff, has a great summary about it (https://everisus.med...le-f340fe074efd).

Now we can see, looking up not “how to crack iOS apps with Audio Units” but “how to crack iOS apps with app extensions” is the way to do it. And that’s how I came across with this jewel:

https://web.archive....s-applications/

This is a comprehensive guide for security researchers on how to resign apps that contain not only frameworks but also app extensions and even Watchkit apps.

In the following days I’m replicating the guide’s examples and doing a little bit of testing, I’m hoping you to do the same thing.

Thank you for reading til here, and hope to read from you soon!

My very best

Victor M.

MachO binary (executable)

frameworks

plugins/extensions

are all decrypted with CrackerXI

Update:

Okay, in order to do some testing, I decided to use Zero Reverb which is free on the App Store (app size is small as well), and tried a few methods to decrypt the plugin inside of it, but none of them seemed to make a difference. I’d like to remark that I’m not an expert on the subject and couldn’t do much because of that.

Also I do confirm, as Auxy posted long before, that if binary of app extension is replaced in the cracked app with the one of the App Store downloaded app, it will work (obviously only in your own device). This made me think at first the problem was a unproperly decrypted binary or something related to it.

Furthermore, Audio Units may be not the only plugins that are failing to load, as I tested a cracked version of Chrome app and share extension doesn’t pop up when calling it from Safari. It seems to me its a problem for all app extensions.

Let’s keep in mind that app extensions do have their own signing, and do not depend on containing apps at all when called by a host app.

After some days of research and learning the basics of this, I believe these are be some of the possibilities and their solutions:

 1. (Probably the least likely): App extensions binaries are not decrypted properly using CrackerXL. Hopefully a fix is all that is needed. Many tutorials emphasize on signing first the app extensions (and child before parent) before the main app.

 2. The way host apps and app extensions communicate is important, and code needs to be reviewed. Perhaps, code of the host app is written to decrypt the app extension, and therefore binary can be “fake-encrypted” or encrypted in a way it always returns true. Others solutions may include cracking the host app in order not to do this binary decrypting stuff.

 3. (I believe this could be the winner): System functions are involved whenever a host app calls an app extension. If you take a look to what Appsync Unified does: https://github.com/akemin-dayo/AppSync#im-a-developer--do-you-have-a-rough-high-level-explanation-as-to-how-this-all-works, not only this library injects code into install functions in order to pass along proper signing information, but also each time an app is opened it forces methods to make believe the system app is valid and hasn’t expired yet. Therefore, an additional library may be needed, one that hooks to this system proccesses and allows to load any app extension, just like Appsync but for app extensions processes.

Thank you user_hidden for clarifying that CrackerXL does decrypt entire app, and hopefully, as app extensions are already decrypted, this kind of library is what is needed to open any of them.

I know this forum isn’t as active as the old days but if you read this, feel free to leave a comment. I’ll be answering you.

See ya later

Víctor M.

Very interesting info

Great research work ! 

for me, the only app working as audio unit is zeeon 1.52 (if installed with filza)

maybe part of the answer is there

Edited by bresk, 12 May 2021 - 02:01 AM.

Hi again

thank you jaybe, bresk, mentoool for leaving a comment

just tested Zeeon 1.54 cracked ipa (IC.com), didn’t open, but auv3 didn’t show up in my DAW cubasis LE 3 neither (strange). I’m on iOS 14.5.1

@ mentoool can you share cracked 1.52 version with us? It has been deleted from servers by now

Changelog for Zeeon app states that 1.54 version fixes an issue with AUDIOUNIT STATE LOADING ON IOS 14, @ mentoool can you try installing this version and telling us how did you do? I’m suspecting there was a security implementation for app extensions in iOS 14(?)

Take care

Victor M

1.54 didn't work for me (in both standalone and au3 mode)

here's 1.52

https://mega.nz/file...1YkFBXW2k3WIsDg

Hi victormtz, I will look to you too 

You did right well, hope that someone of our "Crackers" can use ur information to find a solution ...

pushing all my thumbs for it 

1.54 didn't work for me (in both standalone and au3 mode)

 

here's 1.52

 

https://mega.nz/file...1YkFBXW2k3WIsDg

same, 1.52 does not open

nevermind, working