paradiseduo / appdecrypt

appdecrypt is a tool to decrypt applications' encrypted binaries on macOS when SIP is enabled (macOS 11.3 or below)

apps are still encrypted!

ayouch opened this issue · comments

I was able to successfully use appdecrypt on my m1 mac but the output binaries are still encrypted anyway!
I used otool to check and cryptid is still 1.

basically every app I tried, here's an example:
Screen Shot 2021-09-22 at 03 08 58
Screen Shot 2021-09-22 at 03 10 07

App downloaded from the Mac App Store?

yes

I added a log for the failure reason, and now I'm trying to find out why mmap fails.

Dump /Applications/PinTok.app/Wrapper/PinTok.app/PinTok fail, because of mmap fail

it's not just this app in particular, basically all the apps I tried stay encrypted even after successfully running appdecrypt!

I dumped Kugou and DUApp successfully, but other apps fail to dump.

Post 11.2.3 you can decrypt only those apps, that had been allowed by developer (support Mac tick in Developer Portal). Maybe it is possible to use DYLD_INTERPOSE with mmap to allow decrypting of unsigned binaries? Or some sort of .sinf file generation like in Clutch?

@iVoider I'm trying to decrypt signed apps that I downloaded from the mac app store and it doesn't work anyway!

I know why some apps don't work.

> otool -l PinTok
.......
Load command 10
      cmd LC_BUILD_VERSION
  cmdsize 32
 platform 2   # Platform 2 is iOS
    minos 13.0
      sdk 14.5
   ntools 1
     tool 3
  version 650.9
.......

You can see this app's platform is 2, and platform 2 is iOS, so decrypting it on a Mac will fail.

This error corresponds to EXEC_EXIT_REASON_WRONG_PLATFORM in the kernel, and that constant is only referenced in a single function: check_for_signature:

static int
check_for_signature(proc_t p, struct image_params *imgp)
{
    …;
#if XNU_TARGET_OS_OSX
        /* Check for platform passed in spawn attr if iOS binary is being spawned */
        if (proc_platform(p) == PLATFORM_IOS) {
                struct _posix_spawnattr *psa = imgp->ip_px_sa;
                if (psa == NULL || psa->psa_platform == 0) {
                    …;
                            signature_failure_reason = os_reason_create(OS_REASON_EXEC,
                                        EXEC_EXIT_REASON_WRONG_PLATFORM);
                            error = EACCES;
                            goto done;
                } else if (psa->psa_platform != PLATFORM_IOS) {
                        /* Simulator binary spawned with wrong platform */
                        signature_failure_reason = os_reason_create(OS_REASON_EXEC,
                            EXEC_EXIT_REASON_WRONG_PLATFORM);
                        error = EACCES;
                        goto done;
                } else {
                        printf("Allowing spawn of iOS binary %s since correct platform was passed in spawn\n", p->p_name);
                }
        }
#endif /* XNU_TARGET_OS_OSX */;
}

This code is active on macOS and will execute if the platform of the to-be-executed process is PLATFORM_IOS.

Is there anything we can do about this?

commented

Sorry for bringing this up after 2 years. If I get cryptid 0 instead of 1, does it mean the executable was cracked successfully? I am trying to fix the issue with mmap.

Please also see #25.
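
Added example (not from the thread or the appdecrypt project): a Python parser for the two load-command fields the thread reads by hand with `otool -l`, namely `cryptid` from `LC_ENCRYPTION_INFO_64` and `platform` from `LC_BUILD_VERSION`. The function names and the sample header are constructed for illustration, and only thin 64-bit little-endian Mach-O files are handled.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF           # thin 64-bit Mach-O, little-endian
LC_ENCRYPTION_INFO_64 = 0x2C
LC_BUILD_VERSION = 0x32
PLATFORMS = {1: "macOS", 2: "iOS", 3: "tvOS", 4: "watchOS", 6: "Mac Catalyst", 7: "iOS Simulator"}


def inspect_macho(data: bytes) -> dict:
    """Return cryptid and build platform from a thin 64-bit Mach-O image."""
    if len(data) < 32:
        raise ValueError("too short for a mach_header_64")
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError(f"unsupported magic {magic:#x} (fat or 32-bit file?)")
    if 32 + sizeofcmds > len(data):
        raise ValueError("load commands run past end of file")
    info = {"cryptid": None, "platform": None}
    off, end = 32, 32 + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize")
        if cmd == LC_ENCRYPTION_INFO_64 and cmdsize >= 24:
            # Fields after cmd/cmdsize: cryptoff, cryptsize, cryptid, pad
            _, _, cryptid, _ = struct.unpack_from("<4I", data, off + 8)
            info["cryptid"] = cryptid
        elif cmd == LC_BUILD_VERSION and cmdsize >= 24:
            platform, minos, _, _ = struct.unpack_from("<4I", data, off + 8)
            info["platform"] = PLATFORMS.get(platform, f"unknown({platform})")
            info["minos"] = f"{minos >> 16}.{(minos >> 8) & 0xFF}"
        off += cmdsize
    return info


def build_sample(cryptid: int, platform: int) -> bytes:
    """Constructed header (not a real app): one encryption and one build-version command."""
    enc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    bld = struct.pack("<8I", LC_BUILD_VERSION, 32, platform, 0x000D0000, 0x000E0500, 1, 3, 0x028A0900)
    cmds = enc + bld
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    print(inspect_macho(build_sample(cryptid=1, platform=2)))
```

To inspect a file on disk, pass `open(path, "rb").read()` to `inspect_macho`; a fat (universal) binary is rejected with `ValueError` rather than parsed.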