11

I've been reading this PDF on reverse-engineering iOS applications and have reached slide 39, decrypting the binary. However, I've been attempting to disassemble and explore the binary in OS X 10.9.5 rather than iOS, since my phone is not jailbroken and I'd prefer not to do so.

I downloaded the IPA file from the App Store by using a forward proxy running locally on my laptop to intercept the download request on my iPhone and replicate it on my laptop. From there I followed these directions to extract the encrypted binary from the IPA file, and used the directions from the PDF file to check whether it was encrypted. I confirmed that it was encrypted because the output from otool was:

Load command 11
          cmd LC_ENCRYPTION_INFO
      cmdsize 20
    cryptoff  8192
    cryptsize 15187968
    cryptid   1

Is there a way to decrypt the DRM using only my Apple computer?

Patrick Roberts
  • 269
  • 1
  • 2
  • 10

2 Answers2

11

Currently you can't decrypt iOS apps without a device. The encryption keys are ultimately protected by an unknown key which is burned into the processor and cannot be extracted using software, that's why no "offline" decryption app has been made.

Igor Skochinsky
  • 36,553
  • 7
  • 65
  • 115
1

Use dumpdecrypted or clutch:

https://github.com/KJCracks/Clutch

https://github.com/stefanesser/dumpdecrypted.git

You could install Clutch on your OS/X, but not sure if you will need a valid Apple developer license to compile for iphone with XCODE. I found much easier to install it through Cydia in a jailbroken device(just look for it in Cydia packet manager and install it).

In relation to dumpdecrypted, you will need to compile it in your OS/X with XCODE command line tools (and IOS SDK included with XCODE). With XCODE, just do a make and it should compile, no modification needs to be done to makefile. Once compiled, you could upload it to your jailbroken device through ssh:

# scp dumpdecrypted.dylib root@192.168.0.192:/Library/

An inject it into the application/process to be decrypted:

# DYLD_INSERT_LIBRARIES=/Library/dumpdecrypted.dylib PATH_TO_YOUR_APP mach-o decryption dumper
evandrix
  • 125
  • 1
  • 4
davidfm
  • 41
  • 4
  • I already tried dumpdecrypted and I'm not sure how to edit the Makefile in order for it to compile on OSX. However I'm trying Clutch right now, I've installed iOSOpenDev and it compiles fine, but at runtime it attempted to access /System/Library/PrivateFrameworks/AppSupport.framework/AppSupport but that's a framework that only exists on iOS, not OSX. I downloaded https://github.com/nst/iOS-Runtime-Headers and put the framework in the directory, but it's still not loaded and I'm not sure how to load it. Can you be more detailed on getting these functional in OSX? – Patrick Roberts Jan 01 '16 at 21:20
  • I included more details about installation in my original answer – davidfm Jan 01 '16 at 22:48
  • These are directions that assume I have a jailbroken iPhone. I explicitly said in my question that I intend not to jailbreak it. If these don't work on OSX only then please delete your answer. – Patrick Roberts Jan 01 '16 at 23:55
  • 1
    AFAIK decription happens on the actual device and clutch just runs the executable under debugger, watching for main() breakpoint and dumping the decrypted executable memory. So you can't decrypt in OSX currently. We should stop using these frustrating, proprietary devices containing digital handcuffs... – k3a Jan 27 '17 at 17:47