
Decrypt iOS Executable

Every executable delivered through the App Store (including Apple's own App Store apps) is protected with Apple's FairPlay DRM, which encrypts a section of the executable file: the region described by the encryption load command, normally covering the app's code in the __TEXT segment. FairPlay is how Apple ties a purchased application to the Apple ID and the device(s) licensed to run it. Builds installed any other way (Xcode, ad-hoc or enterprise distribution) are not FairPlay-encrypted.

If we want to analyze an encrypted binary, we must first decrypt it. Fortunately, this is easy, since iOS does it for us: when the app is launched on the device, the kernel decrypts the FairPlay section and the full binary sits in memory in its unencrypted state. Using a debugger (or an instrumentation tool), we can read those bytes out of the running process, write them over the encrypted region in the file on disk, and clear the cryptid flag so that tooling treats the image as unencrypted.

There are a few ways to obtain the decrypted binary. We can use the Frida dynamic instrumentation framework (frida-ios-dump). There are also on-device options such as Clutch, depending on the iOS version. Lastly, if those options do not work, or you cannot actually launch the app normally, we can decrypt the file manually using the offsets from the Mach-O header.

Mach-O Encryption Header

In the Mach-O binary, the encryption information is stored in the LC_ENCRYPTION_INFO_64 load command (LC_ENCRYPTION_INFO for 32-bit images). We can use the otool utility to print it:

iPhone7-JB:~ root# otool -l $BINARY | grep -A 5 LC_ENC
cmd LC_ENCRYPTION_INFO_64
cmdsize 24
cryptoff 49152
cryptsize 4096
cryptid 1
pad 0

Relevant fields of the load command:

Field       Description
cryptid     Whether the region is encrypted: 0 = not encrypted, 1 = encrypted
cryptsize   Size of the encrypted region in bytes (4096 in this case)
cryptoff    File offset at which the encrypted region starts (49152 in this case)

The cryptid value is the most important at this point, since it tells us whether the binary needs to be decrypted at all. The remaining fields only matter when we decrypt manually, because they tell us exactly which bytes in the file to replace.
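The following script is an added example, not code from the original page or from any of the tools it describes. It reads the encryption load command the same way otool does (walking the Mach-O load commands, with fat/universal files handled slice by slice) and applies the manual decryption step described above: it overwrites the encrypted region with bytes you have dumped from the running process and clears cryptid. The sample image it builds is constructed here so the script runs offline; it is only a header plus filler, not a real App Store binary, and the 0x41 "plaintext" stands in for bytes you would read at ASLR slide + cryptoff with a debugger.

```python
#!/usr/bin/env python3
"""Added example: parse LC_ENCRYPTION_INFO(_64) and apply the manual
decryption patch (overwrite the encrypted region, clear cryptid)."""
import struct
from typing import Iterator, Optional, Tuple

MH_MAGIC = 0xFEEDFACE             # 32-bit Mach-O, little-endian
MH_MAGIC_64 = 0xFEEDFACF          # 64-bit Mach-O, little-endian
FAT_MAGIC = 0xCAFEBABE            # universal (fat) wrapper, big-endian
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C


def slices(data: bytes) -> Iterator[Tuple[int, int]]:
    """Yield (offset, size) for every architecture slice in the file.
    A thin Mach-O is a single slice at offset 0."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat_arch = struct.unpack_from(">I", data, 4)[0]
        for i in range(nfat_arch):
            # struct fat_arch: cputype, cpusubtype, offset, size, align (big-endian)
            _cpu, _sub, off, size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
            yield off, size
    else:
        yield 0, len(data)


def find_encryption_info(data: bytes, base: int = 0) -> Optional[dict]:
    """Walk the load commands of the thin image at `base` and return the
    encryption_info_command fields (cryptoff made absolute), or None."""
    magic = struct.unpack_from("<I", data, base)[0]
    if magic == MH_MAGIC_64:
        header_size = 32              # mach_header_64 has an extra `reserved` word
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("no little-endian Mach-O header at offset 0x%x" % base)
    ncmds = struct.unpack_from("<I", data, base + 16)[0]
    off = base + header_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            return {"lc_offset": off, "cmd": cmd, "cryptoff": base + cryptoff,
                    "cryptsize": cryptsize, "cryptid": cryptid}
        off += cmdsize
    return None


def patch_decrypted(data: bytes, decrypted: bytes, base: int = 0) -> bytes:
    """Return a copy of `data` where the encrypted region of the slice at `base`
    is replaced by `decrypted` (the bytes read from the live process) and
    cryptid is cleared. Refuses to patch if the size does not match cryptsize."""
    info = find_encryption_info(data, base)
    if info is None or info["cryptid"] == 0:
        raise ValueError("slice is not FairPlay-encrypted; nothing to patch")
    if len(decrypted) != info["cryptsize"]:
        raise ValueError("expected %d bytes, got %d" % (info["cryptsize"], len(decrypted)))
    buf = bytearray(data)
    buf[info["cryptoff"]:info["cryptoff"] + info["cryptsize"]] = decrypted
    # cryptid is the fifth 32-bit word: cmd, cmdsize, cryptoff, cryptsize, cryptid
    struct.pack_into("<I", buf, info["lc_offset"] + 16, 0)
    return bytes(buf)


def build_sample_image(cryptoff: int = 0x100, cryptsize: int = 0x40, cryptid: int = 1) -> bytes:
    """Constructed test input (assumption, not a real binary): a minimal arm64
    MH_EXECUTE header whose only load command is LC_ENCRYPTION_INFO_64,
    followed by 0xEE filler standing in for the FairPlay-encrypted bytes."""
    CPU_TYPE_ARM64 = 0x0100000C
    MH_EXECUTE = 2
    lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, cryptoff, cryptsize, cryptid, 0)
    hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 1, len(lc), 0, 0)
    img = hdr + lc
    img += b"\x00" * (cryptoff - len(img)) + b"\xEE" * cryptsize
    return img


if __name__ == "__main__":
    image = build_sample_image()
    for off, _size in slices(image):
        info = find_encryption_info(image, off)
        print("slice @0x%x: cryptoff=%d cryptsize=%d cryptid=%d"
              % (off, info["cryptoff"], info["cryptsize"], info["cryptid"]))
    plaintext = b"\x41" * 0x40        # stand-in for bytes dumped from memory
    fixed = patch_decrypted(image, plaintext)
    print("after patch: cryptid=%d" % find_encryption_info(fixed)["cryptid"])
```

To use it on a real dump, read the file, call find_encryption_info() on each slice, copy cryptsize bytes from the process at the module's load address plus cryptoff, and pass them to patch_decrypted() for that slice. The size check matters: if you dump too few or too many bytes you will corrupt code outside the encrypted region.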

Decrypt with Frida-ios-dump (macOS Option)

Reference: OWASP MSTG, "Using frida-ios-dump" section.

The frida-ios-dump program is a Python 3 script that uses Frida to read the decrypted binary out of the running app and then packages the application into an IPA file. The IPA file is saved locally on the Mac that runs the script.

To run the script, follow these instructions:

First, you need the app name as Frida sees it:

  • Connect the device to the macOS system
  • On the device, launch the application you want to dump
  • Run the following command to get the app name (in this example: Gopher)
% frida-ps -Ua
PID Name Identifier
---- ------ ---------------------
1112 Gopher com.forthworks.gopher

With the name of the app, we can use Frida to decrypt and pull the entire application to the macOS host as an IPA file:

cd frida-ios-dump
python3 dump.py -o gopher.ipa Gopher

For output, you can choose a directory and filename; in this example it wrote the IPA file to the current directory. The device must be unlocked and the target application must be running in the foreground. The script also copies the app bundle off the device over SSH, so the SSH user, password, host and port set at the top of dump.py must match your device (by default it expects a usbmuxd tunnel such as iproxy 2222 22).

To validate the binary is no longer encrypted, you can extract the IPA file and check the binary as shown above:

% unzip -qq -d App gopher.ipa 
% cd App/Payload/NetGopher.app
% otool -l NetGopher | grep -A 5 LC_ENC
cmd LC_ENCRYPTION_INFO_64
cmdsize 24
cryptoff 49152
cryptsize 4096
cryptid 0
pad 0

The cryptid value is now 0, which means the binary is no longer encrypted.

Decrypt with Clutch (Device Option)

The Clutch program runs on the iOS device itself. As such, the resulting IPA file is stored on the device and must be copied to your Mac manually. Clutch can be installed through the on-device package manager (Cydia or Sileo, depending on the jailbreak). Like Frida, it needs to launch the app, and it has not kept pace with every iOS release, so it may fail on newer versions.

To run the program, follow these instructions:

iPhone7-JB:~ root# Clutch -i
Installed apps:
1: Gopher Client <com.forthworks.gopher>
iPhone7-JB:~ root# Clutch -d 1
Zipping NetGopher.app
ASLR slide: 0x100b08000
Dumping <NetGopher> (arm64)
Patched cryptid (64bit segment)
Writing new checksum
DONE: /private/var/mobile/Documents/Dumped/com.forthworks.gopher-iOS13.0-(Clutch-2.0.4).ipa
Finished dumping com.forthworks.gopher in 0.6 seconds

The Clutch output shows where the IPA file is stored. You can copy it over to the macOS system for further analysis. Note that Clutch puts parentheses in the filename, which are special to the shell, so the path must be quoted or escaped.

# from macOS; the parentheses in Clutch's filename are escaped for the remote shell:
scp 'root@ios:/private/var/mobile/Documents/Dumped/com.forthworks.gopher-iOS13.0-\(Clutch-2.0.4\).ipa' .