- macOS 11.2.3 or below
- SIP enabled
$ gcc unfairplay.c -o unfairplay
$ ./unfairplay src dest
- Example:
sudo ./unfairplay /Applications/HogeApp.app/Contents/MacOS/HogeApp ./HogeApp.decrypted
(*) If the decryption fails, you may need to try again a few seconds after.
Decrypt FairPlay encrypted binaries on macOS when SIP-enabled.
By mapping an executable as r-x and then using mremap_encrypted on the encrypted page(s) and then writing them back out to disk, you can fully decrypt FairPlay binaries.
This was discovered independently when analyzing kernel sources, but it appears that the technique was first introduced on iOS (but now works on macOS): https://github.com/JohnCoates/flexdecrypt
This code is re-write of foulplay in apple-tools. Thanks to @meme.