Dumps decrypted mach-o files from encrypted iPhone app extensions and applications.
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
dumpdecrypted.xcodeproj Init Commit Feb 4, 2015
dumpdecrypted Init Commit Feb 4, 2015
LICENSE Initial commit Feb 4, 2015
README.md added lipo info to readme Feb 7, 2015

README.md

About

Dumps decrypted mach-o files from encrypted iPhone applications or app extensions to a file.

Usage

  1. # vim dumpdecrypted.plist
{
	Filter = {
		Bundles = ("your.bundle.id");
	};
}
  1. # cp dumpdecrypted.plist dumpdecrypted.dylib /Library/MobileSubstrate/DynamicLibraries/

  2. launch application or app extension

[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x100020b68(from 0x100020000) = b68
[+] Found encrypted data at address 00004000 of length 294912 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/39B13E69-D80E-4F8B-9635-679607634DE6/xxxxx.app/PlugIns/xxxxxx.appex/xxxxxx for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 655360 in the file
[+] Opening /var/mobile/Containers/Data/PluginKitPlugin/3D7C83EE-B249-45C1-AC8E-DFE896A1F751/Library/Caches/xxxxx for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset a0b68
[+] Closing original file
[+] Closing dump file

Check

$ otool -l xxx.decrypted | grep crypt

  cryptoff  16384
  cryptsize 294912
  cryptid   0

Optional: lipo if you'd like
$ lipo -thin armv7 xxx.decrypted -output xxx_armv7.decrypted
$ lipo -thin armv64 xxx.decrypted -output xxx_arm64.decrypted

Credit

Dumpdecrypted was orignally developed by stefanesser.