bugfix: wrong offset of cryptid

agent/tiny.js

@@ -66,10 +66,14 @@ rpc.exports = {
           fileOffset += HIGH_WATER_MARK;
           send({ event: 'trunk', fileOffset, name: relative }, p.readByteArray(remain));
           recv('ack').wait();
+
+          const zeroFilled = new ArrayBuffer(12); // cryptoff, cryptsize, cryptid
+          send({ event: 'trunk', fileOffset: info.encCmdOffset + 8, name: relative }, zeroFilled);
+          recv('ack').wait();
         }
       }
 
-      send({ event: 'end', name: relative, flagOffset: info.encCmdOffset + 16 });
+      send({ event: 'end', name: relative});
       recv('ack').wait();
     }
 

index.js

@@ -162,10 +162,6 @@ export class BagBak extends EventEmitter {
         } else if (payload.event === 'trunk') {
           await fileHandles.get(key).write(data, 0, data.byteLength, payload.fileOffset);
         } else if (payload.event === 'end') {
-          const fd = fileHandles.get(key);
-          // remove cryptid
-          const zeroFilled = Buffer.alloc(4).fill(0);
-          fd.write(zeroFilled, 0, 4, payload.flagOffset);
           await fileHandles.get(key).close();
           fileHandles.delete(key);
         }

lib/macho.js

@@ -41,6 +41,8 @@ export const MH_DYLIB = 0x6;
 export const MH_DYLINKER = 0x7;
 export const MH_BUNDLE = 0x8;
 
+const LC_ENCRYPTION_INFO_64 = 0x2c;
+
 /**
  * 
  * @param {PathLike} file 
@@ -94,8 +96,7 @@ export async function parse(file) {
     for (let offset = 0, i = 0; offset + 8 < buffer.length, i < ncmds; i++) {
       const cmd = buffer.readUInt32LE(offset);
       const cmdsize = buffer.readUInt32LE(offset + 4);
-      if (cmd === 0x2c) {
-        // LC_ENCRYPTION_INFO_64
+      if (cmd === LC_ENCRYPTION_INFO_64) {
         const cryptoff = buffer.readUInt32LE(offset + 4 * 2);
         const cryptsize = buffer.readUInt32LE(offset + 4 * 3);
         const cryptid = buffer.readUInt32LE(offset + 4 * 4);
@@ -106,7 +107,7 @@ export async function parse(file) {
           id: cryptid,
         };
 
-        result.encCmdOffset = offset;
+        result.encCmdOffset = offset + HEADER_SIZE_64;
       }
       offset += cmdsize;
     }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "bagbak",
-  "version": "3.0.9",
+  "version": "3.0.10",
   "description": "Dump iOS app from a jailbroken device, based on frida.re",
   "main": "index.js",
   "scripts": {