
Palera1n, 16.2, mmap: Operation not permitted #15

Open
ZonD80 opened this issue Jan 9, 2023 · 2 comments


ZonD80 commented Jan 9, 2023

It was working (idk why tho), but after some time it stopped; a reboot does not help:

21:02:11.486183 mapping input file: /private/var/containers/Bundle/Application/305BDB97-8F66-4DB9-BDE8-5D34719E942F/agar.io.app/agar.io
21:02:11.488507 mapping output file: /private/var/containers/Bundle/Application/305BDB97-8F66-4DB9-BDE8-5D34719E942F/agar.io.app/agar.io.cracked
21:02:11.490390 copying original data of size 0x36ff9b0...
21:02:11.558694 handling 2 fat arches...
21:02:11.558736 handling fat arch 0, cpuType 0xc, cpuSubType 0x9, fileOff 0x4000, size 0x1997e60, align 0xe
21:02:11.558742 finding encryption_info segment in slide...
21:02:11.558745 found encryption_info segment at offset ce4
21:02:11.558748 decrypting encrypted data...
21:02:11.558750 Going to decrypt crypt page: off 0x4000 size 0x1464000 cryptid 1, cpuType c cpuSubType 9
21:02:11.558764 Already 16k aligned, directly go ahead :)
21:02:11.558773 -->> 16k-aligned mmaping(0x0, 0x1464000, 5, 0x2, 3, 0x8000)
mmap: Operation not permitted
21:02:11.558824 <<-- 16k-aligned mmaping(0x0, 0x1464000, 5, 0x2, 3, 0x8000) = 0xffffffffffffffff
21:02:11.558827 <<-- unprotect mremap_encrypted(0xffffffffffffffff, 0x1464000, 1, 0xc, 0x9)
mremap_encrypted: Invalid argument
21:02:11.558833 -->> unprotect mremap_encrypted(0xffffffffffffffff, 0x1464000, 1, 0xc, 0x9) = -1
21:02:11.558836 handling fat arch 1, cpuType 0x100000c, cpuSubType 0x0, fileOff 0x199c000, size 0x1d639b0, align 0xe
21:02:11.558841 finding encryption_info segment in slide...
21:02:11.558844 found encryption_info segment at offset fb8
21:02:11.558846 decrypting encrypted data...
21:02:11.558848 Going to decrypt crypt page: off 0x4000 size 0x1608000 cryptid 1, cpuType 100000c cpuSubType 0
21:02:11.558855 Already 16k aligned, directly go ahead :)
21:02:11.558857 -->> 16k-aligned mmaping(0x0, 0x1608000, 5, 0x2, 3, 0x19a0000)
21:02:11.558865 <<-- 16k-aligned mmaping(0x0, 0x1608000, 5, 0x2, 3, 0x19a0000) = 0x4b2e24000
21:02:11.558868 <<-- unprotect mremap_encrypted(0x4b2e24000, 0x1608000, 1, 0x100000c, 0x0)
21:02:11.558911 -->> unprotect mremap_encrypted(0x4b2e24000, 0x1608000, 1, 0x100000c, 0x0) = 0
21:02:11.558915 copying 0x69ec64000 to 0x4b2e24000, size 1608000
21:02:11.565635 copying enc pages, size: 0x1608000..
21:02:11.568913 cleaning up...

Tried to open the app to be cracked; it opens successfully.
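The log above locates the encryption_info load command in each fat slice and prints its cryptoff/cryptsize/cryptid before anything is mapped. The following is an added example, not code from the thread or from the decryptor being discussed: a small, bounds-checked reader for that same metadata, the kind of static check an app-vetting or tamper-detection pipeline runs to tell whether a Mach-O is still FairPlay-encrypted (cryptid 1) or has been decrypted and repackaged (cryptid 0). The constants are the public values from Apple's mach-o/loader.h and mach-o/fat.h; the sample fat binary is constructed in memory with the cpuType/cryptsize values from the log (slice offsets, sizes and the zero UUID are made up for the example) and no real file is read.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Public values from mach-o/loader.h and mach-o/fat.h. */
#define FAT_MAGIC             0xcafebabeu   /* fat header is big-endian on disk */
#define MH_MAGIC              0xfeedfaceu   /* 32-bit Mach-O (arm slice in the log) */
#define MH_MAGIC_64           0xfeedfacfu   /* 64-bit Mach-O (arm64 slice in the log) */
#define LC_ENCRYPTION_INFO    0x21u
#define LC_ENCRYPTION_INFO_64 0x2Cu
#define LC_UUID               0x1bu
#define CPU_TYPE_ARM          0x0000000cu
#define CPU_TYPE_ARM64        0x0100000cu

struct crypt_report {
    uint32_t cputype, cpusubtype, cryptoff, cryptsize, cryptid;
    int found;  /* 1 if the slice carries an LC_ENCRYPTION_INFO(_64) command */
};

static uint32_t rd32le(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint32_t rd32be(const uint8_t *p) { return (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; }
static size_t put32le(uint8_t *b, size_t o, uint32_t v) { b[o] = v; b[o+1] = v >> 8; b[o+2] = v >> 16; b[o+3] = v >> 24; return o + 4; }
static size_t put32be(uint8_t *b, size_t o, uint32_t v) { b[o] = v >> 24; b[o+1] = v >> 16; b[o+2] = v >> 8; b[o+3] = v; return o + 4; }

/* Walk the load commands of one thin slice; every offset is checked against len. */
static int inspect_thin(const uint8_t *b, size_t len, struct crypt_report *r) {
    memset(r, 0, sizeof *r);
    if (len < 28) return -1;
    uint32_t magic = rd32le(b), want, wantsize; size_t hdrsize;
    if (magic == MH_MAGIC)         { hdrsize = 28; want = LC_ENCRYPTION_INFO;    wantsize = 20; }
    else if (magic == MH_MAGIC_64) { hdrsize = 32; want = LC_ENCRYPTION_INFO_64; wantsize = 24; }
    else return -1;                                  /* not a little-endian Mach-O slice */
    if (len < hdrsize) return -1;
    r->cputype = rd32le(b + 4); r->cpusubtype = rd32le(b + 8);
    uint32_t ncmds = rd32le(b + 16), sizeofcmds = rd32le(b + 20);
    if ((uint64_t)hdrsize + sizeofcmds > len) return -1;   /* load commands run past the slice */
    size_t off = hdrsize, end = hdrsize + sizeofcmds;
    for (uint32_t i = 0; i < ncmds; i++) {
        if (off + 8 > end) return -1;
        uint32_t cmd = rd32le(b + off), cmdsize = rd32le(b + off + 4);
        if (cmdsize < 8 || (uint64_t)off + cmdsize > end) return -1;  /* malformed cmdsize */
        if (cmd == want && cmdsize >= wantsize) {        /* cryptoff, cryptsize, cryptid follow cmd/cmdsize */
            r->cryptoff = rd32le(b + off + 8); r->cryptsize = rd32le(b + off + 12);
            r->cryptid = rd32le(b + off + 16); r->found = 1;
        }
        off += cmdsize;
    }
    return 0;
}

/* Handle a fat or thin file; returns the number of reports filled, or -1 if malformed. */
int inspect_macho(const uint8_t *b, size_t len, struct crypt_report *out, size_t max) {
    if (len < 8 || max == 0) return -1;
    if (rd32be(b) != FAT_MAGIC) return inspect_thin(b, len, &out[0]) == 0 ? 1 : -1;
    uint32_t nfat = rd32be(b + 4); int n = 0;
    for (uint32_t i = 0; i < nfat && (size_t)n < max; i++) {
        size_t a = 8 + (size_t)i * 20;                  /* fat_arch: cputype, cpusubtype, offset, size, align */
        if (a + 20 > len) return -1;
        uint32_t off = rd32be(b + a + 8), size = rd32be(b + a + 12);
        if ((uint64_t)off + size > len) return -1;       /* slice does not fit in the file */
        if (inspect_thin(b + off, size, &out[n]) != 0) return -1;
        n++;
    }
    return n;
}

/* Constructed sample (not a real app): arm slice still encrypted, arm64 slice already decrypted. */
size_t build_sample(uint8_t *b) {
    memset(b, 0, 256); size_t o = 0;
    o = put32be(b, o, FAT_MAGIC); o = put32be(b, o, 2);
    o = put32be(b, o, CPU_TYPE_ARM);   o = put32be(b, o, 9); o = put32be(b, o, 64);  o = put32be(b, o, 48); o = put32be(b, o, 14);
    o = put32be(b, o, CPU_TYPE_ARM64); o = put32be(b, o, 0); o = put32be(b, o, 128); o = put32be(b, o, 80); o = put32be(b, o, 14);
    o = 64;  /* slice 0: mach_header (7 words) + LC_ENCRYPTION_INFO (cryptsize from the log, cryptid 1) */
    o = put32le(b, o, MH_MAGIC); o = put32le(b, o, CPU_TYPE_ARM); o = put32le(b, o, 9); o = put32le(b, o, 2);
    o = put32le(b, o, 1); o = put32le(b, o, 20); o = put32le(b, o, 0);
    o = put32le(b, o, LC_ENCRYPTION_INFO); o = put32le(b, o, 20); o = put32le(b, o, 0x4000); o = put32le(b, o, 0x1464000); o = put32le(b, o, 1);
    o = 128; /* slice 1: mach_header_64 (8 words) + LC_UUID filler + LC_ENCRYPTION_INFO_64 with cryptid 0 */
    o = put32le(b, o, MH_MAGIC_64); o = put32le(b, o, CPU_TYPE_ARM64); o = put32le(b, o, 0); o = put32le(b, o, 2);
    o = put32le(b, o, 2); o = put32le(b, o, 48); o = put32le(b, o, 0); o = put32le(b, o, 0);
    o = put32le(b, o, LC_UUID); o = put32le(b, o, 24); o += 16;
    o = put32le(b, o, LC_ENCRYPTION_INFO_64); o = put32le(b, o, 24); o = put32le(b, o, 0x4000); o = put32le(b, o, 0x1608000); o = put32le(b, o, 0); o = put32le(b, o, 0);
    return o;  /* 208 bytes */
}

/* Number of slices in the sample whose pages are still encrypted (cryptid == 1). */
int sample_encrypted_slices(void) {
    uint8_t buf[256]; struct crypt_report r[4];
    int n = inspect_macho(buf, build_sample(buf), r, 4), enc = 0;
    for (int i = 0; i < n; i++) if (r[i].found && r[i].cryptid == 1) enc++;
    return enc;
}

int main(void) {
    uint8_t buf[256]; struct crypt_report r[4];
    int n = inspect_macho(buf, build_sample(buf), r, 4);
    for (int i = 0; i < n; i++)
        printf("slice %d cpuType 0x%x cpuSubType 0x%x cryptoff 0x%x cryptsize 0x%x cryptid %u\n",
               i, r[i].cputype, r[i].cpusubtype, r[i].cryptoff, r[i].cryptsize, r[i].cryptid);
    return 0;
}
```

The reader deliberately refuses any slice whose load commands overrun the declared sizes rather than trusting cmdsize, because the same parser is exposed to untrusted IPAs in a vetting pipeline; a real file would be read into a buffer and passed to inspect_macho with its true length.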

ZonD80 changed the title from "Palera1n, 16.2" to "Palera1n, 16.2, mmap: Operation not permitted" on Jan 9, 2023

dlevi309 commented Sep 17, 2023

@ZonD80 I noticed coming from iOS13->iOS14 that fouldecrypt and flexdecrypt weren't working unless the encrypted app/binary were launched in some form (they need to be catalogued into memory). I wrote a simple tool that achieves this in a non-destructive and unobtrusive way; it basically dlopen's the target binary without having to launch it:

#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>

// Load each binary named on the command line with dlopen() so that dyld maps it,
// then release the handle again; the binary is never executed.
int main(int argc, char** argv) {
  for (int i = 1; i < argc; i++) {
    void* handle = dlopen(argv[i], RTLD_LAZY | RTLD_GLOBAL);
    if (!handle) {
      fprintf(stderr, "Error: %s\n", dlerror());
      continue;  // dlclose(NULL) is undefined; skip binaries that failed to load
    }
    dlclose(handle);
  }
  return 0;
}

Build this code as a separate tool and run it on the encrypted binary (linktool <path/to/encrypted_binary>). After you run it, you should be able to decrypt the target binary without mremap_encrypted failing.

@HenryQuan

@dlevi309 The same trick doesn't seem to work for app extensions. Is it due to security concerns in the latest system?
