
various scripts for MISC article

1 parent f833173 commit 20cefc99edf78657e2a4bee7913f5bde1eddc440 @jan0 jan0 committed Apr 8, 2013
@@ -0,0 +1,16 @@
+SDKVER?=5.1
+ARCH?=armv7
+SDK=/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS$(SDKVER).sdk/
+CC=clang -arch $(ARCH) -isysroot $(SDK)
+CFLAGS=-Wall -O3 -I.
+LDFLAGS=-framework CoreFoundation -framework IOKit -framework Security
+LDFLAGS+= -miphoneos-version-min=4.0
+CODESIGN=codesign -s - --entitlements entitlements.plist
+
+%.dylib: %.o
+ $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^
+ $(CODESIGN) $@
+
+%: %.o
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^
+ $(CODESIGN) $@
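Review bot: The recipe lines under `%.dylib: %.o` and `%: %.o` appear indented with a single space; make only accepts a leading tab, so if the committed file really holds a space both rules fail with a "missing separator" error — this may be an artefact of the rendered page, worth confirming in the raw file. Separately, `entitlements.plist` is consumed by `$(CODESIGN)` but is not a prerequisite of either pattern rule, so editing the entitlements does not trigger a re-sign. Declaring it (`%: %.o entitlements.plist`, and likewise for the dylib rule) fixes that, with `$<` in place of `$^` on the link line so the plist is not passed to the linker.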
@@ -0,0 +1 @@
+MISC hors série 7 - Reverse iOS
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+if [ ! -f dyld-210.2.3.tar.gz ]
+then
+ curl -O http://opensource.apple.com/tarballs/dyld/dyld-210.2.3.tar.gz
+fi
+
+if [ ! -d dyld-210.2.3 ]
+then
+ tar xvf dyld-210.2.3.tar.gz
+fi
+
+patch dyld-210.2.3/launch-cache/dsc_extractor.cpp dsc_extractor.patch
+clang++ -o dsc_extractor dyld-210.2.3/launch-cache/dsc_extractor.cpp dyld-210.2.3/launch-cache/dsc_iterator.cpp
+
+#./dsc_extractor dyld_shared_cache_armv7 dylibs_folder/
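Review bot: The tarball is fetched over plain HTTP with no integrity check and the script has no `set -e`, so a failed or tampered download still flows into `tar`, `patch` and `clang++`. Add `set -e` after the shebang and verify the archive before extracting, e.g. `echo "<EXPECTED_SHA256>  dyld-210.2.3.tar.gz" | shasum -a 256 -c` with the placeholder replaced by the digest recorded when the tarball was first obtained. `patch` is also applied unconditionally, so a second run tries to re-apply it to an already-patched source tree; `patch -N` or moving the patch step inside the `if [ ! -d dyld-210.2.3 ]` block avoids that.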
@@ -0,0 +1,27 @@
+diff -r e5140bc8a3c9 launch-cache/dsc_extractor.cpp
+--- a/launch-cache/dsc_extractor.cpp Tue Feb 19 17:45:51 2013 +0100
++++ b/launch-cache/dsc_extractor.cpp Tue Feb 19 17:51:25 2013 +0100
+@@ -50,6 +50,7 @@
+ #include <ext/hash_map>
+ #include <algorithm>
+ #include <dispatch/dispatch.h>
++#include <dlfcn.h>
+
+ struct seg_info
+ {
+@@ -456,7 +457,6 @@
+ }
+
+
+-#if 0
+
+ typedef int (*extractor_proc)(const char* shared_cache_file_path, const char* extraction_root_path,
+ void (^progress)(unsigned current, unsigned total));
+@@ -484,7 +484,6 @@
+ fprintf(stderr, "dyld_shared_cache_extract_dylibs_progress() => %d\n", result);
+ return 0;
+ }
+-#endif
+
+
+
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+<!--empty entitlements template-->
+</dict>
+</plist>
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>com.apple.springboard.debugapplications</key>
+ <true/>
+ <key>run-unsigned-code</key>
+ <true/>
+ <key>get-task-allow</key>
+ <true/>
+ <key>task_for_pid-allow</key>
+ <true/>
+</dict>
+</plist>
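Review bot: This plist carries no comment on why these four entitlements are granted, while the sibling empty entitlements.plist in the same commit documents its purpose inline, so a reader re-signing gdb or debugserver cannot tell which keys are actually required by the two re-signing scripts. Add a comment above the first key, e.g. `<!-- entitlements applied by the gdb and debugserver re-signing scripts; used only on the research device -->`, and note next to each key which tool needs it if that is known.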
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+GDBPATH=/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/libexec/gdb/gdb-arm-apple-darwin
+lipo -thin armv7 $GDBPATH -output gdb
+codesign -f -s - --entitlements entitlements_debugger.plist gdb
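Review bot: `lipo -thin armv7 $GDBPATH -output gdb` hard-codes the architecture that the Makefile in this commit parameterizes via `ARCH?=armv7`, and nothing stops on failure, so a missing or non-fat gdb binary leaves `codesign` to run against a file that was never produced. Suggest `set -e` after the shebang, quoting `"$GDBPATH"`, and `ARCH=${ARCH:-armv7}` followed by `lipo -thin "$ARCH" "$GDBPATH" -output gdb` so both build steps agree on the target.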
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+DEVDISK="/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/6.1 (10B141)/DeveloperDiskImage.dmg"
+
+hdiutil attach $DEVDISK
+cp /Volumes/DeveloperDiskImage/usr/bin/debugserver .
+codesign -f -s - --entitlements entitlements_debugger.plist debugserver
+hdiutil detach /Volumes/DeveloperDiskImage/
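Review bot: `hdiutil attach $DEVDISK` expands the variable unquoted, and the path contains a space (`6.1 (10B141)`), so the shell splits it into two arguments and the attach fails; without `set -e` the following `cp` also fails and `codesign` then runs on a file that does not exist. Change it to `hdiutil attach "$DEVDISK"` and add `set -e` after the shebang. If cleanup on a failed `cp`/`codesign` is wanted, `trap 'hdiutil detach /Volumes/DeveloperDiskImage/' EXIT` keeps the detach reachable instead of leaving the image mounted.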
@@ -0,0 +1,67 @@
+#!/usr/bin/ruby
+
+require 'openssl'
+
+def unhexlify(msg)
+ [msg].pack("H*")
+end
+
+def decrypt(data, key, iv)
+ algo = (key.length == 32) ? "AES-256-CBC" : "AES-128-CBC"
+ aes = OpenSSL::Cipher.new(algo)
+ aes.decrypt
+ aes.key = key
+ aes.iv = iv
+ aes.padding = 0
+ return aes.update(data) + aes.final
+end
+
+def valid(data)
+ return "kernel" if data.index("complzss") == 0
+ return "ramdisk" if data[0x400..0x401] == "H+"
+ return "bootload" if data[0x280..0x284] == "iBoot"
+ return "devicetree" if data.index("serial-number")
+ return "bootlogo" if data.index("iBootIm") == 0
+end
+
+if ARGV.length < 1
+ puts "Usage: img3decrypt.rb file.img3 [KEY] [IV] [output]"
+ exit(-1)
+end
+
+filename = ARGV.shift
+key = unhexlify(ARGV.shift)
+iv = unhexlify(ARGV.shift)
+output = ARGV.shift
+
+output = "#(unknown).dec" if not output
+
+File.open(filename, "rb") { |io|
+
+ magic,fullsize = io.read(20).unpack("A4V")
+
+ raise "3gmI magic not found" if magic != "3gmI"
+
+ while !io.eof?
+ tag, len, len2 = io.read(12).unpack("A4VV")
+
+ raise "Invalid tag length" if len < 12
+
+ data = io.read(len-12)
+
+ if tag == "ATAD"
+ t = valid(data)
+ if t
+ puts "Image is not encrypted (#{t})"
+ else
+ data = decrypt(data, key, iv)
+ t = valid(data)
+ puts t ? "Image decrypted OK (#{t})" : "Bad key/IV ?"
+ end
+ puts "Writing DATA payload to #{output}"
+ File.open(output, "wb") {|f| f.write(data) }
+ break
+ end
+ end
+}
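Review bot: `output = "#(unknown).dec" if not output` does not interpolate — `#(` is not `#{` — so the default output file is literally named `#(unknown).dec`; presumably `"#{filename}.dec"` was intended. The usage line also marks KEY and IV as optional, but `unhexlify(ARGV.shift)` on a missing argument evaluates `[nil].pack("H*")` and raises TypeError before the file is even opened, so an unencrypted image cannot be inspected without dummy key/IV arguments. Keep the hex strings as given and only convert them when a decryption is actually needed, failing with a clear message there; `valid` returning nil implicitly for an unrecognised payload is the intended "no match" signal and would read better with an explicit trailing `nil`. `io.read(12).unpack(...)` will also raise NoMethodError on a truncated file where fewer than 12 bytes remain, which a `break unless hdr && hdr.bytesize == 12` guard would turn into a clean stop.
```ruby
filename = ARGV.shift
key_hex = ARGV.shift
iv_hex = ARGV.shift
output = ARGV.shift || "#{filename}.dec"

# … unchanged: File.open, IMG3 magic check and tag loop …
      else
        raise "KEY and IV are required to decrypt this image" unless key_hex && iv_hex
        data = decrypt(data, unhexlify(key_hex), unhexlify(iv_hex))
        t = valid(data)
        puts t ? "Image decrypted OK (#{t})" : "Bad key/IV ?"
      end
```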
+