CrackBot2 icon indicating copy to clipboard operation
CrackBot2 copied to clipboard

verified publisher icon n3d1117

Metadata

A macOS bash script to automate decryption of iOS Apps using a jailbroken iOS device

CrackBot2 🤖

CrackBot2 is a bash script used to automate decryption of iOS apps.

NOTE: for research and reverse engineering purposes only. Do NOT use this for piracy.

Requirements

  • macOS (tested on Catalina 10.15.2)
  • Jailbroken iOS device (tested on iPhone 6s, iOS 11 and 12)

Usage

./bot <iTunes URL>

Setup

Device

  • Set device language to English
  • Connect the device to your computer and make sure to accept the trust dialog
  • Install the following packages from Cydia:
    • OpenSSH
    • bfdecrypt from https://level3tjg.xyz/repo/
    • plutil
    • Open for iOS 11
    • AutoTouch
    • NoAppThinning from https://n3d1117.github.io
    • Activator from https://rpetri.ch/repo
  • Make sure you are logged in the App Store, preferably with US account
  • Disable password requirement for free apps (Settings -> iTunes & App Store -> Password Settings -> Disable Require Password)
  • In bfdecrypt settings, toggle one app on and off (this allows the creation of com.level3tjg.bfdecrypt.plist file in /var/mobile/Library/Preferences)

Computer

  • Install jq with brew install jq (requires Homebrew)
  • Install ios-deploy with brew install ios-deploy (requires Homebrew)
  • Connect your jailbroken device with USB
  • Enable passwordless root login for your device:
    • ssh-keygen -t rsa -P '' -f ~/.ssh/YOUR_DEVICE_NAME (NOTE: you may need to run ssh-add ~/.ssh/YOUR_DEVICE_NAME too)
    • ssh-copy-id -i ~/.ssh/YOUR_DEVICE_NAME.pub root@YOUR_DEVICE_IP (if needed, install ssh-copy-id with brew install ssh-copy-id)
    • You should now be able to connect to your device with ssh root@YOUR_DEVICE_IP without entering the password.
    • NOTE: I strongly recommend enabling SSH via USB so you can connect to your device as ssh root@localhost -p 2222

Getting started

  • Download and install my fork of BishopFox's bfdecrypt: 
    d ~/downloads/
url -L -O "https://github.com/n3d1117/bfdecrypt/raw/master/bfdecrypt.dylib"
cp bfdecrypt.dylib root@YOUR_DEVICE_IP:/Library/MobileSubstrate/DynamicLibraries/bfdecrypt.dylib
  • SSH into your device (ssh root@YOUR_DEVICE_IP) and sign the dylib: 
    did -S /Library/MobileSubstrate/DynamicLibraries/bfdecrypt.dylib
illall backboardd
  • Then create needed folders on device: 
    d /var/mobile/Library/AutoTouch/Scripts && mkdir -p CrackBot2
  • Clone this repo on your computer: 
    d ~/downloads/
it clone https://github.com/n3d1117/CrackBot2.git
  • Copy AutoTouch script to device: 
    d ~/downloads/CrackBot2/AutoTouch 
cp -r appstoredownload.lua images root@YOUR_DEVICE_IP:/var/mobile/Library/AutoTouch/Scripts/CrackBot2
  • On your device open AutoTouch, go to appstoredownload.lua, click (i) -> Playing settings -> Trigger with activator -> Select Hold status bar.
  • Open bot file with a text editor and, if needed, edit DEVICE_IP and DEVICE_PORT parameters with yours.
  • Done! You can now run the script from your computer: 
    d ~/downloads/CrackBot2/ 
/bot

NOTE: Only free apps (or paid ones previously bought) are supported at the moment.

Credits

  • bfdecrypt: Utility to decrypt App Store apps on jailbroken iOS 11.x
  • level3tjg for a preference-based bfdecrypt
  • AutoTouch: Record, playback, simulate human touching/pressing, run Lua scripts.
  • Activator: Centralized gestures, button and shortcut management for iOS

License

Licensed under GNU General Public License v3.0. See LICENSE file for further information.

Metadata

39
Stars
8
Forks
Watchers

Owner

verified publisher icon n3d1117

Metadata

A macOS bash script to automate decryption of iOS Apps using a jailbroken iOS device

Back