MGKeys

Mapping of the obfuscated keys (or questions) used by iOS's MobileGestalt to the de-obfuscated, easier-to-understand ones. To obfuscate a key, Apple calculates the base64 of MGCopyAnswer{theKey}, truncates the last two characters and calculates the MD5 from the resulting string.

It is our job to de-obfuscate them all.

Patterns

There are a few certain patterns of the key names, which can be useful for de-obfuscation.

Kebab case some-key-name
Pascal case of DeviceSupportsXXX (common)
Pascal case of XXXCapability (common)
- FrontFacing(Camera)XXXCapability
- RearFacing(Camera)XXXCapability
Pascal case of SupportsXXX
Pascal case of HasXXX
Pascal case of IsXXX
Pascal case of XXXData (usually come alongside another key without Data suffix in it)

Typical Workflow

Extract libMobileGestalt.dylib from the dyld shared cache of an iOS device
Run deobfuscate.sh script to get the new unmapped obfuscated keys
Throw the dylib into Hopper or IDA to find the human-readable function that is referenced by each key
Verify that the function name converts to the obfuscated key it references to
Update the key mapping in deobfuscated.py
Run deobfuscate.sh again

MGKeys
MGKeys copied to clipboard

Metadata

MGKeys

Patterns

Typical Workflow

Credits (Keys De-obfuscation)

Further Readings

← Metadata

Owner

Metadata

MGKeys MGKeys copied to clipboard

Metadata

MGKeys

Patterns

Typical Workflow

Credits (Keys De-obfuscation)

Further Readings

← Metadata

Owner

Metadata

MGKeys
MGKeys copied to clipboard