appdecrypt icon indicating copy to clipboard operation
appdecrypt copied to clipboard

Published 20 hours ago verified publisher icon paradiseduo

apps are still encrypted!

Open ayouch opened this issue 3 years ago • 12 comments

I was able to successfully use appdecrypt on my m1 mac but the output binaries are still encrypted anyway! I used otool to check and cryptid is still 1.

ayouch avatar Sep 21 '21 23:09 ayouch

what's app

paradiseduo avatar Sep 22 '21 02:09 paradiseduo

basically every app I tried, here's an example: Screen Shot 2021-09-22 at 03 08 58 Screen Shot 2021-09-22 at 03 10 07

ayouch avatar Sep 22 '21 02:09 ayouch

App download from mac's App Store?

paradiseduo avatar Sep 22 '21 03:09 paradiseduo

yes

ayouch avatar Sep 22 '21 03:09 ayouch

I add log to fail reason, and now I try to found why mmap fail.

Dump /Applications/PinTok.app/Wrapper/PinTok.app/PinTok fail, because of mmap fail

paradiseduo avatar Sep 22 '21 03:09 paradiseduo

it's not just this app in particular, basically all the apps I tried stay encrypted even after successfully running appdecrypt!

ayouch avatar Sep 22 '21 03:09 ayouch

I dump Kugou and DUApp Success, but other app dump fail.

paradiseduo avatar Sep 22 '21 05:09 paradiseduo

Post 11.2.3 you can decrypt only those apps, that had been allowed by developer (support Mac tick in Developer Portal). Maybe it is possible to use DYLD_INTERPOSE with mmap to allow decrypting of unsigned binaries? Or some sort of .sinf file generation like in Clutch?

iVoider avatar Sep 23 '21 12:09 iVoider

@iVoider I'm trying to decrypt signed apps that I downloaded from the mac app store and it doesn't work anyway!

ayouch avatar Sep 23 '21 13:09 ayouch

I konw why some app doesn't work.

> otool -l PinTok
.......
Load command 10
      cmd LC_BUILD_VERSION
  cmdsize 32
 platform 2   # Platform 2 is iOS
    minos 13.0
      sdk 14.5
   ntools 1
     tool 3
  version 650.9
.......

you can see, this app platform is 2, Platform 2 is iOS. so decrypt it on mac will be fail.

This error corresponds to EXEC_EXIT_REASON_WRONG_PLATFORM in the kernel, and that constant is only referenced in a single function: check_for_signature:

static int

check_for_signature(proc_t p, struct image_params *imgp)

{

    …;

#if XNU_TARGET_OS_OSX

        /* Check for platform passed in spawn attr if iOS binary is being spawned */

        if (proc_platform(p) == PLATFORM_IOS) {

                struct _posix_spawnattr *psa = imgp->ip_px_sa;

                if (psa == NULL || psa->psa_platform == 0) {

                    …;

                            signature_failure_reason = os_reason_create(OS_REASON_EXEC,

                                        EXEC_EXIT_REASON_WRONG_PLATFORM);

                            error = EACCES;

                            goto done;

                } else if (psa->psa_platform != PLATFORM_IOS) {

                        /* Simulator binary spawned with wrong platform */

                        signature_failure_reason = os_reason_create(OS_REASON_EXEC,

                            EXEC_EXIT_REASON_WRONG_PLATFORM);

                        error = EACCES;

                        goto done;

                } else {

                        printf("Allowing spawn of iOS binary %s since

                            correct platform was passed in spawn\n", p->p_name);

                }

        }

#endif /* XNU_TARGET_OS_OSX */

    …;

}

This code is active on macOS and will execute if the platform of the to-be-executed process is PLATFORM_IOS.

paradiseduo avatar Oct 12 '21 12:10 paradiseduo

Is there anything we can do about this?

hazcod avatar Aug 25 '22 10:08 hazcod

Sorry for bringing this up after 2 years, if I get cryptid 0 instead of 1. Does it mean the executable was cracked successfully? I am trying to fix the issue with mmap.

Please also see https://github.com/paradiseduo/appdecrypt/pull/25.

HenryQuan avatar Oct 14 '23 11:10 HenryQuan