Decrypting iPhone executables (Mach-O)

I have been playing with debugging / disassembling binaries on the iPhone.

The first hurdle is that the binaries are encrypted and a disassembler cannot read them. This can be overcome by dumping the decrypted file contents from gdb.

My question is about decrypting the binaries (which are decrypted on the fly when the program starts), i.e. all Mach-O executables whose LC_ENCRYPTION_INFO load command has the cryptid field set to 1.

  • Is there a tool that decrypts files for you? Any recommendations?
  • Is there any information on how this process works? Apparently it is AES encryption? Which key is used? Is it easy to replicate in your own program?

Thanks for any pointers!

+5
1 answer

Leaving aside the ethical questions about cracking / hacking / etc., here are the details:

  • On OS X, binary decryption is performed by Dont Steal Mac OS X.kext (affectionately called DSMOS).
  • On iOS, binary decryption is performed by the FairPlay kext.

    In both cases the kernel's Mach-O loader is responsible for this. If you really want the details, it is the Apple Protect pager that handles the decryption. In XNU a "pager" is the component responsible for supplying VM pages, fetching them from backing store (swap, a memory-mapped file, etc.). It is the Apple Protect pager that calls the kext (one of the two above).

    There's a great book covering the kernel-level details: http://www.amazon.com/Mac-OS-iOS-Internals-Apples/dp/1118057651

    To get at the decrypted code you can (as root) use the Mach VM API to read the process's memory, since the decrypted pages live in the process's VM. Stefan Esser wrote a tool that does exactly this from inside the process: a .dylib injected via DYLD_INSERT_LIBRARIES. See github.com > stefanesser > dumpdecrypted.


+7
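The answer above describes the mechanism (the kernel decrypts pages as they are faulted in, so process memory holds plaintext) and the dump technique (read the in-memory image back over the encrypted range of a file copy and clear cryptid). The following is an added example that is not part of the original answer and not Stefan Esser's dumpdecrypted code: it parses a thin Mach-O header to locate LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64, reports whether the image is encrypted, and performs the write-back step. The Mach-O structs and constants are redefined from Apple's `<mach-o/loader.h>` so it builds without the SDK; the sample image is constructed inline and is not a real binary. Assumptions: a thin (non-fat) image, and a `cryptoff` that is the same file offset in the on-disk copy and in the in-memory image (as it is when the text segment is mapped from file offset 0), which is the simple case a real dumper must generalise for fat slices.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mach-O constants, values as in Apple's <mach-o/loader.h>, redefined so this
 * compiles anywhere. */
#define MH_MAGIC              0xfeedfaceu
#define MH_MAGIC_64           0xfeedfacfu
#define LC_ENCRYPTION_INFO    0x21u
#define LC_ENCRYPTION_INFO_64 0x2Cu

struct mach_header_64 {
    uint32_t magic, cputype, cpusubtype, filetype;
    uint32_t ncmds, sizeofcmds, flags, reserved;   /* 32-bit header has no 'reserved' */
};
struct load_command { uint32_t cmd, cmdsize; };
/* Common prefix of LC_ENCRYPTION_INFO (20 bytes) and LC_ENCRYPTION_INFO_64
 * (24 bytes, one extra pad word). cryptid == 0 means the range is plaintext. */
struct encryption_info_command {
    uint32_t cmd, cmdsize, cryptoff, cryptsize, cryptid;
};

/* Walk the load commands of a thin Mach-O image and return its
 * LC_ENCRYPTION_INFO(_64) command, or NULL if absent or the image is malformed.
 * Fat binaries and foreign-endian images are not handled here. */
struct encryption_info_command *find_encryption_info(uint8_t *image, size_t len)
{
    if (len < sizeof(struct mach_header_64)) return NULL;
    struct mach_header_64 *mh = (struct mach_header_64 *)image;
    size_t hdrlen;
    if (mh->magic == MH_MAGIC_64)   hdrlen = sizeof(struct mach_header_64);      /* 32 */
    else if (mh->magic == MH_MAGIC) hdrlen = sizeof(struct mach_header_64) - 4;  /* 28 */
    else return NULL;

    size_t off = hdrlen, end = hdrlen + mh->sizeofcmds;
    if (end > len) return NULL;
    for (uint32_t i = 0; i < mh->ncmds; i++) {
        if (off + sizeof(struct load_command) > end) return NULL;
        struct load_command *lc = (struct load_command *)(image + off);
        if (lc->cmdsize < sizeof(struct load_command) || off + lc->cmdsize > end) return NULL;
        if ((lc->cmd == LC_ENCRYPTION_INFO || lc->cmd == LC_ENCRYPTION_INFO_64) &&
            lc->cmdsize >= sizeof(struct encryption_info_command))
            return (struct encryption_info_command *)lc;
        off += lc->cmdsize;
    }
    return NULL;
}

/* 1 if the image carries an LC_ENCRYPTION_INFO with cryptid != 0, else 0. */
int is_fairplay_encrypted(uint8_t *image, size_t len)
{
    struct encryption_info_command *ei = find_encryption_info(image, len);
    return ei != NULL && ei->cryptid != 0;
}

/* The dump step: 'file' holds the on-disk (still encrypted) bytes, 'mem' the
 * same image as mapped in the running process, where the Apple Protect pager
 * has already decrypted the pages. Copy the decrypted range back over the file
 * bytes and clear cryptid so loaders and disassemblers treat the result as
 * plaintext. Returns 0 on success, -1 if the command is missing or the
 * [cryptoff, cryptoff + cryptsize) range does not fit in either buffer. */
int write_decrypted_copy(uint8_t *file, size_t filelen, const uint8_t *mem, size_t memlen)
{
    struct encryption_info_command *ei = find_encryption_info(file, filelen);
    if (ei == NULL) return -1;
    uint64_t lo = ei->cryptoff, hi = (uint64_t)ei->cryptoff + ei->cryptsize;
    if (hi > filelen || hi > memlen) return -1;
    memcpy(file + lo, mem + lo, (size_t)(hi - lo));
    ei->cryptid = 0;
    return 0;
}

/* Constructed sample (not a real binary): a minimal 64-bit Mach-O with a single
 * LC_ENCRYPTION_INFO_64 covering bytes [64, 96), cryptid = 1. The load command
 * is identical on disk and in memory, as in a real process; only the page
 * contents differ: 0xEE stands in for ciphertext, 0x41 for decrypted code.
 * Returns a malloc'd buffer of SAMPLE_LEN bytes. */
#define SAMPLE_LEN 128
uint8_t *build_sample(int decrypted_pages)
{
    uint8_t *out = calloc(1, SAMPLE_LEN);
    struct mach_header_64 *mh = (struct mach_header_64 *)out;
    mh->magic = MH_MAGIC_64; mh->ncmds = 1; mh->sizeofcmds = 24;
    uint32_t *ei = (uint32_t *)(out + sizeof(*mh)); /* cmd, cmdsize, cryptoff, cryptsize, cryptid, pad */
    ei[0] = LC_ENCRYPTION_INFO_64; ei[1] = 24; ei[2] = 64; ei[3] = 32; ei[4] = 1; ei[5] = 0;
    memset(out + 64, decrypted_pages ? 0x41 : 0xEE, 32);
    return out;
}

int main(void)
{
    uint8_t *file = build_sample(0), *mem = build_sample(1);
    printf("on disk: encrypted=%d first bytes %02x %02x\n",
           is_fairplay_encrypted(file, SAMPLE_LEN), file[64], file[65]);
    if (write_decrypted_copy(file, SAMPLE_LEN, mem, SAMPLE_LEN) != 0) return 1;
    printf("after dump: encrypted=%d first bytes %02x %02x\n",
           is_fairplay_encrypted(file, SAMPLE_LEN), file[64], file[65]);
    free(file); free(mem);
    return 0;
}
```

The `find_encryption_info` walk is also the check to run before bothering with a dump at all: if there is no LC_ENCRYPTION_INFO or its cryptid is already 0, the file on disk is plaintext and the disassembler's problem lies elsewhere. Note that the in-memory header keeps cryptid = 1; it is the dumper that clears it in the written copy.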
