iPhone executable (MACH-O) decryption

I've been playing around with/debugging/disassembling binaries on the iPhone.

The first obstacle is that the binaries are encrypted and the disassembler cannot read them. This can be overcome by dumping the decrypted file content from gdb.

My question is about the decryption of binaries (which is done on the fly upon program start) for all MACH-O executables which have the encryption_id in the LC_ENCRYPTION_INFO section set to 1.

  1. is there a tool that decrypts files for you? Any recommendations?
  2. is there info available on how the process works? Apparently it's AES encryption? What key is used? Is it easy to replicate with your own program?

Thanks for any pointers!

Reactivate answered 24/10, 2011 at 4:5 Comment(5)
So what you are asking about is how to crack other developers' apps? I'm not sure if StackOverflow is the right place to ask this question since its main focus is about developing things - not reverse engineering apps developed by others. I think you might be better off at a hacker or piracy site. (Softshoe)
Really? I thought stack overflow had a reverse engineering sound to it! (as in overflowing your stack with too much data...) On a more serious note, I would think this is good general knowledge for all developers, and not some kind of taboo underground stuff. (Reactivate)
user986919 is right, you cannot implement security into your app without knowing how a hacker would try to break it. If a typically compiled app can be reverse-engineered, obfuscate it some more on your own. (Anacoluthia)
I can't really see anything in the question that indicates that the purpose of "disassembling binaries" is for the sake of improving the security of your own app. Knowing how to decrypt these doesn't help in improving the security of your app since the encryption/decryption is done transparently by iOS. If you want to see if there is anything in your own compiled app that is too easy to read by hackers, just disassemble the binary produced by Xcode before submitting it to Apple. (Softshoe)
There is nothing wrong in the security of a system being transparent. SSL is 100% transparent and yet it remains secure. On an iPhone, once it's jailbroken a lot of the security measures can be circumvented. Suppressing discussion about them on a public forum will not change that. It may make a few developers uneasy as they would prefer to think their apps are 100% impenetrable. Unless they are executed on the server - it's rarely the case. (Reactivate)

The short answer

A portion of the main binary's TEXT section in an app downloaded from the AppStore is encrypted, as indicated by the load command LC_ENCRYPTION_INFO{_64}.

This encryption is not performed by the developer; the encryption occurs when you download the app. Each app is encrypted for your AppStore account on that device with a public/private key pair created during sign-in.

The binary is decrypted by the kernel when it is loaded, so in essence, when you want to decrypt the binary you dump it from memory after it has loaded. This means you'll need to be 'in the process', which requires a jailbroken device. These days, if you're doing research you would use a tool like Frida to insert yourself into the process, and many Python scripts and pure JavaScript tools do exactly this.

The binary image decryption step is succinctly illustrated in C by Stefan Esser's project dumpdecrypted (from 2011).

In any case, getting a decrypted version of the app off the device will break the app since it is no longer validly signed and will require re-signing the entire app bundle. To re-sign the app would require an Apple developer account.

What does this all mean?

All iOS apps are susceptible to repackaging attacks, static and dynamic analysis as long as jailbreaks exist.

Radial answered 30/6 at 8:36 Comment(0)
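An added offline check, not part of the answer above and not dumpdecrypted's code, that parses the load command the answer refers to: it walks a Mach-O's load commands, finds LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 and reports cryptoff, cryptsize and cryptid, so an App Store download (cryptid 1) can be told apart from a dumped or repackaged binary (cryptid 0), which is a useful integrity signal for a developer auditing their own builds. It goes slightly beyond the answer by also handling fat (universal) files; the sample images are constructed inline and contain no real code.

```python
"""Report the LC_ENCRYPTION_INFO{,_64} state of a Mach-O file (offline check)."""
import struct
from typing import List, Optional

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # thin images, little-endian fields
FAT_MAGIC = 0xCAFEBABE                            # fat/universal header, big-endian fields
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def encryption_info(data: bytes, base: int = 0) -> Optional[dict]:
    """Return cryptoff/cryptsize/cryptid for the thin image at `base`, or None if absent."""
    magic = struct.unpack_from('<I', data, base)[0]
    if magic == MH_MAGIC_64:
        hdr_size = 32            # mach_header_64 has a trailing 'reserved' field
    elif magic == MH_MAGIC:
        hdr_size = 28
    else:
        raise ValueError(f'not a thin Mach-O image at offset {base:#x}')
    ncmds, sizeofcmds = struct.unpack_from('<II', data, base + 16)
    off, end = base + hdr_size, base + hdr_size + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError('load commands overrun sizeofcmds')
        cmd, cmdsize = struct.unpack_from('<II', data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError('bad cmdsize in load command')
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from('<III', data, off + 8)
            return {'cryptoff': cryptoff, 'cryptsize': cryptsize, 'cryptid': cryptid}
        off += cmdsize
    return None

def scan(data: bytes) -> List[Optional[dict]]:
    """One result per architecture slice; a thin file yields a single-element list."""
    if struct.unpack_from('>I', data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from('>I', data, 4)[0]
        results = []
        for i in range(nfat):
            _cpu, _sub, offset, _size, _align = struct.unpack_from('>5I', data, 8 + i * 20)
            results.append(encryption_info(data, offset))
        return results
    return [encryption_info(data)]

def _sample(cryptid: int) -> bytes:
    """Constructed minimal arm64 image: header + one LC_ENCRYPTION_INFO_64, no code."""
    lc = struct.pack('<IIIIII', LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    hdr = struct.pack('<IiiIIIII', MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(lc), 0, 0)
    return hdr + lc

ENCRYPTED_SAMPLE = _sample(1)   # what an App Store download looks like
DUMPED_SAMPLE = _sample(0)      # what a memory dump / repackaged binary looks like
FAT_SAMPLE = (struct.pack('>II', FAT_MAGIC, 1)
              + struct.pack('>5I', 0x0100000C, 0, 28, len(ENCRYPTED_SAMPLE), 14)
              + ENCRYPTED_SAMPLE)
```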
