Since Apple opened the App Store, tens of thousands of applications have become available for the iPhone and the iPod touch, and the number keeps growing. All apps sold there are protected by Apple’s own DRM system, FairPlay: the executable inside each application package is encrypted.
Not long after the iPhone was jailbroken, FairPlay was broken as well. Because the executable has to be decrypted before it can run, an iPhone port of GDB made it easy to crack apps by dumping the decrypted binary from the device’s RAM.
After this “breakthrough” a few CLI scripts (xCrack, DCrypt) appeared that semi-automated the cracking process. They were nothing compared to Crackulous, which offers a GUI that cracks purchased apps automatically and makes it easy to distribute them to other pirates.
Developers are of course aware of this, and some try to protect their applications with their own methods. Since App Store rules do not allow serial numbers or similar licensing schemes, these methods look for the modifications that cracking leaves behind in the application package.
This tutorial focuses on finding and disabling these checks. It is heavily based on Shub-Nigurath’s “Primer on Reversing Jailbroken iPhone Native Applications”, which offers a great introduction to the Mach-O file format, the Objective-C programming model, and how IDA can be used to disassemble such files.
What you need:
- Jailbroken iPhone or iPod touch
- IDA 5.2 or newer
- Hex editor
- SFTP/SSH client

The PDF file covers:
- Tools on your iDevice
- The file structure of the applications
- ARM opcodes
- The process of removing Apple’s DRM
- Modifications made to the application package during the cracking process:
  - modifications to the Info.plist file
  - removal of iTunesMetadata.plist
  - presence of the _CodeSignature folder and CodeResources
  - cryptid in LC_ENCRYPTION_INFO

Applications used as examples:
- Full Screen web browser 1.1
- Robo 1.1.2
- Faces visual dialer 1.2.1
- mBox Mail 2.01
- Exzeus 1.3
- Convertbot 1.1
- Zen Bound 1.2.1

Downloads:
- Download the .pdf file here
- The applications used as examples are packed into a single educational package here
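The last of the package checks listed above, the cryptid field of LC_ENCRYPTION_INFO, is the one most worth seeing in code. A FairPlay-protected executable carries an LC_ENCRYPTION_INFO load command whose cryptid is non-zero; a cracking tool that writes a decrypted dump back to disk sets cryptid to 0 so the loader does not try to decrypt plaintext, and that is exactly what a developer-side integrity check looks for. The following script is an added example, written for this page and not taken from the PDF or from Shub-Nigurath’s primer: it walks the Mach-O header and load commands of a thin 32- or 64-bit image and reports cryptid. The function names are my own, and the minimal Mach-O it builds for testing is constructed here and is not a real application binary.

```python
import struct
import sys

# Mach-O magic numbers as read little-endian (how iOS ARM binaries are stored)
MH_MAGIC = 0xFEEDFACE      # 32-bit Mach-O
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O
FAT_MAGIC = 0xCAFEBABE     # universal (fat) binary; its header is big-endian

LC_SEGMENT = 0x01
LC_ENCRYPTION_INFO = 0x21     # struct encryption_info_command, cmdsize 20
LC_ENCRYPTION_INFO_64 = 0x2C  # same fields plus a 4-byte pad, cmdsize 24


def encryption_info(data):
    """Walk the load commands of a thin Mach-O image and return
    (cryptoff, cryptsize, cryptid) from LC_ENCRYPTION_INFO / _64,
    or None when the image carries no encryption command at all."""
    if len(data) < 28 or struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        raise ValueError("not a thin Mach-O (fat binary or too short); pick one slice first")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC:
        header_size = 28
    elif magic == MH_MAGIC_64:
        header_size = 32
    else:
        raise ValueError("unknown magic 0x%08x" % magic)
    # ncmds and sizeofcmds sit at offsets 16 and 20 in both header layouts
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    offset = header_size
    end = header_size + sizeofcmds
    for _ in range(ncmds):
        if offset + 8 > len(data):
            raise ValueError("truncated load command table")
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        # A hand-edited or cracked binary may carry a garbage cmdsize; bound it
        # before using it, or the walk runs off the end of the buffer.
        if cmdsize < 8 or offset + cmdsize > end:
            raise ValueError("malformed load command at offset 0x%x" % offset)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # cryptoff, cryptsize, cryptid follow the common (cmd, cmdsize) header
            return struct.unpack_from("<III", data, offset + 8)
        offset += cmdsize
    return None


def is_encrypted(data):
    """True when the image still has a FairPlay-encrypted segment (cryptid != 0).
    A decrypted dump written back by a cracking tool shows cryptid == 0."""
    info = encryption_info(data)
    return info is not None and info[2] != 0


def build_sample_macho32(cryptid, with_encryption_cmd=True):
    """Constructed test input (not a real app): a minimal 32-bit ARM Mach-O made of
    a header, one empty __TEXT segment and, optionally, an LC_ENCRYPTION_INFO command."""
    segment = struct.pack("<II16sIIIIIIII", LC_SEGMENT, 56, b"__TEXT",
                          0x1000, 0x1000, 0, 0x1000, 7, 5, 0, 0)
    cmds = segment
    if with_encryption_cmd:
        cmds += struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x1000, 0x1000, cryptid)
    ncmds = 2 if with_encryption_cmd else 1
    # magic, cputype (ARM = 12), cpusubtype (ARMv6 = 6), filetype (MH_EXECUTE = 2),
    # ncmds, sizeofcmds, flags
    header = struct.pack("<IIIIIII", MH_MAGIC, 12, 6, 2, ncmds, len(cmds), 0)
    return header + cmds


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. the executable inside Payload/Something.app/ extracted from an .ipa
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        blob = build_sample_macho32(cryptid=1)
    print("LC_ENCRYPTION_INFO:", encryption_info(blob), "encrypted:", is_encrypted(blob))
```

Run it against the executable extracted from an .ipa: cryptid 1 means the file on disk is still FairPlay-encrypted and useless without the device, cryptid 0 means it has already been decrypted and written back. An app that performs this check at run time does the same walk over its own image header in memory instead of a file, and a tamper check that compares cryptid against its expected value is the one the tutorial’s “cryptid in LC_ENCRYPTION_INFO” section is about.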