frus555

Reputation: 249

iPhone executable (MACH-O) decryption

I've been playing around with/debugging/disassembling binaries on the iPhone.

The first obstacle is that the binaries are encrypted and the disassembler cannot read them. This can be overcome by dumping the decrypted file content from gdb.

My question is about the decryption of binaries (which is done on the fly upon program start) for all MACH-O executables which have the encryption_id in the LC_ENCRYPTION_INFO section set to 1.

  1. Is there a tool that decrypts files for you? Any recommendations?
  2. Is there info available on how the process works? Apparently it's AES encryption? What key is used? Is it easy to replicate with your own program?

Thanks for any pointers!

Upvotes: 8

Views: 3098

Answers (1)

Cameron Lowell Palmer

Reputation: 22246

The short answer

A portion of the main binary's TEXT section in an app downloaded from the AppStore is encrypted, as indicated by the load command LC_ENCRYPTION_INFO{_64}.

This encryption is not performed by the developer; it occurs when you download the app. Each app is encrypted for your AppStore account on that device with a public/private key pair created during sign-in.

The binary is decrypted by the kernel when it is loaded, so in essence, when you want to decrypt the binary you dump it from memory after it has loaded. This means you'll need to be 'in the process', which requires a jailbroken device. These days, if you're doing research you would use a tool like Frida to insert yourself into the process, and many Python scripts and pure JavaScript tools do exactly this.

The binary image decryption step is succinctly illustrated in C by Stefan Esser's project dumpdecrypted (from 2011).

In any case, getting a decrypted version of the app off the device will break the app since it is no longer validly signed and will require re-signing the entire app bundle. To re-sign the app would require an Apple developer account.

What does this all mean?

All iOS apps are susceptible to repackaging attacks, static and dynamic analysis as long as jailbreaks exist.

Upvotes: 0
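Both the question and the answer hinge on one load command, LC_ENCRYPTION_INFO (or LC_ENCRYPTION_INFO_64), and its cryptid field. The parser below is an added example, not code from the question, the answer, or dumpdecrypted; it reads the public mach_header / load_command / fat_header layouts from Apple's loader.h and fat.h and reports, per architecture slice, whether a binary is still App Store encrypted (cryptid == 1), is plaintext (cryptid == 0, which is what a developer build or a dumped-and-repackaged App Store binary looks like), or never had the command. That is the check a reviewer runs on a submitted IPA before deciding whether a disassembler will see code or ciphertext. The two sample images are constructed in memory (header plus LC_UUID plus LC_ENCRYPTION_INFO_64, no real code); the cryptoff/cryptsize values in them are made up.

```python
"""Inspect a Mach-O (thin or fat) for LC_ENCRYPTION_INFO{_64} and report cryptid.

Added example, not from the original post. Uses only the public Mach-O header
layouts from <mach-o/loader.h> and <mach-o/fat.h>; sample images are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit image, native / byte-swapped
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit image, native / byte-swapped
FAT_MAGIC = 0xCAFEBABE                             # fat container header is always big-endian
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
LC_UUID = 0x1B
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2


@dataclass
class EncryptionInfo:
    cryptoff: int   # file offset of the encrypted range (inside __TEXT)
    cryptsize: int  # length of the encrypted range in bytes
    cryptid: int    # 0 = plaintext, 1 = App Store (FairPlay) encrypted


def _parse_thin(data: bytes, base: int) -> Optional[EncryptionInfo]:
    """Walk the load commands of one Mach-O image that starts at `base`."""
    magic = struct.unpack_from("<I", data, base)[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = ">"
    else:
        raise ValueError(f"not a Mach-O image at offset {base:#x}")
    is64 = magic in (MH_MAGIC_64, MH_CIGAM_64)
    hdr_fmt = endian + ("8I" if is64 else "7I")  # mach_header_64 carries an extra reserved field
    hdr = struct.unpack_from(hdr_fmt, data, base)
    ncmds, sizeofcmds = hdr[4], hdr[5]
    off = base + struct.calcsize(hdr_fmt)
    end = off + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > len(data):
            raise ValueError("load commands run past end of file")
        cmd, cmdsize = struct.unpack_from(endian + "2I", data, off)
        # Never trust cmdsize from the file: a zero or oversized value must not loop or overread.
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError(f"malformed load command at {off:#x}")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from(endian + "3I", data, off + 8)
            return EncryptionInfo(cryptoff, cryptsize, cryptid)
        off += cmdsize
    return None


def find_encryption_info(data: bytes) -> List[Optional[EncryptionInfo]]:
    """One result per architecture slice; a thin file yields a single entry."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        results = []
        for i in range(nfat):
            _cpu, _sub, offset, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
            if offset + size > len(data):
                raise ValueError("fat_arch slice runs past end of file")
            results.append(_parse_thin(data, offset))
        return results
    return [_parse_thin(data, 0)]


def verdict(info: Optional[EncryptionInfo]) -> str:
    if info is None:
        return "no LC_ENCRYPTION_INFO: image was never set up for App Store encryption"
    if info.cryptid == 1:
        return f"encrypted: {info.cryptsize:#x} bytes at {info.cryptoff:#x}; disassembler sees ciphertext"
    return "cryptid=0: plaintext image (developer build, or an App Store binary that was dumped and repackaged)"


def build_sample(cryptid: int) -> bytes:
    """Constructed minimal arm64 image: header + LC_UUID + LC_ENCRYPTION_INFO_64, no code."""
    uuid_cmd = struct.pack("<2I", LC_UUID, 24) + bytes(range(16))
    enc_cmd = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    cmds = uuid_cmd + enc_cmd
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 2, len(cmds), 0, 0)
    return header + cmds


def build_fat_sample() -> bytes:
    """Constructed fat container: one encrypted slice, one plaintext slice, page-aligned."""
    slices = [build_sample(1), build_sample(0)]
    page = 0x1000
    archs, body = b"", b""
    for i, img in enumerate(slices):
        archs += struct.pack(">5I", CPU_TYPE_ARM64, i, page * (i + 1), len(img), 12)
        body += img.ljust(page, b"\0")
    return (struct.pack(">2I", FAT_MAGIC, len(slices)) + archs).ljust(page, b"\0") + body


if __name__ == "__main__":
    for n, info in enumerate(find_encryption_info(build_fat_sample())):
        print(f"slice {n}: {verdict(info)}")
```

To run it against a real binary, read the main executable out of the .app bundle with `open(path, "rb").read()` and pass it to `find_encryption_info`; a fat file returns one entry per slice, and the cryptoff/cryptsize pair tells you exactly which byte range a memory dump has to replace before a disassembler can make sense of the image.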
