
Support for iOS 14.5 #6

Open
irworks opened this issue Nov 30, 2021 · 9 comments

Comments

irworks commented Nov 30, 2021

Hi there! While trying out fouldecrypt on iOS 14.5 using the AltStore -> Fugu14 -> unc0ver jailbreak on an iPhone XR, I wasn't able to get fouldecrypt running successfully. Here's the log output of one attempt:

10:29:21.123326	mapping input file: /private/var/containers/Bundle/Application/7384EA7D-A396-4A76-88B6-F102431E33D9_tmp/Discord.app/Discord
10:29:21.128509	mapping output file: /private/var/containers/Bundle/Application/7384EA7D-A396-4A76-88B6-F102431E33D9_tmp/Discord.app/Discord
10:29:21.435733	copying original data of size 0x158c1d0...
10:29:21.454366	    not fat binary, directly decrypting it!
10:29:21.454458	    finding encryption_info segment in slide...
10:29:21.454467	        found encryption_info segment at offset 10f8
10:29:21.454476	    decrypting encrypted data...
10:29:21.454481	        Going to decrypt crypt page: off 0x356000 size 0x1000 cryptid 1, cpuType 100000c cpuSubType 0
10:29:21.454505	        Not 16k aligned, trying to do the hack :O
Error attempting to load plugin /usr/lib/libkrw/libFugu14Krw.dylib: dlopen(/usr/lib/libkrw/libFugu14Krw.dylib, 5): no suitable image found.  Did find:
	/usr/lib/libkrw/libFugu14Krw.dylib: incompatible cpu-subtype: 0x00000000 in /usr/lib/libkrw/libFugu14Krw.dylib
	/usr/lib/libkrw/libFugu14Krw.dylib: stat() failed with errno=60
10:29:21.750269	        successfully initialized kerninfra!
10:29:21.750393	            processing file off 354000-357000, curPage len: 3000, inPageStart: 2000, inPageEnd: 3000
10:29:21.750489	-->> directly 16k-aligned mmap mmaping(0x0, 0x3000, 5, 0x2, 4, 0x354000)
10:29:21.752934	<<-- directly 16k-aligned mmap mmaping(0x0, 0x3000, 5, 0x2, 4, 0x354000) = 0x1027fc000
10:29:21.752955	<<-- unprotect mremap_encrypted(0x1027fc000, 0x3000, 1, 0x100000c, 0x0)
mremap_encrypted: Operation not permitted
10:29:21.812483	-->> unprotect mremap_encrypted(0x1027fc000, 0x3000, 1, 0x100000c, 0x0) = -1

Especially the part mentioning /usr/lib/libkrw/libFugu14Krw.dylib gave me the impression that the issue may be related to the specific Fugu14 exploit method?

@Halo-Michael

CC: LinusHenze/Fugu14#200
Place the files in libFugu14Krw.zip according to the path.

irworks commented Dec 2, 2021

Thank you for your help! This resolved the libFugu14Krw.dylib loading issue; unfortunately the mremap_encrypted: Operation not permitted persists and the binary remains encrypted.

@dlevi309

> Thank you for your help! This resolved the libFugu14Krw.dylib loading issue; unfortunately the mremap_encrypted: Operation not permitted persists and the binary remains encrypted.

This is how you fix it:
First, run the app's binary path alone in the terminal (you're gonna get a Trace: BPT Trap error, which is expected), then run fouldecrypt normally on the binary. It should decrypt it after that, because you've forced the app to map itself by executing it directly.

So, to rehash, say I want to decrypt Discord:

$ /var/containers/Bundle/Application/5C4DC9B2-9056-4717-935E-71CB3C74E9DC/Discord.app/Discord

it should return Abort Trap: 6 or whatever. Then run:

$ fouldecrypt /var/containers/Bundle/Application/5C4DC9B2-9056-4717-935E-71CB3C74E9DC/Discord.app/Discord

Unless it's a special case, the app should decrypt fine now; this also works on plugins.

0x5e commented Sep 14, 2022

Hi @dlevi309, how about dylib decryption? A dylib can't be executed, and if I directly run fouldecrypt, I get mremap_encrypted: Operation not permitted again.

@dlevi309

> Hi @dlevi309, how about dylib decryption? A dylib can't be executed, and if I directly run fouldecrypt, I get mremap_encrypted: Operation not permitted again.

I've run into this too. The issue is that on iOS 14, the execute bit needs to be set to decrypt dylibs / frameworks; this is my own goofy solution:

Let’s pretend that the path of the dylib you’re trying to decrypt is Argo.app/Frameworks/Something.framework/Something

  1. run chmod +x on Argo.app/Frameworks/Something.framework/Something
  2. Then attempt to RUN Argo.app/Frameworks/Something.framework/Something from the command line (this will obviously fail with a message like abort trap, but it’s enough to load the dylib into memory)
  3. NOW run decrypt Argo.app/Frameworks/Something.framework/Something

This isn't a surefire fix for everything, but I've noticed that it works most of the time.

0x5e commented Sep 14, 2022

@dlevi309 thanks for the reply.
In step 2, I still got cannot execute binary file: Exec format error; it seems step 1 didn't work for me.

iPhone-7:~/workspace root# chmod +x ./tmp/Payload/xxx.app/Frameworks/yyy.framework/yyy
iPhone-7:~/workspace root# ./tmp/Payload/xxx.app/Frameworks/yyy.framework/yyy
-sh: ./tmp/Payload/xxx.app/Frameworks/yyy.framework/yyy: cannot execute binary file: Exec format error

@dlevi309

@0x5e no prob, and the app can't be in a ./tmp environment; chmod +x has to be performed on the original binary within the installed app's bundle directory. Although, even after doing all the steps correctly, you may still get that cannot execute binary file: Exec format error, and that's usually an indication that it won't work on that particular binary. Frameworks / dylibs sometimes definitely work, but can also fail. If you wanna test an example of this that works almost 100% of the time, you can run the steps on app plugins that fail to decrypt (because they may be built for a newer iOS version, etc.)
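The thread converges on three conditions that can be checked before touching mremap_encrypted at all: the file sits inside the installed bundle directory (not an unpacked copy under ./tmp), the execute bit is set, and the binary actually still carries an LC_ENCRYPTION_INFO command with cryptid 1. The Python script below is an added example, not fouldecrypt's code and not anything posted in this issue. It walks the Mach-O load commands for the encryption command (the log above reports finding it at offset 0x10f8), applies the two conditions from dlevi309's steps, and reconstructs the 16k-page window arithmetic that the log prints for the unaligned region at 0x356000. The window arithmetic is derived from the log's numbers rather than taken from fouldecrypt's source, and the constructed header, the sample paths and the function names (find_encryption_info, mapping_window, assess, preflight) are assumptions for illustration.

```python
"""Added example (not fouldecrypt's own code): a read-only preflight for the
steps in this thread. It parses the Mach-O LC_ENCRYPTION_INFO(_64) command to
see whether a binary is still encrypted, applies the "installed bundle" and
"execute bit" conditions dlevi309 describes, and reproduces the 16k-page
mapping window that fouldecrypt's log prints for an unaligned crypt region."""
import os
import stat
import struct

MH_MAGIC = 0xFEEDFACE          # 32-bit Mach-O, little-endian
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit Mach-O, little-endian
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_TYPE_ARM64 = 0x0100000C    # the cpuType value shown in the log above
PAGE_16K = 0x4000
INSTALLED_BUNDLE_DIR = "/var/containers/Bundle/Application"


def find_encryption_info(data: bytes):
    """Walk the load commands and return the encryption command's fields, or None."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        off = 32                       # sizeof(mach_header_64)
    elif magic == MH_MAGIC:
        off = 28                       # sizeof(mach_header)
    else:
        raise ValueError("not a thin little-endian Mach-O (fat files need a slice first)")
    (ncmds,) = struct.unpack_from("<I", data, 16)   # ncmds sits at offset 16 in both headers
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # cmd, cmdsize, then cryptoff, cryptsize, cryptid (the _64 form adds a pad word)
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            return {"cryptoff": cryptoff, "cryptsize": cryptsize,
                    "cryptid": cryptid, "cmd_offset": off}
        off += cmdsize
    return None


def mapping_window(cryptoff: int, cryptsize: int, page: int = PAGE_16K):
    """Return (map_start, map_len, in_page_start, in_page_end) for a page-aligned
    file window covering the crypt region. Reconstructed from the log above
    (off 0x356000 size 0x1000 -> file off 0x354000-0x357000, curPage len 0x3000,
    inPageStart 0x2000, inPageEnd 0x3000); an assumption, not fouldecrypt's code."""
    map_start = cryptoff & ~(page - 1)         # round the start down to a 16k page
    in_page_start = cryptoff - map_start        # where the crypt data begins inside the window
    in_page_end = in_page_start + cryptsize     # the window ends where the crypt data ends
    map_len = in_page_end
    return map_start, map_len, in_page_start, in_page_end


def assess(path: str, mode: int, data: bytes) -> list:
    """Pure check behind preflight(): returns the blockers found (empty list = looks ready)."""
    findings = []
    norm = os.path.normpath(path)
    if norm.startswith("/private/"):            # the log shows the /private/var form of the same path
        norm = norm[len("/private"):]
    if not norm.startswith(INSTALLED_BUNDLE_DIR + "/"):
        findings.append("not under /var/containers/Bundle/Application (installed bundle required)")
    if not mode & stat.S_IXUSR:
        findings.append("owner execute bit missing (chmod +x)")
    info = find_encryption_info(data)
    if info is None:
        findings.append("no LC_ENCRYPTION_INFO command (nothing to decrypt)")
    elif info["cryptid"] == 0:
        findings.append("cryptid 0 (already decrypted)")
    return findings


def preflight(path: str) -> dict:
    """Run assess() against a real file and report the window a decryptor would map."""
    with open(path, "rb") as f:
        data = f.read()
    mode = os.stat(path).st_mode
    info = find_encryption_info(data)
    report = {"path": path, "blockers": assess(path, mode, data), "encryption_info": info}
    if info and info["cryptid"]:
        report["window"] = mapping_window(info["cryptoff"], info["cryptsize"])
        report["aligned_16k"] = info["cryptoff"] % PAGE_16K == 0
    return report


def build_sample_macho(cryptoff=0x356000, cryptsize=0x1000, cryptid=1) -> bytes:
    """Constructed minimal arm64 header with a single LC_ENCRYPTION_INFO_64; not a real app."""
    cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, cryptoff, cryptsize, cryptid, 0)
    # magic, cputype, cpusubtype, filetype (MH_EXECUTE), ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 1, len(cmd), 0, 0)
    return header + cmd


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(preflight(sys.argv[1]))
    else:
        # Offline demo on the constructed header, using the path shape from 0x5e's session.
        sample = build_sample_macho()
        print(find_encryption_info(sample), mapping_window(0x356000, 0x1000))
        print(assess("./tmp/Payload/xxx.app/Frameworks/yyy.framework/yyy", 0o644, sample))
```

On a device, `python3 preflight.py /var/containers/Bundle/Application/<id>/Some.app/Frameworks/X.framework/X` reports the blockers before any decryption attempt; with no argument it runs against the constructed header, where the ./tmp path and a 0644 mode reproduce exactly the two conditions dlevi309 points out. The script only reads the file, so it reports cryptid 1 as "still encrypted" rather than changing anything.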

0x5e commented Sep 14, 2022

@dlevi309 I just unzipped the ipa to somewhere else, but I kept the app bundle structure. Did you mean the app has to be installed to /var/containers/Bundle/Application/xxxxxxxxxxx by some tool before decrypting the dynamic frameworks?
And I missed the step 3 log before: after Exec format error, I still got mremap_encrypted: Operation not permitted. So maybe the binary I tested didn't work for this solution?

Ender890 commented Mar 9, 2024

@dlevi309 omg i love you ty, and ty nyamisty
