
apps are still encrypted! #11

Open
ayouch opened this issue Sep 21, 2021 · 12 comments

@ayouch

ayouch commented Sep 21, 2021

I was able to successfully use appdecrypt on my M1 Mac, but the output binaries are still encrypted anyway!
I used otool to check and cryptid is still 1.

@paradiseduo
Owner

What app?

@ayouch
Author

ayouch commented Sep 22, 2021

Basically every app I tried. Here's an example:
Screen Shot 2021-09-22 at 03 08 58
Screen Shot 2021-09-22 at 03 10 07

@paradiseduo
Owner

Was the app downloaded from the Mac App Store?

@ayouch
Author

ayouch commented Sep 22, 2021

yes

@paradiseduo
Owner

I added a log of the failure reason, and now I am trying to find out why mmap fails.

```
Dump /Applications/PinTok.app/Wrapper/PinTok.app/PinTok fail, because of mmap fail
```

@ayouch
Author

ayouch commented Sep 22, 2021

It's not just this app in particular; basically all the apps I tried stay encrypted even after successfully running appdecrypt!

@paradiseduo
Owner

I dumped Kugou and DUApp successfully, but dumping other apps fails.

@iVoider

iVoider commented Sep 23, 2021

Post 11.2.3, you can decrypt only those apps that have been allowed by the developer (the "support Mac" tick in the Developer Portal). Maybe it is possible to use DYLD_INTERPOSE with mmap to allow decrypting of unsigned binaries? Or some sort of .sinf file generation like in Clutch?

@ayouch
Author

ayouch commented Sep 23, 2021

@iVoider I'm trying to decrypt signed apps that I downloaded from the Mac App Store and it doesn't work anyway!

@paradiseduo
Owner

paradiseduo commented Oct 12, 2021

I know why some apps don't work.

```
> otool -l PinTok
.......
Load command 10
      cmd LC_BUILD_VERSION
  cmdsize 32
 platform 2   # Platform 2 is iOS
    minos 13.0
      sdk 14.5
   ntools 1
     tool 3
  version 650.9
.......
```

As you can see, this app's platform is 2, and platform 2 is iOS, so decrypting it on a Mac will fail.

This error corresponds to EXEC_EXIT_REASON_WRONG_PLATFORM in the kernel, and that constant is only referenced in a single function: check_for_signature:

```c
static int
check_for_signature(proc_t p, struct image_params *imgp)
{
    …;
#if XNU_TARGET_OS_OSX
        /* Check for platform passed in spawn attr if iOS binary is being spawned */
        if (proc_platform(p) == PLATFORM_IOS) {
                struct _posix_spawnattr *psa = imgp->ip_px_sa;
                if (psa == NULL || psa->psa_platform == 0) {
                    …;
                            signature_failure_reason = os_reason_create(OS_REASON_EXEC,
                                        EXEC_EXIT_REASON_WRONG_PLATFORM);
                            error = EACCES;
                            goto done;
                } else if (psa->psa_platform != PLATFORM_IOS) {
                        /* Simulator binary spawned with wrong platform */
                        signature_failure_reason = os_reason_create(OS_REASON_EXEC,
                            EXEC_EXIT_REASON_WRONG_PLATFORM);
                        error = EACCES;
                        goto done;
                } else {
                        printf("Allowing spawn of iOS binary %s since "
                            "correct platform was passed in spawn\n", p->p_name);
                }
        }
#endif /* XNU_TARGET_OS_OSX */
}
```

This code is active on macOS and will execute if the platform of the to-be-executed process is PLATFORM_IOS.

@hazcod

hazcod commented Aug 25, 2022

Is there anything we can do about this?

@HenryQuan
Contributor

HenryQuan commented Oct 14, 2023

Sorry for bringing this up after 2 years. If I get cryptid 0 instead of 1, does it mean the executable was cracked successfully? I am trying to fix the issue with mmap.

Please also see #25.

Repository owner deleted a comment from DavideStagni Mar 19, 2024