https://github.com/leptos-null/inject_decrypt
Decrypt Mach-O executables using injection
- Host: GitHub
- URL: https://github.com/leptos-null/inject_decrypt
- Owner: leptos-null
- License: cc-by-4.0
- Created: 2019-05-22T23:28:52.000Z (about 6 years ago)
- Default Branch: master
- Last Pushed: 2019-05-23T20:18:55.000Z (about 6 years ago)
- Last Synced: 2025-03-23T21:35:49.065Z (3 months ago)
- Topics: decrypt, ios, mach-o
- Language: C
- Size: 23.4 KB
- Stars: 20
- Watchers: 1
- Forks: 2
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE.md
README
## inject_decrypt
Decrypt Mach-O executables using injection.
iOS (and watchOS, and probably tvOS) binaries acquired through the App Store have an encrypted section. When a binary is loaded into memory and is ready for execution, the section that is encrypted on disk is decrypted in memory. This dynamic library can be injected into a process to dump the image, with its decrypted section, to a new file on disk. The resulting file has an invalid code signature.
The App Store typically only serves "thinned" binaries; however, I've added support for "fat" (multiple architectures in one file) images just in case. Where an image on disk is fat, the entire file is copied, but only the slice loaded in memory is decrypted. A binary must be decrypted before meaningful static analysis can be performed on it.
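The encryption state described above is recorded in the image's own load commands: App Store binaries carry an `LC_ENCRYPTION_INFO` (32-bit) or `LC_ENCRYPTION_INFO_64` command whose `cryptid` field is non-zero while the `cryptoff`/`cryptsize` range on disk is still encrypted. The following added example (not code from the inject_decrypt project) is a small, bounds-checked C checker that walks a thin Mach-O's load commands and reports that state, which is the check an analyst wants before attempting static analysis of a dump, or to confirm that a file on disk is still encrypted. The struct layouts and constants are taken from Apple's `<mach-o/loader.h>` and redefined so the code compiles off macOS; the sample image produced by `build_sample_image` is constructed inline and is not a real binary. Whether a given dumper clears `cryptid` in the file it writes varies by tool, so the checker reports the field exactly as found.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constants from Apple's <mach-o/loader.h>, redefined so this compiles off macOS. */
#define MH_MAGIC              0xfeedfaceu   /* 32-bit thin image, little-endian */
#define MH_MAGIC_64           0xfeedfacfu   /* 64-bit thin image, little-endian */
#define LC_ENCRYPTION_INFO    0x21u         /* encryption_info_command (32-bit) */
#define LC_ENCRYPTION_INFO_64 0x2Cu         /* encryption_info_command_64 */
#define LC_UUID               0x1bu

enum crypt_state {
    CRYPT_MALFORMED = -1,  /* header or load commands do not fit the buffer */
    CRYPT_ABSENT    =  0,  /* no LC_ENCRYPTION_INFO command at all (e.g. a dylib) */
    CRYPT_ENCRYPTED =  1,  /* command present and cryptid != 0: bytes on disk are encrypted */
    CRYPT_DECRYPTED =  2,  /* command present and cryptid == 0 */
    CRYPT_FAT       =  3   /* fat/universal file: select a slice before checking */
};

static uint32_t rd32(const uint8_t *p) {  /* little-endian read, alignment-safe */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint8_t *wr32(uint8_t *p, uint32_t v) {  /* little-endian write */
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
    return p + 4;
}

/* Walk the load commands of a thin Mach-O image held in buf[0..len).
   On CRYPT_ENCRYPTED / CRYPT_DECRYPTED, cryptoff and cryptsize (if non-NULL) receive
   the file offset and length of the encrypted range recorded in the command. */
int mach_o_crypt_state(const uint8_t *buf, size_t len, uint32_t *cryptoff, uint32_t *cryptsize) {
    if (len < 4) return CRYPT_MALFORMED;
    /* FAT_MAGIC (0xcafebabe) is stored big-endian at the start of a universal file. */
    if (buf[0] == 0xca && buf[1] == 0xfe && buf[2] == 0xba && buf[3] == 0xbe) return CRYPT_FAT;
    uint32_t magic = rd32(buf);
    size_t hdrsize = (magic == MH_MAGIC_64) ? 32 : (magic == MH_MAGIC) ? 28 : 0;
    if (hdrsize == 0 || len < hdrsize) return CRYPT_MALFORMED;
    uint32_t ncmds = rd32(buf + 16), sizeofcmds = rd32(buf + 20);  /* same offsets in both headers */
    if (sizeofcmds > len - hdrsize) return CRYPT_MALFORMED;
    size_t off = hdrsize, end = hdrsize + sizeofcmds;
    for (uint32_t i = 0; i < ncmds; i++) {
        if (end - off < 8) return CRYPT_MALFORMED;
        uint32_t cmd = rd32(buf + off), cmdsize = rd32(buf + off + 4);
        if (cmdsize < 8 || cmdsize > end - off) return CRYPT_MALFORMED;  /* rejects runaway cmdsize */
        if (cmd == LC_ENCRYPTION_INFO || cmd == LC_ENCRYPTION_INFO_64) {
            if (cmdsize < 20) return CRYPT_MALFORMED;  /* cmd, cmdsize, cryptoff, cryptsize, cryptid */
            if (cryptoff)  *cryptoff  = rd32(buf + off + 8);
            if (cryptsize) *cryptsize = rd32(buf + off + 12);
            return rd32(buf + off + 16) ? CRYPT_ENCRYPTED : CRYPT_DECRYPTED;
        }
        off += cmdsize;
    }
    return CRYPT_ABSENT;
}

/* Constructed sample (not a real App Store binary): a 64-bit arm64 MH_EXECUTE header
   carrying an LC_UUID and an LC_ENCRYPTION_INFO_64 with the given cryptid.
   Returns the number of bytes written (80); out must hold at least that many. */
size_t build_sample_image(uint8_t *out, uint32_t cryptid) {
    uint8_t *p = out;
    uint32_t hdr[8] = { MH_MAGIC_64, 0x0100000cu /* CPU_TYPE_ARM64 */, 0, 2 /* MH_EXECUTE */,
                        2 /* ncmds */, 24 + 24 /* sizeofcmds */, 0 /* flags */, 0 /* reserved */ };
    for (int i = 0; i < 8; i++) p = wr32(p, hdr[i]);
    p = wr32(p, LC_UUID); p = wr32(p, 24); memset(p, 0xab, 16); p += 16;   /* dummy UUID */
    uint32_t enc[6] = { LC_ENCRYPTION_INFO_64, 24, 0x4000 /* cryptoff */,
                        0x20000 /* cryptsize */, cryptid, 0 /* pad */ };
    for (int i = 0; i < 6; i++) p = wr32(p, enc[i]);
    return (size_t)(p - out);
}

/* Convenience: state of the constructed sample for a given cryptid. */
int sample_state(uint32_t cryptid) {
    uint8_t img[128];
    size_t n = build_sample_image(img, cryptid);
    return mach_o_crypt_state(img, n, NULL, NULL);
}

int main(void) {
    uint8_t img[128];
    uint32_t off = 0, size = 0;
    size_t n = build_sample_image(img, 1);
    int st = mach_o_crypt_state(img, n, &off, &size);
    printf("state=%d cryptoff=0x%x cryptsize=0x%x\n", st, off, size);  /* state=1 cryptoff=0x4000 cryptsize=0x20000 */
    return 0;
}
```

To check a real file, read it into a buffer and call `mach_o_crypt_state` on it; if the result is `CRYPT_FAT`, parse the big-endian `fat_arch` table and call the checker on the slice's `offset`/`size` sub-range, which mirrors the README's note that only the slice loaded in memory is decrypted. The explicit `cmdsize` bounds checks matter because load-command walkers are commonly fed untrusted files.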
### Usage
```
DYLD_INSERT_LIBRARIES=inject_decrypt.dylib [-avvv]
-a all images (out_path should be a non-existent directory)
-v verbose mode, multiple increases verbosity
```
### Compile
Using Xcode: `xcodebuild` should create `build/Release-iphoneos/libinject_decrypt.a`, an unsigned dynamic library. Sign with `ldid -S` or similar if needed.
Using Theos: `make DEBUG=0` should create `.theos/obj/inject_decrypt.dylib`, a pseudo-signed dynamic library.
Independent, macOS: `$(xcrun --sdk iphoneos --find clang) -isysroot $(xcrun --sdk iphoneos --show-sdk-path) -arch armv7 -arch arm64 -Os -dynamiclib inject_decrypt/inject_decrypt.c -o inject_decrypt.dylib` should create `inject_decrypt.dylib`, an unsigned dynamic library. Sign with `ldid -S` or similar if needed.
Independent, other (substitute the path to your iOS SDK, and your C compiler, if needed): `$CC -isysroot IOS_SDK_PATH -arch armv7 -arch arm64 -Os -dynamiclib inject_decrypt/inject_decrypt.c -o inject_decrypt.dylib` should create `inject_decrypt.dylib`, an unsigned dynamic library. Sign with `ldid -S` or similar if needed.
### Known Similar Tools
- [dumpdecrypted](https://github.com/stefanesser/dumpdecrypted) uses injection, and only dumps the main image
- [decrypt](https://bitbucket.org/lordscotland/objctools/src/master/decrypt.c) uses injection, and dumps all loaded images
- [Clutch](https://github.com/KJCracks/Clutch) uses spawning, and supports dumping all images