Mach-O remove signature block:
Removing LC_CODE_SIGNATURE
Make sure the binary has been thinned (ditto --arch i386) before proceeding; the offsets below assume a single-architecture Mach-O header, not a fat binary.
To remove a code signature you need to do the following steps:
- Decrement the number of load commands (ncmds, a 4-byte field at offset 0x10) by one.
==> Running otool -l on the binary will then list one fewer load command.
- Subtract 0x10 (the cmdsize of LC_CODE_SIGNATURE) from the size of the load commands (sizeofcmds, a 4-byte field at offset 0x14, i.e. 20 decimal).
- Overwrite the 16 bytes of the LC_CODE_SIGNATURE load command entry with 16 x 0x00. The entry starts with:
Intel (little-endian): 0x1D00000010000000
PPC (big-endian): 0x0000001D00000010
- Remove the actual code signature blob.
It starts with the magic 0xFADE0CC0.
Overwrite the entire code signature blob with 0x00 bytes.
Use otool -l <executable> to list the load commands,
e.g.:
otool -l <app> | grep ENCR -A 4
cmd LC_ENCRYPTION_INFO
cmdsize 20
cryptoff 8192 (0x2000)
cryptsize 10715136 (size)
cryptid 1
Search for the LC_ENCRYPTION_INFO load command as above.
If cryptid = 1, the executable is most likely encrypted.
0x1000 --> header size
In gdb: dump memory out.bin (cryptoff+0x1000) (cryptoff+0x1000+cryptsize)
Paste the dumped bytes into the file using HxD at offset (cryptoff+0x1000).
Change the cryptid field of LC_ENCRYPTION_INFO to 0 using HxD.
class-dump <executable> is useful once the encrypted executable is decrypted.
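As an added example (not part of these notes), the following Python script walks exactly the header fields referenced in the two procedures above (ncmds at 0x10, sizeofcmds at 0x14, the LC_CODE_SIGNATURE and LC_ENCRYPTION_INFO entries) and reports whether a thin Mach-O still carries a signature blob with the 0xFADE0CC0 magic, whether cryptid is set, and whether ncmds/sizeofcmds still agree with the load commands actually present, which is how a hand-edited or stripped header shows up during triage. The constants are the standard mach-o/loader.h values; the sample binary is constructed inline.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # little-endian files (Intel/ARM)
MH_CIGAM, MH_CIGAM_64 = 0xCEFAEDFE, 0xCFFAEDFE   # big-endian files (PPC) read as '<I'
LC_CODE_SIGNATURE, LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x1D, 0x21, 0x2C
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0          # SuperBlob magic, always big-endian

def parse_macho(data):
    """Walk the load commands of a thin Mach-O and report signature/encryption state."""
    magic = struct.unpack('<I', data[:4])[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        end = '<'
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        end = '>'
    else:
        raise ValueError('not a thin Mach-O: thin fat binaries first (ditto --arch / lipo)')
    hdr_size = 32 if magic in (MH_MAGIC_64, MH_CIGAM_64) else 28   # 64-bit header has a reserved field
    ncmds, sizeofcmds = struct.unpack(end + 'II', data[0x10:0x18])  # same offsets in both headers
    info = {'ncmds': ncmds, 'sizeofcmds': sizeofcmds, 'code_signature': None, 'encryption': None}
    off = hdr_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack(end + 'II', data[off:off + 8])
        if cmd == LC_CODE_SIGNATURE:
            dataoff, datasize = struct.unpack(end + 'II', data[off + 8:off + 16])
            blob = data[dataoff:dataoff + 4]   # zeroed or truncated blob -> magic check fails
            info['code_signature'] = {
                'lc_offset': off, 'dataoff': dataoff, 'datasize': datasize,
                'blob_magic_ok': len(blob) == 4 and struct.unpack('>I', blob)[0] == CSMAGIC_EMBEDDED_SIGNATURE}
        elif cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack(end + 'III', data[off + 8:off + 20])
            info['encryption'] = {'cryptoff': cryptoff, 'cryptsize': cryptsize,
                                  'cryptid': cryptid, 'encrypted': cryptid != 0}
        off += cmdsize
    # ncmds/sizeofcmds disagreeing with the commands walked means the header was edited or is corrupt
    info['header_consistent'] = (off - hdr_size == sizeofcmds)
    return info

def build_sample():
    """Constructed 32-bit Intel Mach-O: LC_ENCRYPTION_INFO (cryptid=1) plus LC_CODE_SIGNATURE."""
    sig_blob = struct.pack('>II', CSMAGIC_EMBEDDED_SIGNATURE, 12) + b'\x00' * 4  # 12-byte stub SuperBlob
    lcs = struct.pack('<IIIII', LC_ENCRYPTION_INFO, 20, 0x2000, 10715136, 1)
    lcs += struct.pack('<IIII', LC_CODE_SIGNATURE, 16, 28 + len(lcs) + 16, len(sig_blob))
    hdr = struct.pack('<IIIIIII', MH_MAGIC, 7, 3, 2, 2, len(lcs), 0)  # cputype x86, MH_EXECUTE
    return hdr + lcs + sig_blob

if __name__ == '__main__':
    print(parse_macho(build_sample()))
```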
ldid and ldone help with signing code.
You may want to restart the iPhone/iPad if you get a Killed: 9 error or EXC_BAD_ACCESS in gdb when replacing the executable. Try ldone before rebooting.