Decrypting AppStore Apps with rasticrac

This is a video from my coming iOS hacking online course. For more info check it out on Kickstarter: http://bit.ly/ios_hacker Edited by: https://www.facebook.com/Studio-Liliom-1124107740957923/?fref=ts Website: http://aetherlab.net Blog: https://medium.com/@gergely.revay/ Trainings: Web Hacking: Become a Web Pentester - https://hackademy.aetherlab.net/p/web-hacking Learn Burp Suite, the Nr. 1 Web Hacking Tool - https://hackademy.aetherlab.net/p/burp-suite Reverse Engineering with Radare2 - https://hackademy.aetherlab.net/p/radare2 Transcript: Hi In this lecture we ar gonna look at an easier way to decrypt encrypted iOS apps. There are various tools which can decrypt iOS binaries, but I am going to use the rasticrac. It is a pretty handy command line tool what you can install from the cydia appstore. [change to dev] So go cydia on the device, and search for rasticrac. When you found it install it. After the tool is installed ssh onto the device. There should be an rc.sh available, so start it: # rc.sh It lists all possible opetions and at the end the apps you can decrypt. I will test it with the 9GAG. So try: # rc.sh -v 9GAG Check that it is encrypted # otool -arch armv7 -l 9GAG |grep crypt This will tell us a bunch of information about what is happening in the background. At the end it tells us that there is a new .ipa file under … Change to that directory. Make a new folder and copy the ipa in that folder. Go into the folder Rename the ipa to zip Unzip the ipa In the payload folder there is the app folder and in that the new binary. Check the binary with # lipo -info 9GAG We can also check that the app is not encrypted anymore: # otool -l 9GAG |grep crypt cryptoff 16384 cryptsize 15450112 cryptid 0 The cryptid 0 tells us that the binary is not encrypted. Now copy the binary to the folder of the original app: # cp 9GAG /private/var/mobile/Containers/Bundle/Application/D2350720-7754-47F2-9CE5-E13D41F65E8F/9GAG.app/9GAG And start the app on the device. It starts successfully.