dumpdecrypted

dumpdecrypted

---

Dumps decrypted mach-o files from encrypted iPhone applications from memory to disk. This tool is necessary for security researchers to be able to look under the hood of encryption.

Tool name	dumpdecrypted
Author	stefanesser
Website	https://github.com/stefanesser/dumpdecrypted
License type
Download	dumpdecrypted.zip

Dumps decrypted iPhone Applications to a file - better solution than those GDB scripts for non working GDB versions

(C) Copyright 2011-2014 Stefan Esser

Compile:

First adjust the Makefile if you have a different iOS SDK installed.

And then just: make

Usage:

iPod:~ root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/Scan.app/Scan

mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] Found encrypted data at address 00002000 of length 1826816 bytes - type 1.

[+] Opening /private/var/mobile/Applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/Scan.app/Scan for reading.

[+] Reading header

[+] Detecting header type

[+] Executable is a FAT image - searching for right architecture

[+] Correct arch is at offset 2408224 in the file

[+] Opening Scan.decrypted for writing.

[-] Failed opening. Most probably a sandbox issue. Trying something different.

[+] Opening /private/var/mobile/Applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/tmp/Scan.decrypted for writing.

[+] Copying the not encrypted start of the file

[+] Dumping the decrypted data into the file

[+] Copying the not encrypted remainder of the file

[+] Closing original file

[+] Closing dump file