- Locate the executable to be decrypted with “ps” command
On iOS 8, all StoreApps are under /var/mobile/Containers/, and TargetApp.app’s
executable is under /var/mobile/Containers/Bundle/Application/XXXXXXXX-XXXX-XXXX-
XXXX-XXXXXXXXXXXX/TargetApp.app/. Since X is unknown, it’d be a great amount of work
to locate the executable manually. But a simple trick will save our days: First close all StoreApps
on iOS, then launch TargetApp and ssh into iOS to print all processes:
snakeninnysiMac:~ snakeninny$ ssh root@iOSIP
FunMaker-5:~ root# ps - e
PID TTY TIME CMD
1 ?? 3:28.32 /sbin/launchd
......
5717 ?? 0:00.21
/System/Library/PrivateFrameworks/MediaServices.framework/Support/mediaartworkd
5905 ?? 0:00.20 sshd: root@ttys000
5909 ?? 0:01.86 /var/mobile/Containers/Bundle/Application/03B61840- 2349 - 4559 -
B28E-0E2C6541F879/TargetApp.app/TargetApp
5911 ?? 0:00.07 /System/Library/Frameworks/UIKit.framework/Support/pasteboardd
5907 ttys000 0:00.03 - sh
5913 ttys000 0:00.01 ps – e
Because now there is only one running StoreApp, the only path that contains
“/var/mobile/Containers/Bundle/Application/” is the full path of TargetApp’s executable.
- Find out TargetApp’s Documents directory via Cycript
All StoreApps’ Documents directories are under
/var/mobile/Containers/Data/Application/ YYYYYYYY-YYYY-YYYY-YYYY–
YYYYYYYYYYYY/. Note that these Ys are different from those previous Xs, and they are not
obtainable via “ps”. So this time we need to mak use of Cycript to reveal the Documents
directory of TargetApp. The commands we use are as follows:
FunMaker-5:~ root# cycript - p TargetApp
cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory
inDomains:NSUserDomainMask][0]
#”file:///var/mobile/Containers/Data/Application/D41C4343-63AA-4BFF-904B-
2146128611EE/Documents/”
- Copy dumpdecrypted.dylib to TargetApp’s Documents directory:
snakeninnysiMac:~ snakeninny$ scp
/Users/snakeninny/Code/dumpdecrypted/dumpdecrypted.dylib
root@iOSIP:/var/mobile/Containers/Data/Application/D41C4343-63AA-4BFF-904B-
2146128611EE/Documents/
dumpdecrypted.dylib
100% 193KB 192.9KB/s 00:00
Here we’re using scp instead of iFunBox, anyway tools don’t matter.