gaurav’s rants

DRM = FAIL

by gaurav on Jul.28, 2008, under iPhone

it’s a sad day for Apple Inc.
they thought they were on top of things when they decided to take a 30% cut from the developers’ earnings from the iPhone App Store..
they really thought DRM would make the applications copy proof.. i mean.. c’mon.. you know better than that Apple…

it’s the basic nature of all software to be crackable.. i’m yet to see an application that’s got no crack to go along with it on the torrent sites…

now that the simple crack to patch the DRM is out.. we should expect to see a great deal of cracked apps to start floating around..

Apple can kiss goodbye to their app store revenue… [well most of it at least..]

Here’s what you’ll need to break the law [at least in the US]-
1. GNU Debugger for iphone
2. otool for iphone
3. A legal, legitimate app
4. SSH

otool and gdb are available through cydia. gdb is GNU Debugger and otool is located in the toolchain. After downloading, check that permissions are set to 755 and reboot your iphone/ipod.

1. First off you will want to run otool on your app.

Code:
otool -l path/to/myapp.app/xyz

This will give you a lot of info. The part we are interested in is the LC_ENCRYPTION_INFO load command. It will look like this-

Load command 9
cmd LC_ENCRYPTION_INFO
cmdsize 20
cryptoff 4096
cryptsize 798720
cryptid 1
Load command 10

cryptid tells whether the executable is encrypted: 1 = encrypted, 0 = unencrypted.

cryptsize is the size of the encrypted bytes. Notice the first 4096 bytes (cryptoff) aren't encrypted; that's the mach-o header.
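The same three fields are what an app's own anti-tamper check, or a reviewer's triage script, reads to tell a store-delivered binary (cryptid 1) from one whose encrypted region has been replaced with a plaintext dump (cryptid 0). The parser below is an added example, not code from the post or from the credited authors; the Mach-O sample it parses is constructed inline with the cryptoff/cryptsize values shown above.

```python
import struct
from typing import Optional

MH_MAGIC = 0xFEEDFACE           # 32-bit little-endian Mach-O (armv6 iPhone binaries)
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit variant, 4 bytes of reserved padding in the header
LC_ENCRYPTION_INFO = 0x21       # encryption_info_command: cmd, cmdsize, cryptoff, cryptsize, cryptid
LC_ENCRYPTION_INFO_64 = 0x2C    # same layout plus a trailing pad field (cmdsize 24)

def parse_encryption_info(data: bytes) -> Optional[dict]:
    """Walk the load commands of a thin Mach-O image and return the
    cryptoff/cryptsize/cryptid triple, or None if there is no
    LC_ENCRYPTION_INFO command at all (e.g. a binary never shipped
    through the store)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC:
        header_size = 28
    elif magic == MH_MAGIC_64:
        header_size = 32
    else:
        raise ValueError("not a little-endian Mach-O image: %#x" % magic)
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)   # ncmds at +16, sizeofcmds at +20
    offset, end = header_size, header_size + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmdsize < 8 or offset + cmdsize > end:         # refuse to walk a truncated/forged table
            raise ValueError("malformed load command at %#x" % offset)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, offset + 8)
            return {"cryptoff": cryptoff, "cryptsize": cryptsize, "cryptid": cryptid}
        offset += cmdsize
    return None

def classify(data: bytes) -> str:
    """Label an image the way a tamper check would: encrypted, decrypted,
    or carrying no encryption command."""
    info = parse_encryption_info(data)
    if info is None:
        return "no-encryption-command"
    return "encrypted" if info["cryptid"] == 1 else "decrypted"

def build_sample(cryptid: int) -> bytes:
    """Constructed sample: a minimal 32-bit Mach-O header followed by one
    LC_ENCRYPTION_INFO command with the cryptoff/cryptsize seen above."""
    # magic, cputype 12 (ARM), cpusubtype 6 (armv6), filetype 2 (execute), ncmds 1, sizeofcmds 20, flags 0
    header = struct.pack("<7I", MH_MAGIC, 12, 6, 2, 1, 20, 0)
    cmd = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 4096, 798720, cryptid)
    return header + cmd
```

The check only reads the header, so it is cheap enough to run at app launch; it is also trivially patched out, which is why it is a signal rather than a guarantee.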

2. Now we will use gdb to grab a memory dump of the decrypted application from the iphone's flash memory.

launch the app from your ipod touch.

then use this command-

Code:
ps ax

this shows us the currently running processes on our iphone.

Now we want to attach gdb to a process. PID is the first number on the left.

Code:
gdb -p <pid>

this will take a while…..

Now to grab the dump. Use this command in gdb to dump the memory. we want bytes from 0x2000 until the end of the encrypted data (which you can calculate by converting cryptsize to hex and adding it to the starting address)

Code:
dump memory dump.bin 0x2000 0x20000

then we are done. So quit gdb.

3. Now we must use a hex editor to put it together.

Replace the data from 0x1000 onward in the original exec with the bytes you dumped. Now we must change the cryptid; it is usually around offset 0x800. Now save it as a new file. SSH back into the ipod. Navigate to the directory and replace the old exec with the new one. Now use this command to sign it

Code:
ldid -S myapp

CREDIT LSEMTEX, F3AR, CDECL, Some unknown guy, call him TNT

Also have a look at this

http://www.246tnt.com/iPhone/#gdb

5 comments for this entry:
  1. unic0rn

    What I’m curious about is why you need to dump 0x2000+ and then overwrite the original from 0x1000+
    Why? O_o

  2. +heres

    Am using gdb thru WinSCP, but gdb -p
    crashes the remote terminal. What can I do? Thank You

  3. +heres

    fw 3.0.1 on Iphone 3gs

  4. +heres

    solved with PuTTy… thx

  5. lol

    Rotfl, you type like a 5 year old illiterate fuck.
