gaurav's rants » drm http://blog.gauravgiri.com mostly iPhone stuff Sun, 13 Mar 2011 19:16:24 +0000 en hourly 1 http://wordpress.org/?v=3.1 DRM = FAIL http://blog.gauravgiri.com/2008/07/drm-fail/ http://blog.gauravgiri.com/2008/07/drm-fail/#comments Mon, 28 Jul 2008 15:12:02 +0000 gaurav http://blog.gauravgiri.com/?p=33 it’s a sad day for Apple Inc.
they thought they were on top of things when they decided to take a 30% cut from the developers’ earnings from the iPhone App Store..
they really thought DRM would make the applications copy proof.. i mean.. c’mon.. you know better than that Apple…

it’s the basic nature of all software to be crackable.. i’m yet to see an application that’s got no crack to go along with it on the torrent sites…

now that the simple crack to patch the DRM is out.. we should expect to see a great deal of cracked apps to start floating around..

Apple can kiss goodbye to their app store revenue… [well most of it atleast..]

Here’s what you’ll need to break the law [atleast in the US]-
1.GNU Debugger for iphone
2. otool for iphone
3. Legal legitamite app
4. SSH

otool and gdb are availalbe through cydia. gdb is GNU Debugger and otool is located in the toolchain. After downloading, check permissions are set to 755 and reboot you iphone/ipod.

1. First off you will want to run an otool on you app.

Code:
otool -l path/to/myapp.app/xyz

This will give you alot on info. The part we are interested in is the LC_ENCRYPTION_INFO. It will look like this-

Load command 9
cmd LC_ENCRYPTION_INFO
cmdsize 20
cryptoff 4096
cryptsize 798720
cryptid 1
Load command 10

cryptid means that it is encrypted. 1= encrypted 0= unencrypted

cryptsize is the szie of the encrypted bytes. Notice the first 4096 arnt encrypted (mach-o header).

2. Now we will use gdb to grab a memory dump of the decrypted application from the iphones flash memory.

launch the app from you ipod touch.

the use this command-

Code:
ps ax

this shows us the current running processes on our iphone.

Now we want to attach gdb to an process. PID is the first number on the left.

Code:
gdb -p <pid>

this will take a while…..

Now to grab the dump. Use this command in gdb to dump the memory. we want bytes from 0×2000 until the end of the encrypted data (which you can calculate by turning cryptsize onto hex and adding the starting address)

Code:
dump memory dump.bin 0×2000 0×20000

the we are done. So quit gdb.

3. Now we must use hex to add it together.

Replace data from 0×1000 on the original exec with the info you dumped. Now we must change crypt id. it is usually around line 0×800. Now save it as a new file. SSH back into ipod. Navigate to the directory and replace with the old exec with the new one. Now use this command to sign it

Code:
ldid -S myapp

CREDIT LSEMTEX,F3AR,CDECL,Some unkown guy, call him TNT

Also have a look at this

http://www.246tnt.com/iPhone/#gdb


]]> http://blog.gauravgiri.com/2008/07/drm-fail/feed/ 6