Hacking Applications from the App Store [Instruction]

Complete instructions on how to hack applications from the App Store yourself. Read on for the instructions. Anyone too lazy to do it themselves can download ready-made hacked applications here!

1) Preparation.
You will need:
- an iPhone / iPod Touch with firmware 2.0, jailbroken, with Cydia installed;
- launch Cydia and install every update it asks for;
- additionally (also from Cydia) install:
a) OpenSSH;
b) GNU Debugger for iPhone;
c) iPhone 2.0 Toolchain;
- on the computer (I use a PC running Windows XP SP3) you need some kind of terminal.
I use PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)
The terminal must be configured so that you can log in to the device (user root, password alpine);
- and, of course, the application to be hacked itself. It must be purchased from the
App Store and must work correctly at the time of cracking.
All preparations are done. Let's get started:

2) Gathering information.
In the terminal (everything is typed on the PC, in the terminal session to the device) type:
otool -l {path to your program}
for example:
otool -l /var/mobile/Applications/F02B7479-78DH-4AA2-B33F-D27E098CB478/Test.app/Test
I will not write out the path here; you must determine it and remember it yourself.
A LOT of information will be printed; in it we look for lines approximately like these:
Load command 9
cmd LC_ENCRYPTION_INFO
cmdsize 20
cryptoff 4096
cryptsize 798720
cryptid 1
That is, load command 9 is LC_ENCRYPTION_INFO.
Write down the following values:
cryptoff - the offset (decimal) from the beginning of the file at which the encrypted data begins;
cryptsize - the length of the encrypted data;
cryptid 1 - indicates that the file contains encrypted data (if it is 0,
all further steps, up to the signing itself, can be skipped);
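The LC_ENCRYPTION_INFO fields described above can be read without otool. The following Python script is an added example and is not from the original article: it parses the Mach-O header and load commands of a thin or fat binary, returns cryptoff, cryptsize and cryptid for each architecture slice, and wraps that in a defender-side check, is_fairplay_encrypted, which flags a binary whose cryptid is 0, i.e. a plain development build or an App Store executable whose encrypted region has been replaced and whose header has been patched (the state that the later steps of this article produce). The sample binaries are constructed inside the script with the values from the otool output above; the function names and the two builder helpers are mine and not part of any tool mentioned on the page.

```python
"""Added example: read LC_ENCRYPTION_INFO from Mach-O and fat binaries (not from the article)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Mach-O constants, as defined in <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC = 0xFEEDFACE            # 32-bit Mach-O header
MH_MAGIC_64 = 0xFEEDFACF         # 64-bit Mach-O header (has an extra reserved field)
FAT_MAGIC = 0xCAFEBABE           # fat (multi-architecture) container; its tables are big-endian
LC_ENCRYPTION_INFO = 0x21        # fields: cmd, cmdsize, cryptoff, cryptsize, cryptid
LC_ENCRYPTION_INFO_64 = 0x2C     # same fields plus 4 bytes of padding


@dataclass
class EncryptionInfo:
    arch_offset: int   # file offset at which this architecture's Mach-O image starts
    cryptoff: int      # file offset of the encrypted region (relative to the image)
    cryptsize: int     # length of the encrypted region in bytes
    cryptid: int       # 1 = FairPlay-encrypted, 0 = plaintext


def _parse_thin(data: bytes, base: int) -> Optional[EncryptionInfo]:
    """Walk the load commands of one Mach-O image and return its LC_ENCRYPTION_INFO, if any."""
    for endian in ("<", ">"):                      # iOS images are little-endian; accept both
        magic = struct.unpack_from(endian + "I", data, base)[0]
        if magic in (MH_MAGIC, MH_MAGIC_64):
            break
    else:
        raise ValueError("no Mach-O header at offset 0x%x" % base)
    header_size = 32 if magic == MH_MAGIC_64 else 28
    ncmds, sizeofcmds = struct.unpack_from(endian + "II", data, base + 16)
    off = base + header_size
    end = off + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands run past sizeofcmds")
        cmd, cmdsize = struct.unpack_from(endian + "II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command at 0x%x" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from(endian + "III", data, off + 8)
            return EncryptionInfo(base, cryptoff, cryptsize, cryptid)
        off += cmdsize
    return None


def slice_offsets(data: bytes) -> List[int]:
    """Offsets of every Mach-O image in the file: [0] for a thin binary, one per fat_arch otherwise."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return [0]
    nfat_arch = struct.unpack_from(">I", data, 4)[0]
    # struct fat_arch: cputype, cpusubtype, offset, size, align (20 bytes, big-endian)
    return [struct.unpack_from(">IIIII", data, 8 + 20 * i)[2] for i in range(nfat_arch)]


def encryption_info(data: bytes) -> List[Optional[EncryptionInfo]]:
    """One entry per architecture slice; None where a slice has no LC_ENCRYPTION_INFO."""
    return [_parse_thin(data, off) for off in slice_offsets(data)]


def is_fairplay_encrypted(data: bytes) -> bool:
    """Defender's check: every slice carries LC_ENCRYPTION_INFO with a non-zero cryptid."""
    infos = encryption_info(data)
    return bool(infos) and all(i is not None and i.cryptid != 0 for i in infos)


def build_thin_macho(cryptid: int, is64: bool = False) -> bytes:
    """Constructed sample: a minimal Mach-O with only an LC_ENCRYPTION_INFO command (page's values)."""
    magic, cmd, cmdsize = ((MH_MAGIC_64, LC_ENCRYPTION_INFO_64, 24) if is64
                           else (MH_MAGIC, LC_ENCRYPTION_INFO, 20))
    cputype = 0x0100000C if is64 else 0x0C         # CPU_TYPE_ARM64 / CPU_TYPE_ARM
    header = struct.pack("<IIIIIII", magic, cputype, 0, 2, 1, cmdsize, 0)   # filetype 2 = MH_EXECUTE
    if is64:
        header += struct.pack("<I", 0)             # reserved field of mach_header_64
    lc = struct.pack("<IIIII", cmd, cmdsize, 4096, 798720, cryptid)
    if is64:
        lc += struct.pack("<I", 0)                 # pad field of encryption_info_command_64
    return header + lc


def build_fat(slices: List[bytes]) -> bytes:
    """Constructed sample: a fat container wrapping the given thin images back to back."""
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    offset = 8 + 20 * len(slices)
    archs, body = b"", b""
    for s in slices:
        cputype = struct.unpack_from("<I", s, 4)[0]
        archs += struct.pack(">IIIII", cputype, 0, offset + len(body), len(s), 0)
        body += s
    return header + archs + body


if __name__ == "__main__":
    samples = (("App Store binary", build_thin_macho(1)),
               ("patched binary (cryptid zeroed)", build_thin_macho(0)),
               ("fat binary", build_fat([build_thin_macho(1), build_thin_macho(1, True)])))
    for label, blob in samples:
        print(label, encryption_info(blob), "encrypted:", is_fairplay_encrypted(blob))
```

To check a real file, pass open(path, "rb").read() to is_fairplay_encrypted; a slice missing the command, or any slice whose cryptid is 0, fails the check, which is the condition to look for when verifying that a bundle found in /Applications is still the one the store delivered.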

3) Launching the victim.
Launch your application on the device. Try not to go beyond the initial menu;
Now we need to find the process ID. To do this, in the terminal on the PC type:
ps ax
A long list of processes will be printed. Look for the process we know (along the way there will be
something like):
721 ?? s 0:00.00 /var/mobile/Applications/F02B7479-78DH-4AA2-B33F-D27E098CB478/Test.app/Test
so 721 is the ID we need. Remember it.

4) Dumping.
Launch the GNU Debugger with the attach-to-process option:
gdb -p PID
where PID is the process ID obtained in step 3. Example:
gdb -p 721
The debugger will attach to the victim and stop inside it. ATTENTION: all this time the victim program
must remain open on the device.
Now make the dump with the command:
dump memory dump.bin 0x2000 {addr2}
where addr2 = (cryptsize + 8192) -> in HEX (!) = 798720 + 8192 = 806912 = 0xC5000
so we enter:
dump memory dump.bin 0x2000 0xC5000
Go over SSH into /var/root/ and pull the resulting dump.bin to the PC.
Close the debugger (quit) and close the victim on the device. We will not need them any more.

5) Preparing the victim.
The following steps are done on the PC in your favourite hex editor. I used HIEW.
We will need:
- the original program file (/var/mobile/Applications/F02B7479-78DH-4AA2-B33F-D27E098CB478/Test.app/Test);
- the dump.bin obtained in the dumping step;
Take the original program file and REPLACE the chunk in it starting at offset 0x1000 with dump.bin;
Only a little remains: fixing the header. In the resulting file, around offset 0x800, look for
bytes of the form 0x01 0x00 and replace them with 0x00 0x00
(simply put, in the vicinity of 0x800 we look for a lone one and replace it with a zero);

6) Copy everything from the original application folder
(example: /var/mobile/Applications/F02B7479-78DH-4AA2-B33F-D27E098CB478/Test.app/Test)
and upload /Test.app to /Applications or /stash/Applications.* (whichever works for you);
delete the SC_Info folder (it is no longer needed),
overwrite the program's executable with the one prepared in step 5,
and set its permissions to 755.

7) Signing the application.
All that remains is to sign the application in its new location:
ldid -S myapp
example:
ldid -S /Applications/Test.app/Test

If at some point the terminal starts answering "Killed" to your commands, reboot the phone and try again.
