
Hacking Applications from the App Store [Instruction]

Full instructions on how to crack (decrypt) applications from the App Store. Read on. Anyone too lazy to do it themselves can download ready-made cracked applications here.

1) Preparation.
You will need:
- an iPhone / iPod Touch with firmware 2.0, jailbroken, with Cydia installed;
- run Cydia and install every update it asks for;
- additionally (also from Cydia) install:
a) OpenSSH;
b) GNU Debugger for iPhone;
c) iPhone 2.0 Toolchain;
- a terminal emulator on a computer (I use a PC with Windows XP SP3).
I use PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)
The terminal must be configured to SSH into the device and log in as root (default password alpine);
- and, of course, the application to be cracked. It must have been bought in the
App Store and must work properly on the device at the time of cracking.
That is all the preparation. Getting started:

2) Gathering information.
In the terminal (everything is typed on the PC, inside the SSH session to the device) enter:
otool -l {path to your program}
e.g.:
otool -l /var/mobile/Applications/F02B7479-78DH-4AA2-B33F-D27E098CB478/Test.app/Test
I will not explain how to find the path here; you have to locate it and note it down yourself.
A heap of information falls out; look for lines roughly like these:
Load command 9
      cmd LC_ENCRYPTION_INFO
  cmdsize 20
 cryptoff 4096
cryptsize 798720
  cryptid 1
That is, load command 9 is LC_ENCRYPTION_INFO.
Write down the following values:
cryptoff - the offset (decimal) from the start of the file at which the encrypted data begins;
cryptsize - the length of the encrypted data;
cryptid 1 - means the file contains encrypted data (if it is 0,
all further steps up to the signing itself can be skipped);

3) Launch the victim.
Run the application on the device. Try not to go past the initial menu;
Now find the process ID. In the terminal on the PC type:
ps ax
A long list of processes appears. Look for the process we know (there will be a line
of this sort):
721 ?? S 0:00.00 /var/mobile/Applications/F02B7479-78DH-4AA2-B33F-D27E098CB478/Test.app/Test
So 721 is the ID we need. Note it down.

4) Peeling off the skin.
Start the GNU Debugger attached to the process:
gdb -p PID
where PID is the process ID obtained in step 3. Example:
gdb -p 721
The debugger loads into the victim and stops it. ATTENTION: the whole time, the victim
program must stay open on the device: it is the loader that decrypts the pages into memory when the app starts, so the plaintext exists only inside the running process.
Now make the dump with the command:
dump memory dump.bin 0x2000 {addr2}
where 0x2000 is the binary's load address on this firmware (0x1000) plus cryptoff (4096 = 0x1000),
and addr2 = 0x2000 + cryptsize, i.e. (cryptsize + 8192) converted to HEX (!) = 798720 + 8192 = 806912 = 0xC5000.
gdb dumps the half-open range [start, end), so the file comes out exactly cryptsize bytes long.
Enter:
dump memory dump.bin 0x2000 0xC5000
Go via SSH to /var/root/ and pull the resulting dump.bin to the PC.
Close the debugger (quit) and close the victim on the device. We will not need them any more.

5) Dissecting the victim.
The rest is done on the PC in your favourite hex editor. I used HIEW.
We will need:
- the original program file (/var/mobile/Applications/F02B7479-78DH-4AA2-B33F-D27E098CB478/Test.app/Test);
- dump.bin, obtained in step 4;
Take the original program file and REPLACE its bytes starting at offset 0x1000 (= cryptoff) with the contents of dump.bin;
All that remains is to fix the header. In the resulting file, around offset 0x800, look for
the bytes 01 00 and replace them with 00 00
(in other words, look for a lone 1 in the neighbourhood of 0x800 and replace it with a zero).
That 1 is the cryptid field of the LC_ENCRYPTION_INFO command from step 2, so the surest way to find it is to search for cryptoff and cryptsize as little-endian dwords followed by cryptid: 00 10 00 00 00 30 0C 00 01 00 00 00 (4096, 798720, 1) and zero the last dword. With cryptid = 0 the loader treats the region as plaintext and runs the decrypted code you spliced in.
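The PC-side work of steps 2, 4 and 5 can be scripted instead of done by eye in HIEW. The following Python script is an added example, not part of the original instructions: it reads LC_ENCRYPTION_INFO straight from the Mach-O header (no guessing at ~0x800), computes the gdb dump range that step 4 derives by hand, and splices dump.bin into the binary while zeroing cryptid. The sample binary it builds is constructed for the demo; the function names and the 0x1000 load address (implied by the article's 0x2000 start address) are my assumptions, not the article's.

```python
import struct
import sys

# Added example, not the article's own tooling: a minimal 32-bit Mach-O header
# parser that locates LC_ENCRYPTION_INFO the way `otool -l` does, computes the
# gdb dump range from step 4, and performs the step-5 splice + cryptid patch.

MH_MAGIC = 0xFEEDFACE            # 32-bit little-endian Mach-O (armv6 binaries on firmware 2.0)
MH_HEADER_SIZE = 28              # struct mach_header: 7 x uint32
LC_SEGMENT = 0x1
LC_ENCRYPTION_INFO = 0x21        # cmd, cmdsize, cryptoff, cryptsize, cryptid (5 x uint32)
TEXT_BASE = 0x1000               # load address assumed by the article's 0x2000 start (assumption)


def find_encryption_info(data):
    """Walk the load commands; return (cmd_offset, cryptoff, cryptsize, cryptid)
    or None if the binary carries no LC_ENCRYPTION_INFO."""
    if len(data) < MH_HEADER_SIZE:
        raise ValueError("file too short to be a Mach-O")
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags = struct.unpack_from("<7I", data, 0)
    if magic != MH_MAGIC:
        raise ValueError("not a 32-bit little-endian Mach-O (fat/64-bit binaries need slicing first)")
    off = MH_HEADER_SIZE
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > MH_HEADER_SIZE + sizeofcmds:
            raise ValueError("corrupt load command at 0x%x" % off)
        if cmd == LC_ENCRYPTION_INFO:
            cryptoff, cryptsize, cryptid = struct.unpack_from("<3I", data, off + 8)
            return off, cryptoff, cryptsize, cryptid
        off += cmdsize
    return None


def dump_range(cryptoff, cryptsize, text_base=TEXT_BASE):
    """Start/end addresses for gdb's `dump memory` (end is exclusive, so the
    dump is exactly cryptsize bytes). For the article's values: (0x2000, 0xC5000)."""
    start = text_base + cryptoff
    return start, start + cryptsize


def splice_decrypted(binary, dump):
    """Step 5: overwrite the encrypted region with the memory dump and clear cryptid."""
    info = find_encryption_info(binary)
    if info is None:
        raise ValueError("no LC_ENCRYPTION_INFO: nothing to decrypt")
    cmd_off, cryptoff, cryptsize, cryptid = info
    if cryptid == 0:
        return bytes(binary)                  # already plaintext; leave untouched
    if len(dump) != cryptsize:
        raise ValueError("dump is %d bytes, cryptsize is %d" % (len(dump), cryptsize))
    if cryptoff + cryptsize > len(binary):
        raise ValueError("encrypted region runs past end of file")
    out = bytearray(binary)
    out[cryptoff:cryptoff + cryptsize] = dump
    struct.pack_into("<I", out, cmd_off + 16, 0)   # cryptid sits 16 bytes into the command
    return bytes(out)


def build_sample_binary(cryptoff=4096, cryptsize=8192):
    """Constructed stand-in for an App Store binary (not a real app): header, one
    __TEXT segment command, LC_ENCRYPTION_INFO with cryptid=1, padding, fake ciphertext."""
    ncmds, sizeofcmds = 2, 56 + 20
    header = struct.pack("<7I", MH_MAGIC, 12, 6, 2, ncmds, sizeofcmds, 0)   # CPU_TYPE_ARM, armv6, MH_EXECUTE
    segment = struct.pack("<2I16s8I", LC_SEGMENT, 56, b"__TEXT", TEXT_BASE,
                          cryptoff + cryptsize, 0, cryptoff + cryptsize, 7, 5, 0, 0)
    enc = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, cryptoff, cryptsize, 1)
    body = header + segment + enc
    body += b"\x00" * (cryptoff - len(body))
    body += bytes((i * 0x9E) & 0xFF for i in range(cryptsize))   # pretend ciphertext
    return body


if __name__ == "__main__":
    if len(sys.argv) == 4:                    # real use: <binary> <dump.bin> <output>
        with open(sys.argv[1], "rb") as f:
            binary = f.read()
        with open(sys.argv[2], "rb") as f:
            dump = f.read()
        with open(sys.argv[3], "wb") as f:
            f.write(splice_decrypted(binary, dump))
    else:                                     # demo on the constructed sample
        binary = build_sample_binary()
        _, cryptoff, cryptsize, cryptid = find_encryption_info(binary)
        print("cryptoff %d cryptsize %d cryptid %d -> dump memory dump.bin 0x%X 0x%X"
              % ((cryptoff, cryptsize, cryptid) + dump_range(cryptoff, cryptsize)))
```

Run it as `python decrypt.py Test dump.bin Test.decrypted` (the script name is mine) and carry Test.decrypted into step 6 in place of the hand-patched file; with no arguments it prints the gdb command for the constructed sample. The length check matters: if dump.bin is not exactly cryptsize bytes, the gdb range was wrong and the splice would shift code.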

6) Copy the entire original application folder
(example: /var/mobile/Applications/F02B7479-78DH-4AA2-B33F-D27E098CB478/Test.app)
and upload Test.app to /Applications or /stash/Applications.* (whichever one works for you),
delete the SC_Info folder (it holds the App Store DRM metadata and is no longer needed),
overwrite the program file with the one prepared in step 5,
and set permissions 755 (chmod 755).

7) Sign the application.
All that is left is to sign the application in its new location:
ldid -S myapp
example:
ldid -S /Applications/Test.app/Test
ldid -S writes a pseudo-signature (a hash table with no Apple certificate) that only a jailbroken kernel accepts. If at some point the terminal starts answering Killed to your actions, restart the phone and try again.
