
Support for iOS 14.5 (fouldecrypt issue, open)

nyamisty commented on August 11, 2024
Support for iOS 14.5

from fouldecrypt.

Comments (9)

dlevi309 commented on August 11, 2024

> Thank you for your help! This resolved the libFugu14Krw.dylib loading issue; unfortunately, the mremap_encrypted: Operation not permitted persists and the binary remains encrypted.

This is how you fix it:
First, run the app’s binary path alone in the terminal (you’re gonna get a Trace: BPT Trap error, which is expected), then run fouldecrypt normally on the binary. It should decrypt it after that, because you’ve forced the app to map itself by executing it directly.

So to rehash, say I want to decrypt Discord:

$ /var/containers/Bundle/Application/5C4DC9B2-9056-4717-935E-71CB3C74E9DC/Discord.app/Discord

It should return Abort Trap: 6 or whatever. Then run:

$ fouldecrypt /var/containers/Bundle/Application/5C4DC9B2-9056-4717-935E-71CB3C74E9DC/Discord.app/Discord

Unless it’s a special case, the app should decrypt fine now. This also works on plugins.


Halo-Michael commented on August 11, 2024

CC: LinusHenze/Fugu14#200
Place the files in libFugu14Krw.zip according to the path.


irworks commented on August 11, 2024

Thank you for your help! This resolved the libFugu14Krw.dylib loading issue; unfortunately, the mremap_encrypted: Operation not permitted persists and the binary remains encrypted.


0x5e commented on August 11, 2024

Hi @dlevi309, how about the dylib decryption? A dylib can't be executed, and if I directly run fouldecrypt, I will get mremap_encrypted: Operation not permitted again.


dlevi309 commented on August 11, 2024

> Hi @dlevi309, how about the dylib decryption? A dylib can't be executed, and if I directly run fouldecrypt, I will get mremap_encrypted: Operation not permitted again.

I’ve run into this too. The issue is that on iOS 14, an execute bit needs to be set to decrypt dylibs / frameworks. This is my own goofy solution:

Let’s pretend that the path of the dylib you’re trying to decrypt is Argo.app/Frameworks/Something.framework/Something

  1. Run chmod +x on Argo.app/Frameworks/Something.framework/Something
  2. Then attempt to RUN Argo.app/Frameworks/Something.framework/Something from the command line (this will obviously fail with a message like abort trap, but it’s enough to load the dylib into memory)
  3. NOW run decrypt Argo.app/Frameworks/Something.framework/Something

This isn’t surefire for everything, but I’ve noticed that it works most of the time.


0x5e commented on August 11, 2024

@dlevi309 thanks for the reply.
In step 2, I still got cannot execute binary file: Exec format error; it seems step 1 didn't work for me.

iPhone-7:~/workspace root# chmod +x ./tmp/Payload/xxx.app/Frameworks/yyy.framework/yyy
iPhone-7:~/workspace root# ./tmp/Payload/xxx.app/Frameworks/yyy.framework/yyy
-sh: ./tmp/Payload/xxx.app/Frameworks/yyy.framework/yyy: cannot execute binary file: Exec format error


dlevi309 commented on August 11, 2024

@0x5e no prob, and the app can’t be in a ./tmp environment; chmod +x has to be performed on the original binary within the installed app’s bundle directory. Although, even after doing all the steps correctly, you may still get that cannot execute binary file: Exec format error, and that’s usually an indication that it won’t work on that particular binary. Frameworks / dylibs sometimes definitely work, but can also fail. If you wanna test an example of this that works almost 100% of the time, you can run the steps on app plugins that fail to decrypt (because they may be built for a newer iOS version, etc.).


0x5e commented on August 11, 2024

@dlevi309 I just unzipped the ipa somewhere else, but I kept the app bundle structure. Did you mean the app has to be installed to /var/containers/Bundle/Application/xxxxxxxxxxx by some tool before decrypting the dynamic frameworks?
And I missed the step 3 log before: after Exec format error, I still got mremap_encrypted: Operation not permitted. So maybe the binary I tested didn't work for this solution?

from fouldecrypt.
