12-06-2009, 09:58 AM   #29
Shmoopi
Shmoopi LLC
Join Date: Jun 2009
Location: Virginia
Posts: 213

Quote:
Originally Posted by rocotilos
So what is the method used in Crackulous? Anybody knows?
You can check out the source code online, or you can read this excerpt from Hackulo.com written by KYEK:
Quote:
So here's the scoop on how the App Store works
Apple has every application available in the app store on their servers. You already know that -- it's pretty obvious. You can download it, therefore it's coming from them. But what most people DON'T know is that every app on Apple's servers is already cracked. It's not encrypted. It's not signed. It will work on anyone's phone.

When you download an app from the store, though, Apple doesn't give you one of those programs right away. First, they take the program, and they pick out a chunk of it that the program needs to launch. And then they encrypt it -- turning that section into a code that can only be broken with YOUR iTunes account. Apple keeps the key that breaks it on file -- you don't even get to see it, but it is unique to you. Like a password you're never allowed to know.

Then Apple flips a switch on the program to let the iPhone know that it's been encrypted, Apple "signs" it (like a real signature on it that only Apple can make) so the iPhone knows it's a for-real Apple program, and then they send it to you. All of that happens instantly. You end up with a program that only you can run, since only you have access to your key.

Ok, that makes sense. So how do we crack it?
Before we get into that, you should know that the iPhone (I keep saying phone, but iPod Touch is the same thing) can run any code whether it's encrypted with your key or not -- it just has to be signed. So if you could get the unencrypted copy Apple has on their server, you could run it with no problem. You just have to sign the sucker.

So here's what we do. The iPhone can't actually run encrypted code. No computer can. The computer has to DEcrypt it (using your iTunes account key) as soon as you run it, store that decrypted section in memory, and then run that.

It's a weird concept, I know, but think about it for a second and it makes sense. The phone can't read Apple's code directly, so it decodes it, writes down the decoded version, and runs that. Easy-peasy. And the iPhone holds on to that decoded section the whole time the app is running, because it might need it again. It just stores it in the phone's memory.

What we do to crack it is freeze the phone when the program we want to crack is running, and we dump out all the memory from it. Actually, it's even better than that. We do a few simple calculations and figure out EXACTLY where in memory the decoded stuff is, and we dump JUST that out. We just save it to a file. The iPhone did all the decrypting work FOR us -- we just take what it came up with, and we write it down.

Finally, to crack the app itself, we take advantage of something really cool: The code that Apple sent us is the EXACT same size encrypted as it is decrypted! So all we need to do is take the decrypted stuff we just got from the iPhone's memory, open up the application file Apple sent us, and replace the encrypted stuff with it. The idea is dead easy, right? That's because it is. This concept of taking decrypted code from memory and replacing encrypted stuff with it would be on the first page of Hacking for Dummies, if that book existed. EVERY hacker knows it. Most run-of-the-mill developers are fully aware that this is possible. It is not some profound secret that we came up with. To finish the cracking process, all we need to do is turn off that little switch that tells the phone it's encrypted -- because it's not any more. Ta-da!

Cool, but what about the signing?
We can't fake Apple's signature. I could get into how signatures work and why they're so secure, but that doesn't even matter at this point because we just can't do it. But what we CAN do is alter the part of the iPhone's operating system that makes it CHECK for Apple's signature, and make it so that it works with ANY signature -- not just Apple's. If your phone is Jailbroken, you've already done this. This is a small part of what Jailbreaking actually is -- letting your phone run code signed by anyone.

So all we need to do in order to run a cracked program on an iPhone is just sign it ourselves -- and that is the final step of cracking a program. Sign it, and now that no one's phone needs to decrypt the program, anyone with a jailbroken phone can run it!
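The "little switch" the excerpt refers to is the cryptid field of the Mach-O LC_ENCRYPTION_INFO (or LC_ENCRYPTION_INFO_64) load command. The following is an added example, written here and not code from the forum post, from Crackulous or from Hackulo: a small read-only Mach-O load-command parser that reports that flag, the check a developer's runtime integrity test or an incident responder triaging an .ipa would run. The load-command and magic constants are the real values from <mach-o/loader.h>; the function names and the header-only sample binary built by build_sample() are constructed for the demonstration and are not a real app.

```python
"""
Report the encryption state recorded in a Mach-O binary's load commands.

Constructed example: parses LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 and
returns the cryptoff/cryptsize/cryptid triple. An App Store build has
cryptid == 1; development and ad-hoc builds legitimately carry 0. A binary
that should be an App Store build but reads 0 here has had the switch
cleared, which is the indicator a tamper check looks for.
"""
import struct
import sys
from typing import Optional

# Constants from <mach-o/loader.h> and <mach/machine.h>
MH_MAGIC = 0xFEEDFACE          # 32-bit Mach-O, little-endian as iOS toolchains write it
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit Mach-O
MH_EXECUTE = 0x2
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = 0x0100000C
LC_UUID = 0x1B
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C


def parse_encryption_info(data: bytes) -> Optional[dict]:
    """Return {'cryptoff', 'cryptsize', 'cryptid'} for the first encryption
    load command, or None if the binary carries none.
    Fat (multi-arch) files are rejected; thin them first (e.g. with lipo)."""
    if len(data) < 28:
        raise ValueError("too short to be a Mach-O file")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError(f"unsupported magic 0x{magic:08x} (fat or big-endian not handled)")
    # ncmds and sizeofcmds sit at offset 16 in both header layouts
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    end = header_size + sizeofcmds
    offset = header_size
    for _ in range(ncmds):
        if offset + 8 > len(data):
            raise ValueError("load command table truncated")
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmdsize < 8 or offset + cmdsize > end or offset + cmdsize > len(data):
            raise ValueError("malformed load command size")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # Both commands start with cryptoff, cryptsize, cryptid; the 64-bit
            # variant only adds a trailing pad word.
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, offset + 8)
            return {"cryptoff": cryptoff, "cryptsize": cryptsize, "cryptid": cryptid}
        offset += cmdsize
    return None


def classify(data: bytes) -> str:
    """One-word summary for a tamper check or triage script."""
    info = parse_encryption_info(data)
    if info is None:
        return "no-encryption-command"
    return "encrypted" if info["cryptid"] != 0 else "not-encrypted"


def build_sample(cryptid: int = 1, include_encryption: bool = True, is64: bool = True) -> bytes:
    """Constructed header-only Mach-O (no segments or code) used as sample input."""
    cmds = [struct.pack("<II", LC_UUID, 24) + bytes(range(16))]   # filler command to skip over
    if include_encryption:
        if is64:
            cmds.append(struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0))
        else:
            cmds.append(struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 0x8000, cryptid))
    body = b"".join(cmds)
    if is64:
        header = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                             len(cmds), len(body), 0, 0)
    else:
        header = struct.pack("<IIIIIII", MH_MAGIC, CPU_TYPE_ARM, 0, MH_EXECUTE,
                             len(cmds), len(body), 0)
    return header + body


if __name__ == "__main__":
    # Pass a thin Mach-O path to inspect a real file; otherwise use the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(parse_encryption_info(blob), classify(blob))
```

The parser validates every cmdsize against both sizeofcmds and the file length before reading a command's payload, so a truncated or corrupted load-command table raises instead of reading past the buffer; that matters when the input is an untrusted binary pulled off a device.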