It's very basic, so everyone who doesn't know anything about patching can start learning it.
The tools you'll need:
IDA 5.2 (there are no newer cracked versions :/)
a good hex editor (I'm on a Mac using 0xED and virtualizing WinXP to run IDA)
on your iPhone: crackulous (cydia.hackulo.us), Link Identity Editor (ldid) from Cydia, mobileTerminal from Cydia
Crackulous removes Apple's DRM from bought apps so they can be shared with others. What we will do is patch the additional protection that more and more developers include in their apps.
In this tutorial I will assume that you have read this primer by the ARTeam, which I posted here: http://sharebee.com/b1cfeb11
Our Target
Our target is an app called Full Screen Web Browser 1.1. Why did I choose it? Because it's easy to patch and because the developer was so "proud" of his protection that he informed the media. Another reason is that its instructions are in ARM Thumb. Most iPhone apps are in Thumb code, so you'll learn something about that. The DRM-free but unpatched version is here: http://sharebee.com/1bdd6e92.
1.
First we need to find the nag. After you launch this app (unpatched) 10 times, this popup will appear:

Your only option is to shut the app down or buy it in the AppStore.
2.
Now that we know the nag we have to get the executable.
Unzip the ipa and get the file named "FullScreen" (these executables have no extension) from "Full Screen.app".
3.
Fire up IDA 5.2 and open the executable. Don't forget to change the processor type to ARM.

4.
We could open the String View (Shift+F12), search for the string "Crack detected", follow the XREF and end up at a function. Unluckily the function __BrowserAppDelegate_demoExpired_ doesn't check if it's a DRM-free version, so there is nothing to patch here. :(
5.
What we need to know is how developers check whether the app is cracked or not.
They often check for changes to some of the files which are installed together with the app. These files are modified when you remove Apple's DRM. For example the Info.plist: it contains basic information about the app, and if the app is DRM-free a key named SignerIdentity will be added. You can read about this and other stuff here: http://thwart-ipa-cr.../detection.html
So many apps check if SignerIdentity is in the Info.plist.
6.
Let's go back to the String View and search for SignerIdentity. YES! It's there! Double-click on it, follow the XREF and you'll end up at the subroutine __BrowserCache_isValidCache_. This is where the app checks if it's DRM-free or not.

So what does it do? It checks if R4 = 0. If it's equal to 0 it branches to loc_7BEA, where it starts the check for SignerIdentity.
Now there are 2 places where you can break this check:
a) change CMP R4, #0 to CMP R4, R4 and change BEQ loc_7BEA to BNE loc_7BEA, or
b) change CMP R0, #0 to CMP R0, R0
We will go with option a) because the ARM (Thumb) opcode is more interesting here.
7.
Now we need to learn something about ARM Thumb instructions. Thumb instructions don't translate to hex the same way "normal" ARM opcodes do.
normal: CMP R4, R4 -> 04 00 54 E1
thumb: CMP R4, R4 -> A4 42
Since there is no good documentation about the Thumb instructions and how they translate to hex, I use an ARM assembler (http://sharebee.com/165923ec ; for Windows) to generate them:
Quote
translate thumb asm to hex:
1. make text file with asm source, example file test.s:
org 3C026h
LDRB R3, [R2]
CMP R4, R4
CMP R0, R0
LDR R0
MOV R0, R0
MOVS R0, R4
BNE loc_2E00
BEQ loc_2E00
MOVS R0, #1
org 3c02eh
loc_3C02E:
nop
2. Compile using command as.exe -mthumb test.s -a > log.txt
3. log.txt looks:
ARM GAS test.s page 1
1 org 3C026h
2
3 ???? 1378 LDRB R3, [R2]
4 ???? A442 CMP R4, R4
5 ???? 8042 CMP R0, R0
6 LDR R0
7 ???? 001C MOV R0, R0
8 MOVS R0, R4
9 ???? FED1 BNE loc_2E00
10 ???? FED0 BEQ loc_2E00
11 MOVS R0, #1
12 org 3c02eh
13 loc_3C02E:
14 ???? C046 nop...
ARM GAS test.s page 2
DEFINED SYMBOLS
test.s:13 .text:00000000 loc_3C02E
UNDEFINED SYMBOLS
loc_2E00
8.
In the hex view in IDA we can see that CMP R4, #0 translates to 00 2C. From our assembler we know that we have to change this to A4 42 (CMP R4, R4). We also know from IDA's hex view that BEQ loc_7BEA translates to 03 D0. We will have to change this to 03 D1 (BNE loc_7BEA).
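To check byte pairs against IDA's listing without the assembler round-trip, here is an added example (not from the post or any tool it mentions) that decodes the 16-bit Thumb encodings quoted above, including why GAS emits 1C00 for MOV R0,R0 and 46C0 for NOP. The virtual addresses passed in are assumed to be the IDA addresses of the instructions (0x7BE0 for the BEQ).

```python
# Added example: a minimal decoder for the 16-bit Thumb encodings quoted in this
# post, so the byte pairs in IDA's hex view (little-endian halfwords) can be read
# back into mnemonics. Constructed for this page; not the post's own tooling.
COND = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
        "HI", "LS", "GE", "LT", "GT", "LE"]
ALU = ["AND", "EOR", "LSL", "LSR", "ASR", "ADC", "SBC", "ROR",
       "TST", "NEG", "CMP", "CMN", "ORR", "MUL", "BIC", "MVN"]

def decode_thumb(raw, addr):
    """Disassemble one Thumb-16 halfword located at virtual address `addr`."""
    h = raw[0] | (raw[1] << 8)                       # file bytes "00 2C" -> 0x2C00
    rd, rs = h & 7, (h >> 3) & 7                     # low register fields (bits 2:0, 5:3)
    if h >> 11 == 0b00011:                           # ADD/SUB Rd, Rs, Rn|#imm3
        op = "SUB" if (h >> 9) & 1 else "ADD"
        rn = (h >> 6) & 7
        src = f"#{rn}" if (h >> 10) & 1 else f"R{rn}"
        return f"{op} R{rd}, R{rs}, {src}"           # GAS emits MOV R0,R0 as ADD R0,R0,#0 (1C00)
    if h >> 13 == 0b001:                             # MOV/CMP/ADD/SUB Rd, #imm8
        op = ["MOV", "CMP", "ADD", "SUB"][(h >> 11) & 3]
        return f"{op} R{(h >> 8) & 7}, #{h & 0xFF}"  # 2C00 -> CMP R4, #0
    if h >> 10 == 0b010000:                          # ALU Rd, Rs (register operands)
        return f"{ALU[(h >> 6) & 0xF]} R{rd}, R{rs}" # 42A4 -> CMP R4, R4
    if h >> 10 == 0b010001:                          # hi-register ADD/CMP/MOV and BX
        op = (h >> 8) & 3
        rd_full = rd + 8 * ((h >> 7) & 1)
        rs_full = rs + 8 * ((h >> 6) & 1)
        if op == 3:
            return f"BX R{rs_full}"
        if op == 2 and rd_full == rs_full == 8:
            return "NOP"                             # 46C0, MOV R8, R8, is the Thumb NOP
        return f"{['ADD', 'CMP', 'MOV'][op]} R{rd_full}, R{rs_full}"
    if h >> 13 == 0b011:                             # LDR/STR[B] Rd, [Rb, #imm5]
        byte, load = (h >> 12) & 1, (h >> 11) & 1
        off = (h >> 6) & 0x1F
        if not byte:
            off *= 4                                 # word offsets are scaled by 4
        op = ("LDR" if load else "STR") + ("B" if byte else "")
        return f"{op} R{rd}, [R{rs}, #{off}]"        # 7813 -> LDRB R3, [R2, #0]
    if h >> 12 == 0b1101 and (h >> 8) & 0xF < 0xE:   # conditional branch, signed imm8 halfwords
        off = (h & 0xFF) - (0x100 if h & 0x80 else 0)
        # PC is two halfwords ahead; D003 at 0x7BE0 -> BEQ 0x7BEA, D103 -> BNE 0x7BEA
        return f"B{COND[(h >> 8) & 0xF]} 0x{addr + 4 + off * 2:X}"
    return f"UNKNOWN 0x{h:04X}"

def decode_hexview(text, addr):
    """Take the byte pair as IDA's hex view prints it, e.g. "03 D0"."""
    return decode_thumb(bytes.fromhex(text), addr)
```

Only the one-bit difference in the condition field separates 03 D0 (BEQ) from 03 D1 (BNE), which is why that patch is a single byte.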
9.
Launch your hex editor and open the executable "FullScreen". Make sure that the hex editor is set to "overwrite".
Go to offset 6BDE and overwrite 00 2C with A4 42.
Go to offset 6BE0 and overwrite 03 D0 with 03 D1.
Save it.
Important note:
IDA 5.2 has problems finding the offset if you switch from Graph View in "IDA View" directly to "Hex View". So you'll have to change from Graph View to Text View first (right-click), mark the instruction and then switch to Hex View.
10.
Now we have a patched executable. But it won't work on your iPhone, because it has to be signed (even though our device is jailbroken). We'll do that with the Link Identity Editor (ldid), which will pseudo-sign our executable.
For that, ssh the executable to your iPhone (I prefer /User/). Now launch mobileTerminal (from Cydia) and execute
ldid -s /User/FullScreen
If you are trying to patch an executable with a space in its name you can use "" (example: ldid -s "User/Currency Converter").
11.
The executable is now signed and we can overwrite the original one. To do that, find the folder (on your iPhone) which contains "Full Screen.app". It's in /User/Applications/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (where X stands for letters and numbers; check the date to find it more easily). Overwrite the original file "FullScreen" in "Full Screen.app" with the patched one.
12.
Voilà! You're almost done. Now test the app. Launch it 10 times and no popup will appear and you can surf as much as you want. IT'S PATCHED!
13.
Replace the original "FullScreen" executable in "Full Screen.app" (on your desktop) with the patched AND signed one from your iPhone and repack the ipa. Test it and then it's ready to distribute.
This tutorial is probably far from perfect. Please post suggestions or questions :)
I will continue making tutorials with more complex apps, but from my experience about 30% of the apps can be patched using this simple method.
This post has been edited by Reilly: 28 March 2009 - 12:52 AM