OS X | @sskaje

unzip with lzfse support

By @sskaje
Link: https://sskaje.me/2017/08/unzip-with-lzfse-support/

LZFSE is a compression library introduced by Apple.

LZFSE is a Lempel-Ziv style data compression algorithm using Finite State Entropy coding. It targets similar compression rates at higher compression and decompression speed compared to deflate using zlib.

Github: https://github.com/lzfse/lzfse

Apple uses LZFSE compressing its ipa packages.
I downloaded an ipa directly from appstore, named like pre-thinned xxx .thinned.signed.dpkg.ipa, e.g. pre-thinned12345678.thinned.signed.dpkg.ipa

I tried to decompress this ipa, with unzip, 7-Zip on windows, many many other archiver management tools, all failed.

   skipping: Payload/.......  unsupported compression method 99

1	skipping: Payload/....... unsupported compression method 99

unsupported compression method 99

I integrated lzfse into unzip based on unzip-6.0.
Github: https://github.com/sskaje/unzip-lzfse

Steps:
1 Build and install lzfse

$ git clone https://github.com/lzfse/lzfse.git
$ cd lzfse
$ make
$ sudo make install

$ git clone https://github.com/lzfse/lzfse.git

$ cd lzfse

$ make

$ sudo make install

2 Build unzip-lzfse

$ git clone https://github.com/sskaje/unzip-lzfse
$ git checkout lzfse
$ cd unzip-lzfse
$ export LZFSE_PATH=/usr/local
$ make -f unix/Makefile all

$ git clone https://github.com/sskaje/unzip-lzfse

$ git checkout lzfse

$ cd unzip-lzfse

$ export LZFSE_PATH=/usr/local

$ make -f unix/Makefile all

3 test

$ ./unzip -d test ../pre-thinned12345678.thinned.signed.dpkg.ipa

1	$ ./unzip -d test ../pre-thinned12345678.thinned.signed.dpkg.ipa

Tested under macOS 10.12.6

unzip with lzfse support by @sskaje: https://sskaje.me/2017/08/unzip-with-lzfse-support/

Incoming search terms:

Virtualize macOS Sierra on Ubuntu (Vmware)

By @sskaje
Link: https://sskaje.me/2016/12/virtualize-macos-sierra-ubuntu-vmware/

I need to run something on macOS, but I don’t have any dedicated Mac devices running as server/workstation.

This is a simple tutorial running macOS VM on Ubuntu with VMware workstation server.

Environment

VMware Fusion 8.5.3
macOS Sierra
Ubuntu Server 16.04
VMware workstation server 12.5.2
Continue reading “Virtualize macOS Sierra on Ubuntu (Vmware)” »

Virtualize macOS Sierra on Ubuntu (Vmware) by @sskaje: https://sskaje.me/2016/12/virtualize-macos-sierra-ubuntu-vmware/

Incoming search terms:

How to Download Apple Boot Camp Drivers for Windows

By @sskaje
Link: https://sskaje.me/2016/12/download-apple-boot-camp-drivers-windows/

1 Download this file: http://swcatalog.apple.com/content/catalogs/others/index-windows-1.sucatalog

2 Search for AppleBcUpdate.exe, check if PostDate field below.

3 Download

How to Download Apple Boot Camp Drivers for Windows by @sskaje: https://sskaje.me/2016/12/download-apple-boot-camp-drivers-windows/

OSX Change Roaming Preference

By @sskaje
Link: https://sskaje.me/2016/10/osx-change-roaming-preference/

$ sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport  help
Usage: airport <interface> <verb> <options>

	<interface>
	If an interface is not specified, airport will use the first AirPort interface on the system.

	<verb is one of the following:
	prefs	If specified with no key value pairs, displays a subset of AirPort preferences for
		the specified interface.

		Preferences may be configured using key=value syntax. Keys and possible values are specified below.
		Boolean settings may be configured using 'YES' and 'NO'.

		DisconnectOnLogout (Boolean)
		JoinMode (String)
			Automatic
			Preferred
			Ranked
			Recent
			Strongest
		JoinModeFallback (String)
			Prompt
			JoinOpen
			KeepLooking
			DoNothing
		RememberRecentNetworks (Boolean)
		RequireAdmin (Boolean)
		RequireAdminIBSS (Boolean)
		RequireAdminNetworkChange (Boolean)
		RequireAdminPowerToggle (Boolean)
		WoWEnabled (Boolean)

$ sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport help

Usage: airport <interface> <verb> <options>

If an interface is not specified, airport will use the first AirPort interface on the system.

<verb is one of the following:

prefs If specified with no key value pairs, displays a subset of AirPort preferences for

the specified interface.

Preferences may be configured using key=value syntax. Keys and possible values are specified below.

Boolean settings may be configured using 'YES' and 'NO'.

DisconnectOnLogout (Boolean)

JoinMode (String)

Automatic

Preferred

Ranked

Recent

Strongest

JoinModeFallback (String)

Prompt

JoinOpen

KeepLooking

DoNothing

RememberRecentNetworks (Boolean)

RequireAdmin (Boolean)

RequireAdminIBSS (Boolean)

RequireAdminNetworkChange (Boolean)

RequireAdminPowerToggle (Boolean)

WoWEnabled (Boolean)

On my macbook pro, default values are:

AirPort preferences for en0:

DisconnectOnLogout=NO
Unable to retrieve JoinMode
JoinModeFallback=DoNothing
RememberRecentNetworks=YES
RequireAdminIBSS=NO
RequireAdminNetworkChange=NO
RequireAdminPowerToggle=NO
WoWEnabled=NO

AirPort preferences for en0:

DisconnectOnLogout=NO

Unable to retrieve JoinMode

JoinModeFallback=DoNothing

RememberRecentNetworks=YES

RequireAdminIBSS=NO

RequireAdminNetworkChange=NO

RequireAdminPowerToggle=NO

WoWEnabled=NO

修改 JoinMode 为 Preferred

sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport prefs JoinMode=Preferred

1	sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport prefs JoinMode=Preferred

OSX Change Roaming Preference by @sskaje: https://sskaje.me/2016/10/osx-change-roaming-preference/

Incoming search terms:

/System/Library/PrivateFrameworks/Apple80211 framework/Versions/A/Resources/airport prefs joinMode

Set up DebugServer on iOS 7

By @sskaje
Link: https://sskaje.me/2016/01/set-up-debugserver-ios-7/

I had my iPhone 4 jailbroken, so I can debug/crack apps on iPhone.

Server: iPhone 4 + debugserver
Client: Mac OS X + lldb

Server

DebugServer

Debugserver can be found on iOS: /Developer/usr/bin/debugserver
Just follow instructions: debugserver on iPhone Wiki

# lipo -info /Developer/usr/bin/debugserver 
Architectures in the fat file: /Developer/usr/bin/debugserver are: armv7 armv7s arm64 
# lipo -thin armv7 /Developer/usr/bin/debugserver -output ~/debugserver

# lipo -info /Developer/usr/bin/debugserver

Architectures in the fat file: /Developer/usr/bin/debugserver are: armv7 armv7s arm64

# lipo -thin armv7 /Developer/usr/bin/debugserver -output ~/debugserver

Save following content as a plist like dbg.plist

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.springboard.debugapplications</key>
	<true/>
	<key>get-task-allow</key>
	<true/>
	<key>task_for_pid-allow</key>
	<true/>
	<key>run-unsigned-code</key>
	<true/>
</dict>
</plist>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>com.apple.springboard.debugapplications</key>

<true/>

<key>get-task-allow</key>

<true/>

<key>task_for_pid-allow</key>

<true/>

<key>run-unsigned-code</key>

<true/>

</dict>

</plist>

Apply the entitlement

ldid -Sdbg.plist debugserver

1	ldid -Sdbg.plist debugserver

If entitlement above is not applied, debugserver won’t be able to listen to a TCP port.

Remove FairPlay

FairPlay is Apple’s DRM applied to apps on AppStore.
If you see cryptid 1 like below, try Clutch!

otool -l /var/mobile/Applications/0732D587-2530-4517-A101-C46602B32628/CheMiYouHao.app/CheMiYouHao |grep LC_ENCRYPTION_INFO -A 5 cmd LC_ENCRYPTION_INFO cmdsize 20 cryptoff 16384 cryptsize 5652480 cryptid 1 Load command 13

1
2
3
4
5
6
7

otool -l /var/mobile/Applications/0732D587-2530-4517-A101-C46602B32628/CheMiYouHao.app/CheMiYouHao  |grep LC_ENCRYPTION_INFO -A 5
          cmd LC_ENCRYPTION_INFO
      cmdsize 20
    cryptoff  16384
    cryptsize 5652480
    cryptid   1
Load command 13

Disable ASLR

Try otool -hv to your App, if you see PIE flags, you have to disable ASLR.

mede-iPhone:~ root# otool -hv /var/mobile/Applications/0732D587-2530-4517-A101-C46602B32628/CheMiYouHao.app/CheMiYouHao 
/var/mobile/Applications/0732D587-2530-4517-A101-C46602B32628/CheMiYouHao.app/CheMiYouHao:
Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
   MH_MAGIC     ARM         V7  0x00     EXECUTE    48       5084   NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE

mede-iPhone:~ root# otool -hv /var/mobile/Applications/0732D587-2530-4517-A101-C46602B32628/CheMiYouHao.app/CheMiYouHao

/var/mobile/Applications/0732D587-2530-4517-A101-C46602B32628/CheMiYouHao.app/CheMiYouHao:

Mach header

magic cputype cpusubtype caps filetype ncmds sizeofcmds flags

MH_MAGIC ARM V7 0x00 EXECUTE 48 5084 NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE

See: Mach-O Disable ASLR/PIE

Make sure you have python installed on your iPhone.

Find your target app.

Client

Copy a decrypted and de-aslr-ed app binary to your OS X and:

$ lldb /path/to/app/binary
(lldb) target create "/path/to/app/binary"
Current executable set to '/path/to/app/binary' (arm64).
(lldb) platform select remote-ios 
  Platform: remote-ios
 Connected: no
  SDK Path: "/Users/sskaje/Library/Developer/Xcode/iOS DeviceSupport/9.2 (13C75)"
 SDK Roots: [ 0] "/Users/sskaje/Library/Developer/Xcode/iOS DeviceSupport/7.1.2 (11D257)"
 SDK Roots: [ 1] "/Users/sskaje/Library/Developer/Xcode/iOS DeviceSupport/8.3 (12F70)"
 SDK Roots: [ 2] "/Users/sskaje/Library/Developer/Xcode/iOS DeviceSupport/8.4.1 (12H321)"
 SDK Roots: [ 3] "/Users/sskaje/Library/Developer/Xcode/iOS DeviceSupport/9.2 (13C75)"
(lldb) process connect connect://172.18.1.66:9988

$ lldb /path/to/app/binary

(lldb) target create "/path/to/app/binary"

Current executable set to '/path/to/app/binary' (arm64).

(lldb) platform select remote-ios

Platform: remote-ios

Connected: no

SDK Path: "/Users/sskaje/Library/Developer/Xcode/iOS DeviceSupport/9.2 (13C75)"

SDK Roots: [ 0] "/Users/sskaje/Library/Developer/Xcode/iOS DeviceSupport/7.1.2 (11D257)"

SDK Roots: [ 1] "/Users/sskaje/Library/Developer/Xcode/iOS DeviceSupport/8.3 (12F70)"

SDK Roots: [ 2] "/Users/sskaje/Library/Developer/Xcode/iOS DeviceSupport/8.4.1 (12H321)"

SDK Roots: [ 3] "/Users/sskaje/Library/Developer/Xcode/iOS DeviceSupport/9.2 (13C75)"

(lldb) process connect connect://172.18.1.66:9988

Set up DebugServer on iOS 7 by @sskaje: https://sskaje.me/2016/01/set-up-debugserver-ios-7/