[HOW TO] Crack iOS apps with Clutch (now on 64bit!)


What you need:

  • a jailbroken iDevice
  • MobileTerminal iOS app (available from the default Cydia repos), or you can do a USB SSH tunnel through iFunbox (you will need afc2add and OpenSSH from the default Cydia repos for this). DOWNLOAD iFUNBOX
  • iFile or iFunbox to explore the iPhone’s filesystem and set permissions (if using iFunbox, you need afc2add from the default Cydia sources). Grab a .deb for a cracked copy of iFile here: (HERE)
  • a copy of clutch

I WILL ADD MORE TO THIS TUTORIAL AS I GET SCREENSHOTS, ETC.
#teamclutch

STEP 1 – CYDIA INSTALLATION

Get the latest Clutch by installing clutch (stable) from the repo cydia.iphonecake.com (zorro put that thing on the repo xD).

STEP 1 – MANUAL INSTALLATION (skip if you installed through Cydia)


1. DOWNLOAD a copy of Clutch.
2. MOVE clutch to /usr/bin using iFile or iFunbox.
(screenshot: 1_ifile.jpg)

3. RENAME clutch. By default the file will be named something unwieldy like clutch131 or Clutch-1.3.2-git; you can rename it to something easier to type. For the purpose of this tutorial we will name it “clutch”, but really you can name it whatever you like.
To rename it in iFile, press the blue arrow next to the filename, then delete the old name and enter “clutch”.
(screenshot: 2_rename.jpg)

4. SET permissions so the file is executable. To do this in iFile, press the blue arrow next to the filename to get the file info, then scroll down a little until you see Permissions.

SET permissions for user, group, and world to Read, Write, Execute (777), as in the screenshots. Strictly, Read and Execute for group and world (755, i.e. rwxr-xr-x) is all a binary in /usr/bin needs; leaving it world-writable means any process running as the unprivileged mobile user can replace the tool you then run as root.
(screenshot: 4_set_permissions.jpg)

You should have this:
(screenshot: 3_permissions.jpg)

How to SET permissions in iFunbox:


RIGHT CLICK on the file in iFunbox and select Set Permissions.
(screenshot: permissions_ifunbox.jpg)

SET permissions for user, group, and world to Read, Write, Execute (again, 755 is enough).
(screenshot: iFunbox File Ownership and Permissions)

STEP 2 – CONFIGURATION


Instead of using MobileTerminal on your iDevice, you can do an SSH tunnel via USB with iFunbox; install OpenSSH (default Cydia repos) first.

1. OPEN the terminal app on your springboard.
(screenshot: Terminal.png)

You will get this window:
(screenshot: 5_terminal.png)

2. Next you will get root access on your device, which is necessary for Clutch.

ENTER EXACTLY: su root
(screenshot: IMG_1007_PNG.jpg)

Press RETURN and you will be prompted for a password; the default root password is alpine. If you have not changed it yet, do so with passwd: with OpenSSH installed, anyone who can reach the device over the network can log in as root with that default.
ENTER your password and press RETURN; you now have root access.
(screenshot: IMG_1039_PNG.jpg)

3. LAUNCH the configuration utility. ENTER EXACTLY: clutch -C (notice the letter “C” must be capitalized).
(screenshot: 7_clutch_C.jpg)

4. There will be a series of options to configure.
(screenshot: 8_config_utility_opened.jpg)

Enter “YES” or “NO” to each of them. For the email, enter anything you want to show up as the Apple ID in the IPA’s metadata; it doesn’t necessarily have to be in email format.
(screenshot: 9_enter_email.jpg)

5. The remaining options (compression, etc.) follow. When you get through the config you will get a message and there will be nothing more to configure; simply restart the terminal, or open a new tab in the terminal.
(screenshot: 10_abort_trap4.jpg)

CRACKING APPS
Instead of using MobileTerminal on your iDevice, you can do an SSH tunnel via USB with iFunbox.

1. OPEN the terminal app on your springboard.
2. GET root access (covered above).
3. ENTER “clutch” (remember, if you renamed the binary something else, enter that instead of “clutch”).
4. You will get this numbered menu:

iPhone:~ root# clutch
You're using a Clutch development build, checking for updates..
Your version of Clutch is up to date!
Clutch-1.3.2-git1
usage: clutch [flags] [application name] [...]
Applications available: 
1) Angry Birds
2) Brazzers Mobile
3) Butch
4) CrackAddict
5) Facebook
6) Gangstar Rio
7) Gangnam Style
8) Installous
9) Movie Box
10) Mostuniique+quandary=g@Y
11) Rasticrac
12) RedTube Mobile
13) SWAGR Pro
14) Tjglass
15) Youtube
16) Zeusmos

5. ENTER clutch -b followed by the number that corresponds with the app you want to crack.
If I want to crack Facebook, I enter: clutch -b 5
6. The application will then be cracked.
7. The IPAs are in /var/tmp/clutch; copy them to your PC with iFunbox.

Or simply use the terminal:

Once I was connected I typed “Clutch2”, which showed the following options:

(screenshot Clutch1: Clutch2 usage options)

Typing “Clutch2 -i” displayed all of the App Store apps installed on the device:

(screenshot clutch2: Clutch2 -i listing)

I decided to dump the third application (which I don’t want to display since I didn’t write the app), so I ran “Clutch2 -b <BundleID>”. If I had wanted to dump the second app (WordPress) I would have typed “Clutch2 -b org.wordpress”. Clutch2 quickly generated the following output:

(screenshot clutch3: Clutch2 dump output)

The decrypted binary was placed under the /var/tmp/clutch directory. I used iFunbox to copy both the decrypted binary and the original binary (located in /var/mobile/Containers/Bundle/Application/xxxx) to my computer so I could compare the before and after results. Normally Mach-O executable files contain code for multiple ARM architectures (a “fat” binary) and you need to use the OS X command line tool “lipo” to extract the slice you would like to analyze, but in this case the application only contained code for armv7, so that wasn’t necessary.

Below you can see where I ran file on an iOS app with multiple architectures (armv7s and armv7) and file on this application, which only has one architecture.

(screenshot mini: file output for a fat binary and for the single-architecture binary)

Once I confirmed that I wasn’t dealing with multiple architectures, I used the strings command to extract the text from both the original binary and the binary which Clutch2 produced. The original encrypted version is on the left and the post-Clutch2 decrypted version is on the right.

(screenshot compare: strings output, encrypted original on the left, decrypted dump on the right)

As you can see, the decrypted version gives us quite a bit more information about what’s going on inside of the application, and I can start to use the tricks I learned in the SANS SEC575 course to analyze the app and its behavior.
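Two checks worth automating on every dump before doing the strings comparison above: that the file you are looking at has the architecture slice you expect (the fat/lipo question), and that each slice is actually decrypted. The definitive signal for the second is the cryptid field of the LC_ENCRYPTION_INFO (or LC_ENCRYPTION_INFO_64) load command: 1 means the __TEXT range is still FairPlay-encrypted, 0 means Clutch rewrote it. The script below is an added example, not code from the original post or from the Clutch project; it is a small Mach-O walker in Python that handles both fat and thin files and both 32- and 64-bit headers, reports cryptid per slice, and pulls printable runs out of the crypt region the way strings does. The magic numbers, load-command IDs and CPU types are the ones from the Mach-O headers; the sample fat file it builds is constructed here (an invented Objective-C selector and URL as the “decrypted” text, and a deterministic byte pattern standing in for ciphertext), so it runs offline and never touches a real app.

```python
"""Check a Clutch dump: list Mach-O slices, read each slice's cryptid, and pull strings from the crypt region."""
import struct
import sys

FAT_MAGIC = 0xCAFEBABE                            # fat/universal header (big-endian fields)
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF    # thin 32/64-bit Mach-O (little-endian on ARM)
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 0x0000000C, 0x0100000C
CPU_NAMES = {CPU_TYPE_ARM: "arm", CPU_TYPE_ARM64: "arm64"}

def _slices(data):
    """Yield (offset, size) of every slice: several for a fat file, one for a thin file."""
    if len(data) >= 8 and struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        for i in range(nfat):
            _cpu, _sub, off, size, _align = struct.unpack_from(">iiIII", data, 8 + 20 * i)
            yield off, size
    else:
        yield 0, len(data)

def inspect_slice(data, off=0):
    """Return the arch and LC_ENCRYPTION_INFO fields of the Mach-O slice starting at off."""
    magic = struct.unpack_from("<I", data, off)[0]
    if magic == MH_MAGIC:
        hdr_len = 28
    elif magic == MH_MAGIC_64:
        hdr_len = 32          # mach_header_64 carries an extra reserved field
    else:
        raise ValueError("no Mach-O header at offset %d" % off)
    cputype, _sub, _ftype, ncmds, _cmds_len = struct.unpack_from("<iiIII", data, off + 4)
    info = {"arch": CPU_NAMES.get(cputype, hex(cputype)), "cryptid": None, "cryptoff": 0, "cryptsize": 0}
    pos = off + hdr_len
    for _ in range(ncmds):                         # walk the load commands by cmdsize
        cmd, cmdsize = struct.unpack_from("<II", data, pos)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            info["cryptoff"], info["cryptsize"], info["cryptid"] = struct.unpack_from("<III", data, pos + 8)
        pos += cmdsize
    return info

def inspect(data):
    """One record per slice, in file order."""
    return [inspect_slice(data, off) for off, _ in _slices(data)]

def is_decrypted(data):
    """True when no slice still carries cryptid == 1 (None means the slice was never FairPlay-wrapped)."""
    return all(s["cryptid"] != 1 for s in inspect(data))

def strings_in_crypt_region(data, min_len=4):
    """Printable ASCII runs inside each slice's crypt region, as `strings` would report them."""
    found = []
    for off, _ in _slices(data):
        s = inspect_slice(data, off)
        start = off + s["cryptoff"]
        run = bytearray()
        for b in data[start:start + s["cryptsize"]] + b"\0":   # trailing NUL flushes the last run
            if 0x20 <= b < 0x7F:
                run.append(b)
            else:
                if len(run) >= min_len:
                    found.append(run.decode("ascii"))
                run = bytearray()
    return found

# --- constructed sample (not a real app): just enough Mach-O to exercise the parser ---
def build_slice(cputype, cryptid, text):
    """Minimal thin Mach-O: header, one LC_ENCRYPTION_INFO(_64) covering `text`, then `text` itself."""
    is64 = cputype == CPU_TYPE_ARM64
    lc_size = 24 if is64 else 20
    hdr = struct.pack("<IiiIIII", MH_MAGIC_64 if is64 else MH_MAGIC, cputype, 0, 2, 1, lc_size, 0)
    hdr += struct.pack("<I", 0) if is64 else b""                      # reserved field of mach_header_64
    lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO_64 if is64 else LC_ENCRYPTION_INFO,
                     lc_size, len(hdr) + lc_size, len(text), cryptid)
    lc += struct.pack("<I", 0) if is64 else b""                       # pad field of the _64 command
    return hdr + lc + text

def build_fat(slices):
    """Wrap (cputype, blob) pairs into a fat file, each slice page-aligned the way lipo lays them out."""
    hdr_len = 8 + 20 * len(slices)
    arch_hdrs, body = b"", b""
    for cputype, blob in slices:
        body += b"\0" * ((-(hdr_len + len(body))) % 4096)
        arch_hdrs += struct.pack(">iiIII", cputype, 0, hdr_len + len(body), len(blob), 12)
        body += blob
    return struct.pack(">II", FAT_MAGIC, len(slices)) + arch_hdrs + body

PLAINTEXT = b"\0-[ViewController viewDidLoad]\0https://api.example.invalid/v1/login\0"   # invented
CIPHERTEXT = bytes((i * 73 + 41) & 0xFF for i in range(len(PLAINTEXT)))  # opaque bytes standing in for FairPlay
# An arm slice still encrypted beside an arm64 slice that was dumped: what a half-finished dump looks like.
SAMPLE_FAT = build_fat([(CPU_TYPE_ARM, build_slice(CPU_TYPE_ARM, 1, CIPHERTEXT)),
                        (CPU_TYPE_ARM64, build_slice(CPU_TYPE_ARM64, 0, PLAINTEXT))])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FAT
    for s in inspect(data):
        print("%-6s cryptid=%s cryptoff=%#x cryptsize=%#x" % (s["arch"], s["cryptid"], s["cryptoff"], s["cryptsize"]))
    print("fully decrypted:", is_decrypted(data))
    print("strings in crypt region:", strings_in_crypt_region(data))
```

Run it with the binary Clutch wrote under /var/tmp/clutch as the argument (after copying it off the device); with no argument it inspects the built-in sample, where the arm slice reports cryptid=1 and yields no strings while the arm64 slice reports cryptid=0 and yields the two readable ones. On OS X, otool -l <binary> | grep -A4 LC_ENCRYPTION_INFO shows the same cryptoff/cryptsize/cryptid fields if you want to cross-check.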