What you need:
- a jailbroken iDevice
- MobileTerminal iOS app (available from the default Cydia repos), or you can do a USB SSH tunnel through iFunbox (you will need afc2add and openssh from the default Cydia repos for this). DOWNLOAD iFUNBOX
- iFile or iFunbox to explore the iPhone's filesystem and set permissions (if using iFunbox, you need afc2add from the default Cydia sources). Grab a .deb for a cracked copy of iFile here: (HERE)
- a copy of clutch
I WILL ADD MORE TO THIS TUTORIAL AS I GET SCREENSHOTS, ETC.
#teamclutch
STEP 1 – CYDIA INSTALLATION
Get the latest Clutch by installing Clutch (stable) from the repo cydia.iphonecake.com (zorro put that thing on the repo xD).
STEP 1 – MANUAL INSTALLATION (skip if you installed through Cydia)
2. MOVE clutch to /usr/bin using iFile or iFunbox.
3. RENAME clutch. By default the file will be named something unwieldy like clutch131 or Clutch 1.3.2-git;
you can rename it to something easier to type. For the purpose of this tutorial we will name it "clutch", but really you can name it whatever you like.
To rename it in iFile, press the blue arrow next to the filename, then delete the old name and enter "clutch".
4. SET permissions to Read, Write, Execute. To do this in iFile, press the blue arrow next to the filename to get the file info, then scroll down a little until you see Permissions.
SET permissions for user, group, and world to Read, Write, Execute.
you should have this:
How to SET permissions in iFunbox:
SET permissions for user, group, and world to Read, Write, Execute.
STEP 2 – CONFIGURATION
1. OPEN the terminal app on your springboard.
You will get this window:
2. Next you will get root access on your device, which is necessary for clutch.
ENTER EXACTLY: su root
Press RETURN. You will be prompted for a password; the default password is alpine.
ENTER your password and press RETURN. You now have root access.
3. LAUNCH the configuration utility. Enter exactly: clutch -C (notice the letter "C" must be capitalized).
4. There will be a series of options to configure.
Enter "YES" or "NO" for each of them. For the email, enter anything you want to show up as the Apple ID in the metadata; it doesn't necessarily have to be in email format.
5. Then you can't set compression, etc. When you get through the config, you will get a message and there will be nothing more to configure. Simply restart the terminal, or open a new tab in the terminal, etc.
CRACKING APPS
Instead of using MobileTerminal on your iDevice, you can do a SSH Tunnel via USB with iFunbox
1. OPEN the terminal app on your springboard.
2. GET root access (how to is covered above).
3. ENTER "clutch" (remember, if you renamed the script something else, enter that instead of "clutch").
4. You will get this numbered menu
iPhone:~ root# clutch
You're using a Clutch development build, checking for updates..
Your version of Clutch is up to date!
Clutch-1.3.2-git1
usage: clutch [flags] [application name] [...]
Applications available:
1) Angry Birds
2) Brazzers Mobile
3) Butch
4) CrackAddict
5) Facebook
6) Gangstar Rio
7) Gangnam Style
8) Installous
9) Movie Box
10) Mostuniique+quandary=g@Y
11) Rasticrac
12) RedTube Mobile
13) SWAGR Pro
14) Tjglass
15) Youtube
16) Zeusmos
5. ENTER clutch -b followed by the number that corresponds to the app you want to crack.
If I want to crack Facebook, I enter "clutch -b 5".
6. The application will then be cracked.
7. The IPAs are in /var/tmp/clutch. Copy them to your PC with iFunbox and upload.
Or simply use the terminal:
Once I was connected I typed "Clutch2", which showed the following options:
Typing "Clutch2 -i" displayed all of the App Store apps installed on the device:
I decided to dump the third application (which I don't want to display since I didn't write the app), so I ran "Clutch2 -b <BundleID#>". If I had wanted to dump the second app (WordPress) I would have typed "Clutch2 -b org.wordpress". Clutch2 quickly generated the following output:
The decrypted binary was placed under the /var/tmp/clutch directory. I used iFunbox to copy both the decrypted binary and the original binary (located in /var/mobile/Containers/Bundle/Application/xxxx) to my computer so I could compare the before and after results. Normally Mach-O executable files contain code for multiple ARM architectures and you need to use the OS X command line tool "lipo" to extract the ARM version that you would like to analyze, but in this case the application only contained code for armv7, so that wasn't necessary.
Below you can see where I ran file on an iOS app with multiple architectures (armv7s and armv7) and file on this application, which only has one architecture.
Once I confirmed that I wasn't dealing with multiple architectures, I used the strings command to extract the text from both the original binary and the binary which Clutch2 produced. The original encrypted version is on the left and the post-Clutch2 decrypted version is on the right.
As you can see, the decrypted version gives us quite a bit more information about what's going on inside of the application, and I can start to use the tricks I learned in the SANS SEC575 course to analyze the app and its behavior.
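The two checks this write-up does by hand with file, lipo and strings (which architectures a Mach-O file contains, and whether the dumped copy is actually decrypted) can be read straight from the headers; here is an added Python example, not part of the original post or of Clutch, that parses the fat header and walks each slice's load commands for LC_ENCRYPTION_INFO, whose cryptid field is 1 while the App Store binary is still FairPlay-encrypted and 0 in a decrypted dump. The sample bytes are constructed inside the script (minimal headers only, no code and no page alignment) so it runs offline; the function names and the helper builders are my own.

```python
import struct

# Values from <mach-o/loader.h> and <mach-o/fat.h>
FAT_MAGIC = 0xCAFEBABE
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_NAMES = {(12, 9): "armv7", (12, 11): "armv7s", (0x0100000C, 0): "arm64"}

def parse_thin(blob):
    """Return (arch, cryptid) for one Mach-O slice; cryptid is None if absent."""
    magic = struct.unpack_from("<I", blob, 0)[0]          # ARM slices are little-endian
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a Mach-O slice")
    cputype, cpusub, _ft, ncmds, _sz, _fl = struct.unpack_from("<6I", blob, 4)
    off = 32 if magic == MH_MAGIC_64 else 28             # sizeof(mach_header[_64])
    cryptid = None
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", blob, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # layout: cmd, cmdsize, cryptoff, cryptsize, cryptid
            cryptid = struct.unpack_from("<I", blob, off + 16)[0]
        off += cmdsize
    return CPU_NAMES.get((cputype, cpusub & 0x00FFFFFF), hex(cputype)), cryptid

def inspect(blob):
    """List (arch, cryptid) for every slice of a fat or thin Mach-O file."""
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:   # fat header is big-endian
        nfat = struct.unpack_from(">I", blob, 4)[0]
        slices = []
        for i in range(nfat):
            _ct, _cs, off, size, _al = struct.unpack_from(">5I", blob, 8 + 20 * i)
            slices.append(parse_thin(blob[off:off + size]))
        return slices
    return [parse_thin(blob)]

# --- constructed sample data: header + one LC_ENCRYPTION_INFO per slice ---
def make_slice(cputype, cpusub, cryptid):
    lc = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x4000, 0x8000, cryptid)
    return struct.pack("<7I", MH_MAGIC, cputype, cpusub, 2, 1, len(lc), 0) + lc

def make_fat(slices):
    off, table = 8 + 20 * len(slices), b""
    for s in slices:
        cputype, cpusub = struct.unpack_from("<2I", s, 4)
        table += struct.pack(">5I", cputype, cpusub, off, len(s), 0)
        off += len(s)
    return struct.pack(">2I", FAT_MAGIC, len(slices)) + table + b"".join(slices)

ENCRYPTED_SAMPLE = make_fat([make_slice(12, 9, 1), make_slice(12, 11, 1)])  # still encrypted
DUMPED_SAMPLE = make_slice(12, 9, 0)                                         # decrypted dump
```

On a real file, open it in binary mode and pass the bytes to inspect(); a slice reporting cryptid 1 has not been decrypted, whatever strings shows.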