iOS IPA files install

Decryption

If the IPA file is straight from iTunes/iPhone (without any modification), the code section in the binary (the executable named by the CFBundleExecutable key in the app's Info.plist) is encrypted with FairPlay (Apple's proprietary DRM). If you are unsure, check whether the cryptid bit is set with otool:

otool -arch armv7 -l thebinary | grep crypt

(where thebinary is the executable binary; see the CFBundleExecutable key in the app's Info.plist.) The output shows the cryptoff, cryptsize and cryptid fields of the LC_ENCRYPTION_INFO load command. If cryptid is 0, the binary is not encrypted and you can proceed to the Post Decryption section. Otherwise the payload has to be read back out of a running process on a jailbroken device, where gdb can attach and the mapped pages are already decrypted:

1. Run otool on the binary to get information such as the size (cryptsize) and file offset (cryptoff) of the encrypted payload.
2. Launch the app and suspend it immediately.
3. Use gdb to dump the payload (beginning from 0x2000): gdb -p <pid>, then dump memory output.bin 0x2000 0xNNNN, where NNNN is the sum of the beginning (0x2000) and the payload size. The address 0x2000 assumes the usual layout of these binaries, with __TEXT mapped at 0x1000 from file offset 0 and cryptoff 0x1000; in general the payload sits at __TEXT vmaddr - fileoff + cryptoff, plus the ASLR slide if the binary is PIE.
4. Create a new file from the first 0x1000 bytes of the original binary (the Mach-O header and load commands) with the dump file appended.
5. Change the cryptid in the new file's LC_ENCRYPTION_INFO to 0 (so that iOS won't try to decrypt the already-decrypted app again) and use ldid to sign the new binary.

There are many tools of dubious purpose (piracy) which automate the process, but the above is the gist of how it is done.

Post Decryption

You can begin reverse engineering the code once you have access to an unencrypted copy of the binary. One possible tool is IDA Pro (the free version does not support ARM). It may still be quite messy, since much of iOS's code works through objc_msgSend(), so call targets are selectors resolved at run time rather than direct branches.

When you are patching functions, an easier way to work (if you know Objective-C) is to use MobileSubstrate to hook the relevant functions; see Dustin Howett's theos if you would like to try this method.

If you edit the binary directly, sign it again with ldid, since the original signature is invalidated by the edit.
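The steps of the decryption procedure on this page that are done by hand with otool, gdb and a hex editor (reading cryptoff/cryptsize/cryptid, working out which memory range to dump, splicing the dump over the encrypted range and zeroing cryptid) can be carried out from the Mach-O load commands directly. The following is an added example written for this page, not code from the original answer or from any of the tools it mentions. It generalizes the fixed 0x1000/0x2000 offsets in the text to whatever __TEXT vmaddr, fileoff and cryptoff the binary declares, and handles 32- and 64-bit images; the sample binary it operates on is constructed inline and is not a real app. The function and variable names are the example's own.

```python
import struct

# Mach-O constants from <mach-o/loader.h>
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
MH_PIE = 0x200000
LC_SEGMENT, LC_SEGMENT_64 = 0x01, 0x19
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C


def parse_encryption_info(image):
    """Return the __TEXT mapping, PIE flag and LC_ENCRYPTION_INFO fields of a
    thin little-endian Mach-O image (the values `otool -l | grep crypt` prints)."""
    magic, = struct.unpack_from("<I", image, 0)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a thin little-endian Mach-O; thin fat files first (lipo -thin)")
    is64 = magic == MH_MAGIC_64
    ncmds, _sizeofcmds, flags = struct.unpack_from("<III", image, 16)  # mach_header fields
    off = 32 if is64 else 28                                          # sizeof(mach_header[_64])
    info = {"pie": bool(flags & MH_PIE), "text_vmaddr": None, "text_fileoff": None, "crypt": None}
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", image, off)
        if cmd in (LC_SEGMENT, LC_SEGMENT_64) and image[off + 8:off + 24].rstrip(b"\0") == b"__TEXT":
            fmt = "<QQQ" if cmd == LC_SEGMENT_64 else "<III"          # vmaddr, vmsize, fileoff
            vmaddr, _vmsize, fileoff = struct.unpack_from(fmt, image, off + 24)
            info["text_vmaddr"], info["text_fileoff"] = vmaddr, fileoff
        elif cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", image, off + 8)
            info["crypt"] = {"cryptoff": cryptoff, "cryptsize": cryptsize,
                             "cryptid": cryptid, "cmd_offset": off}
        off += cmdsize
    if info["crypt"] is None or info["text_vmaddr"] is None:
        raise ValueError("no LC_ENCRYPTION_INFO or __TEXT segment found")
    return info


def memory_range(info, slide=0):
    """Process addresses holding the encrypted bytes once __TEXT is mapped:
    file offset cryptoff lands at vmaddr - fileoff + cryptoff (+ ASLR slide for PIE)."""
    c = info["crypt"]
    start = info["text_vmaddr"] - info["text_fileoff"] + c["cryptoff"] + slide
    return start, start + c["cryptsize"]


def gdb_dump_command(info, out="output.bin", slide=0):
    """The gdb command to type after `gdb -p <pid>` to dump the decrypted pages."""
    start, end = memory_range(info, slide)
    return f"dump memory {out} {start:#x} {end:#x}"


def rebuild_decrypted(image, dump, info):
    """Splice the dumped plaintext over the encrypted file range and set cryptid = 0.
    (The page's 'first 0x1000 bytes + dump' recipe is the cryptoff == 0x1000 case.)"""
    c = info["crypt"]
    if len(dump) != c["cryptsize"]:
        raise ValueError(f"dump is {len(dump):#x} bytes, expected cryptsize {c['cryptsize']:#x}")
    out = bytearray(image)
    out[c["cryptoff"]:c["cryptoff"] + c["cryptsize"]] = dump
    struct.pack_into("<I", out, c["cmd_offset"] + 16, 0)   # cryptid field of LC_ENCRYPTION_INFO
    return bytes(out)


def build_sample(cryptid=1):
    """Constructed test input, not a real app: a minimal 32-bit ARMv7 MH_EXECUTE whose
    second page is 'encrypted' (cryptoff 0x1000, cryptsize 0x1000), mirroring the
    classic layout where __TEXT is mapped at 0x1000 from file offset 0."""
    seg = struct.pack("<II16sIIIIiiII", LC_SEGMENT, 56, b"__TEXT",
                      0x1000, 0x2000, 0, 0x2000, 5, 5, 0, 0)
    enc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x1000, 0x1000, cryptid)
    hdr = struct.pack("<IIIIIII", MH_MAGIC, 12, 9, 2, 2, len(seg) + len(enc), 0)
    image = (hdr + seg + enc).ljust(0x1000, b"\0")   # page 0: header and load commands
    return image + bytes(range(256)) * 16            # page 1: stand-in for FairPlay ciphertext


if __name__ == "__main__":
    image = build_sample()
    info = parse_encryption_info(image)
    print(info["crypt"], "->", gdb_dump_command(info))
    plaintext = b"\x00\xf0\x20\xe3" * 0x400            # constructed stand-in for the gdb dump
    fixed = rebuild_decrypted(image, plaintext, info)
    print("cryptid after rebuild:", parse_encryption_info(fixed)["crypt"]["cryptid"])
```

After rebuild_decrypted the file still has to be re-signed (ldid -S) before iOS will run it, exactly as the page says; the script only produces the unsigned plaintext image. For a PIE binary, pass the slide gdb reports for the main image as `slide`, otherwise the dump range is off by the randomization offset.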