71

I browsed a lot, but can't find any resources for reverse engineering an IPA file (iPhone application). Is there any method to reverse engineer an IPA file to its source? I've tried to rename it to zip and open it via Winrar/Winzip to view its source, but it doesn't seem helpful.

What are the possibilities to decompile/reverse engineer an IPA file to its source code?

MendelG
BlueBerry - Vignesh4303
  • Requires a jailbroken iPhone.
    1. In Cydia -> Sources -> Edit -> Add -> http://cydia.iphonecake.com/
    2. In Cydia -> Download CrackerXI+ & Install CrackerXI+
    3. In CrackerXI -> Settings -> Enable CrackerXI Hook
    4. In Apps -> click the App
    5. SSH to iPhone (ssh root@<IP_Address>) -> Download the IPA
    – NoPurposeInLife Sep 26 '22 at 18:18

7 Answers

69

If the IPA file is straight from iTunes/iPhone (without any modification), the code section in the binary (as indicated by the Info.plist) is encrypted with FairPlay (Apple's proprietary DRM). If you are unsure, you can check whether the cryptid bit is set with otool (see this page).

otool -arch armv7 -l thebinary | grep crypt

(where thebinary is the executable binary - see the app's Info.plist, CFBundleExecutable key)

Pre Decryption:

If cryptid is 0, you can proceed to the Post Decryption section. Otherwise, you will need to decrypt the app. The typical method in brief (with a jailbroken iOS device) is to:

  1. Install otool, gdb and ldid from Cydia
  2. Install the IPA on an authorized device
  3. Run otool on the binary to get information such as the size of the encrypted payload
  4. Launch the app and suspend it immediately
  5. Use gdb to dump the payload (beginning from 0x2000): gdb -p <process id>, then dump output.bin 0x2000 0xNNNN, where NNNN is the sum of the beginning (0x2000) and the payload size
  6. Create a new file, using the first 0x1000 bytes of the original binary, and appended with the dump file
  7. Use ldid to sign the new binary, and change the cryptid to 0 (so that iOS won't decrypt the decrypted app again)

There are many tools of dubious purpose (piracy) which automate the process; however, the above is the gist of how the process is done.

Post Decryption:

You can begin reverse engineering the code when you have access to an unencrypted copy of the binary.

One possible tool is IDA Pro (the free version does not support ARM). It may still be quite messy since much of iOS's code works through objc_msgSend(). This IDA plugin may help: https://github.com/zynamics/objc-helper-plugin-ida

When you are patching functions, an easier way to work (if you know Objective-C) is to use MobileSubstrate to hook the relevant functions. See Dustin Howett's theos if you would like to try this method.

Useful Links:

More about the decryption process: http://iphonedevwiki.net/index.php/Crack_prevention

Getting otool: https://apple.stackexchange.com/questions/21256/i-cant-find-otool-on-my-jailbroken-ipod

Signing with ldid (since the original signature is made invalid after editing): http://www.saurik.com/id/8

For newer devices

Some of the tools (gdb in my case) are not working reliably on the iPhone 5S / iOS 7. Currently, a method that works is to use the popular open-source cracking software "Clutch". The actual cracking process can be found here: https://github.com/KJCracks/Clutch/blob/master/Clutch/Binary.m

iOS 11

Bishop Fox's bfdecrypt, used together with their bfinject should work for iOS 11.

jg0
    I use Stefan Esser's "dumpdecrypted" dylib to decrypt a binary. I find it's much simpler to use than GDB - https://github.com/stefanesser/dumpdecrypted – Mick Apr 05 '13 at 13:55
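The cryptid check and the "get the size of the encrypted payload" step in the accepted answer both read the same Mach-O load command, LC_ENCRYPTION_INFO (32-bit) or LC_ENCRYPTION_INFO_64. The following is an added example, not code from the answer above and not part of otool, Clutch or any other tool named on this page: a small Python parser that walks the load commands of the executable (Payload/<App>.app/<CFBundleExecutable> inside the IPA zip) and reports cryptoff, cryptsize and cryptid per architecture slice, handling both thin and fat files. It only reads header metadata; it decrypts nothing. The function names are mine, and the sample binaries it runs on are constructed in the block (labelled as such), so it runs offline.

```python
"""Read the LC_ENCRYPTION_INFO(_64) load command of an iOS Mach-O binary,
i.e. the data that ``otool -l <binary> | grep crypt`` prints. Added example."""
import struct
import sys
from dataclasses import dataclass
from typing import List, Optional

MH_MAGIC = 0xFEEDFACE            # 32-bit Mach-O (little-endian fields on iOS)
MH_MAGIC_64 = 0xFEEDFACF         # 64-bit Mach-O
FAT_MAGIC = 0xCAFEBABE           # fat (multi-arch) header, big-endian fields
LC_UUID = 0x1B
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C


@dataclass
class EncryptionInfo:
    arch_offset: int   # file offset of the Mach-O slice this command belongs to
    is_64: bool
    cryptoff: int      # offset of the encrypted range inside the slice
    cryptsize: int     # size of the encrypted payload
    cryptid: int       # 0 = not encrypted, non-zero = FairPlay-encrypted


def _parse_thin(data: bytes, base: int) -> Optional[EncryptionInfo]:
    """Walk the load commands of one Mach-O slice that starts at ``base``."""
    magic, = struct.unpack_from("<I", data, base)
    if magic == MH_MAGIC_64:
        header_size, is_64 = 32, True
    elif magic == MH_MAGIC:
        header_size, is_64 = 28, False
    else:
        raise ValueError(f"not a little-endian Mach-O at offset {base:#x}")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, base + 16)
    off = base + header_size
    end = off + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > len(data):
            raise ValueError("truncated load command table")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError(f"bad cmdsize {cmdsize} at offset {off:#x}")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            return EncryptionInfo(base, is_64, cryptoff, cryptsize, cryptid)
        off += cmdsize
    return None   # no encryption command at all (e.g. a dylib)


def parse_encryption_info(data: bytes) -> List[EncryptionInfo]:
    """Return the encryption info of every slice (one entry for a thin file)."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat, = struct.unpack_from(">I", data, 4)
        results = []
        for i in range(nfat):   # fat_arch: cputype, cpusubtype, offset, size, align
            _cpu, _sub, offset, _size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
            info = _parse_thin(data, offset)
            if info is not None:
                results.append(info)
        return results
    info = _parse_thin(data, 0)
    return [info] if info is not None else []


def is_fairplay_encrypted(data: bytes) -> bool:
    """True if any slice has cryptid != 0, i.e. the store DRM is still applied."""
    return any(info.cryptid != 0 for info in parse_encryption_info(data))


# --- CONSTRUCTED fixtures (not real app binaries) so the block runs offline ---
def build_sample_macho(cryptid: int, is_64: bool = True,
                       cryptoff: int = 0x4000, cryptsize: int = 0x8000) -> bytes:
    """Minimal Mach-O header + LC_UUID (skipped by the parser) + encryption command."""
    uuid_cmd = struct.pack("<II", LC_UUID, 24) + b"\x00" * 16
    if is_64:
        enc_cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, cryptoff, cryptsize, cryptid, 0)
        cputype = 0x0100000C   # CPU_TYPE_ARM64
    else:
        enc_cmd = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, cryptoff, cryptsize, cryptid)
        cputype = 0x0000000C   # CPU_TYPE_ARM
    cmds = uuid_cmd + enc_cmd
    # magic, cputype, cpusubtype, filetype (MH_EXECUTE=2), ncmds, sizeofcmds, flags[, reserved]
    if is_64:
        header = struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 0, 2, 2, len(cmds), 0, 0)
    else:
        header = struct.pack("<IiiIIII", MH_MAGIC, cputype, 0, 2, 2, len(cmds), 0)
    return header + cmds


def build_sample_fat(slices: List[bytes]) -> bytes:
    """Wrap thin slices in a fat header; slices are page-aligned like real ones."""
    archs, body = b"", b""
    offset = 8 + 20 * len(slices)          # fat_header + fat_arch table
    for s in slices:
        pad = (-offset) % 0x1000
        body += b"\x00" * pad
        offset += pad
        cputype, = struct.unpack_from("<i", s, 4)
        archs += struct.pack(">iIIII", cputype, 0, offset, len(s), 12)
        body += s
        offset += len(s)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_sample_fat([build_sample_macho(1), build_sample_macho(0, is_64=False)])
    for info in parse_encryption_info(blob):
        print(f"slice@{info.arch_offset:#x} cryptoff={info.cryptoff:#x} "
              f"cryptsize={info.cryptsize:#x} cryptid={info.cryptid}")
    print("FairPlay-encrypted:", is_fairplay_encrypted(blob))
```

Run it with the path of the extracted executable to get one line per slice; with no argument it parses the constructed fat fixture. A cryptid of 0 on a binary you pulled straight from the store is itself worth noticing: it means the DRM the accepted answer describes is not present and the copy has already been modified. The same check is useful on the defensive side, for confirming that a build handed to you for analysis is what it claims to be before you trust any finding from it.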
22

After decrypting an IPA file on a jailbroken iDevice, you can use a much more affordable alternative to IDA Pro called Hopper - the multi-platform disassembler for < $100.

https://www.hopperapp.com/

It has support for analyzing iOS executables (among others) and even comes with the ability to convert ARM assembly to pseudo-C.

Hopper screenshot with example disassembly and pseudocode

jkmartindale
Mick
  • To use on Ubuntu, after adding the repo, you need to install libgvc5, add it to ldconfig and execute as sudo – albfan Oct 24 '13 at 10:34
  • But the current version (3) doesn't support 64 bit ARM – too bad, really. – adib Mar 07 '16 at 08:53
11

Other users have done a good job with the elements of this question that are specific to the IPA format. As for obtaining the source code to a binary object, please see this answer as for why this may be more difficult than you expect (as compared to, say, bytecode language decompilation).

Rolf Rolles
10

If you have a jailbroken iDevice, AppSec Labs' iNalyzer can automate some of this process for you as well as provide you with a great way to review an iOS application.

You can install iNalyzer from Cydia after adding the appropriate repo.

In my experience, it's easiest to work with the iNalyzer-created project files (which you will copy from your iDevice after running iNalyzer) from a Linux machine, because the tool requires doxygen and Graphviz Dot to be installed to create its HTML report.

AppSec Labs iNalyzer is a framework for manipulating iOS applications, tampering with parameters and methods; no sources needed! AppSec Labs iNalyzer targets closed applications, turning a painful Black Box into an automatic Gray-Box effort.

AppSec Labs iNalyzer automates your testing effort as it exposes the internal logic of your target iOS application and the correlation between hidden functionalities. The AppSec Labs iNalyzer allows you to use your daily web-based pen-testing tools such as scanners, proxies etc. AppSec Labs iNalyzer maintains the attack logic and forwards it onto the targeted iOS application. No more manual BruteForce, Fuzzing, SQL injection and other tedious manual work!

Mick
10

I would recommend checking out Frida. It's an open source instrumentation toolkit for iOS, Android, Windows, Mac and Linux.

Check out this tutorial to dive in by building your own debugger in 5 minutes using Frida and Qml. The last part shows how to inject code into the “Yo” app and plot its network connections on Google Maps.

5

dumpdecrypted can automate the decryption of the iOS binary. Additionally, there is a tool called iRET that you can use that automates a lot of the analysis and reversing for you.

perror
Steve
1

Rasticrac can also automate the decryption (FairPlay DRM) of the iOS binary and is very easy to use!

Rasticrac

Rapid Advanced Secure Thorough Intelligent Gaulish Nuclear Acclaimed Cracker

Rasticrac is a very powerful tool to decrypt the iOS app binaries. You can install Rasticrac with Cydia by adding the following Repo source in Cydia: http://cydia.iphonecake.com

ixje
David L-R