Failed to dump Gridrunner game

[gingerbeardman]

General information

Please delete the example text and fill this in:

• iOS version: 10.3.3
• Commit hash: 2.0.4-47-gd104f30a9cc5 via Cydia https://stek29.rocks/cyrepo/
• App bundle ID: uk.co.llamasoft.minotron
• App name: Gridrunner
• Command used: example: Clutch -d uk.co.llamasoft.gridrunner

Log

2021-09-12 22:32:40.867 Clutch[1069:19554] command: Dump specified bundleID into .ipa file
Zipping Gridrunner.app
Swapping architectures..
Error: Failed to find address of header!

Error: Failed to dump <Gridrunner> with arch armv7

2021-09-12 22:32:41.414 Clutch[1069:19564] failed operation :(
2021-09-12 22:32:41.415 Clutch[1069:19564] application <NSOperationQueue: 0x100372d90>{name = 'NSOperationQueue 0x100372d90'}
Swapping architectures..
Error: Failed to find address of header!

Error: Failed to dump <Gridrunner> with arch armv7s

2021-09-12 22:32:41.456 Clutch[1069:19564] failed operation :(
2021-09-12 22:32:41.457 Clutch[1069:19564] application <NSOperationQueue: 0x100372d90>{name = 'NSOperationQueue 0x100372d90'}
Error: Failed to dump <Gridrunner>

2021-09-12 22:32:41.457 Clutch[1069:19564] failed operation :(
2021-09-12 22:32:41.457 Clutch[1069:19564] application <NSOperationQueue: 0x100372d90>{name = 'NSOperationQueue 0x100372d90'}
FAILED: <Gridrunner bundleID: uk.co.llamasoft.gridrunner>
Finished dumping uk.co.llamasoft.gridrunner in 1.3 seconds

[Tatsh]

No longer on the store. archive.org has the game and it looks like it is decrypted.

[gingerbeardman]

You're correct that it's no longer on the store.

That's my copy on archive and as far as I know it's not decrypted, it was straight out of iTunes.

That's why I'm here 😄 trying to get it in a better form I can share with others.

I've already successfully decrypted another app I uploaded to archive, using Clutch, and that worked OK and I was able to install it on a device that isn't mine.

[Tatsh]

It's failing to disable ASLR for this binary. Not sure why.

[Tatsh]

Try running with --debug and paste the output here.

[gingerbeardman]

OK, here's verbose output from debug version Clutch-2.0.4-Debug

Matts-iPad:~ root# Clutch-debug -v -d uk.co.llamasoft.gridrunner
ClutchPrint.m : 77 | using bundle identifier
Now dumping uk.co.llamasoft.gridrunner
ClutchPrint.m : 77 | ######## bundle URL file:///private/var/containers/Bundle/Application/369CE54E-5C00-4E2E-973A-321BA9D72654
Preparing to dump <Gridrunner>
Path: /var/containers/Bundle/Application/369CE54E-5C00-4E2E-973A-321BA9D72654/Gridrunner.app/Gridrunner
Zipping Gridrunner.app
ClutchPrint.m : 77 | Finding compatible dumper for binary <Gridrunner> with arch cputype: 12
ClutchPrint.m : 77 | Segment cputype: 12, cpusubtype: 9
ClutchPrint.m : 77 | Device cputype: 16777228, cpusubtype: 0
ClutchPrint.m : 77 | Dumper supports cputype 16777228
ClutchPrint.m : 77 | Dumper <ARM64Dumper> does not support the armv7 architecture
ClutchPrint.m : 77 | <ARM64Dumper: 0x1291a5c20> cannot dump binary <Gridrunner> (arch armv7). Dumper not compatible, finding another dumper
ClutchPrint.m : 77 | Segment cputype: 12, cpusubtype: 9
ClutchPrint.m : 77 | Device cputype: 16777228, cpusubtype: 0
ClutchPrint.m : 77 | Dumper supports cputype 12
ClutchPrint.m : 77 | God Mode On
ClutchPrint.m : 77 | Found compatible dumper <ARMDumper: 0x1291a5c20> for binary <Gridrunner> with arch armv7
Swapping architectures..
ClutchPrint.m : 77 | (null)
ClutchPrint.m : 77 | wrote new header to binary
ClutchPrint.m : 77 | 32bit Dumping: arch armv7 offset 4096
ClutchPrint.m : 77 | FOUND __TEXT SEGMENT
ClutchPrint.m : 77 | FOUND ENCRYPTION INFO: cryptoff 8192 | cryptsize 409600 | cryptid 1
ClutchPrint.m : 77 | FOUND CODE SIGNATURE: dataoff 465088 | datasize 8656
ClutchPrint.m : 77 | binary path /var/containers/Bundle/Application/369CE54E-5C00-4E2E-973A-321BA9D72654/Gridrunner.app/Gridrunner_armv7
ClutchPrint.m : 77 | found all required load commands for <Gridrunner> armv7
ClutchPrint.m : 77 | to MH_PIE or not to MH_PIE, that is the question
ClutchPrint.m : 77 | got the pid 684 /var/containers/Bundle/Application/369CE54E-5C00-4E2E-973A-321BA9D72654/Gridrunner.app/Gridrunner_armv7
ClutchPrint.m : 77 | 4096 465088 738197504
ClutchPrint.m : 77 | Found CSSLOT_CODEDIRECTORY
Error: Failed to find address of header!

Error: Failed to dump <Gridrunner> with arch armv7

2021-09-13 13:11:37.248 Clutch-debug[683:60564] failed operation :(
2021-09-13 13:11:37.249 Clutch-debug[683:60564] application <NSOperationQueue: 0x127e556c0>{name = 'NSOperationQueue 0x127e556c0'}
ClutchPrint.m : 77 | operation hash 4984503296
ClutchPrint.m : 77 | operation hash 4983617248
ClutchPrint.m : 77 | operation hash 4201234
ClutchPrint.m : 77 | Finding compatible dumper for binary <Gridrunner> with arch cputype: 12
ClutchPrint.m : 77 | Segment cputype: 12, cpusubtype: 11
ClutchPrint.m : 77 | Device cputype: 16777228, cpusubtype: 0
ClutchPrint.m : 77 | Dumper supports cputype 16777228
ClutchPrint.m : 77 | Dumper <ARM64Dumper> does not support the armv7s architecture
ClutchPrint.m : 77 | <ARM64Dumper: 0x1290dce80> cannot dump binary <Gridrunner> (arch armv7s). Dumper not compatible, finding another dumper
ClutchPrint.m : 77 | Segment cputype: 12, cpusubtype: 11
ClutchPrint.m : 77 | Device cputype: 16777228, cpusubtype: 0
ClutchPrint.m : 77 | Dumper supports cputype 12
ClutchPrint.m : 77 | God Mode On
ClutchPrint.m : 77 | Found compatible dumper <ARMDumper: 0x1290dce80> for binary <Gridrunner> with arch armv7s
Swapping architectures..
ClutchPrint.m : 77 | (null)
ClutchPrint.m : 77 | wrote new header to binary
ClutchPrint.m : 77 | 32bit Dumping: arch armv7s offset 479232
ClutchPrint.m : 77 | FOUND __TEXT SEGMENT
ClutchPrint.m : 77 | FOUND ENCRYPTION INFO: cryptoff 8192 | cryptsize 409600 | cryptid 1
ClutchPrint.m : 77 | FOUND CODE SIGNATURE: dataoff 465008 | datasize 8656
ClutchPrint.m : 77 | binary path /var/containers/Bundle/Application/369CE54E-5C00-4E2E-973A-321BA9D72654/Gridrunner.app/Gridrunner_armv7s
ClutchPrint.m : 77 | found all required load commands for <Gridrunner> armv7s
ClutchPrint.m : 77 | to MH_PIE or not to MH_PIE, that is the question
ClutchPrint.m : 77 | got the pid 685 /var/containers/Bundle/Application/369CE54E-5C00-4E2E-973A-321BA9D72654/Gridrunner.app/Gridrunner_armv7s
ClutchPrint.m : 77 | 479232 465008 738197504
ClutchPrint.m : 77 | Found CSSLOT_CODEDIRECTORY
Error: Failed to find address of header!

Error: Failed to dump <Gridrunner> with arch armv7s

2021-09-13 13:11:37.272 Clutch-debug[683:60564] failed operation :(
2021-09-13 13:11:37.272 Clutch-debug[683:60564] application <NSOperationQueue: 0x127e556c0>{name = 'NSOperationQueue 0x127e556c0'}
ClutchPrint.m : 77 | operation hash 4984503296
ClutchPrint.m : 77 | operation hash 4201234
Error: Failed to dump <Gridrunner>

2021-09-13 13:11:37.272 Clutch-debug[683:60564] failed operation :(
2021-09-13 13:11:37.272 Clutch-debug[683:60564] application <NSOperationQueue: 0x127e556c0>{name = 'NSOperationQueue 0x127e556c0'}
ClutchPrint.m : 77 | operation hash 4984503296
ClutchPrint.m : 77 | operation hash 4201234
FAILED: <Gridrunner bundleID: uk.co.llamasoft.gridrunner>
Finished dumping uk.co.llamasoft.gridrunner in 1.3 seconds
Matts-iPad:~ root# 

[gingerbeardman]

Any further thoughts @Tatsh ?

[Tatsh]

Try https://github.com/as0ler/r2flutch

[gingerbeardman]

Will do

[Tatsh]

Try https://github.com/JohnCoates/flexdecrypt (iOS) and https://github.com/subdiox/UnFairPlay (on macOS) if you can. I am curious if these work.

[gingerbeardman]

UnFairPlay

$ ./unfairplay Gridrunner Gridrunner.out
Assertion failed: (header->magic == MH_MAGIC_64), function main, file unfairplay.c, line 147.
[1]    34894 abort      ./unfairplay Gridrunner Gridrunner.out

Will try the others soon.

[gingerbeardman]

flexdecrypt

Error: message("Spawn failed with result #85: #2: No such file or directory")

see this issue

[gingerbeardman]

r2flutch

$ r2flutch -i uk.co.llamasoft.gridrunner
[+] Open Application Process uk.co.llamasoft.gridrunner
[r] Cannot open 'frida://launch/usb/644ceeafa65960cb3a2249b2f6a8b7702381d15b/uk.co.llamasoft.gridrunner'
[x] ERROR - Cannot open target process: uk.co.llamasoft.gridrunner

I can't seem to get Frida running correctly. Will try again at some point soon.

[Tatsh]

As far as I can tell, that new method only works on 64-bit binaries unfortunately.