GIDecrypt

From The Apple Wiki

GIDecrypt is a program written by p0sixninja to automatically decrypt KBAG and print the key/IV pair for a given 3.0 IMG3.

Tested on anything other then 32-bit Linux. Requires libcrypto to compile properly.

License

This code is assumed to be in the public domain, or where that is not possible, this code is CC0. As it uses OpenSSL, this code CAN NOT be used in GNU GPL applications1, however, this statement has been disputed and there are ways around this restriction2. It can, however, be used freely in GNU GPL applications IF GnuTLS is used instead as GnuTLS is licensed under the GNU LGPL, which is GNU GPL compatible.

The code below requires OpenSSL, but can support GnuTLS with very little modification

Code

/*
 * gidecrypt.c
 *
 *  Created on: Jun 17, 2009
 *      Author: posixninja
 * 
 *  Modified on: Jan 23, 2013
 *      Author: 5urd
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
#include <openssl/aes.h>

typedef struct {
    uint32_t magic;
    uint32_t total_size;
    uint32_t data_size;
    uint32_t state;
    uint32_t type;
    uint8_t iv[16];
    uint8_t key[32];
} kbag_struct;

void hexdump(uint8_t *hex, int size) {
    int i = 0;
    for (; i < size; i++)
        printf("%02x", hex[i]);
    printf("\n");
}

int main(int argc, char* argv[]) {
    uint8_t gid_key[] = { 0x5F, 0x65, 0x02, 0x95, 0xE1, 0xFF, 0xFC, 0x97,
                          0xCE, 0x77, 0xAB, 0xD4, 0x9D, 0xD9, 0x55, 0xB3 };
    uint8_t gid_iv[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
    
    uint8_t kbag_tag[4] = { 0x47, 0x41, 0x42, 0x4B };
    uint8_t outbuf[32];
    uint8_t *input;
    uint8_t *output;
    AES_KEY aes_key;
    kbag_struct *kbag;
    uint8_t *file_buffer;
    int i;
    int file_size;
    FILE *in_file;
    
    if (argc < 3) {
        printf("Usage: ./gidecrypt <input.img3> <output.img3>\n");
        return 1;
    }
    input = argv[1];
    output = argv[2];

    in_file = fopen(input, "rb");
    if (in_file == NULL) {
        printf("Can't open file %s\n", input);
        return 1;
    }
    fseek(in_file, 0, SEEK_END);
    file_size = ftell(in_file);
    fseek(in_file, 0, SEEK_SET);

    file_buffer = malloc(file_size);
    fread(file_buffer, 1, file_size, in_file);
    fclose(in_file);
    
    for (i = 0; i < file_size; i++) {
        if (memcmp(&file_buffer[i], &kbag_tag, 4) == 0) {
            kbag = malloc(sizeof(kbag_struct));
            memcpy(kbag, &file_buffer[i], sizeof(kbag_struct));
            break;
        }
    }
    
    AES_set_decrypt_key(gid_key, kbag->type ,&aes_key);
    AES_cbc_encrypt((uint8_t*)&kbag->iv, outbuf, 0x30, &aes_key, gid_iv, AES_DECRYPT);
    
    printf("IV:  ");
    hexdump(outbuf, 16);
    printf("Key: ");
    hexdump(&outbuf[16], 16);
    
    free(kbag);
    free(file_buffer);
    
    return 0;
}

References

  1. Why the GNU GPL is incompatible with OpenSSL
  2. GNOME on OpenSSL and the GPL [Archived 2013-03-02 at the Wayback Machine]
Retrieved from "https://theapplewiki.com/index.php?title=GIDecrypt&oldid=174271"