jtool: incorrect extraction of binary plist (solved)


Postby 0xdead10cc » Tue Mar 06, 2018 5:17 pm

Entitlements can be embedded as binary plists in executables. These entitlement blobs are not correctly extracted by jtool.

The app that triggered this issue for me is https://itunes.apple.com/us/app/word-puzzle-quiz/id1330220225?mt=12

This is what codesign returns:

$ codesign -d --entitlements - /Applications/WORD\ PUZZLE\ QUIZ.app/Contents/MacOS/WORD\ PUZZLE\ QUIZ | xxd
Executable=/Applications/WORD PUZZLE QUIZ.app/Contents/MacOS/WORD PUZZLE QUIZ
00000000: fade 7171 0000 0081 6270 6c69 7374 3030  ..qq....bplist00
00000010: d201 0203 045f 101e 636f 6d2e 6170 706c  ....._..com.appl
00000020: 652e 7365 6375 7269 7479 2e61 7070 2d73  e.security.app-s
00000030: 616e 6462 6f78 5f10 2163 6f6d 2e61 7070  andbox_.!com.app
00000040: 6c65 2e73 6563 7572 6974 792e 6e65 7477  le.security.netw
00000050: 6f72 6b2e 636c 6965 6e74 0909 080d 2e52  ork.client.....R
00000060: 5300 0000 0000 0001 0100 0000 0000 0000  S...............
00000070: 0500 0000 0000 0000 0000 0000 0000 0000  ................
00000080: 54                                       T


and this is what jtool produces:

$ jtool --ent /Applications/WORD\ PUZZLE\ QUIZ.app/Contents/MacOS/WORD\ PUZZLE\ QUIZ | xxd
00000000: 6270 6c69 7374 3030 d201 0203 045f 101e  bplist00....._..
00000010: 636f 6d2e 6170 706c 652e 7365 6375 7269  com.apple.securi
00000020: 7479 2e61 7070 2d73 616e 6462 6f78 5f10  ty.app-sandbox_.
00000030: 2163 6f6d 2e61 7070 6c65 2e73 6563 7572  !com.apple.secur
00000040: 6974 792e 6e65 7477 6f72 6b2e 636c 6965  ity.network.clie
00000050: 6e74 0909 080d 2e52 530a                 nt.....RS.


codesign's output is a valid binary plist, after discarding the first 8 bytes. Jtool's output, however, is not. Both plutil and jlutil cannot work with the resulting file.

J Says: Thanks. This was a stupid error of a printf("%s\n", ent); for the blob, which ended naturally on the NULL byte (the bplist00 ends later, which is why it was not recognized). Fixed (incorporated into NewOSXbook.com/tools/jtool, the silent build).

Chimera:MacOS morpheus$ jtool  --ent /Applications/WORD\ PUZZLE\ QUIZ.app/Contents/MacOS/WORD\ PUZZLE\ QUIZ  > /tmp/x.ent
Chimera:MacOS morpheus$ plutil !$
plutil /tmp/x.ent
/tmp/x.ent: OK


0xdead10cc
 
Posts: 5
Joined: Fri Jan 05, 2018 12:00 am
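The truncation discussed in this thread, as an added example that is not jtool's code: the 8 bytes codesign prints before `bplist00` are a big-endian magic (`fade 7171`) and a total length (`0000 0081`), so the payload has to be written by that length rather than as a C string. The function names and the shortened sample blob are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CSMAGIC_EMBEDDED_ENTITLEMENTS 0xfade7171u

/* Constructed sample: 8-byte blob header plus a shortened bplist-like
 * payload that, like the real one in this thread, contains a NUL byte. */
static const uint8_t sample_blob[] = {
    0xfa, 0xde, 0x71, 0x71, 0x00, 0x00, 0x00, 0x14, /* magic, total length = 20 */
    'b', 'p', 'l', 'i', 's', 't', '0', '0',
    0xd2, 0x01, 0x00, 0x54                          /* NUL inside the payload */
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Validate the header against the bytes available; return the payload and
 * its length (total length minus the 8-byte header), or NULL if malformed. */
static const uint8_t *ent_payload(const uint8_t *blob, size_t avail, size_t *len) {
    if (avail < 8 || be32(blob) != CSMAGIC_EMBEDDED_ENTITLEMENTS) return NULL;
    uint32_t total = be32(blob + 4);
    if (total < 8 || total > avail) return NULL;
    *len = total - 8;
    return blob + 8;
}

/* Number of bytes a "%s" conversion would emit: it stops at the first NUL. */
static size_t len_as_c_string(const uint8_t *payload, size_t len) {
    const uint8_t *nul = memchr(payload, 0, len);
    return nul ? (size_t)(nul - payload) : len;
}

int main(void) {
    size_t len;
    const uint8_t *p = ent_payload(sample_blob, sizeof sample_blob, &len);
    if (!p) return 1;
    fprintf(stderr, "payload: %zu bytes; \"%%s\" would emit only %zu\n",
            len, len_as_c_string(p, len));
    /* Length-based write keeps every byte, including embedded NULs. */
    return fwrite(p, 1, len, stdout) == len ? 0 : 1;
}
```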
