iOS App Unpacking Tutorial Using dumpdecrypted and frida‑ios‑dump
This tutorial walks through jailbreaking an iPhone, configuring Cydia and Frida, then using either dumpdecrypted or frida‑ios‑dump to strip the App Store protection shell, rebuild the IPA with a decrypted binary, and extract class headers, while addressing typical connection and compatibility problems.
Before the steps themselves, a short note on why removing the protection shell ("cracking" in the sense used here) is necessary and what becomes possible once it is done.
When an interesting app is found on the App Store, developers often want to analyze its implementation: the engine used, coding style, third‑party libraries, etc. However, apps from the App Store are protected by a shell, so the first hurdle is to remove that shell.
Step 1 – Jailbreak the iPhone
1. Download checkra1n from https://checkra.in/.
2. Connect the iPhone to a Mac, ensure the device is recognized, and click the start button.
3. Follow the on‑screen instructions; after a successful jailbreak, the checkra1n app appears on the phone (do not disconnect the phone before the process finishes).
4. Open checkra1n and install Cydia.
Step 2 – Configure the phone environment
In Cydia, install OpenSSH and Cycript, then add the Frida repository (https://build.frida.re) and install the Frida plugin (choose the version that matches the iOS version).
Step 3 – Download the target app
Download the desired app from the App Store and launch it.
Step 4 – Core cracking operations
Two main tools are introduced:
dumpdecrypted – simple environment setup, but it requires several manual steps and produces a .decrypted file that has to be swapped into the IPA by hand.
frida – one‑click cracking that produces a finished IPA package, but the environment setup is more involved and the dump has to be restarted from scratch if it is interrupted.
dumpdecrypted method
Download address: https://github.com/stefanesser/dumpdecrypted. The original source only dumps the main executable, not the framework libraries bundled with the app (see https://github.com/AloneMonkey/dumpdecrypted.git for a modified version that also handles frameworks).
1. Build dumpdecrypted.dylib and sign it:
security find-identity -v -p codesigning
codesign --force --verify --verbose --sign "iPhone Developer: xxxxx" dumpdecrypted.dylib
2. Locate the target app on the device and copy dumpdecrypted.dylib into its sandbox:
ssh root@
ps -e – list processes, find the app’s PID and path.
cycript -p – obtain the sandbox path.
3. Transfer the dylib to the sandbox:
scp dumpdecrypted.dylib root@ :/var/mobile/Containers/Data/Application/ /Documents/
4. Use the dylib to dump the app:
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/.../"Strategy click ejection".app/"Strategy click ejection"
5. Retrieve the generated .decrypted file and the original IPA, replace the encrypted binary with the decrypted one, and rebuild the IPA.
Verification command:
otool -l | grep cryptid – a cryptid value of 1 indicates the binary is still encrypted.
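The otool check above reads the cryptid field of the LC_ENCRYPTION_INFO(_64) load command. The following script, added here as an illustration and not part of the original tutorial or either tool, does the same check directly on a thin arm64 Mach-O file so it can be scripted over every binary in a rebuilt IPA; it assumes a little-endian thin image (no FAT header) and uses a constructed minimal Mach-O as its sample input.

```python
import struct
import sys
from typing import Optional

MH_MAGIC = 0xFEEDFACE          # 32-bit Mach-O header (28 bytes)
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit Mach-O header (32 bytes)
LC_UUID = 0x1B
LC_ENCRYPTION_INFO = 0x21      # cmd, cmdsize, cryptoff, cryptsize, cryptid
LC_ENCRYPTION_INFO_64 = 0x2C   # same layout plus a trailing pad field


def read_cryptid(data: bytes) -> Optional[int]:
    """Return cryptid of a thin Mach-O image (1 = still FairPlay-encrypted,
    0 = decrypted), or None if no LC_ENCRYPTION_INFO(_64) command is present."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        header_len = 32
    elif magic == MH_MAGIC:
        header_len = 28
    else:
        raise ValueError("not a thin little-endian Mach-O image: magic 0x%08x" % magic)
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    end = header_len + sizeofcmds
    offset = header_len
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmdsize < 8 or offset + cmdsize > end:
            raise ValueError("malformed load command at offset %d" % offset)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # cryptid is the fifth uint32 of the command, i.e. 16 bytes in
            return struct.unpack_from("<I", data, offset + 16)[0]
        offset += cmdsize
    return None


def build_sample(cryptid: int) -> bytes:
    """Constructed sample image (not a real app): 64-bit arm64 header with an
    LC_UUID command followed by an LC_ENCRYPTION_INFO_64 command."""
    uuid_cmd = struct.pack("<II", LC_UUID, 24) + bytes(16)
    enc_cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    cmds = uuid_cmd + enc_cmd
    # magic, cputype (CPU_TYPE_ARM64), cpusubtype, MH_EXECUTE, ncmds, sizeofcmds, flags, reserved
    return struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(cmds), 0, 0) + cmds


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(1)
    cid = read_cryptid(data)
    print("no encryption info" if cid is None else "cryptid=%d (%s)" % (cid, "encrypted" if cid else "decrypted"))
```

Run it with the path of the binary taken out of the rebuilt IPA; with no argument it checks the constructed sample, which reports cryptid=1.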
frida‑ios‑dump method
Download address: https://github.com/AloneMonkey/frida-ios-dump.
1. Install the Frida environment on the computer (matching the iOS version) and install required dependencies:
pip3 install frida
sudo pip3 install -r requirements.txt --upgrade
2. Edit dump.py to set the correct host and port of the iPhone.
3. List installed apps on the device:
python3 dump.py -l
4. Dump a specific app by name or bundle identifier:
python3 dump.py [app name]/[app bundle]
Step 5 – Extract class information
Use class‑dump to extract header information from the dumped Mach‑O file.
Download address: http://stevenygard.com/projects/class-dump/.
Install and give execution permission:
sudo chmod 777 class-dump
Extract headers:
class-dump -H -o
Common Issues and Solutions
1. SSH connection error – caused by stale entries in known_hosts. Fix with ssh-keygen -R.
2. dumpdecrypted aborts with “Abort trap: 6” – due to version mismatch between the dylib and the iOS version. Rebuild the dylib for the correct OS version.
3. Frida dependency installation error – add --use-feature=2020-resolver to the pip command.
4. Frida dump script errors:
Missing gadget library – download the matching gadget‑ios.dylib from the Frida releases page and place it in ~/.cache/frida .
Python traceback in dump.py – change the shebang to #!/usr/bin/env python3 and make sure the file carries a UTF‑8 encoding declaration.
By following these steps, the protected iOS app can be successfully unpacked, its binary decrypted, and its class information extracted for further analysis.
37 Interactive Technology Team
37 Interactive Technology Center