pa4373/find_cryptid_offset.py

## find_cryptid_offset.py
#!/usr/bin/env python
import os, sys, struct

def parse_arg(argv):
    if len(argv) != 2:
        print 'require one argument.'
    elif not 'Mach-O' in [i.rstrip() for i in os.popen('file %s' % argv[1])][0]:
        print 'the argument must be Mach-O binary file.'
    else:
        return argv[1]
    exit()

def otool_file(filename):
    # armv7 is supported
    cmd = 'arm-apple-darwin11-lipo -thin armv7 %s -output %s.armv7' % (filename, filename)
    os.system(cmd)
    cmd = "arm-apple-darwin11-otool -l %s.armv7 | grep LC_ENCRYPTION -A 3 | awk '{print $2}'" % filename
    stdout = [i.rstrip() for i in os.popen(cmd)]
    try:
        cmdsize = int(stdout[1])
        cryptoff = int(stdout[2])
        cryptsize = int(stdout[3])
    except ValueError:
        print "cannot determine bytes to search."
        exit()
    os.remove('%s.armv7' % filename)
    return (cmdsize, cryptoff, cryptsize)

def find_offset(filename):
    f = open(filename, 'rb')
    s = f.read()
    LC_ENCRYPTION_INFO = struct.pack('<I', 33)
    _cmdsize, _cryptoff, _cryptsize = otool_file(filename)
    cmdsize = struct.pack('<I', _cmdsize)
    cryptoff = struct.pack('<I', _cryptoff)
    cryptsize = struct.pack('<I', _cryptsize)
    LC_ENCRYPTION_SECTION = LC_ENCRYPTION_INFO + cmdsize + cryptoff + cryptsize
    section_offset = s.find(LC_ENCRYPTION_SECTION)
    cryptid_offset = section_offset + 16
    return cryptid_offset

if __name__ == '__main__':
    filename = parse_arg(sys.argv)
    print find_offset(filename)
	#!/usr/bin/env python
	import os, sys, struct

	def parse_arg(argv):
	if len(argv) != 2:
	print 'require one argument.'
	elif not 'Mach-O' in [i.rstrip() for i in os.popen('file %s' % argv[1])][0]:
	print 'the argument must be Mach-O binary file.'
	else:
	return argv[1]
	exit()

	def otool_file(filename):
	# armv7 is supported
	cmd = 'arm-apple-darwin11-lipo -thin armv7 %s -output %s.armv7' % (filename, filename)
	os.system(cmd)
	cmd = "arm-apple-darwin11-otool -l %s.armv7 \| grep LC_ENCRYPTION -A 3 \| awk '{print $2}'" % filename
	stdout = [i.rstrip() for i in os.popen(cmd)]
	try:
	cmdsize = int(stdout[1])
	cryptoff = int(stdout[2])
	cryptsize = int(stdout[3])
	except ValueError:
	print "cannot determine bytes to search."
	exit()
	os.remove('%s.armv7' % filename)
	return (cmdsize, cryptoff, cryptsize)

	def find_offset(filename):
	f = open(filename, 'rb')
	s = f.read()
	LC_ENCRYPTION_INFO = struct.pack('<I', 33)
	_cmdsize, _cryptoff, _cryptsize = otool_file(filename)
	cmdsize = struct.pack('<I', _cmdsize)
	cryptoff = struct.pack('<I', _cryptoff)
	cryptsize = struct.pack('<I', _cryptsize)
	LC_ENCRYPTION_SECTION = LC_ENCRYPTION_INFO + cmdsize + cryptoff + cryptsize
	section_offset = s.find(LC_ENCRYPTION_SECTION)
	cryptid_offset = section_offset + 16
	return cryptid_offset

	if __name__ == '__main__':
	filename = parse_arg(sys.argv)
	print find_offset(filename)