Skip to content
/ MGKeys Public

MobileGestalt Keys (De)obfuscation.

License

MIT license
132 stars 21 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

PoomSmart/MGKeys

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

138 Commits
MGKeys.playground
MGKeys.playground
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
combine-hashes.sh
combine-hashes.sh
 
 
deobfuscate.sh
deobfuscate.sh
 
 
deobfuscated.py
deobfuscated.py
 
 
deobfuscated_legacy.py
deobfuscated_legacy.py
 
 
discover.sh
discover.sh
 
 
false-positives.txt
false-positives.txt
 
 
gen_mapping.py
gen_mapping.py
 
 
gen_maybe_non_gestalt_keys.py
gen_maybe_non_gestalt_keys.py
 
 
gen_md5.py
gen_md5.py
 
 
hashes_legacy.txt
hashes_legacy.txt
 
 
keys_desc.py
keys_desc.py
 
 
locate-usage.sh
locate-usage.sh
 
 
mapping-gestalt.h
mapping-gestalt.h
 
 
mapping-legacy.h
mapping-legacy.h
 
 
mapping.h
mapping.h
 
 
obfuscate.py
obfuscate.py
 
 
struct.h
struct.h
 
 
util.m
util.m
 
 

Repository files navigation

MGKeys

Mapping of the obfuscated keys (or questions) used by iOS's MobileGestalt to the de-obfuscated, easier-to-understand ones. To obfuscate a key, Apple calculates the base64 of MGCopyAnswer{theKey}, truncates the last two characters and calculates the MD5 from the resulting string.

It is our job to de-obfuscate them all.

The keys are currently based on iOS 18.2b1.

Patterns

There are a few certain patterns of the key names, which can be useful for de-obfuscation.

  • Kebab case some-key-name
    • has-xxx
    • supports-xxx
  • Pascal case of DeviceSupportsXXX (common)
  • Pascal case of XXXCapability (common)
    • FrontFacing(Camera)XXXCapability
    • RearFacing(Camera)XXXCapability
  • Pascal case of SupportsXXX
  • Pascal case of HasXXX
  • Pascal case of IsXXX
  • Pascal case of XXXData (usually come alongside another key without Data suffix in it)

Non-Gestalt Keys

There are also keys which are obfuscated the same way but are not considered as MobileGestalt keys. That is, you can't use MGCopyAnswer to get the value of the key. Instead, they are used for retrieving the value from the IODeviceTree, in an obfuscated manner. These keys are mostly in the kebab case, having their pascal case equivalent which is actually used by MGCopyAnswer. In the mapping files, these keys are marked with a comment // non-gestalt-key.

Typical Workflow

  1. Extract libMobileGestalt.dylib from the dyld_shared_cache of an iOS device
  2. Run deobfuscate.sh script to get the new unmapped obfuscated keys
  3. Throw the dylib into Hopper or IDA to find the human-readable function that is referenced by each key
  4. Update the key mapping in deobfuscated.py
  5. Run deobfuscate.sh again to update the mapping and to also verify each function name converts to the obfuscated key it references to
  6. Move all keys that fail to convert to unknown_keys_desc of keys_desc.py, if any

Credits (Keys De-obfuscation)

Further Readings

About

MobileGestalt Keys (De)obfuscation.

Topics

ios obfuscation md5 mobilegestalt

Resources

Readme

License

MIT license
Activity

Stars

132 stars

Watchers

12 watching

Forks

21 forks
Report repository

Contributors 3

Languages