 

Removing the code signature from a mac app executable

I have a signed Mac app executable. I initialised NSMutableData with the content of the code-signed executable. Then I modified some part of the executable and saved the modified executable. When I tried to run the original app with this modified executable, the app crashed.

Crash log is,

 System Integrity Protection: disabled

 Crashed Thread:        0  Dispatch queue: com.apple.main-thread

 Exception Type:        EXC_CRASH (Code Signature Invalid)
 Exception Codes:       0x0000000000000001, 0x0000000000000000
 Exception Note:        EXC_CORPSE_NOTIFY

 Termination Reason:    Namespace CODESIGNING, Code 0x2 

From the crash log it is clear that it crashed because of invalid code signature. I don't have source code for the app and I'm simply trying to fix some bugs in someone's old app.

So my question is: how do I remove the code signature of a binary in Objective-C?

Jaffer Sheriff asked Jun 07 '26 02:06


1 Answer

For all moral preachers, thanks for enlightening my life and showing the moral path of life. 😏

It's not well documented at all, from what I can tell, but you may be able to remove code signing via:

      codesign --remove-signature appName

Alternate way:

Patching up decrypted files (removing LC_CODE_SIGNATURE)
--------------------------------------------------------

Make sure you have got the files thinned (ditto --arch i386) before proceeding.

To remove a code signature you need to do the following steps:

NOTE: Intel Mach-O binaries start with 0xCEFAEDFE; PPC Mach-O binaries start with 0xFEEDFACE.

    • Modify the number of load commands (starts at offset 0x10/16, 4B size).
    • If the load commands are e.g. 0x2C, subtract 0x1 -> 0x2B.
    • Modify the size of the load commands (starts at offset 0x14/20, 4B size).
    • Remember that for Intel you need to swap the bytes to get the value. If it reads as FC 17 00 00 it actually is 0x000017FC.
    • Subtract 0x10 or 16 from the value; in the case above -> 0x000017EC.
    • Swap bytes again (for Intel). 0x000017EC is thus EC 17 00 00.
    • Modify the 16 bytes from the load command entry for LC_CODE_SIGNATURE. Replace them with 16 x 0x00. This entry starts with 0x1D000000 on Intel and 0x0000001D on PPC.
    • This modifies the load command (8B) and the contents of the load command (8B). In this case the load command in total should always be: Intel: 0x1D00000010000000 PPC: 0x0000001D00000010
    • Remove the actual code signature. This starts with 0xFADE0CC0 on both Intel and PPC. Replace the entire code signature with 0x00 bytes.
Jaffer Sheriff answered Jun 09 '26 17:06
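
As an added example (not part of the original answer), this read-only Python check walks the load commands using the offsets quoted above and reports whether LC_CODE_SIGNATURE is present and whether the blob it points to still begins with 0xFADE0CC0. It goes beyond the 32-bit case in the answer by also accepting 64-bit thin images; the function names, status strings and sample bytes are constructed for illustration.

```python
import struct

LC_CODE_SIGNATURE = 0x1D          # load command id named in the answer
CS_SUPERBLOB_MAGIC = 0xFADE0CC0   # signature blob magic, stored big-endian
# First four bytes on disk -> (byte order of header fields, header size)
MAGICS = {
    b"\xce\xfa\xed\xfe": ("<", 28),  # 32-bit little-endian (Intel)
    b"\xfe\xed\xfa\xce": (">", 28),  # 32-bit big-endian (PPC)
    b"\xcf\xfa\xed\xfe": ("<", 32),  # 64-bit little-endian
    b"\xfe\xed\xfa\xcf": (">", 32),  # 64-bit big-endian
}

def inspect_code_signature(data: bytes) -> dict:
    """Report the code-signature state of a thin Mach-O image (read-only)."""
    if data[:4] not in MAGICS:
        raise ValueError("not a thin Mach-O file (fat or unknown magic)")
    endian, header_size = MAGICS[data[:4]]
    # ncmds lives at offset 0x10 and sizeofcmds at 0x14, as in the answer
    ncmds, sizeofcmds = struct.unpack_from(endian + "II", data, 0x10)
    offset, end = header_size, header_size + sizeofcmds
    for _ in range(ncmds):
        if offset + 8 > min(end, len(data)):
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from(endian + "II", data, offset)
        if cmdsize < 8:
            raise ValueError("invalid cmdsize")
        if cmd == LC_CODE_SIGNATURE:
            dataoff, datasize = struct.unpack_from(endian + "II", data, offset + 8)
            blob = data[dataoff:dataoff + 4]
            ok = len(blob) == 4 and struct.unpack(">I", blob)[0] == CS_SUPERBLOB_MAGIC
            # "dangling": the load command exists but the blob magic is gone
            return {"status": "signed" if ok else "dangling",
                    "dataoff": dataoff, "datasize": datasize}
        offset += cmdsize
    return {"status": "unsigned", "dataoff": None, "datasize": None}

def build_sample(signed: bool = True, blob_magic: int = CS_SUPERBLOB_MAGIC) -> bytes:
    """Constructed 32-bit little-endian Mach-O stub, for demonstration only."""
    ncmds, sizeofcmds = (1, 16) if signed else (0, 0)
    header = struct.pack("<7I", 0xFEEDFACE, 7, 3, 2, ncmds, sizeofcmds, 0)
    if not signed:
        return header
    lc = struct.pack("<4I", LC_CODE_SIGNATURE, 16, 44, 12)  # blob at offset 44
    return header + lc + struct.pack(">3I", blob_magic, 12, 0)

if __name__ == "__main__":
    print(inspect_code_signature(build_sample()))
```

A "dangling" result means the header still advertises a signature whose data has been overwritten, which is the state that produces the Code Signature Invalid termination shown in the question's crash log.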


