
MobileGestalt Keys (De)obfuscation.

PoomSmart/MGKeys

MGKeys

Mapping of the obfuscated keys (or questions) used by iOS's MobileGestalt to the de-obfuscated, easier-to-understand ones. To obfuscate a key, Apple calculates the base64 of MGCopyAnswer{theKey}, truncates the last two characters and calculates the MD5 from the resulting string.

It is our job to de-obfuscate them all.

The keys are currently based on iOS 18.2.

Patterns

Key names follow a few recurring patterns, which can be useful for de-obfuscation.

  • Kebab case some-key-name
    • has-xxx
    • supports-xxx
  • Pascal case of DeviceSupportsXXX (common)
  • Pascal case of XXXCapability (common)
    • FrontFacing(Camera)XXXCapability
    • RearFacing(Camera)XXXCapability
  • Pascal case of SupportsXXX
  • Pascal case of HasXXX
  • Pascal case of IsXXX
  • Pascal case of XXXData (usually comes alongside another key without the Data suffix)

Non-Gestalt Keys

There are also keys that are obfuscated the same way but are not considered MobileGestalt keys. That is, you can't use MGCopyAnswer to get the value of the key. Instead, they are used to retrieve the value from the IODeviceTree, in an obfuscated manner. These keys are mostly in kebab case and have a Pascal case equivalent, which is the one actually used by MGCopyAnswer. In the mapping files, these keys are marked with a comment // non-gestalt-key.

Typical Workflow

  1. Extract libMobileGestalt.dylib from the dyld_shared_cache of an iOS device
  2. Run the deobfuscate.sh script to get the new unmapped obfuscated keys
  3. Load the dylib into Hopper or IDA to find the human-readable function that is referenced by each key
  4. Update the key mapping in deobfuscated.py
  5. Run deobfuscate.sh again to update the mapping and to verify that each function name converts to the obfuscated key it refers to
  6. Move all keys that fail to convert to unknown_keys_desc of keys_desc.py, if any
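
The sketch below is an added example, not code from this repository: it expands word stems into the name shapes listed under Patterns, hashes each candidate, and then performs the check from steps 5 and 6 of the workflow. The function names and sample stems are hypothetical, and it assumes the obfuscated form is the base64 of the MD5 digest of MGCopyAnswer + key with the two trailing padding characters dropped, which gives a 22-character string.

```python
import base64
import hashlib

def obfuscate(key: str) -> str:
    # Assumed order: MD5("MGCopyAnswer" + key), base64 of the 16-byte digest,
    # then drop the two trailing '=' padding characters (22 characters remain).
    digest = hashlib.md5(("MGCopyAnswer" + key).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")[:-2]

def candidates(words):
    """Expand a word stem into the name shapes listed under Patterns."""
    kebab = "-".join(w.lower() for w in words)
    pascal = "".join(w[:1].upper() + w[1:] for w in words)
    yield from (kebab, "has-" + kebab, "supports-" + kebab)
    yield from (pascal, pascal + "Data", pascal + "Capability")
    yield from (p + pascal for p in ("DeviceSupports", "Supports", "Has", "Is"))
    for side in ("FrontFacing", "RearFacing"):
        for cam in ("", "Camera"):  # "(Camera)" is optional in the pattern
            yield side + cam + pascal + "Capability"

def resolve(unmapped, stems):
    """Return {obfuscated: name} for every candidate that hashes to an unmapped key."""
    targets, found = set(unmapped), {}
    for words in stems:
        for name in candidates(words):
            obf = obfuscate(name)
            if obf in targets:
                found[obf] = name
    return found

def verify(mapping):
    """Workflow steps 5-6: split a mapping into verified and failing entries."""
    ok, failed = {}, {}
    for obf, name in mapping.items():
        (ok if obfuscate(name) == obf else failed)[obf] = name
    return ok, failed

if __name__ == "__main__":
    # Constructed sample: placeholder names hashed locally, not keys from a real dylib.
    unmapped = [obfuscate("DeviceSupportsExampleFeature"),
                obfuscate("has-example-part"),
                "AAAAAAAAAAAAAAAAAAAAAA"]  # stays unresolved
    found = resolve(unmapped, [("example", "feature"), ("example", "part")])
    for obf, name in found.items():
        print(obf, "->", name)
    ok, failed = verify({**found, "AAAAAAAAAAAAAAAAAAAAAA": "WrongGuess"})
    print("verified:", len(ok), "move to unknown_keys_desc:", sorted(failed.values()))
```

Entries returned in the second dictionary of verify are the ones that step 6 moves to unknown_keys_desc.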

Credits (Keys De-obfuscation)

Further Readings