Patching up decrypted files (removing LC_CODE_SIGNATURE)
--------------------------------------------------------
Make sure you have got the files thinned (ditto --arch i386) before proceeding.
To remove a code signature you need to do the following steps:
NOTE:
Intel Mach-O binaries start with 0xCEFAEDFE
PPC Mach-O binaries start with 0xFEEDFACE
- Modify the number of load commands (starts at offset 0x10/16, 4B size).
  If the number of load commands is e.g. 0x2C, subtract 0x1 -> 0x2B.
- Modify the size of the load commands (starts at offset 0x14/20, 4B size).
  Remember that for Intel you need to swap the bytes to get the value:
  if it reads as FC 17 00 00, it actually is 0x000017FC.
  Subtract 0x10 (16) from the value; in the case above -> 0x000017EC.
  Swap the bytes again (for Intel): 0x000017EC is thus EC 17 00 00.
- Modify the 16 bytes of the load command entry for LC_CODE_SIGNATURE.
  Replace them with 16 x 0x00.
  This entry starts with 0x1D000000 on Intel and 0x0000001D on PPC.
  This modifies the load command (8B) and the contents of the load command (8B).
  In this case the load command in total should always be:
    Intel: 0x1D00000010000000
    PPC: 0x0000001D00000010
- Remove the actual code signature.
  This starts with 0xFADE0CC0 on both Intel and PPC.
  Replace the entire code signature with 0x00 bytes.
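
An added example, not part of the original notes: a read-only Python check that parses the header fields named above and reports whether a thin 32-bit Mach-O still carries its code signature, has had it fully removed, or has a patched header with the signature blob left behind. The function names and the file built by build_sample are constructed for illustration, and the orphan-blob test is a heuristic byte search.

```python
import struct

LC_CODE_SIGNATURE = 0x1D
CS_MAGIC = bytes.fromhex("fade0cc0")  # signature blob magic, same bytes on Intel and PPC
HEADER_SIZE = 28                      # 32-bit mach_header: seven 4-byte fields

def inspect_macho32(data):
    """Report load-command counts and code-signature state of a thin 32-bit Mach-O."""
    if data[:4] == bytes.fromhex("cefaedfe"):
        end = "<"                     # Intel: fields are stored byte-swapped
    elif data[:4] == bytes.fromhex("feedface"):
        end = ">"                     # PPC
    else:
        raise ValueError("not a thin 32-bit Mach-O")
    ncmds, sizeofcmds = struct.unpack_from(end + "II", data, 0x10)
    off, sig = HEADER_SIZE, None
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(end + "II", data, off)
        if cmdsize < 8 or off + cmdsize > HEADER_SIZE + sizeofcmds:
            raise ValueError("load command overruns sizeofcmds")
        if cmd == LC_CODE_SIGNATURE:
            sig = struct.unpack_from(end + "II", data, off + 8)  # dataoff, datasize
        off += cmdsize
    report = {"ncmds": ncmds, "sizeofcmds": sizeofcmds,
              "sizes_consistent": off == HEADER_SIZE + sizeofcmds,
              "has_lc_code_signature": sig is not None,
              "blob_magic_present": False, "orphan_blob": False}
    if sig:
        report["blob_magic_present"] = data[sig[0]:sig[0] + 4] == CS_MAGIC
    else:
        # Heuristic: no load command, yet the blob magic is still somewhere in the file
        report["orphan_blob"] = CS_MAGIC in data[off:]
    return report

def build_sample(signed):
    """Constructed input: LC_UUID plus LC_CODE_SIGNATURE, or the stripped layout."""
    uuid_cmd = struct.pack("<II16s", 0x1B, 24, b"\x11" * 16)
    sig_cmd = struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x100, 0x20)
    cmds = uuid_cmd + (sig_cmd if signed else b"\x00" * 16)
    ncmds, size = (2, 40) if signed else (1, 24)
    header = struct.pack("<7I", 0xFEEDFACE, 7, 3, 2, ncmds, size, 0)
    blob = CS_MAGIC + b"\x00" * 28 if signed else b"\x00" * 32
    return (header + cmds).ljust(0x100, b"\x00") + blob

if __name__ == "__main__":
    for label, signed in (("signed", True), ("stripped", False)):
        print(label, inspect_macho32(build_sample(signed)))
```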