This report documents a method to bypass AppSealing protection on iOS applications, specifically targeting Unity-based games.
AppSealing is a mobile application security solution that provides runtime application self-protection. This bypass technique neutralizes AppSealing's protection mechanisms by patching specific ARM64 assembly instructions that trigger system calls used for exit.
File → Open → Select "UnityFramework"
Load the UnityFramework binary into IDA Pro for analysis.
Press Alt + B (Binary Search)
Search pattern: 01 10 00 D4
Format: Hex
Options: ✓ Find all occurrences
Technical Details:
- 01 10 00 D4 is the ARM64 machine code for SVC #0x80
- This instruction triggers a supervisor call to the kernel
- AppSealing uses these calls to exit the program
For each search result:
1. Double-click the occurrence in the search results window
2. Scroll upward in the disassembly view
3. Locate the function label: sub_B350C, _::Ze7f50748c07110499b981067b3cb22b0(void *), _::instant_thread_terminate(void *)
For each identified function:
1. Place cursor on the FIRST instruction of the function
2. Edit → Patch Program → Change Byte
3. Enter RET instruction: C0 03 5F D6
4. Click OK
Details:
- C0 03 5F D6 is the ARM64 machine code for the RET instruction
- This replaces the function's prologue with an immediate return
- Effectively neutering the entire exit function
Edit → Patch Program → Apply patches to input file
After patching, I can open and play without the app exiting.
This technique has been tested and confirmed working on:
- iOS applications
- AppSealing
This research is intended for:
- Security researchers analyzing mobile protection mechanisms
- Developers improving their security implementations
- Educational purposes in understanding bypass techniques
AppSealing's use of SVC instructions for runtime checks shows a solid understanding of the ARM64 architecture. But the harsh reality is that this entire protection layer crumbles with a simple binary search and a few patches. For a commercial security solution, having your defenses bypassed by what's essentially a find-and-replace operation is a serious problem. This underscores the need for a defense-in-depth approach to security.
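On the defensive side, the patch described above leaves a recognizable footprint: a function whose first instruction word has become RET while the trusted build has something else there. The following is an added example, not part of the original report or of AppSealing; it compares a distributed binary against the trusted build at known function ranges and flags that footprint. The function names, offsets and sample bytes are constructed, and the symbol-map input is an assumption.

```python
import struct

RET = 0xD65F03C0     # bytes C0 03 5F D6, the patch value named in the report
SVC_80 = 0xD4001001  # bytes 01 10 00 D4, the search pattern named in the report

def insn_words(body):
    """Decode a function body (length a multiple of 4) as ARM64 instruction words."""
    return list(struct.unpack("<%dI" % (len(body) // 4), body))

def audit(reference, candidate, functions):
    """Compare each function in `candidate` with the trusted `reference` build.

    `functions` maps a name to (file offset, size in bytes), for example taken
    from the build's symbol map (an assumed input for this example).
    Returns {name: verdict} for every function that is not byte-identical.
    """
    findings = {}
    for name, (offset, size) in functions.items():
        ref = reference[offset:offset + size]
        cand = candidate[offset:offset + size]
        if ref == cand:
            continue
        if len(cand) != size:
            findings[name] = "truncated"  # candidate file ends inside the function
            continue
        ref_words, cand_words = insn_words(ref), insn_words(cand)
        if cand_words[0] == RET and ref_words[0] != RET:
            # Entry overwritten with RET: the rest of the body, including any
            # SVC #0x80 it contained, can no longer be reached.
            guarded = SVC_80 in ref_words
            findings[name] = "entry-ret-exit-path" if guarded else "entry-ret"
        else:
            findings[name] = "modified"
    return findings

# Constructed sample: two 16-byte functions laid out back to back.
REFERENCE = struct.pack(
    "<8I",
    0xA9BF7BFD, 0xD503201F, SVC_80, RET,      # exit routine: stp, nop, svc #0x80, ret
    0xA9BF7BFD, 0xD503201F, 0xD503201F, RET,  # unrelated helper: stp, nop, nop, ret
)
FUNCTIONS = {"exit_routine": (0, 16), "helper": (16, 16)}  # hypothetical names
# Constructed tampered copy: first word of exit_routine replaced with RET.
TAMPERED = struct.pack("<I", RET) + REFERENCE[4:]

if __name__ == "__main__":
    print(audit(REFERENCE, TAMPERED, FUNCTIONS))
```

A check like this belongs somewhere the patched binary cannot reach, such as a release pipeline or a server that receives an integrity report, since an in-app copy of the check can be patched the same way.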
Disclaimer: This information is provided for educational and research purposes only. Unauthorized tampering with protected applications may violate terms of service and applicable laws.