In this part we'll take the straightforward route: when the app is launched, its binary is decrypted and loaded into memory. We will read the corresponding blob from memory, write it to a file, transfer that file to the Mac, replace the encrypted section of the Mach-O file with this blob, and edit the load commands so launchd will not consider the binary encrypted. This alone will not allow running the binary from sandboxed directories; for that you will need to re-sign the binary with your own signing identity or sideload the app to the device in some other way. The decrypted binary can be inspected in a disassembler or other tools.
Prepare encrypted binary
You will need the otool and scp utilities on the macOS side.
[iOS side] run the app and find the path to its executable:
    # ps ax | grep NAME
[macOS side] pull the file from the iOS device to your Mac:
    $ scp root@<IP>:<IOS-PATH> <MAC-PATH>
[macOS side] find the details of the encrypted section in the load commands:
    $ otool -l <MAC-PATH> | grep crypt
that will give output similar to this one:
Attach debugger to iOS app
You will need debugserver on the iOS side, and lldb and MachOView on the macOS side.
[iOS side] run the app, then tell debugserver to attach to it and wait for a debugger on some port:
    # debugserver *:<PORT> -a <NAME>
[macOS side] Run lldb, connect to port exposed by debugserver from iOS:
Disable the load command that manages decryption of the encrypted section in the patched binary:
open binary in MachOView
Load Commands > LC_ENCRYPTION_INFO_64
for CryptID line set Data to 0
Frida
There were many automated alternatives for this task: Clutch, bfinject, etc. As of iOS 12 this task can be most comfortably automated using Frida (once you figure out how to properly configure it). You will need iTunnel, Frida, and a Frida plugin called frida-ios-dump.
[macOS side] run iTunnel to forward SSH traffic to USB:
    $ itnl --lport 2222 --iport 22
[macOS side] run the properly configured script from the plugin directory to find the identifier of the app you need:
    $ ./dump.py -l
[macOS side] run the properly configured script from the plugin directory to dump the app; a full ipa bundle will be created on your Mac:
    $ ./dump.py <IDENTIFIER>