decrypt.sh

#!/usr/bin/env bash

pushd() { builtin pushd "${@}" 2>/dev/null >&2; }
popd() { builtin popd 2>/dev/null >&2; }

if [ "$#" -lt 2 ]; then
	echo "Usage: $0 <bundleName> <output>"
	exit 1
fi

if [ "${EUID}" -ne 0 ]; then
	echo "This script must be run as root."
	exit 1
fi

APP_NAME="$1"
OUTPUT_PATH="$2"

if [ ! -f /usr/bin/flexdecrypt ]; then
	curl -L https://github.com/JohnCoates/flexdecrypt/releases/download/1.1/flexdecrypt -o /usr/bin/flexdecrypt
	chmod +x /usr/bin/flexdecrypt
fi

temp_dir="$(mktemp -d)"
decrypted="${temp_dir}/${APP_NAME}.app"
result="${decrypted}"

pushd /var/containers/Bundle/Application/*/"${APP_NAME}".app/..
rm -rf "${decrypted}"

echo "[+] Copying app bundle"
cp -r "${APP_NAME}.app" "${decrypted}"

decrypt() {
	input="$1"
	destination="${decrypted}/${input}"
	echo "[+] Decrypting $1..."
	rm -f "${destination}"
	/usr/bin/flexdecrypt "${input}" --output "${destination}" || {
		echo "[-] Decryption failed"
		rm -rf "${decrypted}"
		exit 1
	}
}

pushd "${APP_NAME}".app

# This script assumes executable names match bundle names. This assumption
# may not always be true but most of the time it is.
decrypt "${APP_NAME}"

decrypt_all() {
	for framework in "${@}"; do
		if [ ! -d "${framework}" ]; then continue; fi
		exec_name="$(basename "${framework}")"
		exec_name="${exec_name%.*}"
		decrypt "${framework}/${exec_name}"
	done
}

decrypt_all Frameworks/*.framework
decrypt_all PlugIns/*.appex

if type zip 2>/dev/null >&2; then
	echo "[+] Creating IPA"
	pushd "${temp_dir}"
	rm -rf Payload
	mkdir Payload
	mv "${decrypted}" Payload/
	zip -r "${APP_NAME}.ipa" Payload > /dev/null && {
		result="${temp_dir}/${APP_NAME}.ipa"
		rm -rf Payload
	} || {
		echo "[-] IPA creation failed"
		mv Payload/* ./
	}
	popd
fi

popd
popd 

mv "${result}" "${OUTPUT_PATH}" || {
	echo "[-] Couldn't move result to the specified location."
	rm -rf "${temp_dir}"
	exit 1
}

echo "[+] Saved output to ${OUTPUT_PATH}"
rm -rf "${temp_dir}"