I've been looking at the FairPlay DRM this week. I followed the path from the memory pager, through IOTextCrypter et al, through to fairplayd via com.apple.unfreed IPC. Static analysis of that binary looks impracticable (a lot of effort appears to have been made to ensure this), but have you considered dynamic analysis using Unicorn?