Ted2

Encrypted (EOR'S)

Easy

@DiDA

This is not how you make a support topic. At least add some explaining text. Which hack, link to the hack etc

Correct AppDelegate? %hook UnityAppController = Unity Games only. Correct bundle ID? --> Get it from https://armconverter.com/appinfo (paste in .plist)

Would be vip with those features anyway

Does it says its in installed in Cydia

Pedo

You got banned? It's a single player game, idk why they would ban

Thanks, gimme a BJ maybe?

Noice mate

There's already a hack for this by me. No this does not fill your request but that doesn't matter.

Credits? Who's the one who figured this out

That's allot of work that isn't needed

Remove hack, play tutorial & then install hack maybe ?

Gey

Yes! Sorry I made a small typo in the Mod Menu, I had to re-upload. Try now

Updated to version 3.0!

Not sure, have to look into it. I already tried before, but couldn't figure it out.

Working on a update now

Not every shot you do is going to be in the basket with this feature. You still have to score, but when you score it's going to be +3 instead of what you normally would get.

Thanks, will fix!

Hello Everyone! In this topic, I'll be teaching you how to hack with lldb watchpoints & IDA step by step. Quick note: Watchpoints doesn't seem to work on iOS 11 so you need a phone below that iOS. Requirements: - IDA Program -> get it HERE - Jailbroken Phone - iGameGod - iMemEditor or whatever alternatives. - LLDB -> Follow THIS topic - * Theos _> Follow this: Setup Tutorial * = You can also edit the game's binary manually with a Hex Editor, but this is a pain in the ass to keep replacing each time. Setup a theos project If you already know how to setup a theos project & how to use it correctly, skip this part. For the sake of this tutorial, use this sdk and use this .nic template This video will show you how to setup a theos project: - https://youtu.be/eplJ2118cv0 NOTE: I am using Putty because I'm on windows. If you're on a Mac, you can just use terminal. Type this command to SSH into your device: ssh [email protected] & then type the default password "alpine" LLDB The game we are going to hack is called "Bloody Harry", you can get it HERE: We will be hacking our ammo. I hope you installed lldb as I said with the linked topic from my Requirements list, if not, do it now. You can basically just type "lldb" in your SSH window & it will look like this: Now you have lldb started, you have to attach to the game by this command: attach "PID" / attach "Binary Name" I always use PID, cause I'm too lazy to search for the binary name. You can find the PID by attaching the game to GamePlayer & then the number next to the Game's name is the PID. It will now connect & it should look something like this: ASLR We need to do ONE more VERY IMPORTANT thing before we start setting watchpoints. Since we are hacking arm64, we have to deal with a ASLR slide. You can find this ASLR slide by typing this command in your SSH window: image list or image list "binary name" However, it somehow doesn't support binaries with a space in them. So type the first one & scroll up to where [ 0] starts: As you may see, in my case [ 1] is the line I need. Cause that points to Bloody Harry: [ 1] A0825C08-EAE4-3748-ADB5-042D675A380A 0x000000010007c000 /var/containers/Bundle/Application/4D84AA61-4639-402A-96F0-11CAC3A3F8C8/Bloody Harry.app/Bloody Harry 0x000000010007c000 is what I need. However, I only need to remember 7c000 Your slide is likely diffrent. For example if you had this: 0x0000000100080000 80000 is the only thing you need to remember. Watchpoints We are ready to set watchpoints now! In order to set a watchpoint, we need to find the memory address with, in my case GamePlayer. I assume everyone knows how to work with a memory searcher such as GamePlayer, if not: - Search for your current ammo value in Gameplayer - Shoot one time - Search for the new value - Shoot againt - Search for the new value - Do this till you get 1 / 2 matches. IT's VERY IMPORTANT YOU DO NOT CLOSE THE APP FROM NOW, BECAUSE Gameplayer ADDRESSES ALWAYS CHANGE AFRER REOPENING APP. How to set a watchpoint: w s e -- 0xGamePlayerAddress Example: w s e -- 0x109098E10 So get your GamePlayerAddress & then set a watchpoint. I keep getting 2 matches in Game Player, so I will set 2 watchpoints: NOTE: Sometimes the "new value" isn't correct, just in my case. Please remember the ammo in the next step. So our watchpoint has been set, in order to get the IDA address, we'll have to make a change in our ammo. This is the step where you HAVE to remember your ammo value it's going to change to. My current ammo is: 65 & I'm going to shoot one bullet, which will leave me with 64 bullets. Watchpoint 1 Hit: frame #0 = our IDA offset according to lldb (ignore the 000... before the first "1". Type "register read" in lldb & paste the output in a note somewhere, we are going to need this later. I like to organize it like this: Now let's see if our watchpoint 2 will also hit, type "c" or "continue" in lldb & see what happens: It's not saying anything about watchpoint 2, but it does stop so it might be usefull. Do the same steps you did for watchpoint one: make a note, paste the "read register" output & organize it like mine if you like. We know our IDA Offset according to lldb, however we need to remove the aslr slide from it. Go to this website: https://www.calculator.net/hex-calculator.html In the first box, type your offset lldb gave you & in the second box put your ASLR & you subtract it! Let's do this for watchpoint one first, the one with the red circle around it is the REAL offset in IDA: Write it in your note, something like: Real Offset: "your offset" Now you do the same for the second watchpoint. Register Read Output The register output will show you which register holds what value when the watchpoint was hit (when the game froze) This is really usefull for us. We can read which register holds our ammo & then hack that in IDA later. However, the values are in hexDecimal & we only know our decimal value of our ammo. Mine is 62, so go to some "Decimal To Hex" converter online such as this one: https://www.binaryhexconverter.com/decimal-to-hex-converter Convert your number & search it in your "register read" output. Mine is: 3E & I found a match: x8 = 0x000000000000003e NOTE: the X could be a W in IDA. Do the same for your second watchpoint IDA Alright, first let's go to the offset of watchpoint 1 first in IDA You can do this by pressing the "G" button in IDA View: The yellow colored line is where it brings us: So you might think, this must be the line we have to change. But this is wrong, you know which register holds our ammo (X8 ) so you will be looking for that. This is our matches with X8: W8 = Our ammo, X & W is basically the same 10092DED8 LDR W8, [X19,#0x40] //Load X19+0x40 into W8 10092DEE4 ADD W8, W8, W20 //Add W20 to W8 into W8 10092DEE8 STR W8, [X19,#0x40] //STR W8 into X19+0x40 10092DEF0 LDR X8, [X1,#0x10] //Load X1+0x10 into X8 10092DEF4 LDR X8, [X8,#0x50] //Load X8+0x50 into X8 10092DEF8 BLR X8 //Not important to really know, but it's some sort of branch 10092DF00 LDR X8, [X19,#0x10] //Load X19+0x10 into X8 10092DF0C LDR X2, [X8,#0x188] //Load X8+0x188 into X2 10092DF10 LDR X8, [X2,#0x10] //Load X2+0x10 into X8 10092DF14 LDR X8, [X8,#0x50] //Load X8+0x50 into X8 10092DF18 BLR X8 //Not important to really know, but it's some sort of branch Thing such as: X19+0x40 = X19 = a memory address, 0x40 is a variable that holds something. Together it will point to a address where the memory is at That's allot of matches, however the matches with #0x40 in them seems interesting to me. First: whatever X19+0x40 holds is getting loaded into W8 (our ammo register) Then: W8 is getting stored into X19+0x40, it looks like it's updating it. But we can't be sure until we try something. So how I would try to hack this is this: LDR W8, [X19,#0x40] - Change to: MOV W8, #0xfffff --> this will move the hex value 0xfffff into W8 - Change to: LDR W8, [X23] ---> X23 is a register that has it's own high value. In this way this get's loaded into our ammo. STR W8, [X19,#0x40] - Change W8 to W23 --> This will store a high value into X19+0x40 (which what we think is where our ammo memory is at) - Change it to a NOP, this will skip the instruction & in this way the ammo can't be stored. I'm going with the last option. Compiling a hack with theos Open your tweak.xm from your theos project & find this: if(GetPrefBool(@"key1")) { vm_writeData(0x123456, 0x123456); //The first value should be the offset & the second value the hackedHex } If I wanted to change it to NOP I would change it to this: if(GetPrefBool(@"key1")) { vm_writeData(0x10092DEE8, 0x1F2003D5); // } How do I know it would be "0x1F2003D5"? Well iOSGods has this awesome website: http://armconverter.com/ I typed "NOP" & in the " ARM64 HEX" box I got the Hex of it. You can convert any valid arm instruction here, so if you wanted to hack the LDR, you could have written this in the box: LDR W8, [X23] & it would give you this value: 0xE80240B9 Save your tweak.xm & go back to your SSH window. Type in: cd /your/directory/of/your/project, for me that would be: cd /var/root/bloodyharry Hit enter & now type: "mpi" & if that gives you a error, type "make package install" This will compile it into a .deb & automaticly install it for you. Open your settings & enable the first toggle. NOTE: @"key1" is used to recognize the toggle key of your Root.plist inside /"yourproject"/"projectName"Settings/Resources/Root.plist See this topic for more info about patchers: https://iosgods.com/topic/444-tutorial-how-to-make-a-preference-bundle/ NOTE: You can skip step 1 & 2 in that topic, you already did that by creating a project. Open the game & voila since I NOP'ed the STR, my ammo won't substract! Ammo succesfully hacked : So after all we didn't need the second watchpoint. But if the first watchpoint's location just didn't work out, you could move to watchpoint 2 When you're hacking ammo in ALLOT of cases you'll see something like this: SUB W8, W8, #1 //SUBstract 1 from w8 into w8 If you see this from a watchpoint, you're basically sure that it's the right thing to hack. You could NOP it or change the #1 with a #0 (use armconverter) Try to hack the gold yourself If you're confused about some parts, leave a comment. Other useful topic for this tutorial: - https://iosgods.com/topic/852-tutorial-how-to-hack-using-ida/ NOTE: This tutorial is old & the registers are armv7 registers. But this may help you understand how instruction works (instructions = STR, LDR, MOV, CMP etc etc) - https://iosgods.com/topic/19378-how-to-defeatremove-aslr-on-ios-9-armv7-and-arm64-devices/ Good luck on your journey!