Ted2

Pedo

You got banned? It's a single player game, idk why they would ban

Thanks, gimme a BJ maybe?

Noice mate

There's already a hack for this by me. No this does not fill your request but that doesn't matter.

Credits? Who's the one who figured this out

That's allot of work that isn't needed

Remove hack, play tutorial & then install hack maybe ?

Gey

Yes! Sorry I made a small typo in the Mod Menu, I had to re-upload. Try now

Updated to version 3.0!

Not sure, have to look into it. I already tried before, but couldn't figure it out.

Working on a update now

Not every shot you do is going to be in the basket with this feature. You still have to score, but when you score it's going to be +3 instead of what you normally would get.

Thanks, will fix!

Hello Everyone! In this topic, I'll be teaching you how to hack with lldb watchpoints & IDA step by step. Quick note: Watchpoints doesn't seem to work on iOS 11 so you need a phone below that iOS. Requirements: - IDA Program -> get it HERE - Jailbroken Phone - iGameGod - iMemEditor or whatever alternatives. - LLDB -> Follow THIS topic - * Theos _> Follow this: Setup Tutorial * = You can also edit the game's binary manually with a Hex Editor, but this is a pain in the ass to keep replacing each time. Setup a theos project If you already know how to setup a theos project & how to use it correctly, skip this part. For the sake of this tutorial, use this sdk and use this .nic template This video will show you how to setup a theos project: - https://youtu.be/eplJ2118cv0 NOTE: I am using Putty because I'm on windows. If you're on a Mac, you can just use terminal. Type this command to SSH into your device: ssh [email protected] & then type the default password "alpine" LLDB The game we are going to hack is called "Bloody Harry", you can get it HERE: We will be hacking our ammo. I hope you installed lldb as I said with the linked topic from my Requirements list, if not, do it now. You can basically just type "lldb" in your SSH window & it will look like this: Now you have lldb started, you have to attach to the game by this command: attach "PID" / attach "Binary Name" I always use PID, cause I'm too lazy to search for the binary name. You can find the PID by attaching the game to GamePlayer & then the number next to the Game's name is the PID. It will now connect & it should look something like this: ASLR We need to do ONE more VERY IMPORTANT thing before we start setting watchpoints. Since we are hacking arm64, we have to deal with a ASLR slide. You can find this ASLR slide by typing this command in your SSH window: image list or image list "binary name" However, it somehow doesn't support binaries with a space in them. So type the first one & scroll up to where [ 0] starts: As you may see, in my case [ 1] is the line I need. Cause that points to Bloody Harry: [ 1] A0825C08-EAE4-3748-ADB5-042D675A380A 0x000000010007c000 /var/containers/Bundle/Application/4D84AA61-4639-402A-96F0-11CAC3A3F8C8/Bloody Harry.app/Bloody Harry 0x000000010007c000 is what I need. However, I only need to remember 7c000 Your slide is likely diffrent. For example if you had this: 0x0000000100080000 80000 is the only thing you need to remember. Watchpoints We are ready to set watchpoints now! In order to set a watchpoint, we need to find the memory address with, in my case GamePlayer. I assume everyone knows how to work with a memory searcher such as GamePlayer, if not: - Search for your current ammo value in Gameplayer - Shoot one time - Search for the new value - Shoot againt - Search for the new value - Do this till you get 1 / 2 matches. IT's VERY IMPORTANT YOU DO NOT CLOSE THE APP FROM NOW, BECAUSE Gameplayer ADDRESSES ALWAYS CHANGE AFRER REOPENING APP. How to set a watchpoint: w s e -- 0xGamePlayerAddress Example: w s e -- 0x109098E10 So get your GamePlayerAddress & then set a watchpoint. I keep getting 2 matches in Game Player, so I will set 2 watchpoints: NOTE: Sometimes the "new value" isn't correct, just in my case. Please remember the ammo in the next step. So our watchpoint has been set, in order to get the IDA address, we'll have to make a change in our ammo. This is the step where you HAVE to remember your ammo value it's going to change to. My current ammo is: 65 & I'm going to shoot one bullet, which will leave me with 64 bullets. Watchpoint 1 Hit: frame #0 = our IDA offset according to lldb (ignore the 000... before the first "1". Type "register read" in lldb & paste the output in a note somewhere, we are going to need this later. I like to organize it like this: Now let's see if our watchpoint 2 will also hit, type "c" or "continue" in lldb & see what happens: It's not saying anything about watchpoint 2, but it does stop so it might be usefull. Do the same steps you did for watchpoint one: make a note, paste the "read register" output & organize it like mine if you like. We know our IDA Offset according to lldb, however we need to remove the aslr slide from it. Go to this website: https://www.calculator.net/hex-calculator.html In the first box, type your offset lldb gave you & in the second box put your ASLR & you subtract it! Let's do this for watchpoint one first, the one with the red circle around it is the REAL offset in IDA: Write it in your note, something like: Real Offset: "your offset" Now you do the same for the second watchpoint. Register Read Output The register output will show you which register holds what value when the watchpoint was hit (when the game froze) This is really usefull for us. We can read which register holds our ammo & then hack that in IDA later. However, the values are in hexDecimal & we only know our decimal value of our ammo. Mine is 62, so go to some "Decimal To Hex" converter online such as this one: https://www.binaryhexconverter.com/decimal-to-hex-converter Convert your number & search it in your "register read" output. Mine is: 3E & I found a match: x8 = 0x000000000000003e NOTE: the X could be a W in IDA. Do the same for your second watchpoint IDA Alright, first let's go to the offset of watchpoint 1 first in IDA You can do this by pressing the "G" button in IDA View: The yellow colored line is where it brings us: So you might think, this must be the line we have to change. But this is wrong, you know which register holds our ammo (X8 ) so you will be looking for that. This is our matches with X8: W8 = Our ammo, X & W is basically the same 10092DED8 LDR W8, [X19,#0x40] //Load X19+0x40 into W8 10092DEE4 ADD W8, W8, W20 //Add W20 to W8 into W8 10092DEE8 STR W8, [X19,#0x40] //STR W8 into X19+0x40 10092DEF0 LDR X8, [X1,#0x10] //Load X1+0x10 into X8 10092DEF4 LDR X8, [X8,#0x50] //Load X8+0x50 into X8 10092DEF8 BLR X8 //Not important to really know, but it's some sort of branch 10092DF00 LDR X8, [X19,#0x10] //Load X19+0x10 into X8 10092DF0C LDR X2, [X8,#0x188] //Load X8+0x188 into X2 10092DF10 LDR X8, [X2,#0x10] //Load X2+0x10 into X8 10092DF14 LDR X8, [X8,#0x50] //Load X8+0x50 into X8 10092DF18 BLR X8 //Not important to really know, but it's some sort of branch Thing such as: X19+0x40 = X19 = a memory address, 0x40 is a variable that holds something. Together it will point to a address where the memory is at That's allot of matches, however the matches with #0x40 in them seems interesting to me. First: whatever X19+0x40 holds is getting loaded into W8 (our ammo register) Then: W8 is getting stored into X19+0x40, it looks like it's updating it. But we can't be sure until we try something. So how I would try to hack this is this: LDR W8, [X19,#0x40] - Change to: MOV W8, #0xfffff --> this will move the hex value 0xfffff into W8 - Change to: LDR W8, [X23] ---> X23 is a register that has it's own high value. In this way this get's loaded into our ammo. STR W8, [X19,#0x40] - Change W8 to W23 --> This will store a high value into X19+0x40 (which what we think is where our ammo memory is at) - Change it to a NOP, this will skip the instruction & in this way the ammo can't be stored. I'm going with the last option. Compiling a hack with theos Open your tweak.xm from your theos project & find this: if(GetPrefBool(@"key1")) { vm_writeData(0x123456, 0x123456); //The first value should be the offset & the second value the hackedHex } If I wanted to change it to NOP I would change it to this: if(GetPrefBool(@"key1")) { vm_writeData(0x10092DEE8, 0x1F2003D5); // } How do I know it would be "0x1F2003D5"? Well iOSGods has this awesome website: http://armconverter.com/ I typed "NOP" & in the " ARM64 HEX" box I got the Hex of it. You can convert any valid arm instruction here, so if you wanted to hack the LDR, you could have written this in the box: LDR W8, [X23] & it would give you this value: 0xE80240B9 Save your tweak.xm & go back to your SSH window. Type in: cd /your/directory/of/your/project, for me that would be: cd /var/root/bloodyharry Hit enter & now type: "mpi" & if that gives you a error, type "make package install" This will compile it into a .deb & automaticly install it for you. Open your settings & enable the first toggle. NOTE: @"key1" is used to recognize the toggle key of your Root.plist inside /"yourproject"/"projectName"Settings/Resources/Root.plist See this topic for more info about patchers: https://iosgods.com/topic/444-tutorial-how-to-make-a-preference-bundle/ NOTE: You can skip step 1 & 2 in that topic, you already did that by creating a project. Open the game & voila since I NOP'ed the STR, my ammo won't substract! Ammo succesfully hacked : So after all we didn't need the second watchpoint. But if the first watchpoint's location just didn't work out, you could move to watchpoint 2 When you're hacking ammo in ALLOT of cases you'll see something like this: SUB W8, W8, #1 //SUBstract 1 from w8 into w8 If you see this from a watchpoint, you're basically sure that it's the right thing to hack. You could NOP it or change the #1 with a #0 (use armconverter) Try to hack the gold yourself If you're confused about some parts, leave a comment. Other useful topic for this tutorial: - https://iosgods.com/topic/852-tutorial-how-to-hack-using-ida/ NOTE: This tutorial is old & the registers are armv7 registers. But this may help you understand how instruction works (instructions = STR, LDR, MOV, CMP etc etc) - https://iosgods.com/topic/19378-how-to-defeatremove-aslr-on-ios-9-armv7-and-arm64-devices/ Good luck on your journey!

Wdym? Send me a message on discord: RudePerson#3280

This is from shmoo's github page: - add-aslr-set: a command to automatically add the ASLR slide to the expression in the set command. To use, set add-aslr-set on. Since memory addresses already have ASLR accounted for, we need an upper bound to know when to not add the ASLR slide. Use 0x103000000 if you know you aren't going to be modifing memory and only instructions, otherwise, use IDA Pro to find out where main code segment ends (Ctrl+S)

What about GamePlayer

Nope! Armv7 is outdated, iOS 11 can't even run it anymore which means hacking armv7 is useless. I took armv7 as a example that you could remove aslr in the past. But maybe I should remove that sentences.

Thanks Sir

Understand that hacking with strings & a debugger is really trial and error. Some games do require hours just to get a feature, some are just obvious & too easy.

Hi! This tutorial is gonne be hacking with GDB Breakpoints. Read & study this tutorial by @shmoo about strings first, cause it's really necessarily. https://iosgods.com/topic/26584-ida-tutorialhow-to-hack-with-strings/ Breakpoints are extremely useful, once your breakpoint gets hit the game will freeze. You probably think, why the f*** is that useful you stupid b**** Well, now you can read which registers hold what value, you can see back traces (functions/places that are also called once breakpoint was hit), you can read memory & allot more. They are also useful if you aren't sure if you're at the right place, for example you had a string called Coins & did some xReffing & you end up somewhere but you're not sure if it's anything useful. What you can do now, is set a breakpoint on the offset you are in IDA & make a change in the coins. If the place where you were in IDA has anything to do with coins, the game should freeze when you make a change in coins. Requirements - GDB, repo: https://shmoo419.github.io/ - IDA, get it from the forum. - A Game (or use my example game): https://itunes.apple.com/nz/app/war-heroes-top-strategy-games/id1142744199?mt=8 - Some experience with strings & ARM Crack the binary & load the binary into IDA & wait till it's done. This game I'm hacking is some sort of game like Clash Of Royale. You have 3 towers, or whatever they're called. The middle one, is the most important one. If that one is broken aka dead, you win. You have 4 cards you can make use of, each has it's own damage amount. So, what we're going to try is hack the damage of a card. There's not really a specific way of finding such a thing. Some games have obvious strings & some games have not. To open strings window in IDA, you go to: View - Open Sub Views - Strings If I search for the word "damage", I'm getting 50 results, not that much but still a struggle to read. I like to click on the "Length" button in IDA, so it sorts the results & it's much cleaner: I like to go from top through bottom, so let's double click the first string & xRef it: If you don't know what xRef means, please read shmoo's tutorial on strings & come back later. When I click the first result, I've some sub_x functions around the string The ones with a straight red line are from the damageReduction string, the other are from damage string: I like to think sub_x functions with more than 70 xRefs are useless. (XRefs is just to see where the function is getting used by other functions) However, sometimes function look interesting & you might want to try them out anyways. It's really just experience that will tell your brain whether the function can be useful or no. The sub_10000F7F0 & sub_100012158 have too many xRefs, first one above 300 & the other above 900. You don't wanna modify a function that is getting used/called in another 300 functions. Neither would a developer code a damage function that is getting used in another 300 functions, cause that would likely cause instability. However, the sub_100190A78 has only one xRef & sub_100190A8C has only one xRef too. sub_100190A8C seems to be for the damage_reduction string (sounds useful too tho). But let's focus on sub_100190A78: It's a really short function. STR W1, [X0,#0x2C] // Store whatever value W1 is holding into X0+0x2C RET // RETurn the function (end it). Alright, we aren't sure whether this function is the right one for damage or not. We have two options: 1. Try modify the function & see what happens 2. Set a breakpoint on the function & see if it hits. While some people may recommend option 1 because they don't know how to use a debugger, I don't. Cause if you keep trying without debugging it CAN be a LONG LONG night, however sometimes you just find it in the first try So we are going to set a breakpoint on the function. First you need to know this about arm64 binaries: arm64 binaries have a ASLR Slide which can't be removed. You have to make calculations in order to get the right offset. IDA Offset + ASLR Slide with a Hex Calculator would do. But since Shmoo has it's built in feature in gdb, you don't have to make any calculations. Just this command in GDB & it will do it for you: set add-aslr-bp on We need to actually start GDB first, open Putty & SSH into your device. Then type "gdb" & hit enter & it should start. Then you have to attach to the game, I recommend attaching with the PID but I think binary names are also supported. How to find your PID: You can find it with GamePlayer, iGameGuardian etc or type this into your putty window: "ps ax | grep 'binary name'" Attach command: attach "PID" It will attach, it may show scary lines of "code" but that's normal. Aslong as your game froze, it's fine. Type "continue" or "c" in short to unfreeze the game. How to set a breakpoint: Before you do, enter this command first: set add-aslr-bp on Breakpoint command: break *0xoffset / b *0xofffset For me that would be: break *0x100190A78. (see picture above, the sub_x functions is 100190A78) Now let me play a match & see whether it hits or no. So the game froze when the tower was hit, this is a good thing! From here you can do multiply things: - you can read registers (reading what for example W0, W1, W20 is holding at the time of the breakpoint being hit) - you can read back traces to see which places where also called when the breakpoint was hit - you can read memory So let's read the registers by typing this command: "info registers" --> this will show all normal registers, "info all-registers" will also show float values. Remember: X & W is basically the same, they'll hold the same value. My X1 shows me it's 162, which is correct cause the enemies tower's health went down with 162. Alright, so now we have to hack the damage amount. If you may know, W23 & W29 hold huge ass values that never change. If we store that value instead of our orignal value X1, we'll have a One Hit Kill // ------- Original: ------- STR W1, [X0,#0x2C] RET // ------- Hacked: ------ STR W23, [X0,#0x2C] RET So I'm going to do this with code injection, I assumed you know how to do that, if not do research on the forum. I compiled it with theos, installed it & I got a One Hit Kill However, this function had only one instruction that could be hacked, so the part where we read the register wasn't really needed. I'll make a video soon enough with an longer function example. I hope you learned how to work with breakpoints & how you can read the registers. Understand that this tutorial is absolutely noob, some games require allot of back tracing etc etc Useful GDB Commands: Auto Add Aslr To Breakpoint: add aslr-bp on Breakpoint: break *0xIDAOffset or b *0xIDAOffset Reading Normal Registers: info registers Reading All Registers: info all-registers (usefull for floats, damage, health etc are most of times float) Find more here: https://lldb.llvm.org/lldb-gdb.html