Everything posted by miseaujeu
-
I guess they mean that it's useless?
-
I can see
-
This is a comment
-
Spam
-
wings are the devil
-
Help/Support GamePlayer memory loc translating to IDA question
miseaujeu replied to miseaujeu's topic in Help & Support
The version heading appears like this when I run GDB:
GNU gdb 6.3.50-20050815 (Apple version gdb-1708 + reverse.put.as patches v0.4) (Mon Apr 16 00:53:47 UTC 2012) -
Help/Support GamePlayer memory loc translating to IDA question
miseaujeu posted a topic in Help & Support
iPhone 5S, iOS 9.3.3, Win 7. I have not been able to get either GDB or LLDB/debugserver working with 9.3.3. What are some other methods or tools to determine the IDA offset location from the GamePlayer memory location? -M -
Patcher [x32/64] MARVEL Contest of Champions v10.1.0 +1
miseaujeu replied to AirMAX's topic in Free Jailbreak Cheats
Thanks -
Nope, that doesn't do it. What I'm looking for is something that will trigger a breakpoint or watchpoint when register $r0 is equal to a certain value. -M
-
In GDB I was able to put a conditional watchpoint on a register:
watch $r0 == 0x01234567
Is there an equivalent for LLDB? -M
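Added example, not code from the post above or from LLDB itself. LLDB's `watchpoint set` works on memory only, so there is no direct register watchpoint; the two substitutes are a conditional breakpoint at the instruction(s) of interest (`$r0` is how LLDB's expression parser names the register, so the condition is `$r0 == 0x01234567`) or a scripted single-step loop that stops when the register holds the value, which is what gdb's software watchpoint did internally and is just as slow. The script below provides both as one `regwatch` command. Assumed for illustration: the file is saved as regwatch.py, the command name `regwatch`, and the addresses in the usage lines; on arm64 the register would be `x0`.

```python
"""LLDB stand-in for gdb's `watch $r0 == 0x01234567` (conditional watchpoint on a register).

Added example, not code from the forum post or from LLDB. LLDB's `watchpoint set`
covers memory only, so the register case is handled two ways here:
  (lldb) command script import /path/to/regwatch.py        # assumed file name
  (lldb) regwatch r0 0x01234567 0x11e62e2                   # conditional breakpoints at addresses
  (lldb) regwatch r0 0x01234567                             # single-step until r0 holds the value
Addresses are runtime addresses (IDA address plus the ASLR slide); the ones above are illustrative.
"""
try:
    import lldb                          # only importable inside LLDB's Python
except ImportError:                      # lets the pure helpers be unit-tested outside LLDB
    lldb = None

MAX_STEPS = 200000                       # bound the step loop: this mode is as slow as gdb's was


def parse_args(command):
    """'r0 0x01234567 [addr ...]' -> (register, value, [addrs]); numbers in any base int() accepts."""
    parts = command.split()
    if len(parts) < 2:
        raise ValueError('usage: regwatch <reg> <value> [addr ...]')
    reg = parts[0].lstrip('$').lower()
    value = int(parts[1], 0)
    addrs = [int(a, 0) for a in parts[2:]]
    return reg, value, addrs


def make_condition(reg, value):
    """Breakpoint condition string; LLDB's expression parser names registers with a $ prefix."""
    return '$%s == %#x' % (reg, value)


def regwatch(debugger, command, result, internal_dict):
    """Command body: breakpoint mode when addresses are given, otherwise step mode."""
    try:
        reg, value, addrs = parse_args(command)
    except ValueError as e:
        result.SetError(str(e))
        return
    target = debugger.GetSelectedTarget()
    cond = make_condition(reg, value)
    if addrs:
        for addr in addrs:
            bp = target.BreakpointCreateByAddress(addr)
            bp.SetCondition(cond)              # evaluated on every hit; stops only when true
            result.PutCString('breakpoint %d at %#x, condition %s' % (bp.GetID(), addr, cond))
        return
    process = target.GetProcess()
    thread = process.GetSelectedThread()
    for n in range(1, MAX_STEPS + 1):
        thread.StepInstruction(False)          # step into one instruction; commands run synchronously
        if process.GetState() != lldb.eStateStopped:
            result.SetError('process left the stopped state after %d steps' % n)
            return
        frame = thread.GetFrameAtIndex(0)
        if frame.FindRegister(reg).GetValueAsUnsigned() == value:
            result.PutCString('%s == %#x at pc %#x after %d steps' % (reg, value, frame.GetPC(), n))
            return
    result.SetError('gave up after %d steps' % MAX_STEPS)


def __lldb_init_module(debugger, internal_dict):
    # module name is the file's basename, hence the regwatch.py assumption above
    debugger.HandleCommand('command script add -f regwatch.regwatch regwatch')
```

Connect to the phone's debugserver first (`process connect connect://IP:PORT`), then import the script. The breakpoint form is the practical one; the step form only makes sense for short stretches of code because every instruction is a round trip to the device.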
-
Help/Support Replace Win7 debugging machine with ....
miseaujeu replied to miseaujeu's topic in Help & Support
I was able to set up LLDB in Win7; however, I'm still being returned all my debugging information in relation to _mh_execute_header (). Let me be perfectly clear -- I was able to debug perfectly fine using GDB on iOS 8.4 through a Win7 machine as of Nov 19 2015.

<sample output from Nov 19 2015 07:20 PM>
0x00677150 in m_QuestSummary_GetPercentCompelete ()
6: $r4 = 354180160
5: $r3 = 1110881504
4: $r2 = 84215400
3: $r1 = 16
2: $r0 = 1
1: x/i $pc
0x677150: 00 00 50 e3 cmp r0, #0 ; 0x0

However, by 12 December 2015 all my debugging started to look like this:

0x001f000c in _mh_execute_header ()
4: $r2 = 2041261
3: $r1 = 1
2: $r0 = 19582444
1: x/i $pc
0x1f000c: 78 44 00 68 stmdavs r0, {r3, r4, r5, r6, r10, lr}
<snip>
0x000a3b38 <_mh_execute_header+248632>: 00 68 90 f8 undefined instruction 0xf8906800
0x000a3b3c <_mh_execute_header+248636>: ad 10 11 f0 undefined instruction 0xf01110ad
0x000a3b40 <_mh_execute_header+248640>: 01 0f 05 d0 andle r0, r5, r1, lsl #30
0x000a3b44 <_mh_execute_header+248644>: 01 6e 19 b9 ldmdblt r9, {r0, r9, r10, r11, sp, lr}
0x000a3b48 <_mh_execute_header+248648>: 03 21 08 91 tstls r8, r3, lsl #2
0x000a3b4c <_mh_execute_header+248652>: 6a f3 bc d2 adcsle pc, r12, #-1476395007 ; 0xa8000001
0x000a3b50 <_mh_execute_header+248656>: 02 98 00 f1 undefined instruction 0xf1009802
</snip>

At first I believed that this was due to some patch of my TaiG iOS 8.4 jailbreak. So I used Cydia Impactor and restored my phone to a clean jailbreak state. After reinstalling GDB and a few other bare-bones tools I got the same results -- only _mh_execute_header () returns. I have been racking my brain, and so I figured it had to do with the interface between iOS and my Win7 debugging machine. If this is not the case I'm completely at a loss.

Can anyone confirm if they are able to use iOS 8.4 with either GDB or LLDB and NOT get all returns in relation to _mh_execute_header ()? If so, please post a code snippet of any available iStore app along with version etc. I would like to compare my output to a known sample.

Thank You,
-M -
I've been discouraged by the issues surrounding iOS 8.4 and debugging on a Win7 machine. I've looked into making an OS X VM on my Win7 box and am guessing I'll encounter different issues that will still prevent me from using it properly. What would be the cheapest used Mac machine I could buy that would still do a great job as a debugger? What version of OS X needs to be supported? What are some minimum recommended specs for such a box? Thanks -M
-
Thanks ITz_kser ! I was able to get the LLDB debugserver running and I'm trying out the various commands. Woo! -M
-
I'm still using Win7. But GDB worked perfectly fine 2 months ago with my same Windows PC setup at that time (there have been a couple of monthly updates since then ...). I downgraded the GNU Debugger install from cydia.radare.org back to version 1518-12 hoping that would fix it ... but now I get the "Illegal instruction: 4" error. It's very frustrating, as I was able to use this in October and now it doesn't work. @ITz_kser I would love to use LLDB; however, I have not been able to figure out how to use it with a Windows PC. Can you point me to a correct setup instruction? -M
-
I'm on 8.4, and since some update about 2 months ago (either in Cydia, GNU Debugger or possibly a supporting library) GDB only returns debugging information in relation to _mh_execute_header ().

0x001f000c in _mh_execute_header ()
4: $r2 = 2041261
3: $r1 = 1
2: $r0 = 19582444
1: x/i $pc
0x1f000c: 78 44 00 68 stmdavs r0, {r3, r4, r5, r6, r10, lr}

Performing a disassemble command at this break returns hundreds of thousands of lines of bad commands:

<snip>
0x000a3b38 <_mh_execute_header+248632>: 00 68 90 f8 undefined instruction 0xf8906800
0x000a3b3c <_mh_execute_header+248636>: ad 10 11 f0 undefined instruction 0xf01110ad
0x000a3b40 <_mh_execute_header+248640>: 01 0f 05 d0 andle r0, r5, r1, lsl #30
0x000a3b44 <_mh_execute_header+248644>: 01 6e 19 b9 ldmdblt r9, {r0, r9, r10, r11, sp, lr}
0x000a3b48 <_mh_execute_header+248648>: 03 21 08 91 tstls r8, r3, lsl #2
0x000a3b4c <_mh_execute_header+248652>: 6a f3 bc d2 adcsle pc, r12, #-1476395007 ; 0xa8000001
0x000a3b50 <_mh_execute_header+248656>: 02 98 00 f1 undefined instruction 0xf1009802
</snip>

Any idea on what I can do to revert and have it work the way it was 2 months ago? -M
-
Do you know of a way to disable this? It would be very handy for me... -M
-
Ratz .. was hoping someone would point me to a settings window. @shmoo -- I'm certain that I used the same binary because I ran them in the same directory. First 6.1. Once it finished I closed 6.1. Opened 6.6 and disassembled from there. Could it be a problem that they're in the same subdirectory? -M
-
I disassembled the same binary in 2 different versions of IDA, v6.1.0110409 and v6.6.140604, and ended up with good symbol details in 6.1 (on left) but not in 6.6 (on right) -- both @ 0x006201F8. I went through the various settings windows and matched them to the best of my ability (some of the options had changed terminology) but ended up with the same results. Any advice on how to make 6.6 (which is waaaaaay faster) produce the same details? -M
-
Help/Support Marvel Contest of Champions help Crack/ASLR/debug
miseaujeu replied to miseaujeu's topic in Help & Support
Alright, let's go again!

Duplicated source binary to keep as backup.
Ran Clutch:

Clutch marvelbattle
DEBUG | Localization.m:70 | preferred lang: ( en )
2015-11-19 21:27:28.273 Clutch[670:12594] checking localization cache
You're using a Clutch development build, checking for updates..
Your version of Clutch is up to date!
Clutch 1.4.7 (git-3)
---------------------------------
is iOS 8 application listing method brah
DEBUG | Preferences.m:42 | preferences_location: /etc/clutch.conf
DEBUG | Preferences.m:43 | { CheckMetadata = YES; CompressionLevel = "-1"; CrackerName = Miseaujeu; CreditFile = NO; MetadataEmail = "[email protected]"; RemoveMetadata = NO; UseNativeZip = YES; }
DEBUG | main.m:609 | app to crack { ApplicationBasename = "marvelbattle.app"; ApplicationBundleID = "com.kabam.marvelbattle"; ApplicationContainer = "/var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/"; ApplicationDirectory = "marvelbattle.app"; ApplicationDisplayName = Champions; ApplicationExecutableName = marvelbattle; ApplicationName = marvelbattle; ApplicationVersion = 99500; Framework = 0; MinimumOSVersion = "7.0"; PlugIn = 0; RealUniqueID = "C1829FD3-15A4-4DCD-A398-3CEBF3963DAA"; }
Cracking marvelbattle...
DEBUG | Cracker.m:80 | ------Prepairing from Installed App------
DEBUG | Cracker.m:92 | Temporary Directory: /tmp/clutch_1x2kHu3x/Payload/marvelbattle.app
Creating working directory...
DEBUG | Cracker.m:103 | Temporary Binary Path: /tmp/clutch_1x2kHu3x/Payload/marvelbattle.app/marvelbattle
DEBUG | Cracker.m:111 | Binary Path: /var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/marvelbattle.app/marvelbattle
DEBUG | Cracker.m:113 | -------End Prepairing Installed App-----
DEBUG | Cracker.m:120 | ------Generating Paths------
DEBUG | Cracker.m:139 | /User/Documents/Cracked/Champions-v99500-Miseaujeu-(Clutch-1.4.7).ipa
DEBUG | Cracker.m:141 | ------End Generating Paths-----
DEBUG | Cracker.m:150 | ------Executing crack------
2015-11-19 21:27:28.572 Clutch[670:12594] created IPAPAth /User/Documents/Cracked/Champions-v99500-Miseaujeu-(Clutch-1.4.7).ipa
DEBUG | Cracker.m:165 | ------Crack Operation------
DEBUG | Cracker.m:167 | beginning crack operation
DEBUG | Binary.m:396 | attempting to crack binary to file! finalpath /tmp/clutch_1x2kHu3x/Payload/marvelbattle.app/marvelbattle
DEBUG | Binary.m:397 | DEBUG: binary path /var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/marvelbattle.app/marvelbattle
DEBUG | Cracker.m:253 | ------Zip Operation------
DEBUG | Cracker.m:254 | beginning zip operation
DEBUG | Cracker.m:258 | using native zip
DEBUG | Binary.m:415 | basedir ok
Performing initial analysis...
DEBUG | Binary.m:423 | open ok
DEBUG | Binary.m:440 | local arch - armv7s
DEBUG | Binary.m:543 | FAT binary detected
DEBUG | Binary.m:545 | nfat_arch 2
DEBUG | Binary.m:556 | arch arch subtype 201326592
DEBUG | Binary.m:551 | 64bit arch detected!
DEBUG | Binary.m:566 | currently cracking arch 9
DEBUG | Binary.m:614 | arch compatible with device, but swap
DEBUG | Binary.m:134 | ##### STRIPPING ARCH #####
DEBUG | Binary.m:139 | lipo path /var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/marvelbattle.app/marvelbattle_arm9_lwork
DEBUG | Binary.m:161 | found arch to keep 9! Storing it
DEBUG | Binary.m:189 | blanking arch! 0
DEBUG | Binary.m:194 | changing nfat_arch
DEBUG | Binary.m:198 | number of architectures 1
DEBUG | Binary.m:203 | Wrote new header to binary!
DEBUG | Binary.m:207 | copying sc_info files!
2015-11-19 21:27:34.123 Clutch[670:12598] sinf file yo /var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/marvelbattle.app/SC_Info/marvelbattle_arm9_lwork.sinf
DEBUG | Binary.m:724 | currently cracking 32bit portion
DEBUG | Binary.m:1091 | Dumping 32bit segment..
DEBUG | Binary.m:1119 | 32bit dumping: offset 16384
dumping binary: analyzing load commands
DEBUG | Binary.m:1149 | found segment
DEBUG | Binary.m:1149 | found segment
DEBUG | Binary.m:1149 | found segment
DEBUG | Binary.m:1149 | found segment
DEBUG | Binary.m:1130 | found encryption info
DEBUG | Binary.m:1135 | found code signature
dumping binary: obtaining ptrace handle
dumping binary: forking to begin tracing
dumping binary: successfully forked
dumping binary: obtaining mach port
dumping binary: preparing code resign
dumping binary: preparing to dump
dumping binary: ASLR enabled, identifying dump location dynamically
DEBUG | Binary.m:1291 | 32-bit Region Size: 16384 35913728
DEBUG | Binary.m:1291 | 32-bit Region Size: 35913728 35913728
dumping binary: performing dump
dumping binary: patched cryptid
[=============================================================>] 100%
dumping binary: writing new checksum
DEBUG | Binary.m:566 | currently cracking arch 0
DEBUG | Device.m:53 | Can't crack 64bit arch on 32bit device! skipping
DEBUG | Binary.m:607 | arch not compatible with device!
DEBUG | Binary.m:666 | only one architecture left!? strip
DEBUG | Cracker.m:236 | crack operation ok!
packaging: waiting for zip thread
DEBUG | Cracker.m:238 | -----End Crack Op------
DEBUG | Cracker.m:280 | zip original ok
DEBUG | Cracker.m:282 | ------End Zip Op------
DEBUG | Cracker.m:287 | ------Zip Cracked Op------
packaging: compressing IPA
DEBUG | Cracker.m:352 | old metadata /var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/iTunesMetadata.plist /tmp/clutch_1x2kHu3x/iTunesMetadata.plist
packaging: censoring iTunesMetadata
DEBUG | Cracker.m:357 | Generating fake iTunesMetadata
DEBUG | Cracker.m:435 | generate metdata /var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/iTunesMetadata.plist, /tmp/clutch_1x2kHu3x/iTunesMetadata.plist
DEBUG | Cracker.m:387 | Copying iTunesArtwork
DEBUG | Cracker.m:388 | copy from /var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/iTunesArtwork, to /tmp/clutch_1x2kHu3x/iTunesArtwork
DEBUG | Cracker.m:295 | package IPA ok
DEBUG | izip.m:182 | working dir /tmp/clutch_1x2kHu3x
DEBUG | Cracker.m:299 | zip cracked ok
packaging: compression level 4294967295
DEBUG | Cracker.m:317 | ------End Zip Crack Op------
DEBUG | Cracker.m:332 | ------End Execute Crack------
DEBUG | ApplicationLister.m:336 | cracked app ok
DEBUG | ApplicationLister.m:337 | this crack lol 99500
DEBUG | Cracker.m:336 | Saved cracked app info! /User/Documents/Cracked/Champions-v99500-Miseaujeu-(Clutch-1.4.7).ipa
elapsed time: 176.47s
Applications cracked: marvelbattle
Total success: 1 Total failed: 0

- Moved Champions-v99500-Miseaujeu-(Clutch-1.4.7).ipa from /User/Documents/Cracked/ to desktop hard drive. Extracted "marvelbattle" and began IDA disassembly.
- Copied the newly Clutch-ed marvelbattle to the original install location (/private/var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/marvelbattle.app) and overwrote the original binary.
- I then ran Remove ASLR GUI.
- Signed with ldid -s.
- Set Permissions in iFile.
5. Run App -- Success! ... but now the cycript check to see if ASLR is really gone.
6. It is! Thank you!

I can't understand how I was doing something wrong each time for the past several days. By needing to lay it out like this I guess I wasn't able to miss a step. Now I can get down to seeing how drastically this build was changed from the previous versions. Thanks again! -M -
Help/Support Marvel Contest of Champions help Crack/ASLR/debug
miseaujeu replied to miseaujeu's topic in Help & Support
@DiDA I really like the mikeyb method you linked -- but I'm not sure I'm using it correctly.

For GDB users (like @shmoo):
. Open your binary in IDA and select the architecture you are going to be hacking.
. Once it has loaded, go to the very beginning of the file. You should see something like this: HEADER:000XXXXX. This will be your ASLR bias.
. There are other ways to get the header offset, like using otool, but I prefer using IDA.
so ... 0x4000
. Start your app and connect to it with gdb.
. Next, type in the command "info address _mh_execute_header". gdb should print an address to you.
so ... 0xb2000
. Subtract the value from IDA from the value you got from gdb and this is your ASLR bias.
0xb2000 - 0x4000 = 0xAE000
. From now on, subtract your ASLR bias from any offset you get from watchpoints, breakpoints etc. to get the correct offset for IDA, or add your bias to an address from IDA before using it in GDB.

In previous versions of the game the IDA disassembly provided function names and structure; since v5.1.0 it's a Sub_x setup with some STRING information -- I'll try to see if we can get it to break with starting a quest ... perhaps this string can help us? @ 0x11382E2 (from IDA)

"to get the correct offset for IDA or add your bias to an address from IDA before using it in GDB."
So, 0x11382E2 + 0xAE000 = 0x11E62E2

Now I've started and stopped many quests. Tried various different versions and instances of quests that they provide, and each time I "BEGIN" a quest .... nothing happens. No breakpoint ... nothing. It could just be the wrong offset ... but am I doing the right things? Should this work if 0x11382E2 in IDA is what I'm looking for? -M -
Help/Support Marvel Contest of Champions help Crack/ASLR/debug
miseaujeu replied to miseaujeu's topic in Help & Support
@Shmoo -- I've not had luck with that method for this particular binary.
1. Take source binary (marvelbattle ~86mb)
2. Run Remove ASLR GUI
3. Sign with ldid -s
4. Set Permissions in iFile
5. Run App -- Success! But it still hasn't been cracked with Clutch or rc.sh (rasticrac)
6. Run Clutch and it still shows ASLR as being present
7. Replace source binary with much smaller Clutch-ed binary
8. Run App -- Success! Buuut GDB debugging is still a mess.
9. cycript check also fails =(
Am I doing something wrong? -M -
Help/Support Marvel Contest of Champions help Crack/ASLR/debug
miseaujeu posted a topic in Help & Support
Hardware: iPhone 5 & Win7 remote debugging.
iOS: 8.4
Jailbreak: TaiG 8.1.3 - 8.x Untether

With the release of Marvel Contest of Champions 5.1.0 (and the subsequent 5.1.1) I'm no longer able to crack a viable copy.
https://itunes.apple.com/us/app/marvel-contest-of-champions/id896112560?mt=8

When I run Clutch (1.4.7 git-3) I get the following output:

root# Clutch marvelbattle
DEBUG | Localization.m:70 | preferred lang: ( en )
2015-11-19 18:55:55.609 Clutch[1728:72803] checking localization cache
You're using a Clutch development build, checking for updates..
Your version of Clutch is up to date!
Clutch 1.4.7 (git-3)
---------------------------------
is iOS 8 application listing method brah
DEBUG | Preferences.m:42 | preferences_location: /etc/clutch.conf
DEBUG | Preferences.m:43 | { CheckMetadata = YES; CompressionLevel = "-1"; CrackerName = Miseaujeu; CreditFile = NO; MetadataEmail = "[email protected]"; RemoveMetadata = NO; UseNativeZip = YES; }
DEBUG | main.m:609 | app to crack { ApplicationBasename = "marvelbattle.app"; ApplicationBundleID = "com.kabam.marvelbattle"; ApplicationContainer = "/var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/"; ApplicationDirectory = "marvelbattle.app"; ApplicationDisplayName = Champions; ApplicationExecutableName = marvelbattle; ApplicationName = marvelbattle; ApplicationVersion = 99500; Framework = 0; MinimumOSVersion = "7.0"; PlugIn = 0; RealUniqueID = "C1829FD3-15A4-4DCD-A398-3CEBF3963DAA"; }
Cracking marvelbattle...
DEBUG | Cracker.m:80 | ------Prepairing from Installed App------
DEBUG | Cracker.m:92 | Temporary Directory: /tmp/clutch_3PrQxBcr/Payload/marvelbattle.app
Creating working directory...
DEBUG | Cracker.m:103 | Temporary Binary Path: /tmp/clutch_3PrQxBcr/Payload/marvelbattle.app/marvelbattle
DEBUG | Cracker.m:111 | Binary Path: /var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/marvelbattle.app/marvelbattle
DEBUG | Cracker.m:113 | -------End Prepairing Installed App-----
DEBUG | Cracker.m:120 | ------Generating Paths------
DEBUG | Cracker.m:139 | /User/Documents/Cracked/Champions-v99500-Miseaujeu-(Clutch-1.4.7).ipa
DEBUG | Cracker.m:141 | ------End Generating Paths-----
DEBUG | Cracker.m:150 | ------Executing crack------
2015-11-19 18:55:55.861 Clutch[1728:72803] created IPAPAth /User/Documents/Cracked/Champions-v99500-Miseaujeu-(Clutch-1.4.7).ipa
DEBUG | Cracker.m:165 | ------Crack Operation------
DEBUG | Cracker.m:167 | beginning crack operation
DEBUG | Binary.m:396 | attempting to crack binary to file! finalpath /tmp/clutch_3PrQxBcr/Payload/marvelbattle.app/marvelbattle
DEBUG | Binary.m:397 | DEBUG: binary path /var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/marvelbattle.app/marvelbattle
DEBUG | Cracker.m:253 | ------Zip Operation------
DEBUG | Cracker.m:254 | beginning zip operation
DEBUG | Cracker.m:258 | using native zip
DEBUG | Binary.m:415 | basedir ok
Performing initial analysis...
DEBUG | Binary.m:423 | open ok
DEBUG | Binary.m:440 | local arch - armv7s
DEBUG | Binary.m:543 | FAT binary detected
DEBUG | Binary.m:545 | nfat_arch 2
DEBUG | Binary.m:556 | arch arch subtype 201326592
DEBUG | Binary.m:551 | 64bit arch detected!
DEBUG | Binary.m:566 | currently cracking arch 9
DEBUG | Binary.m:614 | arch compatible with device, but swap
DEBUG | Binary.m:134 | ##### STRIPPING ARCH #####
DEBUG | Binary.m:139 | lipo path /var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/marvelbattle.app/marvelbattle_arm9_lwork
DEBUG | Binary.m:161 | found arch to keep 9! Storing it
DEBUG | Binary.m:189 | blanking arch! 0
DEBUG | Binary.m:194 | changing nfat_arch
DEBUG | Binary.m:198 | number of architectures 1
DEBUG | Binary.m:203 | Wrote new header to binary!
DEBUG | Binary.m:207 | copying sc_info files!
2015-11-19 18:56:01.021 Clutch[1728:72809] sinf file yo /var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/marvelbattle.app/SC_Info/marvelbattle_arm9_lwork.sinf
DEBUG | Binary.m:724 | currently cracking 32bit portion
DEBUG | Binary.m:1091 | Dumping 32bit segment..
DEBUG | Binary.m:1119 | 32bit dumping: offset 16384
dumping binary: analyzing load commands
DEBUG | Binary.m:1149 | found segment
DEBUG | Binary.m:1149 | found segment
DEBUG | Binary.m:1149 | found segment
DEBUG | Binary.m:1149 | found segment
DEBUG | Binary.m:1130 | found encryption info
DEBUG | Binary.m:1135 | found code signature
dumping binary: obtaining ptrace handle
dumping binary: forking to begin tracing
dumping binary: successfully forked
dumping binary: obtaining mach port
dumping binary: preparing code resign
dumping binary: preparing to dump
dumping binary: ASLR enabled, identifying dump location dynamically
DEBUG | Binary.m:1291 | 32-bit Region Size: 16384 35913728
DEBUG | Binary.m:1291 | 32-bit Region Size: 35913728 35913728
dumping binary: performing dump
dumping binary: patched cryptid
[========================================================================================>] 100%
dumping binary: writing new checksum
DEBUG | Binary.m:566 | currently cracking arch 0
DEBUG | Device.m:53 | Can't crack 64bit arch on 32bit device! skipping
DEBUG | Binary.m:607 | arch not compatible with device!
DEBUG | Binary.m:666 | only one architecture left!? strip
DEBUG | Cracker.m:236 | crack operation ok!
packaging: waiting for zip thread
DEBUG | Cracker.m:238 | -----End Crack Op------
DEBUG | Cracker.m:280 | zip original ok
DEBUG | Cracker.m:282 | ------End Zip Op------
DEBUG | Cracker.m:287 | ------Zip Cracked Op------
packaging: compressing IPA
DEBUG | Cracker.m:352 | old metadata /var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/iTunesMetadata.plist /tmp/clutch_3PrQxBcr/iTunesMetadata.plist
packaging: censoring iTunesMetadata
DEBUG | Cracker.m:357 | Generating fake iTunesMetadata
DEBUG | Cracker.m:435 | generate metdata /var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/iTunesMetadata.plist, /tmp/clutch_3PrQxBcr/iTunesMetadata.plist
DEBUG | Cracker.m:387 | Copying iTunesArtwork
DEBUG | Cracker.m:388 | copy from /var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/iTunesArtwork, to /tmp/clutch_3PrQxBcr/iTunesArtwork
DEBUG | Cracker.m:295 | package IPA ok
DEBUG | izip.m:182 | working dir /tmp/clutch_3PrQxBcr
DEBUG | Cracker.m:299 | zip cracked ok
packaging: compression level 4294967295
DEBUG | Cracker.m:317 | ------End Zip Crack Op------
DEBUG | Cracker.m:332 | ------End Execute Crack------
DEBUG | ApplicationLister.m:336 | cracked app ok
DEBUG | ApplicationLister.m:337 | this crack lol 99500
DEBUG | Cracker.m:336 | Saved cracked app info! /User/Documents/Cracked/Champions-v99500-Miseaujeu-(Clutch-1.4.7).ipa
elapsed time: 152.32s
Applications cracked: marvelbattle
Total success: 1 Total failed: 0

It appears to work, including LIPO of the source binary as well as identifying (and removing?) ASLR:
"dumping binary: ASLR enabled, identifying dump location dynamically"

However, when I test if the file still contains ASLR (per the instruction from Alcatraz - http://iosgods.com/topic/11639-disable-aslr-on-ios-8384/ ):

cycript -p PROCESS
x = dlsym(RTLD_DEFAULT,"_dyld_get_image_vmaddr_slide")
get_aslr_slide = @encode(uint(int)) (x)
get_aslr_slide(0)

this returns a value other than 0 ... which indicates the binary still is using ASLR.

When I hexedit the binary and change the 21 to 01 (or 00, or 20) the app crashes -- even after setting owner and permissions.

Debugging with GDB on the Win7 desktop no longer provides a view of functions called and backtrace -- instead lots of "bfd_mach_o_scan: unknown architecture 0x100000c/0x0" and <redacted> functions:

root# gdb
warning: unrecognized host cpusubtype 11, defaulting to host==armv7.
GNU gdb 6.3.50-20050815 (Apple version gdb-1708 + reverse.put.as patches v0.4) (Mon Apr 16 00:53:47 UTC 2012)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "arm-apple-darwin".
(gdb) att marv
Attaching to process 1809.
Reading symbols for shared libraries . done
unable to read unknown load command 0x80000028
bfd_mach_o_scan: unknown architecture 0x100000c/0x0
unable to read unknown load command 0x80000028
bfd_mach_o_scan: unknown architecture 0x100000c/0x0
bfd_mach_o_scan: unknown architecture 0x100000c/0x0
Reading symbols for shared libraries ................................................................................................................................................................................................................................................................................................. done
unable to read unknown load command 0x80000028
bfd_mach_o_scan: unknown architecture 0x100000c/0x0
unable to read unknown load command 0x80000028
bfd_mach_o_scan: unknown architecture 0x100000c/0x0
bfd_mach_o_scan: unknown architecture 0x100000c/0x0
Reading symbols for shared libraries + done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
0x24f1c04e in <redacted> ()
(gdb) bt 5
#0 0x24f1c04e in <redacted> ()
#1 0x24f197ba in <redacted> ()
(gdb)

I've attempted the crack using rasticrac (v3.2.9... NOTE: no perfect support for this iOS yet!) with the same results.

Will someone please attempt to crack using Clutch or rasticrac and let me know if you're able to defeat the ASLR and debug with GDB?
-Miseaujeu -
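Added example, not code from this thread, from Clutch, IDA or gdb: a small Python Mach-O header walker that does by hand what the posts in this thread rely on tools for. It reads the __TEXT segment vmaddr (the HEADER address IDA shows, 0x4000 in the mikeyb steps quoted above), computes the ASLR slide from the address gdb reports for _mh_execute_header, and translates addresses in both directions, which is the same arithmetic the GamePlayer-to-IDA question elsewhere on this page needs, because a GamePlayer address is a runtime address. It also reads the cryptid field of LC_ENCRYPTION_INFO, the field behind Clutch's "patched cryptid" line, and shows what the "change the 21 to 01" hex edit does: it clears MH_PIE (0x200000) in mach_header.flags. Those are two independent fields: the Clutch log above shows cryptid being patched and shows nothing touching the flags, so _dyld_get_image_vmaddr_slide can still report a non-zero slide on a decrypted binary. Two constants from the gdb session are also named here for reference: load command 0x80000028 is LC_MAIN and cputype 0x100000c is CPU_TYPE_ARM64, both newer than what gdb-1708's BFD knows. The sample binary is constructed in memory (a header and four load commands, no code), so nothing here touches the real game; the values 0xb2000, 0x4000, 0x11382E2 and 0x11E62E2 are the ones quoted in the thread, and the 4 KiB page size in the sanity check is an armv7 assumption.

```python
"""Mach-O header walker for the ASLR-slide and cryptid questions in this thread.

Added example, not code from the forum, Clutch, IDA or gdb. Runs on a small
armv7 Mach-O constructed in memory (header plus four load commands, no code);
layouts and constants are from <mach-o/loader.h>.
"""
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
FAT_MAGIC_BE = b'\xca\xfe\xba\xbe'             # FAT header is big-endian
MH_PIE = 0x200000                              # mach_header.flags bit
FLAGS_OFFSET = 24                              # flags field in both header sizes
CPU_TYPE_ARM, CPU_ARCH_ABI64 = 12, 0x01000000  # ARM | ABI64 == 0x100000c == CPU_TYPE_ARM64
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
LC_MAIN = 0x80000028                           # 0x28 | LC_REQ_DYLD
PAGE_SIZE = 0x1000                             # armv7 page size (assumption for the sanity check)


def parse_macho(data):
    """Walk a thin little-endian Mach-O and pull out the fields the thread cares about."""
    if data[:4] == FAT_MAGIC_BE:
        raise ValueError('FAT binary: extract one slice first (lipo -thin armv7)')
    magic = struct.unpack_from('<I', data, 0)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError('not a little-endian Mach-O: magic %#x' % magic)
    is64 = magic == MH_MAGIC_64
    cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = struct.unpack_from('<6I', data, 4)
    info = {'is64': is64, 'cputype': cputype, 'cpusubtype': cpusubtype,
            'pie': bool(flags & MH_PIE), 'text_vmaddr': None,
            'cryptid': None, 'entryoff': None, 'cmds': []}
    off = 32 if is64 else 28                   # mach_header_64 has a 4-byte reserved field
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from('<II', data, off)
        info['cmds'].append(cmd)
        if cmd in (LC_SEGMENT, LC_SEGMENT_64):
            segname = data[off + 8:off + 24].rstrip(b'\0').decode()
            vmaddr = struct.unpack_from('<Q' if is64 else '<I', data, off + 24)[0]
            if segname == '__TEXT':            # IDA's HEADER:... address is this vmaddr
                info['text_vmaddr'] = vmaddr
        elif cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            info['cryptid'] = struct.unpack_from('<I', data, off + 16)[0]   # 1 = still FairPlay-encrypted
        elif cmd == LC_MAIN:
            info['entryoff'] = struct.unpack_from('<Q', data, off + 8)[0]
        off += cmdsize
    return info


def aslr_slide(runtime_header_addr, text_vmaddr):
    """gdb's 'info address _mh_execute_header' minus the __TEXT vmaddr from the file."""
    slide = runtime_header_addr - text_vmaddr
    if slide < 0 or slide % PAGE_SIZE:
        raise ValueError('implausible slide %#x: wrong header address or wrong slice?' % slide)
    return slide


def to_ida(runtime_addr, slide):
    """Breakpoint / watchpoint / GamePlayer address -> address as IDA shows it."""
    return runtime_addr - slide


def to_runtime(ida_addr, slide):
    """IDA address -> address to give the debugger for this process."""
    return ida_addr + slide


def clear_pie(data):
    """Copy of the file with MH_PIE cleared: the '21 -> 01' flags-byte edit from the thread."""
    flags = struct.unpack_from('<I', data, FLAGS_OFFSET)[0]
    out = bytearray(data)
    struct.pack_into('<I', out, FLAGS_OFFSET, flags & ~MH_PIE)
    return bytes(out)


def build_sample():
    """Constructed armv7 MH_EXECUTE: __PAGEZERO, __TEXT at 0x4000, encrypted, LC_MAIN, PIE set."""
    def seg(name, vmaddr, vmsize, fileoff, filesize, prot):
        return struct.pack('<II16sIIIIIIII', LC_SEGMENT, 56, name, vmaddr, vmsize,
                           fileoff, filesize, prot, prot, 0, 0)
    cmds = (seg(b'__PAGEZERO', 0, 0x4000, 0, 0, 0)
            + seg(b'__TEXT', 0x4000, 0x2240000, 0, 0x2240000, 5)
            + struct.pack('<IIIII', LC_ENCRYPTION_INFO, 20, 16384, 35913728, 1)
            + struct.pack('<IIQQ', LC_MAIN, 24, 0x6EE0, 0))
    # NOUNDEFS|DYLDLINK|TWOLEVEL|WEAK_DEFINES|BINDS_TO_WEAK|PIE -> bytes 85 80 21 00 at offset 24
    flags = 0x00218085
    header = struct.pack('<7I', MH_MAGIC, CPU_TYPE_ARM, 9, 2, 4, len(cmds), flags)
    return header + cmds


if __name__ == '__main__':
    blob = build_sample()
    info = parse_macho(blob)
    slide = aslr_slide(0xB2000, info['text_vmaddr'])        # 0xb2000 is the gdb value quoted in the thread
    print('slide %#x, cryptid %d, PIE %s' % (slide, info['cryptid'], info['pie']))
    print('IDA 0x11382E2 -> runtime %#x' % to_runtime(0x11382E2, slide))
    print('runtime 0x11E62E2 -> IDA %#x' % to_ida(0x11E62E2, slide))
    print('after clear_pie: PIE %s' % parse_macho(clear_pie(blob))['pie'])
```

On a real file, run it on one slice (the armv7 slice Clutch writes, or `lipo -thin armv7` first); a FAT file raises. Clearing MH_PIE changes only where the image loads and leaves cryptid alone, and it invalidates the code signature, which is why the steps above re-sign with ldid -s after the edit. Once gdb or GamePlayer gives you a runtime address, `to_ida` is the whole conversion; for arm64 devices the slide is a multiple of 16 KiB rather than 4 KiB.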
thanks!