Hi, I looked at the tutorials section here and saw that the only tutorial about debugging was a tutorial by Ted22 without support for watchpoints. This does support wp and is you don't need to download stuff from unofficial sources. But I do recommend reading his tutorial as it covers other stuff.
For this you need Xcode & Homebrew. (on macOS). Probably works on GNU/Linux if you get debugserver and the right iOS SDK some other way, or you could run macOS in a VM.
Run this to get ldid:
brew install ldid
Then you need to get the right debugserver. Run
cd /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/ (iPadOS if you're using an iPad, I guess)
Then do an ls to list all available versions. In my case "13.3" since I run iOS 13.3.1 on an iPhone X.
Run this to mount the DeveloperDiskImage of your version. 13.3 in my case.
open ./13.3/DeveloperDiskImage.dmg
Then open your mounted disk image and go to DeveloperDiskImage/usr/bin. There you'll find debugserver. Copy that to your computer somewhere. I used ~/Documents/debugserver
To thin your binary, run
lipo -thin arm64 ./debugserver -output ./debugserverthin (if using arm64)
lipo -thin arm64e ./debugserver -output ./debugserverthin (if using arm64e, iPhone XS and above, haven't tried though, maybe arm64 will work fine aswell)
Next, sign debugserver with this xml file (save as ent.xml):
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.springboard.debugapplications</key>
<true/>
<key>get-task-allow</key>
<true/>
<key>task_for_pid-allow</key>
<true/>
<key>run-unsigned-code</key>
<true/>
</dict>
</plist>
Using ldid as such:
ldid -Sent.xml ./debugserverthin
Copy it to your phone using sftp.
sftp root@yourphoneip
then
put debugserverthin
now SSH into your phone and run
mv ./debugserverthin /usr/bin/debugserver (/usr/local/bin is more standard but /usr/bin just worked for me so I'll go with that, doesn't really matter).
Run this to find all running processes. I'll use Hill Climb Racing as an example:
ps -A
Example output: 51523 ?? 0:34.60 /var/containers/Bundle/Application/72FDFED4-16FB-47FE-999D-1CD53CF16B8C/Hill Climb Racing.app/Hill Climb Racing
Run debugserver to start the debugging server. To specify which process to attach on, do it like this:
debugserver 0.0.0.0:1234 -a "Hill Climb Racing"
To attach LLDB from your Mac, run this (ON MAC, not phone).
lldb
(lldb) platform select remote-ios
(lldb) process connect connect://yourphoneip:1234
To set watchpoints (got addr from iGG, gold value):
(lldb) process interrupt
Process 51523 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
frame #0: 0x00000001b7044634 libsystem_kernel.dylib`mach_msg_trap + 8
libsystem_kernel.dylib`mach_msg_trap:
-> 0x1b7044634 <+8>: ret
libsystem_kernel.dylib`mach_msg_overwrite_trap:
0x1b7044638 <+0>: mov x16, #-0x20
0x1b704463c <+4>: svc #0x80
0x1b7044640 <+8>: ret
Target 0: (Hill Climb Racing) stopped.
(lldb) w s e -s 4 -- 0x106128024
Watchpoint created: Watchpoint 1: addr = 0x106128024 size = 4 state = enabled type = w
new value: 148742069
(lldb) c
Process 51523 resuming
When your watchpoints gets you'll see disassembled code that ran some instruction on your data. Example (when buying from store):
Watchpoint 1 hit:
old value: 148742069
new value: 148642069
Process 51523 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = watchpoint 1
frame #0: 0x0000000104a38a74 Hill Climb Racing`___lldb_unnamed_symbol5830$$Hill Climb Racing + 276
Hill Climb Racing`___lldb_unnamed_symbol5830$$Hill Climb Racing:
-> 0x104a38a74 <+276>: mov x0, x19
0x104a38a78 <+280>: mov x1, x20
0x104a38a7c <+284>: bl 0x104a38d94 ; ___lldb_unnamed_symbol5832$$Hill Climb Racing
0x104a38a80 <+288>: add x8, sp, #0x30 ; =0x30
Target 0: (Hill Climb Racing) stopped.
I have literally no idea how to write ARM assembly but I'd guess that you could replace the instructions at 0x104a38a74 with NOP's to get free-buy, or write a jmp to your own function for mid-function hooks. I suggest watching other tutorials for that, I'm only good at Windows hacking but I may learn some iOS soon :D.
For moderators who review: can I wrap everything in hide-tags without messing up everything? I don't really care but a few more likes is cool 😛
I'll make a follow-up some day when I actually create a fully featured cheat with this, iGG, Theos and a disassembler like Ghidra or Binary Ninja.
Secret:
[hide][/hide]