- Ruby Red
- Matte Black
Download Xcode and try to build an empty project for your phone, that will get you the iOS SDK Okay, home now with my pc so I'll try getting it working on Windows.
hmm, okay, haven't tested on arm64e. Try to thin the debugserver binary with arm64e instead if you haven't already
iPhone X on 13.4.1, works fine, what messes up for you?
I haven't tried anything else. If you get LLDB to run with an iOS SDK on another OS then probably. The remote-ios platform maybe only exists on the macOS version of LLDB (but you can always try). Search for how to set SDK path. It does that automatically if you have Xcode installed for macOS.
Yep, that's fine, I attached a hidden meme instead. I may do a video next time when I make a cheat with this. Let's see how that goes
Hi, I looked at the tutorials section here and saw that the only tutorial about debugging was a tutorial by Ted22 without support for watchpoints. This does support wp and is you don't need to download stuff from unofficial sources. But I do recommend reading his tutorial as it covers other stuff. For this you need Xcode & Homebrew. (on macOS). Probably works on GNU/Linux if you get debugserver and the right iOS SDK some other way, or you could run macOS in a VM. Run this to get ldid: brew install ldid Then you need to get the right debugserver. Run cd /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/ (iPadOS if you're using an iPad, I guess) Then do an ls to list all available versions. In my case "13.3" since I run iOS 13.3.1 on an iPhone X. Run this to mount the DeveloperDiskImage of your version. 13.3 in my case. open ./13.3/DeveloperDiskImage.dmg Then open your mounted disk image and go to DeveloperDiskImage/usr/bin. There you'll find debugserver. Copy that to your computer somewhere. I used ~/Documents/debugserver To thin your binary, run lipo -thin arm64 ./debugserver -output ./debugserverthin (if using arm64) lipo -thin arm64e ./debugserver -output ./debugserverthin (if using arm64e, iPhone XS and above, haven't tried though, maybe arm64 will work fine aswell) Next, sign debugserver with this xml file (save as ent.xml): <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.springboard.debugapplications</key> <true/> <key>get-task-allow</key> <true/> <key>task_for_pid-allow</key> <true/> <key>run-unsigned-code</key> <true/> </dict> </plist> Using ldid as such: ldid -Sent.xml ./debugserverthin Copy it to your phone using sftp. sftp [email protected] then put debugserverthin now SSH into your phone and run mv ./debugserverthin /usr/bin/debugserver (/usr/local/bin is more standard but /usr/bin just worked for me so I'll go with that, doesn't really matter). Run this to find all running processes. I'll use Hill Climb Racing as an example: ps -A Example output: 51523 ?? 0:34.60 /var/containers/Bundle/Application/72FDFED4-16FB-47FE-999D-1CD53CF16B8C/Hill Climb Racing.app/Hill Climb Racing Run debugserver to start the debugging server. To specify which process to attach on, do it like this: debugserver 0.0.0.0:1234 -a "Hill Climb Racing" To attach LLDB from your Mac, run this (ON MAC, not phone). lldb (lldb) platform select remote-ios (lldb) process connect connect://yourphoneip:1234 To set watchpoints (got addr from iGG, gold value): (lldb) process interrupt Process 51523 stopped * thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP frame #0: 0x00000001b7044634 libsystem_kernel.dylib`mach_msg_trap + 8 libsystem_kernel.dylib`mach_msg_trap: -> 0x1b7044634 <+8>: ret libsystem_kernel.dylib`mach_msg_overwrite_trap: 0x1b7044638 <+0>: mov x16, #-0x20 0x1b704463c <+4>: svc #0x80 0x1b7044640 <+8>: ret Target 0: (Hill Climb Racing) stopped. (lldb) w s e -s 4 -- 0x106128024 Watchpoint created: Watchpoint 1: addr = 0x106128024 size = 4 state = enabled type = w new value: 148742069 (lldb) c Process 51523 resuming When your watchpoints gets you'll see disassembled code that ran some instruction on your data. Example (when buying from store): Watchpoint 1 hit: old value: 148742069 new value: 148642069 Process 51523 stopped * thread #1, queue = 'com.apple.main-thread', stop reason = watchpoint 1 frame #0: 0x0000000104a38a74 Hill Climb Racing`___lldb_unnamed_symbol5830$$Hill Climb Racing + 276 Hill Climb Racing`___lldb_unnamed_symbol5830$$Hill Climb Racing: -> 0x104a38a74 <+276>: mov x0, x19 0x104a38a78 <+280>: mov x1, x20 0x104a38a7c <+284>: bl 0x104a38d94 ; ___lldb_unnamed_symbol5832$$Hill Climb Racing 0x104a38a80 <+288>: add x8, sp, #0x30 ; =0x30 Target 0: (Hill Climb Racing) stopped. I have literally no idea how to write ARM assembly but I'd guess that you could replace the instructions at 0x104a38a74 with NOP's to get free-buy, or write a jmp to your own function for mid-function hooks. I suggest watching other tutorials for that, I'm only good at Windows hacking but I may learn some iOS soon :D. For moderators who review: can I wrap everything in hide-tags without messing up everything? I don't really care but a few more likes is cool 😛 I'll make a follow-up some day when I actually create a fully featured cheat with this, iGG, Theos and a disassembler like Ghidra or Binary Ninja. Secret: [hide][/hide]
yeah NewTerm2 is pretty weird, it just goes black sometimes lol. I also got Killed: 9 when just replacing the debugger instead of removing it and then putting the debugger there. I have no idea why though so try "rm /debugger" first
Recently Browsing 0 members
No registered users viewing this page.
- Administrator |
- Special Rank |
- ViP Plus |
- ViP Jailed |
- ViP |
- Cheater |
- Modder |
- Novice Cheater |
- Rookie Modder |
- Contributor |
- Senior Member |
- Member |