
Affe2626 (Senior Member, 124 posts)

Everything posted by Affe2626

  1. Download Xcode and try to build an empty project for your phone, that will get you the iOS SDK. Okay, home now with my PC so I'll try getting it working on Windows.
  2. hmm, okay, haven't tested on arm64e. Try to thin the debugserver binary with arm64e instead if you haven't already
  3. iPhone X on 13.4.1, works fine, what messes up for you?
  4. I haven't tried anything else. If you get LLDB to run with an iOS SDK on another OS then probably. The remote-ios platform maybe only exists on the macOS version of LLDB (but you can always try). Search for how to set SDK path. It does that automatically if you have Xcode installed for macOS.
  5. Yep, that's fine, I attached a hidden meme instead. I may do a video next time when I make a cheat with this. Let's see how that goes
  6. Hi, I looked at the tutorials section here and saw that the only tutorial about debugging was a tutorial by Ted22 without support for watchpoints. This does support watchpoints and you don't need to download stuff from unofficial sources. But I do recommend reading his tutorial as it covers other stuff.

     For this you need Xcode & Homebrew (on macOS). Probably works on GNU/Linux if you get debugserver and the right iOS SDK some other way, or you could run macOS in a VM.

     Run this to get ldid:

         brew install ldid

     Then you need to get the right debugserver. Run

         cd /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/

     (iPadOS if you're using an iPad, I guess.) Then do an ls to list all available versions. In my case "13.3" since I run iOS 13.3.1 on an iPhone X. Run this to mount the DeveloperDiskImage of your version, 13.3 in my case:

         open ./13.3/DeveloperDiskImage.dmg

     Then open your mounted disk image and go to DeveloperDiskImage/usr/bin. There you'll find debugserver. Copy that to your computer somewhere. I used ~/Documents/debugserver.

     To thin your binary, run

         lipo -thin arm64 ./debugserver -output ./debugserverthin     (if using arm64)
         lipo -thin arm64e ./debugserver -output ./debugserverthin    (if using arm64e, iPhone XS and above, haven't tried though, maybe arm64 will work fine as well)

     Next, sign debugserver with this xml file (save as ent.xml):

         <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
         <plist version="1.0">
         <dict>
             <key>com.apple.springboard.debugapplications</key>
             <true/>
             <key>get-task-allow</key>
             <true/>
             <key>task_for_pid-allow</key>
             <true/>
             <key>run-unsigned-code</key>
             <true/>
         </dict>
         </plist>

     Using ldid as such:

         ldid -Sent.xml ./debugserverthin

     Copy it to your phone using sftp:

         sftp root@yourphoneip
         put debugserverthin

     Now SSH into your phone and run

         mv ./debugserverthin /usr/bin/debugserver

     (/usr/local/bin is more standard but /usr/bin just worked for me so I'll go with that, doesn't really matter.)

     Run this to find all running processes. I'll use Hill Climb Racing as an example:

         ps -A

     Example output:

         51523 ?? 0:34.60 /var/containers/Bundle/Application/72FDFED4-16FB-47FE-999D-1CD53CF16B8C/Hill Climb Racing.app/Hill Climb Racing

     Run debugserver to start the debugging server. To specify which process to attach to, do it like this:

         debugserver 0.0.0.0:1234 -a "Hill Climb Racing"

     To attach LLDB from your Mac, run this (ON MAC, not phone):

         lldb
         (lldb) platform select remote-ios
         (lldb) process connect connect://yourphoneip:1234

     To set watchpoints (got addr from iGG, gold value):

         (lldb) process interrupt
         Process 51523 stopped
         * thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
             frame #0: 0x00000001b7044634 libsystem_kernel.dylib`mach_msg_trap + 8
         libsystem_kernel.dylib`mach_msg_trap:
         ->  0x1b7044634 <+8>: ret
         libsystem_kernel.dylib`mach_msg_overwrite_trap:
             0x1b7044638 <+0>: mov    x16, #-0x20
             0x1b704463c <+4>: svc    #0x80
             0x1b7044640 <+8>: ret
         Target 0: (Hill Climb Racing) stopped.
         (lldb) w s e -s 4 -- 0x106128024
         Watchpoint created: Watchpoint 1: addr = 0x106128024 size = 4 state = enabled type = w
             new value: 148742069
         (lldb) c
         Process 51523 resuming

     When your watchpoint gets hit you'll see disassembled code that ran some instruction on your data.

     Example (when buying from store):

         Watchpoint 1 hit:
         old value: 148742069
         new value: 148642069
         Process 51523 stopped
         * thread #1, queue = 'com.apple.main-thread', stop reason = watchpoint 1
             frame #0: 0x0000000104a38a74 Hill Climb Racing`___lldb_unnamed_symbol5830$$Hill Climb Racing + 276
         Hill Climb Racing`___lldb_unnamed_symbol5830$$Hill Climb Racing:
         ->  0x104a38a74 <+276>: mov    x0, x19
             0x104a38a78 <+280>: mov    x1, x20
             0x104a38a7c <+284>: bl     0x104a38d94 ; ___lldb_unnamed_symbol5832$$Hill Climb Racing
             0x104a38a80 <+288>: add    x8, sp, #0x30 ; =0x30
         Target 0: (Hill Climb Racing) stopped.

     I have literally no idea how to write ARM assembly but I'd guess that you could replace the instructions at 0x104a38a74 with NOPs to get free-buy, or write a jmp to your own function for mid-function hooks. I suggest watching other tutorials for that, I'm only good at Windows hacking but I may learn some iOS soon :D.

     For moderators who review: can I wrap everything in hide-tags without messing up everything? I don't really care but a few more likes is cool 😛

     I'll make a follow-up some day when I actually create a fully featured cheat with this, iGG, Theos and a disassembler like Ghidra or Binary Ninja.

     Secret: [hide][/hide]
  7. NewTerm2, Termius and SSH from my MacBook. Some stuff should be fixed now.
  8. isn't really needed but I can make a .deb file yeah
  9. yeah working on it now. School has been taking a lot of time
  10. Got it back, yay. Just moved because of school though. I need to setup my PC and stuff then I'll fix some things
  11. Same, authorized repairs needs to order the parts because they aren't allowed to stock most of it iirc, it's just caps-lock that's unresponsive. Apple pls fix faster
  12. yeah NewTerm2 is pretty weird, it just goes black sometimes lol. I also got Killed: 9 when just replacing the debugger instead of removing it and then putting the debugger there. I have no idea why though so try "rm /debugger" first
  13. yea hmm haven't seen that. Does it always happen?
  14. Probably the entitlements but the app should be signed. Uploaded the debugger from an exFAT formatted drive which doesn't support permissions. That may've f***ed up the file but I doubt it. Edit: downloaded it now and tried, worked fine. Install wget from Cydia, then:

         su
         (password)
         cd /
         wget http://download1351.mediafire.com/r8i48y9gb6vg/p2d84v1f8m20eqk/debugger
         chmod 777 /debugger
         /debugger

      Worked fine for me.
  15. Try to move it to /, and login as root.
  16. chmod 777 /path/to/binary
  17. Download it directly to your phone and put it where you want using Filza, or download it to your computer and transfer it using SFTP (WinSCP for Windows and Cyberduck/built-in sftp for Mac). You don't need source.cpp unless you want to edit the app and compile it yourself.
  18. Feel you, I've had one single thing on my coding to-do list forever and I haven't even started. That's making a phone application that communicates with my CS:GO cheat so it for example vibrates when standing close to an enemy, external radar & settings controlled by phone. Maybe I should make a tweak and make it as a lockscreen widget? hmm
  19. GamePlayer isn't updated for iOS 11 and everyone has issues with GameGem from what I've seen. Right now I think it's worse because it has a few bugs which I can't fix because I don't have my Mac here. However, this tool is much faster when getting data in my experience.
  20. okay let's name it cooltoolfool
  21. Has a bug so you can't use the search_for_something functions more than once. Use the fix I wrote later in the post. Sometimes you get segmentation fault: 11 after searching for changed value. I don't know what causes it right now, may just be a nullptr check. Will definitely fix it once I get my computer back. It works most of the time though.

      Hi, I've made a cheat engine for iOS 11.3.1. All other cheat engines just seem to not work or they're paid. This is completely free and open source. This is more of a proof of concept than an actual cheat engine but it works fine for game-hacking :). Written in C++ and compilation instructions are commented in the source. Got the idea from Billy Ellis' Lyla but that one doesn't even have a memory scanner so I guess all credit goes to me (except for the register dumper). Report back if you find any issues, I made this in an afternoon and everything isn't tested.

      Example of changing gold, usually an int (if it's not an int then replace search_for_int with search_for* where "*" is a supported data type, list them with help or by looking at the source):

      Step 1.
          -> search_for_int
          -> 0
          -> 0
          -> enter the value of (gold, health, xp, whatever)

      Step 2. Filter out garbage values (optional, if you have few results it isn't needed). If you get many results then make the game change the value (buy something to decrease gold or take damage).
          -> type c
          -> enter the changed value
          Repeat until you have few results.

      Step 3. List all values by index.
          -> type r
          It'll show a list of found values, find the index of the address that you want to edit.

      Step 4. Changing value (AVAILABLE IN LATEST UPDATE).
          -> type w
          -> enter the index that you found in step 3.
          -> enter your desired value

      DONE!

      Upcoming features (gotta get my MacBook back from repair first, sending it in tomorrow ?):
        - Get ASLR slide. Or implement it yourself: https://github.com/Tyilo/get_aslr https://github.com/gdbinit/MachOView
        - A pretty GUI.
        - Searching for unknown values.
        - In-game mixtape player.

      [Hidden Content]
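The search / filter / list / write loop from the four steps above, as an added worked example in C++. This is not Affe2626's tool (the posted source is in the hidden attachment) and makes no claim about how that tool is written; it runs the same four steps over a constructed in-process buffer standing in for the game's memory so it can be compiled and run anywhere. The names Region, FakeRegion, IntScanner and demo_gold_hack are my own, the scan is 4-byte aligned (an assumption the post does not state), and the starting gold value and the 100000 deduction are taken from the watchpoint output in the debugging tutorial above. On a jailbroken device the Region would instead be backed by a task port obtained with task_for_pid (the same entitlement the tutorial signs into debugserver) and Mach VM read/write calls. The example also covers the two failure modes the post mentions: a repeated search starts from a cleared candidate list instead of filtering stale results, and a write at a bad index, or after a filter that left nothing, returns false rather than faulting.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Abstract view of the target's memory. On a jailbroken iPhone this would wrap
// a task port from task_for_pid() plus mach_vm_read_overwrite / mach_vm_write
// (assumption, not the posted tool); here it is a plain byte array.
struct Region {
    virtual ~Region() = default;
    virtual uint64_t base() const = 0;
    virtual uint64_t size() const = 0;
    // Out-of-range requests return false instead of crashing the scanner.
    virtual bool read(uint64_t addr, void* out, size_t n) const = 0;
    virtual bool write(uint64_t addr, const void* in, size_t n) = 0;
};

// Constructed stand-in for a game's data segment (not a real process).
struct FakeRegion : Region {
    uint64_t base_addr;
    std::vector<uint8_t> bytes;
    FakeRegion(uint64_t b, size_t n) : base_addr(b), bytes(n, 0) {}
    uint64_t base() const override { return base_addr; }
    uint64_t size() const override { return bytes.size(); }
    bool in_range(uint64_t addr, size_t n) const {
        return addr >= base_addr && addr + n <= base_addr + bytes.size();
    }
    bool read(uint64_t addr, void* out, size_t n) const override {
        if (!in_range(addr, n)) return false;
        std::memcpy(out, &bytes[addr - base_addr], n);
        return true;
    }
    bool write(uint64_t addr, const void* in, size_t n) override {
        if (!in_range(addr, n)) return false;
        std::memcpy(&bytes[addr - base_addr], in, n);
        return true;
    }
};

// Steps 1-4 of the post for 32-bit ints: search, filter by changed value,
// list by index, write by index.
class IntScanner {
public:
    explicit IntScanner(Region& r) : region_(r) {}

    // Step 1: fresh scan at 4-byte alignment (assumption). Clears earlier
    // candidates so a second search_for_int starts from scratch.
    size_t search_for_int(int32_t value) {
        candidates_.clear();
        const uint64_t end = region_.base() + region_.size();
        for (uint64_t a = region_.base(); a + sizeof(int32_t) <= end; a += sizeof(int32_t)) {
            int32_t v;
            if (region_.read(a, &v, sizeof v) && v == value) candidates_.push_back(a);
        }
        return candidates_.size();
    }

    // Step 2: keep only candidates that now hold the changed value.
    size_t filter_changed(int32_t new_value) {
        std::vector<uint64_t> kept;
        for (uint64_t a : candidates_) {
            int32_t v;
            if (region_.read(a, &v, sizeof v) && v == new_value) kept.push_back(a);
        }
        candidates_.swap(kept);
        return candidates_.size();
    }

    // Step 3: list by index.
    const std::vector<uint64_t>& results() const { return candidates_; }

    // Step 4: write by index; a bad index (e.g. after an empty filter) is
    // rejected instead of dereferencing past the end of the list.
    bool write_index(size_t idx, int32_t value) {
        if (idx >= candidates_.size()) return false;
        return region_.write(candidates_[idx], &value, sizeof value);
    }

private:
    Region& region_;
    std::vector<uint64_t> candidates_;
};

// Worked run: gold starts at 148742069, a decoy field holds the same value,
// the "shop" deducts 100000 (old/new values from the watchpoint output above),
// and the filter step isolates the real gold slot. Returns the gold read back.
int32_t demo_gold_hack(size_t* first_hits = nullptr, size_t* after_filter = nullptr) {
    const uint64_t gold_addr = 0x106128024;  // the post's address, reused as a label only
    FakeRegion mem(0x106128000, 0x100);
    int32_t gold = 148742069, decoy = 148742069, health = 100;
    mem.write(gold_addr, &gold, sizeof gold);
    mem.write(0x106128040, &decoy, sizeof decoy);
    mem.write(0x106128010, &health, sizeof health);

    IntScanner sc(mem);
    size_t n1 = sc.search_for_int(148742069);   // step 1: gold + decoy = 2 hits
    gold -= 100000;                              // the game "buys" something
    mem.write(gold_addr, &gold, sizeof gold);
    size_t n2 = sc.filter_changed(148642069);    // step 2: only gold changed
    if (first_hits) *first_hits = n1;
    if (after_filter) *after_filter = n2;
    if (n2 != 1 || sc.results()[0] != gold_addr) return -1;   // step 3
    if (!sc.write_index(0, 999999999)) return -1;             // step 4
    int32_t out = 0;
    mem.read(gold_addr, &out, sizeof out);
    return out;
}

int main() {
    size_t a = 0, b = 0;
    int32_t g = demo_gold_hack(&a, &b);
    std::printf("hits after search: %zu, after filter: %zu, gold now: %d\n", a, b, g);
    return g == 999999999 ? 0 : 1;
}
```

The filter is the part that matters in practice: on a real game the first search over a few hundred MB returns thousands of hits for a common value, and only a value the game itself changes narrows them to one. Reading each candidate back on every filter, rather than caching values, is what keeps a stale address from being written.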