Posts: 572
Everything posted by Goran
-
This is what I got in IDA Pro:

sub_331CA6
    PUSH    {R4-R7,LR}          ; Push registers
    ADD     R7, SP, #0xC        ; Rd = Op1 + Op2
    MOV     R4, R1              ; Rd = Op2
    MOV     R5, R0              ; Rd = Op2
    LDR     R0, [R4,#0xC]       ; Load from Memory
    LDR     R0, [R0,#0x54]      ; Load from Memory
    LDR.W   R6, [R0,#0xD0]      ; Load from Memory
    MOV     R0, R6              ; Rd = Op2
    BL.W    sub_FB2FC8          ; Branch with Link
    MOV     R0, R6              ; Rd = Op2
    BL.W    sub_FC5A74          ; Branch with Link
    MOV     R6, R0              ; Rd = Op2
    LDR     R0, [R4,#0xC]       ; Load from Memory
    MOV     R1, R5              ; Rd = Op2
    LDR     R0, [R0,#0x54]      ; Load from Memory
    LDR.W   R2, [R0,#0xD4]      ; Load from Memory
    MOV     R0, R6              ; Rd = Op2
    LDR     R3, [R2]            ; Load from Memory
    BLX     R3                  ; Branch with Link and Exchange (register indirect)
    MOV     R0, R6              ; Rd = Op2
    POP     {R4-R7,PC}          ; Pop registers
-
I know that R1 holds the value, but how the hell do I find it in IDA when this doesn't exist?
-
I just got one address from iGG, then I did w s e over LLDB, and got this:

* thread #1: tid = 0x36f39, 0x00425cb4 covetHome, stop reason = breakpoint 1.1
    frame #0: 0x00425cb4 covetHome
->  0x425cb4: andlo  r6, r1, r0, lsr r11
    0x425cb8: andlt  r6, r7, r0, lsr r3
    0x425cbc: stceq  p8, c14, [r0, #-756]

What do I need to do next??? Watch or breakpoint what???
-
Thanks, will study this.
-
Nope, the game can be edited with iGG, but I am learning on this one with IDA Pro... over LLDB....
-
Here is the function that I got from LLDB.. it is for coins... X1 and W1 hold the values. I need something to increase coins... to increase instead of decrease, or to be a big constant value... THE GAME IS NOT SERVER-SIDED, IT CAN BE EDITED WITH IGG... BUT I AM LEARNING ON THIS GAME.. SO I GO OVER LLDB AND IDA PRO..
-
Difference Between ADDRESS and OFFSET

In the initial days when I started writing assembly programs on my own, I used to get confused as to when to use ADDRESS and when to use OFFSET in the program. This article is an attempt to clear the doubts of assembly programmers regarding the meaning and usage of ADDRESS and OFFSET.

First and foremost, the purpose of using either ADDRESS or OFFSET is to get the memory address of variables during program execution. Now, we know that variables in any assembly program are of two types, i.e. local and global variables. While global variables remain in memory throughout the execution of the program, local variables exist only during the execution of the functions in which they are declared and will be removed from the stack memory once the function in which they are declared completes its execution.

Since the global variables exist in memory throughout the lifetime of a program's execution, their memory address is allocated at assembly time by the assembler. The assembler knows the exact location of the global variable's memory address at assembly time. In the case of local variables, the assembler has no idea about the address of the variable, as its address is allocated at runtime on the stack as and when the function in which it is declared is executed.

Now coming back to our assembler instructions: OFFSET will get the address of a variable which already has its address allocated. This in turn means OFFSET can be used to get the address of global variables only. We cannot retrieve the address of a local variable by using OFFSET, as the address of a local variable is not decided at assembly time. To overcome this difficulty we have the ADDRESS instruction. This instruction should be used if we want to retrieve the address of a local variable. Now naturally a question arises as to how ADDRESS knows the address of a local variable while OFFSET cannot.

Well, even ADDRESS will not know the actual address of a local variable, as it is referred to at assembly time. What ADDRESS actually does is a simple substitution in the code as follows, just before the function is executed:

    lea eax, localvar
    push eax

What this really means is that ADDRESS causes the address of the local variable, which is generated at runtime, to be returned. lea is used to refer to the stack memory. LEA means Load Effective Address! It is used to load variables from the stack.

If you still did not get it, then imagine a situation as follows. I am standing somewhere on the street and you come to meet me there in search of the address of a beautiful girl which you feel I know. So now, your asking me for the address could be considered as the assembly time of the program; you are the assembly program in search of the (girl's) address, and I am the assembler. Now if I know her exact address I'll give it to you, with the perfect street address, door number, etc. This is what OFFSET does. Now if I don't know where she lives, but I know somebody who I know knows the address of that girl, then I'll give you the address of that somebody and ask you to check there for the address of the girl you are searching for. That's what ADDRESS does. So it's clear that even ADDRESS doesn't have the exact address of the variable.

Now that we clearly know when to use ADDRESS and OFFSET, another question arises. Can we use ADDRESS to load global variables? Yes, of course! If you are referring to global variables using ADDRESS, then ADDRESS simply substitutes it as follows:

    mov eax, 3000h

where 3000h is the actual address of the global variable. Remember, the actual address of a global variable is known at assembly and link time. But then, why does ADDRESS use LEA instead of MOV in the case of local variables? Well, for the simple reason that mov eax, ebp+2 is an invalid CPU instruction.

Note that EBP, also known as the base address, is the register used to access the stack, and it is on the stack where the local variables are stored. Hence, LEA is used by ADDRESS in the case of local variables. So it is clear that OFFSET is to be used for global variables and ADDRESS for local variables. ADDRESS could ALSO be used while referring to global variables, BUT OFFSET cannot be used while referring to local variables.

Credits to author: http://www.hitxp.com/comp/pro/asm/120403.htm
-
Help/Support Can someone compile this into Windows Binary "EXE"
Goran posted a topic in Help & Support
It's about USB mux tunneling.... and is really good, but I don't have the software to compile this.... https://github.com/onlinemediagroup/ocaml-usbmux
-
I need an explanation of when it is needed to reverse HEX codes. For example, if I got the address 69 85 28 in LLDB, do I need to reverse it to 28 85 69 when I search in IDA Pro...? When it comes to that reversal, in which cases??? I need a detailed answer so I can understand... THANKS...
-
Help/Support about the file is no extension file type
Goran replied to zenan's topic in Help & Support
Maybe it just needs to be like that... also, what game is it?
-
What to change here so it goes to a high value, or at least doesn't decrease.... TED2 please, if you answer this, be PRECISE.

Example:
100B92FE4 LDR W8, [X19,#0x50]
change to
100B92FE4 LDR X9, [X19,#0x50]

This is exactly how you can help, precise and EASY. X9 and W9 hold the value....
-
Help/Support Can someone make CoinDozer Tutorial VIDEO?
Goran replied to Goran's topic in Help & Support
I hope you are a man of your word.
-
Patcher [MM] Sniper 3D v2.1.1 +6 Cheats [UPDATED]
Goran replied to Ted2's topic in Free Jailbreak Cheats
update now lol
-
Can someone make a video tutorial of hacking the CoinDozer game... for coins and Dozen Dollars... with LLDB and iGG.... and IDA Pro, that will explain a lot for me and other people.... It can be in two separate videos, one for dollars and one for coins.... THANKS IN ADVANCE.... https://itunes.apple.com/us/app/coin-dozer/id372836496?mt=8
-
LDR R1, [R0,#0x60] changed to LDR R1, [R7,#0x60]: nothing happened at all, not even a crash. Are you sure that I don't need to do something with __text:000CE5F4 BL.W sub_E09B20?
-
Use this, my friend.... And when you want to crack an IPA, you need to download it from iTunes and transfer it to your iDevice....
-
loc_CE5D2                               ; CODE XREF: sub_CE560+54j
    MOV     R0, #(off_1D2383C - 0xCE5DE)
    ADD     R0, PC                      ; off_1D2383C
    LDR     R5, [R0]                    ; unk_1FDCE3C
    LDR     R0, [R5]
    LDRB.W  R1, [R0,#0xB2]
    TST.W   R1, #1
    BEQ     loc_CE5F8
    LDR     R1, [R0,#0x60]
    CBNZ    R1, loc_CE5F8
    MOV.W   R1, #0xFFFFFFFF
    STR     R1, [SP,#0x68+var_48]
    BL.W    sub_E09B20
loc_CE5F8                               ; CODE XREF: sub_CE560+88j
                                        ; sub_CE560+8Cj
    MOVW    R0, #(:lower16:(off_1D23830 - 0xCE608))
    MOV.W   R4, #0xFFFFFFFF
    MOVT.W  R0, #(:upper16:(off_1D23830 - 0xCE608))
    ADD     R0, PC                      ; off_1D23830
    LDR     R6, [R0]                    ; unk_1FDF8A0
    MOVS    R0, #0
    LDR     R1, [R6]
    STR     R4, [SP,#0x68+var_48]
    BL      sub_32A5A4
    CMP     R0, #0
    BEQ     loc_CE6CE
    LDRB.W  R0, [R0,#0x24]
    CMP     R0, #0
    BNE     loc_CE6B2
    LDR     R0, [R5]
    LDRB.W  R1, [R0,#0xB2]
    TST.W   R1, #1
    BEQ     loc_CE638
    LDR     R1, [R0,#0x60]
    CBNZ    R1, loc_CE638
    MOV.W   R1, #0xFFFFFFFF
    STR     R1, [SP,#0x68+var_48]
    BL.W    sub_E09B20
-
__text:000CE5D2 loc_CE5D2                               ; CODE XREF: sub_CE560+54j
__text:000CE5D2                 MOV     R0, #(off_1D2383C - 0xCE5DE)
__text:000CE5DA                 ADD     R0, PC          ; off_1D2383C ; Rd = Op1 + Op2
__text:000CE5DC                 LDR     R5, [R0]        ; unk_1FDCE3C ; Load from Memory
__text:000CE5DE                 LDR     R0, [R5]        ; Load from Memory
__text:000CE5E0                 LDRB.W  R1, [R0,#0xB2]  ; Load from Memory
__text:000CE5E4                 TST.W   R1, #1          ; Set cond. codes on Op1 & Op2
__text:000CE5E8                 BEQ     loc_CE5F8       ; Branch
__text:000CE5EA                 LDR     R1, [R0,#0x60]  ; Load from Memory
__text:000CE5EC                 CBNZ    R1, loc_CE5F8   ; Compare and Branch on Non-Zero
__text:000CE5EE                 MOV.W   R1, #0xFFFFFFFF ; Rd = Op2
__text:000CE5F2                 STR     R1, [SP,#0x68+var_48] ; Store to Memory
__text:000CE5F4                 BL.W    sub_E09B20      ; Branch with Link
__text:000CE5F8
__text:000CE5F8 loc_CE5F8                               ; CODE XREF: sub_CE560+88j
__text:000CE5F8                                         ; sub_CE560+8Cj
__text:000CE5F8                 MOVW    R0, #(:lower16:(off_1D23830 - 0xCE608)) ; Rd = Op2
__text:000CE5FC                 MOV.W   R4, #0xFFFFFFFF ; Rd = Op2
__text:000CE600                 MOVT.W  R0, #(:upper16:(off_1D23830 - 0xCE608)) ; Move Top
__text:000CE604                 ADD     R0, PC          ; off_1D23830 ; Rd = Op1 + Op2
__text:000CE606                 LDR     R6, [R0]        ; unk_1FDF8A0 ; Load from Memory
__text:000CE608                 MOVS    R0, #0          ; Rd = Op2
__text:000CE60A                 LDR     R1, [R6]        ; Load from Memory
__text:000CE60C                 STR     R4, [SP,#0x68+var_48] ; Store to Memory
__text:000CE60E                 BL      sub_32A5A4      ; Branch with Link
__text:000CE612                 CMP     R0, #0          ; Set cond. codes on Op1 - Op2
__text:000CE614                 BEQ     loc_CE6CE       ; Branch
__text:000CE616                 LDRB.W  R0, [R0,#0x24]  ; Load from Memory
__text:000CE61A                 CMP     R0, #0          ; Set cond. codes on Op1 - Op2
__text:000CE61C                 BNE     loc_CE6B2       ; Branch
__text:000CE61E                 LDR     R0, [R5]        ; Load from Memory
__text:000CE620                 LDRB.W  R1, [R0,#0xB2]  ; Load from Memory
__text:000CE624                 TST.W   R1, #1          ; Set cond. codes on Op1 & Op2
__text:000CE628                 BEQ     loc_CE638       ; Branch
__text:000CE62A                 LDR     R1, [R0,#0x60]  ; Load from Memory
__text:000CE62C                 CBNZ    R1, loc_CE638   ; Compare and Branch on Non-Zero
__text:000CE62E                 MOV.W   R1, #0xFFFFFFFF ; Rd = Op2
__text:000CE632                 STR     R1, [SP,#0x68+var_48] ; Store to Memory
__text:000CE634                 BL.W    sub_E09B20      ; Branch with Link
__text:000CE638
__text:000CE638 loc_CE638                               ; CODE XREF: sub_CE560+C8j
__text:000CE638                                         ; sub_CE560+CCj

What would you do step by step in this situation? Thanks, mate.
-
Because I watched the address from iGG with w s e --... and LLDB showed it to me... then I used register read -all, then I calculated the given address minus ASLR, got this IDA Pro address "0x000CE5F4", and that address is in the picture :_)
-
Coin Dozer Coins "R1 holds the value" ->

0x18e5f4: ldr r0, [r2, #0xc]
0x18e5f6: cbz r0, 0x18e600 ; ¬¬¬¬¬ + 136463
0x18e5f8: mov r1, r2

The game has ASLR. I found the value in LLDB, which guided me to this in IDA Pro... now what? Step by step... please...
-
I found this in IDA Pro, guided by LLDB, and now what??? What is the exact next step in IDA Pro or LLDB??? I need a very simple explanation because I am a rookie... step by step...
-
What do I need to change here so I can have an unlimited value, or a big frozen one... or any help for me... in the registers my value is stored in X9 and W9.
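Added worked example (Python), not code from any of the posts above. It covers three things the posts keep circling: the question about reversing "69 85 28" (a 32-bit value is stored little-endian, so a byte search must use the low byte first), the 32-bit post that edited LDR R1, [R0,#0x60] at __text:000CE5EA, and the 64-bit post that wants LDR W8, [X19,#0x50] at 100B92FE4 replaced. The functions encode those instructions from the ARM Thumb-2 16-bit and A64 encodings and return the exact bytes you would search for in a hex editor or IDA and the same-size bytes you would write in their place. The register numbers, offsets and replacement immediates in the __main__ block are my choices for illustration; nothing here claims that a given replacement actually changes the game's coins.

```python
"""Instruction bytes for the Thumb and A64 edits discussed in the thread.

Encodings follow the ARM architecture reference manuals (assumption: the
binary is a normal little-endian iOS Mach-O). File offsets are not known
from the posts, so only the instruction bytes are computed here.
"""
import struct


def le_bytes(value: int, width: int = 4) -> bytes:
    """A value as it appears in a little-endian hex dump.

    LLDB/iGG print the number 0x288569; a byte-level search in IDA or a hex
    editor must look for 69 85 28 00, because the low byte is stored first.
    """
    return value.to_bytes(width, "little")


def hexdump(b: bytes) -> str:
    """Space-separated upper-case hex, the way search boxes expect it."""
    return " ".join(f"{x:02X}" for x in b)


# ---- Thumb (32-bit iOS), e.g. "LDR R1, [R0,#0x60]" at __text:000CE5EA ----

def thumb_ldr_imm(rt: int, rn: int, offset: int) -> bytes:
    """LDR Rt, [Rn, #offset], encoding T1: 01101 imm5 Rn Rt (offset = imm5 * 4)."""
    assert 0 <= rt < 8 and 0 <= rn < 8, "T1 only reaches R0-R7"
    assert offset % 4 == 0 and 0 <= offset // 4 < 32, "offset 0..124, multiple of 4"
    insn = (0b01101 << 11) | ((offset // 4) << 6) | (rn << 3) | rt
    return struct.pack("<H", insn)


def thumb_movs_imm(rd: int, imm8: int) -> bytes:
    """MOVS Rd, #imm8, encoding T1: 00100 Rd imm8 (same 16-bit size as the LDR)."""
    assert 0 <= rd < 8 and 0 <= imm8 < 256
    insn = (0b00100 << 11) | (rd << 8) | imm8
    return struct.pack("<H", insn)


def thumb_nop() -> bytes:
    """16-bit NOP (0xBF00), for blanking a 16-bit instruction."""
    return struct.pack("<H", 0xBF00)


# ---- A64 (64-bit iOS), e.g. "LDR W8, [X19,#0x50]" at 100B92FE4 ----

def a64_ldr_w_imm(wt: int, xn: int, offset: int) -> bytes:
    """LDR Wt, [Xn, #offset] (unsigned offset): 0xB9400000 | imm12<<10 | Rn<<5 | Rt."""
    assert 0 <= wt < 32 and 0 <= xn < 32
    assert offset % 4 == 0 and 0 <= offset // 4 < 4096, "offset 0..16380, multiple of 4"
    insn = 0xB9400000 | ((offset // 4) << 10) | (xn << 5) | wt
    return struct.pack("<I", insn)


def a64_movz_w(wd: int, imm16: int) -> bytes:
    """MOV Wd, #imm16 is MOVZ: 0x52800000 | imm16<<5 | Rd (always 4 bytes)."""
    assert 0 <= wd < 32 and 0 <= imm16 < 0x10000
    insn = 0x52800000 | (imm16 << 5) | wd
    return struct.pack("<I", insn)


def a64_nop() -> bytes:
    """A64 NOP (0xD503201F)."""
    return struct.pack("<I", 0xD503201F)


def patch(original: bytes, patched: bytes) -> dict:
    """Pair the bytes to search for with the bytes to write; sizes must match."""
    assert len(original) == len(patched), "a patch must not change the instruction size"
    return {"search": hexdump(original), "write": hexdump(patched)}


if __name__ == "__main__":
    # Constructed inputs: the address from the byte-order question and the two LDRs above.
    print("0x288569 in a hex dump:", hexdump(le_bytes(0x288569)))
    print("Thumb:", patch(thumb_ldr_imm(1, 0, 0x60), thumb_movs_imm(1, 0xFF)))
    print("A64:  ", patch(a64_ldr_w_imm(8, 19, 0x50), a64_movz_w(8, 0xFFFF)))
```

Two practical points the encoders enforce: a 16-bit Thumb instruction can only be replaced by another 16-bit instruction (a 32-bit MOV.W would overwrite the CBNZ that follows it at 000CE5EC), and an A64 replacement is always exactly 4 bytes. The 32-bit MOVS form also shows why the thread's LDR X9 suggestion is not a drop-in edit: changing the destination width or the register does not remove the load, it just moves the same value somewhere else.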
-
Man, I don't know, I did not make that game, I am just hacking it. Will try...