Help/Support Wrong IDA Offset

NotEriic · August 25, 2019

Hey Gods,
ife a Problem again with the ASLR Slide / IDA Offset.
I've Substract the ASRL (4968000) from Frame0# (01C05F1E68).
So its 104B4B544 - 4968000 = 1BBC89E68
But there is no 1BBC89E68 in IDA.
What's wrong? Is it because the iGG Offset is: 281DE25F0?
Its the only Offset i found.

See Code below: ( --->)

(lldb) attach HGAppstore
Traceback (most recent call last):
  File "<input>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/lldb/formatters/__init__.py", line 3, i                                                                             n <module>
    __import__('lldb.formatters.' + x)
  File "/usr/lib/python2.7/site-packages/lldb/formatters/cache.py", line 8, in <                                                                             module>
    import lldb.formatters.metrics
  File "/usr/lib/python2.7/site-packages/lldb/formatters/metrics.py", line 9, in                                                                              <module>
    import time, datetime
ImportError: dynamic module does not define init function (inittime)
Traceback (most recent call last):
  File "<input>", line 1, in <module>
NameError: name 'pydoc' is not defined
Process 14047 stopped
* thread #1: tid = 0x92653, 0x00000001c05730f4 libsystem_kernel.dylib`mach_ms                                                                                g_trap + 8, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
    frame #0: 0x00000001c05730f4 libsystem_kernel.dylib`mach_msg_trap + 8
libsystem_kernel.dylib`mach_msg_trap:
->  0x1c05730f4 <+8>: ret

libsystem_kernel.dylib`mach_msg_overwrite_trap:
    0x1c05730f8 <+0>: movn   x16, #0x1f
    0x1c05730fc <+4>: svc    #0x80
    0x1c0573100 <+8>: ret

Executable module set to "/var/containers/Bundle/Application/FC3513E2-1B69-40                                                                                73-B4D9-A9E7A62875AF/HGAppstore.app/HGAppstore".
Architecture set to: arm64-apple-ios.
(lldb) image list
[  1] CA1E82A4-F26A-3499-9AB3-4044D5DEFC9E 0x0000000104968000 /var/containers                                                                                /Bundle/Application/FC3513E2-1B69-4073-B4D9-A9E7A62875AF/HGAppstore.app/HGApp                                                                                store
(lldb) c
>->->->-> ///// ///// ///// SEARCH FOR INGAME MONEY ///// ///// ///// <-<-<-<-<
(lldb) process interrupt
(lldb) w s e -- 0x281DE25F0
Watchpoint created: Watchpoint 2: addr = 0x281de25f0 size = 8 state = enabled                                                                                 type = w
    new value: 999999241
(lldb) c
Process 14047 resuming

Watchpoint 2 hit:
old value: 999999241
new value: 999999437
Process 14047 stopped
* thread #1: tid = 0x92653, 0x00000001c05f1e68 libsystem_platform.dylib`_plat                                                                                form_memmove + 312, queue = 'com.apple.main-thread', stop reason = watchpoint                                                                                 2
    frame #0: 0x00000001c05f1e68 libsystem_platform.dylib`_platform_memmove +                                                                                 312
libsystem_platform.dylib`_platform_memmove:
->  0x1c05f1e68 <+312>: subs   x2, x2, #1
    0x1c05f1e6c <+316>: b.ne   0x1c05f1e60               ; <+304>
    0x1c05f1e70 <+320>: ret
    0x1c05f1e74 <+324>: cbz    x3, 0x1c05f1fa8           ; <+632>
(lldb) c
Process 14047 resuming

Watchpoint 2 hit:
old value: 999999437
new value: 999997901
Process 14047 stopped
* thread #1: tid = 0x92653, 0x00000001c05f1e68 libsystem_platform.dylib`_plat                                                                                form_memmove + 312, queue = 'com.apple.main-thread', stop reason = watchpoint                                                                                 2
    frame #0: 0x00000001c05f1e68 libsystem_platform.dylib`_platform_memmove +                                                                                 312
libsystem_platform.dylib`_platform_memmove:
->  0x1c05f1e68 <+312>: subs   x2, x2, #1
    0x1c05f1e6c <+316>: b.ne   0x1c05f1e60               ; <+304>
    0x1c05f1e70 <+320>: ret
    0x1c05f1e74 <+324>: cbz    x3, 0x1c05f1fa8           ; <+632>
(lldb) register read
General Purpose Registers:
        x0 = 0x0000000281de25f0
        x1 = 0x0000000281dae9d2
        x2 = 0x0000000000000003
        x3 = 0x0000000281de25f2
        x4 = 0x0000000000013e33
        x5 = 0x0000000000000000
        x6 = 0x00000000000000c1
        x7 = 0x0000000000000403
        x8 = 0x0000000281963640
        x9 = 0x000000000000132c
       x10 = 0x000000000ac00000
       x11 = 0x000000000000029d
       x12 = 0x0000000000000001
       x13 = 0x0000000000000258
       x14 = 0x000000000000007d
       x15 = 0x0000000000000100
       x16 = 0x00000001c05f1d30  libsystem_platform.dylib`_platform_memmove
       x17 = 0x000000011300d0f4  DLGMemor.dylib`-[DLGMem DLGMemUIRefresh]
       x18 = 0x0000000000000000
       x19 = 0x0000000281de27a0
       x20 = 0x0000000000000203
       x21 = 0x0000000281dae9d0
       x22 = 0x000000011e5ce240
       x23 = 0x0000000000000001
       x24 = 0x0000000281dacfd0
       x25 = 0x0000000000000000
       x26 = 0x00000001ed47f87c  "objectAtIndex:"
       x27 = 0x0000000000000001
       x28 = 0x000000028118a550
        fp = 0x000000016b496000
        lr = 0x000000011300dfc4  DLGMemor.dylib`review_mem_in_chain + 112
        sp = 0x000000016b495fd0
        pc = 0x00000001c05f1e68  libsystem_platform.dylib`_platform_memmove +                                                                                 312
      cpsr = 0x20000000

(lldb) watchpoint delete 2
1 watchpoints deleted.
(lldb) c
Process 14047 resuming
(lldb)