Help/Support Bloody Harry Coins hack

[myDonuts 1 iPad Air 2 12.4]

Hi,

After following this tutorial and being successful to hack Ammo. I wanted to hack the gold like the tutorial suggest  but after long time of trial and error I still cannot get it t work.

 

So I found the memory address of the coins and find the address when I spent some and the register.

Offset = 0x10098b948
Coins Register = x20

All the register

Spoiler

General Purpose Registers:
        x0 = 0x0000000000000004
        x1 = 0x0000000000008cd8
        x2 = 0x0000000109407b58
        x3 = 0x000000000000850e
        x4 = 0x0000000103898510
        x5 = 0x0000000000000000
        x6 = 0x0000000000000032
        x7 = 0x0000000000000002
        x8 = 0x000000016fb8c738
        x9 = 0x0000000000000000
       x10 = 0x0000000000000006
       x11 = 0x0000000103cd008a
       x12 = 0x000000000000000e
       x13 = 0x000000000000003a
       x14 = 0x0000000000000009
       x15 = 0x0000000103dc7460
       x16 = 0x0000000000000000
       x17 = 0x0000000045000000
       x18 = 0x0000000000000000
       x19 = 0x00000001038b9000
       x20 = 0x00000000000010a1
       x21 = 0x0000000108bfaca0
       x22 = 0x0000000108c058a8
       x23 = 0x000000000000850e
       x24 = 0x0000000000008cde
       x25 = 0x000000010899b290
       x26 = 0x0000000103d71970
       x27 = 0x0000000108c7af12
       x28 = 0x0000000109198901
        fp = 0x000000016fb8c790
        lr = 0x0000000100bfb944  Bloody Harry`___lldb_unnamed_function49893$$Bloody Harry + 388
        sp = 0x000000016fb8c730
        pc = 0x0000000100bfb948  Bloody Harry`___lldb_unnamed_function49893$$Bloody Harry + 392
      cpsr = 0x40000000

 

And the ARM disasembly

Spoiler

        ,=< 0x10098b900      980300b4       cbz x24, 0x10098b970
        |   0x10098b904      080b40f9       ldr x8, [x24, 0x10]        ; [0x10:4]=-1 ; 16
        |   0x10098b908      e00318aa       mov x0, x24
        |   0x10098b90c      e10319aa       mov x1, x25
        |   0x10098b910      e2031aaa       mov x2, x26
        |   0x10098b914      048540f9       ldr x4, [x8, sym.entry17989] ; [0x108:4]=-1
        |   0x10098b918      880840f9       ldr x8, [x4, 0x10]         ; [0x10:4]=-1 ; 16
        |   0x10098b91c      082940f9       ldr x8, [x8, 0x50]         ; [0x50:4]=-1 ; 80
        |   0x10098b920      00013fd6       blr x8
        |   0x10098b924      a01640f9       ldr x0, [x21, 0x28]        ; [0x28:4]=-1 ; 40
       ,==< 0x10098b928      400200b4       cbz x0, 0x10098b970
       ||   0x10098b92c      080840f9       ldr x8, [x0, 0x10]         ; [0x10:4]=-1 ; 16
       ||   0x10098b930      e10317aa       mov x1, x23
       ||   0x10098b934      025140f9       ldr x2, [x8, 0xa0]         ; sym.entry16703
       ||                                                              ; [0xa0:4]=-1
       ||   0x10098b938      480840f9       ldr x8, [x2, 0x10]         ; [0x10:4]=-1 ; 16
       ||   0x10098b93c      082940f9       ldr x8, [x8, 0x50]         ; [0x50:4]=-1 ; 80
       ||   0x10098b940      00013fd6       blr x8
       ||   0x10098b944      b42200b9       str w20, [x21, 0x20]
       ||   0x10098b948      e80740f9       ldr x8, [sp, 8]            ; [0x8:4]=-1 ; 8
       ||   0x10098b94c      e0031e32       orr w0, wzr, 4
       ||   0x10098b950      683200f9       str x8, [x19, 0x60]
       ||   0x10098b954      bf0301d1       sub sp, x29, 0x40
       ||   0x10098b958      fd7b44a9       ldp x29, x30, [sp, 0x40]
       ||   0x10098b95c      f44f43a9       ldp x20, x19, [sp, 0x30]
       ||   0x10098b960      f65742a9       ldp x22, x21, [sp, 0x20]
       ||   0x10098b964      f85f41a9       ldp x24, x23, [sp, 0x10]
       ||   0x10098b968      fa67c5a8       ldp x26, x25, [sp], 0x50
       ||   0x10098b96c      c0035fd6       ret
       ``-> 0x10098b970      e00316aa       mov x0, x22
            0x10098b974      b034f097       bl sym.func.100598c34
            ;-- func.10098b978:
            0x10098b978      f657bda9       stp x22, x21, [sp, -0x30]!
            0x10098b97c      f44f01a9       stp x20, x19, [sp, 0x10]
            0x10098b980      fd7b02a9       stp x29, x30, [sp, 0x20]
            0x10098b984      fd830091       add x29, sp, 0x20
            0x10098b988      ff8300d1       sub sp, sp, 0x20
            0x10098b98c      f30301aa       mov x19, x1
            0x10098b990      680a40f9       ldr x8, [x19, 0x10]        ; [0x10:4]=-1 ; 16
            0x10098b994      e9230091       add x9, sp, 8
            0x10098b998      081940f9       ldr x8, [x8, 0x30]         ; [0x30:4]=-1 ; 48

 

I think that the close that I got from it to work was by modifying the ARM at the address 0x10098B988 to MOV x20, #0 RET wich put infinite amount of gold and crown but crash every time I buy something. I would really enjoy explanation of why it put huge amount in crown and gold because it don't make sense in my head?

Huge thanks for the help in advance.

[Ted2 39.1k iPhone 13 Pro 16.0 Donor]

Hello, 

Sorry for the late reply, but some tips:

When you set a watchpoint to, for example gold, it's nice to spend the gold & use that output as you'll likely come to a SUB(S).
Or you could try to earn gold & see if the output is different & if so there will likely be a ADD.

 

Also: Sometimes the IDA address lldb gives you, is not exactly where you HAVE to be. You can look in the functions around the one you land in too, which you can see if they hit by setting breakpoints.

From your output, the only thing I would have tried is:
 

OLD:
0x10098b944      b42200b9       str w20, [x21, 0x20]

NEW:
0x10098b944      b42200b9       NOP

This would freeze the gold.

[myDonuts 1 iPad Air 2 12.4]

Hi,

I have tried what you suggested me but the gold isn't freeze. I tough that a STR would put the value in x20 into [x21, 0x20] why would it change something in coins ? I followed your tips and explore the function around and I found a MOV x20, x0 at 0x10098b9d0 modifying it to anything else freeze the gold and crown to 0 even if I move any other register.

Spoiler

            ;-- func.10098b978:                                                                                                                                                          
            0x10098b978      f657bda9       stp x22, x21, [sp, -0x30]!                                                                                                                   
            0x10098b97c      f44f01a9       stp x20, x19, [sp, 0x10]                                                                                                                     
            0x10098b980      fd7b02a9       stp x29, x30, [sp, 0x20]                                                                                                                     
            0x10098b984      fd830091       add x29, sp, 0x20                                                                                                                            
            0x10098b988      ff8300d1       sub sp, sp, 0x20                                                                                                                             
            0x10098b98c      f30301aa       mov x19, x1                                                                                                                                  
            0x10098b990      680a40f9       ldr x8, [x19, 0x10]        ; [0x10:4]=-1 ; 16                                                                                                
            0x10098b994      e9230091       add x9, sp, 8                                                                                                                                
            0x10098b998      081940f9       ldr x8, [x8, 0x30]         ; [0x30:4]=-1 ; 48                                                                                                
            0x10098b99c      f30b00f9       str x19, [sp, 0x10]                                                                                                                          
            0x10098b9a0      150540f9       ldr x21, [x8, 8]           ; [0x8:4]=-1 ; 8                                                                                                  
            0x10098b9a4      a83240f9       ldr x8, [x21, 0x60]        ; [0x60:4]=-1 ; 96                                                                                                
            0x10098b9a8      e80700f9       str x8, [sp, 8]                                                                                                                              
            0x10098b9ac      a93200f9       str x9, [x21, 0x60]                                                                                                                          
            0x10098b9b0      001440f9       ldr x0, [x0, 0x28]         ; [0x28:4]=-1 ; 40                                                                                                
        ,=< 0x10098b9b4      000400b4       cbz x0, 0x10098ba34        ; unlikely                                                                                                        
        |   0x10098b9b8      080840f9       ldr x8, [x0, 0x10]         ; [0x10:4]=-1 ; 16                                                                                                
        |   0x10098b9bc      014d40f9       ldr x1, [x8, 0x98]         ; sym.entry17810                                                                                                  
        |                                                              ; [0x98:4]=-1                                                                                                     
        |   0x10098b9c0      280840f9       ldr x8, [x1, 0x10]         ; [0x10:4]=-1 ; 16                                                                                                
        |   0x10098b9c4      082940f9       ldr x8, [x8, 0x50]         ; [0x50:4]=-1 ; 80                                                                                                
        |   0x10098b9c8      00013fd6       blr x8                     ;[?] ; 0xffffffffffffffff(0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0)                                       
        |   0x10098b9cc      680e40f9       ldr x8, [x19, 0x18]        ; [0x18:4]=-1 ; 24                                                                                                
        |   0x10098b9d0      f40300aa       mov x20, x0                                                                                                                                  
        |   0x10098b9d4      080940f9       ldr x8, [x8, 0x10]         ; [0x10:4]=-1 ; 16                                                                                                
        |   0x10098b9d8      091940f9       ldr x9, [x8, 0x30]         ; [0x30:4]=-1 ; 48                                                                                                
        |   0x10098b9dc      281142f9       ldr x8, [x9, 0x420]        ; [0x420:4]=-1 ; 1056                                                                                             
       ,==< 0x10098b9e0      a80000b5       cbnz x8, 0x10098b9f4       ; likely                                                                                                          
       ||   0x10098b9e4      20811091       add x0, x9, 0x420                                                                                                                            
       ||   0x10098b9e8      e1230091       add x1, sp, 8                                                                                                                                
       ||   0x10098b9ec      4894ef97       bl sym.func.100570b0c      ;[2] ; sym.func.100570b0c(0x41f, 0x28, 0x0, 0x0)                                                                  
       ||   0x10098b9f0      e80300aa       mov x8, x0                                                                                                                                   
       `--> 0x10098b9f4      084940f9       ldr x8, [x8, 0x90]         ; sym.entry17542                                                                                                  

 

So I have look for when I spent coins I try changing everywhere SUB but only one affect gold but make the game crash when I spent some. I looked around the function and found a MOV on the gold register but can only get the gold to 0. What should I do next now.

Huge thanks for all of the tips and the help. There no problem for the late reply.