TuT Disable ASLR on iOS 8.3/8.4

DuIslingr · July 20, 2015

After spending literally days trying to solve the stupid ASLR/Signing problem I finally figured out my own solution.

This tutorial is for those of you that have issues removing ASLR on iOS 8.3 and 8.4. If for some reason your apps still crash after using the tools and signing, then following the steps below is the answer.

Things you need:

Hex Editor
Cycript from Cydia(This is not really necessary, but its an easy way to verify if ASLR is actually disabled)
A Brain

Disabling ASLR:

Crack the app (At the time of this post, rasticrac is the only cracker that works properly on 8.3/8.4)
Put the binary on your desktop and open it with a hex editor. (There are multiple ways to view and edit the hex of a binary. So do it however you like. This is just for reference)
You need to go to the following offset depending on if your binary is FAT or non-FAT.(FAT means your binary has more than one arch. non-FAT is a thinned binary or a binary only containing one arch.)
```
FAT armv7 = 0x4018
non-FAT armv7 or arm64 = 0x18
```
http://i.imgur.com/PFSxpBe.png
You are going to edit the 21 highlighted in the image above to 01. (The entire hex highlighted is the same for both armv7 and arm64. If this is not what you see then you are at the wrong offset.)
Save and that is it. Put the modded binary back in your game folder and run it. Just make sure permissions are set. You do not need to sign when you follow this method.

Verifying ASLR is Disabled:
If you would like to make sure that ASLR is disabled before you start debugging and finding out it is not, then do the following in terminal.

cycript -p PROCESS
x = dlsym(RTLD_DEFAULT,"_dyld_get_image_vmaddr_slide")
get_aslr_slide = @[member='encoder88'](uint(int))(x)
get_aslr_slide(0)

Process = Binaryname

If the result of this is 0 then ASLR is disabled. Otherwise it is enabled.

Do not copy and paste all of it at once in the commandline. Run the first line. Then copy and paste the rest.

NOTES:
Q: What about FAT arm64 offset?
A:You may have noticed that I do not specify the offset for fat arm64. This is because I am unsure if this is dynamic. As in I don't know if it changes based on binary size. I would assume so but need to test. For now if you want to debug arm64, then lipo the binary and go to the non fat offset. Then stick it into your game. If I figure it out, I will update this tutorial.

Credits:
Alcatraz
HackJack: Provided cycript code to verify ASLR status.

Updated July 20, 2015 by Alcatraz

Rook · July 20, 2015

Nice!

Have you seen this also? http://iosgods.com/topic/10447-tutorial-how-to-make-removeaslr-work-on-ios-83-84/

Seems to be working for most.

DuIslingr · July 20, 2015

If you read the first cpl of sentences I state that if attempting to sign still causes problems like it was for me then this tut was for you. So no that tut did not work.

ipaarchive.com · July 20, 2015

Hidden Content

React or reply to this topic to see the hidden content & download link. 👀

Updated July 20, 2015 by iOSv64

Raggnar · July 20, 2015

Awesome!

DuIslingr · July 20, 2015

Hidden Content

React or reply to this topic to see the hidden content & download link. 👀

Every single ASLR removal tool sets it to 01. Never caused any issues. I fail to see the point of your post. I also do not understand why you bothered to use hide content.

Updated July 20, 2015 by Alcatraz

Parsifal · July 20, 2015

Thanks for the tutorial mate!

orella · July 20, 2015

Thanks!! i was waiting for a solution

Updated July 20, 2015 by orella

DuIslingr · July 20, 2015

Thanks!! i was waiting for a solution

You are actually why I posted it here. I saw you had the same problem as me. Wasn't sure if you were on the other sites.

orella · July 20, 2015

You are actually why I posted it here. I saw you had the same problem as me. Wasn't sure if you were on the other sites.

game still crashing =S tried to change the 21 to 01 and nothing. Tried 00 and nothing. Also some games have 20 instead of 21 but anyways is still crashing.