TuT Disable ASLR on iOS 8.3/8.4

[DuIslingr 181 iPhone 15 Pro Max 17.0]

After spending literally days trying to solve the stupid ASLR/Signing problem I finally figured out my own solution.

 

This tutorial is for those of you that have issues removing ASLR on iOS 8.3 and 8.4. If for some reason your apps still crash after using the tools and signing, then following the steps below is the answer.

 

Things you need:

Hex Editor
Cycript from Cydia(This is not really necessary, but its an easy way to verify if ASLR is actually disabled)
A Brain
 

Disabling ASLR:
 

1. Crack the app (At the time of this post, rasticrac is the only cracker that works properly on 8.3/8.4)
    
2. Put the binary on your desktop and open it with a hex editor. (There are multiple ways to view and edit the hex of a binary. So do it however you like. This is just for reference)
    
3. You need to go to the following offset depending on if your binary is FAT or non-FAT.(FAT means your binary has more than one arch. non-FAT is a thinned binary or a binary only containing one arch.)
   

   FAT armv7 = 0x4018
   non-FAT armv7 or arm64 = 0x18

   http://i.imgur.com/PFSxpBe.png
    
4. You are going to edit the 21 highlighted in the image above to 01. (The entire hex highlighted is the same for both armv7 and arm64. If this is not what you see then you are at the wrong offset.)
    
5. Save and that is it. Put the modded binary back in your game folder and run it. Just make sure permissions are set. You do not need to sign when you follow this method.

Verifying ASLR is Disabled:
If you would like to make sure that ASLR is disabled before you start debugging and finding out it is not, then do the following in terminal.

cycript -p PROCESS
x = dlsym(RTLD_DEFAULT,"_dyld_get_image_vmaddr_slide")
get_aslr_slide = @[member='encoder88'](uint(int))(x)
get_aslr_slide(0)

Process = Binaryname

If the result of this is 0 then ASLR is disabled. Otherwise it is enabled.

Do not copy and paste all of it at once in the commandline. Run the first line. Then copy and paste the rest.

 

NOTES:
Q: What about FAT arm64 offset?
A:You may have noticed that I do not specify the offset for fat arm64. This is because I am unsure if this is dynamic. As in I don't know if it changes based on binary size. I would assume so but need to test. For now if you want to debug arm64, then lipo the binary and go to the non fat offset. Then stick it into your game. If I figure it out, I will update this tutorial.

 

Credits:
Alcatraz
HackJack: Provided cycript code to verify ASLR status.

[Rook 541.2k iPad Pro (2nd gen) 17.4 Donor]

Nice!

 

Have you seen this also? http://iosgods.com/topic/10447-tutorial-how-to-make-removeaslr-work-on-ios-83-84/

 

Seems to be working for most.

[DuIslingr 181 iPhone 15 Pro Max 17.0]

If you read the first cpl of sentences I state that if attempting to sign still causes problems like it was for me then this tut was for you. So no that tut did not work.

[ipaarchive.com 11.1k]

Hidden Content

React or reply to this topic to see the hidden content & download link.

[Raggnar 8.5k 12 9.3.3]

Awesome!

[DuIslingr 181 iPhone 15 Pro Max 17.0]

Hidden Content

React or reply to this topic to see the hidden content & download link.

Every single ASLR removal tool sets it to 01. Never caused any issues. I fail to see the point of your post. I also do not understand why you bothered to use hide content.

[Parsifal 3 iPhone 12 Mini 16.0.2]

Thanks for the tutorial mate!

[orella 116 9]

Thanks!! i was waiting for a solution

[DuIslingr 181 iPhone 15 Pro Max 17.0]

Thanks!! i was waiting for a solution 

You are actually why I posted it here. I saw you had the same problem as me. Wasn't sure if you were on the other sites.

[orella 116 9]

You are actually why I posted it here. I saw you had the same problem as me. Wasn't sure if you were on the other sites.

game still crashing =S tried to change the 21 to 01 and nothing. Tried 00 and nothing. Also some games have 20 instead of 21 but anyways is still crashing.