Help/Support LLDB watchpoint address value not updating

scratchyentree · September 8, 2020

iOS version 11.4.1 on iPhone 7 Plus using unc0ver 5.2.0 and lldb from San bigner’s repo

For multiple apps, when I set a watchpoint through lldb, it sets a watchpoint properly and reads the value properly. When I go back to the game and modify the value, the watchpoint doesn’t hit, and when I do “w list”, the value of the watchpoint isn’t changed. Am I doing something wrong?

Rook · September 9, 2020

Hello,

Did you bypass/adjust for ASLR on your offset?

songyuki97 · September 9, 2020

ios 11.4.1 unc0ver 5.3.1

too

songyuki97 · September 9, 2020

2 hours ago, Rook said:

Hello,

Did you bypass/adjust for ASLR on your offset?

Example

[ 0] E63DF4AA-6ED9-30DB-A1F4-2BEDF61449B0 0x0000000102c90000 /var/containers/Bundle/Application/C40578D2-AF06-4CC7-A126-B44D9D39C965/PvZ2.app/PvZ2

0x0000000102c9000

0x2c9000 is ASRL offset

and iGG address is 0x14ED0DBF0

(lldb) w s e -- 0x14ED0DBF0
Watchpoint created: Watchpoint 3: addr = 0x14ed0dbf0 size = 8 state = enabled type = w
    new value: 55837351936

i change value in game, but lldb not hit.

and i try other

0x14ED0DBF0 - 0x2c9000 = 0x14C07DBF0

(lldb) w s e -- 0x14C07DBF0
Watchpoint created: Watchpoint 2: addr = 0x14c07dbf0 size = 8 state = enabled type = w
    new value: (null)

i change value in game, but lldb not hit.

what should i do?

thank you

scratchyentree · September 9, 2020

2 hours ago, Rook said:

Hello,

Did you bypass/adjust for ASLR on your offset?

From what I understand from most of the tutorials I've read on here, I have to get a watchpoint to hit on the Memory Editor Address before I adjust the ASLR on the IDA address. The picture in the OP where it stopped was where I changed the value in game (in my case I gained another coin), and the watchpoint still didn't hit (So it's not outputting the address to subtract the ASLR from). Maybe I'm wrong, but I'm using iMemEditor (Formerly iGameGuardian) to get the memory address, adding said address to lldb, and my watchpoint isn't updating or hitting even though I verified that the address value is changing through iMemEditor.

Also, are you telling me to adjust for ASLR on the iMemEditor offset? Because if so, it goes against every tutorial on here I've ever read, and also I took the time to try to subtract the ASLR from the iMemEditor address myself with no success.

scratchyentree · September 9, 2020

24 minutes ago, songyuki97 said:
Example

[ 0] E63DF4AA-6ED9-30DB-A1F4-2BEDF61449B0 0x0000000102c90000 /var/containers/Bundle/Application/C40578D2-AF06-4CC7-A126-B44D9D39C965/PvZ2.app/PvZ2

0x0000000102c9000

0x2c9000 is ASRL offset

and iGG address is 0x14ED0DBF0
(lldb) w s e -- 0x14ED0DBF0
Watchpoint created: Watchpoint 3: addr = 0x14ed0dbf0 size = 8 state = enabled type = w
    new value: 55837351936
i change value in game, but lldb not hit.

and i try other

0x14ED0DBF0 - 0x2c9000 = 0x14C07DBF0
(lldb) w s e -- 0x14C07DBF0
Watchpoint created: Watchpoint 2: addr = 0x14c07dbf0 size = 8 state = enabled type = w
    new value: (null)
i change value in game, but lldb not hit.

what should i do?

thank you

Seems like I'm not the only one having this issue. I believe it might be something to do with either our iOS version, or the LLDB debian that's become outdated. If you could post your iOS version and the version of LLDB you're using maybe we can get an answer sooner.

K_K · September 9, 2020

I’ll see if I can help with this one

where are you getting your watchpoint from?.. igg , game player etc.

Don’t worry about the aslr unless you are trying find the real offset in IDA.

lldb can be frustrating at times .

You could change the value in the lldb .

You would need to find out what is @ this address :

w s e -- 0x14ED0DBF0

After it break/ pause you would need to find The register for the number you’re after

3524493

x/i 0x14ED0DBF0

will give you this info .

0x14ED0DBF0 - 0x2c9000 = 0x14C07DBF0 this is giving you real address taking away aslr that’s why it’s not breaking/stopping .

Go to this address in IDA 0x14C07DBF0

songyuki97 · September 9, 2020

37 minutes ago, scratchyentree said:

Seems like I'm not the only one having this issue. I believe it might be something to do with either our iOS version, or the LLDB debian that's become outdated. If you could post your iOS version and the version of LLDB you're using maybe we can get an answer sooner.

I don't think the cause of the problem is lldb out of date.

because i used xcode attached game and run lldb, watchpoint not hit.

i think ios 11.4.1 cause the problem

scratchyentree · September 9, 2020

10 minutes ago, K_K said:
I’ll see if I can help with this one

where are you getting your watchpoint from?.. igg , game player etc.

Don’t worry about the aslr unless you are trying find the real offset in IDA.

lldb can be frustrating at times .

You could change the value in the lldb .

You would need to find out what is @ this address :
w s e -- 0x14ED0DBF0
After it break/ pause you would need to find The register for the number you’re after

3524493

x/i 0x14ED0DBF0

will give you this info .

0x14ED0DBF0 - 0x2c9000 = 0x14C07DBF0 this is giving you real address taking away aslr that’s why it’s not breaking/stopping .

Go to this address in IDA 0x14C07DBF0

So it’s not breaking or pausing because the vale of the watchpoint address isn’t changing in lldb, even though it is in iGG (I’m using iMemEditor which is the same thing with a different name from the same company).

songyuki97 · September 9, 2020

17 minutes ago, K_K said:
I’ll see if I can help with this one

where are you getting your watchpoint from?.. igg , game player etc.

Don’t worry about the aslr unless you are trying find the real offset in IDA.

lldb can be frustrating at times .

You could change the value in the lldb .

You would need to find out what is @ this address :
w s e -- 0x14ED0DBF0
After it break/ pause you would need to find The register for the number you’re after

3524493

x/i 0x14ED0DBF0

will give you this info .

0x14ED0DBF0 - 0x2c9000 = 0x14C07DBF0 this is giving you real address taking away aslr that’s why it’s not breaking/stopping .

Go to this address in IDA 0x14C07DBF0

iPad-2:~ root# lldb
(lldb) attach 3174
Process 3174 stopped
* thread #1: tid = 0x1f64d, 0x00000001817f7de8 libsystem_kernel.dylib`mach_msg_trap + 8, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
    frame #0: 0x00000001817f7de8 libsystem_kernel.dylib`mach_msg_trap + 8
libsystem_kernel.dylib`mach_msg_trap:
->  0x1817f7de8 <+8>: ret    

libsystem_kernel.dylib`mach_msg_overwrite_trap:
    0x1817f7dec <+0>: movn   x16, #0x1f
    0x1817f7df0 <+4>: svc    #0x80
    0x1817f7df4 <+8>: ret    

Executable module set to "/var/containers/Bundle/Application/C40578D2-AF06-4CC7-A126-B44D9D39C965/PvZ2.app/PvZ2".
Architecture set to: arm64-apple-ios.
(lldb) w s e -- 0x105D76DF0
Watchpoint created: Watchpoint 1: addr = 0x105d76df0 size = 8 state = enabled type = w
    new value: 55840628736
(lldb) x/i 0x105D76DF0
    0x105d76df0: 0x005c6000   .long  0x005c6000                ; unknown opcode

i got ithe info.
then?