Help/Support HELP - Finding IDA offset address using LLDB

nyc709 · April 5, 2021

Tools used:
IDA Pro, Putty (for lldb command), LLDB, IGameGod

What I did:

1. First I run the Game.

2. Used IGameGod and found a value. 0x125affa9c = 3.5 (FLOAT)

3. Run Putty, logged in as root, lldb, attach (pid number)

(lldb) attach 66524
Process 66524 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
frame #0: 0x000000019c5fe198 libsystem_kernel.dylib`mach_msg_trap + 8
libsystem_kernel.dylib`mach_msg_trap:
-> 0x19c5fe198 <+8>: ret

libsystem_kernel.dylib`mach_msg_overwrite_trap:
0x19c5fe19c <+0>: mov x16, #-0x20
0x19c5fe1a0 <+4>: svc #0x80
0x19c5fe1a4 <+8>: ret

Executable module set to "/private/var/containers/Bundle/Application/7449FC03-3312-4469-ABB5-46AC9BA2FEEF/xxxxx.app/xxxxxx".
Architecture set to: arm64-apple-ios-.

4. Run image list (path) and noted the HEX number 0118000

image list /private/var/containers/Bundle/Application/7449FC03-3312-4469-ABB5-46AC9BA2FEEF/BNEI0335.app/BNEI0335
[ 0] E6DA5503-9359-326D-8118-0D3503EC2F14 0x0000000100118000 /private/var/containers/Bundle/Application/7449FC03-3312-4469-ABB5-46AC9BA2FEEF/xxxx.app/xxxx

5. Set watchpoint for 0x125affa9c but the value is showing 1080033280, in Igamegod/dlgmemor the value is 3.5 Float. Please explain?

(lldb) w s e -- 0x125affa9c
Watchpoint created: Watchpoint 1: addr = 0x125affa9c size = 8 state = enabled type = w
new value: 1080033280

6. Then I continue.

(lldb) c
Process 66524 resuming

Problem:

Can't find the address in IDA because watchpoint is not working when I change the value in IGameGod/DLGmemor.
Please not that the value can't be change in Game.

Is there a way to make a breakpoint/watchpoint for me to find the offset in IDA but it's impossible to change the VALUE in Game.
Can change only using IGameGod/DLGmemor.

I know that IDA offset = (watchpoint hit address) - (0118000)

KillerAE · April 6, 2021

Is this a unity game?

nyc709 · April 7, 2021

9 hours ago, KillerAE said:

Is this a unity game?

Yes

KillerAE · April 7, 2021

10 hours ago, nyc709 said:

Yes

The best way is to use il2cppdumper with Unity game and find the function that relates to the value you want to change.

asianqueen · April 9, 2021

I’m a bit confused. Did you get your value by fuzz search or exact search?

did you also decrypted the game before search?

nyc709 · April 9, 2021

9 hours ago, asianqueen said:

I’m a bit confused. Did you get your value by fuzz search or exact search?

did you also decrypted the game before search?

I used crackerxi to get the binary file and global meta.
Cheat will work if i change the value in igamegod, but it will not get a hit in watchpoint lldb to that address because you cant change the value in the game. But you can edit it in igamegod.