Tutorial Hack without subtracting the ASLR Address against the Finder Address

QuistisQueen · May 10, 2021

Please note, I will not cover from ground up. This tutorial assume you already know how to use LLDB and searching for addresses.

If you're looking for a beginner tutorial, please refer to

For this tutorial I will be using Dino Cap 3.

1. Load the games on your iDevice.

2. Using iGameGod to search for the handgun ammo. You can search as soon as the stage loaded. Waste some bullet then do your next search. Test to make sure the remain address works. For me, this is the Finder Address for my ammo:

0x280275B14

Note that Finder address.

3. On your Mac/PC; load up two terminal to connect so we can use LLDB.

4. Set the Watchpoint for the Finder Address then continue.

5. Waste an ammo and LLDB should break. Here we landed on the Base Address: 0x1045DD448. On the noob friendly tutorial; we use the command 'Image List [application name]' to get the ASLR address so we can subtract the address against the Base Address. However, I will teach you a shortcut that takes you directly to the address you need in IDA without subtracting the address. Run this command on LLDB: image lookup -a [Base Address]

Example:

The second line: Address: Dino Cap 3[0x0000000100039448] ; The bolded address there is your IDA Address.

6. Open IDA and jump to the IDA Address. You will landed on the LDR X0, [X19, #0xc8] assemble structure. If you look above it; you will see the SUBS W8, W8, #1. If you NOP it on the Live Offset Patcher for the SUBS address. You now find it that you have infinite ammo.