Help/Support IDA PRO + LLDB “JumpAsk” Failed

[0xWeiss 765 iPhone X 13.3]

HELLO AGAIN! 🙋🏻‍♀️ 

I’ve run into another issue during this learning journey and I’ve searched the forums to see whether someone’s had the same issue or not, one person did but it went unsolved.

Steps:

1. Grabbed ASLR — CE8000

Money: 3320 — CF8

 

2. Removed ASLR from WatchPoint Offsets.

•WatchPoint1 — 0X12C144674

Frame#0 — 10832D0F8

ASLR Removed — 1076450F8

 

•WatchPoint2 — 0X12C3C8BB0

Frame#0 — 10836CE58

ASLR Removed — 107684E58
 

3. Converted Decimal to Hex.

4. Searched in Register Read.

5. Made a match (x11 - 12C65CCF8)

6. Went to IDA.

7. Searched for 1076450F8 & 107684E58

8. Met with Command “JumpAsk” Failed.

 

Did I go wrong somewhere? Please educate me!

[busmanl30 166 iPhone Xs Max 14.6]

On 8/29/2021 at 2:33 AM, LEON... said:

 

 

1 hour ago, Mandu said:

HELLO AGAIN! 🙋🏻‍♀️ 

I’ve run into another issue during this learning journey and I’ve searched the forums to see whether someone’s had the same issue or not, one person did but it went unsolved.

Steps:

1. Grabbed ASLR — CE8000

Money: 3320 — CF8

 

2. Removed ASLR from WatchPoint Offsets.

•WatchPoint1 — 0X12C144674

Frame#0 — 10832D0F8

ASLR Removed — 1076450F8

 

•WatchPoint2 — 0X12C3C8BB0

Frame#0 — 10836CE58

ASLR Removed — 107684E58
 

3. Converted Decimal to Hex.

4. Searched in Register Read.

5. Made a match (x11 - 12C65CCF8)

6. Went to IDA.

7. Searched for 1076450F8 & 107684E58

8. Met with Command “JumpAsk” Failed.

 

Did I go wrong somewhere? Please educate me!

Hey can you provide screenshots on exactly what you are doing or a video, you might be grabbing offsets that might be from another process, sometimes games are weird and have stuff in a framework which can make things a little more difficult 

[0xWeiss 765 iPhone X 13.3]

3 hours ago, ProGamerMoment said:

 

Hey can you provide screenshots on exactly what you are doing or a video, you might be grabbing offsets that might be from another process, sometimes games are weird and have stuff in a framework which can make things a little more difficult 

If you don’t mind, I’ll list everything in detailed steps.

Game:

• Zombie Shop V-0.21.1

 

Devices:

• iPhone X 13.3 UnC0Ver 7.0.0 JB

• ASUS ROG Laptop Win10 x64

 

Programs:

• IDA PRO 7.3

• iL2CPPDumper

• Notepad++

• LLDB

• 3uTools

• PuTTy

• iGameGod

• Filza

• NewTerm

• FlexDecrypt | CrackerXI

 

Sites:

• ArmConverter

• BinaryHexConverter

• Calculator-HexCalculator

——————————————

1. Gathering the necessary files.

• [iPhone] Launch CrackerXI —> Zombie Shop —> Full IPA

• [iPhone] Launch Filza (/var/mobile/Documents/CrackerXI) —> EXTRACT ZombieShop_0.21.1_Weiss
• Launch NewTerm —> flexdecrypt /var/mobile/Documents/CrackerXI/ZombieShop_0.21.1_Weiss/Payload/ZombieShop.app/Frameworks/UnityFramework.framework/UnityFramework

[[Cracked binary is in /tmp/UnityFramework]]

• [PC] — Launch 3uTools > Grab UnityFramework and place in Desktop Folder.

• [PC] Direct to ZombieShop.app > Data > Managed > Metadata > Grab global-metadata.dat and place in Desktop Folder.

——————————————

2. IDA Pro Portion

• [PC] Launch IDA Pro x64 > New > Select “UnityFramework” > Allow to fully load with “IDLE” is on the bottom left.

• [PC] Launch iL2CPPDumper > Select “UnityFramework” > Select “global-metadata.dat” > Allow to finish.

• [PC] Return to IDA Pro (Fully Loaded) > File > Script File... > IDA.py > Script.JSON

• [PC] Allow the script to fully finish until it says “IDLE” is on the bottom left.

——————————————

3. 3uTools / PuTTy / LLDB / Game Portion

• [iPhone] Open iGameGod and enable Zombie Shop.

• [iPhone] Launch Zombie Shop.

• [PC] Launch 3uTools > Toolbox > Open SSH Tunnel > SSH Client (PuTTy)

• [PC] In PuTTy > Type “lldb” > Type “attach ZombieShop”

• [PC] Game attaches successfully, the game freezes.

• [PC] In PuTTy > Type “image list ZombieShop” > Note the ASLR > Type “c” to continue process (unfreeze game).

• [iPhone] Use iGameGod to search values until I’m left with 1-2 (in my case, 3).

• [PC] In PuTTy > Type “process interrupt” (freezes game).

[[NOTE: Cannot create Watchpoints while the game’s running.]]

• [PC] Creates Watchpoints.

• [iPhone/PC] Changes the value > Trigger Watchpoints 1.

• [PC] In PuTTy > Type “register read” and copy the output into Notepad++ > Type “c” to proceed > Watchpoint 2 was trigger-ed > Type “register read” and copy the output into Notepad++.

• [PC] Acquired 2 IDA offsets > Removed ASLR using hex calculator.

• [PC/iPhone] Kept notes on money value and converted using decimal to hex.

• [PC] Searched for the converted value in the register read outputs and found a match in watchpoint 1.

• [PC] Returned to IDA > Press “G” > Inserts Address (ASLR REMOVED ONE)

——————————————
[[ENCOUNTERS ERROR]]
• Command “JumpAsk” Failed

——————————————

Hopefully you could help spot the issue this way!

 

Updated October 27, 2021 by 0xWeiss

[0xWeiss 765 iPhone X 13.3]

EDIT:

Possible Mistakes List:

- “image list UnityFramework” instead of “image list ZombieShop”? (3:23AM Thought)

[busmanl30 166 iPhone Xs Max 14.6]

5 hours ago, 0xWeiss said:

EDIT:

Possible Mistakes List:

- “image list UnityFramework” instead of “image list ZombieShop”? (3:23AM Thought)

That is correct, you must use UnityFramework, offsets will be in there and usually they don’t have the 0x10 in front so try it without and see if they match up, however when looking for the process you have to side Zombie shop since it loads the the frameworks once the binary has been loading, hence why the binary is small. Hope this helps

[0xWeiss 765 iPhone X 13.3]

7 hours ago, ProGamerMoment said:

That is correct, you must use UnityFramework, offsets will be in there and usually they don’t have the 0x10 in front so try it without and see if they match up, however when looking for the process you have to side Zombie shop since it loads the the frameworks once the binary has been loading, hence why the binary is small. Hope this helps

That solved a problem, but not the one I originally had. Haha. However, I realized I was able to find the address in the debug portion of IDA. The green play button thing. However it didn’t have anything next to it, so I exited and saw that the analysis thing wasn’t finished. So I’m gonna let that load and try again tonight.

[Max-Q 51.3k iPhone 15 Pro 17.0.2 Donor]

On 10/27/2021 at 9:46 AM, 0xWeiss said:

If you don’t mind, I’ll list everything in detailed steps.

Game:

• Zombie Shop V-0.21.1

 

Devices:

• iPhone X 13.3 UnC0Ver 7.0.0 JB

• ASUS ROG Laptop Win10 x64

 

Programs:

• IDA PRO 7.3

• iL2CPPDumper

• Notepad++

• LLDB

• 3uTools

• PuTTy

• iGameGod

• Filza

• NewTerm

• FlexDecrypt | CrackerXI

 

Sites:

• ArmConverter

• BinaryHexConverter

• Calculator-HexCalculator

——————————————

1. Gathering the necessary files.

• [iPhone] Launch CrackerXI —> Zombie Shop —> Full IPA

• [iPhone] Launch Filza (/var/mobile/Documents/CrackerXI) —> EXTRACT ZombieShop_0.21.1_Weiss
• Launch NewTerm —> flexdecrypt /var/mobile/Documents/CrackerXI/ZombieShop_0.21.1_Weiss/Payload/ZombieShop.app/Frameworks/UnityFramework.framework/UnityFramework

[[Cracked binary is in /tmp/UnityFramework]]

• [PC] — Launch 3uTools > Grab UnityFramework and place in Desktop Folder.

• [PC] Direct to ZombieShop.app > Data > Managed > Metadata > Grab global-metadata.dat and place in Desktop Folder.

——————————————

2. IDA Pro Portion

• [PC] Launch IDA Pro x64 > New > Select “UnityFramework” > Allow to fully load with “IDLE” is on the bottom left.

• [PC] Launch iL2CPPDumper > Select “UnityFramework” > Select “global-metadata.dat” > Allow to finish.

• [PC] Return to IDA Pro (Fully Loaded) > File > Script File... > IDA.py > Script.JSON

• [PC] Allow the script to fully finish until it says “IDLE” is on the bottom left.

——————————————

3. 3uTools / PuTTy / LLDB / Game Portion

• [iPhone] Open iGameGod and enable Zombie Shop.

• [iPhone] Launch Zombie Shop.

• [PC] Launch 3uTools > Toolbox > Open SSH Tunnel > SSH Client (PuTTy)

• [PC] In PuTTy > Type “lldb” > Type “attach ZombieShop”

• [PC] Game attaches successfully, the game freezes.

• [PC] In PuTTy > Type “image list ZombieShop” > Note the ASLR > Type “c” to continue process (unfreeze game).

• [iPhone] Use iGameGod to search values until I’m left with 1-2 (in my case, 3).

• [PC] In PuTTy > Type “process interrupt” (freezes game).

[[NOTE: Cannot create Watchpoints while the game’s running.]]

• [PC] Creates Watchpoints.

• [iPhone/PC] Changes the value > Trigger Watchpoints 1.

• [PC] In PuTTy > Type “register read” and copy the output into Notepad++ > Type “c” to proceed > Watchpoint 2 was trigger-ed > Type “register read” and copy the output into Notepad++.

• [PC] Acquired 2 IDA offsets > Removed ASLR using hex calculator.

• [PC/iPhone] Kept notes on money value and converted using decimal to hex.

• [PC] Searched for the converted value in the register read outputs and found a match in watchpoint 1.

• [PC] Returned to IDA > Press “G” > Inserts Address (ASLR REMOVED ONE)

——————————————
[[ENCOUNTERS ERROR]]
• Command “JumpAsk” Failed

——————————————

Hopefully you could help spot the issue this way!

 

Im inestigating this issue because it just happening to me same. I think i have founded the solution , but not 100% sure, checking well before posting any bulsh!t and i will update here tomorrow ,

[Max-Q 51.3k iPhone 15 Pro 17.0.2 Donor]

3 minutes ago, Max-- said:

Im investigating this issue because it just happening to me same. I think i have founded the solution , but not 100% sure, checking well before posting any bulsh!t and i will update here tomorrow ,

i can give a tip like the droping offset when watchpoint hits its not the real one, thats why when remove the aslr from it we get a ridiculous offset, that doesnt even exist in ida=Jump failed

Updated November 4, 2021 by Max--

[0xWeiss 765 iPhone X 13.3]

7 hours ago, Max-- said:

i can give a tip like the droping offset when watchpoint hits its not the real one, thats why when remove the aslr from it we get a ridiculous offset, that doesnt even exist in ida=Jump failed

Please let me know. I'm currently trying to hack a game atm using LLDB.

I've searched values -> set watchpoints -> trigger watchpoints -> image lookup -a 0x00000000 (the watchpoint hit)

[Happy Secret 3.2k iPad Pro (2nd gen) 16.2]

@0xWeiss Did you eventually find a solution? 
 

I hit very similar things when I am hacking Otherworld Legends. Unity Framework game, I can modify the memory of the arm code (with Xcode) but i can’t find the real offset for the UnityFramework Binary file.

also got “JumpAsk” failed