Request Iron Blade: Medieval RPG 2.3.0

TheFreakzz · February 26, 2022

Name of the game you want hacked:Iron Blade: Medieval RPG
Version of the game: 2.3.0
iTunes Link for the app:
Jailbroken or Non-Jailbroken: Jailbroken

Requested Features: Enemy dont Attack

xrayactual · March 3, 2022

@TheFreakzz FYI: This app has anti-debugging enabled, making it more difficult to hack. It is also not an il2cpp or unity game so finding methods that are exploitable could be near impossible. Also cannot "uncar" Assets.car to search for potential exploits

~~IDA might help disable the anti-debugger but methods likely cannot be deciphered in bulk if they are obfuscated.~~

Update: This game uses syscall and sysctl to prevent debugging

Updated March 3, 2022 by xrayactual

TheFreakzz · March 3, 2022

@xrayactualDon't understand much about it, but is there a small hope of hacking the game, or impossible?

xrayactual · March 3, 2022

13 minutes ago, TheFreakzz said:

@xrayactualDon't understand much about it, but is there a small hope of hacking the game, or impossible?

I don't know yet, I don't have enough information ~~as I'm waiting for my mac to finish transferring the decrypted files to my windows computer so I can try to disable the debugger.~~

Hackers FYI: within IronBladeSlice.app/Payload/app_package/behaviors/ is a file labeled "AIEnemy.dat", that's probably what dictates AI behavior, i.e. ignore player, but I don't know for certain

Updated March 3, 2022 by xrayactual

TheFreakzz · March 3, 2022

@xrayactualI understand. That would be really great if it works. Enemy dont Attack would do just fine as a hack. But thanks for trying that.

xrayactual · March 3, 2022

20 hours ago, TheFreakzz said:

@xrayactualI understand. That would be really great if it works. Enemy dont Attack would do just fine as a hack. But thanks for trying that.

I don't have any experience in manipulating dat files so that may be in Zahir's realm.
I'm still scanning for iterations of _syscall and _sysctl within the assembly, if I can recompile it without issue we may have a starting point...

Additional findings: Iron Blade Medieval runs memory checks, and premium currency is held within 5 memory addresses

Update:

Its littered with antidebugging 🤣 98 total calls, will update when I make more progress

_sysctl:

Spoiler

Address	Function	Instruction
__text:000000010009912C	sub_1000990CC	                BL              _sysctl
__text:00000001000B48AC	+[ISHelpers platformString]	                BL              _sysctlbyname
__text:00000001000B48D0	+[ISHelpers platformString]	                BL              _sysctlbyname
__text:00000001000B4978	+[ISHelpers getMACAddress]	                BL              _sysctl
__text:00000001000B49A8	+[ISHelpers getMACAddress]	                BL              _sysctl
__text:00000001000B4A24	+[ISHelpers getMACAddress]	                ADRL            X20, cfstr_SysctlMgmtinfo ; "sysctl mgmtInfoBase failure"
__text:00000001000B4A3C	+[ISHelpers getMACAddress]	                ADRL            X20, cfstr_SysctlMsgbuffe ; "sysctl msgBuffer failure"
__text:00000001000BC73C	+[ISUtils getMACAddress]	                BL              _sysctl
__text:00000001000BC76C	+[ISUtils getMACAddress]	                BL              _sysctl
__text:00000001000BC7E8	+[ISUtils getMACAddress]	                ADRL            X20, cfstr_SysctlMgmtinfo ; "sysctl mgmtInfoBase failure"
__text:00000001000BC800	+[ISUtils getMACAddress]	                ADRL            X20, cfstr_SysctlMsgbuffe ; "sysctl msgBuffer failure"
__text:00000001000BC974	+[ISUtils platformString]	                BL              _sysctlbyname
__text:00000001000BC998	+[ISUtils platformString]	                BL              _sysctlbyname
__text:000000010013D0CC	+[SSAHelperMethods getMACAddress]	                BL              _sysctl
__text:000000010013D0FC	+[SSAHelperMethods getMACAddress]	                BL              _sysctl
__text:000000010013D178	+[SSAHelperMethods getMACAddress]	                ADRL            X20, cfstr_SysctlMgmtinfo ; "sysctl mgmtInfoBase failure"
__text:000000010013D190	+[SSAHelperMethods getMACAddress]	                ADRL            X20, cfstr_SysctlMsgbuffe ; "sysctl msgBuffer failure"
__text:000000010013D314	+[SSAHelperMethods platformString]	                BL              _sysctlbyname
__text:000000010013D338	+[SSAHelperMethods platformString]	                BL              _sysctlbyname
__text:00000001002B1390	-[APMAdExposureReporter currentTime]	                BL              _sysctl
__text:00000001002D1BD4	-[APMMeasurement updateSchedule]	                BL              _sysctl
__text:00000001002D3C84	-[APMMeasurement networkUploadCompletionHandlerWithResponse:error:]	                BL              _sysctl
__text:00000001002DDAC8	-[APMMeasurement networkRemoteConfigFetchCompletionHandler:data:error:]	                BL              _sysctl
__text:00000001002DDCC4	-[APMMeasurement networkRemoteConfigFetchCompletionHandler:data:error:]	                BL              _sysctl
__text:00000001002EAF90	-[APMSessionReporter currentUptime]	                BL              _sysctl
__text:000000010046FF18	_GADTimeIntervalSinceBoot	                BL              _sysctl
__text:000000010046FF30	_GADTimeIntervalSinceBoot	                ADRL            X1, cfstr_SysctlErrorS ; "sysctl error: %s"
__text:00000001004DADEC	+[FBSDKAppEventsDeviceInfo _readSysCtlUInt:type:]	                BL              _sysctl
__text:0000000100EA7494	sub_100EA7434	                BL              _sysctl
__text:0000000100EF8E98	sub_100EF8D18	                BL              _sysctlbyname
__text:0000000100EF8EC8	sub_100EF8D18	                BL              _sysctlbyname
__text:0000000100F30EB8	sub_100F30E84	                BL              _sysctlbyname
__text:0000000100F30EDC	sub_100F30E84	                BL              _sysctlbyname
__text:0000000100FCCBC8	-[FreemiumIGP openRedirectLinkWithType:languageIndex:andGameVersion:ctgSource:]	                BL              _sysctlbyname
__text:0000000100FCCBEC	-[FreemiumIGP openRedirectLinkWithType:languageIndex:andGameVersion:ctgSource:]	                BL              _sysctlbyname
__text:0000000100FCDB38	-[FreemiumIGP getFreemiumIGPLink]	                BL              _sysctlbyname
__text:0000000100FCDB5C	-[FreemiumIGP getFreemiumIGPLink]	                BL              _sysctlbyname
__text:0000000100FCED84	-[SendInfo sendGameInfo::::::]	                BL              _sysctlbyname
__text:0000000100FCEDA8	-[SendInfo sendGameInfo::::::]	                BL              _sysctlbyname
__text:000000010103A5C4	sub_10103A540	                BL              _sysctl
__text:000000010103A60C	sub_10103A540	                BL              _sysctl
__text:00000001012B78B4	__ZNK6glitch11COSOperator20getProcessorSpeedMHzEPj	                BL              _sysctlbyname
__text:000000010170F150	__ZN3glf17getWifiMacAddressEPci	                BL              _sysctl
__text:000000010170F17C	__ZN3glf17getWifiMacAddressEPci	                BL              _sysctl
__text:000000010170F3C4	_main	                BL              _sysctl
__text:0000000101718808	__ZN3glf11PropertyMap20SetDefaultPropertiesEv	                BL              _sysctl
__text:000000010171884C	__ZN3glf11PropertyMap20SetDefaultPropertiesEv	                BL              _sysctl
__text:0000000101718890	__ZN3glf11PropertyMap20SetDefaultPropertiesEv	                BL              _sysctl
__text:000000010172FF60	-[AppDelegate createMainWindow]	                BL              _sysctlbyname
__text:000000010172FF84	-[AppDelegate createMainWindow]	                BL              _sysctlbyname
__text:0000000101981538	sub_1019814E8	                BL              _sysctl
__text:0000000101981588	sub_1019814E8	                BL              _sysctl
__text:00000001019B3840	+[FBAdPerformanceMetrics coreCount]	                BL              _sysctl
__text:00000001019B3978	+[FBAdPerformanceMetrics freeMemoryBytes]	                BL              _sysctl
__text:00000001019B3A10	+[FBAdPerformanceMetrics totalMemoryBytes]	                BL              _sysctl
__text:00000001019E66E4	+[FBAdUtility isDebuggerAttached]	                BL              _sysctl
__text:0000000101A90B50	sub_101A8E168	                BL              _sysctl
__text:0000000101A930D4	sub_101A92E80	                BL              _sysctl
__stubs:0000000101ADDB70	_sysctl	; [0000000C BYTES: COLLAPSED FUNCTION _sysctl. PRESS CTRL-NUMPAD+ TO EXPAND]
__stubs:0000000101ADDB7C	_sysctlbyname	; [0000000C BYTES: COLLAPSED FUNCTION _sysctlbyname. PRESS CTRL-NUMPAD+ TO EXPAND]
__cstring:0000000101C5B3DF		                                        ; DATA XREF: __cfstring:cfstr_SysctlMgmtinfo↓o
__cstring:0000000101C5B415		                                        ; DATA XREF: __cfstring:cfstr_SysctlMsgbuffe↓o
__cstring:0000000101CBE27D		                                        ; DATA XREF: __cfstring:cfstr_SysctlErrorS↓o
__la_symbol_ptr:0000000101E8F440		_sysctl_ptr     DCQ __imp__sysctl       ; DATA XREF: _sysctl↑o
__la_symbol_ptr:0000000101E8F448		_sysctlbyname_ptr DCQ __imp__sysctlbyname
__cfstring:0000000101F905F0		cfstr_SysctlMgmtinfo __CFString <___CFConstantStringClassReference, 0x7C8, aSysctlMgmtinfo,\
__cfstring:0000000101F90630		cfstr_SysctlMsgbuffe __CFString <___CFConstantStringClassReference, 0x7C8, aSysctlMsgbuffe,\
__cfstring:0000000101FCE650		cfstr_SysctlErrorS __CFString <___CFConstantStringClassReference, 0x7C8, aSysctlErrorS, \
UNDEF:00000001022BB6F8		; int __cdecl _sysctl(int *, u_int, void *, size_t *, void *, size_t)
UNDEF:00000001022BB700		; int __cdecl _sysctlbyname(const char *, void *, size_t *, void *, size_t)

_syscall:

Spoiler

Address	Function	Instruction
__text:0000000100B7213C	sub_100B72050	                BL              _syscall
__text:0000000100B72248	sub_100B72050	                BL              _syscall
__text:0000000100B72354	sub_100B72050	                BL              _syscall
__text:0000000100B72460	sub_100B72050	                BL              _syscall
__text:0000000100B7256C	sub_100B72050	                BL              _syscall
__text:0000000100B72678	sub_100B72050	                BL              _syscall
__text:0000000100B72698	sub_100B72050	                BL              _syscall
__text:0000000100DADD54	sub_100DAC444	                ADRL            X9, aSslErrorSyscal ; "SSL_ERROR_SYSCALL"
__text:0000000100DB0164	sub_100DAFF5C	                ADRL            X1, aSslErrorSyscal ; "SSL_ERROR_SYSCALL"
__text:0000000100FCF8AC	sub_100FCF888	                BL              _syscall
__text:0000000100FCF8C4	sub_100FCF888	                BL              _syscall
__text:0000000100FCF8E0	sub_100FCF888	                BL              _syscall
__text:0000000100FCF8F8	sub_100FCF888	                BL              _syscall
__text:0000000100FCF914	sub_100FCF888	                BL              _syscall
__text:0000000100FCF92C	sub_100FCF888	                BL              _syscall
__text:0000000100FCF938	sub_100FCF888	                BL              _syscall
__text:0000000100FD9FEC	sub_100FD9FA0	                BL              _syscall
__text:0000000100FDA004	sub_100FD9FA0	                BL              _syscall
__text:0000000100FDA020	sub_100FD9FA0	                BL              _syscall
__text:0000000100FDA038	sub_100FD9FA0	                BL              _syscall
__text:0000000100FDA054	sub_100FD9FA0	                BL              _syscall
__text:0000000100FDA06C	sub_100FD9FA0	                BL              _syscall
__text:0000000100FDA078	sub_100FD9FA0	                BL              _syscall
__stubs:0000000101ADDB64	_syscall	; [0000000C BYTES: COLLAPSED FUNCTION _syscall. PRESS CTRL-NUMPAD+ TO EXPAND]
__cstring:0000000101D0BF39		aSslErrorSyscal DCB "SSL_ERROR_SYSCALL",0
__la_symbol_ptr:0000000101E8F438		_syscall_ptr    DCQ __imp__syscall      ; DATA XREF: _syscall↑o
__const:0000000101F156C8		                DCQ aSslErrorSyscal     ; "SSL_ERROR_SYSCALL"
UNDEF:00000001022BB6F0		; int _syscall(int, ...)

Updated March 4, 2022 by xrayactual

TheFreakzz · March 3, 2022

@xrayactualI asked Zahir and I think he'll take a look. I hope he will have time for that . I told him I'll check back on Sunday to see if he was successful.