Tutorial Using iGameGod Breakpoints & iGDisassembler (On-Device)

0xSolana · April 20, 2023

Hello!

A new iGameGod update was released today with some exciting new features which we'll go through in this tutorial!

These features will be useful for you to debug, patch instructions, see instructions (just like IDA/Hopper Ghidra), modify registers, set breakpoints and watchpoints!

We saw watchpoints in the previous tutorial, here we will see the new breakpoint feature.

1) Breakpoints & Disassembler

Okay, from here, we will use any iGG way to find our coin value. I will use the Exact Search option. (we will cover also if the amount is obfuscated later on this tutorial)

Long press the result, and Set A Watchpoint. Now click the the search icon on the bottom right corner, and select iGDebugger.

I resumed the game and hit 9 coins (grabbed a coin 9 times), and now, in our watchpoint, you can see some changes (Writes: 9) . It's great! It fits our in-game actions!

We will have a closer look at it. Click on the 'Hill Climb Racing +2567624' field, and select the last Stack Trace. On the top, I will select "Offset" to get the decimal values of the registers. Scroll down until you see the register values.

Note that the last coin I picked had the amount of 5. and x0 has it! My balance is 845 now, and x9 is holding it! Now we now what instructions to look at. From here you can easily add a "New Action" and modify the value the registers are holding which we will cover in a bit, but for now, let's take a look at what's happening.

Now, we will try to see which stack frame will be useful. Look at the first one, it has a special symbol name that is attractive to me. (_ZN.....addCoins....). From the name it seems it's adding our coins. Let's click on it.

BOOM! The hole instructions of this function! The middle instruction ADD w9, w9, w0 seems the instruction that is adding the coin to our balance (w9 = w9 + w0).

Let's mod this!

You can simply tap the instruction, and select the Patch Instruction option and edit it to whatever.

Here, I've decided to add the balance to the balance which will make x2 on our balance each time we collect a coin.

Another way you can modify this instruction is by using breakpoints! To do so, click the instruction and select Breakpoint. You instruction will be marked with a small blue circle.

Once you have done that, it will bring you on a new window where you can place some actions. It can be scary at first sight but don't worry, it works really simply!

An action will be called BEFORE the breakpoint (so before the ADD w9, w9, w0) and it will allow us to do something. Lets check the options we have.

We have 2 option, the Jump one, and the Modify Register. We will use the 2nd option for now. In the field, you can set the value to attribute to that register, and you can click the blue square to set your register. Here I will select x0 register as its holding our coin value.

NOTE (w0 and x0 are basically the same, only the size of the register is the difference).

Don't forget to enable the breakpoint, and let's resume the game.

As you could notice, the game doesn't stop like a "normal" breakpoint would do. But that's okay since our action is still executed. And now we earn +1000 each time we collect a coin.

We can verify this is working by checking in-game, or via the watchpoint history!

So, this was the correct instruction, we will add it to our Bookmark section so that we do not have to repeat all theses steps. To do this, swipe the instruction to the left and press "Bookmark". If the app gets updated, the offset will likely change. But as long as the app version is unchanged, the bookmark will be valid.

You will be able to see all your bookmarks in the Disassembler window, when you open iGG.

It was all concerning breakpoints & iGDisassembler.

Let's see something else now.

2) Hacking with Symbols & Function Names

Now, lets say we want unlimited fuel, but problem, there isn't an easy value to search for since we do not know it's value. And I don't want to spend 10 minutes to do some fuzzy search, so we will go trough symbols!

NOTE Symbols are generated when the game gets compiled, sometimes its obfuscated, sometimes not, and when its not it deals with the function name

To generate all the symbols from our binary file, select Settings, Disassembler, Libraries and Hill Climb Racing. We will use the second option (Symbols). It may take time since the app is 40MB, (around 1 minute) and from there, lets search for strings such as "fuel" "consumption" "spendFuel" anything useful. I finally found this:

The symbol name is duplicated but that's not a problem, select one of the two and you will land at the same place:

Hmm this seems to be the fuel consumption multiplier as the name suggest Click the instruction, and this time we won't use the Modify register option, but the Jump option! And we will enter the default number which is 1. Why? Because it will skip 1 instruction. If we wanted to skip more, increase the field value but be careful of crashes

And so, it will never mov the value of 1 into s0. After testing, our Car fuel never decreases!

3) With obfuscated coins

Let's assume we couldn't find the coins with all iGG search feature. Well if it was the case, we had to do some symbol search like the step 2, or we could use IDA and strings or whatever to help us. Let's say after a few hours/days/year on IDA you find this :

Well its the same function as the one we found earlier. But it was without using the coins amount! Of course this would take time to find the right function and wouldn't be as fast a searching the coin number, but well if its obfuscated, its the only solution!

Now, we have the offset of our function addCoins : 0x100272DB0

We will able to see the function on iGG and do some patches/change the registers, to do this, select Settings, Disassembler, Libraries and Hill Climb Racing. We will this time use the Lookup Library Offset option. Make sure to enter the offset without the 0x100 before