TuT How to Defeat/Remove ASLR On iOS 9 - Armv7 and ARM64 Devices

mikeyb · November 2, 2015

Thing You Will Need:

. A Cracked App. For This Tut I'm using High Noon 2 Game

. LLDB OR GDB

. A Brain

Instructions:

. A lot has changed on ios9 so cracking a binary and removing the aslr from it on an older version ios aint going to work on your ios9 device forget it, it wont happen, follow the tut below to defeat it, it's so easy

. Get your offsets from igamegaurdian or gamegem ready

. Attach you game to LLDB you should all know how to do this by now.

. When LLDB Connects Type image list

. This will bring up a big list go to the very top like the pic below to find your games aslr

. Now as you can see I'm using High Noon 2 game at the top of my list its shows HN2.app/HN2 (0x00000001000dc000)

. This is my Aslr - dc000, what you need to do is now in LLDB Add your watchpoint (example w s e -- 0x1b5f00210)

. when you get a hit and the address from lldb you need to subtract your aslr from it example......LLDB Address given 0x10023ca45 so now you subtract your Aslr address from it so I will do 10023ca45 − dc000 = 100160a45

and 0x100160a45 is the address I need in ida

.Easy As That I Hope It Helps

. You will need to reapeat each time you attach the game cause the Aslr changes

. Also I use this online hex calculator if you don't have one http://www.miniwebtool.com/hex-calculator/

For Gdb Users Like @@shmoo

.Open your binary in IDA and

.select the architecture you are

going to be hacking.

.Once it has loaded, go to the very beginning of

the file. You should see something

like this:

HEADER:000XXXXX. this will be your ASLR bias