TuT How to Defeat/Remove ASLR On iOS 9 - Armv7 and ARM64 Devices

[mikeyb 8.7k iPad (5th Generation) 11.2.1]

Thing You Will Need:

 

. A Cracked App. For This Tut I'm using High Noon 2 Game

. LLDB OR GDB

. A Brain

 

Instructions:

 

. A lot has changed on ios9 so cracking a binary and removing the aslr from it on an older version ios aint going to work on your ios9 device forget it, it wont happen, follow the tut below to defeat it, it's so easy

 

. Get your offsets from igamegaurdian or gamegem ready

. Attach you game to LLDB you should all know how to do this by now.

. When LLDB Connects Type image list

. This will bring up a big list go to the very top like the pic below to find your games aslr

 

 

. Now as you can see I'm using High Noon 2 game at the top of my list its shows HN2.app/HN2 (0x00000001000dc000)

 

. This is my Aslr - dc000, what   you need  to do is now in LLDB Add your watchpoint (example w s e -- 0x1b5f00210)

 

. when you get a hit and the address from lldb you need to subtract your aslr from it example......LLDB Address  given  0x10023ca45  so now you subtract your Aslr address from it so I will do 10023ca45 − dc000 = 100160a45

and  0x100160a45 is the address I need in ida

 

.Easy As That I Hope It Helps

 

. You will need to reapeat each time you attach the game cause the Aslr changes

 

. Also I use this online hex calculator if you don't have one http://www.miniwebtool.com/hex-calculator/

 

For Gdb Users Like @@shmoo

 

.Open your binary in IDA and

 

.select the architecture you are

going to be hacking.

 

.Once it has loaded, go to the very beginning of

the file. You should see something

like this:

HEADER:000XXXXX. this will be your ASLR bias

 

.There are other ways to

get the header offset, like using

otool, but I prefer using IDA.

 

.Start your app and connect to it

with gdb 

 

.Next, type in the command “info

address _mh_execute_header”.

 

.gdb should print an address to

you.

 

.Subtract the value from IDA from

value you got from gdb and this is

your ASLR bias.

 

.From now on,

subtract your ASLR bias from any

offset you get from watchpoints,

breakpoints etc. to get the correct

offset for IDA or add your bias to

an address from IDA before using

it in GDB.

 

 

Updated November 2, 2015 by mikeyb

[Guest]

GDB does work on ios 9 I use it all the time

[Amuyea 87.7k iPhone 7 Plus 14.3]

nice job

[mikeyb 8.7k iPad (5th Generation) 11.2.1]

not for arm64 devices

[smokey 2.7k 25 8.1.0]

#rekt

[Guest]

not for arm64 devices

It does, I use a 5s

[mikeyb 8.7k iPad (5th Generation) 11.2.1]

GDB does work on ios 9 I use it all the time

what version I will test

Updated November 2, 2015 by mikeyb

[Guest]

not for arm64 devices?

I use a 5s and it works

what version I will test

the gdb from cydia.radare.org (repo)

[mikeyb 8.7k iPad (5th Generation) 11.2.1]

I use a 5s and it works

 

the gdb from cydia.radare.org (repo)

tried that on my  iPhone 6 plus wouldn't work for me at all anyway lldb is better

[Guest]

tried that on my  iPhone 6 plus wouldn't work for me at all anyway lldb is better

I like gdb because you don't have to wait a million years