Help/Support Marvel Contest of Champions help Crack/ASLR/debug

miseaujeu · November 20, 2015

Hardware: iPhone 5 & Win7 remote debugging.

iOS: 8.4

Jailbreak: TaiG 8.1.3 - 8.x Untether

With the release of Marvel Contest of Champions 5.1.0 ( and the subsequent 5.1.1 ) I'm no longer able to crack a viable copy.

https://itunes.apple.com/us/app/marvel-contest-of-champions/id896112560?mt=8

When I run Clutch ( 1.4.7 git-3 ) I get the following output:

 root# Clutch marvelbattle
DEBUG | Localization.m:70 | preferred lang: (
    en
)
2015-11-19 18:55:55.609 Clutch[1728:72803] checking localization cache
You're using a Clutch development build, checking for updates..
Your version of Clutch is up to date!
Clutch 1.4.7 (git-3)
---------------------------------
is iOS 8 application listing method brah
DEBUG | Preferences.m:42 | preferences_location: /etc/clutch.conf
DEBUG | Preferences.m:43 | {
    CheckMetadata = YES;
    CompressionLevel = "-1";
    CrackerName = Miseaujeu;
    CreditFile = NO;
    MetadataEmail = "[email protected]";
    RemoveMetadata = NO;
    UseNativeZip = YES;
}
DEBUG | main.m:609 | app to crack {
    ApplicationBasename = "marvelbattle.app";
    ApplicationBundleID = "com.kabam.marvelbattle";
    ApplicationContainer = "/var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/";
    ApplicationDirectory = "marvelbattle.app";
    ApplicationDisplayName = Champions;
    ApplicationExecutableName = marvelbattle;
    ApplicationName = marvelbattle;
    ApplicationVersion = 99500;
    Framework = 0;
    MinimumOSVersion = "7.0";
    PlugIn = 0;
    RealUniqueID = "C1829FD3-15A4-4DCD-A398-3CEBF3963DAA";
}
Cracking marvelbattle...
DEBUG | Cracker.m:80 | ------Prepairing from Installed App------
DEBUG | Cracker.m:92 | Temporary Directory: /tmp/clutch_3PrQxBcr/Payload/marvelbattle.app
Creating working directory...
DEBUG | Cracker.m:103 | Temporary Binary Path: /tmp/clutch_3PrQxBcr/Payload/marvelbattle.app/marvelbattle
DEBUG | Cracker.m:111 | Binary Path: /var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/marvelbattle.app/marvelbattle
DEBUG | Cracker.m:113 | -------End Prepairing Installed App-----
DEBUG | Cracker.m:120 | ------Generating Paths------
DEBUG | Cracker.m:139 | /User/Documents/Cracked/Champions-v99500-Miseaujeu-(Clutch-1.4.7).ipa
DEBUG | Cracker.m:141 | ------End Generating Paths-----
DEBUG | Cracker.m:150 | ------Executing crack------
2015-11-19 18:55:55.861 Clutch[1728:72803] created IPAPAth /User/Documents/Cracked/Champions-v99500-Miseaujeu-(Clutch-1.4.7).ipa
DEBUG | Cracker.m:165 | ------Crack Operation------
DEBUG | Cracker.m:167 | beginning crack operation
DEBUG | Binary.m:396 | attempting to crack binary to file! finalpath /tmp/clutch_3PrQxBcr/Payload/marvelbattle.app/marvelbattle
DEBUG | Binary.m:397 | DEBUG: binary path /var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/marvelbattle.app/marvelbattle
DEBUG | Cracker.m:253 | ------Zip Operation------
DEBUG | Cracker.m:254 | beginning zip operation
DEBUG | Cracker.m:258 | using native zip
DEBUG | Binary.m:415 | basedir ok
Performing initial analysis...
DEBUG | Binary.m:423 | open ok
DEBUG | Binary.m:440 | local arch - armv7s
DEBUG | Binary.m:543 | FAT binary detected
DEBUG | Binary.m:545 | nfat_arch 2
DEBUG | Binary.m:556 | arch arch subtype 201326592
DEBUG | Binary.m:551 | 64bit arch detected!
DEBUG | Binary.m:566 | currently cracking arch 9
DEBUG | Binary.m:614 | arch compatible with device, but swap
DEBUG | Binary.m:134 | ##### STRIPPING ARCH #####
DEBUG | Binary.m:139 | lipo path /var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/marvelbattle.app/marvelbattle_arm9_lwork
DEBUG | Binary.m:161 | found arch to keep 9! Storing it
DEBUG | Binary.m:189 | blanking arch! 0
DEBUG | Binary.m:194 | changing nfat_arch
DEBUG | Binary.m:198 | number of architectures 1
DEBUG | Binary.m:203 | Wrote new header to binary!
DEBUG | Binary.m:207 | copying sc_info files!
2015-11-19 18:56:01.021 Clutch[1728:72809] sinf file yo /var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/marvelbattle.app/SC_Info/marvelbattle_arm9_lwork.sinf
DEBUG | Binary.m:724 | currently cracking 32bit portion
DEBUG | Binary.m:1091 | Dumping 32bit segment..
DEBUG | Binary.m:1119 | 32bit dumping: offset 16384
dumping binary: analyzing load commands
DEBUG | Binary.m:1149 | found segment
DEBUG | Binary.m:1149 | found segment
DEBUG | Binary.m:1149 | found segment
DEBUG | Binary.m:1149 | found segment
DEBUG | Binary.m:1130 | found encryption info
DEBUG | Binary.m:1135 | found code signature
dumping binary: obtaining ptrace handle
dumping binary: forking to begin tracing
dumping binary: successfully forked
dumping binary: obtaining mach port
dumping binary: preparing code resign
dumping binary: preparing to dump
dumping binary: ASLR enabled, identifying dump location dynamically
DEBUG | Binary.m:1291 | 32-bit Region Size: 16384 35913728
DEBUG | Binary.m:1291 | 32-bit Region Size: 35913728 35913728
dumping binary: performing dump
dumping binary: patched cryptid
 [========================================================================================>] 100%
 dumping binary: writing new checksum
DEBUG | Binary.m:566 | currently cracking arch 0
DEBUG | Device.m:53 | Can't crack 64bit arch on 32bit device! skipping
DEBUG | Binary.m:607 | arch not compatible with device!
DEBUG | Binary.m:666 | only one architecture left!? strip
DEBUG | Cracker.m:236 | crack operation ok!
packaging: waiting for zip thread
DEBUG | Cracker.m:238 | -----End Crack Op------
DEBUG | Cracker.m:280 | zip original ok
DEBUG | Cracker.m:282 | ------End Zip Op------
DEBUG | Cracker.m:287 | ------Zip Cracked Op------
packaging: compressing IPA
DEBUG | Cracker.m:352 | old metadata /var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/iTunesMetadata.plist /tmp/clutch_3PrQxBcr/iTunesMetadata.plist
packaging: censoring iTunesMetadata
DEBUG | Cracker.m:357 | Generating fake iTunesMetadata
DEBUG | Cracker.m:435 | generate metdata /var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/iTunesMetadata.plist, /tmp/clutch_3PrQxBcr/iTunesMetadata.plist
DEBUG | Cracker.m:387 | Copying iTunesArtwork
DEBUG | Cracker.m:388 | copy from /var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/iTunesArtwork, to /tmp/clutch_3PrQxBcr/iTunesArtwork
DEBUG | Cracker.m:295 | package IPA ok
DEBUG | izip.m:182 | working dir /tmp/clutch_3PrQxBcr
DEBUG | Cracker.m:299 | zip cracked ok
packaging: compression level 4294967295
DEBUG | Cracker.m:317 | ------End Zip Crack Op------
DEBUG | Cracker.m:332 | ------End Execute Crack------
DEBUG | ApplicationLister.m:336 | cracked app ok
DEBUG | ApplicationLister.m:337 | this crack lol 99500
DEBUG | Cracker.m:336 | Saved cracked app info!
        /User/Documents/Cracked/Champions-v99500-Miseaujeu-(Clutch-1.4.7).ipa
elapsed time: 152.32s

Applications cracked:

marvelbattle

Total success: 1   Total failed: 0

It appears to work including LIPO of source binary as well as identifying ( and removing? ) ASLR: "dumping binary: ASLR enabled, identifying dump location dynamically"

However when I test if the file still contains ASLR ( per the instruction from Alcatraz - http://iosgods.com/topic/11639-disable-aslr-on-ios-8384/ )

cycript -p PROCESS
x = dlsym(RTLD_DEFAULT,"_dyld_get_image_vmaddr_slide")
get_aslr_slid = @encode(uint(int)) (x)
get_aslr_slide(0)

this returns a value other than 0 ... which indicates the binary still is using ASLR. When I hexedit the binary and change the 21 to 01, ( or 00, or 20 ) the app crashes -- even after setting owner and permissions.

Debugging with GDB in the Win7 desktop no longer provides a view of functions called and backtrace -- instead lots of "bfd_mach_o_scan: unknown architecture 0x100000c/0x0" and <redacted> functions

/ root# gdb
warning: unrecognized host cpusubtype 11, defaulting to host==armv7.
GNU gdb 6.3.50-20050815 (Apple version gdb-1708 + reverse.put.as patches v0.4) (Mon Apr 16 00:53:47 UTC 2012)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "arm-apple-darwin".
(gdb) att marv
Attaching to process 1809.
Reading symbols for shared libraries . done
unable to read unknown load command 0x80000028
bfd_mach_o_scan: unknown architecture 0x100000c/0x0
unable to read unknown load command 0x80000028
bfd_mach_o_scan: unknown architecture 0x100000c/0x0
bfd_mach_o_scan: unknown architecture 0x100000c/0x0
Reading symbols for shared libraries ................................................................................................................................................................................................................................................................................................. done
unable to read unknown load command 0x80000028
bfd_mach_o_scan: unknown architecture 0x100000c/0x0
unable to read unknown load command 0x80000028
bfd_mach_o_scan: unknown architecture 0x100000c/0x0
bfd_mach_o_scan: unknown architecture 0x100000c/0x0
Reading symbols for shared libraries + done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
0x24f1c04e in <redacted> ()
(gdb) bt 5
#0 0x24f1c04e in <redacted> ()
#1 0x24f197ba in <redacted> ()
(gdb)

I've attempted the crack using rasticrac ( v3.2.9... NOTE: no perfect support for this iOS yet! ) with the same results.

Will someone please attempt to crack using Clutch or rasticrac and let me know if you're able to defeat the ASLR and debug with GDB ?

-Miseaujeu

November 20, 2015

Yeah, all you have to do is get rmaslrgui and specify the path to the binary you want the aslr removed from, sign it, set permissions, then replace the original binary with that

Diversityy · November 20, 2015

You can't debug on 8.4. It is broken and that game is hard to hack.

DeVIL BoY · November 20, 2015

Thes game need hack

November 20, 2015

You can't debug on 8.4. It is broken and that game is hard to hack.

You can

Thes game need hack

Yes but this is a help/support topic so those comments aren't needed here

Rook · November 20, 2015

You can also use this tutorial for bypassing ASLR: http://iosgods.com/topic/19378-how-to-defeatremove-aslr-on-ios-9-armv7-and-arm64-devices/

Diversityy · November 20, 2015

You can

Yes but this is a help/support topic so those comments aren't needed here

Atleast on Windows, it is.

miseaujeu · November 20, 2015

@Shmoo -- I've not had luck with that method for this particular binary.

1. Take source binary ( marvelbattle ~86mb )

2. Run Remove ASLR GUI

3. Sign with ldid -s

4. Set Permissions in iFile

5. Run App -- Success! But it still hasn't been cracked with Clutch or rc.sh ( rasticrac )

6. Run Clutch and it still shows ASLR as being present

7. Replace source binary with much smaller Clutch-ed binary

8. Run App -- Success! Buuut GDB debugging is still a mess.

9. cycrypt check also fails =( :

Am I doing something wrong ?

-M

November 20, 2015

@Shmoo -- I've not had luck with that method for this particular binary.

1. Take source binary ( marvelbattle ~86mb )

2. Run Remove ASLR GUI

3. Sign with ldid -s

4. Set Permissions in iFile

5. Run App -- Success! But it still hasn't been cracked with Clutch or rc.sh ( rasticrac )

6. Run Clutch and it still shows ASLR as being present

7. Replace source binary with much smaller Clutch-ed binary

8. Run App -- Success! Buuut GDB debugging is still a mess.

9. cycrypt check also fails =( :

Am I doing something wrong ?

-M

You have to crack the game then remove ASLR with rmaslrgui

miseaujeu · November 20, 2015

@DiDA I really like the mikeyb method you linked -- but I'm not sure I'm using it correctly.

For Gdb Users (Like @shmoo )

.Open your binary in IDA and select the architecture you are going to be hacking.

.Once it has loaded, go to the very beginning of the file. You should see something like this:

HEADER:000XXXXX. this will be your ASLR bias

.There are other ways to get the header offset, like using otool, but I prefer using IDA.

so ... 0x4000

.Start your app and connect to it with gdb

.Next, type in the command “info address _mh_execute_header”. gdb should print an address to you.

so ... 0xb2000

.Subtract the value from IDA from value you got from gdb and this is your ASLR bias.

0xb2000 - 0x4000 = 0xAE000

.From now on, subtract your ASLR bias from any offset you get from watchpoints, breakpoints etc. to get the correct offset for IDA or add your bias to an address from IDA before using it in GDB.

In previous versions of the game the IDA disassembly provided function names and structure:

since v5.1.0 it's a Sub_x setup with some STRING information

-- I'll try to see if we can get it to break with starting a quest ... perhaps this string can help us? @ 0x11382E2 ( from IDA )

"to get the correct offset for IDA or add your bias to an address from IDA before using it in GDB."

So, 0x11382E2 + 0xAE000 = 0x11E62E2

Now I've started and stopped many quests. Tried various different versions and instances of quests that they provide and each time I "BEGIN" a quest .... nothing happens. No breakpoint ... nothing.

It could just be the wrong offset ... but am I doing the right things ? Should this work if 0x11382E2 in IDA is what I'm looking for ?

-M