Help/Support Marvel Contest of Champions help Crack/ASLR/debug

November 20, 2015

@DiDA I really like the mikeyb method you linked -- but I'm not sure I'm using it correctly.

For Gdb Users (Like @shmoo )

.Open your binary in IDA and select the architecture you are going to be hacking.

.Once it has loaded, go to the very beginning of the file. You should see something like this:

HEADER:000XXXXX. this will be your ASLR bias

.There are other ways to get the header offset, like using otool, but I prefer using IDA.

so ... 0x4000

.Start your app and connect to it with gdb

.Next, type in the command “info address _mh_execute_header”. gdb should print an address to you.

so ... 0xb2000

.Subtract the value from IDA from value you got from gdb and this is your ASLR bias.

0xb2000 - 0x4000 = 0xAE000

.From now on, subtract your ASLR bias from any offset you get from watchpoints, breakpoints etc. to get the correct offset for IDA or add your bias to an address from IDA before using it in GDB.

In previous versions of the game the IDA disassembly provided function names and structure:

since v5.1.0 it's a Sub_x setup with some STRING information

-- I'll try to see if we can get it to break with starting a quest ... perhaps this string can help us? @ 0x11382E2 ( from IDA )

"to get the correct offset for IDA or add your bias to an address from IDA before using it in GDB."

So, 0x11382E2 + 0xAE000 = 0x11E62E2

Now I've started and stopped many quests. Tried various different versions and instances of quests that they provide and each time I "BEGIN" a quest .... nothing happens. No breakpoint ... nothing.

It could just be the wrong offset ... but am I doing the right things ? Should this work if 0x11382E2 in IDA is what I'm looking for ?

-M

But try what I said before. Remove ASLR after cracking the binary. And that does not look like the right string for anything

Updated November 20, 2015 by Guest

miseaujeu · November 20, 2015

You have to crack the game then remove ASLR with rmaslrgui

Alright, let's go again !

Duplicated source binary to keep as backup

Ran Clutch

Clutch marvelbattle
DEBUG | Localization.m:70 | preferred lang: (
    en
)
2015-11-19 21:27:28.273 Clutch[670:12594] checking localization cache
You're using a Clutch development build, checking for updates..
Your version of Clutch is up to date!
Clutch 1.4.7 (git-3)
---------------------------------
is iOS 8 application listing method brah
DEBUG | Preferences.m:42 | preferences_location: /etc/clutch.conf
DEBUG | Preferences.m:43 | {
    CheckMetadata = YES;
    CompressionLevel = "-1";
    CrackerName = Miseaujeu;
    CreditFile = NO;
    MetadataEmail = "[email protected]";
    RemoveMetadata = NO;
    UseNativeZip = YES;
}
DEBUG | main.m:609 | app to crack {
    ApplicationBasename = "marvelbattle.app";
    ApplicationBundleID = "com.kabam.marvelbattle";
    ApplicationContainer = "/var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/";
    ApplicationDirectory = "marvelbattle.app";
    ApplicationDisplayName = Champions;
    ApplicationExecutableName = marvelbattle;
    ApplicationName = marvelbattle;
    ApplicationVersion = 99500;
    Framework = 0;
    MinimumOSVersion = "7.0";
    PlugIn = 0;
    RealUniqueID = "C1829FD3-15A4-4DCD-A398-3CEBF3963DAA";
}
Cracking marvelbattle...
DEBUG | Cracker.m:80 | ------Prepairing from Installed App------
DEBUG | Cracker.m:92 | Temporary Directory: /tmp/clutch_1x2kHu3x/Payload/marvelbattle.app
Creating working directory...
DEBUG | Cracker.m:103 | Temporary Binary Path: /tmp/clutch_1x2kHu3x/Payload/marvelbattle.app/marvelbattle
DEBUG | Cracker.m:111 | Binary Path: /var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/marvelbattle.app/marvelbattle
DEBUG | Cracker.m:113 | -------End Prepairing Installed App-----
DEBUG | Cracker.m:120 | ------Generating Paths------
DEBUG | Cracker.m:139 | /User/Documents/Cracked/Champions-v99500-Miseaujeu-(Clutch-1.4.7).ipa
DEBUG | Cracker.m:141 | ------End Generating Paths-----
DEBUG | Cracker.m:150 | ------Executing crack------
2015-11-19 21:27:28.572 Clutch[670:12594] created IPAPAth /User/Documents/Cracked/Champions-v99500-Miseaujeu-(Clutch-1.4.7).ipa
DEBUG | Cracker.m:165 | ------Crack Operation------
DEBUG | Cracker.m:167 | beginning crack operation
DEBUG | Binary.m:396 | attempting to crack binary to file! finalpath /tmp/clutch_1x2kHu3x/Payload/marvelbattle.app/marvelbattle
DEBUG | Binary.m:397 | DEBUG: binary path /var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/marvelbattle.app/marvelbattle
DEBUG | Cracker.m:253 | ------Zip Operation------
DEBUG | Cracker.m:254 | beginning zip operation
DEBUG | Cracker.m:258 | using native zip
DEBUG | Binary.m:415 | basedir ok
Performing initial analysis...
DEBUG | Binary.m:423 | open ok
DEBUG | Binary.m:440 | local arch - armv7s
DEBUG | Binary.m:543 | FAT binary detected
DEBUG | Binary.m:545 | nfat_arch 2
DEBUG | Binary.m:556 | arch arch subtype 201326592
DEBUG | Binary.m:551 | 64bit arch detected!
DEBUG | Binary.m:566 | currently cracking arch 9
DEBUG | Binary.m:614 | arch compatible with device, but swap
DEBUG | Binary.m:134 | ##### STRIPPING ARCH #####
DEBUG | Binary.m:139 | lipo path /var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/marvelbattle.app/marvelbattle_arm9_lwork
DEBUG | Binary.m:161 | found arch to keep 9! Storing it
DEBUG | Binary.m:189 | blanking arch! 0
DEBUG | Binary.m:194 | changing nfat_arch
DEBUG | Binary.m:198 | number of architectures 1
DEBUG | Binary.m:203 | Wrote new header to binary!
DEBUG | Binary.m:207 | copying sc_info files!
2015-11-19 21:27:34.123 Clutch[670:12598] sinf file yo /var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/marvelbattle.app/SC_Info/marvelbattle_arm9_lwork.sinf
DEBUG | Binary.m:724 | currently cracking 32bit portion
DEBUG | Binary.m:1091 | Dumping 32bit segment..
DEBUG | Binary.m:1119 | 32bit dumping: offset 16384
dumping binary: analyzing load commands
DEBUG | Binary.m:1149 | found segment
DEBUG | Binary.m:1149 | found segment
DEBUG | Binary.m:1149 | found segment
DEBUG | Binary.m:1149 | found segment
DEBUG | Binary.m:1130 | found encryption info
DEBUG | Binary.m:1135 | found code signature
dumping binary: obtaining ptrace handle
dumping binary: forking to begin tracing
dumping binary: successfully forked
dumping binary: obtaining mach port
dumping binary: preparing code resign
dumping binary: preparing to dump
dumping binary: ASLR enabled, identifying dump location dynamically
DEBUG | Binary.m:1291 | 32-bit Region Size: 16384 35913728
DEBUG | Binary.m:1291 | 32-bit Region Size: 35913728 35913728
dumping binary: performing dump
dumping binary: patched cryptid
 [=============================================================>] 100%
 dumping binary: writing new checksum
DEBUG | Binary.m:566 | currently cracking arch 0
DEBUG | Device.m:53 | Can't crack 64bit arch on 32bit device! skipping
DEBUG | Binary.m:607 | arch not compatible with device!
DEBUG | Binary.m:666 | only one architecture left!? strip
DEBUG | Cracker.m:236 | crack operation ok!
packaging: waiting for zip thread
DEBUG | Cracker.m:238 | -----End Crack Op------
DEBUG | Cracker.m:280 | zip original ok
DEBUG | Cracker.m:282 | ------End Zip Op------
DEBUG | Cracker.m:287 | ------Zip Cracked Op------
packaging: compressing IPA
DEBUG | Cracker.m:352 | old metadata /var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/iTunesMetadata.plist /tmp/clutch_1x2kHu3x/iTunesMetadata.plist
packaging: censoring iTunesMetadata
DEBUG | Cracker.m:357 | Generating fake iTunesMetadata
DEBUG | Cracker.m:435 | generate metdata /var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/iTunesMetadata.plist, /tmp/clutch_1x2kHu3x/iTunesMetadata.plist
DEBUG | Cracker.m:387 | Copying iTunesArtwork
DEBUG | Cracker.m:388 | copy from /var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/iTunesArtwork, to /tmp/clutch_1x2kHu3x/iTunesArtwork
DEBUG | Cracker.m:295 | package IPA ok
DEBUG | izip.m:182 | working dir /tmp/clutch_1x2kHu3x
DEBUG | Cracker.m:299 | zip cracked ok
packaging: compression level 4294967295
DEBUG | Cracker.m:317 | ------End Zip Crack Op------
DEBUG | Cracker.m:332 | ------End Execute Crack------
DEBUG | ApplicationLister.m:336 | cracked app ok
DEBUG | ApplicationLister.m:337 | this crack lol 99500
DEBUG | Cracker.m:336 | Saved cracked app info!
        /User/Documents/Cracked/Champions-v99500-Miseaujeu-(Clutch-1.4.7).ipa
elapsed time: 176.47s

Applications cracked:

marvelbattle

Total success: 1   Total failed: 0

-Moved Champions-v99500-Miseaujeu-(Clutch-1.4.7).ipa from /User/Documents/Cracked/ to desktop harddrive. Extracted "marvelbattle" and began IDA disassembly.

-Copied the newly Clutch-ed marvelbattle to original install location (/private/var/mobile/Containers/Bundle/Application/C1829FD3-15A4-4DCD-A398-3CEBF3963DAA/marvelbattle.app ) and overwrote original binary

-I then ran Remove ASLR GUI

-Signed with ldid -s

-Set Permissions in iFile

5. Run App -- Success! ... but now the cycrypt check to see if ASLR is really gone

6. It is !

Thank you ! I can't understand how I was doing something wrong each time for the past several days. By needing to lay it out like this I guess I wasn't able to miss a step.

Now I can get down to seeing how drastically this build was changed from the previous versions.

Thanks again!

-M

November 20, 2015