
My first steps with IDA


Posted (edited)

Hi, I am actually learning how to hack with IDA.

I'm in my second year of a computer engineering degree and Assembler language is one of my subjects, so this really interests me.

I am trying to break the security of an app that uses this subroutine:

__text:0000000100325E1C ; =============== S U B R O U T I N E =======================================
__text:0000000100325E1C
__text:0000000100325E1C ; MATUtils + (bool)checkJailBreak
__text:0000000100325E1C ; Attributes: bp-based frame
__text:0000000100325E1C
__text:0000000100325E1C ; bool __cdecl +[MATUtils checkJailBreak](struct MATUtils_meta *self, SEL)
__text:0000000100325E1C __MATUtils_checkJailBreak_ ; DATA XREF: __objc_const:0000000100779BE8o
__text:0000000100325E1C
__text:0000000100325E1C var_200 = -0x200
__text:0000000100325E1C var_1F8 = -0x1F8
__text:0000000100325E1C var_1F0 = -0x1F0
__text:0000000100325E1C var_1E8 = -0x1E8
__text:0000000100325E1C var_1E0 = -0x1E0
__text:0000000100325E1C var_1D8 = -0x1D8
__text:0000000100325E1C var_1D0 = -0x1D0
__text:0000000100325E1C var_1C8 = -0x1C8
__text:0000000100325E1C var_1C0 = -0x1C0
__text:0000000100325E1C var_1B8 = -0x1B8
__text:0000000100325E1C var_1B0 = -0x1B0
__text:0000000100325E1C var_1A8 = -0x1A8
__text:0000000100325E1C var_1A0 = -0x1A0
__text:0000000100325E1C var_198 = -0x198
__text:0000000100325E1C var_190 = -0x190
__text:0000000100325E1C var_188 = -0x188
__text:0000000100325E1C var_180 = -0x180
__text:0000000100325E1C var_178 = -0x178
__text:0000000100325E1C var_170 = -0x170
__text:0000000100325E1C var_168 = -0x168
__text:0000000100325E1C var_148 = -0x148
__text:0000000100325E1C var_140 = -0x140
__text:0000000100325E1C var_138 = -0x138
__text:0000000100325E1C var_118 = -0x118
__text:0000000100325E1C var_98 = -0x98
__text:0000000100325E1C var_90 = -0x90
__text:0000000100325E1C var_88 = -0x88
__text:0000000100325E1C var_78 = -0x78
__text:0000000100325E1C var_68 = -0x68
__text:0000000100325E1C var_58 = -0x58
__text:0000000100325E1C var_50 = -0x50
__text:0000000100325E1C var_40 = -0x40
__text:0000000100325E1C var_30 = -0x30
__text:0000000100325E1C var_20 = -0x20
__text:0000000100325E1C var_10 = -0x10
__text:0000000100325E1C var_s0 = 0
__text:0000000100325E1C
__text:0000000100325E1C STP X29, X30, [SP,#-0x10+var_s0]!
__text:0000000100325E20 MOV X29, SP
__text:0000000100325E24 STP X20, X19, [SP,#var_10]!
__text:0000000100325E28 STP X22, X21, [SP,#0x10+var_20]!
__text:0000000100325E2C STP X24, X23, [SP,#0x20+var_30]!
__text:0000000100325E30 STP X26, X25, [SP,#0x30+var_40]!
__text:0000000100325E34 STP X28, X27, [SP,#0x40+var_50]!
__text:0000000100325E38 SUB SP, SP, #0x1B0
__text:0000000100325E3C ADRP X8, #___stack_chk_guard_ptr@PAGE
__text:0000000100325E40 LDR X8, [X8,#___stack_chk_guard_ptr@PAGEOFF]
__text:0000000100325E44 LDR X8, [X8]
__text:0000000100325E48 STUR X8, [X29,#var_58]
__text:0000000100325E4C ADRP X8, #classRef_NSArray@PAGE
__text:0000000100325E50 LDR X0, [X8,#classRef_NSArray@PAGEOFF]
__text:0000000100325E54 ADRP X8, #selRef_arrayWithObjects_@PAGE
__text:0000000100325E58 NOP
__text:0000000100325E5C LDR X1, [X8,#selRef_arrayWithObjects_@PAGEOFF]
__text:0000000100325E60 ADRP X8, #cfstr_UsrSbinSshd@PAGE ; "/usr/sbin/sshd"
__text:0000000100325E64 ADD X8, X8, #cfstr_UsrSbinSshd@PAGEOFF ; "/usr/sbin/sshd"
__text:0000000100325E68 STP X8, XZR, [SP,#0x200+var_168]
__text:0000000100325E6C ADRP X8, #cfstr_UsrLibexecSftp@PAGE ; "/usr/libexec/sftp-server"
__text:0000000100325E70 ADD X8, X8, #cfstr_UsrLibexecSftp@PAGEOFF ; "/usr/libexec/sftp-server"
__text:0000000100325E74 STR X8, [SP,#0x200+var_170]
__text:0000000100325E78 ADRP X8, #cfstr_UsrBinSshd@PAGE ; "/usr/bin/sshd"
__text:0000000100325E7C ADD X8, X8, #cfstr_UsrBinSshd@PAGEOFF ; "/usr/bin/sshd"
__text:0000000100325E80 STR X8, [SP,#0x200+var_178]
__text:0000000100325E84 ADRP X8, #cfstr_SystemLibrar_2@PAGE ; "/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist"
__text:0000000100325E88 ADD X8, X8, #cfstr_SystemLibrar_2@PAGEOFF ; "/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist"
__text:0000000100325E8C STR X8, [SP,#0x200+var_180]
__text:0000000100325E90 ADRP X8, #cfstr_SystemLibraryL@PAGE ; "/System/Library/LaunchDaemons/com.ikey.bbot.plist"
__text:0000000100325E94 ADD X8, X8, #cfstr_SystemLibraryL@PAGEOFF ; "/System/Library/LaunchDaemons/com.ikey.bbot.plist"
__text:0000000100325E98 STR X8, [SP,#0x200+var_188]
__text:0000000100325E9C ADRP X8, #cfstr_PrivateVarTmpC@PAGE ; "/private/var/tmp/cydia.log"
__text:0000000100325EA0 ADD X8, X8, #cfstr_PrivateVarTmpC@PAGEOFF ; "/private/var/tmp/cydia.log"
__text:0000000100325EA4 STR X8, [SP,#0x200+var_190]
__text:0000000100325EA8 ADRP X8, #cfstr_PrivateVarStas@PAGE ; "/private/var/stash"
__text:0000000100325EAC ADD X8, X8, #cfstr_PrivateVarStas@PAGEOFF ; "/private/var/stash"
__text:0000000100325EB0 STR X8, [SP,#0x200+var_198]
__text:0000000100325EB4 ADRP X8, #cfstr_PrivateVarMobi@PAGE ; "/private/var/mobile/Library/SBSettings/Themes"
__text:0000000100325EB8 ADD X8, X8, #cfstr_PrivateVarMobi@PAGEOFF ; "/private/var/mobile/Library/SBSettings/Themes"
__text:0000000100325EBC STR X8, [SP,#0x200+var_1A0]
__text:0000000100325EC0 ADRP X8, #cfstr_PrivateVarLibC@PAGE ; "/private/var/lib/cydia"
__text:0000000100325EC4 ADD X8, X8, #cfstr_PrivateVarLibC@PAGEOFF ; "/private/var/lib/cydia"
__text:0000000100325EC8 STR X8, [SP,#0x200+var_1A8]
__text:0000000100325ECC ADRP X8, #cfstr_PrivateVarLibA@PAGE ; "/private/var/lib/apt"
__text:0000000100325ED0 ADD X8, X8, #cfstr_PrivateVarLibA@PAGEOFF ; "/private/var/lib/apt"
__text:0000000100325ED4 STR X8, [SP,#0x200+var_1B0]
__text:0000000100325ED8 ADRP X8, #cfstr_LibraryMobil_1@PAGE ; "/Library/MobileSubstrate/DynamicLibraries/Veency.plist"
__text:0000000100325EDC ADD X8, X8, #cfstr_LibraryMobil_1@PAGEOFF ; "/Library/MobileSubstrate/DynamicLibraries/Veency.plist"
__text:0000000100325EE0 STR X8, [SP,#0x200+var_1B8]
__text:0000000100325EE4 ADRP X8, #cfstr_LibraryMobiles@PAGE ; "/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist"
__text:0000000100325EE8 ADD X8, X8, #cfstr_LibraryMobiles@PAGEOFF ; "/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist"
__text:0000000100325EEC STR X8, [SP,#0x200+var_1C0]
__text:0000000100325EF0 ADRP X8, #cfstr_ApplicationsWi@PAGE ; "/Applications/WinterBoard.app"
__text:0000000100325EF4 ADD X8, X8, #cfstr_ApplicationsWi@PAGEOFF ; "/Applications/WinterBoard.app"
__text:0000000100325EF8 STR X8, [SP,#0x200+var_1C8]
__text:0000000100325EFC ADRP X8, #cfstr_ApplicationsSb@PAGE ; "/Applications/SBSettings.app"
__text:0000000100325F00 ADD X8, X8, #cfstr_ApplicationsSb@PAGEOFF ; "/Applications/SBSettings.app"
__text:0000000100325F04 STR X8, [SP,#0x200+var_1D0]
__text:0000000100325F08 ADRP X8, #cfstr_ApplicationsRo@PAGE ; "/Applications/RockApp.app"
__text:0000000100325F0C ADD X8, X8, #cfstr_ApplicationsRo@PAGEOFF ; "/Applications/RockApp.app"
__text:0000000100325F10 STR X8, [SP,#0x200+var_1D8]
__text:0000000100325F14 ADRP X8, #cfstr_ApplicationsMx@PAGE ; "/Applications/MxTube.app"
__text:0000000100325F18 ADD X8, X8, #cfstr_ApplicationsMx@PAGEOFF ; "/Applications/MxTube.app"
__text:0000000100325F1C STR X8, [SP,#0x200+var_1E0]
__text:0000000100325F20 ADRP X8, #cfstr_ApplicationsIn@PAGE ; "/Applications/IntelliScreen.app"
__text:0000000100325F24 ADD X8, X8, #cfstr_ApplicationsIn@PAGEOFF ; "/Applications/IntelliScreen.app"
__text:0000000100325F28 STR X8, [SP,#0x200+var_1E8]
__text:0000000100325F2C ADRP X8, #cfstr_ApplicationsIc@PAGE ; "/Applications/Icy.app"
__text:0000000100325F30 ADD X8, X8, #cfstr_ApplicationsIc@PAGEOFF ; "/Applications/Icy.app"
__text:0000000100325F34 STR X8, [SP,#0x200+var_1F0]
__text:0000000100325F38 ADRP X8, #cfstr_ApplicationsFa@PAGE ; "/Applications/FakeCarrier.app"
__text:0000000100325F3C ADD X8, X8, #cfstr_ApplicationsFa@PAGEOFF ; "/Applications/FakeCarrier.app"
__text:0000000100325F40 STR X8, [SP,#0x200+var_1F8]
__text:0000000100325F44 ADRP X8, #cfstr_ApplicationsBl@PAGE ; "/Applications/blackra1n.app"
__text:0000000100325F48 ADD X8, X8, #cfstr_ApplicationsBl@PAGEOFF ; "/Applications/blackra1n.app"
__text:0000000100325F4C STR X8, [SP,#0x200+var_200]
__text:0000000100325F50 ADRP X2, #cfstr_ApplicationsCy@PAGE ; "/Applications/Cydia.app"
__text:0000000100325F54 ADD X2, X2, #cfstr_ApplicationsCy@PAGEOFF ; "/Applications/Cydia.app"
__text:0000000100325F58 BL _objc_msgSend
__text:0000000100325F5C MOV X29, X29
__text:0000000100325F60 BL _objc_retainAutoreleasedReturnValue
__text:0000000100325F64 STP XZR, XZR, [X29,#var_68]
__text:0000000100325F68 STP XZR, XZR, [X29,#var_78]
__text:0000000100325F6C STP XZR, XZR, [X29,#var_88]
__text:0000000100325F70 STP XZR, XZR, [X29,#var_98]
__text:0000000100325F74 BL _objc_retain
__text:0000000100325F78 MOV X19, X0
__text:0000000100325F7C ADRP X8, #selRef_countByEnumeratingWithState_objects_count_@PAGE
__text:0000000100325F80 NOP
__text:0000000100325F84 LDR X20, [X8,#selRef_countByEnumeratingWithState_objects_count_@PAGEOFF]
__text:0000000100325F88 SUB X2, X29, #-var_98
__text:0000000100325F8C ADD X3, SP, #0x200+var_118
__text:0000000100325F90 MOV X4, #0x10
__text:0000000100325F94 MOV X1, X20
__text:0000000100325F98 BL _objc_msgSend
__text:0000000100325F9C MOV X22, X0
__text:0000000100325FA0 CBZ X22, loc_100326058
__text:0000000100325FA4 LDUR X8, [X29,#var_88]
__text:0000000100325FA8 LDR X28, [X8]
__text:0000000100325FAC ADRP X8, #selRef_defaultManager@PAGE
__text:0000000100325FB0 NOP
__text:0000000100325FB4 LDR X21, [X8,#selRef_defaultManager@PAGEOFF]
__text:0000000100325FB8 ADRP X8, #selRef_fileExistsAtPath_@PAGE
__text:0000000100325FBC NOP
__text:0000000100325FC0 LDR X23, [X8,#selRef_fileExistsAtPath_@PAGEOFF]
__text:0000000100325FC4 ADRP X24, #0x1007B9000
__text:0000000100325FC8 SUB X8, X29, #-var_98
__text:0000000100325FCC STR X8, [SP,#0x200+var_140]
__text:0000000100325FD0 ADD X8, SP, #0x200+var_118
__text:0000000100325FD4 STR X8, [SP,#0x200+var_148]
__text:0000000100325FD8
__text:0000000100325FD8 loc_100325FD8 ; CODE XREF: +[MATUtils checkJailBreak]+238j
__text:0000000100325FD8 MOV X25, #0
__text:0000000100325FDC
__text:0000000100325FDC loc_100325FDC ; CODE XREF: +[MATUtils checkJailBreak]+21Cj
__text:0000000100325FDC LDUR X8, [X29,#var_88]
__text:0000000100325FE0 LDR X8, [X8]
__text:0000000100325FE4 CMP X8, X28
__text:0000000100325FE8 B.EQ loc_100325FF4
__text:0000000100325FEC MOV X0, X19
__text:0000000100325FF0 BL _objc_enumerationMutation
__text:0000000100325FF4
__text:0000000100325FF4 loc_100325FF4 ; CODE XREF: +[MATUtils checkJailBreak]+1CCj
__text:0000000100325FF4 LDUR X8, [X29,#var_90]
__text:0000000100325FF8 LDR X26, [X8,X25,LSL#3]
__text:0000000100325FFC LDR X0, [X24,#0x818]
__text:0000000100326000 MOV X1, X21
__text:0000000100326004 BL _objc_msgSend
__text:0000000100326008 MOV X29, X29
__text:000000010032600C BL _objc_retainAutoreleasedReturnValue
__text:0000000100326010 MOV X27, X0
__text:0000000100326014 MOV X1, X23
__text:0000000100326018 MOV X2, X26
__text:000000010032601C BL _objc_msgSend
__text:0000000100326020 MOV X26, X0
__text:0000000100326024 MOV X0, X27
__text:0000000100326028 BL _objc_release
__text:000000010032602C TBNZ W26, #0, loc_1003260FC
__text:0000000100326030 ADD X25, X25, #1
__text:0000000100326034 CMP X25, X22
__text:0000000100326038 B.CC loc_100325FDC
__text:000000010032603C MOV X4, #0x10
__text:0000000100326040 MOV X0, X19
__text:0000000100326044 MOV X1, X20
__text:0000000100326048 LDP X3, X2, [SP,#0x200+var_148]
__text:000000010032604C BL _objc_msgSend
__text:0000000100326050 MOV X22, X0
__text:0000000100326054 CBNZ X22, loc_100325FD8
__text:0000000100326058
__text:0000000100326058 loc_100326058 ; CODE XREF: +[MATUtils checkJailBreak]+184j
__text:0000000100326058 MOV X0, X19
__text:000000010032605C BL _objc_release
__text:0000000100326060 MOV X0, #0
__text:0000000100326064 BL _system
__text:0000000100326068 CBNZ W0, loc_100326104
__text:000000010032606C ADRP X8, #classRef_NSFileManager@PAGE
__text:0000000100326070 LDR X0, [X8,#classRef_NSFileManager@PAGEOFF]
__text:0000000100326074 ADRP X8, #selRef_class@PAGE
__text:0000000100326078 NOP
__text:000000010032607C LDR X1, [X8,#selRef_class@PAGEOFF]
__text:0000000100326080 BL _objc_msgSend
__text:0000000100326084 ADRP X8, #selRef_fileExistsAtPath_@PAGE
__text:0000000100326088 NOP
__text:000000010032608C LDR X1, [X8,#selRef_fileExistsAtPath_@PAGEOFF]
__text:0000000100326090 BL _class_getMethodImplementation
__text:0000000100326094 ADD X1, SP, #0x200+var_138
__text:0000000100326098 BL _dladdr
__text:000000010032609C ADRP X8, #classRef_NSString@PAGE
__text:00000001003260A0 LDR X0, [X8,#classRef_NSString@PAGEOFF]
__text:00000001003260A4 LDR X8, [SP,#0x200+var_138]
__text:00000001003260A8 ADRP X9, #selRef_stringWithFormat_@PAGE
__text:00000001003260AC NOP
__text:00000001003260B0 LDR X1, [X9,#selRef_stringWithFormat_@PAGEOFF]
__text:00000001003260B4 STR X8, [SP,#0x200+var_200]
__text:00000001003260B8 ADRP X2, #cfstr_S@PAGE ; "%s"
__text:00000001003260BC ADD X2, X2, #cfstr_S@PAGEOFF ; "%s"
__text:00000001003260C0 BL _objc_msgSend
__text:00000001003260C4 MOV X29, X29
__text:00000001003260C8 BL _objc_retainAutoreleasedReturnValue
__text:00000001003260CC MOV X20, X0
__text:00000001003260D0 ADRP X8, #selRef_compare_@PAGE
__text:00000001003260D4 NOP
__text:00000001003260D8 LDR X1, [X8,#selRef_compare_@PAGEOFF]
__text:00000001003260DC ADRP X2, #cfstr_SystemLibrar_0@PAGE ; "/System/Library/Frameworks/Foundation.framework/Foundation"
__text:00000001003260E0 ADD X2, X2, #cfstr_SystemLibrar_0@PAGEOFF ; "/System/Library/Frameworks/Foundation.framework/Foundation"
__text:00000001003260E4 BL _objc_msgSend
__text:00000001003260E8 CMP X0, #0
__text:00000001003260EC CSET W21, NE
__text:00000001003260F0 MOV X0, X20
__text:00000001003260F4 BL _objc_release
__text:00000001003260F8 B loc_100326108
__text:00000001003260FC ; ---------------------------------------------------------------------------
__text:00000001003260FC
__text:00000001003260FC loc_1003260FC ; CODE XREF: +[MATUtils checkJailBreak]+210j
__text:00000001003260FC MOV X0, X19
__text:0000000100326100 BL _objc_release
__text:0000000100326104
__text:0000000100326104 loc_100326104 ; CODE XREF: +[MATUtils checkJailBreak]+24Cj
__text:0000000100326104 MOV W21, #1
__text:0000000100326108
__text:0000000100326108 loc_100326108 ; CODE XREF: +[MATUtils checkJailBreak]+2DCj
__text:0000000100326108 MOV X0, X19
__text:000000010032610C BL _objc_release
__text:0000000100326110 ADRP X8, #___stack_chk_guard_ptr@PAGE
__text:0000000100326114 LDR X8, [X8,#___stack_chk_guard_ptr@PAGEOFF]
__text:0000000100326118 LDR X8, [X8]
__text:000000010032611C LDUR X9, [X29,#var_58]
__text:0000000100326120 SUB X8, X8, X9
__text:0000000100326124 CBNZ X8, loc_10032614C
__text:0000000100326128 AND W0, W21, #1
__text:000000010032612C SUB SP, X29, #0x50
__text:0000000100326130 LDP X28, X27, [SP+0x50+var_50],#0x10
__text:0000000100326134 LDP X26, X25, [SP+0x40+var_40],#0x10
__text:0000000100326138 LDP X24, X23, [SP+0x30+var_30],#0x10
__text:000000010032613C LDP X22, X21, [SP+0x20+var_20],#0x10
__text:0000000100326140 LDP X20, X19, [SP+0x10+var_10],#0x10
__text:0000000100326144 LDP X29, X30, [SP+var_s0],#0x10
__text:0000000100326148 RET
__text:000000010032614C ; ---------------------------------------------------------------------------
__text:000000010032614C
__text:000000010032614C loc_10032614C ; CODE XREF: +[MATUtils checkJailBreak]+308j
__text:000000010032614C BL ___stack_chk_fail
__text:000000010032614C ; End of function +[MATUtils checkJailBreak]

It is a boolean subroutine that returns true or false depending on the existence of some Cydia-related files. The return value must be stored in X0, but I am not sure. The strategy I have in mind is to replace the functions before the object_release and send_msg and the other modifications of the X0 register with a MOV X0, #0. But I am not sure if 0 is the value for false.

Can somebody teach me more about the ARM processors and how this subroutine works?
I am reading the manual (over 1.000 pages), but it's not a big help. WELP :wallbash:

Sorry for the spelling mistakes and that stuff. I am Spanish.

Updated by DrBonsai
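
How the routine in the listing above works, modelled in C as an added example that is not part of the original post or the app's own code. The `struct probes` callbacks, the `verdict` enum and the sample devices are constructed stand-ins for `fileExistsAtPath:`, `system(NULL)` and the `dladdr` lookup on the implementation of `fileExistsAtPath:`.

```c
/* Added illustration: C model of the listing's control flow.
   Probe callbacks and sample devices are constructed for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Paths passed to +[NSArray arrayWithObjects:], in argument order:
   X2 first, then stack slots var_200 up to var_168, then the nil terminator. */
static const char *const kPaths[] = {
    "/Applications/Cydia.app", "/Applications/blackra1n.app",
    "/Applications/FakeCarrier.app", "/Applications/Icy.app",
    "/Applications/IntelliScreen.app", "/Applications/MxTube.app",
    "/Applications/RockApp.app", "/Applications/SBSettings.app",
    "/Applications/WinterBoard.app",
    "/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist",
    "/Library/MobileSubstrate/DynamicLibraries/Veency.plist",
    "/private/var/lib/apt", "/private/var/lib/cydia",
    "/private/var/mobile/Library/SBSettings/Themes",
    "/private/var/stash", "/private/var/tmp/cydia.log",
    "/System/Library/LaunchDaemons/com.ikey.bbot.plist",
    "/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist",
    "/usr/bin/sshd", "/usr/libexec/sftp-server", "/usr/sbin/sshd",
    NULL
};

#define FOUNDATION "/System/Library/Frameworks/Foundation.framework/Foundation"

/* Stand-ins for the three questions the routine asks the OS. */
struct probes {
    bool (*file_exists)(const char *path); /* -[NSFileManager fileExistsAtPath:] */
    int (*system_null)(void);              /* system(NULL): nonzero if a shell exists */
    const char *(*impl_image)(void);       /* dli_fname of the fileExistsAtPath: IMP */
};

enum verdict { CLEAN = 0, FILE_FOUND, SHELL_AVAILABLE, IMPL_OUTSIDE_FOUNDATION };

/* Which check trips first, in the order the listing runs them. */
enum verdict check_stage(const struct probes *p) {
    for (size_t i = 0; kPaths[i] != NULL; i++)
        if (p->file_exists(kPaths[i]))     /* TBNZ W26, #0 -> loc_1003260FC */
            return FILE_FOUND;
    if (p->system_null() != 0)             /* CBNZ W0 -> loc_100326104 */
        return SHELL_AVAILABLE;
    if (strcmp(p->impl_image(), FOUNDATION) != 0) /* CMP X0, #0 ; CSET W21, NE */
        return IMPL_OUTSIDE_FOUNDATION;
    return CLEAN;
}

/* What the caller receives in W0 (AND W0, W21, #1): 1 = detected, 0 = clean. */
bool check_jailbreak(const struct probes *p) {
    return check_stage(p) != CLEAN;
}

/* Constructed sample devices. */
static bool no_files(const char *path) { (void)path; return false; }
static bool has_stash(const char *path) { return strcmp(path, "/private/var/stash") == 0; }
static int no_shell(void) { return 0; }
static int has_shell(void) { return 1; }
static const char *in_foundation(void) { return FOUNDATION; }
static const char *elsewhere(void) { return "/constructed/example/other.dylib"; }

int main(void) {
    const struct probes stock = { no_files, no_shell, in_foundation };
    const struct probes files = { has_stash, no_shell, in_foundation };
    const struct probes shell = { no_files, has_shell, in_foundation };
    const struct probes moved = { no_files, no_shell, elsewhere };
    printf("stock=%d files=%d shell=%d moved=%d\n",
           (int)check_stage(&stock), (int)check_stage(&files),
           (int)check_stage(&shell), (int)check_stage(&moved));
    return 0;
}
```

The third check is the one that looks at the check itself: it passes only when the code behind `fileExistsAtPath:` still resolves to the Foundation binary.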
Posted (edited)

You actually don't need to IDA this because the function is named (bool)checkJailBreak. You can easily hook it with MobileSubstrate by doing:

 

-(bool)checkJailBreak{
return FALSE;
}

But if you want to do it with IDA, and since it's arm64, you can RET at the beginning of that function.

 

By the way, 0 is false and 1 is true.

Updated by Guest
Posted

You actually don't need to IDA this because the function is named (bool)checkJailBreak. You can easily hook it with MobileSubstrate by doing:

-(bool)checkJailBreak{
return FALSE;
}
But if you want to do it with IDA, and since it's arm64, you can RET at the beginning of that function.

By the way, 0 is false and 1 is true.

Thank You! I have been looking for an answer too.

Posted

Next time, please use a spoiler. I'm on my phone and it took me so long scrolling all the way here.

 

Wow, I will edit that. I just didn't pay attention to that detail.

 

 

 

You actually don't need to IDA this because the function is named (bool)checkJailBreak. You can easily hook it with MobileSubstrate by doing:

 

-(bool)checkJailBreak{
return FALSE;
}
But if you want to do it with IDA, and since it's arm64, you can RET at the beginning of that function.

 

By the way, 0 is false and 1 is true.

 

 

Wow, interesting... I will investigate how to do that with MobileSubstrate, thanks.

By the way... If I return at the beginning of the function, will it return false? Is it not going to return a null?

 

 

idk arm64 but on armv7 it would be MOV R0, #0 followed by a BX LR

 

That is what I thought, but I haven't tried yet.

 

Thank You all

 

Anyway, I will look for other people's suggestions and add the spoiler.

  • Solution
Posted

Wow, interesting... I will investigate how to do that with MobileSubstrate, thanks.

By the way... If I return at the beginning of the function, will it return false? Is it not going to return a null?

 

the game will just skip over the function

Posted

the game will just skip over the function

 

Yeah, I know that, but it is an anti-cheat subroutine. I think it expects a true or false return; if I skip the function, maybe the program that calls the subroutine will know something was wrong. I will try now anyway.

Posted

Yeah, I know that, but it is an anti-cheat subroutine. I think it expects a true or false return; if I skip the function, maybe the program that calls the subroutine will know something was wrong. I will try now anyway.

Unless this is a gameloft, gamevil, or TinyCo game you don't have to worry :p

Posted

Unless this is a gameloft, gamevil, or TinyCo game you don't have to worry :p

 

I tried to do this, but it is still not working... Hmm... I am now learning MobileSubstrate as you told me. I will try to hook the functions (because this one is just one of a lot of functions related to jailbreak detection), and I will get tired sooner or later if I keep doing this with IDA. The game is not a gameloft, gamevil or TinyCo game, so I will try to make a tweak.
