Guide [Breaking Security]How to disable syscall (anti-debugging protection)

[Guest]

I made this tutorial in April of 2015 for the cheaters here and after almost a year of it being private I decided to post it to the public.

 

Gameloft always uses syscall on their games, and while this was written in April, MC5 still has removable syscall and you can use MC5 to practice

 

Requirements:

- IDA Pro

- Modern Combat 5

- GNU Debugger from cydia.radare.org (repo)

- OpenSSH

- Clutch 1.4.7-2

- armv7 binary of MC5, crack it on a 32 bit device for it to be armv7. I won't post one here because of copyright issues.

 

Below this line is the exact text I wrote on April 10, 2015. Enjoy

 

------

Hidden Content

What is syscall? Syscall is anti-debugging protection. This is what causes the Segmentation Fault: 11 when trying to attach to an app. But as hackers we need to attach to an app, and thats why I made this tutorial

 

Again, I'm using MC5.

 

Let's get started

 

1. Open up the binary in IDA and wait like four to five minutes so that you can actually xref.

 

2. Once you have waited, click on the "Imports" tab and search for syscall.



 

3. Double click it and xref to syscall's location in the binary. Here is the function that you are looking for:



 

It should have _getpid, _memset, and _sysctl there.

 

4. Highlight the BLX _syscall (or BLX.W _syscall sometimes), and click "Hex View 1". The hex should be highlighted. Now right click before the beginning of the highlighted hex and click "edit".



 

5. Now type "C046C046". This means NOP, or no instruction/operation. Basically it makes the app ignore the instruction. The edited hex should have turned orange.



 

6. Save your changes. Right click on the orange edited hex and click "Apply changes".



 

7. After that, go back to IDA View A and confirm that the BLX _syscall and the instruction below it is NOP'ed.

 

8. Apply your changes to the binary. Go to Edit --> Patch program --> Apply patches to input file. Create a backup if you want to.



 

9. Replace the original binary with the hacked binary and set the permissions to:

Owner: mobile

Group: mobile

 

User: read, write, execute

Group: read, write, execute

World: read, write, execute

 

Now you are done! Try to attach and it should work!

Proof: (me attaching to Modern Combat 5 in GDB)

 

[xyzzy 64 8 9.0.2]

Thanks for sharing !

One question.

when the app do not use _syscall what it could be ?

i searched for all methods that check if they had Cydia or etc.

 

Thanks.

[DZ Hicham 1.9k iPhone Xs Max 13.5.1]

how much mc5 kids show here after that

Updated March 22, 2016 by Shisui11

[Guest]

  On 3/22/2016 at 10:56 PM, Shisui11 said:

how much mc5 kids show here after that

they'll think its a hack

[Diversityy 32k iPhone 7 Plus 10.2]

:franic:

[cu_rry 10.7k iPhone 7 Plus 11.2]

Useful when I get back to hacking.

[DZ Hicham 1.9k iPhone Xs Max 13.5.1]

  On 3/22/2016 at 10:58 PM, shmoo said:

they'll think its a hack

here we go again

[Battousai 20.2k iPad Air 2 9.33]

yey  

[1Jakey 949]

Yay ayah. Another think I don't understand. Thank You very much

[Guest]

  On 3/22/2016 at 10:55 PM, xyzzy said:

Thanks for sharing !

One question.

when the app do not use _syscall what it could be ?

i searched for all methods that check if they had Cydia or etc.

 

Thanks.

 

It's ptrace. Try searching imports for ptrace