Guide [Breaking Security]How to disable syscall (anti-debugging protection)

March 22, 2016

I made this tutorial in April of 2015 for the cheaters here and after almost a year of it being private I decided to post it to the public.

Gameloft always uses syscall on their games, and while this was written in April, MC5 still has removable syscall and you can use MC5 to practice

Requirements:

- IDA Pro

- Modern Combat 5

- GNU Debugger from cydia.radare.org (repo)

- OpenSSH

- Clutch 1.4.7-2

- armv7 binary of MC5, crack it on a 32 bit device for it to be armv7. I won't post one here because of copyright issues.

Below this line is the exact text I wrote on April 10, 2015. Enjoy

------

Hidden Content

What is syscall? Syscall is anti-debugging protection. This is what causes the Segmentation Fault: 11 when trying to attach to an app. But as hackers we need to attach to an app, and thats why I made this tutorial

Again, I'm using MC5.

Let's get started

1. Open up the binary in IDA and wait like four to five minutes so that you can actually xref.

2. Once you have waited, click on the "Imports" tab and search for syscall.

3. Double click it and xref to syscall's location in the binary. Here is the function that you are looking for:

It should have _getpid, _memset, and _sysctl there.

4. Highlight the BLX _syscall (or BLX.W _syscall sometimes), and click "Hex View 1". The hex should be highlighted. Now right click before the beginning of the highlighted hex and click "edit".

5. Now type "C046C046". This means NOP, or no instruction/operation. Basically it makes the app ignore the instruction. The edited hex should have turned orange.

6. Save your changes. Right click on the orange edited hex and click "Apply changes".

7. After that, go back to IDA View A and confirm that the BLX _syscall and the instruction below it is NOP'ed.

8. Apply your changes to the binary. Go to Edit --> Patch program --> Apply patches to input file. Create a backup if you want to.

9. Replace the original binary with the hacked binary and set the permissions to:

Owner: mobile

Group: mobile

User: read, write, execute

Group: read, write, execute

World: read, write, execute

Now you are done! Try to attach and it should work!

Proof: (me attaching to Modern Combat 5 in GDB)

xyzzy · March 22, 2016

Thanks for sharing !

One question.

when the app do not use _syscall what it could be ?

i searched for all methods that check if they had Cydia or etc.

Thanks.

DZ Hicham · March 22, 2016

how much mc5 kids show here after that

Updated March 22, 2016 by Shisui11

March 22, 2016

how much mc5 kids show here after that

they'll think its a hack

Diversityy · March 22, 2016

:franic:

cu_rry · March 22, 2016

Useful when I get back to hacking.

DZ Hicham · March 22, 2016

they'll think its a hack

here we go again

Battousai · March 22, 2016

yey

1Jakey · March 22, 2016

Yay ayah. Another think I don't understand. Thank You very much

March 23, 2016

Thanks for sharing !

One question.

when the app do not use _syscall what it could be ?

i searched for all methods that check if they had Cydia or etc.

Thanks.

It's ptrace. Try searching imports for ptrace