Help/Support [Question] Can somebody give me an IDA assignment?

TripMX · August 6, 2016

Hello fellow IDA hackers,

Some weeks ago, I had posted a thread asking for help with IDA hacking, but the problem (although assumingly basic) still wasn't solved.

THREAD HERE: https://iosgods.com/topic/32534-ida-attempt-trouble-with-ida-hacking/?view=findpost&p=1109430

So, I'm asking an IDA hacker to give me an easy assignment. Assign me an iOS app/game to hack.

All I require is for you to personally hack the binary first to prove that the hack works before giving me the assignment, as I want to reproduce the same results.

Thanks in advance!

Diversityy · August 6, 2016

Monkey City, I posted a cheat yesterday for it. You can also try PvZ2.

TripMX · August 8, 2016

Monkey City, I posted a cheat yesterday for it. You can also try PvZ2.

Hey Diversityy, thank you so much for taking the time to give me an IDA assignment!

I've tried to hack the game (Monkey City) with IDA Pro, but I can't seem to find any registers (the "R0, R1" etc.-type), I only see the "X0, X1," etc.-type, and I don't think I could just store (STR) an "R7" value into them because it doesn't work like that in x64 bit. I searched for "currency" and found lots of functions.

Can you give me a hint on what I should do?

BTW, are you using GDB to find the offsets or are you purely using IDA Pro to view, read through, and find the the offsets/critical instructions in the functions manually?

Diversityy · August 8, 2016

Hey Diversityy, thank you so much for taking the time to give me an IDA assignment!

I've tried to hack the game (Monkey City) with IDA Pro, but I can't seem to find any registers (the "R0, R1" etc.-type), I only see the "X0, X1," etc.-type, and I don't think I could just store (STR) an "R7" value into them because it doesn't work like that in x64 bit. I searched for "currency" and found lots of functions.

Can you give me a hint on what I should do?

BTW, are you using GDB to find the offsets or are you purely using IDA Pro to view, read through, and find the the offsets/critical instructions in the functions manually?

You're seeing X1, because you're hacking the 64-bit portion of the binary. I modded 32-bit.

To get the 32-bit, you have to download the .ipa from iTunes. Install the .ipa via iFunBox. Crack the game via Rasticrac.

TripMX · August 9, 2016

You're seeing X1, because you're hacking the 64-bit portion of the binary. I modded 32-bit.

To get the 32-bit, you have to download the .ipa from iTunes. Install the .ipa via iFunBox. Crack the game via Rasticrac.

Okay, thanks, I've tried to hack the 32-bit cracked binary, but still no success. Here's what I've done:

I've hacked the following in the Monkey City code:

SEARCHED FUNCTION: -[ADCV4VCCurrency addVideoCredit]

ORIGINAL OFFSET and INSTRUCTIONS:

_text:00617A3A                 ADDS            R3, #1

MODIFIED OFFSET and INSTRUCTION:

_text:00617A3A                 ADDS            R3, #0xC8

^: I had assumed that the original offset instructions meant that after you watch the video, you will receive 1 Bloonstone, which would be added to the R3 register, so I modified it to #0xC8 (200) instead of 1.....I thought this would give out 200 Bloonstones instead of 1 after watching the video. Didn't work.

SEARCHED FUNCTION: -[ADCV4VCCurrency checkReward]

ORIGINAL OFFSET and INSTRUCTIONS:

__text:00617AA0                 LDR             R1, [R1] ; int_ video_credit_balance

MODIFIED OFFSET and INSTRUCTION:

__text:00617AA0                 LDR             R1, [R7]

^: I figured that I could change the amount of Bloonstones received from watching a video with this function since the previous modification didn't work. I thought I could load (LDR) the R7 (high amount) register into R1....but still nothing happened.

Here's a list of searched functions that I've encountered that I *THINK* are hackable:

-[ADCV4VCCurrency addVideoCredit]

-[ADCV4VCCurrency checkReward]

-[ADCV4VCCurrency onReward]

-[ADCV4VCCurrency reward_name]

-[ADCV4VCCurrency videos_per_reward]

-[ADCV4VCCurrency video_credit_balance]

-[ADCV4VCCurrency reward_amount]

-[ADCV4VCCurrency balance]

-[ADCV4VCCurrency client_side]

Just to let you know, I'm not using GDB (are you?) and the iOS device that I'm using to test this hack is an iPad Air 2 (64-bit architecture, right?), so will hacking the 32-bit part of the binary work on my device as it is or do I also have to hack the 64-bit part? Could you please lead me into the right direction so I could at least get something to work with hacking this game? Sorry for the trouble, and thank you for your help thus far!

Diversityy · August 9, 2016

Okay, thanks, I've tried to hack the 32-bit cracked binary, but still no success. Here's what I've done:

I've hacked the following in the Monkey City code:SEARCHED FUNCTION: -[ADCV4VCCurrency addVideoCredit]ORIGINAL OFFSET and INSTRUCTIONS:
_text:00617A3A                 ADDS            R3, #1
MODIFIED OFFSET and INSTRUCTION:
_text:00617A3A                 ADDS            R3, #0xC8
^: I had assumed that the original offset instructions meant that after you watch the video, you will receive 1 Bloonstone, which would be added to the R3 register, so I modified it to #0xC8 (200) instead of 1.....I thought this would give out 200 Bloonstones instead of 1 after watching the video. Didn't work.SEARCHED FUNCTION: -[ADCV4VCCurrency checkReward]ORIGINAL OFFSET and INSTRUCTIONS:
__text:00617AA0                 LDR             R1, [R1] ; int_ video_credit_balance
MODIFIED OFFSET and INSTRUCTION:
__text:00617AA0                 LDR             R1, [R7]
^: I figured that I could change the amount of Bloonstones received from watching a video with this function since the previous modification didn't work. I thought I could load (LDR) the R7 (high amount) register into R1....but still nothing happened.Here's a list of searched functions that I've encountered that I *THINK* are hackable:

Just to let you know, I'm not using GDB (are you?) and the iOS device that I'm using to test this hack is an iPad Air 2 (64-bit architecture, right?), so will hacking the 32-bit part of the binary work on my device as it is or do I also have to hack the 64-bit part? Could you please lead me into the right direction so I could at least get something to work with hacking this game? Sorry for the trouble, and thank you for your help thus far!

That isn't going to work. Look for the in-game currencies. You have to manually thin and replace the old binary with the thinned binary.

I don't think I will be able to guide you through the whole process, as it will take so long, but there are several tutorials posted on the Tut mortals section.

TripMX · August 10, 2016

That isn't going to work. Look for the in-game currencies. You have to manually thin and replace the old binary with the thinned binary.

I don't think I will be able to guide you through the whole process, as it will take so long, but there are several tutorials posted on the Tut mortals section.

Okay, after taking a look at some of the tutorials here, I've discovered that I could manually thin the binary so that I could simply get rid of the 64-bit ARM portion AND somehow attempt to remove ASLR, supposedly making it "easier" to find the correct functions/memory addresses....so I'll try that.

When you hacked Monkey City, did you use GDB or purely used your eyes with IDA Pro?

Diversityy · August 10, 2016

Okay, after taking a look at some of the tutorials here, I've discovered that I could manually thin the binary so that I could simply get rid of the 64-bit ARM portion AND somehow attempt to remove ASLR, supposedly making it "easier" to find the correct functions/memory addresses....so I'll try that.

When you hacked Monkey City, did you use GDB or purely used your eyes with IDA Pro?

Strings with IDA, I haven't tried GDB/LLDB yet.

TripMX · August 12, 2016

Strings with IDA, I haven't tried GDB/LLDB yet.

I see I see, so here's the new situation:

I have done these things:

Properly cracked Monkey City's binary
Thinned the binary
Removed ASLR

Now, I have two cracked binaries:

Monkey City binary CRACKED (ASLR removed)
Monkey City binary CRACKED + THINNED (ASLR removed)

My iOS device is an iPad Air 2 running iOS 8.3 [ARMv8 (64-bit)]

....so, what should I do next in IDA Pro? From my above posts, you can see that I've failed to get results.

What specific offset/function should I seek to alter to actually get some results on my current iOS device to prove that I'm at least capable of getting results?

To make things simple, could you just tell me which function to find and which offset to target (the same one you used)? Also, it MUST be able to work on my current iOS device, so that's why I need to know if I'm going to be hacking the thinned cracked binary or original cracked binary for the sake of it working on my ARMv8 [64-bit] device.