Help with disabling _syscall

January 15, 2015

I'm trying to hack NOVA 3: Freedom Edition, so obviously, being gameloft, they added in _syscall. I've attempted to remove it before but all that happens is that the app would freeze or crash. Here is what I NOP'ed:

__text:0055F054 MOV SP, R4

__text:0055F056 VST1.64 {D8-D11}, [R4@128]!

__text:0055F05A VST1.64 {D12-D15}, [R4@128]

__text:0055F05E SUB.W SP, SP, #0x250

__text:0055F062 MOV R10, R0

__text:0055F064 MOV R0, #(___stack_chk_guard_ptr - 0x55F072)

__text:0055F06C MOV R8, R1

__text:0055F06E ADD R0, PC ; ___stack_chk_guard_ptr

__text:0055F070 MOVS R5, #0

__text:0055F072 MOVS R1, #0x1F

__text:0055F074 MOVS R2, #0

__text:0055F076 LDR R6, [R0] ; ___stack_chk_guard

__text:0055F078 MOVS R3, #0

__text:0055F07A LDR R0, [R6]

__text:0055F07C STR R0, [sP,#0x24C]

__text:0055F07E MOVS R0, #0x1A

__text:0055F080 STR R5, [sP]

__text:0055F082 BLX _syscall

__text:0055F086 ADD R4, SP, #0x24

__text:0055F088 MOV.W R0, #0x1EC

__text:0055F08C STR R0, [sP,#0x210]

__text:0055F08E MOVS R1, #0

__text:0055F090 MOV R0, R4

__text:0055F092 MOV.W R2, #0x1EC

__text:0055F096 BLX _memset

__text:0055F09A MOVS R0, #1

__text:0055F09C MOVS R1, #0xE

__text:0055F09E STR R0, [sP,#0x14]

__text:0055F0A0 STR R1, [sP,#0x18]

__text:0055F0A2 STR R0, [sP,#0x1C]

__text:0055F0A4 BLX _getpid

__text:0055F0A8 STR R0, [sP,#0x20]

__text:0055F0AA ADD R0, SP, #0x14

__text:0055F0AC ADD R3, SP, #0x210

__text:0055F0AE MOVS R1, #4

__text:0055F0B0 MOV R2, R4

__text:0055F0B2 STR R5, [sP]

__text:0055F0B4 STR R5, [sP,#4]

__text:0055F0B6 BLX _sysctl

__text:0055F0BA MOV R4, R0

After I NOP'ed that the app would crash upon startup. I then NOP'ed:

__text:0055F054 MOV SP, R4

__text:0055F056 VST1.64 {D8-D11}, [R4@128]!

__text:0055F05A VST1.64 {D12-D15}, [R4@128]

__text:0055F05E SUB.W SP, SP, #0x250

__text:0055F062 MOV R10, R0

__text:0055F064 MOV R0, #(___stack_chk_guard_ptr - 0x55F072)

__text:0055F06C MOV R8, R1

__text:0055F06E ADD R0, PC ; ___stack_chk_guard_ptr

__text:0055F070 MOVS R5, #0

__text:0055F072 MOVS R1, #0x1F

__text:0055F074 MOVS R2, #0

__text:0055F076 LDR R6, [R0] ; ___stack_chk_guard

__text:0055F078 MOVS R3, #0

__text:0055F07A LDR R0, [R6]

__text:0055F07C STR R0, [sP,#0x24C]

__text:0055F07E MOVS R0, #0x1A

__text:0055F080 STR R5, [sP]

__text:0055F082 BLX _syscall

__text:0055F086 ADD R4, SP, #0x24

__text:0055F088 MOV.W R0, #0x1EC

__text:0055F08C STR R0, [sP,#0x210]

__text:0055F08E MOVS R1, #0

__text:0055F090 MOV R0, R4

__text:0055F092 MOV.W R2, #0x1EC

__text:0055F096 BLX _memset

__text:0055F09A MOVS R0, #1

__text:0055F09C MOVS R1, #0xE

__text:0055F09E STR R0, [sP,#0x14]

__text:0055F0A0 STR R1, [sP,#0x18]

__text:0055F0A2 STR R0, [sP,#0x1C]

__text:0055F0A4 BLX _getpid

__text:0055F0A8 STR R0, [sP,#0x20]

__text:0055F0AA ADD R0, SP, #0x14

__text:0055F0AC ADD R3, SP, #0x210

__text:0055F0AE MOVS R1, #4

__text:0055F0B0 MOV R2, R4

__text:0055F0B2 STR R5, [sP]

__text:0055F0B4 STR R5, [sP,#4]

__text:0055F0B6 BLX _sysctl

__text:0055F0BA MOV R4, R0

Again, same thing. It would crash. So the last thing I did was I changed

__text:0055F072 MOVS R1, #0x1F

to

__text:0055F072 MOVS R1, #0x0

and the app did not crash this time, it only froze right at the gameloft logo. So I tried to attach it to GDB, because it is technically running if it is frozen, and it gave me segmentation fault: 11. Please, if any of you could help me solve this problem, I would be so happy, its been driving me crazy since the new year

Thanks!

Updated January 15, 2015 by Guest

sn0wqt · January 15, 2015

I'm trying to hack NOVA 3: Freedom Edition, so obviously, being gameloft, they added in _syscall. I've attempted to remove it before but all that happens is that the app would freeze or crash. Here is what I NOP'ed:

__text:0055F054 MOV SP, R4

__text:0055F056 VST1.64 {D8-D11}, [R4@128]!

__text:0055F05A VST1.64 {D12-D15}, [R4@128]

__text:0055F05E SUB.W SP, SP, #0x250

__text:0055F062 MOV R10, R0

__text:0055F064 MOV R0, #(___stack_chk_guard_ptr - 0x55F072)

__text:0055F06C MOV R8, R1

__text:0055F06E ADD R0, PC ; ___stack_chk_guard_ptr

__text:0055F070 MOVS R5, #0

__text:0055F072 MOVS R1, #0x1F

__text:0055F074 MOVS R2, #0

__text:0055F076 LDR R6, [R0] ; ___stack_chk_guard

__text:0055F078 MOVS R3, #0

__text:0055F07A LDR R0, [R6]

__text:0055F07C STR R0, [sP,#0x24C]

__text:0055F07E MOVS R0, #0x1A

__text:0055F080 STR R5, [sP]

__text:0055F082 BLX _syscall

__text:0055F086 ADD R4, SP, #0x24

__text:0055F088 MOV.W R0, #0x1EC

__text:0055F08C STR R0, [sP,#0x210]

__text:0055F08E MOVS R1, #0

__text:0055F090 MOV R0, R4

__text:0055F092 MOV.W R2, #0x1EC

__text:0055F096 BLX _memset

__text:0055F09A MOVS R0, #1

__text:0055F09C MOVS R1, #0xE

__text:0055F09E STR R0, [sP,#0x14]

__text:0055F0A0 STR R1, [sP,#0x18]

__text:0055F0A2 STR R0, [sP,#0x1C]

__text:0055F0A4 BLX _getpid

__text:0055F0A8 STR R0, [sP,#0x20]

__text:0055F0AA ADD R0, SP, #0x14

__text:0055F0AC ADD R3, SP, #0x210

__text:0055F0AE MOVS R1, #4

__text:0055F0B0 MOV R2, R4

__text:0055F0B2 STR R5, [sP]

__text:0055F0B4 STR R5, [sP,#4]

__text:0055F0B6 BLX _sysctl

__text:0055F0BA MOV R4, R0

After I NOP'ed that the app would crash upon startup. I then NOP'ed:

__text:0055F054 MOV SP, R4

__text:0055F056 VST1.64 {D8-D11}, [R4@128]!

__text:0055F05A VST1.64 {D12-D15}, [R4@128]

__text:0055F05E SUB.W SP, SP, #0x250

__text:0055F062 MOV R10, R0

__text:0055F064 MOV R0, #(___stack_chk_guard_ptr - 0x55F072)

__text:0055F06C MOV R8, R1

__text:0055F06E ADD R0, PC ; ___stack_chk_guard_ptr

__text:0055F070 MOVS R5, #0

__text:0055F072 MOVS R1, #0x1F

__text:0055F074 MOVS R2, #0

__text:0055F076 LDR R6, [R0] ; ___stack_chk_guard

__text:0055F078 MOVS R3, #0

__text:0055F07A LDR R0, [R6]

__text:0055F07C STR R0, [sP,#0x24C]

__text:0055F07E MOVS R0, #0x1A

__text:0055F080 STR R5, [sP]

__text:0055F082 BLX _syscall

__text:0055F086 ADD R4, SP, #0x24

__text:0055F088 MOV.W R0, #0x1EC

__text:0055F08C STR R0, [sP,#0x210]

__text:0055F08E MOVS R1, #0

__text:0055F090 MOV R0, R4

__text:0055F092 MOV.W R2, #0x1EC

__text:0055F096 BLX _memset

__text:0055F09A MOVS R0, #1

__text:0055F09C MOVS R1, #0xE

__text:0055F09E STR R0, [sP,#0x14]

__text:0055F0A0 STR R1, [sP,#0x18]

__text:0055F0A2 STR R0, [sP,#0x1C]

__text:0055F0A4 BLX _getpid

__text:0055F0A8 STR R0, [sP,#0x20]

__text:0055F0AA ADD R0, SP, #0x14

__text:0055F0AC ADD R3, SP, #0x210

__text:0055F0AE MOVS R1, #4

__text:0055F0B0 MOV R2, R4

__text:0055F0B2 STR R5, [sP]

__text:0055F0B4 STR R5, [sP,#4]

__text:0055F0B6 BLX _sysctl

__text:0055F0BA MOV R4, R0

Again, same thing. It would crash. So the last thing I did was I changed

__text:0055F072 MOVS R1, #0x1F

to

__text:0055F072 MOVS R1, #0x0

and the app did not crash this time, it only froze right at the gameloft logo. So I tried to attach it to GDB, because it is technically running if it is frozen, and it gave me segmentation fault: 11. Please, if any of you could help me solve this problem, I would be so happy, its been driving me crazy since the new year

Thanks!

bro GameLoft's game are not that easy lol u should learn save game hack then ms then ida then code inject

January 15, 2015

bro GameLoft's game are not that easy lol u should learn save game hack then ms then ida then code inject

I know that already, this is one of the first forums I've signed up with. I know how to use GDB to find offsets in IDA and I know how to patch a binary. My first hack was a savegame for COD: BOZ for v1.3.3, I already learned MS, MSHook, and I'm doing IDA and code inject (writeData) right now and I'm working on Dead Trigger 2 but decided to take a break and do this because I get angry very easily lol

so im not really a beginner

@

Updated January 15, 2015 by Guest

AnotherLurker · January 16, 2015

@

he already understands arm, no need to go through all that outdated crap

@@Shmoo419

hmmm... me and Swag had the same issue with Brothers In arms 3...

trying disabling calls to _dlsym

Laxus · January 16, 2015

@

he already understands arm, no need to go through all that outdated crap

@@Shmoo419

hmmm... me and Swag had the same issue with Brothers In arms 3...

trying disabling calls to _dlsym

hmm Its work for me

AnotherLurker · January 16, 2015

@@Laxus

really?, with syscall patched? try brothers in arms 3, me and Swag had it crash on our devices

Laxus · January 16, 2015

@@Laxus

really?, with syscall patched? try brothers in arms 3, me and Swag had it crash on our devices

Works fine on my iP5, not sure about 64 bit devices

CmakLove · January 16, 2015

I had the same issue with brothers in arms 3...

January 16, 2015

@

he already understands arm, no need to go through all that outdated crap

@@Shmoo419

hmmm... me and Swag had the same issue with Brothers In arms 3...

trying disabling calls to _dlsym

OK, I'll try that. Thanks for an answer, I'll see what happenes once I do it. But who is Swag?

@

Updated January 16, 2015 by Guest