Help with disabling _syscall

Aswag1 · January 17, 2015

Well after laying dormant for quite awhile, I thought I might add a couple of pointers....

It seems that for 64-bit devices, there are certain additional checks in the binary in most GameLoft games. Most notably, the addition of a __sysctl. What this call does is check whether the __syscall flag is checked. If it sees that it has been manipulated in some fashion (such as NOPing the BLX or NOP the MOV) it will immediately give a EXEC_BAD_ADDRESS error.

Now here are some of my findings to combat this...

I have seen that making any alterations in a binary patch have led to the game crashing once I attach to it in lldb. So, logically I just patch the memory of the game rather than make crude adjustments. It seems to work, though it is a pain in the ass and you have to keep stepping through the memory stack to make sure that all checks are thoroughly disabled. I had all the checks for Brothers In Arms 3 before, I am not sure if I have them still. I would like to help, but I'm not really into iOS hacking anymore so there's that. Hopefully one of the young bloods can help you out and resolve your problem.

January 17, 2015

Well after laying dormant for quite awhile, I thought I might add a couple of pointers....

It seems that for 64-bit devices, there are certain additional checks in the binary in most GameLoft games. Most notably, the addition of a __sysctl. What this call does is check whether the __syscall flag is checked. If it sees that it has been manipulated in some fashion (such as NOPing the BLX or NOP the MOV) it will immediately give a EXEC_BAD_ADDRESS error.

Now here are some of my findings to combat this...

I have seen that making any alterations in a binary patch have led to the game crashing once I attach to it in lldb. So, logically I just patch the memory of the game rather than make crude adjustments. It seems to work, though it is a pain in the ass and you have to keep stepping through the memory stack to make sure that all checks are thoroughly disabled. I had all the checks for Brothers In Arms 3 before, I am not sure if I have them still. I would like to help, but I'm not really into iOS hacking anymore so there's that. Hopefully one of the young bloods can help you out and resolve your problem.

Thank you for a great explanation. So basically, I cannot use my 5S to make hacks for Gameloft games (except for patching the memory, which would be temporary because the addresses would change every time) because it is 64-bit, but I can use a device that is not 64-bit, for example my old ipod touch 5g. So if I load up the binary from my iPod, I might be able to patch __syscall so that I can attach it to GDB?

Aswag1 · January 22, 2015

That is correct, however I doubt you would be able to debug on a iPod Touch 5g considering the low RAM it has.

Gh0stByte · January 22, 2015

Find the syscal method, and BX LR the first instruction.

jx1992 · January 23, 2015

Find the syscal method, and BX LR the first instruction.

That's right. If calls to the functions can easily be disabled, you could simply make the actual syscall function to return and do nothing. Can you post the disassembly for the syscall function?

January 24, 2015

@@Aswag1 yeah, it has been jailbroken four times and freezes regularly... i don't think i can use it, and out of curiosity, is android hacking easier than ios?

@@Gh0stByte i feel like if i BX LR the first instruction, it will crash because of what aswag1 said

@jx1992 i can post the disassembly here later, just not now, i'm going to a movie in 5 mins

January 24, 2015

@@jx1992 here are the things that i think are the _syscall function.

1.

__text:0000C5C8 sub_C5C8 ; CODE XREF: -[sendInfoInterface IGPSendGameInfo:::::]+536p

__text:0000C5C8 PUSH {R7,LR}

__text:0000C5CA MOV R7, SP

__text:0000C5CC SUB SP, SP, #0x6C

__text:0000C5CE MOVW R1, #(:lower16:(aLibraryMobiles - 0xC5DE)) ; "/Library/MobileSubstrate/MobileSubstrat"...

__text:0000C5D2 MOV R2, SP

__text:0000C5D4 MOVT.W R1, #(:upper16:(aLibraryMobiles - 0xC5DE)) ; "/Library/MobileSubstrate/MobileSubstrat"...

__text:0000C5D8 MOVS R0, #0xBC ; int

__text:0000C5DA ADD R1, PC ; "/Library/MobileSubstrate/MobileSubstrat"...

__text:0000C5DC BLX.W _syscall

__text:0000C5E0 CMP R0, #0

__text:0000C5E2 BEQ loc_C66C

__text:0000C5E4 MOVW R1, #(:lower16:(aApplicationsCy - 0xC5F4)) ; "/Applications/Cydia.app"

__text:0000C5E8 MOV R2, SP

__text:0000C5EA MOVT.W R1, #(:upper16:(aApplicationsCy - 0xC5F4)) ; "/Applications/Cydia.app"

__text:0000C5EE MOVS R0, #0xBC ; int

__text:0000C5F0 ADD R1, PC ; "/Applications/Cydia.app"

__text:0000C5F2 BLX.W _syscall

__text:0000C5F6 CMP R0, #0

__text:0000C5F8 BEQ loc_C66C

__text:0000C5FA MOVW R1, #(:lower16:(aVarLibApt - 0xC60A)) ; "/var/lib/apt"

__text:0000C5FE MOV R2, SP

__text:0000C600 MOVT.W R1, #(:upper16:(aVarLibApt - 0xC60A)) ; "/var/lib/apt"

__text:0000C604 MOVS R0, #0xBC ; int

__text:0000C606 ADD R1, PC ; "/var/lib/apt"

__text:0000C608 BLX.W _syscall

__text:0000C60C CMP R0, #0

__text:0000C60E BEQ loc_C66C

__text:0000C610 MOVW R1, #(:lower16:(aVarLibCydia - 0xC620)) ; "/var/lib/cydia"

__text:0000C614 MOV R2, SP

__text:0000C616 MOVT.W R1, #(:upper16:(aVarLibCydia - 0xC620)) ; "/var/lib/cydia"

__text:0000C61A MOVS R0, #0xBC ; int

__text:0000C61C ADD R1, PC ; "/var/lib/cydia"

__text:0000C61E BLX.W _syscall

__text:0000C622 CMP R0, #0

__text:0000C624 BEQ loc_C66C

__text:0000C626 MOVW R1, #(:lower16:(aVarTmpCydia_lo - 0xC636)) ; "/var/tmp/cydia.log"

__text:0000C62A MOV R2, SP

__text:0000C62C MOVT.W R1, #(:upper16:(aVarTmpCydia_lo - 0xC636)) ; "/var/tmp/cydia.log"

__text:0000C630 MOVS R0, #0xBC ; int

__text:0000C632 ADD R1, PC ; "/var/tmp/cydia.log"

__text:0000C634 BLX.W _syscall

__text:0000C638 CMP R0, #0

__text:0000C63A BEQ loc_C66C

__text:0000C63C MOVW R1, #(:lower16:(aEtcApt - 0xC64C)) ; "/etc/apt"

__text:0000C640 MOV R2, SP

__text:0000C642 MOVT.W R1, #(:upper16:(aEtcApt - 0xC64C)) ; "/etc/apt"

__text:0000C646 MOVS R0, #0xBC ; int

__text:0000C648 ADD R1, PC ; "/etc/apt"

__text:0000C64A BLX.W _syscall

__text:0000C64E CMP R0, #0

__text:0000C650 BEQ loc_C66C

__text:0000C652 MOVS R0, #2 ; int

__text:0000C654 BLX.W _syscall

__text:0000C658 MOV R1, R0

__text:0000C65A MOVS R0, #0 ; int

__text:0000C65C CMP R1, #0

__text:0000C65E BEQ loc_C672

__text:0000C660 CMP.W R1, #0xFFFFFFFF

__text:0000C664 IT GT

__text:0000C666 MOVGT R0, #1

__text:0000C668 ADD SP, SP, #0x6C

__text:0000C66A POP {R7,PC}

__text:0000C66C ; ---------------------------------------------------------------------------

__text:0000C66C

__text:0000C66C loc_C66C ; CODE XREF: sub_C5C8+1Aj

__text:0000C66C ; sub_C5C8+30j ...

__text:0000C66C MOVS R0, #1

__text:0000C66E ADD SP, SP, #0x6C

__text:0000C670 POP {R7,PC}

__text:0000C672 ; ---------------------------------------------------------------------------

__text:0000C672

__text:0000C672 loc_C672 ; CODE XREF: sub_C5C8+96j

__text:0000C672 BLX.W _exit

__text:0000C676 NOP

__text:0000C676 ; End of function sub_C5C8

2.

__picsymbolstub4:0095AEE8 _syscall ; CODE XREF: sub_C5C8+14p

__picsymbolstub4:0095AEE8 ; sub_C5C8+2Ap ...

__picsymbolstub4:0095AEE8 LDR R12, =(_syscall_ptr - 0x95AEF4)

__picsymbolstub4:0095AEEC ADD R12, PC, R12 ; _syscall_ptr

__picsymbolstub4:0095AEF0 LDR PC, [R12] ; __imp__syscall

__picsymbolstub4:0095AEF0 ; End of function _syscall

Again, I'm not used to doing all of this just to debug a game. I was surprised that there where almost no answers from when I first searched this, or no guide on any website. I am also surprised that there are so many people that are willing to help me, it really means alot

jx1992 · January 25, 2015

@@Shmoo419

In the disassembly posted on page 1, the syscall is made to ptrace with the argument "PT_DENY_ATTACH".

In linux, this would be used to deny debuggers from attaching to the current process (in this case, Nova 3).

Since the disassembly shows that the program doesn't check for the return value of the ptrace syscall, what you can do is one of these 2.

1) Set r1 to -1

Because -1 is not a valid ptrace request argument, the ptrace syscall will return with an error and the call will not succeed.

2) Nop the branch to syscall

This simply stops the function from making a syscall. Simple as that.

From what I can infer, I suppose you are trying to attach a debugger to the Nova 3 app. You can try the above 2 methods to see if you can get your debugger to attach.

For more details you can reference this site : http://www.coredump.gr/articles/ios-anti-debugging-protections-part-1/

Good luck

January 25, 2015

@@jx1992 I know that PT_DENY_ATTACH keeps the debugger from attaching, but I never tried -1, but instead anything other than 31 (0x1F) or I NOP'ed it. And I usually stay away from NOP'ing branches because it usually results in a crash (for me at least), but I'll give it a go. That website was really useful, too.

jx1992 · January 26, 2015

@@Shmoo419 I noticed theres a sysctl call in the function as well. That function is usually used to detect the presence of a debugger as well. You can visit this site http://www.coredump.gr/articles/ios-anti-debugging-protections-part-2/ to read more about bypassing it or you can post the whole disassembly of the first function and we can figure it out