TuT [Tutorial] How to hack iOS games and apps! [Hex Editing/IDA]

ZectixV1 · January 20, 2015

Hex editing

Requirements:

winSCP or i-funbox or simalar
(most of you already know how to hex edit )
your save files are located in /var/mobile/applications/**your app folder**/Documents
I will show you how to transfer the files only, i am not teaching people to hex edit. if enough people want me to teach you all i will.
in cydia install openSSH and respring.
download winSCP here

this is an example of fruit ninja folders.

just transfer the file anto your PC and edit in a hex editor.

IDA Method

Requirements:
-IDA pro 6.1+ i recommend 6.4 (the demo works fine but you may also get a cracked one)
-winSCP or similar
-logical thinking
-Ldone (from the repo cydia.hackulo.us) EDIT: If you are on iOS6 this is no longer needed

transfer the game you want to hacks binary, it is located in the yourApp.app folder and has no extention (i.e the file BloonsTD4 would be the bloonsTD4 binary)
(in this tut we are hacking PvZ 1.9.1)

Open IDA (idaq.exe not idau.exe if you have that)

(please note, i say 1 but i mean 01 )

save the file and transfer it back to your iDevice
once back in the PvZ app folder do this:

Useful information/FAQ

useful codes and hexes:

BX LR (skips entire function, useful for infinite ammo. i.e put bx lr at the start of a function like weapon::removeAmmo(int) )

2 byte code: 70 47

4 byte code: 1E FF 2F E1

NOP (cheat engine users may be familiar with this) skips the code it is placed on ( for example put a NOP instead of mov r0 #2 and it skips the mov r0 #2)

2 byte code: C0 46

4 byte code: 0000A0E1

Branches (branch to another part of the function or a different function)

B (normal branch)

2 byte: ends in E0

4 byte: ends in EA

BEQ (branch if equal, usually a CMP command above it and it branches if EQUAL)

4 byte: ends in 0A

BNE (branch if not equal, again usually a CMP command above)

4 byte: ends in 1A

BGT (branch if greater than, another CMP above it)

4 byte: ends in CA

BLT: (branch less than, CMP above)

4 byte: ends in BA

BL (branch link. branches to another function)

these are really hard to calculate as the hex is different each time. if you can calculate it though the pay-off is great. you can have rocket bullets, always have full health etc

FAQ:

Q: what if my binary only has an ARMv6 option?

A: use ARMv6, they still run on ARMv7 devices

Q: how do i know if my binary is 2 byte or 4 byte?

A: highlight any code and see if 2 bytes or 4 bytes are highlighted in Hex view in IDA

Q: my app crashes, what should I do?

A: you may not have signed properly, sign again and respring. or you may have edited a wrong function causing your app to be unstable

Q: are there any other methods to IDA hacking?

A: hell yeah, I only showed you basic IDA hacking today, there are way more advanced methods which i MAY make a tut for too at some point

Q: My binary's functions are all sub_xxxxx commands, what do I do now?

A: this is where the compiler throws out function names as they are not needed. in IDA press shift+f12 to open the strings window, search for gold or something here instead and double click on one and press ctrl+X to jump to the function (hard to explain in text but i will include this in my more advanced tutorial)