Tutorial How to Find Offsets of Game In Ios(with Pictures)

[Swagter123 8.7k]

 

Sorry If this has a Bad english as it was in german language i used google translate to covert.If u want anything to edited fell free to tell me.

 

 

Requirements

 

OpenSSH

iGameGuardian

Gnu Debugger

Cracked,Thinned and Aslr Removed Ipa File

 

In PC:

Ida Pro

Putty

Itools Or ifunBox

 

Last but not least, a game is missing. In my tutorial I take Plants vs Zombies

 

 

 

 

So Lets start

 

Plug in your device to the computer and start iTools .

In the selection menu on the left side chooses their apps and searches from the list PvZ .

Clicking on the folder icon opens a new window.

 

In the new window opens her PvZ.app and searches for the file PvZ(without extension)

This file you copied you on your computer, the best you have to create a new folder.

Now start their IDA and click New

It opens directly a window in which you must select your PvZ file. ( CAUTION: Selects the bottom right All Files (*) ! From)

After you have selected the PvZ file, opens a new window where you have to set the processor types.

Just take the settings from the following screen:

Click OK and confirm the following query with Yes. A short time later, a new window opens, which can be closed with a click on OK.

Now, IDA works, recognizable by the number of consecutive numbers on the left.

You must now wait until there idle stands. In the meantime we will devote ourselves to the game and the value to be chopped.

You can now start Plants vs Zombies and begin a level and pauses it directly.

 

Then you press on your home button and start iGameGuardian

There selects her PvZ and acknowledged the query by pressing Select.

Now you can start it on the bottom with your search Search Press.

At this point I have long wondered whether I go into detail, or not ... but I decided against it because iGameGuardian a kind Cheat Engine is and anyone who deals with such an issue, in fact, the necessary knowledge of the use With such programs.

So you are looking for your solar value and filter until you have the right address.

If you have the address, you can putty start.

You enter the IP from your device and click Open.

The following window will open

When login as: you give root a and password you give Alpine a

(Input on password are not visible!)

Input history:

root <ENTER> alpine <ENTER>

So should your putty window look.

Now you start the GNU debugger by her gdb eingebt and confirms the input with Enter.

Now you have the debugger to attach PvZ process, so give her the following:

att PvZ

(In case sensitive eighth! Att pvz would not work)

Putty is now working a little, but does not take long.

So now the putty window should look.

Now you created a watch point to the address that we with iGameGuardian found.

To do this, type the following:

watch * 0xADRESSE <ENTER> (your in iGameGuardian found address. * 0x must always stand in front!)

display / i $ pc <ENTER>

display $ r0 <ENTER> (optional)

display $ r1 <ENTER> (optional)

display $ r2 <ENTER> (optional)

display $ r3 <ENTER> (optional)

display $ r4 <ENTER> (optional)

$ r0 to r12 are $ register, similar to eax, esi, edi, etc.

Due to the optional input of display $ r0 is a brake after only displayed, which values the Register.

These registers One can also by entering after Brake however

info r

display.

 

If you now switch to the PvZ game, it will see that it is still paused by GDB.

To make the game now continue to run, you need to putty just a c (for continue) and confirm with Enter

Now you have to go back to the game and collect a sun.

The game might not run smoothly through the debugger or by the watchpoint ...

Once you've collected a sun, the game is automatically paused by GDB.

If you look at putty, you should see something like this:

As you can see, my old value 40 and the new 55.

The command that is run is

cmp r1, r2

, and is located at the address

0x120D18

 

To display the Speicherbereicht, give her the following:

x / 20x 0xADRESSE (your address)

 

You can now work with these bytes.

 

You are now changing to IDA (should now be finished)

Bottom left should now idle are

in the upper window you right-click and select Text View.

Now click at the top of Search -> sequence of bytes ..

In the search box you give now Bytes of putty, in my case, this would look like:

The first 8 bytes should initially rich, respected, however, note that the bytes have to be entered in reverse order, making a hook at Find all occurences .

Then click Ok.

The result list should now only be an entry, which you select directly with a double-click.

You should now land here:

 

Here is R1 compared with R2, then comes a JUMP because BLT for Branch if lowerthan (jump if less) stands.

2 lines below you see

mov R1, # 0x2706

The Hex value 2706 (decimal = 9990) is written to R1, but this command is not executed because the Branch (jump) is about, so the instruction is mov R1, # 0x2706 simply getting Skipped

The simplest solution to this problem is an NOP.

You either nopped the CMP command or the BLT command.

If the CMP command is genopped, the BLT command has no result, so it does not jump and what happens when the BLT command nopped, I probably do not need to explain;)

You can now click 1 time on the CMP instruction and goes to IDA up on the tab Hex View-A

 

You now see the bytes of the CMP command and before that the address 00075D18.

For you, however, the address marked with the arrow is important: 00074D18

You now start your favorite hex editor and jump to offset 74D18.

There should you directly jump out the bytes of the CMP instruction: 02 00 51 E1

After you start the ARM ASM converter and convert nop

 

For you, the 4 byte value is the important one.

Back in HexEditor her now changes the bytes from

02 00 51 E1

in

00 00 A0 E1

 

Save a file, but before you create a backup.

Before you now push the changed PvZ file back on your device, you must close putty and close the possibly running PvZ process on your device.

Now you can copy the file to your device, of course, in the same folder from which you have copied it before;)

If you now collect a sun, you get 9990 Suns credited.

 

 

Credits:

Google For translating

Infamous-Ash For compiling

Maker:DNA FROM HOG

Updated November 30, 2016 by Amuyea

[Amuyea 87.6k iPhone 7 Plus 14.3]

Nice tut by whomever made it

[Patricktph 36.4k 10.2.1]

Nice TuT well explained  

[AxCE 5.4k iPhone 6s 11.3.1]

@ Good Job!

Can you give me the link for the original TuT please?

Updated November 16, 2016 by AxCE

[Swagter123 8.7k]

@ Good Job!

Can you give me the link for the original TuT please?

ok i will  pm you are you a german

[Joka 1.1k iPhone X 12.4]

Yes, a tutorial!

[AxCE 5.4k iPhone 6s 11.3.1]

ok i will  pm you are you a german

So?

[Swagter123 8.7k]

So?

just wanted to know

@ Good Job!

Can you give me the link for the original TuT please?

here is the link extract the rar file and open up the html file

 

http://usersdownload.com/u2t8kqygd7y2.html

[castix 18.4k iPhone X 12.1.1]

- Tutorial from 2013

- Zahir and Evilg00d made a better tutorial

- You didn't even credit DNA from HoG

 

@

Updated November 16, 2016 by castix

[Guest]

- Tutorial from 2013

- Zahir and Evilg00d made a better tutorial

- You didn't even credit DNA from HoG

 

@

this tutorial was made by Aswag1, it was a video. @ you took screenshots of Aswag1's old strings tutorial

Lol his account was terminated but heres the link https://www.youtube.com/watch?v=lyN-7-g2BJQ&list=UUMb9AeMUKNpzHI8ozdTJmvA

 

http://m.imgur.com/5Sdyxfh