Tutorial How to Find Offsets of Game In Ios(with Pictures)

Swagter123 · November 30, 2016

Sorry If this has a Bad english as it was in german language i used google translate to covert.If u want anything to edited fell free to tell me.

Requirements

OpenSSH

iGameGuardian

Gnu Debugger

Cracked,Thinned and Aslr Removed Ipa File

In PC:

Ida Pro

Putty

Itools Or ifunBox

Last but not least, a game is missing. In my tutorial I take Plants vs Zombies

So Lets start

Plug in your device to the computer and start iTools .

In the selection menu on the left side chooses their apps and searches from the list PvZ .

Clicking on the folder icon opens a new window.

In the new window opens her PvZ.app and searches for the file PvZ(without extension)

This file you copied you on your computer, the best you have to create a new folder.

Now start their IDA and click New

It opens directly a window in which you must select your PvZ file. ( CAUTION: Selects the bottom right All Files (*) ! From)

After you have selected the PvZ file, opens a new window where you have to set the processor types.

Just take the settings from the following screen:

Click OK and confirm the following query with Yes. A short time later, a new window opens, which can be closed with a click on OK.

Now, IDA works, recognizable by the number of consecutive numbers on the left.

You must now wait until there idle stands. In the meantime we will devote ourselves to the game and the value to be chopped.

You can now start Plants vs Zombies and begin a level and pauses it directly.

Then you press on your home button and start iGameGuardian

There selects her PvZ and acknowledged the query by pressing Select.

Now you can start it on the bottom with your search Search Press.

At this point I have long wondered whether I go into detail, or not ... but I decided against it because iGameGuardian a kind Cheat Engine is and anyone who deals with such an issue, in fact, the necessary knowledge of the use With such programs.

So you are looking for your solar value and filter until you have the right address.

If you have the address, you can putty start.

You enter the IP from your device and click Open.

The following window will open

When login as: you give root a and password you give Alpine a

(Input on password are not visible!)

Input history:

root <ENTER> alpine <ENTER>

So should your putty window look.

Now you start the GNU debugger by her gdb eingebt and confirms the input with Enter.

Now you have the debugger to attach PvZ process, so give her the following:

att PvZ

(In case sensitive eighth! Att pvz would not work)

Putty is now working a little, but does not take long.

So now the putty window should look.

Now you created a watch point to the address that we with iGameGuardian found.

To do this, type the following:

watch * 0xADRESSE <ENTER> (your in iGameGuardian found address. * 0x must always stand in front!)

display / i $ pc <ENTER>

display $ r0 <ENTER> (optional)

display $ r1 <ENTER> (optional)

display $ r2 <ENTER> (optional)

display $ r3 <ENTER> (optional)

display $ r4 <ENTER> (optional)

$ r0 to r12 are $ register, similar to eax, esi, edi, etc.

Due to the optional input of display $ r0 is a brake after only displayed, which values the Register.

These registers One can also by entering after Brake however

info r

display.

If you now switch to the PvZ game, it will see that it is still paused by GDB.

To make the game now continue to run, you need to putty just a c (for continue) and confirm with Enter

Now you have to go back to the game and collect a sun.

The game might not run smoothly through the debugger or by the watchpoint ...

Once you've collected a sun, the game is automatically paused by GDB.

If you look at putty, you should see something like this:

As you can see, my old value 40 and the new 55.

The command that is run is

cmp r1, r2

, and is located at the address

0x120D18

To display the Speicherbereicht, give her the following:

x / 20x 0xADRESSE (your address)

You can now work with these bytes.

You are now changing to IDA (should now be finished)

Bottom left should now idle are

in the upper window you right-click and select Text View.

Now click at the top of Search -> sequence of bytes ..

In the search box you give now Bytes of putty, in my case, this would look like:

The first 8 bytes should initially rich, respected, however, note that the bytes have to be entered in reverse order, making a hook at Find all occurences .

Then click Ok.

The result list should now only be an entry, which you select directly with a double-click.

You should now land here:

Here is R1 compared with R2, then comes a JUMP because BLT for Branch if lowerthan (jump if less) stands.

2 lines below you see

mov R1, # 0x2706

The Hex value 2706 (decimal = 9990) is written to R1, but this command is not executed because the Branch (jump) is about, so the instruction is mov R1, # 0x2706 simply getting Skipped

The simplest solution to this problem is an NOP.

You either nopped the CMP command or the BLT command.

If the CMP command is genopped, the BLT command has no result, so it does not jump and what happens when the BLT command nopped, I probably do not need to explain;)

You can now click 1 time on the CMP instruction and goes to IDA up on the tab Hex View-A

You now see the bytes of the CMP command and before that the address 00075D18.

For you, however, the address marked with the arrow is important: 00074D18

You now start your favorite hex editor and jump to offset 74D18.

There should you directly jump out the bytes of the CMP instruction: 02 00 51 E1

After you start the ARM ASM converter and convert nop

For you, the 4 byte value is the important one.

Back in HexEditor her now changes the bytes from

02 00 51 E1

in

00 00 A0 E1

Save a file, but before you create a backup.