Help/Support Wrong value in GDB

[Archangel04 33k iPhone 7 14.3]

Hi guys,

So here we go. I installed SW FA from itunes and did the following
 

su
Password  
rc.sh -m
Chose the binary

//No errors,  all good

Go to /var/root/, get the cracked binary thin it with

lipo starwars -thin armv7 -o starwars2

Took the output file, used armconverter.com to remove aslr, signed with
 

ldid -s starwars2

Renamed and replaced in the app, permissions set to 777. App works fine.

Connect to Mac (and windows), open terminal, start app, find offset in iGG (and GP)
 

gdb
att pid
watch *0xOffsetfromGP/iGG

When i set a watchpoint it shows a very huge value as compared to the value which im hacking (shows something like 40880308 or so and value should be at max 10)

In iGG it still shows the same value


Checked for ASLR with
 

info address _mh_execute_header

Which returns 0x4000. According to @fahadxmb (as far as i remember) that meant aslr was gone.

I did get a warning about

Possible section anti debug trick detected at segment_Dirty or so (a few hundred times) but thats also fine apparently.

Any ideas what the error is?

Btw, when i use LLDB (debugserver was thinned for arm64) i get the correct value but when i search in IDA the code isnt there (something entirely different is there)

 

Added log from PuTTy

 

http://pastebin.com/gZ1HCRNW

Updated January 17, 2017 by Archangel04

[xiaov 6.6k iPhone 6 8.3]

don't know about lldb~ pass by~

[Naeemjr 35.1k 9.1]

did u remove syscall?

 

if not u have to

[Archangel04 33k iPhone 7 14.3]

did u remove syscall?

 

if not u have to

Theres no syscall but I did find sysctl. I checked imports, strings but no syscall.

 

When i NOP any BLX _sysctl, it crashes the game. If i BX LR or NOP the branch it kills the game. What should i do then

don't know about lldb~ pass by~

The post is about gdb and if you cant contribute there is no need to comment on this. If you want to increase your post count please dont do so here. Do it in spam city or something

[Naeemjr 35.1k 9.1]

Theres no syscall but I did find sysctl. I checked imports, strings but no syscall.

When i NOP any BLX _sysctl, it crashes the game. If i BX LR or NOP the branch it kills the game. What should i do then

 

The post is about gdb and if you cant contribute there is no need to comment on this. If you want to increase your post count please dont do so here. Do it in spam city or something

Chill he was just trying to help

Updated January 16, 2017 by Naeemjr

[Archangel04 33k iPhone 7 14.3]

Chill he was just trying to help

 

TBH, Doesnt seem so. Anyways, moving on,

 

According to another post (multiple posts), I need to find a place where there is _sysctl, _getpid and _memset. I didnt find that, but i did get _getpid and _sysctl

 

 

                 PUSH              {R4,R7,LR}
                 ADD                 R7, SP, #4
                 SUB.W            SP, SP, #0x20C ; void *
                 MOVW             R4, #(:lower16:(___stack_chk_guard_ptr - 0x173AD7A))
                 MOV.W            R0, #0x1EC
                 MOVT.W          R4, #(:upper16:(___stack_chk_guard_ptr - 0x173AD7A))
                 MOVS             R1, #0xE
                 ADD                R4, PC ; ___stack_chk_guard_ptr
                 LDR                R4, [R4] ; ___stack_chk_guard
                 LDR                R4, [R4]
                 STR                R4, [SP,#0x210+var_8]
                 STR                R0, [SP,#0x210+var_208]
                 MOVS             R0, #1
                 STR                R0, [SP,#0x210+var_204]
                 STRD.W         R1, R0, [SP,#0x10]
                 BLX                _getpid
                 STR               R0, [SP,#0x210+var_1F8]
                 MOVS            R0, #0
                 STRD.W        R0, R0, [SP]
                 ADD               R0, SP, #0x210+var_204 ; int *
                 ADD               R2, SP, #0x210+var_1F4 ; void *
                 ADD               R3, SP, #0x210+var_208 ; size_t *
                MOVS             R1, #4  ; u_int
                 BLX                _sysctl
                 CMP.W           R0, #0xFFFFFFFF
                 BEQ               loc_173ADB6
                 MOV              R0, #(byte_1FCB108 - 0x173ADB2)
                 ADD               R0, PC ; byte_1FCB108
                LDRB              R0, [R0]
                CBNZ              R0, loc_173AE0E
                B                     loc_173ADF6

If I NOP, then it crashes (as far as i remember, il have to check later)

[Archangel04 33k iPhone 7 14.3]

NOPed sysctl and the function below it. I can getbin if I use a slow net otherwise it crashes. Debugging witj gdb still gives wrong value

[Naeemjr 35.1k 9.1]

NOPed sysctl and the function below it. I can getbin if I use a slow net otherwise it crashes. Debugging witj gdb still gives wrong value

Have u tired adding repo.xarold repo in Cydia

And installing ptrace pwner it will automatically disable syscall

[Archangel04 33k iPhone 7 14.3]

Have u tired adding repo.xarold repo in Cydia

And installing ptrace pwner it will automatically disable syscall

Il try. I did want to learn how to do so though

[Archangel04 33k iPhone 7 14.3]

Done

 

Have u tired adding repo.xarold repo in Cydia
And installing ptrace pwner it will automatically disable syscall

 

It still shows a super huge value (and yes my iGG offset is correct, i checked)