[IDA Tutorial] How to know what to change in IDA in order to make your hack work

February 27, 2015

I could not think of a better title

Since I will not be able to make hacks for awhile (I tried with my iPod, it was just way too laggy, theos wouln't install), I'm mostly going to be helping around the forum and making IDA tutorials. DiDA please don't put me in retired

This tutorial is sort of noob-friendly, but not really in most ways. You should already have your offset that you got from GDB or LLDB. I am going to go right to the point. It will not be covering the basics. Alright, let's begin

Hidden Content

This is the example I will be using for this tutorial.

0x101968

and

0x101980

is what we will be working with, everything else does not matter. Why? Because when hacking sub_x, you hardly ever pay attension or modify instructions with SP (stack pointer) in it. You are usually always hacking MOV's, STR's, LDR's, ADD's, SUB's, and sometimes CMP's and branches (BEQ, BL, etc.) In this case, R0 holds the value of our coins. But what is this function saying? This is the first step of figuring out how to make your sub_x hack work. This function (between

0x101968

and

0x101980

, of course) is saying to:

0x101968: Move the value of R0 into R6
0x10196C: Store the value of R1 into R11+var_s0
0x101970: Load R6+0x24 into R0
0x101974: Load R11+var_s0 into R1
0x101978: Add R0 and R1 together and store the value in R0 
0x10197C: Store the value of R0 in R6+0x24
0x101980: Move the value of R6 into R0

Now we have figured out what the function is saying in English. I'm sure that you know that R7 holds the value of 668 - 803 million (I'm pretty sure, I know that it is a huge number). To make our coins infinite, we only need to modify instructions with R0 in there because, again, R0 holds the value of our coins. To make it infinite, all we have to do is change the STR (store) because we first want to store R7, or 803 million in R6+0x24 and the LDR (load) instruction because we know want to make it load R7, or 803 million into R0 instead of the regular value of coins. Those two instructions now have dashes and slashes because I don't think you can bold text that already has the code tag.

Here is the function in plain English with the dashes:

0x101968: Move the value of R0 into R6
0x10196C: Store the value of R1 into R11+var_s0
0x101970: Load R6+0x24 into R0 ---/---/---/---/---/--- 
0x101974: Load R11+var_s0 into R1
0x101978: Add R0 and R1 together and store the value in R0
0x10197C: Store the value of R0 in R6+0x24 ---/---/---/---/---/---
0x101980: Move the value of R6 into R0

And here is the same function, but instead it is in assembly instructions with what we can change to what to make coins infinite:

0x101968: MOV R0, R6
0x10196C: STR R1, [R11, #var_s0] 
0x101970: LDR R0, [R6, #0x24] //we can change this to LDR R0, [R7] so it loads 803 million into R0 instead of the regular amount of coins.
0x101974: LDR R1, [R11, #var_s0]
0x101978: ADD R0, R0, R1
0x10197C: STR R0, [R6, #0x24] //we can change this to STR R7, [R6, #0x24] so it stores 803 million into R6+0x24 instead of our regular coins value.
0x101980: MOV R6, R0

And here is the final changed function to make coins infinite (changes marked with dashes):

0x101968: MOV R0, R6
0x10196C: STR R1, [R11, #var_s0] 
0x101970: LDR R0, [R7] ------------------------
0x101974: LDR R1, [R11, #var_s0]
0x101978: ADD R0, R0, R1
0x10197C: STR R7, [R6, #0x24] ----------------------
0x101980: MOV R6, R0

Now coins are infinite! I hope you understood this, and I hope you learned something new

I hope this tutorial helped you

Don't be afraid to ask me questions!

Thanks @RickHaks for catching a mistake I made

Updated February 27, 2015 by Guest