Help/Support HEX editing, dissassembled binary HEX values and binary HEX values different...wt#

Anonymonk · June 17, 2017

i guess i could have choose something easier for my first start ^^, but thats that one i want to hack...

so i have a problem, when i dissassemble the binary as arm7 in ida (arm proc), he show a different hex view... as just to open the binary as raw...

i tried to open the binary with several Hex editors, they never match with the hex values from ida

i was thinking to edit the binary inside my iphone with a hexeditor and test it straight away...

binary of assassin creed unity, thinned and alsr removed

HEX value from binary

Spoiler

003D08E0 252B 447D 7828 BBE0 F641 0088 F235 DB2C F649 31C0 F2C0 2104 4479 6809 6008 F641
003D0900 300A F235 DB21 F64B 4136 F2C0 2104 4479 6809 6008 F641 300E F235 DB16 F64B 4180
003D0920 F2C0 2104 4479 6809 6008 F241 305A F2C8 0000 F235 DB07 F64B 41AE F2C0 2104 4479

HEX value from dissassembled binary in IDA

Spoiler

003D08E0 D193 4605 A801 212A 4622 F239 DB37 9A02 4629 9801 6813 4798 B003 BDF0 6880 4770
003D0900 6087 4770 B580 466F B082 4602 4668 2118 F239 DB24 E89D 0003 680A 4790 B002 BD80
003D0920 B590 AF01 B082 460C 4602 4668 2119 F239 DB15 E89D 0005 4621 6813 4798 B002 BD90

the watchpoint is health going down in 32b float

lldb watchpoint

Spoiler

Watchpoint 1 hit:
old value: 1134626297
new value: 1133971717
Process 766 stopped
* thread #1: tid = 0x1898, 0x003d0902 acier`___lldb_unnamed_function18218$$acier + 2, queue = 'com.apple.main-thread', stop reason = watchpoint 1
frame #0: 0x003d0902 acier`___lldb_unnamed_function18218$$acier + 2
acier`___lldb_unnamed_function18218$$acier:
-> 0x3d0902 <+2>: bx lr

acier`___lldb_unnamed_function18219$$acier:
0x3d0904 <+0>: push {r7, lr}
0x3d0906 <+2>: mov r7, sp
0x3d0908 <+4>: sub sp, #0x8
(lldb) dis -c 20
acier`___lldb_unnamed_function18218$$acier:
0x3d0900 <+0>: str r1, [r0, #0x8]
-> 0x3d0902 <+2>: bx lr

acier`___lldb_unnamed_function18219$$acier:
0x3d0904 <+0>: push {r7, lr}
0x3d0906 <+2>: mov r7, sp
0x3d0908 <+4>: sub sp, #0x8
0x3d090a <+6>: mov r2, r0
0x3d090c <+8>: mov r0, sp
0x3d090e <+10>: movs r1, #0x18
0x3d0910 <+12>: bl 0xe09f5c ; ___lldb_unnamed_function81925$$acier
0x3d0914 <+16>: ldm.w sp, {r0, r1}
0x3d0918 <+20>: ldr r2, [r1]
0x3d091a <+22>: blx r2
0x3d091c <+24>: add sp, #0x8
0x3d091e <+26>: pop {r7, pc}

acier`___lldb_unnamed_function18220$$acier:
0x3d0920 <+0>: push {r4, r7, lr}
0x3d0922 <+2>: add r7, sp, #0x4
0x3d0924 <+4>: sub sp, #0x8
0x3d0926 <+6>: mov r4, r1
0x3d0928 <+8>: mov r2, r0
0x3d092a <+10>: mov r0, sp

IDA view-A

Spoiler

__text:003D08FC ; =============== S U B R O U T I N E =======================================
__text:003D08FC
__text:003D08FC
__text:003D08FC sub_3D08FC ; DATA XREF: __const:024C77F0o
__text:003D08FC LDR R0, [R0,#8]
__text:003D08FE BX LR
__text:003D08FE ; End of function sub_3D08FC
__text:003D08FE
__text:003D0900
__text:003D0900 ; =============== S U B R O U T I N E =======================================
__text:003D0900
__text:003D0900
__text:003D0900 sub_3D0900 ; DATA XREF: __const:024C77F4o
__text:003D0900 STR R7, [R0,#8]
__text:003D0902 BX LR
__text:003D0902 ; End of function sub_3D0900
__text:003D0902
__text:003D0904
__text:003D0904 ; =============== S U B R O U T I N E =======================================
__text:003D0904
__text:003D0904
__text:003D0904 sub_3D0904 ; DATA XREF: __const:024C77F8o
__text:003D0904 PUSH {R7,LR}
__text:003D0906 MOV R7, SP
__text:003D0908 SUB SP, SP, #8
__text:003D090A MOV R2, R0
__text:003D090C MOV R0, SP
__text:003D090E MOVS R1, #0x18
__text:003D0910 BL.W sub_E09F5C
__text:003D0914 LDMFD.W SP, {R0,R1}
__text:003D0918 LDR R2, [R1]
__text:003D091A BLX R2
__text:003D091C ADD SP, SP, #8
__text:003D091E POP {R7,PC}
__text:003D091E ; End of function sub_3D0904

when i convert arm to hex or hex to arm... nothing is matching with the value i find when i open the binary in a hex editor..

why is that so, a protection?

all the tuto i have red or watched dont have that issue...

thanks

Amuyea · June 17, 2017

IDA and Hex are at different address

Left is Hex address and right is IDA address

xiaov · June 17, 2017

5 minutes ago, Anonymonk said:

i guess i could have choose something easier for my first start ^^, but thats that one i want to hack...

so i have a problem, when i dissassemble the binary as arm7 in ida (arm proc), he show a different hex view... as just to open the binary as raw...

i tried to open the binary with several Hex editors, they never match with the hex values from ida

i was thinking to edit the binary inside my iphone with a hexeditor and test it straight away...

binary of assassin creed unity, thinned and alsr removed

HEX value from binary

Hide contents

003D08E0 252B 447D 7828 BBE0 F641 0088 F235 DB2C F649 31C0 F2C0 2104 4479 6809 6008 F641
003D0900 300A F235 DB21 F64B 4136 F2C0 2104 4479 6809 6008 F641 300E F235 DB16 F64B 4180
003D0920 F2C0 2104 4479 6809 6008 F241 305A F2C8 0000 F235 DB07 F64B 41AE F2C0 2104 4479

HEX value from dissassembled binary in IDA

Hide contents

003D08E0 D193 4605 A801 212A 4622 F239 DB37 9A02 4629 9801 6813 4798 B003 BDF0 6880 4770
003D0900 6087 4770 B580 466F B082 4602 4668 2118 F239 DB24 E89D 0003 680A 4790 B002 BD80
003D0920 B590 AF01 B082 460C 4602 4668 2119 F239 DB15 E89D 0005 4621 6813 4798 B002 BD90

the watchpoint is health going down in 32b float

lldb watchpoint

Hide contents

Watchpoint 1 hit:
old value: 1134626297
new value: 1133971717
Process 766 stopped
* thread #1: tid = 0x1898, 0x003d0902 acier`___lldb_unnamed_function18218$$acier + 2, queue = 'com.apple.main-thread', stop reason = watchpoint 1
frame #0: 0x003d0902 acier`___lldb_unnamed_function18218$$acier + 2
acier`___lldb_unnamed_function18218$$acier:
-> 0x3d0902 <+2>: bx lr

acier`___lldb_unnamed_function18219$$acier:
0x3d0904 <+0>: push {r7, lr}
0x3d0906 <+2>: mov r7, sp
0x3d0908 <+4>: sub sp, #0x8
(lldb) dis -c 20
acier`___lldb_unnamed_function18218$$acier:
0x3d0900 <+0>: str r1, [r0, #0x8]
-> 0x3d0902 <+2>: bx lr

acier`___lldb_unnamed_function18219$$acier:
0x3d0904 <+0>: push {r7, lr}
0x3d0906 <+2>: mov r7, sp
0x3d0908 <+4>: sub sp, #0x8
0x3d090a <+6>: mov r2, r0
0x3d090c <+8>: mov r0, sp
0x3d090e <+10>: movs r1, #0x18
0x3d0910 <+12>: bl 0xe09f5c ; ___lldb_unnamed_function81925$$acier
0x3d0914 <+16>: ldm.w sp, {r0, r1}
0x3d0918 <+20>: ldr r2, [r1]
0x3d091a <+22>: blx r2
0x3d091c <+24>: add sp, #0x8
0x3d091e <+26>: pop {r7, pc}

acier`___lldb_unnamed_function18220$$acier:
0x3d0920 <+0>: push {r4, r7, lr}
0x3d0922 <+2>: add r7, sp, #0x4
0x3d0924 <+4>: sub sp, #0x8
0x3d0926 <+6>: mov r4, r1
0x3d0928 <+8>: mov r2, r0
0x3d092a <+10>: mov r0, sp

IDA view-A

Reveal hidden contents

__text:003D08F4 ; End of function sub_3D0854
__text:003D08F4
__text:003D08F6 BLX R3
__text:003D08F8 ADD SP, SP, #0xC
__text:003D08FA POP {R4-R7,PC}
__text:003D08FC ; ---------------------------------------------------------------------------
__text:003D08FC LDR R0, [R0,#8]
__text:003D08FE BX LR
__text:003D0900 ; ---------------------------------------------------------------------------
__text:003D0900 STR R0, [R0,#8]
__text:003D0902 BX LR
__text:003D0904
__text:003D0904 ; =============== S U B R O U T I N E =======================================
__text:003D0904
__text:003D0904
__text:003D0904 sub_3D0904
__text:003D0904 PUSH {R7,LR}
__text:003D0906 MOV R7, SP
__text:003D0908 SUB SP, SP, #8
__text:003D090A MOV R2, R0
__text:003D090C MOV R0, SP
__text:003D090E MOVS R1, #0x18
__text:003D0910 BL.W sub_E09F5C
__text:003D0914 LDMFD.W SP, {R0,R1}
__text:003D0918 LDR R2, [R1]
__text:003D091A BLX R2
__text:003D091C ADD SP, SP, #8
__text:003D091E POP {R7,PC}
__text:003D091E ; End of function sub_3D0904
__text:003D091E
__text:003D0920

when i convert arm to hex or hex to arm... nothing is matching with the value i find when i open the binary in a hex editor..

why is that so, a protection?

all the tuto i have red or watched dont have that issue...

thanks

1 - did you disable aslr? if never disable aslr, watchpoint offset from lldb is not correct.

2 - if you done disable aslr, when you find hex from hex editor , it must be -4000 from the IDA offset.

Anonymonk · June 17, 2017

7 minutes ago, xiaov said:

1 - did you disable aslr? if never disable aslr, watchpoint offset from lldb is not correct.

2 - if you done disable aslr, when you find hex from hex editor , it must be -4000 from the IDA offset.

i disabled the alsr, and i guess its proper as the lldb display show the same instruction than Ida