Help/Support HEX editing, dissassembled binary HEX values and binary HEX values different...wt#

[Anonymonk 1.9k iPad Air 2 8-9-11]

i guess i could have choose something easier for my first start ^^, but thats that one i want to hack...

so i have a problem, when i dissassemble the binary as arm7 in ida (arm proc), he show a different hex view... as just to open the binary as raw...

i tried to open the binary with several Hex editors, they never match with the hex values from ida

i was thinking to edit the binary inside my iphone with a hexeditor and test it straight away... 

binary of assassin creed unity, thinned and alsr removed

HEX value from binary

Spoiler

003D08E0  252B 447D 7828 BBE0 F641 0088 F235 DB2C F649 31C0 F2C0 2104 4479 6809 6008 F641
003D0900  300A F235 DB21 F64B 4136 F2C0 2104 4479 6809 6008 F641 300E F235 DB16 F64B 4180
003D0920  F2C0 2104 4479 6809 6008 F241 305A F2C8 0000 F235 DB07 F64B 41AE F2C0 2104 4479

HEX value from dissassembled binary in IDA

Spoiler

003D08E0  D193 4605 A801 212A 4622 F239 DB37 9A02 4629 9801 6813 4798 B003 BDF0 6880 4770
003D0900  6087 4770 B580 466F B082 4602 4668 2118 F239 DB24 E89D 0003 680A 4790 B002 BD80
003D0920  B590 AF01 B082 460C 4602 4668 2119 F239 DB15 E89D 0005 4621 6813 4798 B002 BD90

the watchpoint is health going down in 32b float

lldb watchpoint

Spoiler

Watchpoint 1 hit:
old value: 1134626297
new value: 1133971717
Process 766 stopped
* thread #1: tid = 0x1898, 0x003d0902 acier`___lldb_unnamed_function18218$$acier + 2, queue = 'com.apple.main-thread', stop reason = watchpoint 1
    frame #0: 0x003d0902 acier`___lldb_unnamed_function18218$$acier + 2
acier`___lldb_unnamed_function18218$$acier:
->  0x3d0902 <+2>: bx     lr

acier`___lldb_unnamed_function18219$$acier:
    0x3d0904 <+0>: push   {r7, lr}
    0x3d0906 <+2>: mov    r7, sp
    0x3d0908 <+4>: sub    sp, #0x8
(lldb) dis -c 20
acier`___lldb_unnamed_function18218$$acier:
    0x3d0900 <+0>:  str    r1, [r0, #0x8]
->  0x3d0902 <+2>:  bx     lr

acier`___lldb_unnamed_function18219$$acier:
    0x3d0904 <+0>:  push   {r7, lr}
    0x3d0906 <+2>:  mov    r7, sp
    0x3d0908 <+4>:  sub    sp, #0x8
    0x3d090a <+6>:  mov    r2, r0
    0x3d090c <+8>:  mov    r0, sp
    0x3d090e <+10>: movs   r1, #0x18
    0x3d0910 <+12>: bl     0xe09f5c                  ; ___lldb_unnamed_function81925$$acier
    0x3d0914 <+16>: ldm.w  sp, {r0, r1}
    0x3d0918 <+20>: ldr    r2, [r1]
    0x3d091a <+22>: blx    r2
    0x3d091c <+24>: add    sp, #0x8
    0x3d091e <+26>: pop    {r7, pc}

acier`___lldb_unnamed_function18220$$acier:
    0x3d0920 <+0>:  push   {r4, r7, lr}
    0x3d0922 <+2>:  add    r7, sp, #0x4
    0x3d0924 <+4>:  sub    sp, #0x8
    0x3d0926 <+6>:  mov    r4, r1
    0x3d0928 <+8>:  mov    r2, r0
    0x3d092a <+10>: mov    r0, sp

 

IDA view-A

Spoiler

__text:003D08FC ; =============== S U B R O U T I N E =======================================
__text:003D08FC
__text:003D08FC
__text:003D08FC sub_3D08FC                              ; DATA XREF: __const:024C77F0o
__text:003D08FC                 LDR             R0, [R0,#8]
__text:003D08FE                 BX              LR
__text:003D08FE ; End of function sub_3D08FC
__text:003D08FE
__text:003D0900
__text:003D0900 ; =============== S U B R O U T I N E =======================================
__text:003D0900
__text:003D0900
__text:003D0900 sub_3D0900                              ; DATA XREF: __const:024C77F4o
__text:003D0900                 STR             R7, [R0,#8]
__text:003D0902                 BX              LR
__text:003D0902 ; End of function sub_3D0900
__text:003D0902
__text:003D0904
__text:003D0904 ; =============== S U B R O U T I N E =======================================
__text:003D0904
__text:003D0904
__text:003D0904 sub_3D0904                              ; DATA XREF: __const:024C77F8o
__text:003D0904                 PUSH            {R7,LR}
__text:003D0906                 MOV             R7, SP
__text:003D0908                 SUB             SP, SP, #8
__text:003D090A                 MOV             R2, R0
__text:003D090C                 MOV             R0, SP
__text:003D090E                 MOVS            R1, #0x18
__text:003D0910                 BL.W            sub_E09F5C
__text:003D0914                 LDMFD.W         SP, {R0,R1}
__text:003D0918                 LDR             R2, [R1]
__text:003D091A                 BLX             R2
__text:003D091C                 ADD             SP, SP, #8
__text:003D091E                 POP             {R7,PC}
__text:003D091E ; End of function sub_3D0904

 

when i convert arm to hex or hex to arm... nothing is matching with the value i find when i open the binary in a hex editor..

why is that so, a protection?

all the tuto i have red or watched dont have that issue...

thanks

 

Updated June 17, 2017 by Anonymonk

[Amuyea 87.9k iPhone 7 Plus 14.3]

IDA and Hex are at different address

Left is Hex address  and right is IDA address

[xiaov 6.6k iPhone 6 8.3]

5 minutes ago, Anonymonk said:

i guess i could have choose something easier for my first start ^^, but thats that one i want to hack...

so i have a problem, when i dissassemble the binary as arm7 in ida (arm proc), he show a different hex view... as just to open the binary as raw...

i tried to open the binary with several Hex editors, they never match with the hex values from ida

i was thinking to edit the binary inside my iphone with a hexeditor and test it straight away... 

binary of assassin creed unity, thinned and alsr removed

HEX value from binary

  Hide contents

003D08E0  252B 447D 7828 BBE0 F641 0088 F235 DB2C F649 31C0 F2C0 2104 4479 6809 6008 F641
003D0900  300A F235 DB21 F64B 4136 F2C0 2104 4479 6809 6008 F641 300E F235 DB16 F64B 4180
003D0920  F2C0 2104 4479 6809 6008 F241 305A F2C8 0000 F235 DB07 F64B 41AE F2C0 2104 4479

HEX value from dissassembled binary in IDA

  Hide contents

003D08E0  D193 4605 A801 212A 4622 F239 DB37 9A02 4629 9801 6813 4798 B003 BDF0 6880 4770
003D0900  6087 4770 B580 466F B082 4602 4668 2118 F239 DB24 E89D 0003 680A 4790 B002 BD80
003D0920  B590 AF01 B082 460C 4602 4668 2119 F239 DB15 E89D 0005 4621 6813 4798 B002 BD90

the watchpoint is health going down in 32b float

lldb watchpoint

  Hide contents

Watchpoint 1 hit:
old value: 1134626297
new value: 1133971717
Process 766 stopped
* thread #1: tid = 0x1898, 0x003d0902 acier`___lldb_unnamed_function18218$$acier + 2, queue = 'com.apple.main-thread', stop reason = watchpoint 1
    frame #0: 0x003d0902 acier`___lldb_unnamed_function18218$$acier + 2
acier`___lldb_unnamed_function18218$$acier:
->  0x3d0902 <+2>: bx     lr

acier`___lldb_unnamed_function18219$$acier:
    0x3d0904 <+0>: push   {r7, lr}
    0x3d0906 <+2>: mov    r7, sp
    0x3d0908 <+4>: sub    sp, #0x8
(lldb) dis -c 20
acier`___lldb_unnamed_function18218$$acier:
    0x3d0900 <+0>:  str    r1, [r0, #0x8]
->  0x3d0902 <+2>:  bx     lr

acier`___lldb_unnamed_function18219$$acier:
    0x3d0904 <+0>:  push   {r7, lr}
    0x3d0906 <+2>:  mov    r7, sp
    0x3d0908 <+4>:  sub    sp, #0x8
    0x3d090a <+6>:  mov    r2, r0
    0x3d090c <+8>:  mov    r0, sp
    0x3d090e <+10>: movs   r1, #0x18
    0x3d0910 <+12>: bl     0xe09f5c                  ; ___lldb_unnamed_function81925$$acier
    0x3d0914 <+16>: ldm.w  sp, {r0, r1}
    0x3d0918 <+20>: ldr    r2, [r1]
    0x3d091a <+22>: blx    r2
    0x3d091c <+24>: add    sp, #0x8
    0x3d091e <+26>: pop    {r7, pc}

acier`___lldb_unnamed_function18220$$acier:
    0x3d0920 <+0>:  push   {r4, r7, lr}
    0x3d0922 <+2>:  add    r7, sp, #0x4
    0x3d0924 <+4>:  sub    sp, #0x8
    0x3d0926 <+6>:  mov    r4, r1
    0x3d0928 <+8>:  mov    r2, r0
    0x3d092a <+10>: mov    r0, sp

 

IDA view-A

  Reveal hidden contents

__text:003D08F4 ; End of function sub_3D0854
__text:003D08F4
__text:003D08F6                 BLX             R3
__text:003D08F8                 ADD             SP, SP, #0xC
__text:003D08FA                 POP             {R4-R7,PC}
__text:003D08FC ; ---------------------------------------------------------------------------
__text:003D08FC                 LDR             R0, [R0,#8]
__text:003D08FE                 BX              LR
__text:003D0900 ; ---------------------------------------------------------------------------
__text:003D0900                 STR             R0, [R0,#8]
__text:003D0902                 BX              LR
__text:003D0904
__text:003D0904 ; =============== S U B R O U T I N E =======================================
__text:003D0904
__text:003D0904
__text:003D0904 sub_3D0904
__text:003D0904                 PUSH            {R7,LR}
__text:003D0906                 MOV             R7, SP
__text:003D0908                 SUB             SP, SP, #8
__text:003D090A                 MOV             R2, R0
__text:003D090C                 MOV             R0, SP
__text:003D090E                 MOVS            R1, #0x18
__text:003D0910                 BL.W            sub_E09F5C
__text:003D0914                 LDMFD.W         SP, {R0,R1}
__text:003D0918                 LDR             R2, [R1]
__text:003D091A                 BLX             R2
__text:003D091C                 ADD             SP, SP, #8
__text:003D091E                 POP             {R7,PC}
__text:003D091E ; End of function sub_3D0904
__text:003D091E
__text:003D0920

 

when i convert arm to hex or hex to arm... nothing is matching with the value i find when i open the binary in a hex editor..

why is that so, a protection?

all the tuto i have red or watched dont have that issue...

thanks

 

1 - did you disable aslr? if never disable aslr, watchpoint offset from lldb is not correct.

2 - if you done disable aslr, when you find hex from hex editor , it must be -4000 from the IDA offset.

[Anonymonk 1.9k iPad Air 2 8-9-11]

7 minutes ago, xiaov said:

1 - did you disable aslr? if never disable aslr, watchpoint offset from lldb is not correct.

2 - if you done disable aslr, when you find hex from hex editor , it must be -4000 from the IDA offset.

i disabled the alsr, and i guess its proper as the lldb display show the same instruction than Ida

 

9 minutes ago, Amuyea said:

IDA and Hex are at different address

Left is Hex address  and right is IDA address

i see... thank you both for your help, i will give a try right now

[Anonymonk 1.9k iPad Air 2 8-9-11]

yep.. thats it.. i can now try...

but it seems really hard  to begin to learn instruction in that assassin creed unity

i made a try and everyone became immortal, and all attribute to max.... big mess

seems like i will have to spend time to learn all that...

if someone feel to tell me what to edit ... i welcome everyone, hihihi