Help/Support [IDA] what to edit to make the hack work?

Anonymonk · June 17, 2017

hi again,

still working on Assassin creed unity,

if someone could give me a hand to figure out what to edit for one offset, i think i could manage the rest alone.

i couldn't find what to modify to get the unlimited health, so i took another watch point, killingspree.

both watchpoint show the same instruction (on a different adress)

i higlighted them in red

LLDB killingspree

Spoiler

watchpoint 3 hit:
old value: 3
new value: 1
Process 1079 stopped
* thread #1: tid = 0x1f95, 0x003d021a acier`___lldb_unnamed_function18199$$acier + 2, queue = 'com.apple.main-thread', stop reason = watchpoint 3
frame #0: 0x003d021a acier`___lldb_unnamed_function18199$$acier + 2
acier`___lldb_unnamed_function18199$$acier:
-> 0x3d021a <+2>: bx lr

acier`___lldb_unnamed_function18200$$acier:
0x3d021c <+0>: push {r7, lr}
0x3d021e <+2>: mov r7, sp
0x3d0220 <+4>: sub sp, #0x8
(lldb) dis -c 20
acier`___lldb_unnamed_function18199$$acier:
0x3d0218 <+0>: str r1, [r0, #0x8]
-> 0x3d021a <+2>: bx lr

acier`___lldb_unnamed_function18200$$acier:
0x3d021c <+0>: push {r7, lr}
0x3d021e <+2>: mov r7, sp
0x3d0220 <+4>: sub sp, #0x8
0x3d0222 <+6>: mov r2, r0
0x3d0224 <+8>: mov r0, sp
0x3d0226 <+10>: movs r1, #0x16
0x3d0228 <+12>: bl 0xe09f5c ; ___lldb_unnamed_function81925$$acier
0x3d022c <+16>: ldm.w sp, {r0, r1}
0x3d0230 <+20>: ldr r2, [r1]
0x3d0232 <+22>: blx r2
0x3d0234 <+24>: vmov d16, r0, r0
0x3d0238 <+28>: vcvt.f32.s32 d0, d16
0x3d023c <+32>: vmov r0, s0
0x3d0240 <+36>: add sp, #0x8
0x3d0242 <+38>: pop {r7, pc}

acier`___lldb_unnamed_function18201$$acier:
0x3d0244 <+0>: push {r4, r7, lr}
0x3d0246 <+2>: add r7, sp, #0x4
0x3d0248 <+4>: sub sp, #0x8

IDA view-A of killingspree watchpoint (0 ; 1 ; 2 no killingspree - 3 killingspree activated)

Spoiler

__text:003D018E ALIGN 0x10
__text:003D0190
__text:003D0190 ; =============== S U B R O U T I N E =======================================
__text:003D0190
__text:003D0190 ; Attributes: bp-based frame
__text:003D0190
__text:003D0190 sub_3D0190 ; CODE XREF: sub_3CF364+4j
__text:003D0190 ; sub_3CF36C+4j ...
__text:003D0190 PUSH {R4,R5,R7,LR}
__text:003D0192 ADD R7, SP, #8
__text:003D0194 MOV R4, R1
__text:003D0196 CMP R4, #0
__text:003D0198 ITT GE
__text:003D019A LDRGE R1, [R0,#0x24]
__text:003D019C CMPGE R1, R4
__text:003D019E BLE loc_3D01BA
__text:003D01A0 LDR R5, [R0,#0x10]
__text:003D01A2 CBZ R5, loc_3D01BE
__text:003D01A4 LDR R0, [R5,#0xC]
__text:003D01A6 CMP R0, R4
__text:003D01A8 BHI loc_3D01B2
__text:003D01AA BL.W sub_E09F7C
__text:003D01AE BL.W sub_E09F50
__text:003D01B2 ; ---------------------------------------------------------------------------
__text:003D01B2
__text:003D01B2 loc_3D01B2 ; CODE XREF: sub_3D0190+18j
__text:003D01B2 ADD.W R0, R5, R4,LSL#2
__text:003D01B6 LDR R0, [R0,#0x10]
__text:003D01B8 POP {R4,R5,R7,PC}
__text:003D01BA ; ---------------------------------------------------------------------------
__text:003D01BA
__text:003D01BA loc_3D01BA ; CODE XREF: sub_3D0190+Ej
__text:003D01BA MOVS R0, #0
__text:003D01BC POP {R4,R5,R7,PC}
__text:003D01BE ; ---------------------------------------------------------------------------
__text:003D01BE
__text:003D01BE loc_3D01BE ; CODE XREF: sub_3D0190+12j
__text:003D01BE BL.W def_DD114A ; jumptable 003CCBB6 default case
__text:003D01C2 ; ---------------------------------------------------------------------------
__text:003D01C2 NOP
__text:003D01C2 ; End of function sub_3D0190
__text:003D01C2
__text:003D01C4
__text:003D01C4 ; =============== S U B R O U T I N E =======================================
__text:003D01C4
__text:003D01C4 ; Attributes: bp-based frame
__text:003D01C4
__text:003D01C4 sub_3D01C4 ; CODE XREF: sub_3B9F00+54p
__text:003D01C4 ; sub_3B9F94+54p ...
__text:003D01C4 PUSH {R4,R5,R7,LR}
__text:003D01C6 ADD R7, SP, #8
__text:003D01C8 MOVW R5, #(:lower16:(byte_268833C - 0x3D01D6))
__text:003D01CC MOV R4, R0
__text:003D01CE MOVT.W R5, #(:upper16:(byte_268833C - 0x3D01D6))
__text:003D01D2 ADD R5, PC ; byte_268833C
__text:003D01D4 LDRB R0, [R5]
__text:003D01D6 CMP R0, #1
__text:003D01D8 BNE loc_3D01EA
__text:003D01DA MOV R0, #(off_2420804 - 0x3D01E6)
__text:003D01E2 ADD R0, PC ; off_2420804
__text:003D01E4 LDR R0, [R0] ; unk_2631AB0
__text:003D01E6 LDR R1, [R0]
__text:003D01E8 B loc_3D020A
__text:003D01EA ; ---------------------------------------------------------------------------
__text:003D01EA
__text:003D01EA loc_3D01EA ; CODE XREF: sub_3D01C4+14j
__text:003D01EA MOV R0, #0x80001334
__text:003D01F2 BL.W sub_E09F44
__text:003D01F6 MOV R1, R0
__text:003D01F8 MOV R0, #(off_2420804 - 0x3D0204)
__text:003D0200 ADD R0, PC ; off_2420804
__text:003D0202 LDR R0, [R0] ; unk_2631AB0
__text:003D0204 STR R1, [R0]
__text:003D0206 MOVS R0, #1
__text:003D0208 STRB R0, [R5]
__text:003D020A
__text:003D020A loc_3D020A ; CODE XREF: sub_3D01C4+24j
__text:003D020A MOV R0, R4
__text:003D020C POP.W {R4,R5,R7,LR}
__text:003D0210 B.W sub_8E5008
__text:003D0210 ; End of function sub_3D01C4
__text:003D0210
__text:003D0214
__text:003D0214 ; =============== S U B R O U T I N E =======================================
__text:003D0214
__text:003D0214
__text:003D0214 sub_3D0214 ; DATA XREF: __const:024C77A0o
__text:003D0214 LDR R0, [R0,#8]
__text:003D0216 BX LR
__text:003D0216 ; End of function sub_3D0214
__text:003D0216
__text:003D0218
__text:003D0218 ; =============== S U B R O U T I N E =======================================
__text:003D0218
__text:003D0218
__text:003D0218 sub_3D0218 ; DATA XREF: __const:024C77A4o
__text:003D0218 STR R1, [R0,#8]
__text:003D021A BX LR
__text:003D021A ; End of function sub_3D0218
__text:003D021A
__text:003D021C
__text:003D021C ; =============== S U B R O U T I N E =======================================
__text:003D021C
__text:003D021C
__text:003D021C sub_3D021C ; DATA XREF: __const:024C77A8o
__text:003D021C PUSH {R7,LR}
__text:003D021E MOV R7, SP
__text:003D0220 SUB SP, SP, #8
__text:003D0222 MOV R2, R0
__text:003D0224 MOV R0, SP
__text:003D0226 MOVS R1, #0x16
__text:003D0228 BL.W sub_E09F5C
__text:003D022C LDMFD.W SP, {R0,R1}
__text:003D0230 LDR R2, [R1]
__text:003D0232 BLX R2
__text:003D0234 VMOV D16, R0, R0
__text:003D0238 VCVT.F32.S32 D0, D16
__text:003D023C VMOV R0, S0
__text:003D0240 ADD SP, SP, #8
__text:003D0242 POP {R7,PC}
__text:003D0242 ; End of function sub_3D021C
__text:003D0242
__text:003D0244
__text:003D0244 ; =============== S U B R O U T I N E =======================================
__text:003D0244
__text:003D0244 ; Attributes: bp-based frame
__text:003D0244
__text:003D0244 sub_3D0244 ; DATA XREF: __const:024C77ACo
__text:003D0244 PUSH {R4,R7,LR}
__text:003D0246 ADD R7, SP, #4
__text:003D0248 SUB SP, SP, #8
__text:003D024A MOV R4, R1
__text:003D024C MOV R2, R0
__text:003D024E MOV R0, SP
__text:003D0250 MOVS R1, #0x17
__text:003D0252 BL.W sub_E09F5C
__text:003D0256 VMOV D16, R4, R4
__text:003D025A LDMFD.W SP, {R0,R2}
__text:003D025E VCVT.S32.F32 D0, D16
__text:003D0262 LDR R3, [R2]
__text:003D0264 VMOV R1, S0
__text:003D0268 BLX R3
__text:003D026A ADD SP, SP, #8
__text:003D026C POP {R4,R7,PC}
__text:003D026C ; End of function sub_3D0244

LLDB Health float 32b

Spoiler

Watchpoint 1 hit:
old value: 1134626297
new value: 1133971717
Process 766 stopped
* thread #1: tid = 0x1898, 0x003d0902 acier`___lldb_unnamed_function18218$$acier + 2, queue = 'com.apple.main-thread', stop reason = watchpoint 1
frame #0: 0x003d0902 acier`___lldb_unnamed_function18218$$acier + 2
acier`___lldb_unnamed_function18218$$acier:
-> 0x3d0902 <+2>: bx lr

acier`___lldb_unnamed_function18219$$acier:
0x3d0904 <+0>: push {r7, lr}
0x3d0906 <+2>: mov r7, sp
0x3d0908 <+4>: sub sp, #0x8
(lldb) dis -c 20
acier`___lldb_unnamed_function18218$$acier:
0x3d0900 <+0>: str r1, [r0, #0x8]
-> 0x3d0902 <+2>: bx lr

acier`___lldb_unnamed_function18219$$acier:
0x3d0904 <+0>: push {r7, lr}
0x3d0906 <+2>: mov r7, sp
0x3d0908 <+4>: sub sp, #0x8
0x3d090a <+6>: mov r2, r0
0x3d090c <+8>: mov r0, sp
0x3d090e <+10>: movs r1, #0x18
0x3d0910 <+12>: bl 0xe09f5c ; ___lldb_unnamed_function81925$$acier
0x3d0914 <+16>: ldm.w sp, {r0, r1}
0x3d0918 <+20>: ldr r2, [r1]
0x3d091a <+22>: blx r2
0x3d091c <+24>: add sp, #0x8
0x3d091e <+26>: pop {r7, pc}

acier`___lldb_unnamed_function18220$$acier:
0x3d0920 <+0>: push {r4, r7, lr}
0x3d0922 <+2>: add r7, sp, #0x4
0x3d0924 <+4>: sub sp, #0x8
0x3d0926 <+6>: mov r4, r1
0x3d0928 <+8>: mov r2, r0
0x3d092a <+10>: mov r0, sp

IDA view-A Health

Spoiler

---------------------------------------------------------------------------
__text:003D0852 ALIGN 4
__text:003D0854
__text:003D0854 ; =============== S U B R O U T I N E =======================================
__text:003D0854
__text:003D0854 ; Attributes: bp-based frame
__text:003D0854
__text:003D0854 sub_3D0854 ; DATA XREF: __const:024C77E8o
__text:003D0854
__text:003D0854 var_18 = -0x18
__text:003D0854 var_14 = -0x14
__text:003D0854 var_10 = -0x10
__text:003D0854
__text:003D0854 PUSH {R4-R7,LR}
__text:003D0856 ADD R7, SP, #0xC
__text:003D0858 SUB SP, SP, #0xC
__text:003D085A MOVW R6, #(:lower16:(byte_2688346 - 0x3D086A))
__text:003D085E MOV R4, R0
__text:003D0860 MOVT.W R6, #(:upper16:(byte_2688346 - 0x3D086A))
__text:003D0864 MOV R5, R2
__text:003D0866 ADD R6, PC ; byte_2688346
__text:003D0868 LDRB R0, [R6]
__text:003D086A CBNZ R0, loc_3D08A0
__text:003D086C MOV R0, #0x80001338
__text:003D0874 BL.W sub_E09F44
__text:003D0878 MOV R1, #(off_242091C - 0x3D0884)
__text:003D0880 ADD R1, PC ; off_242091C
__text:003D0882 LDR R1, [R1] ; unk_2631AC0
__text:003D0884 STR R0, [R1]
__text:003D0886 MOVW R0, #0x2EA9
__text:003D088A BL.W sub_E09F40
__text:003D088E MOV R1, #(off_2420954 - 0x3D089A)
__text:003D0896 ADD R1, PC ; off_2420954
__text:003D0898 LDR R1, [R1] ; unk_2640DA8
__text:003D089A STR R0, [R1]
__text:003D089C MOVS R0, #1
__text:003D089E STRB R0, [R6]
__text:003D08A0
__text:003D08A0 loc_3D08A0 ; CODE XREF: sub_3D0854+16j
__text:003D08A0 MOV R0, R4
__text:003D08A2 MOV R2, R5
__text:003D08A4 BL sub_3D04D0
__text:003D08A8 ADD R0, SP, #0x18+var_14
__text:003D08AA MOVS R1, #0x29
__text:003D08AC MOV R2, R4
__text:003D08AE BL.W sub_E09F5C
__text:003D08B2 LDR R1, [SP,#0x18+var_10]
__text:003D08B4 LDR R0, [SP,#0x18+var_14]
__text:003D08B6 LDR R2, [R1]
__text:003D08B8 BLX R2
__text:003D08BA MOV R3, R0
__text:003D08BC MOV R0, #(off_2420954 - 0x3D08CC)
__text:003D08C4 MOVW R1, #(:lower16:(off_242091C - 0x3D08D2))
__text:003D08C8 ADD R0, PC ; off_2420954
__text:003D08CA MOVT.W R1, #(:upper16:(off_242091C - 0x3D08D2))
__text:003D08CE ADD R1, PC ; off_242091C
__text:003D08D0 LDR R0, [R0] ; unk_2640DA8
__text:003D08D2 LDR R2, [R1] ; unk_2631AC0
__text:003D08D4 LDR R1, [R0]
__text:003D08D6 LDR R0, [R2]
__text:003D08D8 MOV R2, R5
__text:003D08DA STR R0, [SP,#0x18+var_18]
__text:003D08DC MOVS R0, #0
__text:003D08DE BL.W sub_10F2C08
__text:003D08E2 MOV R5, R0
__text:003D08E4 ADD R0, SP, #0x18+var_14
__text:003D08E6 MOVS R1, #0x2A
__text:003D08E8 MOV R2, R4
__text:003D08EA BL.W sub_E09F5C
__text:003D08EE LDR R2, [SP,#0x18+var_10]
__text:003D08F0 MOV R1, R5
__text:003D08F2 LDR R0, [SP,#0x18+var_14]
__text:003D08F4 LDR R3, [R2]
__text:003D08F6 BLX R3
__text:003D08F8 ADD SP, SP, #0xC
__text:003D08FA POP {R4-R7,PC}
__text:003D08FA ; End of function sub_3D0854
__text:003D08FA
__text:003D08FC
__text:003D08FC ; =============== S U B R O U T I N E =======================================
__text:003D08FC
__text:003D08FC
__text:003D08FC sub_3D08FC ; DATA XREF: __const:024C77F0o
__text:003D08FC LDR R0, [R0,#8]
__text:003D08FE BX LR
__text:003D08FE ; End of function sub_3D08FC
__text:003D08FE
__text:003D0900
__text:003D0900 ; =============== S U B R O U T I N E =======================================
__text:003D0900
__text:003D0900
__text:003D0900 sub_3D0900 ; DATA XREF: __const:024C77F4o
__text:003D0900 STR R1, [R0,#8]
__text:003D0902 BX LR
__text:003D0902 ; End of function sub_3D0900
__text:003D0902
__text:003D0904
__text:003D0904 ; =============== S U B R O U T I N E =======================================
__text:003D0904
__text:003D0904
__text:003D0904 sub_3D0904 ; DATA XREF: __const:024C77F8o
__text:003D0904 PUSH {R7,LR}
__text:003D0906 MOV R7, SP
__text:003D0908 SUB SP, SP, #8
__text:003D090A MOV R2, R0
__text:003D090C MOV R0, SP
__text:003D090E MOVS R1, #0x18
__text:003D0910 BL.W sub_E09F5C
__text:003D0914 LDMFD.W SP, {R0,R1}
__text:003D0918 LDR R2, [R1]
__text:003D091A BLX R2
__text:003D091C ADD SP, SP, #8
__text:003D091E POP {R7,PC}
__text:003D091E ; End of function sub_3D0904
__text:003D091E
__text:003D0920
__text:003D0920 ; =============== S U B R O U T I N E =======================================
__text:003D0920
__text:003D0920 ; Attributes: bp-based frame
__text:003D0920
__text:003D0920 sub_3D0920 ; DATA XREF: __const:024C77FCo
__text:003D0920 PUSH {R4,R7,LR}
__text:003D0922 ADD R7, SP, #4
__text:003D0924 SUB SP, SP, #8
__text:003D0926 MOV R4, R1
__text:003D0928 MOV R2, R0
__text:003D092A MOV R0, SP
__text:003D092C MOVS R1, #0x19
__text:003D092E BL.W sub_E09F5C
__text:003D0932 LDMFD.W SP, {R0,R2}
__text:003D0936 MOV R1, R4
__text:003D0938 LDR R3, [R2]
__text:003D093A BLX R3
__text:003D093C ADD SP, SP, #8
__text:003D093E POP {R4,R7,PC}
__text:003D093E ; End of function sub_3D0920
__text:003D093E
__text:003D0940

i also printed a list of all register out of curiosity.. and to try to understand... (edit: this list is wrong i didnt print at the time of the watchpoint)

Spoiler

(lldb) re r -a
General Purpose Registers:
r0 = 0x00000000
r1 = 0x07000806
r2 = 0x00000000
r3 = 0x00000c00
r4 = 0x00002003
r5 = 0xffffffff
r6 = 0x00000000
r7 = 0x029eece4
r8 = 0x00000c00
r9 = 0x5944b670
r10 = 0x07000806
r11 = 0x07000806
r12 = 0xffffffe1
sp = 0x029eeca8
lr = 0x21dc76a9 libsystem_kernel.dylib`mach_msg + 41
pc = 0x21dc78a8 libsystem_kernel.dylib`mach_msg_trap + 20
cpsr = 0x60070010

Floating Point Registers:
s0 = 3.46061e+15
s1 = 0
s2 = 0
s3 = 0
s4 = 1.22094e-40
s5 = 785.067
s6 = 785.067
s7 = 785.067
s8 = 0
s9 = 2.36936e-38
s10 = 0
s11 = 6.61744e-24
s12 = 0
s13 = 0
s14 = 0
s15 = -0.03125
s16 = 0
s17 = 0
s18 = 0
s19 = 0
s20 = -7.44274e+29
s21 = 23.8696
s22 = 0
s23 = 0
s24 = 0
s25 = 0
s26 = 0
s27 = 0
s28 = 0
s29 = 0
s30 = 0
s31 = 0
d0 = 7.39949952398037e-315
d1 = 0
d2 = 7.47707876345793e+20
d3 = 7.4770802645436e+20
d4 = 7.74681714577867e-304
d5 = 2.87284834993229e-188
d6 = 0
d7 = -7.105427357601e-15
d8 = 0
d9 = 0
d10 = 519368177.087129
d11 = 0
d12 = 0
d13 = 0
d14 = 0
d15 = 0
d16 = 519368177.087129
d17 = 8.61815347970907e-145
d18 = 519368177
d19 = 0
d20 = 1497675377
d21 = 4.86736243987645e-302
d22 = -978307200
d23 = nan
d24 = 2.12199579145934e-314
d25 = 2.12199579145934e-314
d26 = 0
d27 = 0
d28 = 0
d29 = 4.94065645841247e-324
d30 = 414
d31 = 0.00781250175011994
q0 = {0x71 0xb6 0x44 0x59 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
q1 = {0x59 0x54 0x01 0x00 0x44 0x44 0x44 0x44 0x44 0x44 0x44 0x44 0x44 0x44 0x44 0x44}
q2 = {0x00 0x00 0x00 0x00 0x00 0x00 0x01 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x19}
q3 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbd}
q4 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
q5 = {0x16 0x4e 0x16 0xf1 0xed 0xf4 0xbe 0x41 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
q6 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
q7 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
q8 = {0x16 0x4e 0x16 0xf1 0xed 0xf4 0xbe 0x41 0x51 0x5d 0x05 0x22 0xe1 0x85 0x05 0x22}
q9 = {0x00 0x00 0x00 0xf1 0xed 0xf4 0xbe 0x41 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
q10 = {0x00 0x00 0x40 0x9c 0x2d 0x51 0xd6 0x41 0xd5 0xaf 0x60 0x01 0x79 0xb0 0x60 0x01}
q11 = {0x00 0x00 0x00 0x40 0xe4 0x27 0xcd 0xc1 0xe8 0xff 0xff 0xff 0xe8 0xff 0xff 0xff}
q12 = {0x01 0x00 0x00 0x00 0x01 0x00 0x00 0x00 0x01 0x00 0x00 0x00 0x01 0x00 0x00 0x00}
q13 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
q14 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
q15 = {0x00 0x00 0x00 0x00 0x00 0xe0 0x79 0x40 0xc0 0x37 0x22 0x3c 0x00 0x00 0x80 0x3f}
fpscr = 0x6800009f
exception = 0x5944b671
fsr = 0x00000000
far = 0x00000000

thank you for the help

Anonymonk · June 18, 2017

in case someone want to help me but there is not the neccesary information to do so, i uploaded the processed binary by ida here,

https://www.dropbox.com/s/rxq43n9tw4p3usg/acier.idb?dl=1 to see crossreference.. or subroutine...

, just in case ^^

Anonymonk · June 18, 2017

i just understood that i have to print register value when the watchpoint is hit...

i actually tried to backtrace out of a breakpoint ... but "br s -a 0xhpoffset" was hitting nothing... i have to read more about breakpoint

s0 and s1 is my hp... but nowhere to be seen in ida

s2 and s3 is max hp

backtrace + registers 1st hit

Spoiler

Watchpoint 1 hit:
old value: 1143390208
new value: 1143390208
Process 765 stopped
* thread #1: tid = 0x16d7, 0x003d0902 acier`___lldb_unnamed_function18218$$acier + 2, queue = 'com.apple.main-thread', stop reason = watchpoint 1
frame #0: 0x003d0902 acier`___lldb_unnamed_function18218$$acier + 2
acier`___lldb_unnamed_function18218$$acier:
-> 0x3d0902 <+2>: bx lr

acier`___lldb_unnamed_function18219$$acier:
0x3d0904 <+0>: push {r7, lr}
0x3d0906 <+2>: mov r7, sp
0x3d0908 <+4>: sub sp, #0x8
(lldb) bt
* thread #1: tid = 0x16d7, 0x003d0902 acier`___lldb_unnamed_function18218$$acier + 2, queue = 'com.apple.main-thread', stop reason = watchpoint 1
* frame #0: 0x003d0902 acier`___lldb_unnamed_function18218$$acier + 2
frame #1: 0x003d0b96 acier`___lldb_unnamed_function18225$$acier + 106
frame #2: 0x008ee474 acier`___lldb_unnamed_function49193$$acier + 604
frame #3: 0x008ed242 acier`___lldb_unnamed_function49169$$acier + 218
frame #4: 0x003cf1c8 acier`___lldb_unnamed_function18178$$acier + 156
frame #5: 0x0033388a acier`___lldb_unnamed_function14845$$acier + 34
frame #6: 0x0031abca acier`___lldb_unnamed_function14136$$acier + 2334
frame #7: 0x0031a200 acier`___lldb_unnamed_function14133$$acier + 972
frame #8: 0x0031045c acier`___lldb_unnamed_function13950$$acier + 120
frame #9: 0x0030fb5a acier`___lldb_unnamed_function13943$$acier + 434
frame #10: 0x0031de58 acier`___lldb_unnamed_function14224$$acier + 148
frame #11: 0x006fe5fa acier`___lldb_unnamed_function37651$$acier + 330
frame #12: 0x006fe1ba acier`___lldb_unnamed_function37648$$acier + 466
frame #13: 0x006fdce6 acier`___lldb_unnamed_function37641$$acier + 1102
frame #14: 0x006ff03a acier`___lldb_unnamed_function37661$$acier + 1006
frame #15: 0x0057f474 acier`___lldb_unnamed_function28327$$acier + 676
frame #16: 0x014111ca acier`___lldb_unnamed_function127447$$acier + 14
frame #17: 0x01e02880 acier`___lldb_unnamed_function179675$$acier + 116
frame #18: 0x01611fae acier`___lldb_unnamed_function143090$$acier + 54
frame #19: 0x0160d180 acier`___lldb_unnamed_function142961$$acier + 312
frame #20: 0x01491bd8 acier`___lldb_unnamed_function134543$$acier + 96
frame #21: 0x017cff3c acier`___lldb_unnamed_function154835$$acier + 284
frame #22: 0x017cf122 acier`___lldb_unnamed_function154825$$acier + 930
frame #23: 0x014f6462 acier`___lldb_unnamed_function136604$$acier + 146
frame #24: 0x015cadde acier`___lldb_unnamed_function141522$$acier + 1426
frame #25: 0x018e6e22 acier`___lldb_unnamed_function164313$$acier + 14
frame #26: 0x00011b10 acier`___lldb_unnamed_function122$$acier + 416
frame #27: 0x000118e8 acier`___lldb_unnamed_function118$$acier + 40
frame #28: 0x2098bcbe libdispatch.dylib`<redacted> + 10
frame #29: 0x2098bcaa libdispatch.dylib`<redacted> + 22
frame #30: 0x20990558 libdispatch.dylib`_dispatch_main_queue_callback_4CF + 1532
frame #31: 0x20dbb754 CoreFoundation`<redacted> + 8
frame #32: 0x20db9c4e CoreFoundation`<redacted> + 1590
frame #33: 0x20d081c8 CoreFoundation`CFRunLoopRunSpecific + 516
frame #34: 0x20d07fbc CoreFoundation`CFRunLoopRunInMode + 108
frame #35: 0x22324af8 GraphicsServices`GSEventRunModal + 160
frame #36: 0x25441434 UIKit`UIApplicationMain + 144
frame #37: 0x00009caa acier`___lldb_unnamed_function1$$acier + 202
frame #38: 0x209b4872 libdyld.dylib`<redacted> + 2
(lldb) re r -a
General Purpose Registers:
r0 = 0x0e1a5c00
r1 = 0x441f7ad7
r2 = 0x037d1e60
r3 = 0x003d0901 acier`___lldb_unnamed_function18218$$acier + 1
r4 = 0x0e1a5c00
r5 = 0x441f7ad7
r6 = 0x0268834b
r7 = 0x029edd48
r8 = 0x1c47f390
r9 = 0x00000000
r10 = 0x0f10cd60
r11 = 0x0262aa9c
r12 = 0x02438e94 (void *)0x20b43ad9: _Unwind_SjLj_Unregister + 1
sp = 0x029edd34
lr = 0x003d0b97 acier`___lldb_unnamed_function18225$$acier + 107
pc = 0x003d0902 acier`___lldb_unnamed_function18218$$acier + 2
cpsr = 0x80070030

Floating Point Registers:
s0 = 637.919 new hp
s1 = 637.919 new hp
s2 = 667 old hp
s3 = 667 old hp
s4 = inf
s5 = nan
s6 = -inf
s7 = -inf
s8 = -1.16415e-10
s9 = -1.16415e-10
s10 = -0.774709
s11 = 0
s12 = 0
s13 = nan
s14 = 1
s15 = 1
s16 = -28.0807
s17 = -28.0807
s18 = 0
s19 = 0
s20 = 59.2235
s21 = 59.2235
s22 = 87.3042
s23 = 0
s24 = 1
s25 = 1
s26 = 28.0807
s27 = 28.0807
s28 = 0.900639
s29 = 0.900639
s30 = 0
s31 = 0
d0 = 1.45175171194903e+20
d1 = 2.09831751305056e+20
d2 = 2.24711748590092e+307
d3 = -1.40444909838096e+306
d4 = -2.63555120399034e-82
d5 = 1.58548487161733e-314
d6 = 2.24711641857789e+307
d7 = 0.00781250184809323
d8 = -2234082831.02016
d9 = 0
d10 = 992797135719.154
d11 = 5.52730700236523e-315
d12 = 0.00781250184809323
d13 = 2234081807.02016
d14 = 0.00275435717340326
d15 = 0
d16 = 2.07525908295306e+20
d17 = 2.12940969360287e-07
d18 = 0
d19 = 2.99221645827667e-163
d20 = 2.24711694706869e+307
d21 = 2.24711641857789e+307
d22 = 2.24711801976928e+307
d23 = 0.00781250566244258
d24 = 2.24711682039362e+307
d25 = 4.27200144697583e-315
d26 = 2.24711641857789e+307
d27 = 1.483739244464e-314
d28 = -0
d29 = 5.26354424712089e-315
d30 = 0
d31 = 0.0078125
q0 = {0xd7 0x7a 0x1f 0x44 0xd7 0x7a 0x1f 0x44 0x00 0xc0 0x26 0x44 0x00 0xc0 0x26 0x44}
q1 = {0x00 0x00 0x80 0x7f 0x00 0x00 0xc0 0x7f 0x00 0x00 0x80 0xff 0x00 0x00 0x80 0xff}
q2 = {0x00 0x00 0x00 0xaf 0x00 0x00 0x00 0xaf 0x52 0x53 0x46 0xbf 0x00 0x00 0x00 0x00}
q3 = {0x00 0x00 0x00 0x00 0x00 0x00 0xc0 0x7f 0x00 0x00 0x80 0x3f 0x00 0x00 0x80 0x3f}
q4 = {0x2c 0xa5 0xe0 0xc1 0x2c 0xa5 0xe0 0xc1 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
q5 = {0xea 0xe4 0x6c 0x42 0xea 0xe4 0x6c 0x42 0xc0 0x9b 0xae 0x42 0x00 0x00 0x00 0x00}
q6 = {0x00 0x00 0x80 0x3f 0x00 0x00 0x80 0x3f 0x2c 0xa5 0xe0 0x41 0x2c 0xa5 0xe0 0x41}
q7 = {0x4e 0x90 0x66 0x3f 0x4e 0x90 0x66 0x3f 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
q8 = {0x00 0x80 0x26 0x44 0x00 0x80 0x26 0x44 0xb5 0xa6 0x21 0x93 0x98 0x94 0x8c 0x3e}
q9 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x80 0x3f 0x23 0x3b 0x31 0x1e}
q10 = {0x99 0xdf 0x21 0x3f 0x00 0x00 0xc0 0x7f 0x00 0x00 0x00 0x00 0x00 0x00 0xc0 0x7f}
q11 = {0x52 0x53 0x46 0xbf 0x00 0x00 0xc0 0x7f 0x24 0x5f 0x8f 0xc2 0x00 0x00 0x80 0x3f}
q12 = {0x00 0x00 0x00 0x30 0x00 0x00 0xc0 0x7f 0xbf 0xb4 0x89 0x33 0x00 0x00 0x00 0x00}
q13 = {0x00 0x00 0x00 0x00 0x00 0x00 0xc0 0x7f 0x00 0x00 0x00 0xb3 0x00 0x00 0x00 0x00}
q14 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x80 0x00 0x00 0x80 0x3f 0x00 0x00 0x00 0x00}
q15 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x80 0x3f}
fpscr = 0x8800009f
exception = 0x441f7ad7
fsr = 0x441f7ad7
far = 0x4426c000

backtrace + registers 2nd hit

Spoiler

Watchpoint 1 hit:
old value: 1143390208
new value: 1143390208
Process 765 stopped
* thread #1: tid = 0x16d7, 0x003d0902 acier`___lldb_unnamed_function18218$$acier + 2, queue = 'com.apple.main-thread', stop reason = watchpoint 1
frame #0: 0x003d0902 acier`___lldb_unnamed_function18218$$acier + 2
acier`___lldb_unnamed_function18218$$acier:
-> 0x3d0902 <+2>: bx lr

acier`___lldb_unnamed_function18219$$acier:
0x3d0904 <+0>: push {r7, lr}
0x3d0906 <+2>: mov r7, sp
0x3d0908 <+4>: sub sp, #0x8
(lldb) bt
* thread #1: tid = 0x16d7, 0x003d0902 acier`___lldb_unnamed_function18218$$acier + 2, queue = 'com.apple.main-thread', stop reason = watchpoint 1
* frame #0: 0x003d0902 acier`___lldb_unnamed_function18218$$acier + 2
frame #1: 0x003d0b96 acier`___lldb_unnamed_function18225$$acier + 106
frame #2: 0x008ee474 acier`___lldb_unnamed_function49193$$acier + 604
frame #3: 0x008ed242 acier`___lldb_unnamed_function49169$$acier + 218
frame #4: 0x003cf1c8 acier`___lldb_unnamed_function18178$$acier + 156
frame #5: 0x0033388a acier`___lldb_unnamed_function14845$$acier + 34
frame #6: 0x0031abca acier`___lldb_unnamed_function14136$$acier + 2334
frame #7: 0x0031a200 acier`___lldb_unnamed_function14133$$acier + 972
frame #8: 0x0031045c acier`___lldb_unnamed_function13950$$acier + 120
frame #9: 0x0030fb5a acier`___lldb_unnamed_function13943$$acier + 434
frame #10: 0x0031de58 acier`___lldb_unnamed_function14224$$acier + 148
frame #11: 0x006fe5fa acier`___lldb_unnamed_function37651$$acier + 330
frame #12: 0x006fe1ba acier`___lldb_unnamed_function37648$$acier + 466
frame #13: 0x006fdce6 acier`___lldb_unnamed_function37641$$acier + 1102
frame #14: 0x006ff03a acier`___lldb_unnamed_function37661$$acier + 1006
frame #15: 0x0057f474 acier`___lldb_unnamed_function28327$$acier + 676
frame #16: 0x014111ca acier`___lldb_unnamed_function127447$$acier + 14
frame #17: 0x01e02880 acier`___lldb_unnamed_function179675$$acier + 116
frame #18: 0x01611fae acier`___lldb_unnamed_function143090$$acier + 54
frame #19: 0x0160d180 acier`___lldb_unnamed_function142961$$acier + 312
frame #20: 0x01491bd8 acier`___lldb_unnamed_function134543$$acier + 96
frame #21: 0x017cff3c acier`___lldb_unnamed_function154835$$acier + 284
frame #22: 0x017cf122 acier`___lldb_unnamed_function154825$$acier + 930
frame #23: 0x014f6462 acier`___lldb_unnamed_function136604$$acier + 146
frame #24: 0x015cadde acier`___lldb_unnamed_function141522$$acier + 1426
frame #25: 0x018e6e22 acier`___lldb_unnamed_function164313$$acier + 14
frame #26: 0x00011b10 acier`___lldb_unnamed_function122$$acier + 416
frame #27: 0x000118e8 acier`___lldb_unnamed_function118$$acier + 40
frame #28: 0x2098bcbe libdispatch.dylib`<redacted> + 10
frame #29: 0x2098bcaa libdispatch.dylib`<redacted> + 22
frame #30: 0x20990558 libdispatch.dylib`_dispatch_main_queue_callback_4CF + 1532
frame #31: 0x20dbb754 CoreFoundation`<redacted> + 8
frame #32: 0x20db9c4e CoreFoundation`<redacted> + 1590
frame #33: 0x20d081c8 CoreFoundation`CFRunLoopRunSpecific + 516
frame #34: 0x20d07fbc CoreFoundation`CFRunLoopRunInMode + 108
frame #35: 0x22324af8 GraphicsServices`GSEventRunModal + 160
frame #36: 0x25441434 UIKit`UIApplicationMain + 144
frame #37: 0x00009caa acier`___lldb_unnamed_function1$$acier + 202
frame #38: 0x209b4872 libdyld.dylib`<redacted> + 2
(lldb) re r -a
General Purpose Registers:
r0 = 0x0e1a5c00
r1 = 0x441875ae
r2 = 0x037d1e60
r3 = 0x003d0901 acier`___lldb_unnamed_function18218$$acier + 1
r4 = 0x0e1a5c00
r5 = 0x441875ae
r6 = 0x0268834b
r7 = 0x029edd38
r8 = 0x1c47f390
r9 = 0x00000000
r10 = 0x0f10cd60
r11 = 0x0262aa9c
r12 = 0x02438e94 (void *)0x20b43ad9: _Unwind_SjLj_Unregister + 1
sp = 0x029edd24
lr = 0x003d0b97 acier`___lldb_unnamed_function18225$$acier + 107
pc = 0x003d0902 acier`___lldb_unnamed_function18218$$acier + 2
cpsr = 0x80070030

Floating Point Registers:
s0 = 609.839
s1 = 609.839
s2 = 667
s3 = 667
s4 = inf
s5 = nan
s6 = -inf
s7 = -inf
s8 = -4.65661e-10
s9 = -4.65661e-10
s10 = -0.166427
s11 = 0
s12 = 0
s13 = nan
s14 = 1
s15 = 1
s16 = -28.0807
s17 = -28.0807
s18 = 0
s19 = 0
s20 = 59.2235
s21 = 59.2235
s22 = 87.3042
s23 = 0
s24 = 1
s25 = 1
s26 = 28.0807
s27 = 28.0807
s28 = 0.900639
s29 = 0.900639
s30 = 0
s31 = 0
d0 = 1.12800411947315e+20
d1 = 2.09831751305056e+20
d2 = 2.24711748590092e+307
d3 = -1.40444909838096e+306
d4 = -1.72723484348156e-77
d5 = 1.57629229609212e-314
d6 = 2.24711641857789e+307
d7 = 0.00781250184809323
d8 = -2234082831.02016
d9 = 0
d10 = 992797135719.154
d11 = 5.52730700236523e-315
d12 = 0.00781250184809323
d13 = 2234081807.02016
d14 = 0.00275435717340326
d15 = 0
d16 = 1.45175171194903e+20
d17 = 2.21118300198688e-07
d18 = 0
d19 = 2.99221645827667e-163
d20 = 2.24711695002987e+307
d21 = 2.24711641857789e+307
d22 = 2.24711801048564e+307
d23 = 0.0078125056521437
d24 = 2.24711680051212e+307
d25 = 1.44335622121974e-314
d26 = 2.24711641857789e+307
d27 = 4.28958133525206e-315
d28 = -0
d29 = 5.26354424712089e-315
d30 = 0
d31 = 0.0078125
q0 = {0xae 0x75 0x18 0x44 0xae 0x75 0x18 0x44 0x00 0xc0 0x26 0x44 0x00 0xc0 0x26 0x44}
q1 = {0x00 0x00 0x80 0x7f 0x00 0x00 0xc0 0x7f 0x00 0x00 0x80 0xff 0x00 0x00 0x80 0xff}
q2 = {0x00 0x00 0x00 0xb0 0x00 0x00 0x00 0xb0 0xb6 0x6b 0x2a 0xbe 0x00 0x00 0x00 0x00}
q3 = {0x00 0x00 0x00 0x00 0x00 0x00 0xc0 0x7f 0x00 0x00 0x80 0x3f 0x00 0x00 0x80 0x3f}
q4 = {0x2c 0xa5 0xe0 0xc1 0x2c 0xa5 0xe0 0xc1 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
q5 = {0xea 0xe4 0x6c 0x42 0xea 0xe4 0x6c 0x42 0xc0 0x9b 0xae 0x42 0x00 0x00 0x00 0x00}
q6 = {0x00 0x00 0x80 0x3f 0x00 0x00 0x80 0x3f 0x2c 0xa5 0xe0 0x41 0x2c 0xa5 0xe0 0x41}
q7 = {0x4e 0x90 0x66 0x3f 0x4e 0x90 0x66 0x3f 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
q8 = {0xd7 0x7a 0x1f 0x44 0xd7 0x7a 0x1f 0x44 0x00 0x97 0x30 0x23 0x91 0xad 0x8d 0x3e}
q9 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x80 0x3f 0x23 0x3b 0x31 0x1e}
q10 = {0x07 0x6e 0x7c 0x3f 0x00 0x00 0xc0 0x7f 0x00 0x00 0x00 0x00 0x00 0x00 0xc0 0x7f}
q11 = {0xb6 0x6b 0x2a 0xbe 0x00 0x00 0xc0 0x7f 0x24 0xc8 0x34 0xc2 0x00 0x00 0x80 0x3f}
q12 = {0x00 0x00 0xa0 0x2d 0x00 0x00 0xc0 0x7f 0x2b 0xce 0x20 0xae 0x00 0x00 0x00 0x00}
q13 = {0x00 0x00 0x00 0x00 0x00 0x00 0xc0 0x7f 0x00 0x00 0xc0 0x33 0x00 0x00 0x00 0x00}
q14 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x80 0x00 0x00 0x80 0x3f 0x00 0x00 0x00 0x00}
q15 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x80 0x3f}
fpscr = 0x8800009f
exception = 0x441875ae
fsr = 0x441875ae
far = 0x4426c000