Help/Support Gotten an IDA offset from lldb not sure what to do next.

NoHax · July 5, 2017

So I'm trying to hack a game's currency and I've done all that lldb stuff and it gave me this

0x100354f78 <+264>: ldr w8, [x20, #0x8]

Would I jump to address 0x100354f78 and change ldr w8, [x20, #0x8] to ldr w8, r7.

r7 is usually a big value, right?

And that means w8 is money?

Updated July 5, 2017 by NoHax

Bossx2 · July 5, 2017

Search for tutorials in iosgods they explain what to do next

Ted2 · July 5, 2017

The offset you get from lldb, is probs right. But it's not always the exact thing lldb says, for you the ldr. If u could post a code/screenshot of the entire function, others (maybe me) can help more.

Also r7 is in armv7 a big value, but it seems like you're hacking arm64, so that will be diffrent.

have a look at this post:

Updated July 5, 2017 by Ted2

NoHax · July 5, 2017

9 minutes ago, Ted2 said:

The offset you get from lldb, is probs right. But it's not always the exact thing lldb says, for you the ldr. If u could post a code/screenshot of the entire function, others (maybe me) can help more.

Also r7 is in armv7 a big value, but it seems like you're hacking arm64, so that will be diffrent.

have a look at this post:

Here's the whole function

ADD X0, SP, #0x160+var_128

MOV X1, X22

BL __ZNSsC1ERKSs ; std::string::string(std::string const&)

ADD X1, SP, #0x160+var_128

MOV X0, X21

MOV X2, X21

BL __ZN3Rtt15ShaderComposite14SetNamedShaderESsPNS_6ShaderE ; Rtt::ShaderComposite::SetNamedShader(std::string,Rtt::Shader *)

LDR X8, [SP,#0x160+var_128]

SUB X0, X8, #0x18

ADRP X20, #__ZNSs4_Rep20_S_empty_rep_storageE_ptr@PAGE

LDR X20, [X20,#__ZNSs4_Rep20_S_empty_rep_storageE_ptr@PAGEOFF]

CMP X0, X20

B.NE loc_1003550FC

Also just incase heres what lldb gave me

-> 0x100354f78 <+264>: ldr w8, [x20, #0x8]

0x100354f7c <+268>: str w8, [x25, #0x8]

0x100354f80 <+272>: strb wzr, [x24, #0xa]

0x100354f84 <+276>: ldr w8, [x20, #0x8]

Updated July 5, 2017 by NoHax

Ted2 · July 5, 2017

2 minutes ago, NoHax said:

Here's the whole function

Hide contents

ADD X0, SP, #0x160+var_128

MOV X1, X22

BL __ZNSsC1ERKSs ; std::string::string(std::string const&)

ADD X1, SP, #0x160+var_128

MOV X0, X21

MOV X2, X21

BL __ZN3Rtt15ShaderComposite14SetNamedShaderESsPNS_6ShaderE ; Rtt::ShaderComposite::SetNamedShader(std::string,Rtt::Shader *)

LDR X8, [SP,#0x160+var_128]

SUB X0, X8, #0x18

ADRP X20, #__ZNSs4_Rep20_S_empty_rep_storageE_ptr@PAGE

LDR X20, [X20,#__ZNSs4_Rep20_S_empty_rep_storageE_ptr@PAGEOFF]

CMP X0, X20

B.NE loc_1003550FC

[/spoiler]

Also just incase here's what lldb gave me

Reveal hidden contents

-> 0x100354f78 <+264>: ldr w8, [x20, #0x8]

0x100354f7c <+268>: str w8, [x25, #0x8]

0x100354f80 <+272>: strb wzr, [x24, #0xa]

0x100354f84 <+276>: ldr w8, [x20, #0x8]

Thank's for helping!

I'm not sure, u could try chane the SUB to an ADD, when u'll buy something the coins won't substract but they'll add it.

btw for arm64 u gotta remove aslr loaded offset. Now U got the wrong function in IDA.

how you do that is by type 'image list' in lldb & then the above line. There's also a tutorial madr about how to do that, something called like 'how to defeat aslr.....'

Updated July 5, 2017 by Ted2

NoHax · July 5, 2017

20 minutes ago, Ted2 said:

I'm not sure, u could try chane the SUB to an ADD, when u'll buy something the coins won't substract but they'll add it.

btw for arm64 u gotta remove aslr loaded offset. Now U got the wrong function in IDA.

how you do that is by type 'image list' in lldb & then the above line. There's also a tutorial madr about how to do that, something called like 'how to defeat aslr.....'

Wait, so my offset from lldb was 0x100354f78, I just checked my alsr and its d8000, so I would do 0x100354f78-d8000 to find my offset?

Or do I have to do that watchpoint thing again and then take away my alsr value from the new offset I get?

Updated July 5, 2017 by NoHax

Ted2 · July 5, 2017

38 minutes ago, NoHax said:

Wait, so my offset from lldb was 0x100354f78, I just checked my alsr and its d8000, so I would do 0x100354f78-d8000 to find my offset?

Or do I have to do that watchpoint thing again and then take away my alsr value from the new offset I get?

Take the aslr from the lldb offset. See if that matches in IDA.

vinhthai222006 · July 7, 2017

On 7/6/2017 at 1:32 AM, Ted2 said:

The offset you get from lldb, is probs right. But it's not always the exact thing lldb says, for you the ldr. If u could post a code/screenshot of the entire function, others (maybe me) can help more.

Also r7 is in armv7 a big value, but it seems like you're hacking arm64, so that will be diffrent.

have a look at this post:

you don't reply inbox me ???