Help/Support Gotten an IDA offset from lldb not sure what to do next.

[NoHax 3k iPhone 6s 11.2.2]

So I'm trying to hack a game's currency and I've done all that lldb stuff and it gave me this

0x100354f78 <+264>: ldr    w8, [x20, #0x8]

Would I jump to address 0x100354f78 and change ldr    w8, [x20, #0x8] to ldr    w8, r7.

r7 is usually a big value, right?

And that means w8 is money?

Updated July 5, 2017 by NoHax

[Bossx2 4.9k iPhone 6s Plus 10.2]

Search for tutorials in iosgods they explain what to do next 

[Ted2 39.2k iPhone 13 Pro 16.0 Donor]

The offset you get from lldb, is probs right. But it's not always the exact thing lldb says, for you the ldr. If u could post a code/screenshot of the entire function, others (maybe me) can help more. 

 

Also r7 is in armv7 a big value, but it seems like you're hacking arm64, so that will be diffrent.

 

have a look at this post:

 

Updated July 5, 2017 by Ted2

[NoHax 3k iPhone 6s 11.2.2]

9 minutes ago, Ted2 said:

The offset you get from lldb, is probs right. But it's not always the exact thing lldb says, for you the ldr. If u could post a code/screenshot of the entire function, others (maybe me) can help more. 

 

Also r7 is in armv7 a big value, but it seems like you're hacking arm64, so that will be diffrent.

 

have a look at this post:

 

Here's the whole function

ADD             X0, SP, #0x160+var_128

MOV             X1, X22

BL              __ZNSsC1ERKSs ; std::string::string(std::string const&)

ADD             X1, SP, #0x160+var_128

MOV             X0, X21

MOV             X2, X21

BL              __ZN3Rtt15ShaderComposite14SetNamedShaderESsPNS_6ShaderE ; Rtt::ShaderComposite::SetNamedShader(std::string,Rtt::Shader *)

LDR             X8, [SP,#0x160+var_128]

SUB             X0, X8, #0x18

ADRP            X20, #__ZNSs4_Rep20_S_empty_rep_storageE_ptr@PAGE

LDR             X20, [X20,#__ZNSs4_Rep20_S_empty_rep_storageE_ptr@PAGEOFF]

CMP             X0, X20

B.NE            loc_1003550FC

Also just incase heres what lldb gave me

->  0x100354f78 <+264>: ldr    w8, [x20, #0x8]

    0x100354f7c <+268>: str    w8, [x25, #0x8]

    0x100354f80 <+272>: strb   wzr, [x24, #0xa]

    0x100354f84 <+276>: ldr    w8, [x20, #0x8]

 

Updated July 5, 2017 by NoHax

[Ted2 39.2k iPhone 13 Pro 16.0 Donor]

2 minutes ago, NoHax said:

Here's the whole function

  Hide contents

ADD             X0, SP, #0x160+var_128

MOV             X1, X22

BL              __ZNSsC1ERKSs ; std::string::string(std::string const&)

ADD             X1, SP, #0x160+var_128

MOV             X0, X21

MOV             X2, X21

BL              __ZN3Rtt15ShaderComposite14SetNamedShaderESsPNS_6ShaderE ; Rtt::ShaderComposite::SetNamedShader(std::string,Rtt::Shader *)

LDR             X8, [SP,#0x160+var_128]

SUB             X0, X8, #0x18

ADRP            X20, #__ZNSs4_Rep20_S_empty_rep_storageE_ptr@PAGE

LDR             X20, [X20,#__ZNSs4_Rep20_S_empty_rep_storageE_ptr@PAGEOFF]

CMP             X0, X20

B.NE            loc_1003550FC

[/spoiler]

Also just incase here's what lldb gave me

  Reveal hidden contents

->  0x100354f78 <+264>: ldr    w8, [x20, #0x8]

    0x100354f7c <+268>: str    w8, [x25, #0x8]

    0x100354f80 <+272>: strb   wzr, [x24, #0xa]

    0x100354f84 <+276>: ldr    w8, [x20, #0x8]

Thank's for helping!

 

I'm not sure, u could try chane the SUB to an ADD, when u'll buy something the coins won't substract but they'll add it.

 

btw for arm64 u gotta remove aslr loaded offset. Now U got the wrong function in IDA.

 

how you do that is by type 'image list'  in lldb & then the above line. There's also a tutorial madr about how to do that, something called like 'how to defeat aslr.....'

Updated July 5, 2017 by Ted2

[NoHax 3k iPhone 6s 11.2.2]

20 minutes ago, Ted2 said:

I'm not sure, u could try chane the SUB to an ADD, when u'll buy something the coins won't substract but they'll add it.

 

btw for arm64 u gotta remove aslr loaded offset. Now U got the wrong function in IDA.

 

how you do that is by type 'image list'  in lldb & then the above line. There's also a tutorial madr about how to do that, something called like 'how to defeat aslr.....'

Wait, so my offset from lldb was 0x100354f78, I just checked my alsr and its d8000, so I would do 0x100354f78-d8000 to find my offset?

Or do I have to do that watchpoint thing again and then take away my alsr value from the new offset I get?

Updated July 5, 2017 by NoHax

[Ted2 39.2k iPhone 13 Pro 16.0 Donor]

38 minutes ago, NoHax said:

Wait, so my offset from lldb was 0x100354f78, I just checked my alsr and its d8000, so I would do 0x100354f78-d8000 to find my offset?

Or do I have to do that watchpoint thing again and then take away my alsr value from the new offset I get?

Take the aslr from the lldb offset. See if that matches in IDA. 

[vinhthai222006 6.2k iPhone 5s 10.3.3]

On 7/6/2017 at 1:32 AM, Ted2 said:

The offset you get from lldb, is probs right. But it's not always the exact thing lldb says, for you the ldr. If u could post a code/screenshot of the entire function, others (maybe me) can help more. 

 

Also r7 is in armv7 a big value, but it seems like you're hacking arm64, so that will be diffrent.

 

have a look at this post:

 

 you don't reply inbox me ???

[Ted2 39.2k iPhone 13 Pro 16.0 Donor]

2 minutes ago, vinhthai222006 said:

 you don't reply inbox me ???

What?