Help/Support Help with offsets

[Miscdemeanor 3 iPhone 3G]

Hey, So I've been trying to hack Plants vs Zombies Heroes for a few days now and im getting really stuck.

I've found the offsets for the player's sun which is 0x100683328.

This offset is triggered when the player uses their sun. When I change:

SUB             W9, W9, W1

Into this 

ADD            W9, W9, W1

It affects the player's sun value visually, however it still does not allow you to use more than what you initially had(Correct Value).

 

There is also another offset that is triggered on each new wave which again affects the Player's sun (it acts like a reset of sorts) which is located at 0x100683264 

Once again if I change

STR             W1, [X0,#0x48]

To

STR             W7, [X0,#0x48]

It changes the players sun, but only visually. (Note [19,#0x48] and [X0,#0x48] both point to the same address).

 

Now to me it seems there is obviously some sort of check happening to make sure the values are the same and if theyre not restore them to what they were, but I cant seem to find it.

Any help would be greatly appreciated.

[i0s_tweak3r 12.3k iPhone X 13.5]

Have you looked at loc_100683344 ?

Theres a compare, and looks like a branch if W9 does not equal #3. The location I listed above is where it branches to.  I'm still an IDA noobie (especially 64 bit) but I'd check out the code in that location. Seems to be the location the function you hacked ultimately branches to as well.  I forget what CBZ is but it seems like a callback that goes to or checks a value at that same address.

Hope that was of some help. If ya figure it out on ur own plz post back maybe I'll learn something.  Hopefully one of the more experienced ppl can be of more help.

[Miscdemeanor 3 iPhone 3G]

3 hours ago, i0s_tweak3r said:

Have you looked at loc_100683344 ?

Theres a compare, and looks like a branch if W9 does not equal #3. The location I listed above is where it branches to.  I'm still an IDA noobie (especially 64 bit) but I'd check out the code in that location. Seems to be the location the function you hacked ultimately branches to as well.  I forget what CBZ is but it seems like a callback that goes to or checks a value at that same address.

Hope that was of some help. If ya figure it out on ur own plz post back maybe I'll learn something.  Hopefully one of the more experienced ppl can be of more help.

Here is the full function

 

From further testing it seems W2 Branches to 

LDR             W9, [X19,#0x40]
CMP             W9, #3
B.NE            loc_100683344

When the Suns do not match up ie. The correct value is 1, however what is displayed is 10.

However [X19, #0x40] seems to always hold 2 (as I have set a watchpoint on the address and it never triggers). Which means it branches back to the original link (loc_100683344).

 

I am really lost now in where the "true" value is getting stored

[Miscdemeanor 3 iPhone 3G]

Still quite stuck on this

[i0s_tweak3r 12.3k iPhone X 13.5]

On 7/7/2017 at 2:57 AM, Miscdemeanor said:

Here is the full function

 

From further testing it seems W2 Branches to 

LDR             W9, [X19,#0x40]
CMP             W9, #3
B.NE            loc_100683344

When the Suns do not match up ie. The correct value is 1, however what is displayed is 10.

However [X19, #0x40] seems to always hold 2 (as I have set a watchpoint on the address and it never triggers). Which means it branches back to the original link (loc_100683344).

 

I am really lost now in where the "true" value is getting stored

The CBZ means "Compare and Branch when Zero", meaning if the value of register (W2 in this case) is zero, to branch to the address shown, loc_100683344.

Notice it's the same address branched to if W9 does not equal 3. 

I'm curious what's at sub_1006831B0, since you know you are branching there  from either the CMP or CBZ regardless b4 the function ends. Can u show what's at sub_1006831B0?