Help/Support I got This in LLDB now what in IDA PRO?

Goran · August 21, 2017

I got this text in LLDB, finding coins in ZLATAN LEGENDS... Removed Aslr and thined binary... its ARMv7 game...

Here is what i got in LLDB....

w s e -- 0x10A21F20
Watchpoint created: Watchpoint 1: addr = 0x10a21f20 size = 4 state = enabled type = w
    new value: 3719
(lldb) c
Process 201251 resuming
(lldb) Process 201251 stopped
* thread #1: tid = 0x31223, 0x00051ee0 mimosa`ticationMethod_Basic + 303594, stop reason = watchpoint 1
    frame #0: 0x00051ee0 mimosa`ticationMethod_Basic + 303594
mimosa`ticationMethod_Basic + 279210:
   0x51ee0: ldrbmi r6, [r0, -r3, asr #4]!
   0x51ee4: sbcvs r6, r3, #0x20000008
   0x51ee8: movwvs r4, #0x2770

Watchpoint 1 hit:
old value: 3719
new value: 3842

Now I need "retard like" explanation.... what to do in IDA PRO...

i loaded binary, everything is ready... i nned to know what to search from this LLDB info, in ida pro... noob like explanation....

Thanks for helping...

and if someone can explain me this functions....

   0x51ee0: ldrbmi r6, [r0, -r3, asr #4]!
   0x51ee4: sbcvs r6, r3, #0x20000008
   0x51ee8: movwvs r4, #0x2770

coins are in this case...

Ted2 · August 21, 2017

I doubt you can hack coins in this game, but whatever.

What you do now: breakpoint on the sub_x function (b 0xoffset)

Make some changes & see which Registers (R0, R2, R3 etc) holds the current coins value.

Goran · August 21, 2017

1 minute ago, Ted2 said:

I doubt you can hack coins in this game, but whatever.

What you do now: breakpoint on the sub_x function (b 0xoffset)

Make some changes & see which Registers (R0, R2, R3 etc) holds the current coins value.

what is here subx man? and if you can write me "noob like" explanation, with LIVE EXAMPLE on this case...

like you are doing this in ida pro...

Ted2 · August 21, 2017

Just now, Goran said:

what is here subx man? and if you can write me "noob like" explanation, with LIVE EXAMPLE on this case...

like you are doing this in ida pro...

breakpoint on offset you get from llldb watchpoint using the command 'b 0xwatchpointoffset'

make changes in coins, game will freeze.

type 'register read'

U get a list with what the register means.

Copy this list in text editor or so.

Go to decimal to hex converter

Type in your coins in game AFTER freeze from breakpoint

U'll get a hex number

Search this hex number in the list you pasted.

If the value is found, see which registers holds the value (for example R6)

Search in IDA for r6 in the watchpoint offset u got

Goran · August 22, 2017

15 hours ago, Ted2 said:

breakpoint on offset you get from llldb watchpoint using the command 'b 0xwatchpointoffset'

make changes in coins, game will freeze.

type 'register read'

U get a list with what the register means.

Copy this list in text editor or so.

Go to decimal to hex converter

Type in your coins in game AFTER freeze from breakpoint

U'll get a hex number

Search this hex number in the list you pasted.

If the value is found, see which registers holds the value (for example R6)

Search in IDA for r6 in the watchpoint offset u got

you got me nice explanation, thanks, BUT...

What is in this case "offset i get in LLDB?

http://imgur.com/Wnltf2f

can you write me full command with offset for this case (like you are doing hack and writing next step of this), cuz i dont understand where is that new offset i got...

Thanks man...

Ted2 · August 23, 2017

18 hours ago, Goran said:

you got me nice explanation, thanks, BUT...

What is in this case "offset i get in LLDB?

http://imgur.com/Wnltf2f

can you write me full command with offset for this case (like you are doing hack and writing next step of this), cuz i dont understand where is that new offset i got...

Thanks man...

Did you even breakpoint?

Goran · August 23, 2017

4 hours ago, Ted2 said:

Did you even breakpoint?

i know the command that is b 0x????

but am stuck in next step of this... it is CoinDozer game.... Am practicing on that...

Am doing Coins, no ASLR.... And i dont know WHICH ADDRESS in this case to watch or breakpoint...??? I need exact command in this case with exact address so i can understand...

this Register hold coin value.... r1 = 0x000186b2 CoinDozer.__TEXT.__text + 60642

so i need that you write to me exact command that you will be using in this case on live example, and why, so i can understand... thanks....

Ted2 · August 23, 2017

1 hour ago, Goran said:

i know the command that is b 0x????

but am stuck in next step of this... it is CoinDozer game.... Am practicing on that...

Am doing Coins, no ASLR.... And i dont know WHICH ADDRESS in this case to watch or breakpoint...??? I need exact command in this case with exact address so i can understand...

this Register hold coin value.... r1 = 0x000186b2 CoinDozer.__TEXT.__text + 60642

so i need that you write to me exact command that you will be using in this case on live example, and why, so i can understand... thanks....

I didn't know u could read registers with only watchpoints lmao.

Alright, what you do now is see in the function the watchpoint gavee you, what you can hack with the register R1

Goran · August 23, 2017

1 hour ago, Ted2 said:

I didn't know u could read registers with only watchpoints lmao.

Alright, what you do now is see in the function the watchpoint gavee you, what you can hack with the register R1

Can you please write me function that i need to enter in LLDB?

ohh, something you can learn from me ;)