Help/Support Whats this Function? LLDB

[Goran 1.9k]

9 minutes ago, Mr Cub3s said:

i'll ask you one question, do u know what's aslr?

 

"IMAGE LIST"

of course, i got ASLR in this case "F4000", but that is also have nothing with this on LLDB, aslr is important for IDA PRO, BUT WHAT TO DO IN THIS CASE? IF YOU GOTZ THIS ONE, WHAT YOU WILL DO NEXT IN THIS CASE?

[sn0wqt 42.6k iPhone X 13.3]

5 minutes ago, Goran said:

"IMAGE LIST"

of course, i got ASLR in this case "F4000", but that is also have nothing with this on LLDB, aslr is important for IDA PRO, BUT WHAT TO DO IN THIS CASE? IF YOU GOTZ THIS ONE, WHAT YOU WILL DO NEXT IN THIS CASE?

lmaoo

i didn't understand a word... are u doing this for arm64 binaries? if yes, you need to add the bias to the offset you find in lldb

[Goran 1.9k]

56 minutes ago, Mr Cub3s said:

lmaoo

i didn't understand a word... are u doing this for arm64 binaries? if yes, you need to add the bias to the offset you find in lldb

Here it is in details... i have iPhone 6s, that app is ARM64 and ARM7, so i thinned binary to ARMv7, and it works on phone...

i found value for diamonds in app it is I64 in iGG,

attached to lldb, do image list...

w s e -- 0xiGGaddress and got this in lldb...

* thread #1: tid = 0x36f39, 0x00425cb4 covetHome, stop reason = watch 1
    frame #0: 0x00425cb4 covetHome
-> 0x425cb4:  andlo  r6, r1, r0, lsr r11
    0x425cb8:  andlt  r6, r7, r0, lsr r3
    0x425cbc:  stceq  p8, c14, [r0, #-756]

than i was stuck... because when i go 425cb4-F4000(ASLR) it give me "331cb4" ida address... but in IDA, there is no that address, as you can see on picture... Tried to watch and breakpoint those 0x425cb4, 0x425cb8, 0x425cbc...

but no luck...

here is IDA PRO part...

as you can see here even don't have 331cb4 address...

so what can it be problem here, because functions don't match... and how could you solve this? if you are working on that...

Updated September 7, 2017 by Goran

[sn0wqt 42.6k iPhone X 13.3]

2 hours ago, Goran said:

Here it is in details... i have iPhone 6s, that app is ARM64 and ARM7, so i thinned binary to ARMv7, and it works on phone...

i found value for diamonds in app it is I64 in iGG,

attached to lldb, do image list...

w s e -- 0xiGGaddress and got this in lldb...

* thread #1: tid = 0x36f39, 0x00425cb4 covetHome, stop reason = watch 1
    frame #0: 0x00425cb4 covetHome
-> 0x425cb4:  andlo  r6, r1, r0, lsr r11
    0x425cb8:  andlt  r6, r7, r0, lsr r3
    0x425cbc:  stceq  p8, c14, [r0, #-756]

than i was stuck... because when i go 425cb4-F4000(ASLR) it give me "331cb4" ida address... but in IDA, there is no that address, as you can see on picture... Tried to watch and breakpoint those 0x425cb4, 0x425cb8, 0x425cbc...

but no luck...

here is IDA PRO part...

as you can see here even don't have 331cb4 address...

so what can it be problem here, because functions don't match... and how could you solve this? if you are working on that...

DID U REMOVE ASLR FROM THE BIN?

[Goran 1.9k]

25 minutes ago, Mr Cub3s said:

DID U REMOVE ASLR FROM THE BIN?

nope, why to remove ASLR when i substract it from hex....

[Goran 1.9k]

@K_K you solved me many mistery, can you tell me why this code look like this???
also i sent you pm about code in CoinDozer..

Thanks man a lot for all your help..

[K_K 167.5k iPhone 13 Pro Max 15.1]

Ask yourself are you hacking 32 or 64 bit? I'd go with the 64 bit if I were you. It looks as though r1 is storing the value but I'd have to have a look myself and see.

[BigDaddy284 2.6k iPhone 7 11.3.1]

Dude, you need to post a tutorial like this for beginners. I spent weeks looking at tutorials and reading up but always felt i was missing something.

Even with the broken english in places, after reading your post with screen shots i feel i was on the right path and when i get some free time next will jump back on it. 

Please make a tutorial, exactly as above. Given all the infomation for what you're doing at each point. Alot of neebs could benefit from this. 

Also @Ted2sup, always around to help ?

[Goran 1.9k]

6 minutes ago, BigDaddy284 said:

Dude, you need to post a tutorial like this for beginners. I spent weeks looking at tutorials and reading up but always felt i was missing something.

Even with the broken english in places, after reading your post with screen shots i feel i was on the right path and when i get some free time next will jump back on it. 

Please make a tutorial, exactly as above. Given all the infomation for what you're doing at each point. Alot of neebs could benefit from this. 

Also @Ted2sup, always around to help ?

am begginer and when i get basics, i will make tutorial like you never seen before... to make it clear once for all... cuz i get many troubles by now.. because of lack of information and deformations... in tutorials....

19 minutes ago, K_K said:

Ask yourself are you hacking 32 or 64 bit? I'd go with the 64 bit if I were you. It looks as though r1 is storing the value but I'd have to have a look myself and see.

binary was ARM64bit, but i thinned binary, and it works on iPhone 6s.. i found with iGG value its I64, and in lldb gave me this weird function, so i ask, what means this function??? why have codes like that???

-> 0x425cb4:  andlo  r6, r1, r0, lsr r11
    0x425cb8:  andlt  r6, r7, r0, lsr r3
    0x425cbc:  stceq  p8, c14, [r0, #-756]

[Rook 567k iPad Pro (2nd gen) 17.4 Donor]

13 minutes ago, Goran said:

am begginer and when i get basics, i will make tutorial like you never seen before... to make it clear once for all... cuz i get many troubles by now.. because of lack of information and deformations... in tutorials....

binary was ARM64bit, but i thinned binary, and it works on iPhone 6s.. i found with iGG value its I64, and in lldb gave me this weird function, so i ask, what means this function??? why have codes like that???

-> 0x425cb4:  andlo  r6, r1, r0, lsr r11
    0x425cb8:  andlt  r6, r7, r0, lsr r3
    0x425cbc:  stceq  p8, c14, [r0, #-756]

What happens if you go to that offset?