Help/Support Whats this Function? LLDB

Goran · September 7, 2017

On 9/7/2017 at 6:14 PM, Mr Cub3s said:

i'll ask you one question, do u know what's aslr?

Expand

"IMAGE LIST"

of course, i got ASLR in this case "F4000", but that is also have nothing with this on LLDB, aslr is important for IDA PRO, BUT WHAT TO DO IN THIS CASE? IF YOU GOTZ THIS ONE, WHAT YOU WILL DO NEXT IN THIS CASE?

Oxytyramine · September 7, 2017

On 9/7/2017 at 6:25 PM, Goran said:

"IMAGE LIST"

of course, i got ASLR in this case "F4000", but that is also have nothing with this on LLDB, aslr is important for IDA PRO, BUT WHAT TO DO IN THIS CASE? IF YOU GOTZ THIS ONE, WHAT YOU WILL DO NEXT IN THIS CASE?

Expand

lmaoo

i didn't understand a word... are u doing this for arm64 binaries? if yes, you need to add the bias to the offset you find in lldb

Goran · September 7, 2017

On 9/7/2017 at 6:31 PM, Mr Cub3s said:

lmaoo

i didn't understand a word... are u doing this for arm64 binaries? if yes, you need to add the bias to the offset you find in lldb

Expand

Here it is in details... i have iPhone 6s, that app is ARM64 and ARM7, so i thinned binary to ARMv7, and it works on phone...

i found value for diamonds in app it is I64 in iGG,

attached to lldb, do image list...

w s e -- 0xiGGaddress and got this in lldb...

* thread #1: tid = 0x36f39, 0x00425cb4 covetHome, stop reason = watch 1
frame #0: 0x00425cb4 covetHome
-> 0x425cb4: andlo r6, r1, r0, lsr r11
0x425cb8: andlt r6, r7, r0, lsr r3
0x425cbc: stceq p8, c14, [r0, #-756]

than i was stuck... because when i go 425cb4-F4000(ASLR) it give me "331cb4" ida address... but in IDA, there is no that address, as you can see on picture... Tried to watch and breakpoint those 0x425cb4, 0x425cb8, 0x425cbc...

but no luck...

here is IDA PRO part...

as you can see here even don't have 331cb4 address...

so what can it be problem here, because functions don't match... and how could you solve this? if you are working on that...

Updated September 7, 2017 by Goran

Oxytyramine · September 7, 2017

On 9/7/2017 at 7:27 PM, Goran said:

Here it is in details... i have iPhone 6s, that app is ARM64 and ARM7, so i thinned binary to ARMv7, and it works on phone...

i found value for diamonds in app it is I64 in iGG,

attached to lldb, do image list...

w s e -- 0xiGGaddress and got this in lldb...

* thread #1: tid = 0x36f39, 0x00425cb4 covetHome, stop reason = watch 1
frame #0: 0x00425cb4 covetHome
-> 0x425cb4: andlo r6, r1, r0, lsr r11
0x425cb8: andlt r6, r7, r0, lsr r3
0x425cbc: stceq p8, c14, [r0, #-756]

than i was stuck... because when i go 425cb4-F4000(ASLR) it give me "331cb4" ida address... but in IDA, there is no that address, as you can see on picture... Tried to watch and breakpoint those 0x425cb4, 0x425cb8, 0x425cbc...

but no luck...

here is IDA PRO part...

as you can see here even don't have 331cb4 address...

so what can it be problem here, because functions don't match... and how could you solve this? if you are working on that...

Expand

DID U REMOVE ASLR FROM THE BIN?

Goran · September 7, 2017

On 9/7/2017 at 9:28 PM, Mr Cub3s said:

DID U REMOVE ASLR FROM THE BIN?

Expand

nope, why to remove ASLR when i substract it from hex....

Goran · September 7, 2017

@K_K you solved me many mistery, can you tell me why this code look like this???
also i sent you pm about code in CoinDozer..

Thanks man a lot for all your help..

K_K · September 7, 2017

Ask yourself are you hacking 32 or 64 bit? I'd go with the 64 bit if I were you. It looks as though r1 is storing the value but I'd have to have a look myself and see.

BigDaddy284 · September 7, 2017

Dude, you need to post a tutorial like this for beginners. I spent weeks looking at tutorials and reading up but always felt i was missing something.

Even with the broken english in places, after reading your post with screen shots i feel i was on the right path and when i get some free time next will jump back on it.

Please make a tutorial, exactly as above. Given all the infomation for what you're doing at each point. Alot of neebs could benefit from this.

Also @Ted2sup, always around to help ?

Goran · September 7, 2017

On 9/7/2017 at 10:16 PM, BigDaddy284 said:

Dude, you need to post a tutorial like this for beginners. I spent weeks looking at tutorials and reading up but always felt i was missing something.

Even with the broken english in places, after reading your post with screen shots i feel i was on the right path and when i get some free time next will jump back on it.

Please make a tutorial, exactly as above. Given all the infomation for what you're doing at each point. Alot of neebs could benefit from this.

Also @Ted2sup, always around to help ?

Expand

am begginer and when i get basics, i will make tutorial like you never seen before... to make it clear once for all... cuz i get many troubles by now.. because of lack of information and deformations... in tutorials....

On 9/7/2017 at 10:04 PM, K_K said:

Ask yourself are you hacking 32 or 64 bit? I'd go with the 64 bit if I were you. It looks as though r1 is storing the value but I'd have to have a look myself and see.

Expand

binary was ARM64bit, but i thinned binary, and it works on iPhone 6s.. i found with iGG value its I64, and in lldb gave me this weird function, so i ask, what means this function??? why have codes like that???

-> 0x425cb4: andlo r6, r1, r0, lsr r11
0x425cb8: andlt r6, r7, r0, lsr r3
0x425cbc: stceq p8, c14, [r0, #-756]

Rook · September 7, 2017

On 9/7/2017 at 10:23 PM, Goran said:

am begginer and when i get basics, i will make tutorial like you never seen before... to make it clear once for all... cuz i get many troubles by now.. because of lack of information and deformations... in tutorials....

binary was ARM64bit, but i thinned binary, and it works on iPhone 6s.. i found with iGG value its I64, and in lldb gave me this weird function, so i ask, what means this function??? why have codes like that???

-> 0x425cb4: andlo r6, r1, r0, lsr r11
0x425cb8: andlt r6, r7, r0, lsr r3
0x425cbc: stceq p8, c14, [r0, #-756]

Expand