Ted2

Tutorial IDA + LLDB Tutorial [Noob Friendly]

90 posts in this topic


Hello Everyone!

In this topic I'll explain & show you how to hack games with IDA using lldb and/or GDB on armv7.
I'll try to make it as noob friendly as I can; it will be a long tutorial since I'll explain EVERY step.

Requirements for this tutorial:

- IDA Program -> get it HERE
- Jailbroken phone to test it
- Hex editor
- The binary of the game we're gonna hack -> get it HERE *
- The game, get it HERE & download v1.11
- LLDB -> for Windows, go HERE & for Mac go HERE
- Gameplayer
- Theos fully set up (not 100% necessary, but since you're learning hacking.. why not?) -> Setup Tutorial

* = When you're hacking armv7, I suggest removing ASLR from the binary using THIS site, so you don't have to calculate every watchpoint & breakpoint. The binary for this tutorial is thinned & has ASLR removed.

The game we are going to hack is called 'Trigger Fist', a dead shooter game, but good to practice with.

First thing to do is load the binary from above into IDA, with these settings:

[screenshot: IDA load settings]

Second thing we need to do is replace the game's binary with the one from above, since we will be using lldb & we don't want ASLR to be loaded.

To do this, you'll need Filza Manager from Cydia.
First of all, copy the binary, then go to /var/containers/Bundle/Application/'Trigger Fist/TriggerFist.app' & paste.
Then set the binary permissions like this:

[screenshot: binary permissions in Filza]

To do this, you click the little 'Info' icon next to the binary name.

 

Alright, everything is set for debugging using lldb :)

First of all we need to know what we're going to hack, which is ammo & grenades.
So what we're going to do is find the values using Gameplayer; I hope everyone knows how to do that.
Write them down once you've found both values.

You can also do this while you're connected with lldb, but every time you search for a value in Gameplayer, you'll need to type 'continue' or 'c' in the lldb window.
I do this because sometimes the game changes the value even if I haven't closed it.
Not sure if this also applies to this game, but it's up to you how you wanna do it. If you do not know how to find them: your ammo starts at 30 (at least for me; if not for you, replace the numbers below with yours).

- Search for 30 in Gameplayer
- Shoot one time
- Search for 29 (or whatever new value you got)
- Shoot again
- Search for 28 (or whatever new value you got)
- I get one address from Gameplayer (if you still get more, shoot & search until you get one hit)
- WRITE THE ADDRESS DOWN!!

Your grenades are 2.
- Search for 2
- Throw one away
- Search for 1
- Throw one away
- Search for 0
- Die 
- You got 2 grenades again after you died, so search 2
- Throw one away
- Search 1
- Do this until you get ONE hit
- WRITE THE ADDRESS DOWN!!

IT'S VERY IMPORTANT THAT YOU DO NOT CLOSE THE APP FROM NOW ON, BECAUSE Gameplayer ADDRESSES ALWAYS CHANGE AFTER REOPENING THE APP.

 

Alright, now we need to debug, so we can get the IDA offsets.

We need to debug over port 23; on Mac you don't need to do anything.
On Windows you run the mux.exe program for it, but if you're on Windows 10 that won't work.
There we need to do it with iFunbox, using the USB Tunnel option in the Toolbox tab.

See THIS topic to do this with Windows 10

First we need to make a connection with our phone, by running this command in the SSH Terminal (open it using iFunbox):
 

debugserver 127.0.0.1:23 --attach=PID 

What is 'PID'? Not sure what it exactly is, but I do know how to find it :p
Open the game, tap the Gameplayer icon & select the application if it doesn't automatically.
This is the PID:

[screenshot: PID shown in Gameplayer]

Alright, you typed it in & it should look like this:

[screenshot: debugserver output]

Now go to your lldb folder & double click lldb.exe.
A command prompt will show up; type this:

process connect connect://127.0.0.1:23

It should look like this:

[screenshot: lldb after 'process connect']

It can take some time to make the connection, depending on how fast your connection is.
When it's connected it will show you this:

[screenshot: lldb connected to debugserver]

Alright, so we want to know the IDA offsets of the Gameplayer addresses we have.
We do this with this command:
 

w s e -- 0xgameplayeraddress

which is for me

w s e -- 0x1501ca6c //ammo 
and
w s e -- 0x0ebcec60 //grenades

It should say this when you set a watchpoint:

[screenshot: watchpoint set in lldb]

Type 'continue' or 'c' in the lldb window to continue the game.
Make a change in ammo; the game will freeze, this is good!
The lldb window will look like this:

[screenshot: lldb stopped on the watchpoint]


This is the ida offset: (marked with <<<<<<<<<) (WRITE IT DOWN + WRITE DOWN TO WHAT THE VALUE CHANGED)

(lldb) Process 86864 stopped
* thread #1: tid = 0x15350, 0x001527d4 TriggerFist`___lldb_unnamed_function1$$TriggerFist + 1382346, stop reason = watchpoint 3
    frame #0: 0x001527d4 TriggerFist`___lldb_unnamed_function1$$TriggerFist + 1382346
TriggerFist`___lldb_unnamed_function1$$TriggerFist + 1373466:
-> 0x1527d4 <<<<<<<<<<<<<<<:  mov    r0, #0x1
   0x1527d8:  strb   r0, [r10, #430]
   0x1527dc:  mov    r0, #0x1

Also type 'register read' to see what each register holds around the function (register = R1, R2, R3, etc.).
It will look like this:

[screenshot: 'register read' output]


Copy the output & paste it somewhere you can find it back, & type 'ammo' above it.
How to copy it?
Select it with your mouse & hit Enter; this will copy it. You can 'Ctrl + C' it too, but that will ask you to quit lldb & we don't want that.

Alright, now type 'continue' or 'c' in lldb to continue the game.
Make a change in grenades; the game will freeze & we now know this is good!
We also know how the lldb window looks & what the IDA offset is. (WRITE IT DOWN + WRITE DOWN WHAT THE VALUE CHANGED TO)

Type 'register read' again & do the same process you did with the ammo, but now type 'grenades' above it.
I suggest you do the register read when you have more than 0 grenades, otherwise it's harder to see which register is the real one.

Now we have both, close lldb.

Alright, now we know both offsets & what every register means, so it's easy peasy to hack.
Let's look into the ammo function first; it looks like this:

[screenshot: ammo function in IDA]

Alright, most of the time there are multiple ways to hack something.
This is the exact code written:

LDR             R0, [R10,#0x88]
LDR             R0, [R0,#0x70]
CMP             R5, R0
BLT             loc_152764
LDR             R0, [R10,#0x88]
LDR             R1, [R0,#0xAC] //
SUB             R1, R1, #1 //
STR             R1, [R0,#0xAC] //
MOV             R0, #1  ; The address where it drops us
STRB            R0, [R10,#0x1AE]
MOV             R0, #1
STRB            R0, [R10,#0x1AF]
LDR             R0, [R10,#0x1CC]
ADD             R0, R0, #1
STR             R0, [R10,#0x1CC]
LDR             R0, [R10,#0x88]
VLDR            S0, [R0,#0x68]
VCVT.F64.F32    D2, S0
VCVT.F32.F64    S0, D2
VSTR            S0, [R10,#0x284]
LDR             R0, [R10,#0x174]
LDR             R1, =(unk_C80D00 - 0x15281C) //
B               loc_152814

Alright, we also know what all registers mean. lldb gives the values in hexadecimal.
We only know the values in decimal.
We wrote down what our ammo changed to, which for me was 29.
29 in hex = 1D
Register 1 (R1) holds that value, which means that's our ammo.

General Purpose Registers:
        r0 = 0x1501c9c0
        r1 = 0x0000001d <-----> our ammo
        r2 = 0x00000001
        r3 = 0x15308038
        r4 = 0x00000001
        r5 = 0x00000001
        r6 = 0x00000058
        r7 = 0x00e3da94
        r8 = 0x00000000
        r9 = 0x00000000
       r10 = 0x16734cc0
       r11 = 0x00e3d374
       r12 = 0x0068f80c  TriggerFist.__TEXT.__text + 6866268
        sp = 0x00e3d374
        lr = 0x00608044  TriggerFist.__TEXT.__text + 6311316
        pc = 0x001527d4  TriggerFist.__TEXT.__text + 1373476
      cpsr = 0x60000010

 

As you can see in the code, there are R1, R0, R5, R10, etc.
R1 is the one that is important for us now.
In the code above the 'register read' output, I wrote // after each instruction with R1 in it.

Which are these four:


LDR             R1, [R0,#0xAC] //Loads the value stored at R0,#0xAC into R1 (#0xAC is a sort of variable, likely for ammo; R0 is holding the address of some object)
SUB             R1, R1, #1 // Subtracts one from R1 (ammo) into R1 (ammo)
STR             R1, [R0,#0xAC] //Stores R1 (ammo) into what's stored at R0,#0xAC (#0xAC is a sort of variable, likely for ammo; R0 is holding the address of some object)
LDR             R1, =(unk_C80D00 - 0x15281C) //I've no idea, it does load something into our ammo at least.

I wrote down what they mean.


Anyways,
The SUB instruction is the most used way to hack ammo.
Why?

Well.. when you shoot, one bullet will go away..
This instruction subtracts 1 from R1 (ammo) into R1 (ammo).

We can hack a SUB in different ways:

1. NOP the instruction; what this does is skip the instruction and do nothing.
2. Change the #1 to #0, which would subtract 0 from our ammo.
3. Change the SUB to ADD, which would ADD ammo instead of subtracting.
4. Change the SUB to MOV R1, R7, which would move the value of 803 million into our ammo.

We can also hack it using the first LDR from above & the STR instruction.

How we hack the LDR:

- LDR R1, [R0,#0xAC] to LDR R1, [R7,#0xAC] --> What this does is load R7 (803 million) into our ammo instead of what the normal value should be.

This works because it's loading uninitialized memory into R0.

How we hack the STR:

- STR R1, [R0,#0xAC] to STR R7, [R0,#0xAC] --> What this does is store R7 into [R0,#0xAC] instead of storing our normal ammo.

When you're hacking a binary, you need to know what kind of 'HEX' it is.
How to find out:

1. Go to: http://armconverter.com  @DiDA :wub:
2. Copy the IDA instruction into the box & click convert (SUB R1, R1, #1 in this example).
3. Below it you'll see different outcomes.
4. Go back to IDA.
5. Select the SUB instruction & click hex view; there will be a highlighted number. Compare this with armconverter & see which one is the same.
6. Now you know what kind of HEX it is & you can hack.

When you know that, you can change the instruction to whichever you like.
Let's change the SUB instruction to MOV R1, R7.
The outcome in armconverter will be 0710A0E1, because this game is ARM-HEX.

Normally you patch the binary manually using a hex editor; somehow this is not working for me on this game.
Maybe for some others it does, I don't know.
These are the steps if you wanna try it:

Load the same binary you loaded into IDA in HxD.
I suggest making a backup though.

We need to go to our SUB instruction offset, which is: 1527CC
How do I know?
See here:

[screenshot: IDA hex view at offset 1527CC]

Go to that offset in HxD with 'Ctrl + G' or 'Edit - Go to'.
This is it, this is what we're gonna hack.

[screenshot: HxD at offset 1527CC]

Alright, I'm going to hack it by replacing the SUB instruction with MOV R1, R7.
You can do whatever you prefer, but remember to do it in ARM-HEX!!

It will look like this:

[screenshot: HxD after the patch]

Now save it.
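The encodings behind those ARM-HEX values, as an added example that is not from the original post: a small encoder for the SUB/ADD/MOV/LDR/STR forms the tutorial patches, the armconverter-style little-endian hex, and a hex-editor-style patch at the post's SUB offset 0x1527CC that first checks the bytes there really are the SUB. The zero-filled stand-in binary and the hack names are constructed for the example.

```python
import struct
# Added example, not code from the original post. Encodes the ARM (A32) forms
# the tutorial patches and applies a checked patch to a constructed binary.
REGS = {f"r{i}": i for i in range(16)}
COND_AL = 0xE                                    # "always" condition
DP_OPCODE = {"sub": 0x2, "add": 0x4, "mov": 0xD}  # data-processing opcodes

def encode_dp_imm(op, rd, rn, imm):
    """Data-processing with an 8-bit immediate, e.g. SUB R1, R1, #1 -> E2411001.
    For MOV pass rn="r0"; the Rn field is unused for MOV."""
    if not 0 <= imm <= 0xFF:
        raise ValueError("immediate must fit in 8 bits (no rotation handled)")
    return ((COND_AL << 28) | (1 << 25) | (DP_OPCODE[op] << 21)
            | (REGS[rn] << 16) | (REGS[rd] << 12) | imm)

def encode_mov_reg(rd, rm):
    """MOV Rd, Rm with no shift, e.g. MOV R1, R7 -> E1A01007."""
    return (COND_AL << 28) | (DP_OPCODE["mov"] << 21) | (REGS[rd] << 12) | REGS[rm]

def encode_ldr_str(load, rt, rn, offset):
    """LDR/STR Rt, [Rn, #offset] with a positive 12-bit immediate offset."""
    if not 0 <= offset <= 0xFFF:
        raise ValueError("offset must fit in 12 bits")
    # bits 27..26 = 01, P=1 (pre-index), U=1 (add offset), L = load flag
    return ((COND_AL << 28) | (1 << 26) | (1 << 24) | (1 << 23)
            | (int(load) << 20) | (REGS[rn] << 16) | (REGS[rt] << 12) | offset)

def arm_hex(word):
    """Little-endian bytes as armconverter's 'ARM HEX' shows them."""
    return struct.pack("<I", word).hex().upper()

SUB_OFFSET = 0x1527CC  # file offset of SUB R1, R1, #1 from the post
SUB_WORD = encode_dp_imm("sub", "r1", "r1", 1)

# The four ways the post lists to neutralise the SUB (names are ours).
SUB_HACKS = {
    "nop": encode_mov_reg("r0", "r0"),            # MOV R0, R0 = classic ARM NOP
    "sub #0": encode_dp_imm("sub", "r1", "r1", 0),
    "add #1": encode_dp_imm("add", "r1", "r1", 1),
    "mov r1, r7": encode_mov_reg("r1", "r7"),
}

def build_sample_binary():
    """Constructed stand-in for the game binary: zero-filled except for the
    SUB / STR / MOV R0, #1 sequence the post shows at 0x1527CC."""
    buf = bytearray(SUB_OFFSET + 0x10)
    struct.pack_into("<III", buf, SUB_OFFSET, SUB_WORD,
                     encode_ldr_str(False, "r1", "r0", 0xAC),
                     encode_dp_imm("mov", "r0", "r0", 1))
    return bytes(buf)

def word_at(binary, file_offset):
    return struct.unpack_from("<I", binary, file_offset)[0]

def patch(binary, file_offset, old_word, new_word):
    """Overwrite one instruction, but only if the bytes there are the ones we
    expect: a wrong offset, a different build or a Thumb region would otherwise
    be silently corrupted."""
    found = word_at(binary, file_offset)
    if found != old_word:
        raise ValueError(f"expected {old_word:08X} at {file_offset:#x}, found {found:08X}")
    out = bytearray(binary)
    struct.pack_into("<I", out, file_offset, new_word)
    return bytes(out)

def apply_sub_hack(name):
    """Return the ARM-HEX of the 4 bytes at the SUB offset after one hack."""
    patched = patch(build_sample_binary(), SUB_OFFSET, SUB_WORD, SUB_HACKS[name])
    return arm_hex(word_at(patched, SUB_OFFSET))

if __name__ == "__main__":
    for name, word in SUB_HACKS.items():
        print(f"{name:11} {word:08X}  ARM-HEX {arm_hex(word)}  patched: {apply_sub_hack(name)}")
```

If the check in patch() fails, the offset or the binary is not what you think it is, which is the first thing to verify when a manual hex patch does not take effect.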
We wanna test it, but we need to sign it first.
Paste the hacked binary into /var/mobile with iFunbox or whatever you like.

Type in the SSH window: cd /var/mobile & then type: ldid -s TriggerFist
You're done; if it doesn't work see this topic by @shmoo: Sign Binary Topic

Now replace it into your application folder like you did before, with the same permissions.

Test the hack.

I'm using a Code Injection Template with Theos; if you've never used Theos, you need to set this up.
If you have, paste this nic template into your /var/theos/templates/iphone/ folder.
Link to template: Code Injection Template made by @DiDA

 

You set up a project like you normally do & change the Tweak.xm, which looks like this:

[screenshot: Tweak.xm from the template]

Change it to this:

[screenshot: Tweak.xm with the ammo patch]

Why?

The first offset is the IDA hex offset & the second is the hacked hex.

Compile it & test it.

The grenades function is for you guys, you can try this on your own!
You guys have the 'read register' output, so you can do it!

Let me know if you succeed :)

Hope you learned something :)

PS: a more advanced tutorial will come soon, also with lldb.

 

Another game you can practice with is Sniper 3D; ammo is easy & resources are the same offsets but maybe more 'challenging'.

 

Credits:

- @Ted2

- @shmoo see his comment, he fixed some errors: HERE

Edited by Ted2
Fixed some things through Shmoo's comment.
@Goran this is not Coin Dozer, coin dozer will be in my more 'advanced tutorial'

The watchpoints you get from Coin Dozer are not directly the right addresses. So that's why I'll cover that in my more advanced one & it will be a video.

3 hours ago, Ted2 said:

@Goran this is not Coin Dozer, coin dozer will be in my more 'advanced tutorial'

the watchpoints you get from coin dozer, are not directly the right addresses. So that's why I'll cover that in my more advanced & it will be a video.

m8, this can be done on Android also, right?
