Jump to content
  • Sky
  • Mint
  • Azure
  • Indigo
  • Blueberry
  • Blackcurrant
  • Watermelon
  • Strawberry
  • Pomegranate
  • Ruby Red
  • Orange
  • Banana
  • Apple
  • Emerald
  • Teal
  • Chocolate
  • Slate
  • Midnight
  • Maastricht
  • Charcoal
  • Matte Black
RudePerson

Tutorial IDA + LLDB Tutorial [Noob Friendly]

92 posts in this topic

Recommended Posts

NOTE:

iOS 11 is NOT able to run armv7, most devices run on iOS 11. I suggest NOT to hack armv7 binary, so this tutorial is KINDA useless. You can use this tutorial to reduce your knowledge. I will be making a simulair tutorial for arm64 binaries.

 

Hello Everyone!

In this topic I'll explain/show you how you hack games with IDA using lldb &/ GDB on armv7
I'll try to make it as noob friendly as I can, it will be a long tutorial since I'll explain EVERY step.

Requirements for this tutorial:

- IDA Program -> get it HERE
- Jailbroken Phone to test it
- Hex Editor
- The binary of the game we're gonna hack -> get it HERE *
- The game, get it HERE & download v1.11
- LLDB -> For Windows, go HERE & for Mac go HERE
- Gameplayer
- Theos fully setup (not 100% neccesarry, but since you're learn hacking.. why not?) -> Setup Tutorial

* = When you're hacking armv7, I suggest you to remove aslr from the binary using THIS site, so you don't have to calculate every watchpoint & breakpoint. The binary for this tutorial, is thinned & has ASLR removed.

The game we are going to hack is called 'Trigger Fist' a dead shoot game, but good to practice with.

First thing to do, is load the binary from above into IDA, with these settings:

 

Spoiler

rR3OiqD.png

Second thing we need to do is replace the binary of the game with the one from above, since we will be using lldb & we don't want aslr to be loaded.

To do this, you'll need Filza Manager from Cydia.
First of all, copy the binary, then go to: /var/containers/bundle/appliciation/'Trigger Fist/TriggerFist.app' & paste.
Then set the binary premissions like this:

Spoiler

lqn9j63.png


To do this, you click the little 'Info' icon next to the binary name.

 

Alright, everything is set for debugging using lldb :)

First of all we need to know what we're going to hack, which is ammo & grenades.
So what we're going to do is find the values using Gameplayer, I hope everyone knows how to do that.
Write them down if you found both values.

You can also do this while you're connected with lldb, but every time you search for a value in Gameplayer, you'll need to type 'continue or c' in the lldb window.
I do this because sometimes the game changes the value even if I haven't closed it.
Not sure if this also is for this game, but it's up to you how you wanna do it.If you do not know how to find them: Your ammo starts with 30 (atleast for me, if not for you replace numbers from below with yours)

Spoiler

 

- Search for 30 in Gameplayer
- Shoot one time
- Search for 29 (or whatever value you got new)
- Shoot againt
- Search for 28 (or whatever value you got new)
- I do get one address from Gameplayer (if you still get more, shoot & search until you get one hit)
- WRITE THE ADDRESS DOWN!!

Your grenades are 2.
- Search for 2
- Throw one away
- Search for 1
- Throw one away
- search for 0
- Die 
- You got 2 grenades again after you died, so search 2
- Throw one away
- Search 1
- Do this until you get ONE hit
- WRITE THE ADDRESS DOWN!!

IT's VERY IMPORTANT YOU DO NOT CLOSE THE APP FROM NOW, BECAUSE Gameplayer ADDRESSES ALWAYS CHANGE AFRER REOPENING APP.

 

Alright, now we need to debug, so we can get the ida offsets.

We need to debug with port 23, on mac you don't need to do anything. 
On windows you run the mux.exe program for it, but if you're on Windows 10 that won't work.
We need to do it with iFunbox, using the USB Tunnel option in the toolbox tab.

See THIS topic to do this with Windows 10

First we need to make connection with our phone, by runnning this command in SSH Terminal (open using iFunbox)
 

debugserver 127.0.0.1:23 --attach=PID 

What is 'PID', not sure what it exactly is, but I do know how to find it :p
Open the game, click Gameplayer icon & select the application if it doesn't automaticly.
This is the PID: 

Spoiler

EJtwJBQ.png

Alright, you typed it in & it should look like this: 

Spoiler

u6C69i3.png

Now go to your lldb folder & double click lldb.exe
A command promt will show up, type this: 

process connect connect://127.0.0.1:23


It should look like this:

Spoiler

D2sAm7V.png

It can take some time to make connection, depends on how fast you connection is.
When it's connected it will show you this: 

Spoiler

vSsMa32.png

Alright, so we want to know the ida offsets of the gameplayer addresses we have.
We do this by this command 
 

w s e -- 0xgameplayeraddress

which is for me

w s e -- 0x1501ca6c //ammo 
and
w s e -- 0x0ebcec60 //grenades

It should say this when you set a watchpoint:

Spoiler

7nhuFZ4.png

Type 'continue' or 'c' in the lldb window to continue the game.
Make a change in ammo, the game will freeze, this is good!
The lldb window will look like this: 

Spoiler

UOkhNHp.png


This is the ida offset: (marked with <<<<<<<<<) (WRITE IT DOWN + WRITE DOWN TO WHAT THE VALUE CHANGED)

(lldb) Process 86864 stopped
* thread #1: tid = 0x15350, 0x001527d4 TriggerFist`___lldb_unnamed_function1$$TriggerFist + 1382346, stop reason = watchpoint 3
    frame #0: 0x001527d4 TriggerFist`___lldb_unnamed_function1$$TriggerFist + 1382346
TriggerFist`___lldb_unnamed_function1$$TriggerFist + 1373466:
-> 0x1527d4 <<<<<<<<<<<<<<<:  mov    r0, #0x1
   0x1527d8:  strb   r0, [r10, #430]
   0x1527dc:  mov    r0, #0x1

Also type 'register read' to know what each register means around the function. (register = R1, R2, R3, etc)
It will look like this: 

Spoiler

A8SwSH8.png


Copy the output & paste it somewhere where you can find it back & type 'ammo' above it.
How to copy it?
Select it with your mouse & hit enter, this will copy it. You can 'ctrl + c it' too, but it will ask you to quit lldb & we don't want that.

Alright, now type 'continue' or 'c' in lldb to continue the game
Make a change in grenades, the game will freeze & we know now this is good!
We also know how the lldb windows looks like & what the ida offset is. (WRITE IT DOWN = WRITE DOWN TO WHAT THE VALUE CHANGED)

Type again 'register read' & do the same progress you did with the ammo, but now type 'grenades' above it.
I suggest you to register read when the you have more then 0 grenades, otherwise it's harder to see which register is the real one.

Now we have both, close lldb.

Alright, now we know both offsets & what every register means, it's easy peasy to hack.
Let's look into the ammo function first, it looks like this: 

Spoiler

onaxkHE.png

Alright, there are most of the times multiply ways to hack something.
This is the exact code written:

LDR             R0, [R10,#0x88]
LDR             R0, [R0,#0x70]
CMP             R5, R0
BLT             loc_152764
LDR             R0, [R10,#0x88]
LDR             R1, [R0,#0xAC] //
SUB             R1, R1, #1 //
STR             R1, [R0,#0xAC] //
MOV             R0, #1  ; The address where it drops us
STRB            R0, [R10,#0x1AE]
MOV             R0, #1
STRB            R0, [R10,#0x1AF]
LDR             R0, [R10,#0x1CC]
ADD             R0, R0, #1
STR             R0, [R10,#0x1CC]
LDR             R0, [R10,#0x88]
VLDR            S0, [R0,#0x68]
VCVT.F64.F32    D2, S0
VCVT.F32.F64    S0, D2
VSTR            S0, [R10,#0x284]
LDR             R0, [R10,#0x174]
LDR             R1, =(unk_C80D00 - 0x15281C) //
B               loc_152814

Alright, we also know what all Registers means. lldb gives the values in HEX decimal
We only know the values in decimal.
We wrote down what our ammo changed to, which was for me 29.
29 in hex = 1D
Register 1 (R1) holds that value, which means that's our ammo.

Spoiler

General Purpose Registers:
        r0 = 0x1501c9c0
        r1 = 0x0000001d <-----> our ammo
        r2 = 0x00000001
        r3 = 0x15308038
        r4 = 0x00000001
        r5 = 0x00000001
        r6 = 0x00000058
        r7 = 0x00e3da94
        r8 = 0x00000000
        r9 = 0x00000000
       r10 = 0x16734cc0
       r11 = 0x00e3d374
       r12 = 0x0068f80c  TriggerFist.__TEXT.__text + 6866268
        sp = 0x00e3d374
        lr = 0x00608044  TriggerFist.__TEXT.__text + 6311316
        pc = 0x001527d4  TriggerFist.__TEXT.__text + 1373476
      cpsr = 0x60000010

 

As you can see in the code, we see some R1, R0, R5, R10 etc.
R1 is which is important for us now.
As you can see in the code above the 'register read' output, I wrote // after each instruction with a R1 in it.

Which are these four:
 

Spoiler

LDR             R1, [R0,#0xAC] //Loads the value stored in R0,#0xAC into R1 (#0xAC is a sort of variable, likely for ammo, R0 is holding a adress for some object)
SUB             R1, R1, #1 // Substracts the value of one from R1 (ammo) into R1 (ammo)
STR             R1, [R0,#0xAC] //Stores R1 (ammo) into what's stored in R0,#0xAC (#0xAC is a sort of variable, likely for ammo, R0 is holding a adress for some object)
LDR             R1, =(unk_C80D00 - 0x15281C) //I've no idea, it does load something into our ammo atleast.

 

 

I wrote down what they mean.

 

Anyways,
The sub instruction is the most used way to hack ammo
Why?

Well.. when you shoot, one bullet wil go away.. 
This instruction Substracts 1 from R1 (ammo) into R1 (ammo)

We can hack a SUB in diffrent ways.

1. NOP the instruction, what this does is skip the instruction and does nothing
2. Change the #1 to #0, which would substract 0 from our ammo.
3. Change the SUB to ADD, which would ADD ammo instead of substracting.
4. Change the SUB to MOV R1, R7, which would move the value of 803 millioin into our ammo.

We can also hack it using the first LDR from above & the STR function.

How we hack the LDR:

- LDR R1, [R0,#0xAC] to LDR R1, [R7,#0xAC] --> What this does is load R7 (803 million) into our ammo instead of what the normal value should be.

This works because it's loading uninitialized memory into R0

How we hack the STR:

- STR R1, [R0,#0xAC] to STR R7, [R0,#0xAC] --> what this does is stores R7 into R0,#AC] instead of storing our normal ammo.

When you're hacking a binary, you need to know what kind of 'HEX' it is.
How to find out:

Spoiler

 

1. go to: http://armconverter.com  @DiDA :wub:
2. copy the ida instruction into the box & click convert (SUB R1, R1, #1 in this example)
3. you see under you've diffrent outcomes
4. go back to IDA
5. select the sub instruction & click hex view, there will be highlighted number, compare this with armconverter & see which one is the same.

6. Now you know what kind of HEX it is & you can hack.

 

When you know that you can change the instruction which you like.
Let's change the SUB instruction to MOV R1, R7
The outcome in armconverter will be 0710A0E1, because this game is ARM-HEX.

Normally you patch the binary manually using a hex editor, somehow this is not working for me on this game.
Maybe for some others it does I don't know.
These are the steps if you wanna try it:

Load the same binary you loaded into IDA in HxD.
I suggest you to make a backup though.

We need to go to our SUB instruction offset, which is: 1527CC
How do I know?
See here: 

Spoiler

7XzQ8L5.png

Go to that offset in HxD, by doing 'ctrl + G' or 'edit - goto'
This is it, this is what we're gonna hack.

Spoiler

LkmnVN9.png

Alright, I'm going to hack it by MOV R1, R7 the SUB instruction.
You can do whatever you prefer, but remember do it in ARM-HEX!!

It will look like this:

Spoiler

sttQdgg.png

Now save it.
We wanna test it, but we need to sign it first.
Paste the hacked binary into var/mobile with iFunbox or whatever you like.

Type in SSH window: cd /var/mobile & then type: ldid -s TriggerFist
You're done, if it doesn't work see this topic by @shmooSign Binary Topic

Now replace it into your application folder like you did before with the same premissions.

Test the hack.

I'm using a Code Injection Template with Theos, if you never used theos, you need to set this up.
If you do paste this nic template into your /var/theos/templates/iphone/HERE
Link to template: Code Injection Template made by @DiDA

 

You set up a project like you normally do & change the tweak.xm, which looks like this:

Spoiler

d54n94Q.png

Change it to this: 

D91RAQs.png

Why? 

The first offset, is the ida hex offset & the second is the hacked offset.

Compile it & test it.

The grenades function is for you guys, you can try this on your own!
You guys have the 'read register' output, so you can do it!

Let me know if you succeed :)

Hope you learned something :)

PS: there will come some more advanced tutorial soon, also with lldb.

 

Another game you can practice with is Sniper 3D, ammo is easy & resources are same offsets but maybe more 'challenging '

 

Credits:

- @Ted2

- @shmoo see his comment, he fixed some errors: HERE

Edited by RudePerson
Fixed some things through Shmoo's comment.
  • Like 27
  • Thanks 8
  • Haha 2
  • Upvote 4
  • Agree 4
  • Informative 4
  • Winner 7

Share this post


Link to post
Share on other sites

@Goran this is not Coin Dozer, coin dozer will be in my more 'advanced tutorial'

the watchpoints you get from coin dozer, are not directly the right addresses. So that's why I'll cover that in my more advanced & it will be a video.

  • Thanks 1

Share this post


Link to post
Share on other sites
3 hours ago, Ted2 said:

@Goran this is not Coin Dozer, coin dozer will be in my more 'advanced tutorial'

the watchpoints you get from coin dozer, are not directly the right addresses. So that's why I'll cover that in my more advanced & it will be a video.

m8 this can be done on android also right 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Similar Content

    • By iGods
      In this tutorial, I'll be showing you how to duplicate your favorite apps/games on your iOS 11 Electra Jailbreak. I'll be using WhatsApp as an example. Tested working on iPhone 8, 11.3.1. Take note that not all apps/games can be duplicated.
      Requirements:
      - Filza File Manager (BigBoss repo)
      - AppSync Unified (Karen's repo)
      Instructions:

      Hidden Content
      React or reply to this topic to see the hidden content. More info
    • By AboJweideh
      Instructions: 
      Use any interposer sim with edit iicid feature
      Insert your sim with interposer to the sim tray Wait for the activation pop up click dismiss press home then emergency call dial *5005*7672*00# the press call you can also use *5005*7672*88# or *5005*7672*5858# for some interposer sims if you want directly enter the iccid code/the bugged code , after activation and your on the homescreen eject your simcard and remove the interposer sim, insert the simcard again and voila your iphone is factory unlocked now you can use any sims without activation problem and no need to repeat the process the get a sim and insert it.
      Here is the code
      ICCID UPDATED / august 3
      89014104277806047589
      Any interposer sims : ex (Rsim 12,turbo sim gevey,Gpp) all with edit iccid will work
      But you can pm me if this code gets detected Hope it will not get patched easily on apple servers
      For those who are already have jailbroken iPhone you can BACK UP /VAR/ROOT/LIBRARY/LOCKDOWN FOLDER!! Then you could restore the ticket with a future iOS 12
      THIS METHOD WILL WORK WITH ANY IPHONE , JAILBROKEN / NON-JAILBROKEN
    • By mikeyb
      Ok this will only work on mac os
      If you don't own a mac use VMware there are lots a tuts for getting Vmware set up with mac even if u have a amd processor like me :p
      ok 1st download this debugger and place in /usr/bin/ set permission  775
      Hidden Content
      React or reply to this topic to see the hidden content. More info
      Ok now to begin
      1st Make sure you have xcode installed to be able to use lldb.
      1. You will have to install usbmuxed and iproxy. To do this open a terminal in mac and type 
      brew install usbmuxd when it's downloades and installed open another terminal and type
       
      iproxy 2222 22 & When it's opened new port at 2222 close terminal and open another type iproxy 6666 6666 & It will say waiting for connection leave terminal open just minimize it 2.  Connect your phone via usb cable make sure you set up VMware usb config so you can connect.
      Open 2 new teminals and 
      Type
      ssh -p 2222 root@localhost In both to connect to your device,When connected 
      In 1 terminal Type 
      debugserver device ip debugserver will start 
      in the other terminal Type
      ps ax this will show you pid of debugserver
      now type
      /electra/jailbreakd_client <debugserver pid> 1  
      Now u can close debugserver terminal and stay in pid 1
      Type 
      /usr/bin/debugserver localhost:6666 -a <game pid or game binary name> either 1 will work game will now attach
      open new terminal for lldb
      type lldb
      when lldb is ready type
      process connect connect://localhost:6666 now it will connect give it a bit sometimes lldb take long than others all depends on game. Once it have
      type image list
      Go right to the top to very 1st call you will see game name example
      Var/container/bundle/gamename  0x0000000100fa4000
      this is the aslr slide take a note of it as it changes every time you detach and re-attach game
      now you have you offset from igg ect
      type in lldb w s e -- 0xiggadress
      then
      c to continue
      when you a hit it will show like below
      value will be here:
      0x101703d78 <+7732600>: ldr    x20, [x19, #0x30]     0x <+7732604>: adrp   x24, 9017     0x101703d80 <+7732608>: add    x24, x24, #0xeb8          ; =0xeb8     0x101703d84 <+7732612>: ldr    x0, [x24] TropicThunderDev`_mh_execute_header: ->  0x101c1be88 <+13074056>: ldr    w8, [x19, #0x50]     0x101c1be8c add    w8, w8, #0x1              ; =0x1     0x101c1be90 <+13074064>: str    w8, [x19, #0x50]     0x101c1be94 <+13074068>: ldp    x29, x30, [sp, #0x70]
      now remember your aslr
      example 0x0000000100fa4000
      now subtract fa4000 from the offsets you got.
      0x101c1be8c - fa4000
      Use the new offset in ida that's all to it :p
       
  • Recently Browsing   0 members

    No registered users viewing this page.


    • Administrator |
    • Global Moderator  |
    • Moderator  |
    • ViP Plus |
    • ViP |
    • Cheater  |
    • Modder  |
    • Novice Cheater |
    • Rookie Modder |
    • Contributor |
    • Senior Member |
    • Member |
×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.