Help/Support Help to hack Address (ARM64)

[godfather9797 126 iPhone 7 11.3.1]

hi
i want to  hack this game https://itunes.apple.com/us/app/tap-titans-2/id1120294802?mt=8&uo=4&at=1010lce4
the thing that i want to hack is mana ( freezing or infinity mana ), by IDA and LLDB , and this is the adress of gameplayer 10C38E830 and it is a float
so i set  watcpoint in lldb w s e -- 0x10C38E830, and i get these three addresses

0x10046c0f8:  mov    x0, x19
0x10046c0fc:  orr.16b v0, v8, v8
0x10046c100:  ldp    x29, x30, [sp, #48]

(lldb) x/i 0x10046c0f0
0x10046c0f0:  0x54000120   b.eq   0x24
(lldb) x/i 0x10046c0f4
0x10046c0f4:  0xbd02f260   str    s0, [x19, #752]
(lldb) x/i 0x10046c0f8
0x10046c0f8:  0xaa1303e0   mov    x0, x19
So the LLDB Address is  10046c0f8  , 10046c0f8 − 44000 = 1004280f8  this is the address of IDA after subtract ASLR
load thin (arm64) binary in IDA and i jumped to this address 1004280f8 and i found this function
__text:00000001004280F4                 STR             S0, [X19,#0x2F0]
 
how can i modification this Address to get freezing or infinity mana
and there are the  register When LLDB breaks
s0 = 13.6334
        s1 = 13.6
        s2 = 1.52466e-020
        s3 = 0
        s4 = -1.#QNAN
        s5 = -1.66304e+038
        s6 = 0
        s7 = 0
        s8 = 13
        s9 = 35
       s10 = 0.0333333
       s11 = 13.6
       s12 = 0
       s13 = 0
       s14 = 0
       s15 = 0

and a photo for mana inside the game
https://imgur.com/zNp0dBY

and these are the addresses above the address 1004280f8 After changed to graph view
https://imgur.com/Ooc1kUD
https://imgur.com/TL6GRva
https://imgur.com/h0KjoiZ

 

Updated December 20, 2017 by godfather9797
more information

[Guest]

On 12/20/2017 at 4:36 AM, godfather9797 said:

hi
i want to  hack this game https://itunes.apple.com/us/app/tap-titans-2/id1120294802?mt=8&uo=4&at=1010lce4
the thing that i want to hack is mana ( freezing or infinity mana ), by IDA and LLDB , and this is the adress of gameplayer 10C38E830 and it is a float
so i set  watcpoint in lldb w s e -- 0x10C38E830, and i get these three addresses

0x10046c0f8:  mov    x0, x19
0x10046c0fc:  orr.16b v0, v8, v8
0x10046c100:  ldp    x29, x30, [sp, #48]

(lldb) x/i 0x10046c0f0
0x10046c0f0:  0x54000120   b.eq   0x24
(lldb) x/i 0x10046c0f4
0x10046c0f4:  0xbd02f260   str    s0, [x19, #752]
(lldb) x/i 0x10046c0f8
0x10046c0f8:  0xaa1303e0   mov    x0, x19
So the LLDB Address is  10046c0f8  , 10046c0f8 − 44000 = 1004280f8  this is the address of IDA after subtract ASLR
load thin (arm64) binary in IDA and i jumped to this address 1004280f8 and i found this function
__text:00000001004280F4                 STR             S0, [X19,#0x2F0]
 
how can i modification this Address to get freezing or infinity mana
and there are the  register When LLDB breaks
s0 = 13.6334
        s1 = 13.6
        s2 = 1.52466e-020
        s3 = 0
        s4 = -1.#QNAN
        s5 = -1.66304e+038
        s6 = 0
        s7 = 0
        s8 = 13
        s9 = 35
       s10 = 0.0333333
       s11 = 13.6
       s12 = 0
       s13 = 0
       s14 = 0
       s15 = 0

and a photo for mana inside the game
https://imgur.com/zNp0dBY

and these are the addresses above the address 1004280f8 After changed to graph view
https://imgur.com/Ooc1kUD
https://imgur.com/TL6GRva
https://imgur.com/h0KjoiZ

 

just NOP the STR, if the game is never storing the updated mana value it will always use the initial mana value, making it infinite

[godfather9797 126 iPhone 7 11.3.1]

1 hour ago, shmoo said:

just NOP the STR, if the game is never storing the updated mana value it will always use the initial mana value, making it infinite

Thanks for your replay,
but can you help with how to use NOP function

[Guest]

8 hours ago, godfather9797 said:

Thanks for your replay,
but can you help with how to use NOP function

NOP is an instruction for 'do nothing'

 

So, in your Tweak.xm, you would do: writeData(0x1004280f4, 0x1f2003d5);

 

That should work