Help/Support How to deal with fixed value in memory with LLDB

Curtain · January 15, 2018

I want to find IDA address by LLDB.
New puzzle. Convert memory address to IDA address in any way
I found the correct memory address through other ways, but the value of this memory address does not change through the game, so the watchpoint will not be HIT when i set watchpoint, finally unable to find the IDA address.
I have tried to change the memory data, but watchpoint still does not HIT
I am grateful for any help

Edit:The Game Name is "Knives Out By NetEase Games"

Features::Characters become larger(easy to shoot)

search for 0.78(F64) with IGG ,then tap "neaby" and search for 1(auto or F64,in my case search use auto type),then search for 1.000(F64) ,you will get four or five results, change the last one(1.0000) to 5.000, characters will 5 times the size compared to the original.

@DiDA

@shmoo

@xiaov

@Mayaxaya

@Joka

Updated January 16, 2018 by Curtain

jayvee · January 15, 2018

modify it using memory editor? im sure your watchpoint hits as long as there is changes made

Curtain · January 16, 2018

19 hours ago, jayvee said:

modify it using memory editor? im sure your watchpoint hits as long as there is changes made

In general, the conditions of breakpoints triggered by the operation of the game changes, so modify the memory value can not trigger a breakpoint ,I have already tried.

jayvee · January 16, 2018

but watchpoint triggers as long as theres a changes on that address. watchpoint and breakpoint are different thing

January 16, 2018

9 hours ago, Curtain said:

In general, the conditions of breakpoints triggered by the operation of the game changes, so modify the memory value can not trigger a breakpoint ,I have already tried.

I understand what you're saying. I've had this happen to me before, but it hasn't happened in a long time.

Player size must be held in some instance variable of the player class. Since your watchpoint isn't hitting because the value never changes, I believe your best bet would be to find any function that is apart of the player class, and find the register where the this/self pointer is stored. Set a breakpoint on any LDR or STR instruction with the register where the this pointer is stored, and let it hit. Then you can examine the instance variables of that object by doing

<register>+0xnumber

. Lets say you find R0 as the register thats holding the this pointer. In GDB, you would do

x/i $r0+0x4

to access the first instance variable, then

x/i $r0+0x8

to access the second, and so on. Keep counting by 0x4. You want to keep doing this until GDB spits out 1.0. The great thing about GDB is that you can tell what kind of format you want it to put the number in. In your case it would be a float, so you would do

x/f $r0+0x4

and so on until you see 1.0.

You can also see strings this way Just do

x/s $r0+0x4

. It doesn't apply to what you're doing right now, but its just a tip for things later on. GDB is amazing. Its like a weapon

Once you do find the register/number combination that gives back 1.0, write it down. Do a hex search in IDA for

LDR Rx, [<your register/number combination>

, for 0<=x<=12. Then if you dont come up with any results, do

VLDR Sx, [<your register/number combination>]

, for 0<=x<=18.

Its very far fetched but it may work. Good luck! And great idea about changing player size.

Updated January 16, 2018 by Guest
additional info

LeePham · March 7, 2021

On 1/16/2018 at 2:55 PM, Guest said:
I understand what you're saying. I've had this happen to me before, but it hasn't happened in a long time.

Player size must be held in some instance variable of the player class. Since your watchpoint isn't hitting because the value never changes, I believe your best bet would be to find any function that is apart of the player class, and find the register where the this/self pointer is stored. Set a breakpoint on any LDR or STR instruction with the register where the this pointer is stored, and let it hit. Then you can examine the instance variables of that object by doing
<register>+0xnumber
. Lets say you find R0 as the register thats holding the this pointer. In GDB, you would do
x/i $r0+0x4
to access the first instance variable, then
x/i $r0+0x8
to access the second, and so on. Keep counting by 0x4. You want to keep doing this until GDB spits out 1.0. The great thing about GDB is that you can tell what kind of format you want it to put the number in. In your case it would be a float, so you would do
x/f $r0+0x4
and so on until you see 1.0.

You can also see strings this way Just do
x/s $r0+0x4
. It doesn't apply to what you're doing right now, but its just a tip for things later on. GDB is amazing. Its like a weapon

Once you do find the register/number combination that gives back 1.0, write it down. Do a hex search in IDA for
LDR Rx, [<your register/number combination>
, for 0<=x<=12. Then if you dont come up with any results, do
VLDR Sx, [<your register/number combination>]
, for 0<=x<=18.

Its very far fetched but it may work. Good luck! And great idea about changing player size.