[IDA Tutorial] How to Disable Memory Checks

[Guest]

When developers make a game, sometimes they include memory checks to make things harder to hack. But what are memory checks? Memory checks are checks to make sure that a certain value, for example, money has been hacked. If it has been hacked, the memory check will kick in and set it back to its original, unhacked value. This is why when you test in iGameGuardian, GDB, LLDB, etc. your hack will not work. But we want our hacks to work, so here is how to disable them This is also only an example function

Hidden Content

General background info: R0 holds your previous value of money. R5 holds the cost. R10 holds the new value of money after you bought something. The IDA offset for money will be 0xA99F8: STR R10, [R6, #32].

Here is the example function that I came up with:

0xA99C0 CMP R0, R10 //compare R10 with R0
0xA99C4 BLE 0xA99E8 //branch to 0xA99E8 if it is less than or equal to
0xA99C8 LDR R0, [R6, #32] //load R6+32 into R0
0xA99CC SUB R5, R0, R10 //subtract R0 (previous money value) with R5 (cost) and put that value into R10
0xA99D0 MOV R0, R6 //move R6 into R0
0xA99D4 BL 0x30E7B0 //branch with link to 0x30E7B0
0xA99D8 ADD R1, R0, R5 //add R0 with R1 and put that value into R5
0xA99DC MOV R0, R6 //move R6 into R0
0xA99E0 BL 0x30E7C0 //branch with link to 0x30E7C0
0xA99E4 MOV R0, R6 //move R6 into R0
0xA99E8 BL 0x30E7D0 //branch with link to 0x30E7D0
0xA99EC ADD R1, R0, R5 //add R0 with R1 and put that value into R5
0xA99F0 MOV R0, R6 //move R6 into R0
0xA99F8 STR R10, [R6, #32] //IDA offset, store R10 (new money value) into R6+32

          I'm sure you know that the equivalent of spending in a game is subtracting. Knowing that, logically you would change 0xA99CC to MOV R10, R7. And you are right for thinking that , but it won't work because of the memory check. Earlier you read that R0 holds the previous value of money, R5 holds cost, and R10 holds the new value after spending.

          So you want to look for a "CMP" (compare) instruction that compares the previous value of money with the new value of money that is followed by a branch to somewhere. If the branch is BGT (branch if greater than), BLT (branch if less than), BNE (branch if not equal), or BLE (branch if less than or equal to), you usually have found the memory check. And there is one, at the beginning of the function: 0xA99C0: CMP R0, R10 followed by 0xA99C4: BLE 0xA99F8, or our IDA offset. That is telling the game to compare R10 with R0 and branch to 0xA99C4, or our IDA offset, and store the unhacked money value into R6+32 if R10 is less than or equal to R0.

          To defeat the memory check, you can NOP the branch to 0xA99F8 (our IDA offset) or change CMP R0, R10 to CMP R0, R0 or CMP R10, R10 so that the memory check (the CMP R0, R10) occurs but has no effect because the branch is NOP'ed or it is comparing itself to itself. And now you can change the SUB R5, R0, R10 (0xA99CC) to MOV R10, R7, and it will work!

Recap:
- R0 holds our previous value of money, R5 holds cost, and R10 holds the new value of money.
- Our IDA offset is 0xA99F8, STR R10, [R6, #32].
- Memory checks usually compare an old value of something with a new value of something, followed by a branch. They usually are BNE's (branch if not equal), BGT's (branch if greater than), BLT (branch if less than), or BLE's (branch if less than or equal to)
- You can NOP the branch after the CMP to disable memory checks, or you can change CMP RX, RY to CMP RX, RX or CMP RY, RY to compare values to itself rather than comparing values to another value.

Extra info:
- Never NOP a CMP before a branch because a branch is literally a true or false type of instruction, and by doing that it the game will write both true and false, which will result in a crash.
- Breakpoints really help with memory checks, if you set a breakpoint on what you think is a memory check, you will know if you got it if it hits or not.
- If a breakpoint for what you think is a memory check hits, type "info r" for GDB or "reg re" in LLDB. That will let you see what registers hold what, and you can determine if you found the memory check or not. For example, if what you think you've found the memory check for a CMP R0, R3 followed by a BNE (branch if not equal), and the registers R0 and R3 are equal to each other, you have probably found the memory check.
- This only applies to you if NOP'ing the branch does not work, or if you just decide to hack the CMP. Always check if the CMP is in ARM or thumb, and patch accordingly. If you patch a thumb instruction with an ARM instruction the game will crash. But how will you know if it is in thumb or in ARM? What you have to do it highlight the hex in IDA then go to "Hex View 1". If the hex is like this:

00 00 00 00

it is in ARM, but if the hex is like this:

00 00

it is in thumb. Think of it like this: an arm is longer than a thumb, so logically hex in ARM will be longer than hex in thumb.

I hope this helped! Also be sure to ask any questions if you have any

Updated April 24, 2015 by Guest

[Amuyea 86.9k iPhone 7 Plus 14.3]

Good to know that

[AnotherLurker 1.5k]

Good job

[Curtain 485 31 8.1.2]

let me see

 

e ...

 

0xA99C0 CMP R0, R10 //compare R10 with R0
0xA99C4 BLE 0xA99E8 //branch to 0xA99E8 if it is less than or equal to

 

 

 

if R10 less or eq  R0,then branch to 0xA99E8..

so why you wrote 0xA99F8

 

is it wrong ?

Updated April 24, 2015 by zzmutu

[Guest]

let me see

 

e ...

 

0xA99C0 CMP R0, R10 //compare R10 with R0

0xA99C4 BLE 0xA99E8 //branch to 0xA99E8 if it is less than or equal to

 

 

 

if R10 less or eq  R0,then branch to 0xA99E8..

so why you wrote 0xA99F8

 

is it wrong ?

It's not wrong, it should be like that  

 

You don't always have to branch to a function, you can also branch directily to offsets. 

[version 5 6]

Nice

[ipaarchive.com 11k]

lets see what took you over 1 hour to patch 

cant see any checks but anyway there are 3 ways to do what you want:

change cost to 0 

change your money on the load 

change the final money

Updated April 24, 2015 by iOSv64

[Guest]

lets see what took you over 1 hour to patch

cant see any checks but anyway there are 3 ways to do what you want:

change cost to 0

change your money on the load

change the final money

Well it took me an hour because I was doing x/i in GDB because my SSH is screwed up, and yeah I knew that. I just wanted to hack the SUB because it was quicker

 

edit: actually, as a challenge for myself I could time myself and see how long it takes me to make the cost 0, thanks for that idea

Updated April 24, 2015 by Guest

[ipaarchive.com 11k]

Well it took me an hour because I was doing x/i in GDB because my SSH is screwed up, and yeah I knew that. I just wanted to hack the SUB because it was quicker

 

edit: actually, as a challenge for myself I could time myself and see how long it takes me to make the cost 0, thanks for that idea

there is also a 4th solution , just mov r0 #0 bx lr the whole function ahah

[Guest]

there is also a 4th solution , just mov r0 #0 bx lr the whole function ahah

Oh yeah I forgot about that, I'm guessing that's how free store was done in FG: Quest for Stuff? (never tried it myself)

 

00207047