shmoo

TuT [IDA Tutorial]How to Disable Memory Checks

120 posts in this topic


When developers make a game, sometimes they include memory checks to make things harder to hack. But what are memory checks? Memory checks are checks that verify whether a certain value, for example money, has been hacked. If it has been hacked, the memory check will kick in and set it back to its original, unhacked value. This is why, when you test in iGameGuardian, GDB, LLDB, etc., your hack will not work. But we want our hacks to work, so here is how to disable them :snoop: This is also only an example function :snoop:



I hope this helped! Also be sure to ask any questions if you have any :)

Edited by shmoo

let me see (y)

e ...

0xA99C0 CMP R0, R10 //compare R10 with R0
0xA99C4 BLE 0xA99E8 //branch to 0xA99E8 if it is less than or equal to

if R10 is less than or equal to R0, then branch to 0xA99E8..

so why did you write 0xA99F8?

is it wrong?
Edited by zzmutu

  • Topic Author
  • zzmutu said: let me see (y)

    0xA99C0 CMP R0, R10 //compare R10 with R0
    0xA99C4 BLE 0xA99E8 //branch to 0xA99E8 if it is less than or equal to

    if R10 is less than or equal to R0, then branch to 0xA99E8..

    so why did you write 0xA99F8? is it wrong?

    It's not wrong, it should be like that :)

    You don't always have to branch to a function, you can also branch directly to offsets.

    let's see what took you over 1 hour to patch :wallbash:

    Can't see any checks, but anyway there are 3 ways to do what you want:

    [screenshot: rGpKGk8.png]

    change cost to 0
    change your money on the load
    change the final money

    Edited by iOSv64
  • Topic Author
  • iOSv64 said: let's see what took you over 1 hour to patch :wallbash:
    Can't see any checks, but anyway there are 3 ways to do what you want:
    change cost to 0
    change your money on the load
    change the final money

    Well, it took me an hour because I was doing x/i in GDB because my SSH is screwed up, and yeah, I knew that. I just wanted to hack the SUB because it was quicker.

    edit: actually, as a challenge for myself I could time myself and see how long it takes me to make the cost 0, thanks for that idea :)

    Edited by shmoo

    Well it took me an hour because I was doing x/i in GDB because my SSH is screwed up, and yeah I knew that. I just wanted to hack the SUB because it was quicker

     

    edit: actually, as a challenge for myself I could time myself and see how long it takes me to make the cost 0, thanks for that idea :)

    there is also a 4th solution , just mov r0 #0 bx lr the whole function ahah

    Share this post


    Link to post
    Share on other sites
  • Topic Author
  • iOSv64 said: There is also a 4th solution: just MOV R0, #0; BX LR the whole function, ahah.

    Oh yeah, I forgot about that. I'm guessing that's how free store was done in FG: Quest for Stuff? (never tried it myself)

    00207047
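Added example (not code from shmoo, zzmutu or iOSv64, and not taken from any game): the two patching ideas in this thread, making the CMP R0, R10 / BLE 0xA99E8 skip unconditional and stubbing a whole function out with MOV R0, #0; BX LR (the "00207047" above), worked through in Python. The branch encoder/decoder is ARM-mode (A32) only; the return-zero stub is Thumb. The 40-byte image built in demo_bypass_check() is constructed for the demo: the real binary, its file offsets, and whatever sits between 0xA99C8 and 0xA99E8 are assumptions. patch() refuses to write unless the bytes already at the offset are the ones you expect, which is the check to do before touching a real binary (wrong app version, still-fat binary, or an ASLR slide that was not subtracted all show up as a mismatch).

```python
import struct

# Condition codes in bits 31:28 of an ARM-mode (A32) instruction.
ARM_COND = {
    "EQ": 0x0, "NE": 0x1, "CS": 0x2, "CC": 0x3, "MI": 0x4, "PL": 0x5,
    "VS": 0x6, "VC": 0x7, "HI": 0x8, "LS": 0x9, "GE": 0xA, "LT": 0xB,
    "GT": 0xC, "LE": 0xD, "AL": 0xE,
}
COND_NAME = {v: k for k, v in ARM_COND.items()}

# ARM-mode NOP as hex patchers usually write it: MOV R0, R0 (E1A00000, stored little-endian).
ARM_NOP = bytes.fromhex("0000A0E1")
# Thumb "return 0" stub from the thread: MOVS R0, #0 (0x2000) followed by BX LR (0x4770).
THUMB_MOVS_R0_0 = bytes.fromhex("0020")
THUMB_BX_LR = bytes.fromhex("7047")


def encode_arm_branch(addr, target, cond="AL", link=False):
    """B{cond} / BL{cond} <target> as it would sit at ARM-mode address `addr`.

    The offset is measured from addr+8 (the PC value the instruction sees),
    counted in words, and stored as a signed 24-bit field."""
    delta = target - (addr + 8)
    if delta % 4:
        raise ValueError("ARM branch targets must be 4-byte aligned")
    if not -(1 << 25) <= delta < (1 << 25):
        raise ValueError("target out of range for a 24-bit word offset")
    imm24 = (delta >> 2) & 0xFFFFFF
    word = (ARM_COND[cond] << 28) | (0b101 << 25) | (int(link) << 24) | imm24
    return struct.pack("<I", word)


def decode_arm_branch(addr, raw):
    """Inverse of encode_arm_branch: (mnemonic, target), or None if `raw` is not a B/BL."""
    (word,) = struct.unpack("<I", raw)
    cond = word >> 28
    if (word >> 25) & 0b111 != 0b101 or cond == 0xF:
        return None
    imm24 = word & 0xFFFFFF
    if imm24 & 0x800000:          # sign-extend the 24-bit field
        imm24 -= 1 << 24
    mnemonic = "BL" if (word >> 24) & 1 else "B"
    if cond != ARM_COND["AL"]:
        mnemonic += COND_NAME[cond]
    return mnemonic, addr + 8 + (imm24 << 2)


def thumb_return_zero():
    """The 4-byte Thumb stub that makes a function return 0 immediately."""
    return THUMB_MOVS_R0_0 + THUMB_BX_LR


def patch(image, base, addr, expected, new):
    """Write `new` over the bytes at IDA address `addr` in `image` (a bytearray whose
    first byte lives at address `base`), but only if the bytes there are `expected`.
    That check is what catches a wrong offset, a wrong binary or an already-patched file."""
    if len(new) != len(expected):
        raise ValueError("replacement must be the same size as the bytes it overwrites")
    off = addr - base
    if not 0 <= off <= len(image) - len(expected):
        raise ValueError(f"address {addr:#x} is outside the image")
    current = bytes(image[off:off + len(expected)])
    if current != expected:
        raise ValueError(f"bytes at {addr:#x} are {current.hex()}, expected {expected.hex()}")
    image[off:off + len(new)] = new
    return image


def demo_bypass_check():
    """Constructed 40-byte image standing in for the game (not the real binary):
    CMP R0, R10 at 0xA99C0 and BLE 0xA99E8 at 0xA99C4, the two instructions quoted
    in the thread, followed by NOP placeholders up to the branch target 0xA99E8."""
    base = 0xA99C0
    cmp_r0_r10 = bytes.fromhex("0A0050E1")                    # CMP R0, R10 = E150000A
    ble = encode_arm_branch(0xA99C4, 0xA99E8, cond="LE")      # 07 00 00 DA
    image = bytearray(cmp_r0_r10 + ble + ARM_NOP * 8)
    # Turn the conditional skip into an unconditional one, so whatever sits between
    # 0xA99C8 and 0xA99E8 (on a real target: the code that resets the value) never runs.
    always = encode_arm_branch(0xA99C4, 0xA99E8)
    patch(image, base, 0xA99C4, expected=ble, new=always)
    return bytes(image)
```

Whether the right rewrite is B, a NOP, or the opposite condition depends on which side of the compare holds the code that writes the old value back, so read the target in IDA before choosing. A patched binary also still has to be re-signed (for example with ldid -s) before iOS will launch it.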


    • Similar Content

      • By Fadexz
        Here's how to install iGameGuardian without "Initialisation Error". I figured I would make a tutorial because there isn't much out there.

      • By KingRalph
        Updated tutorial: 


        What Is Theos?
        Theos is a cross-platform suite of development tools for managing, developing, and deploying iOS software without the use of Xcode. It is an important tool for people building extensions (tweaks) for jailbroken iOS; most extension developers use Theos.


        What Is setuptheos?
        setuptheos is a deb file I created that will automatically install theos and all its dependencies. It started off as a deb file I created for my convenience, but as I continued development, I realized that the other members could benefit from it, so I decided to make it public for your convenience.

        How Do I Install setuptheos?
        For iOS:
        Just download the DEB from the link below!

        Then find the deb on your device, and install it using filza! (tap the DEB and press install)

        For Mac:
        Download the zip archive from the link below!

        Then unarchive it in $HOME

        How Do I Use setuptheos?
        For iOS:
        First, make sure you have all the required dependencies installed:

        Then, make sure you have a reliable wi-fi connection. Then, install the deb from the link above. Then open MobileTerminal and type the following code:

            su alpine          # or your root password
            setuptheos.sh

        If you want to set up everything at once, type this in terminal instead:

            su alpine          # or your root password
            setuptheos.sh setupAll

        setuptheos will always display a message in terminal that will notify you when the process is complete.
        For more info, refer to the video tutorials
        For Mac:
        First install the latest version of python from https://www.python.org/downloads/

        Open terminal and type the following commands:
            cd
            sudo ~/setuptheos_python_assets/setuptheos.py

        If you want to set up everything at once, type this:

            cd
            sudo ~/setuptheos_python_assets/setuptheos.py setupAll

        For more info, refer to the video tutorials

        Why Should I Use setuptheos for iOS?
        1: setuptheos installs the most up to date theos version with arm64 support
        2: setuptheos installs the most up to date iOS sdk
        3: setuptheos installs essential repositories for iOS development
        4: setuptheos installs essential and most up to date iOS headers
        5: setuptheos takes less than 2 minutes to fully configure everything! (super fast)
        6: setuptheos cleans up all junk files that it creates
        7: setuptheos accepts user input! (Install what you want!)
        8: setuptheos has a "setupAll" option! Useful for setting up everything at once! >:^D
        9: setuptheos installs custom NIC templates (courtesy of iOSGods)

        Why should I use setuptheos for Mac?
        1: setuptheos installs the most up to date build of theos with arm64 support
        2: setuptheos installs essential and most up to date iOS headers
        3: setuptheos takes less than 2 minutes to fully configure everything! (super fast)
        4: setuptheos can be reused multiple times!
        5: setuptheos installs custom NIC templates (courtesy of iOSGods)

        More Information:
        For more information on theos, iOS, and mobilesubstrate, click the link(s) below:
        http://iphonedevwiki.net/index.php/Theos
        http://theiphonewiki.com
        http://CydiaSubstrate.com

        Credits:

        @KingRalph - For making the deb
        @DiDA - For helping to fix errors

        Don't leech my code and try and take credit for it. I. Will. Find. You.
         
        View the source code on github
      • By LegitSouljaa
        So, I thought hard about this, the ability to block ads on my mobile device entirely. I really hate using any type of VPN, which slows my internet, and I have no security risk with my IP being public, so I never use one. However, with me thinking I said, what about a DNS which routes your requests and blocks those ads? It's better, faster, and more efficient than using a VPN.
        I did some searching, and came across this site. This site was all I needed. How to use it?
        On your mobile device, navigate to Settings > Wifi > (select the (i) bubble on your connected network). Scroll to the bottom where you will see "DNS", which should match your router gateway IP. Change that DNS to any preferred DNS (IP) on that site. When you're done, you're ad free on your entire device. No VPNs.

        Also, family protection.
        For advanced moderate safe web for your family, it also provides that, which blocks ads & blocks adult sites, and which can be applied to your router to be used as the DNS for the entire house. As for me, my entire home internet is (Ad Free)!
      • By Pro
        Cheaters, are you tired of having to use the same old credit pop-ups in your tweaks/patchers? Today, I'm going to show you how to go from this

        [screenshot]

        to this

        [screenshot]

        Requirements:
        Theos
        iFile/iFilza/Whatever (I prefer iFile for this)
        Knowledge on making a tweak
        RKDropdownAlert files

        Instructions:
        1. Download the files for RKDropdownAlert here: https://www.dropbox.com/s/6i04lvg9tea18ls/RKDropdownAlert.zip?dl=0

        2. Have a project made from Theos. This can be a new/old one; it won't matter. In my case, I will be making a new project, using the template found here: https://iosgods.com/topic/6289-update-13template-custom-cscsci-nictheos-template/

        3. Take the files you downloaded, unarchive them, and copy them into your project folder. Your project folder should look like this after doing so if you use the template provided above:

        [screenshot]

        If you don't know how to hack with IDA, simply remove the writeData.h folder, as you won't need it.

        4. Remove everything that's in the Tweak.xm, unless you plan on making a tweak with the project that you have. If that's the case, please have

        5. Now that you have everything you want removed, add this to the top of your Tweak.xm:

            #import "RKDropdownAlert.h"

            @interface AppDelegate : NSObject <RKDropdownAlertDelegate>
            @end

            @implementation AppDelegate

            -(BOOL)dropdownAlertWasDismissed {
                return YES;
            }

            -(BOOL)dropdownAlertWasTapped:(RKDropdownAlert*)alert {
                return YES;
            }

            @end

        Change "AppDelegate" to whatever class you're using for your credits pop-up.

        6. Go add everything else you want in your tweak, features for some hack, whatever. After you're done with that (if you even did anything), add this to the bottom of your Tweak.xm:

            %hook AppDelegate

            -(void)applicationDidBecomeActive:(id)argument {
                [RKDropdownAlert title:@"RKDropdownAlert Test"
                               message:@"Isn't this better than UIAlertView?"
                       backgroundColor:[UIColor yellowColor]
                             textColor:[UIColor orangeColor]
                                  time:10];
                %orig;
            }

            %end

        Again, change AppDelegate to whatever class you're using. You can change the text by simply changing what's inside the quotations. I will leave it for now. You can also change the colors of the background and text of the view. Where it says [UIColor yellowColor] as well as orange, there is a list of default colors found here: http://foobarpig.com/iphone/uicolor-cheatsheet-color-list-conversion-from-and-to-rgb-values.html. With that, you can change yellow and orange to whatever's on there, except for clear, otherwise you won't see your view/text!

        7. In your Makefile, find the line that says ProjectName_FILES = Tweak.xm, and add RKDropdownAlert.m (ProjectName is of course the name of the project you made). After you've done this, this is what your Makefile should look like, if you've used the template:

            ProjectName_FILES = Tweak.xm RKDropdownAlert.m

        8. After that, you can compile it and test it on whatever app you use it on!

        Credits:
        @Pro (Me) for showing this to you guys
        @DiDA for showing this to me and having me make this tut
        @0xBL4Z3R He pretty much started it all
      • By Ted2
        Hello Everyone!
        In this topic I'll explain/show you how to hack games with IDA using lldb and/or GDB on armv7.
        I'll try to make it as noob-friendly as I can; it will be a long tutorial since I'll explain EVERY step.
        Requirements for this tutorial:
        - IDA Program -> get it HERE
        - Jailbroken Phone to test it
        - Hex Editor
        - The binary of the game we're gonna hack -> get it HERE *
        - The game, get it HERE & download v1.11
        - LLDB -> For Windows, go HERE & for Mac go HERE
        - Gameplayer
        - Theos fully set up (not 100% necessary, but since you're learning hacking.. why not?) -> Setup Tutorial
        * = When you're hacking armv7, I suggest you remove ASLR from the binary using THIS site, so you don't have to calculate every watchpoint & breakpoint. The binary for this tutorial is thinned & has ASLR removed.
        The game we are going to hack is called 'Trigger Fist', a dead shooter game, but good to practice with.
        First thing to do, is load the binary from above into IDA, with these settings:
         
        Second thing we need to do is replace the binary of the game with the one from above, since we will be using lldb & we don't want aslr to be loaded.
        To do this, you'll need Filza Manager from Cydia.
        First of all, copy the binary, then go to: /var/containers/bundle/application/'Trigger Fist/TriggerFist.app' & paste.
        Then set the binary permissions like this:

        To do this, you click the little 'Info' icon next to the binary name.
         
        Alright, everything is set for debugging using lldb
        First of all we need to know what we're going to hack, which is ammo & grenades.
        So what we're going to do is find the values using Gameplayer, I hope everyone knows how to do that.
        Write them down if you found both values.
        You can also do this while you're connected with lldb, but every time you search for a value in Gameplayer, you'll need to type 'continue or c' in the lldb window.
        I do this because sometimes the game changes the value even if I haven't closed it.
        Not sure if this also is for this game, but it's up to you how you wanna do it.If you do not know how to find them: Your ammo starts with 30 (atleast for me, if not for you replace numbers from below with yours)
        Alright, now we need to debug, so we can get the ida offsets.
        We need to debug with port 23, on mac you don't need to do anything. 
        On windows you run the mux.exe program for it, but if you're on Windows 10 that won't work.
        We need to do it with iFunbox, using the USB Tunnel option in the toolbox tab.
        See THIS topic to do this with Windows 10
        First we need to make a connection with our phone, by running this command in SSH Terminal (open using iFunbox):

            debugserver 127.0.0.1:23 --attach=PID

        What is 'PID'? Not sure what it exactly is, but I do know how to find it.
        Open the game, click Gameplayer icon & select the application if it doesn't automaticly.
        This is the PID: 
        Alright, you typed it in & it should look like this: 
        Now go to your lldb folder & double click lldb.exe
        A command promt will show up, type this: 
        process connect connect://127.0.0.1:23
        It should look like this:
        It can take some time to make connection, depends on how fast you connection is.
        When it's connected it will show you this: 
        Alright, so we want to know the ida offsets of the gameplayer addresses we have.
        We do this with this command:

            w s e -- 0xgameplayeraddress

        which is for me:

            w s e -- 0x1501ca6c   //ammo
            w s e -- 0x0ebcec60   //grenades

        It should say this when you set a watchpoint:
        Type 'continue' or 'c' in the lldb window to continue the game.
        Make a change in ammo, the game will freeze, this is good!
        The lldb window will look like this: 

        This is the ida offset: (marked with <<<<<<<<<) (WRITE IT DOWN + WRITE DOWN TO WHAT THE VALUE CHANGED)

            (lldb) Process 86864 stopped
            * thread #1: tid = 0x15350, 0x001527d4 TriggerFist`___lldb_unnamed_function1$$TriggerFist + 1382346, stop reason = watchpoint 3
                frame #0: 0x001527d4 TriggerFist`___lldb_unnamed_function1$$TriggerFist + 1382346
            TriggerFist`___lldb_unnamed_function1$$TriggerFist + 1373466:
            -> 0x1527d4 <<<<<<<<<<<<<<<: mov r0, #0x1
               0x1527d8: strb r0, [r10, #430]
               0x1527dc: mov r0, #0x1

        Also type 'register read' to know what each register means around the function. (register = R1, R2, R3, etc.)
        It will look like this: 

        Copy the output & paste it somewhere where you can find it back & type 'ammo' above it.
        How to copy it?
        Select it with your mouse & hit enter, this will copy it. You can 'ctrl + c it' too, but it will ask you to quit lldb & we don't want that.
        Alright, now type 'continue' or 'c' in lldb to continue the game
        Make a change in grenades, the game will freeze & we know now this is good!
        We also know how the lldb windows looks like & what the ida offset is. (WRITE IT DOWN = WRITE DOWN TO WHAT THE VALUE CHANGED)
        Type again 'register read' & do the same progress you did with the ammo, but now type 'grenades' above it.
        I suggest you do 'register read' when you have more than 0 grenades, otherwise it's harder to see which register is the real one.
        Now we have both, close lldb.
        Alright, now we know both offsets & what every register means, it's easy peasy to hack.
        Let's look into the ammo function first, it looks like this: 
        Alright, most of the time there are multiple ways to hack something.
        This is the exact code written:

            LDR             R0, [R10,#0x88]
            LDR             R0, [R0,#0x70]
            CMP             R5, R0
            BLT             loc_152764
            LDR             R0, [R10,#0x88]
            LDR             R1, [R0,#0xAC]    //
            SUB             R1, R1, #1        //
            STR             R1, [R0,#0xAC]    //
            MOV             R0, #1            ; The address where it drops us
            STRB            R0, [R10,#0x1AE]
            MOV             R0, #1
            STRB            R0, [R10,#0x1AF]
            LDR             R0, [R10,#0x1CC]
            ADD             R0, R0, #1
            STR             R0, [R10,#0x1CC]
            LDR             R0, [R10,#0x88]
            VLDR            S0, [R0,#0x68]
            VCVT.F64.F32    D2, S0
            VCVT.F32.F64    S0, D2
            VSTR            S0, [R10,#0x284]
            LDR             R0, [R10,#0x174]
            LDR             R1, =(unk_C80D00 - 0x15281C)    //
            B               loc_152814

        Alright, we also know what all the registers mean. lldb gives the values in hexadecimal.
        We only know the values in decimal.
        We wrote down what our ammo changed to, which was for me 29.
        29 in hex = 1D
        Register 1 (R1) holds that value, which means that's our ammo.
        As you can see in the code, we see some R1, R0, R5, R10 etc.
        R1 is which is important for us now.
        As you can see in the code above the 'register read' output, I wrote // after each instruction with a R1 in it.
        Which are these four:
         
         
        I wrote down what they mean.
         
        Anyways,
        The SUB instruction is the most used way to hack ammo.
        Why?
        Well.. when you shoot, one bullet will go away..
        This instruction subtracts 1 from R1 (ammo) into R1 (ammo).
        We can hack a SUB in different ways:
        1. NOP the instruction; what this does is skip the instruction and do nothing.
        2. Change the #1 to #0, which would subtract 0 from our ammo.
        3. Change the SUB to ADD, which would ADD ammo instead of subtracting.
        4. Change the SUB to MOV R1, R7, which would move the value of 803 million into our ammo.
        We can also hack it using the first LDR from above & the STR function.
        How we hack the LDR:
        - LDR R1, [R0,#0xAC] to LDR R1, [R7,#0xAC] --> What this does is load R7 (803 million) into our ammo instead of what the normal value should be. This works because it's loading uninitialized memory into R0.
        How we hack the STR:
        - STR R1, [R0,#0xAC] to STR R7, [R0,#0xAC] --> What this does is store R7 into [R0,#0xAC] instead of storing our normal ammo.
        When you're hacking a binary, you need to know what kind of 'HEX' it is.
        How to find out:
        When you know that you can change the instruction which you like.
        Let's change the SUB instruction to MOV R1, R7
        The outcome in armconverter will be 0710A0E1, because this game is ARM-HEX.
        Normally you patch the binary manually using a hex editor, somehow this is not working for me on this game.
        Maybe for some others it does I don't know.
        These are the steps if you wanna try it:
        Load the same binary you loaded into IDA in HxD.
        I suggest you to make a backup though.
        We need to go to our SUB instruction offset, which is: 1527CC
        How do I know?
        See here: 
        Go to that offset in HxD, by doing 'ctrl + G' or 'edit - goto'
        This is it, this is what we're gonna hack.
        Alright, I'm going to hack it by MOV R1, R7 the SUB instruction.
        You can do whatever you prefer, but remember do it in ARM-HEX!!
        It will look like this:
        Now save it.
        We wanna test it, but we need to sign it first.
        Paste the hacked binary into var/mobile with iFunbox or whatever you like.
        Type in SSH window: cd /var/mobile & then type: ldid -s TriggerFist
        You're done, if it doesn't work see this topic by @shmoo: Sign Binary Topic
        Now replace it into your application folder like you did before, with the same permissions.
        Test the hack.
        I'm using a Code Injection Template with Theos, if you never used theos, you need to set this up.
        If you do paste this nic template into your /var/theos/templates/iphone/HERE
        Link to template: Code Injection Template made by @DiDA
         
        You set up a project like you normally do & change the tweak.xm, which looks like this:
        Change it to this: 

        Why? 
        The first offset, is the ida hex offset & the second is the hacked offset.
        Compile it & test it.
        The grenades function is for you guys, you can try this on your own!
        You guys have the 'read register' output, so you can do it!
        Let me know if you succeed
        Hope you learned something
        PS: there will come some more advanced tutorial soon, also with lldb.
         
        Another game you can practice with is Sniper 3D, ammo is easy & resources are same offsets but maybe more 'challenging '
         
        Credits:
        - @Ted2
        - @shmoo see his comment, he fixed some errors: HERE
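        Added example (not Ted2's code and not armconverter): a small ARM-mode (A32) encoder for exactly the instruction forms the tutorial above rewrites, data-processing with a register or a modified immediate (SUB/ADD/MOV/CMP) and LDR/STR with a 12-bit offset, so you can produce and cross-check the "ARM-HEX" bytes for each of the four SUB rewrites and the LDR/STR variants yourself. The output for MOV R1, R7 reproduces the 0710A0E1 quoted in the tutorial. Register numbers and the 0xAC offset come from the tutorial's listing; that R7 happens to hold 803 million at that point is the tutorial's observation from 'register read', not something the encoder knows. Thumb (16-bit) encodings are out of scope here.

```python
import struct

COND_AL = 0xE                                   # "always" condition, bits 31:28
REG = {f"R{i}": i for i in range(16)}
REG.update({"SP": 13, "LR": 14, "PC": 15})
DP_OPCODE = {                                   # data-processing opcodes, bits 24:21
    "AND": 0x0, "EOR": 0x1, "SUB": 0x2, "RSB": 0x3, "ADD": 0x4, "ADC": 0x5,
    "SBC": 0x6, "RSC": 0x7, "TST": 0x8, "TEQ": 0x9, "CMP": 0xA, "CMN": 0xB,
    "ORR": 0xC, "MOV": 0xD, "BIC": 0xE, "MVN": 0xF,
}
COMPARE_OPS = {"TST", "TEQ", "CMP", "CMN"}      # always set flags; Rd field must be 0


def arm_hex(raw):
    """Bytes as they appear in the file and in a hex editor: little-endian, uppercase."""
    return raw.hex().upper()


def encode_modified_imm(value):
    """ARM 'modified immediate': an 8-bit value rotated right by an even amount.
    Returns the 12-bit field (rotate/2 in bits 11:8, imm8 in bits 7:0)."""
    value &= 0xFFFFFFFF
    for rot in range(0, 32, 2):
        # Rotate left by `rot`; if the result fits in 8 bits, ROR(imm8, rot) gives `value` back.
        imm8 = ((value << rot) | (value >> (32 - rot))) & 0xFFFFFFFF
        if imm8 < 0x100:
            return ((rot // 2) << 8) | imm8
    raise ValueError(f"{value:#x} cannot be encoded as an ARM modified immediate")


def dp_imm(op, rd, rn, imm, s=False):
    """<op>{S} Rd, Rn, #imm   (data-processing, immediate form, I=1)."""
    s = s or op in COMPARE_OPS
    word = ((COND_AL << 28) | (1 << 25) | (DP_OPCODE[op] << 21) | (int(s) << 20)
            | (REG[rn] << 16) | (REG[rd] << 12) | encode_modified_imm(imm))
    return struct.pack("<I", word)


def dp_reg(op, rd, rn, rm, s=False):
    """<op>{S} Rd, Rn, Rm   (data-processing, register form, no shift)."""
    s = s or op in COMPARE_OPS
    word = ((COND_AL << 28) | (DP_OPCODE[op] << 21) | (int(s) << 20)
            | (REG[rn] << 16) | (REG[rd] << 12) | REG[rm])
    return struct.pack("<I", word)


def mov_reg(rd, rm):
    """MOV Rd, Rm (the Rn field is unused by MOV and must be 0)."""
    return dp_reg("MOV", rd, "R0", rm)


def cmp_reg(rn, rm):
    """CMP Rn, Rm (the Rd field is unused by CMP and must be 0)."""
    return dp_reg("CMP", "R0", rn, rm)


def ldr_str_imm(load, rt, rn, offset):
    """LDR/STR Rt, [Rn, #+/-offset]  (word, offset addressing, no writeback)."""
    if not -0xFFF <= offset <= 0xFFF:
        raise ValueError("offset must fit in 12 bits")
    word = ((COND_AL << 28) | (0b01 << 26) | (1 << 24) | (int(offset >= 0) << 23)
            | (int(load) << 20) | (REG[rn] << 16) | (REG[rt] << 12) | abs(offset))
    return struct.pack("<I", word)


def sub_hack_variants():
    """The ammo SUB from the tutorial and every rewrite it proposes, as ARM-HEX strings."""
    return {
        "SUB R1, R1, #1 (original)":     arm_hex(dp_imm("SUB", "R1", "R1", 1)),
        "1. NOP  (MOV R0, R0)":          arm_hex(mov_reg("R0", "R0")),
        "2. SUB R1, R1, #0":             arm_hex(dp_imm("SUB", "R1", "R1", 0)),
        "3. ADD R1, R1, #1":             arm_hex(dp_imm("ADD", "R1", "R1", 1)),
        "4. MOV R1, R7":                 arm_hex(mov_reg("R1", "R7")),
        "LDR R1, [R0,#0xAC] (original)": arm_hex(ldr_str_imm(True, "R1", "R0", 0xAC)),
        "LDR R1, [R7,#0xAC]":            arm_hex(ldr_str_imm(True, "R1", "R7", 0xAC)),
        "STR R1, [R0,#0xAC] (original)": arm_hex(ldr_str_imm(False, "R1", "R0", 0xAC)),
        "STR R7, [R0,#0xAC]":            arm_hex(ldr_str_imm(False, "R7", "R0", 0xAC)),
    }


if __name__ == "__main__":
    for asm, hexbytes in sub_hack_variants().items():
        print(f"{asm:34} {hexbytes}")
```

        The "(original)" entries are the bytes you should see in HxD at the offset before you type anything; if they differ, the offset or the binary is wrong and the patch would land on an unrelated instruction.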