Help/Support How to change this to false in ARM64

latestz · July 18, 2018

There's so few ARM64 tutorial here. I learnt ARMv7 in here, but trying to do the hack in ARM64 make my mind blown.

Here's the ARMv7:

PUSH            {R4-R7,LR}
ADD             R7, SP, #0xC
PUSH.W          {R8,R10,R11}
SUB             SP, SP, #0x18
MOV             R10, R0
MOV             R0, R2
BLX.W           _objc_retain
MOV             R11, R0
MOV             R0, #(selRef_shouldCheckForUpdate - 0xA90A)
ADD             R0, PC  ; selRef_shouldCheckForUpdate
LDR             R1, [R0] ; "shouldCheckForUpdate"
MOV             R0, R10 ; void *
BLX.W           _objc_msgSend
CMP             R0, #0
BEQ.W           loc_AAB4

I try to skip all lines after CMP and go to loc_AAB4 by changing MOV R0, #(selRef_shouldCheckForUpdate - 0xA90A) to MOV R0, #0. However in ARM64, my eyes dropped to the ground.

SUB             SP, SP, #0x60
STP             X26, X25, [SP,#0x50+var_40]
STP             X24, X23, [SP,#0x50+var_30]
STP             X22, X21, [SP,#0x50+var_20]
STP             X20, X19, [SP,#0x50+var_10]
STP             X29, X30, [SP,#0x50+var_s0]
ADD             X29, SP, #0x50
MOV             X20, X0
MOV             X0, X2
BL              _objc_retain
MOV             X19, X0
ADRP            X8, #selRef_shouldCheckForUpdate@PAGE
LDR             X1, [X8,#selRef_shouldCheckForUpdate@PAGEOFF] ; char *
MOV             X0, X20 ; void *
BL              _objc_msgSend
CBZ             W0, loc_ADCC

Anyone could help me here? I changed MOV X20, X0 to MOV X20, #0 and it crashed. Thanks in advance!

Joka · July 18, 2018

Hack the top instruction of the function, the "SUB SP, SP, #0x60" and change it to MOV W0, #0 RET (or 00008052 C0035FD6 for the hexes).

Updated July 18, 2018 by Joka

latestz · July 18, 2018

Hey thanks for the help! But it crashed though. Any way around? @Joka

Laxus · July 18, 2018

where is the CBZ branch to?

latestz · July 18, 2018

I screenshot it for better depiction:

https://imgur.com/a/FfCRvuE

https://imgur.com/a/awiH2yT

I initially wanted to disable the check for update popup, but for testing purposes, I think it's better to achieve a TRUE value instead of FALSE as I described in the original post. So that if the popup keep come out when I open the app I knows the hack works. (the popup is time based, it display only once a day)

@Laxus

Updated July 18, 2018 by latestz