Jump to content

Hacking with GDB Breakpoints


25 posts in this topic

Recommended Posts

Updated (edited)

Hi! :D

This tutorial is gonne be hacking with GDB Breakpoints.

Read & study this tutorial by @shmoo about strings first, cause it's really necessarily.
https://iosgods.com/topic/26584-ida-tutorialhow-to-hack-with-strings/

 

Breakpoints are extremely useful, once your breakpoint gets hit the game will freeze.

You probably think, why the f*** is that useful you stupid b****

Well, now you can read which registers hold what value, you can see back traces (functions/places that are also called once breakpoint was hit), you can read memory & allot more.
They are also useful if you aren't sure if you're at the right place, for example you had a string called Coins & did some xReffing & you end up somewhere but you're not sure if it's anything useful. What you can do now, is set a breakpoint on the offset you are in IDA & make a change in the coins.
If the place where you were in IDA has anything to do with coins, the game should freeze when you make a change in coins.

Requirements
- GDB, repo: https://shmoo419.github.io/
- IDA, get it from the forum.
- A Game (or use my example game):
https://itunes.apple.com/nz/app/war-heroes-top-strategy-games/id1142744199?mt=8
- Some experience with strings & ARM

Crack the binary & load the binary into IDA & wait till it's done.

This game I'm hacking is some sort of game like Clash Of Royale.
You have 3 towers, or whatever they're called.
The middle one, is the most important one. If that one is broken aka dead, you win.
You have 4 cards you can make use of, each has it's own damage amount.

So, what we're going to try is hack the damage of a card.
There's not really a specific way of finding such a thing.
Some games have obvious strings & some games have not.

To open strings window in IDA, you go to: View - Open Sub Views - Strings
If I search for the word "damage", I'm getting 50 results, not that much but still a struggle to read.
I like to click on the "Length" button in IDA, so it sorts the results & it's much cleaner:

Spoiler

5qc5CN8.png

 

I like to go from top through bottom, so let's double click the first string & xRef it:

Spoiler

2mQI10i.png

 

If you don't know what xRef means, please read shmoo's tutorial on strings & come back later.

When I click the first result, I've some sub_x functions around the string

The ones with a straight red line are from the damageReduction string, the other are from damage string:

Spoiler

Amv2mfZ.png

 

I like to think sub_x functions with more than 70 xRefs are useless. (XRefs is just to see where the function is getting used by other functions)
However, sometimes function look interesting & you might want to try them out anyways.
It's really just experience that will tell your brain whether the function can be useful or no.

The sub_10000F7F0 & sub_100012158 have too many xRefs, first one above 300 & the other above 900.
You don't wanna modify a function that is getting used/called in another 300 functions.
Neither would a developer code a damage function that is getting used in another 300 functions, cause that would likely cause instability.

However, the sub_100190A78 has only one xRef & sub_100190A8C has only one xRef too.
sub_100190A8C seems to be for the damage_reduction string (sounds useful too tho).
But let's focus on sub_100190A78:

Spoiler

adLJknq.png

 

It's a really short function.
 

STR W1, [X0,#0x2C] // Store whatever value W1 is holding into X0+0x2C
RET               // RETurn the function (end it).

 

Alright, we aren't sure whether this function is the right one for damage or not.
We have two options:
1. Try modify the function & see what happens
2. Set a breakpoint on the function & see if it hits.

While some people may recommend option 1 because they don't know how to use a debugger, I don't.
Cause if you keep trying without debugging it CAN be a LONG LONG night, however sometimes you just find it in the first try :p

So we are going to set a breakpoint on the function.
First you need to know this about arm64 binaries:
arm64 binaries have a ASLR Slide which can't be removed.
You have to make calculations in order to get the right offset.
IDA Offset + ASLR Slide with a Hex Calculator would do.

But since Shmoo has it's built in feature in gdb, you don't have to make any calculations.
Just this command in GDB & it will do it for you: set add-aslr-bp on

We need to actually start GDB first, open Putty & SSH into your device.
Then type "gdb" & hit enter & it should start.

Then you have to attach to the game, I recommend attaching with the PID but I think binary names are also supported.
How to find your PID: You can find it with GamePlayer, iGameGuardian etc or type this into your putty window: "ps ax | grep 'binary name'"
Attach command: attach "PID"

It will attach, it may show scary lines of "code" but that's normal. Aslong as your game froze, it's fine.
Type "continue" or "c" in short to unfreeze the game.

How to set a breakpoint:
Before you do, enter this command first: set add-aslr-bp on
Breakpoint command: break *0xoffset / b *0xofffset

For me that would be: break *0x100190A78. (see picture above, the sub_x functions is 100190A78)
Now let me play a match & see whether it hits or no.

So the game froze when the tower was hit, this is a good thing!
From here you can do multiply things:
- you can read registers (reading what for example W0, W1, W20 is holding at the time of the breakpoint being hit)
- you can read back traces to see which places where also called when the breakpoint was hit
- you can read memory

So let's read the registers by typing this command: "info registers" --> this will show all normal registers, "info all-registers" will also show float values.
Remember: X & W is basically the same, they'll hold the same value.
My X1 shows me it's 162, which is correct cause the enemies tower's health went down with 162.

Alright, so now we have to hack the damage amount.
If you may know, W23 & W29 hold huge ass values that never change.
If we store that value instead of our orignal value X1, we'll have a One Hit Kill :)

// ------- Original: -------
STR             W1, [X0,#0x2C]
RET

// ------- Hacked: ------
STR             W23, [X0,#0x2C]
RET

So I'm going to do this with code injection, I assumed you know how to do that, if not do research on the forum.

I compiled it with theos, installed it & I got a One Hit Kill :)

However, this function had only one instruction that could be hacked, so the part where we read the register wasn't really needed.

I'll make a video soon enough with an longer function example.

 

I hope you learned how to work with breakpoints & how you can read the registers.

Understand that this tutorial is absolutely noob, some games require allot of back tracing etc etc

 

Useful GDB Commands:

Auto Add Aslr To Breakpoint: add aslr-bp on
Breakpoint: break *0xIDAOffset or b *0xIDAOffset
Reading Normal Registers: info registers
Reading All Registers: info all-registers (usefull for floats, damage, health etc are most of times float)

Find more here: https://lldb.llvm.org/lldb-gdb.html

 

Updated by RudePerson
  • Like 7
  • Winner 4
Posted

Quote from aforementioned tutorial: So we are going to set a breakpoint on the function.
First you need to know this about arm64 binaries:
arm64 binaries have a ASLR Slide which can't be removed, while armv7 can have it removed.

So that means while loading binary in IDA we have to load armv7 binary instead of arm64?

 

 

 

 

Posted
3 minutes ago, MeSailesh7 said:

Quote from aforementioned tutorial: So we are going to set a breakpoint on the function.
First you need to know this about arm64 binaries:
arm64 binaries have a ASLR Slide which can't be removed, while armv7 can have it removed.

So that means while loading binary in IDA we have to load armv7 binary instead of arm64?

 

 

 

 

Nope! Armv7 is outdated, iOS 11 can't even run it anymore which means hacking armv7 is useless. I took armv7 as a example that you could remove aslr in the past. But maybe I should remove that sentences.

Posted
14 minutes ago, RudePerson said:

Nope! Armv7 is outdated, iOS 11 can't even run it anymore which means hacking armv7 is useless. I took armv7 as a example that you could remove aslr in the past. But maybe I should remove that sentences.

Sentence removed as well haha....anyway thanks a lot mate....will try it today and I think if you are free we need some videos on ted2 youtube channel as well, it’s just an request from a subscriber ?

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Our picks

    • Bully: Anniversary Edition Cheats v1.4.1 +1 [ Dev Menu ]
      Modded/Hacked App: Bully: Anniversary Edition by Rockstar Games, Inc.
      Bundle ID: com.rockstargames.bully
      iTunes Store Link: https://apps.apple.com/us/app/bully-anniversary-edition/id1148321705?uo=4&at=1010lce4


      Hack Features:
      Jump to (will lose current progress)
      - Ability to jump to any Mission in-game. From Chapter 1 to Chapter 6.
      - Ability to jump to any Classes in-game. Art, Biology, Gym, Geography, Math, English, Chemistry, Music, Photography, Shop.
      - Ability to play any Minigames such as Arcade, Mowing House 1/2/3, Mowing Part 1/2/3, Paper Route Intro, Paper Route, Keep Ups, Penalty Shots, Bike Store & Tattoos.
      - Teleport to any location in-game. Asylum (Ouside), Blue Skies Industrial Part (Trailer Part), Bullworth Town (Outside), Carnival (Outside), New Coventry (Outside), Old Bullworth Gardens (Park), Old Bullworth Vale (Town), High Striker (Carnival Games), etc, etc. 
       
      Interrupt time-space continuum
      - Ability to Change Time.
      - Ability to Change Season. Summer, Fall, Winter, Spring.
      - Cycle Weather.
       
      Cheats
      - Toggle FPS (Display and Frames Per Second counter at the bottom of your screen).
      - Heal (Heal yourself).
      - Give Money (Give yourself unlimited money. The more you tap on this option the more money you will get).
      - Disable Crime
      - Give Bike
      - Invulnerability a.k.a God Mode / Never Die
      - Unlimited Sprint
      - Unlimited Ammo
      - Max Ammo
      - One Shot Kills
      - All Pranks
      - All Weapons
      - All Moves
      - All Grapples
      - All Clothing
      - Pass mission (Pass your current mission with success).
      - Fail mission (Fail your current mission).
       

      Non-Jailbroken & No Jailbreak required hack(s): https://iosgods.com/topic/135424-bully-anniversary-edition-v11-jailed-cheats-1-debug-menu/


      iOS Hack Download Link: https://iosgods.com/topic/113583-bully-anniversary-edition-cheats-v11-1-dev-menu/
      • 1,321 replies
    • SimCity BuildIt Cheats v1.66.1 +1 [ Freeze Currencies ]
      Modded/Hacked App: SimCity BuildIt By EA Swiss Sarl
      Bundle ID: com.ea.simcitymobile.bv
      iTunes Store Link: https://apps.apple.com/us/app/simcity-buildit/id913292932?uo=4


      Hack Features:
      - Infinite Currencies


      Non-Jailbroken & No Jailbreak required hack(s): https://iosgods.com/topic/124792-arm64-simcity-buildit-v1412-jailed-cheats-1/


      iOS Hack Download Link: https://iosgods.com/topic/157687-simcity-buildit-cheats-v1415-1/
      • 669 replies
    • Aqua Match Cheats v0.230.1 +5
      Modded/Hacked App: Aqua Match By PLR Worldwide Sales Limited
      Bundle ID: com.playrix.aquamatch
      App Store Link: https://apps.apple.com/us/app/aqua-match/id6502511364?uo=4

       

      📌 Mod Requirements

      - Jailbroken iPhone or iPad.
      - iGameGod / Filza / iMazing.
      - Cydia Substrate, ElleKit, Substitute or libhooker depending on your jailbreak (from Sileo, Cydia or Zebra).

       

      🤩 Hack Features

      - Freeze Moves
      - Freeze Life
      - Freeze Boosters
      - Freeze Coins
      - Freeze Gems



      ⬇️ iOS Hack Download Link: https://iosgods.com/topic/196699-aqua-match-cheats-v02301-5/
      • 2 replies
    • Star Wars™: Galaxy of Heroes Cheats v0.36.8 +8
      Modded/Hacked App: Star Wars™: Galaxy of Heroes By Electronic Arts
      Bundle ID: com.ea.starwarscapital.bv
      iTunes Link: https://itunes.apple.com/us/app/star-wars-galaxy-of-heroes/id921022358?mt=8&uo=4&at=1010lce4


      Mod Requirements
      - Jailbroken iPhone/iPad/iPod Touch.
      - iFile / Filza / iFunBox / iTools or any other file managers for iOS.
      - Cydia Substrate (from Cydia).
      - PreferenceLoader (from Cydia).


      Hack Features
      - No Skill Cooldown time / Skill Always Available. Linked with enemy. Enable when it's your turn, disable when it's enemies turn. Timing is key.
      - One Hit Kill / Very High Damage. This is linked with you and the enemy, use with Skip Enemy Turn feature or enable disable when you attack via the In-Game Mod Menu! Do not kill the last enemy with OHK otherwise the game will crash. This feature is only for x64 or ARM64 iDevices: iPhone 5s, 6, 6 Plus, 6s, 6s Plus, 7, 7 Plus, iPod Touch 6G, iPad Air, Air 2, Pro & iPad Mini 2, 3, 4 and later.
      - Always Your Turn / Skip Enemy Turn. It's always your turn, you're always attacking.
      - Auto Win. You must use this with One Hit Kill in order for it to work. Kill 1 Enemy and you will auto win the battle.
      - Only 1 Encounter on All Missions.
      -- God Mode / Never Die thanks to the features above.

      This hack is now an In-Game Mod Menu. This means you can toggle switches on/off while in a fight. Since God Mode is linked, turn it off when you're attacking and turn it on when the enemy is attacking to do damage but not receive damage. Same goes for the other features.
      • 3,130 replies
    • Homematch - Home Design Games v2.17.2 +2 Jailed Cheats [ Unlimited Currencies ]
      Modded/Hacked App: Homematch - Home Design Games By TAPBLAZE, LLC
      Bundle ID: com.tapblaze.homecraft
      iTunes Store Link: https://apps.apple.com/us/app/homematch-home-design-games/id1438898374?uo=4


      Hack Features:
      - Unlimited Coins
      - Unlimited Gems


      Jailbreak required hack(s): [Mod Menu Hack] Homematch - Home Design Games v1.92.3 +2 Cheats [ Unlimited Currencies ] - Free Jailbroken Cydia Cheats - iOSGods
      Modded Android APK(s): https://iosgods.com/forum/68-android-section/
      For more fun, check out the Club(s): https://iosgods.com/clubs/
      • 13 replies
    • Homematch - Home Design Games v2.17.2 +2 Cheats [ Unlimited Currencies ]
      Modded/Hacked App: Homematch - Home Design Games By TAPBLAZE, LLC
      Bundle ID: com.tapblaze.homecraft
      iTunes Store Link: https://apps.apple.com/us/app/homematch-home-design-games/id1438898374?uo=4


      Hack Features:
      - Unlimited Coins
      - Unlimited Gems


      Non-Jailbroken & No Jailbreak required hack(s): [Non-Jailbroken Hack] Homematch - Home Design Games v1.92.3 +2 Jailed Cheats [ Unlimited Currencies ] - Free Non-Jailbroken IPA Cheats - iOSGods
      Modded Android APK(s): https://iosgods.com/forum/68-android-section/
      For more fun, check out the Club(s): https://iosgods.com/clubs/
      • 7 replies
    • Hero's Adventure v1.2.117 +6 Jailed Cheats [ Damage & Defence ]
      Modded/Hacked App: Hero's Adventure By X.D. Network Inc.
      Bundle ID: com.xd.dxlzz.global
      iTunes Store Link: https://apps.apple.com/us/app/heros-adventure/id6711347049?uo=4

       


      🤩 Hack Features

      - Damage Multiplier
      - Defence Multiplier
      - Give All Items -> Head into Settings > Other and toggle the User Agreement button.
      - Unlock All Achievements -> Head into Settings > Other and toggle the Privacy Policy button.
      -- All DLC Purchased
      -- Guest Login Enabled
      • 140 replies
    • Hero's Adventure v1.2.117 +6 Cheats [ Damage & Defence ]
      Modded/Hacked App: Hero's Adventure By X.D. Network Inc.
      Bundle ID: com.xd.dxlzz.global
      iTunes Store Link: https://apps.apple.com/us/app/heros-adventure/id6711347049?uo=4

       
       

      🤩 Hack Features

      - Damage Multiplier
      - Defence Multiplier
      - Give All Items -> Head into Settings > Other and toggle the User Agreement button.
      - Unlock All Achievements -> Head into Settings > Other and toggle the Privacy Policy button.
      -- All DLC Purchased
      -- Guest Login Enabled
      • 31 replies
    • Pal Go: Tower Defense TD v0.3.86 [+7 Cheats]
      Modded/Hacked App: Pal Go: Tower Defense TD By Playwind Ltd
      Bundle ID: com.playwindgames.freedefender
      iTunes Store Link: https://apps.apple.com/us/app/pal-go-tower-defense-td/id6479316663?uo=4


       

      🚀 Hack Features

      - [VIP] Freeze Currency (Currency will not decrease when used)

      - [VIP] Currency Always Enough (Buy even when you don't have enough currency)

      - [Free] Higher Recruit Energy (Gives 500 Recruit Energy Every Wave)

      - [Free] Always Can Drag Hero

      - [Free] Skip Ads

      - [Free] No Attack Cooldown

      - [Free] Global Speed Multiplier (Enable Inside Battle)

       

      Warning


      Do not use on main account. There is a chance of ban. Not responsible for any bans.

       


      🍏 For Non-Jailbroken & No Jailbreak required hacks: https://iosgods.com/forum/79-no-jailbreak-section/
      🤖 Modded Android APK(s): https://iosgods.com/forum/68-android-section/
      • 54 replies
    • Pal Go: Tower Defense TD v0.3.86 [+7 Jailed Cheats]
      Modded/Hacked App: Pal Go: Tower Defense TD By Playwind Ltd
      Bundle ID: com.playwindgames.freedefender
      iTunes Store Link: https://apps.apple.com/us/app/pal-go-tower-defense-td/id6479316663?uo=4


       

      Hack Features

      - [VIP] Freeze Currency (Currency will not decrease when used)

      - [VIP] Currency Always Enough (Buy even when you don't have enough currency)

      - [Free] Higher Recruit Energy (Gives 500 Recruit Energy Every Wave)

      - [Free] Always Can Drag Hero

      - [Free] Skip Ads

      - [Free] No Attack Cooldown

      - [Free] Global Speed Multiplier (Enable Inside Battle)

       

      Warning


      Do not use on main account. There is a chance of ban. Not responsible for any bans.

       

      Jailbreak required iOS hacks: https://iosgods.com/forum/5-game-cheats-hack-requests/
      Modded Android APKs: https://iosgods.com/forum/68-android-section/
      • 79 replies
    • Exfil: Loot & Extract v6.1.1 Debug Menu [+10 Cheats]
      Modded/Hacked App: Exfil: Loot & Extract By Kwalee Ltd
      Bundle ID: com.eightsec.roguehero
      iTunes Store Link: https://apps.apple.com/us/app/exfil-loot-extract/id6448720577?uo=4


       

      🤩 Hack Features

      - Debug Menu (Enable and debug menu will appear)
       
      • 18 replies
    • Exfil: Loot & Extract v6.1.1 Debug Menu [+10 Jailed Cheats]
      Modded/Hacked App: Exfil: Loot & Extract By Kwalee Ltd
      Bundle ID: com.eightsec.roguehero
      iTunes Store Link: https://apps.apple.com/us/app/exfil-loot-extract/id6448720577?uo=4

       

      🤩 Hack Features

      - Debug Menu (Enable and debug menu will appear)
      • 18 replies
×
  • Create New...

Important Information

We would like to place cookies on your device to help make this website better. The website cannot give you the best user experience without cookies. You can accept or decline our cookies. You may also adjust your cookie settings. Privacy Policy - Guidelines