Jump to content

Hacking with GDB Breakpoints


25 posts in this topic

Recommended Posts

Updated (edited)

Hi! :D

This tutorial is gonne be hacking with GDB Breakpoints.

Read & study this tutorial by @shmoo about strings first, cause it's really necessarily.
https://iosgods.com/topic/26584-ida-tutorialhow-to-hack-with-strings/

 

Breakpoints are extremely useful, once your breakpoint gets hit the game will freeze.

You probably think, why the f*** is that useful you stupid b****

Well, now you can read which registers hold what value, you can see back traces (functions/places that are also called once breakpoint was hit), you can read memory & allot more.
They are also useful if you aren't sure if you're at the right place, for example you had a string called Coins & did some xReffing & you end up somewhere but you're not sure if it's anything useful. What you can do now, is set a breakpoint on the offset you are in IDA & make a change in the coins.
If the place where you were in IDA has anything to do with coins, the game should freeze when you make a change in coins.

Requirements
- GDB, repo: https://shmoo419.github.io/
- IDA, get it from the forum.
- A Game (or use my example game):
https://itunes.apple.com/nz/app/war-heroes-top-strategy-games/id1142744199?mt=8
- Some experience with strings & ARM

Crack the binary & load the binary into IDA & wait till it's done.

This game I'm hacking is some sort of game like Clash Of Royale.
You have 3 towers, or whatever they're called.
The middle one, is the most important one. If that one is broken aka dead, you win.
You have 4 cards you can make use of, each has it's own damage amount.

So, what we're going to try is hack the damage of a card.
There's not really a specific way of finding such a thing.
Some games have obvious strings & some games have not.

To open strings window in IDA, you go to: View - Open Sub Views - Strings
If I search for the word "damage", I'm getting 50 results, not that much but still a struggle to read.
I like to click on the "Length" button in IDA, so it sorts the results & it's much cleaner:

  Reveal hidden contents

 

I like to go from top through bottom, so let's double click the first string & xRef it:

  Reveal hidden contents

 

If you don't know what xRef means, please read shmoo's tutorial on strings & come back later.

When I click the first result, I've some sub_x functions around the string

The ones with a straight red line are from the damageReduction string, the other are from damage string:

  Reveal hidden contents

 

I like to think sub_x functions with more than 70 xRefs are useless. (XRefs is just to see where the function is getting used by other functions)
However, sometimes function look interesting & you might want to try them out anyways.
It's really just experience that will tell your brain whether the function can be useful or no.

The sub_10000F7F0 & sub_100012158 have too many xRefs, first one above 300 & the other above 900.
You don't wanna modify a function that is getting used/called in another 300 functions.
Neither would a developer code a damage function that is getting used in another 300 functions, cause that would likely cause instability.

However, the sub_100190A78 has only one xRef & sub_100190A8C has only one xRef too.
sub_100190A8C seems to be for the damage_reduction string (sounds useful too tho).
But let's focus on sub_100190A78:

  Reveal hidden contents

 

It's a really short function.
 

STR W1, [X0,#0x2C] // Store whatever value W1 is holding into X0+0x2C
RET               // RETurn the function (end it).

 

Alright, we aren't sure whether this function is the right one for damage or not.
We have two options:
1. Try modify the function & see what happens
2. Set a breakpoint on the function & see if it hits.

While some people may recommend option 1 because they don't know how to use a debugger, I don't.
Cause if you keep trying without debugging it CAN be a LONG LONG night, however sometimes you just find it in the first try :p

So we are going to set a breakpoint on the function.
First you need to know this about arm64 binaries:
arm64 binaries have a ASLR Slide which can't be removed.
You have to make calculations in order to get the right offset.
IDA Offset + ASLR Slide with a Hex Calculator would do.

But since Shmoo has it's built in feature in gdb, you don't have to make any calculations.
Just this command in GDB & it will do it for you: set add-aslr-bp on

We need to actually start GDB first, open Putty & SSH into your device.
Then type "gdb" & hit enter & it should start.

Then you have to attach to the game, I recommend attaching with the PID but I think binary names are also supported.
How to find your PID: You can find it with GamePlayer, iGameGuardian etc or type this into your putty window: "ps ax | grep 'binary name'"
Attach command: attach "PID"

It will attach, it may show scary lines of "code" but that's normal. Aslong as your game froze, it's fine.
Type "continue" or "c" in short to unfreeze the game.

How to set a breakpoint:
Before you do, enter this command first: set add-aslr-bp on
Breakpoint command: break *0xoffset / b *0xofffset

For me that would be: break *0x100190A78. (see picture above, the sub_x functions is 100190A78)
Now let me play a match & see whether it hits or no.

So the game froze when the tower was hit, this is a good thing!
From here you can do multiply things:
- you can read registers (reading what for example W0, W1, W20 is holding at the time of the breakpoint being hit)
- you can read back traces to see which places where also called when the breakpoint was hit
- you can read memory

So let's read the registers by typing this command: "info registers" --> this will show all normal registers, "info all-registers" will also show float values.
Remember: X & W is basically the same, they'll hold the same value.
My X1 shows me it's 162, which is correct cause the enemies tower's health went down with 162.

Alright, so now we have to hack the damage amount.
If you may know, W23 & W29 hold huge ass values that never change.
If we store that value instead of our orignal value X1, we'll have a One Hit Kill :)

// ------- Original: -------
STR             W1, [X0,#0x2C]
RET

// ------- Hacked: ------
STR             W23, [X0,#0x2C]
RET

So I'm going to do this with code injection, I assumed you know how to do that, if not do research on the forum.

I compiled it with theos, installed it & I got a One Hit Kill :)

However, this function had only one instruction that could be hacked, so the part where we read the register wasn't really needed.

I'll make a video soon enough with an longer function example.

 

I hope you learned how to work with breakpoints & how you can read the registers.

Understand that this tutorial is absolutely noob, some games require allot of back tracing etc etc

 

Useful GDB Commands:

Auto Add Aslr To Breakpoint: add aslr-bp on
Breakpoint: break *0xIDAOffset or b *0xIDAOffset
Reading Normal Registers: info registers
Reading All Registers: info all-registers (usefull for floats, damage, health etc are most of times float)

Find more here: https://lldb.llvm.org/lldb-gdb.html

 

Updated by RudePerson
  • Like 7
  • Winner 4
Posted

Quote from aforementioned tutorial: So we are going to set a breakpoint on the function.
First you need to know this about arm64 binaries:
arm64 binaries have a ASLR Slide which can't be removed, while armv7 can have it removed.

So that means while loading binary in IDA we have to load armv7 binary instead of arm64?

 

 

 

 

Posted
  On 8/22/2018 at 1:01 AM, MeSailesh7 said:

Quote from aforementioned tutorial: So we are going to set a breakpoint on the function.
First you need to know this about arm64 binaries:
arm64 binaries have a ASLR Slide which can't be removed, while armv7 can have it removed.

So that means while loading binary in IDA we have to load armv7 binary instead of arm64?

 

 

 

 

Expand  

Nope! Armv7 is outdated, iOS 11 can't even run it anymore which means hacking armv7 is useless. I took armv7 as a example that you could remove aslr in the past. But maybe I should remove that sentences.

Posted
  On 8/22/2018 at 1:05 AM, RudePerson said:

Nope! Armv7 is outdated, iOS 11 can't even run it anymore which means hacking armv7 is useless. I took armv7 as a example that you could remove aslr in the past. But maybe I should remove that sentences.

Expand  

Sentence removed as well haha....anyway thanks a lot mate....will try it today and I think if you are free we need some videos on ted2 youtube channel as well, it’s just an request from a subscriber ?

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Our picks

    • Dragons & Diamonds v2.0.62 [ +9 Jailed ] Auto Win
      Modded/Hacked App: Dragons & Diamonds By Kiloo
      Bundle ID: com.kiloo.dragonsanddiamonds
      iTunes Store Link: https://apps.apple.com/us/app/dragons-diamonds/id1223359380?uo=4

      Hack Features:

      - Gems

      - Gold

      - Energy

      - Battle Cost 0

      - Play Any LvL

      - HP [ Hit Enemy ]

      - DMG

      - Auto Win [ Just One Hit ]

      - Enemy Freeze


      Jailbreak required hack(s): https://iosgods.com/forum/5-game-cheats-hack-requests/
      Modded Android APK(s): https://iosgods.com/forum/68-android-section/
      For more fun, check out the Club(s): https://iosgods.com/clubs/
      • 12 replies
    • Dragons & Diamonds v2.0.62 [ +9 Cheats ] Auto Win
      Modded/Hacked App: Dragons & Diamonds By Kiloo
      Bundle ID: com.kiloo.dragonsanddiamonds
      iTunes Store Link: https://apps.apple.com/us/app/dragons-diamonds/id1223359380?uo=4


      Hack Features:
      - Gems

      - Gold

      - Energy

      - Battle Cost 0

      - Play Any LvL

      - HP [ Hit Enemy ]

      - DMG

      - Auto Win [ Just One Hit ]

      - Enemy Freeze


      Non-Jailbroken & No Jailbreak required hack(s): https://iosgods.com/forum/79-no-jailbreak-section/
      Modded Android APK(s): https://iosgods.com/forum/68-android-section/
      For more fun, check out the Club(s): https://iosgods.com/clubs/
      • 9 replies
    • ATHENA:Blood Twins v1.0.3 +2 Cheats
      Modded/Hacked App: ATHENA:Blood Twins By EFUN FUSION COMPANY LIMITED
      Bundle ID: com.eu.eud3
      App Store Link: https://apps.apple.com/us/app/athena-blood-twins/id6738407542?uo=4

       

       

      📌 Mod Requirements

      - Jailbroken iPhone or iPad.
      - iGameGod / Filza / iMazing.
      - Cydia Substrate, ElleKit, Substitute or libhooker depending on your jailbreak (from Sileo, Cydia or Zebra).

       

      🤩 Hack Features

      - Damage Multiplier
      - Defense Multiplier

       

      ⬇️ iOS Hack Download Link


      Hidden Content

      Download Hack







       

      📖 iOS Installation Instructions

      STEP 1: Download the .deb hack file from the link above. Use Safari, Google Chrome or other iOS browsers to download.
      STEP 2: Once the file has downloaded, tap on it and then you will be prompted on whether you want to open the deb with iGameGod or copy it to Filza.
      STEP 3: If needed, tap on the downloaded file again, then select ‘Normal Install’ from the options on your screen.
      STEP 4: Let iGameGod/Filza finish the cheat installation. If it doesn’t install successfully, see the note below.
      STEP 5: Open the game, log in to your iOSGods account when asked, then toggle on the features you want and enjoy!

       

      NOTE: If you have any questions or problems, read our Jailbreak iOS Hack Troubleshooting & Frequently Asked Questions & Answers topic. If you still haven't found a solution, post your issue below and we'll do our best to help! If the hack does work for you, please post your feedback below and help out other fellow members that are encountering issues.

       

      🙌 Credits

      - AlyssaX64

       

      📷 Cheat Video/Screenshots

      N/A

       

      More iOS App Hacks
      If you’re looking for Non-Jailbroken & No Jailbreak required iOS IPA hacks, visit the iOS Game Cheats & Hacks or the iOSGods App for a variety of modded games and apps for non-jailbroken iOS devices.

      Modded Android APKs
      Need modded apps or games for Android? Check out the latest custom APK mods, cheats & more in our Android Section.
      • 3 replies
    • ATHENA:Blood Twins v1.0.3 +2 Jailed Cheats
      Modded/Hacked App: ATHENA:Blood Twins By EFUN FUSION COMPANY LIMITED
      Bundle ID: com.eu.eud3
      App Store Link: https://apps.apple.com/us/app/athena-blood-twins/id6738407542?uo=4

       

       

      📌 Mod Requirements

      - Non-Jailbroken/Jailed or Jailbroken iPhone or iPad.
      - Sideloadly or alternatives.
      - Computer running Windows/macOS/Linux with iTunes installed.

       

      🤩 Hack Features

      - Damage Multiplier
      - Defense Multiplier

       

      ⬇️ iOS Hack Download IPA Link


      Hidden Content

      Download via the iOSGods App







       

      📖 PC Installation Instructions

      STEP 1: Download the pre-hacked .IPA file from the link above to your computer. To download from the iOSGods App, see our iOSGods App IPA Download Tutorial which includes a video example.
      STEP 2: Download Sideloadly and install it on your Windows or Mac.
      STEP 3: Open Sideloadly on your computer, connect your iOS device, and wait until your device name appears in Sideloadly.
      STEP 4: Once your iDevice is recognized, drag the modded .IPA file you downloaded and drop it into the Sideloadly application.
      STEP 5: Enter your Apple Account email, then press “Start.” You’ll then be asked to enter your password. Go ahead and provide the required information.
      STEP 6: Wait for Sideloadly to finish sideloading/installing the hacked IPA. If there are issues during installation, please read the note below.
      STEP 7: Once the installation is complete and you see the app on your Home Screen, you will need to go to Settings -> General -> Profiles / VPN & Device Management. Once there, tap on the email you entered from step 6, and then tap on 'Trust email@iosgods.com'.
      STEP 8: Now go to your Home Screen and open the newly installed app and everything should work fine. You may need to follow further per app instructions inside the hack's popup in-game.

      NOTE: iOS/iPadOS 16 and later, you must enable Developer Mode. For free Apple Developer accounts, you will need to repeat this process every 7 days. If you have any questions or problems, read our Sideloadly FAQ section of the topic and if you don't find a solution, please post your issue below and we'll do our best to help! If the hack does work for you, post your feedback below and help out other fellow members that are encountering issues.

       

      🙌 Credits

      - AlyssaX64

       

      📷 Cheat Video/Screenshots

      N/A
      • 1 reply
    • Zombastic: Time to Survive v1.6.1 [ +1+++ Jailed ] Currency Max
      Modded/Hacked App: Zombastic: Time to Survive By Playmotional Limited
      Bundle ID: com.playmotional.survival
      iTunes Store Link: https://apps.apple.com/us/app/zombastic-time-to-survive/id6475173073?uo=4


      Hack Features:
      - Currency & Resources Unlimited [ Disable When Playing ] 





      Jailbreak required hack(s): https://iosgods.com/forum/5-game-cheats-hack-requests/
      Modded Android APK(s): https://iosgods.com/forum/68-android-section/
      For more fun, check out the Club(s): https://iosgods.com/clubs/
      • 29 replies
    • Zombastic: Time to Survive v1.6.1 [ +1+++ Cheats ] Currency Max
      Modded/Hacked App: Zombastic: Time to Survive By Playmotional Limited
      Bundle ID: com.playmotional.survival
      iTunes Store Link: https://apps.apple.com/us/app/zombastic-time-to-survive/id6475173073?uo=4


      Hack Features:
      - Currency & Resources Unlimited [ Disable When Playing ] 





      Non-Jailbroken & No Jailbreak required hack(s): https://iosgods.com/forum/79-no-jailbreak-section/
      Modded Android APK(s): https://iosgods.com/forum/68-android-section/
      For more fun, check out the Club(s): https://iosgods.com/clubs/
      • 35 replies
    • Spin Break: Roulette Battle v1.5.3 [ +5 Cheats ] Currency Max
      Modded/Hacked App: Spin Break: Roulette Battle By Fifty-one percent Corp.
      Bundle ID: com.FiftyOnePercent.SpinBreak
      iTunes Store Link: https://apps.apple.com/us/app/spin-break-roulette-battle/id6462842820?uo=4

      Hack Features:

      - Currency Max

      - Energy Max

      - LvL Rewards Gold

      - Hero Status [ HP DMG DEF Luck Gold ]

      - Enemy Status [ ATK HP DEF 0 ]

       
      Non-Jailbroken & No Jailbreak required hack(s): https://iosgods.com/forum/79-no-jailbreak-section/
      Modded Android APK(s): https://iosgods.com/forum/68-android-section/
      For more fun, check out the Club(s): https://iosgods.com/clubs/
      • 31 replies
    • Spin Break: Roulette Battle v1.5.3 [ +5 Jailed ] Currency Max
      Modded/Hacked App: Spin Break: Roulette Battle By Fifty-one percent Corp.
      Bundle ID: com.FiftyOnePercent.SpinBreak
      iTunes Store Link: https://apps.apple.com/us/app/spin-break-roulette-battle/id6462842820?uo=4


      Mod Requirements:
      - Non-Jailbroken/Jailed or Jailbroken iPhone/iPad/iPod Touch.
      - Sideloadly / Cydia Impactor or alternatives.
      - A Computer Running Windows/macOS/Linux with iTunes installed.


      Hack Features:

      - Currency Max

      - Energy Max

      - LvL Rewards Gold

      - Hero Status [ HP DMG DEF Luck Gold ]

      - Enemy Status [ ATK HP DEF 0 ]


      Jailbreak required hack(s): https://iosgods.com/forum/5-game-cheats-hack-requests/
      Modded Android APK(s): https://iosgods.com/forum/68-android-section/
      For more fun, check out the Club(s): https://iosgods.com/clubs/
      • 25 replies
    • Treasure Party: Puzzle Fun! v3.0.16 [ +3 Jailed ] Coins Max
      Modded/Hacked App: Treasure Party: Puzzle Fun! By PlayQ Inc.
      Bundle ID: net.playq.treasureparty4
      iTunes Store Link: https://apps.apple.com/us/app/treasure-party-puzzle-fun/id1668898401?uo=4

       
      Hack Features

      - Coins
      - Lives
      - Moves



      Jailbreak required iOS hacks: https://iosgods.com/forum/5-game-cheats-hack-requests/
      Modded Android APKs: https://iosgods.com/forum/68-android-section/
      • 17 replies
    • Treasure Party: Puzzle Fun! v3.0.16 [ +3 Cheats ] Coins Max
      Modded/Hacked App: Treasure Party: Puzzle Fun! By PlayQ Inc.
      Bundle ID: net.playq.treasureparty4
      iTunes Store Link: https://apps.apple.com/us/app/treasure-party-puzzle-fun/id1668898401?uo=4

       

      Hack Features

      - Coins
      - Lives
      - Moves



      For Non-Jailbroken & No Jailbreak required hacks: https://iosgods.com/forum/79-no-jailbreak-section/
      Modded Android APK(s): https://iosgods.com/forum/68-android-section/

       

      iOS Hack Download Link


      Hidden Content

      Download Hack
      • 12 replies
    • Adventure Bay - Farm Games v1.39.17 [ +4 Cheats ] Currency Max
      Modded/Hacked App: Adventure Bay - Farm Games By Gamegos Teknoloji A.S.
      Bundle ID: com.gamegos.adventure.bay.paradise.farm
      iTunes Store Link: https://apps.apple.com/us/app/adventure-bay-farm-games/id1578449819?uo=4
       

      🤩 Hack Features

      - Gems
      - Coins
      - Energy
      - Avatar Unlock
      • 13 replies
    • Adventure Bay - Farm Games v1.39.17 [ +4 Jailed ] Currency Max
      Modded/Hacked App: Adventure Bay - Farm Games By Gamegos Teknoloji A.S.
      Bundle ID: com.gamegos.adventure.bay.paradise.farm
      iTunes Store Link: https://apps.apple.com/us/app/adventure-bay-farm-games/id1578449819?uo=4


      🤩 Hack Features

      - Gems
      - Coins
      - Energy
      - Avatar Unlock
      • 18 replies
×
  • Create New...

Important Information

We would like to place cookies on your device to help make this website better. The website cannot give you the best user experience without cookies. You can accept or decline our cookies. You may also adjust your cookie settings. Privacy Policy - Guidelines