Tutorial Hacking with GDB Breakpoints

Ted2 · August 22, 2018

Hi!

This tutorial is gonne be hacking with GDB Breakpoints.

Read & study this tutorial by @shmoo about strings first, cause it's really necessarily.
https://iosgods.com/topic/26584-ida-tutorialhow-to-hack-with-strings/

Breakpoints are extremely useful, once your breakpoint gets hit the game will freeze.

You probably think, why the f*** is that useful you stupid b****

Well, now you can read which registers hold what value, you can see back traces (functions/places that are also called once breakpoint was hit), you can read memory & allot more.
They are also useful if you aren't sure if you're at the right place, for example you had a string called Coins & did some xReffing & you end up somewhere but you're not sure if it's anything useful. What you can do now, is set a breakpoint on the offset you are in IDA & make a change in the coins.
If the place where you were in IDA has anything to do with coins, the game should freeze when you make a change in coins.

Requirements
- GDB, repo: https://shmoo419.github.io/
- IDA, get it from the forum.
- A Game (or use my example game):
https://itunes.apple.com/nz/app/war-heroes-top-strategy-games/id1142744199?mt=8
- Some experience with strings & ARM

Crack the binary & load the binary into IDA & wait till it's done.

This game I'm hacking is some sort of game like Clash Of Royale.
You have 3 towers, or whatever they're called.
The middle one, is the most important one. If that one is broken aka dead, you win.
You have 4 cards you can make use of, each has it's own damage amount.

So, what we're going to try is hack the damage of a card.
There's not really a specific way of finding such a thing.
Some games have obvious strings & some games have not.

To open strings window in IDA, you go to: View - Open Sub Views - Strings
If I search for the word "damage", I'm getting 50 results, not that much but still a struggle to read.
I like to click on the "Length" button in IDA, so it sorts the results & it's much cleaner:

Spoiler

I like to go from top through bottom, so let's double click the first string & xRef it:

Spoiler

If you don't know what xRef means, please read shmoo's tutorial on strings & come back later.

When I click the first result, I've some sub_x functions around the string

The ones with a straight red line are from the damageReduction string, the other are from damage string:

Spoiler

I like to think sub_x functions with more than 70 xRefs are useless. (XRefs is just to see where the function is getting used by other functions)
However, sometimes function look interesting & you might want to try them out anyways.
It's really just experience that will tell your brain whether the function can be useful or no.

The sub_10000F7F0 & sub_100012158 have too many xRefs, first one above 300 & the other above 900.
You don't wanna modify a function that is getting used/called in another 300 functions.
Neither would a developer code a damage function that is getting used in another 300 functions, cause that would likely cause instability.

However, the sub_100190A78 has only one xRef & sub_100190A8C has only one xRef too.
sub_100190A8C seems to be for the damage_reduction string (sounds useful too tho).
But let's focus on sub_100190A78:

Spoiler

It's a really short function.

STR W1, [X0,#0x2C] // Store whatever value W1 is holding into X0+0x2C
RET               // RETurn the function (end it).

Alright, we aren't sure whether this function is the right one for damage or not.
We have two options:
1. Try modify the function & see what happens
2. Set a breakpoint on the function & see if it hits.

While some people may recommend option 1 because they don't know how to use a debugger, I don't.
Cause if you keep trying without debugging it CAN be a LONG LONG night, however sometimes you just find it in the first try

So we are going to set a breakpoint on the function.
First you need to know this about arm64 binaries:
arm64 binaries have a ASLR Slide which can't be removed.
You have to make calculations in order to get the right offset.
IDA Offset + ASLR Slide with a Hex Calculator would do.

But since Shmoo has it's built in feature in gdb, you don't have to make any calculations.
Just this command in GDB & it will do it for you: set add-aslr-bp on

We need to actually start GDB first, open Putty & SSH into your device.
Then type "gdb" & hit enter & it should start.

Then you have to attach to the game, I recommend attaching with the PID but I think binary names are also supported.
How to find your PID: You can find it with GamePlayer, iGameGuardian etc or type this into your putty window: "ps ax | grep 'binary name'"
Attach command: attach "PID"

It will attach, it may show scary lines of "code" but that's normal. Aslong as your game froze, it's fine.
Type "continue" or "c" in short to unfreeze the game.

How to set a breakpoint:
Before you do, enter this command first: set add-aslr-bp on
Breakpoint command: break *0xoffset / b *0xofffset

For me that would be: break *0x100190A78. (see picture above, the sub_x functions is 100190A78)
Now let me play a match & see whether it hits or no.

So the game froze when the tower was hit, this is a good thing!
From here you can do multiply things:
- you can read registers (reading what for example W0, W1, W20 is holding at the time of the breakpoint being hit)
- you can read back traces to see which places where also called when the breakpoint was hit
- you can read memory

So let's read the registers by typing this command: "info registers" --> this will show all normal registers, "info all-registers" will also show float values.
Remember: X & W is basically the same, they'll hold the same value.
My X1 shows me it's 162, which is correct cause the enemies tower's health went down with 162.

Alright, so now we have to hack the damage amount.
If you may know, W23 & W29 hold huge ass values that never change.
If we store that value instead of our orignal value X1, we'll have a One Hit Kill

// ------- Original: -------
STR             W1, [X0,#0x2C]
RET

// ------- Hacked: ------
STR             W23, [X0,#0x2C]
RET

So I'm going to do this with code injection, I assumed you know how to do that, if not do research on the forum.

I compiled it with theos, installed it & I got a One Hit Kill

However, this function had only one instruction that could be hacked, so the part where we read the register wasn't really needed.

I'll make a video soon enough with an longer function example.

I hope you learned how to work with breakpoints & how you can read the registers.

Understand that this tutorial is absolutely noob, some games require allot of back tracing etc etc

Useful GDB Commands:

Auto Add Aslr To Breakpoint: add aslr-bp on
Breakpoint: break *0xIDAOffset or b *0xIDAOffset
Reading Normal Registers: info registers
Reading All Registers: info all-registers (usefull for floats, damage, health etc are most of times float)

Find more here: https://lldb.llvm.org/lldb-gdb.html

Updated August 22, 2018 by RudePerson

Joka · August 21, 2018

Sweet!

Crimson · August 21, 2018

WOW GREAT!

Pradeep6868 · August 21, 2018

Thank you daddy❤️

Rook · August 21, 2018

Thank you for sharing this.

Ted2 · August 21, 2018

Understand that hacking with strings & a debugger is really trial and error.

Some games do require hours just to get a feature, some are just obvious & too easy.

Kira · August 21, 2018

Let's drink some Heineken dude.

MeSailesh7 · August 22, 2018

Quote from aforementioned tutorial: So we are going to set a breakpoint on the function.
First you need to know this about arm64 binaries:
arm64 binaries have a ASLR Slide which can't be removed, while armv7 can have it removed.

So that means while loading binary in IDA we have to load armv7 binary instead of arm64?

Ted2 · August 22, 2018

3 minutes ago, MeSailesh7 said:

Quote from aforementioned tutorial: So we are going to set a breakpoint on the function.
First you need to know this about arm64 binaries:
arm64 binaries have a ASLR Slide which can't be removed, while armv7 can have it removed.

So that means while loading binary in IDA we have to load armv7 binary instead of arm64?

Nope! Armv7 is outdated, iOS 11 can't even run it anymore which means hacking armv7 is useless. I took armv7 as a example that you could remove aslr in the past. But maybe I should remove that sentences.

MeSailesh7 · August 22, 2018

14 minutes ago, RudePerson said:

Nope! Armv7 is outdated, iOS 11 can't even run it anymore which means hacking armv7 is useless. I took armv7 as a example that you could remove aslr in the past. But maybe I should remove that sentences.

Sentence removed as well haha....anyway thanks a lot mate....will try it today and I think if you are free we need some videos on ted2 youtube channel as well, it’s just an request from a subscriber ?