Tutorial [ARM64] IDA + LLDB Tutorial [Noob Friendly]

Ted2 · January 10, 2022

Hello Everyone!

In this topic, I'll be teaching you how to hack with lldb watchpoints & IDA step by step.

Quick note: Watchpoints doesn't seem to work on iOS 11 so you need a phone below that iOS.

Requirements:

- IDA Program -> get it HERE
- Jailbroken Phone

- iGameGod - iMemEditor or whatever alternatives.
- LLDB -> Follow THIS topic
- * Theos _> Follow this: Setup Tutorial

* = You can also edit the game's binary manually with a Hex Editor, but this is a pain in the ass to keep replacing each time.

Setup a theos project

If you already know how to setup a theos project & how to use it correctly, skip this part.

For the sake of this tutorial, use this sdk
and use this .nic template

This video will show you how to setup a theos project:

- https://youtu.be/eplJ2118cv0

NOTE: I am using Putty because I'm on windows. If you're on a Mac, you can just use terminal. Type this command to SSH into your device: ssh [email protected] & then type the default password "alpine"

LLDB

The game we are going to hack is called "Bloody Harry", you can get it HERE:

We will be hacking our ammo.

I hope you installed lldb as I said with the linked topic from my Requirements list, if not, do it now.

You can basically just type "lldb" in your SSH window & it will look like this:

Spoiler

Now you have lldb started, you have to attach to the game by this command:

attach "PID" / attach "Binary Name"

I always use PID, cause I'm too lazy to search for the binary name.
You can find the PID by attaching the game to GamePlayer & then the number next to the Game's name is the PID.

It will now connect & it should look something like this:

Spoiler

ASLR

We need to do ONE more VERY IMPORTANT thing before we start setting watchpoints. Since we are hacking arm64, we have to deal with a ASLR slide.

You can find this ASLR slide by typing this command in your SSH window:

image list

or 

image list "binary name"

However, it somehow doesn't support binaries with a space in them. So type the first one & scroll up to where [ 0] starts:

Spoiler

As you may see, in my case [ 1] is the line I need. Cause that points to Bloody Harry:

[  1] A0825C08-EAE4-3748-ADB5-042D675A380A 0x000000010007c000 /var/containers/Bundle/Application/4D84AA61-4639-402A-96F0-11CAC3A3F8C8/Bloody Harry.app/Bloody Harry

0x000000010007c000 is what I need. However, I only need to remember 7c000

Your slide is likely diffrent. For example if you had this:
0x0000000100080000

80000 is the only thing you need to remember.

Watchpoints

We are ready to set watchpoints now!

In order to set a watchpoint, we need to find the memory address with, in my case GamePlayer.

I assume everyone knows how to work with a memory searcher such as GamePlayer, if not:

 - Search for your current ammo value in Gameplayer
- Shoot one time
- Search for the new value
- Shoot againt
- Search for the new value
- Do this till you get 1 / 2 matches.

IT's VERY IMPORTANT YOU DO NOT CLOSE THE APP FROM NOW, BECAUSE Gameplayer ADDRESSES ALWAYS CHANGE AFRER REOPENING APP.

How to set a watchpoint:

w s e -- 0xGamePlayerAddress

Example: w s e -- 0x109098E10

So get your GamePlayerAddress & then set a watchpoint.

I keep getting 2 matches in Game Player, so I will set 2 watchpoints:

Spoiler

NOTE: Sometimes the "new value" isn't correct, just in my case. Please remember the ammo in the next step.

So our watchpoint has been set, in order to get the IDA address, we'll have to make a change in our ammo.

This is the step where you HAVE to remember your ammo value it's going to change to.

My current ammo is: 65 & I'm going to shoot one bullet, which will leave me with 64 bullets.

Watchpoint 1 Hit:

Spoiler

frame #0 = our IDA offset according to lldb (ignore the 000... before the first "1".

Type "register read" in lldb & paste the output in a note somewhere, we are going to need this later.

I like to organize it like this:

Spoiler

Now let's see if our watchpoint 2 will also hit, type "c" or "continue" in lldb & see what happens:

Spoiler

It's not saying anything about watchpoint 2, but it does stop so it might be usefull.

Do the same steps you did for watchpoint one: make a note, paste the "read register" output & organize it like mine if you like.

We know our IDA Offset according to lldb, however we need to remove the aslr slide from it.

Go to this website: https://www.calculator.net/hex-calculator.html

In the first box, type your offset lldb gave you & in the second box put your ASLR & you subtract it!

Let's do this for watchpoint one first, the one with the red circle around it is the REAL offset in IDA:

Write it in your note, something like: Real Offset: "your offset"

Spoiler

Now you do the same for the second watchpoint.

Register Read Output

The register output will show you which register holds what value when the watchpoint was hit (when the game froze)

This is really usefull for us. We can read which register holds our ammo & then hack that in IDA later.

However, the values are in hexDecimal & we only know our decimal value of our ammo.

Mine is 62, so go to some "Decimal To Hex" converter online such as this one:

https://www.binaryhexconverter.com/decimal-to-hex-converter

Convert your number & search it in your "register read" output.

Mine is: 3E & I found a match:

x8 = 0x000000000000003e

NOTE: the X could be a W in IDA.

Do the same for your second watchpoint

IDA

Alright, first let's go to the offset of watchpoint 1 first in IDA

You can do this by pressing the "G" button in IDA View:

Spoiler

The yellow colored line is where it brings us:

Spoiler

So you might think, this must be the line we have to change.

But this is wrong, you know which register holds our ammo (X8 ) so you will be looking for that.

This is our matches with X8:

W8 = Our ammo, X & W is basically the same

10092DED8                 LDR             W8, [X19,#0x40] //Load X19+0x40 into W8
10092DEE4                 ADD             W8, W8, W20	  //Add W20 to W8 into W8	
10092DEE8                 STR             W8, [X19,#0x40] //STR W8 into X19+0x40
10092DEF0                 LDR             X8, [X1,#0x10] //Load X1+0x10 into X8
10092DEF4                 LDR             X8, [X8,#0x50] //Load X8+0x50 into X8
10092DEF8                 BLR             X8			//Not important to really know, but it's some sort of branch
10092DF00                 LDR             X8, [X19,#0x10] //Load X19+0x10 into X8
10092DF0C                 LDR             X2, [X8,#0x188] //Load X8+0x188 into X2
10092DF10                 LDR             X8, [X2,#0x10] //Load X2+0x10 into X8
10092DF14                 LDR             X8, [X8,#0x50] //Load X8+0x50 into X8
10092DF18                 BLR             X8			//Not important to really know, but it's some sort of branch

Thing such as: X19+0x40 = 
X19 = a memory address, 0x40 is a variable that holds something. 
Together it will point to a address where the memory is at

That's allot of matches, however the matches with #0x40 in them seems interesting to me.

First: whatever X19+0x40 holds is getting loaded into W8 (our ammo register)

Then: W8 is getting stored into X19+0x40, it looks like it's updating it.

But we can't be sure until we try something.

So how I would try to hack this is this:

LDR             W8, [X19,#0x40]
- Change to: MOV W8, #0xfffff --> this will move the hex value 0xfffff into W8
- Change to: LDR W8, [X23] ---> X23 is a register that has it's own high value. In this way this get's loaded into our ammo.

STR             W8, [X19,#0x40]
- Change W8 to W23 --> This will store a high value into X19+0x40 (which what we think is where our ammo memory is at)
- Change it to a NOP, this will skip the instruction & in this way the ammo can't be stored.

I'm going with the last option.

Compiling a hack with theos

Open your tweak.xm from your theos project & find this:

    if(GetPrefBool(@"key1")) {
      vm_writeData(0x123456, 0x123456); //The first value should be the offset & the second value the hackedHex
    }

If I wanted to change it to NOP I would change it to this:

    if(GetPrefBool(@"key1")) {
      vm_writeData(0x10092DEE8, 0x1F2003D5); // 
    }

How do I know it would be "0x1F2003D5"?

Well iOSGods has this awesome website: http://armconverter.com/

I typed "NOP" & in the " ARM64 HEX" box I got the Hex of it.

You can convert any valid arm instruction here, so if you wanted to hack the LDR, you could have written this in the box:

LDR W8, [X23] & it would give you this value: 0xE80240B9

Save your tweak.xm & go back to your SSH window.

Type in: cd /your/directory/of/your/project, for me that would be: cd /var/root/bloodyharry

Hit enter & now type: "mpi" & if that gives you a error, type "make package install"

This will compile it into a .deb & automaticly install it for you.

Open your settings & enable the first toggle.

NOTE: @"key1" is used to recognize the toggle key of your Root.plist inside /"yourproject"/"projectName"Settings/Resources/Root.plist

See this topic for more info about patchers: https://iosgods.com/topic/444-tutorial-how-to-make-a-preference-bundle/

NOTE: You can skip step 1 & 2 in that topic, you already did that by creating a project.

Open the game & voila since I NOP'ed the STR, my ammo won't substract!

Ammo succesfully hacked :

So after all we didn't need the second watchpoint.

But if the first watchpoint's location just didn't work out, you could move to watchpoint 2

When you're hacking ammo in ALLOT of cases you'll see something like this:

SUB W8, W8, #1 //SUBstract 1 from w8 into w8

If you see this from a watchpoint, you're basically sure that it's the right thing to hack.

You could NOP it or change the #1 with a #0 (use armconverter)

Try to hack the gold yourself

If you're confused about some parts, leave a comment.

Other useful topic for this tutorial:

- https://iosgods.com/topic/852-tutorial-how-to-hack-using-ida/

NOTE: This tutorial is old & the registers are armv7 registers. But this may help you understand how instruction works (instructions = STR, LDR, MOV, CMP etc etc)

- https://iosgods.com/topic/19378-how-to-defeatremove-aslr-on-ios-9-armv7-and-arm64-devices/

Good luck on your journey!

Updated January 10, 2022 by Rook
Weird yellow font fix