[Tutorial] IDA + LLDB Tutorial

Discussion in 'Apple iOS' started by harald4211, Aug 19, 2018.

    NOTE:

    iOS 11 is NOT able to run armv7, and most devices run iOS 11. I suggest NOT hacking armv7 binaries, so this tutorial is KINDA useless. You can still use this tutorial to improve your knowledge.

    Hello Everyone!

    In this topic I'll explain/show you how to hack games with IDA using lldb and/or GDB on armv7.
    I'll try to make it as noob-friendly as I can; it will be a long tutorial since I'll explain EVERY step.

    Requirements for this tutorial:

    - IDA Program
    - Jailbroken Phone to test it
    - Hex Editor
    - The binary of the game we're gonna hack -> get it [link] *
    - The game, get it [link] & download v1.11
    - LLDB
    - Gameplayer
    - Theos fully set up (not 100% necessary)

    * = When you're hacking armv7, I suggest removing ASLR from the binary so you don't have to calculate every watchpoint & breakpoint address. The binary for this tutorial is thinned & has ASLR removed.

    The game we are going to hack is called 'Trigger Fist', a dead shooting game, but good to practice with.

    First thing to do is load the binary from above into IDA, with these settings:
    [image]
    The second thing we need to do is replace the binary of the game with the one from above, since we will be using lldb & we don't want ASLR to be loaded.

    To do this, you'll need Filza File Manager from Cydia.
    First of all, copy the binary, then go to /var/containers/Bundle/Application/'Trigger Fist/TriggerFist.app' & paste.
    Then set the binary permissions like this:
    [image]
    To do this, you click the little 'Info' icon next to the binary name.

    Alright, everything is set for debugging using lldb [image]

    First of all we need to know what we're going to hack, which is ammo & grenades.
    So what we're going to do is find the values using Gameplayer; I hope everyone knows how to do that.
    Write them down once you've found both values.

    You can also do this while you're connected with lldb, but every time you search for a value in Gameplayer, you'll need to type 'continue' or 'c' in the lldb window.
    I do this because sometimes the game changes the value even if I haven't closed it.
    Not sure if this also applies to this game, but it's up to you how you wanna do it.

    If you do not know how to find them: your ammo starts at 30 (at least for me; if not for you, replace the numbers below with yours)
    - Search for 30 in Gameplayer
    - Shoot one time
    - Search for 29 (or whatever value you got new)
    - Shoot again
    - Search for 28 (or whatever value you got new)
    - I do get one address from Gameplayer (if you still get more, shoot & search until you get one hit)
    - WRITE THE ADDRESS DOWN!!

    Your grenades are 2.
    - Search for 2
    - Throw one away
    - Search for 1
    - Throw one away
    - search for 0
    - Die
    - You got 2 grenades again after you died, so search 2
    - Throw one away
    - Search 1
    - Do this until you get ONE hit
    - WRITE THE ADDRESS DOWN!!

    IT'S VERY IMPORTANT THAT YOU DO NOT CLOSE THE APP FROM NOW ON, BECAUSE Gameplayer ADDRESSES ALWAYS CHANGE AFTER REOPENING THE APP.
    Alright, now we need to debug, so we can get the IDA offsets.

    We need to debug over port 23; on Mac you don't need to do anything.
    On Windows you run the mux.exe program for it, but if you're on Windows 10 that won't work.
    Then we need to do it with iFunbox, using the USB Tunnel option in the Toolbox tab.

    First we need to make a connection with our phone, by running this command in an SSH terminal (opened using iFunbox):
    What is the 'PID'? Not sure what it exactly is, but I do know how to find it [image]
    Open the game, click the Gameplayer icon & select the application if it doesn't automatically.
    This is the PID:
    [image]
    Alright, you typed it in & it should look like this:
    [image]
    Now go to your lldb folder & double-click lldb.exe.
    A command prompt will show up; type this:
    It should look like this:
    [image]
    It can take some time to make the connection, depending on how fast your connection is.
    When it's connected it will show you this:
    [image]

    Alright, so we want to know the IDA offsets of the Gameplayer addresses we have.
    We do this with this command:
    It should say this when you set a watchpoint:
    [image]
    Type 'continue' or 'c' in the lldb window to continue the game.
    Make a change in ammo; the game will freeze, this is good!
    The lldb window will look like this:
    [image]
    This is the IDA offset (marked with <<<<<<<<<). WRITE IT DOWN + WRITE DOWN WHAT THE VALUE CHANGED TO.
    Also type 'register read' to know what each register holds around the function (register = R1, R2, R3, etc.).
    It will look like this:
    [image]
    Copy the output & paste it somewhere where you can find it back, & type 'ammo' above it.
    How to copy it?
    Select it with your mouse & hit Enter; this will copy it. You can 'Ctrl + C' it too, but it will ask you to quit lldb & we don't want that.

    Alright, now type 'continue' or 'c' in lldb to continue the game.
    Make a change in grenades; the game will freeze & we now know this is good!
    We also know what the lldb window looks like & what the IDA offset is. (WRITE IT DOWN + WRITE DOWN WHAT THE VALUE CHANGED TO)

    Type 'register read' again & follow the same process you did with the ammo, but now type 'grenades' above it.
    I suggest you do the register read when you have more than 0 grenades, otherwise it's harder to see which register is the real one.

    Now we have both, close lldb.

    Alright, now that we know both offsets & what every register means, it's easy peasy to hack.
    Let's look into the ammo function first; it looks like this:
    [image]
    Alright, most of the time there are multiple ways to hack something.
    This is the exact code written:
    Alright, we also know what all registers mean. lldb gives the values in hexadecimal.
    We only know the values in decimal.
    We wrote down what our ammo changed to, which was 29 for me.
    29 in hex = 1D
    Register 1 (R1) holds that value, which means that's our ammo.
    As you can see in the code, we see some R1, R0, R5, R10 etc.
    R1 is what's important for us now.
    As you can see in the code above the 'register read' output, I wrote // after each instruction with R1 in it.

    Which are these four:
    I wrote down what they mean.

    Anyways,
    the SUB instruction is the most common way to hack ammo.
    Why?

    Well... when you shoot, one bullet will go away.
    This instruction subtracts 1 from R1 (ammo) into R1 (ammo).

    We can hack a SUB in different ways.
    We can also hack it using the first LDR from above & the STR instruction.

    How we hack the LDR:
    How we hack the STR:
    When you're hacking a binary, you need to know what kind of 'HEX' it is.
    When you know that, you can change the instruction to whatever you like.
    Let's change the SUB instruction to MOV R1, R7.
    The outcome in armconverter will be 0710A0E1, because this game is ARM-HEX.

    Normally you patch the binary manually using a hex editor; somehow this is not working for me on this game.
    Maybe for some others it does, I don't know.
    These are the steps if you wanna try it:

    Load the same binary you loaded into IDA in HxD.
    I suggest you make a backup though.

    We need to go to our SUB instruction offset, which is: 1527CC
    How do I know?
    See here:
    [image]
    Go to that offset in HxD with 'Ctrl + G' or 'Edit - Go to'.
    This is it, this is what we're gonna hack.
    [image]
    Alright, I'm going to hack it by replacing the SUB instruction with MOV R1, R7.
    You can do whatever you prefer, but remember to do it in ARM-HEX!!

    It will look like this:
    [image]
    Now save it.
    We wanna test it, but we need to sign it first.
    Paste the hacked binary into /var/mobile with iFunbox or whatever you like.

    Type in the SSH window: cd /var/mobile & then type: ldid -s TriggerFist
    You're done.
    Now replace it into your application folder like you did before, with the same permissions.

    Test the hack.
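Added example for the lldb / 'register read' part of the post (this is not the author's code and nothing in it comes from the real game). It parses a constructed `register read` dump, finds which registers hold the decimal value you wrote down (29 = 0x1D, and it deliberately puts the same value in two registers to show why the post says it is sometimes hard to tell which one is real), turns the stopped `pc` into the IDA address by subtracting the ASLR slide (0 for the tutorial's ASLR-stripped binary; with ASLR on, read the offset column of `image list -o -f` in lldb), and builds the `watchpoint set expression` command for a Gameplayer address. All register values and addresses below are made up.

```python
import re

# Constructed sample of what lldb's `register read` prints on armv7 right
# after a write-watchpoint on the ammo address fires. Values are invented;
# paste your own output here when working on the real game.
REGISTER_READ_OUTPUT = """\
General Purpose Registers:
        r0 = 0x16d3a920
        r1 = 0x0000001d
        r2 = 0x00000002
        r3 = 0x0000001d
        r4 = 0x16d3a900
        r5 = 0x00000001
        r6 = 0x00000000
        r7 = 0x00000000
        r8 = 0x16d3a920
        r9 = 0x00000000
       r10 = 0x3c2f1000
       r11 = 0x00000000
       r12 = 0x00000000
        sp = 0x0036ab10
        lr = 0x001527b0
        pc = 0x001527cc  TriggerFist`sub_1527a0 + 44
      cpsr = 0x60000030
"""

# One register per line: "<name> = 0x<hex>", anything after the value ignored.
REG_LINE = re.compile(r"^\s*([a-z0-9]+)\s*=\s*(0x[0-9a-fA-F]+)", re.M)


def parse_register_read(text: str) -> dict:
    """Turn lldb's `register read` text into {register name: int}."""
    return {m.group(1): int(m.group(2), 16) for m in REG_LINE.finditer(text)}


def registers_holding(regs: dict, decimal_value: int) -> list:
    """General-purpose registers (r0..r12) whose value equals the number you
    wrote down from Gameplayer. More than one hit means you must look at the
    surrounding code (or redo `register read` with a different value)."""
    return [name for name, val in regs.items()
            if name.startswith("r") and val == decimal_value]


def ida_address(runtime_addr: int, slide: int = 0) -> int:
    """Runtime address minus the ASLR slide. The tutorial's binary has ASLR
    removed, so the slide is 0 and lldb's pc is already the IDA address.
    Otherwise take the slide from the offset column of `image list -o -f`."""
    return runtime_addr - slide


def watchpoint_command(addr: int, size: int = 4) -> str:
    """lldb command that freezes the game when it writes the Gameplayer address."""
    return f"watchpoint set expression -w write -s {size} -- {addr:#x}"


if __name__ == "__main__":
    regs = parse_register_read(REGISTER_READ_OUTPUT)
    print("ammo (29 = 0x1d) is in:", registers_holding(regs, 29))
    print("IDA address of the writing code:", hex(ida_address(regs["pc"])))
    print("lldb:", watchpoint_command(0x16D3A924))  # Gameplayer address is made up
```

Run it after pasting your own `register read` output into `REGISTER_READ_OUTPUT`; with ASLR still on, call `ida_address(regs["pc"], slide=...)` with the value lldb shows for the main binary in `image list -o -f`, otherwise the address will not exist in IDA.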
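Added example for the hex-editor / armconverter step (not the author's code). It encodes the A32 instructions the post talks about (MOV R1, R7 = 0xE1A01007, written little-endian as 0710A0E1 exactly as armconverter shows it; SUB R1, R1, #1; ADD R1, R1, #1; NOP) and overwrites the 4 bytes at file offset 0x1527CC, but only after checking that the bytes there really are the SUB it expects, so a wrong offset fails loudly instead of silently corrupting the binary. The binary it patches is a constructed stand-in, not Trigger Fist, and it assumes the SUB at 1527CC is encoded as a plain SUB (no S flag, 8-bit immediate); compare the bytes HxD shows you with what the script prints before pointing it at the real file.

```python
import struct

COND_AL = 0xE  # "always" condition: the high nibble of every instruction below


def enc_mov_reg(rd: int, rm: int) -> int:
    """MOV Rd, Rm (A32 data-processing, opcode 1101, register operand, no shift)."""
    return (COND_AL << 28) | (0b1101 << 21) | (rd << 12) | rm


def _enc_dp_imm(opcode: int, rd: int, rn: int, imm: int) -> int:
    """Data-processing op with an unrotated 8-bit immediate (enough for #1)."""
    if not 0 <= imm <= 0xFF:
        raise ValueError("only unrotated 8-bit immediates are encoded here")
    return ((COND_AL << 28) | (1 << 25) | (opcode << 21)
            | (rn << 16) | (rd << 12) | imm)


def enc_sub_imm(rd: int, rn: int, imm: int) -> int:
    """SUB Rd, Rn, #imm (opcode 0010)."""
    return _enc_dp_imm(0b0010, rd, rn, imm)


def enc_add_imm(rd: int, rn: int, imm: int) -> int:
    """ADD Rd, Rn, #imm (opcode 0100)."""
    return _enc_dp_imm(0b0100, rd, rn, imm)


NOP = enc_mov_reg(0, 0)  # MOV R0, R0, the classic ARM no-op


def arm_hex(word: int) -> str:
    """Little-endian byte string as armconverter / HxD show it: 0xE1A01007 -> '0710A0E1'."""
    return struct.pack("<I", word).hex().upper()


def patch_word(binary: bytes, file_offset: int, expected: int, replacement: int) -> bytes:
    """Return a copy of `binary` with one 4-byte instruction replaced, refusing
    unless the bytes currently at file_offset are the instruction you expect."""
    buf = bytearray(binary)
    (current,) = struct.unpack_from("<I", buf, file_offset)
    if current != expected:
        raise ValueError(f"bytes at {file_offset:#x} are {arm_hex(current)}, "
                         f"expected {arm_hex(expected)}; wrong offset?")
    struct.pack_into("<I", buf, file_offset, replacement)
    return bytes(buf)


# Constructed stand-in for the game binary: zero padding with SUB R1, R1, #1
# placed at the tutorial's offset 0x1527CC. Not the real Trigger Fist file.
SUB_OFFSET = 0x1527CC


def fake_binary() -> bytes:
    buf = bytearray(SUB_OFFSET + 0x10)
    struct.pack_into("<I", buf, SUB_OFFSET, enc_sub_imm(1, 1, 1))
    return bytes(buf)


if __name__ == "__main__":
    print("MOV R1, R7      ->", arm_hex(enc_mov_reg(1, 7)))   # 0710A0E1, as in the post
    print("SUB R1, R1, #1  ->", arm_hex(enc_sub_imm(1, 1, 1)))
    patched = patch_word(fake_binary(), SUB_OFFSET,
                         enc_sub_imm(1, 1, 1), enc_mov_reg(1, 7))
    print("patched bytes at 1527CC:", patched[SUB_OFFSET:SUB_OFFSET + 4].hex().upper())
```

Write the returned bytes to a copy of the binary, then sign it with `ldid -s` as the post describes. `patch_word` takes a file offset: IDA's status bar shows the file offset next to the virtual address, and the two differ by the Mach-O segment mapping, so do not paste a virtual address in. The same helpers cover the other patch variants the post mentions: `enc_add_imm(1, 1, 1)` makes each shot add a bullet, and `NOP` can replace the SUB (or the STR that writes the ammo back) with MOV R0, R0.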
     