FAQs:
1q. Where do you get the IDA offset?
1a. Once you set up a watchpoint on the address you found with GP (Gameplayer) and play the game, the watchpoint will trigger (freezing your game). GDB will then display the value and the offset. When it triggers, the offset is the value in $pc.
2q. What is the difference between a breakpoint and a watchpoint? Can't I just use "b *0xXXXXXX", where XXXXXX is the address from GP?
2a. A watchpoint triggers and gives you the correct offset for IDA. A breakpoint only triggers if you already have the offset for IDA. No, you cannot use a breakpoint on a GP address. Put it this way: a watchpoint is used for a memory address (data), and a breakpoint is used for an offset in the binary (code).
3q. What are $pc, $r0, $r1, etc., and what are we using them for?
3a. Some of you may wonder why we use the following commands:
display/i $pc
display $r0
display $r1
display $r2
display $r3
display $r4
These commands display your results every time the debugger stops. $pc displays the offset (the address of the instruction being executed). Among $r0-$r4, one of those registers will hold the value you searched for. If you searched for coins, it may show your current value, plus the amount being taken away or added in another register.
4q. Is there a shorter way to type GDB commands instead of typing out whole words such as "attach Zombieville"?
4a. Yes; you can just type: att Zom
Utilities for this tutorial:
- Your brain
- A PC
- Your iDevice
- Zombieville 2 1.3 IPA
- GDB on iDevice ( http://www.mediafire.com/download/36l5cwzou2y25th/gdb_ios7.deb )
- Gameplayer on iDevice
- IDA on PC
- ARM Converter
In case:
You need to know the commands to disable or delete breakpoints/watchpoints.
Delete breakpoint/watchpoint:
>del b
Disable breakpoint/watchpoint:
>disable b
II. LLDB: Debugging a game with Gameplayer (From Acatraz)
Things you need:
- The game you want to hack. In this tutorial I reference Across Age 2 HD.
- Gameplayer: from the repo "yuan.duowan.com"
- A Mac (a VMware VM works fine too)
- Xcode with the command line tools installed (this gives you lldb)
- Usbmuxd (used to connect to the device over USB for both SSH and lldb, in case you have shitty Wi-Fi. USB is the recommended route anyway for the most stable environment.) http://cgit.sukimashita.com/usbmuxd.git/snapshot/usbmuxd-1.0.8.tar.gz Extract it somewhere convenient.
- The debugserver file, placed in /usr/bin on the iDevice with permissions set. Get it here: http://mediafire.com/?c6rvt6yp062l6pb
- I expect you to be adept at IDA hacking already and to have used GDB. I will not be covering the basics.
Instructions:
- Assuming you have everything set up as above, open up 4 terminals. Technically you only need 3 if you do SSH over Wi-Fi, but I will show how to do it through USB.
- In two of them we are going to run usbmuxd. The commands are as follows.
//Window #1: this command is for SSH purposes. You can ignore it if you would rather do SSH over Wi-Fi.
sudo python /directory structure to usbmuxd/usbmuxd/python-client/tcprelay.py -t 22:2222
//Window #2: this is the port we are forwarding for lldb to connect to.
sudo python /directory structure to usbmuxd/usbmuxd/python-client/tcprelay.py -t 12345:12345
Once those are running you can minimize them, as you won't need to do anything further in those windows.
- Now in the 3rd window let's SSH into the device. This is how you do it through usbmuxd:
ssh -p 2222 root@localhost
- If you are SSHing over Wi-Fi, you need the device's local IP instead:
ssh root@deviceip
- In the 4th terminal let's get lldb running: simply type "lldb" without the quotes.
- Now start the game. Then, in the SSH session on the device, attach debugserver to the game:
debugserver localhost:12345 --attach=process id or games binary name
- Now in lldb, connect to the debugserver:
process connect connect://localhost:12345
It will take a few minutes for lldb to connect. If you get section errors, you need to start from step 5 again, i.e. close the game and repeat the attach. Otherwise, when you attempt to run commands and continue, the process will exit automatically.
- Assuming you have managed to connect to the debugserver with lldb, continue the game and search for a value in Gameplayer.
- Now that you have an address from Gameplayer to set a watchpoint on, set it in lldb:
w s e -- 0xaddress
You can delete a single watchpoint by running
w del 1
You can delete all watchpoints at once by running
w del
- Let's continue the game. In my case, in Across Age 2, I searched for gold, so when I got gold the watchpoint broke at an LDR. I usually have IDA open when I'm debugging, but you can also disassemble the function in lldb by running "dis" after the watchpoint breaks.
- Above the LDR that the watchpoint broke on, I noticed an ADD, which is to be expected since I gained gold. Now let's say you want to edit this address in lldb to test it. Run this command:
memory write --s 2 0xaddress hex
"--s 2" is the size in bytes. You need to pass it, otherwise lldb assumes by default that you are writing 1 byte. The hex bytes need to be written backwards (least significant byte first). So, for example, 1c38 becomes 381c.
- If you have a suspicious address in IDA that you want to check by setting a breakpoint in lldb, this is the command:
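The "backwards" hex is little-endian byte order. This added helper (not from the original post) converts a value to the byte string as it sits in memory for a given "--s" size, converts it back, and refuses values that would be truncated by a too-small size, which is exactly what happens when the size option is omitted and lldb falls back to 1 byte.

```python
import struct

# struct format codes for the unsigned sizes lldb's --size option accepts here
_FMT = {1: "B", 2: "H", 4: "I", 8: "Q"}


def to_memory_hex(value: int, size: int) -> str:
    """Return the little-endian hex bytes of `value` as stored in `size` bytes.

    Raises ValueError if `value` does not fit, i.e. lldb would truncate it.
    """
    if size not in _FMT:
        raise ValueError(f"unsupported size {size}")
    if not 0 <= value < (1 << (8 * size)):
        raise ValueError(f"0x{value:x} does not fit in {size} byte(s)")
    return struct.pack("<" + _FMT[size], value).hex()


def from_memory_hex(hexbytes: str) -> int:
    """Inverse of to_memory_hex: parse little-endian hex back to an integer."""
    raw = bytes.fromhex(hexbytes)
    if len(raw) not in _FMT:
        raise ValueError(f"unsupported byte length {len(raw)}")
    return struct.unpack("<" + _FMT[len(raw)], raw)[0]


if __name__ == "__main__":
    # The example from the text: 0x1c38 written with --s 2 is stored as 38 1c.
    print(to_memory_hex(0x1C38, 2))      # 381c
    print(hex(from_memory_hex("381c")))  # 0x1c38
    try:
        to_memory_hex(0x1C38, 1)          # what happens if you forget --s 2
    except ValueError as exc:
        print("truncated:", exc)
```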
break s -a 0xaddress
You can delete a single breakpoint by running
break del 1
You can delete all breakpoints with
break del
- Now you should have a basic understanding of how lldb works. Some lldb commands can even be run while the game is running.