Tutorial [iOS] Using LLDB w/ Watchpoints and a memory editor to find and test offsets! [No IDA]

nyc709

Platinian
Mar 23, 2021
hi @TheArmKing

I just want to ask: why do I get different code from LLDB and IDA Pro?
I got a hit at offset 0x101dceb88 and tried to search for that address in IDA Pro, and it shows something different.
I dumped the binary file and globalmeta.dat using Il2CppDumper-v6.5.3.
Opened the binary file in IDA Pro x64 and ran ida.py with script.json.

One more thing: I used DLGmemor and did a FLOAT search. The current float value of the 2 addresses was 6.00000, but in lldb it's showing
(lldb) w s e -- 0x1207B6D5C
Watchpoint created: Watchpoint 1: addr = 0x1207b6d5c size = 8 state = enabled type = w
new value: 2933075911039254528
(lldb) w s e -- 0x28EE74490
Watchpoint created: Watchpoint 2: addr = 0x28ee74490 size = 8 state = enabled type = w
new value: 1086324736



Please see the pictures (attachments: ida.JPG, lldb.JPG).
 

BTW, I figured it out: I just need to subtract the HEX value from the address, based on the image list. Thanks for the tutorial.
 

nyc709

Platinian
Mar 23, 2021
Tools used:
IDA Pro, Putty (for lldb command), LLDB, IGameGod


What I did:

1. First I ran the game.

2. Used IGameGod and found a value: 0x125affa9c = 3.5 (FLOAT)

3. Ran PuTTY, logged in as root, started lldb, then attach (pid number)

(lldb) attach 66524
Process 66524 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
frame #0: 0x000000019c5fe198 libsystem_kernel.dylib`mach_msg_trap + 8
libsystem_kernel.dylib`mach_msg_trap:
-> 0x19c5fe198 <+8>: ret

libsystem_kernel.dylib`mach_msg_overwrite_trap:
0x19c5fe19c <+0>: mov x16, #-0x20
0x19c5fe1a0 <+4>: svc #0x80
0x19c5fe1a4 <+8>: ret

Executable module set to "/private/var/containers/Bundle/Application/7449FC03-3312-4469-ABB5-46AC9BA2FEEF/xxxxx.app/xxxxxx".
Architecture set to: arm64-apple-ios-.



4. Ran image list (path) and noted the HEX number 0118000

image list /private/var/containers/Bundle/Application/7449FC03-3312-4469-ABB5-46AC9BA2FEEF/BNEI0335.app/BNEI0335
[ 0] E6DA5503-9359-326D-8118-0D3503EC2F14 0x0000000100118000 /private/var/containers/Bundle/Application/7449FC03-3312-4469-ABB5-46AC9BA2FEEF/xxxx.app/xxxx



5. Set a watchpoint for 0x125affa9c, but the value is showing 1080033280; in IGameGod/DLGmemor the value is 3.5 (float). Please explain?

(lldb) w s e -- 0x125affa9c
Watchpoint created: Watchpoint 1: addr = 0x125affa9c size = 8 state = enabled type = w
new value: 1080033280


6. Then I continued.

(lldb) c
Process 66524 resuming




Problem:

I can't find the address in IDA because the watchpoint does not trigger when I change the value in IGameGod/DLGmemor.
Please note that the value can't be changed in the game.

Is there a way to set a breakpoint/watchpoint so I can find the offset in IDA, even though it's impossible to change the VALUE in the game?
It can only be changed using IGameGod/DLGmemor.


I know that IDA offset = (watchpoint hit address) - (0118000)
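Added example, written for this thread and not code from nyc709, TheArmKing or any of the tools named above. It answers the two questions raised in the posts with a small Python script: why lldb prints 1080033280 where IGameGod shows 3.5 (lldb dumps the watched bytes as an unsigned integer; the float lives in the low 4 bytes of an 8-byte watch on little-endian arm64), and how the IDA address follows from a watchpoint hit minus the ASLR slide taken from `image list`. The transcript lines are copied from the thread; the helper names, the `PREFERRED_BASE` of `0x100000000` (the usual base IDA shows for an arm64 iOS main executable) and the suggested 4-byte `watchpoint set expression -s 4` form are assumptions of this example.

```python
import re
import struct

# Assumed: IDA loads an arm64 iOS main executable at this preferred base,
# so IDA addresses are the "unslid" ones.
PREFERRED_BASE = 0x100000000

# lldb output copied from the thread (constructed input for the parser).
LLDB_TRANSCRIPT = """\
(lldb) w s e -- 0x1207B6D5C
Watchpoint created: Watchpoint 1: addr = 0x1207b6d5c size = 8 state = enabled type = w
new value: 2933075911039254528
(lldb) w s e -- 0x28EE74490
Watchpoint created: Watchpoint 2: addr = 0x28ee74490 size = 8 state = enabled type = w
new value: 1086324736
(lldb) w s e -- 0x125affa9c
Watchpoint created: Watchpoint 1: addr = 0x125affa9c size = 8 state = enabled type = w
new value: 1080033280
"""

# `image list` line copied from the thread (path redacted there as well).
IMAGE_LIST_LINE = ("[ 0] E6DA5503-9359-326D-8118-0D3503EC2F14 0x0000000100118000 "
                   "/private/var/containers/Bundle/Application/"
                   "7449FC03-3312-4469-ABB5-46AC9BA2FEEF/xxxx.app/xxxx")

WP_RE = re.compile(r"Watchpoint created: Watchpoint (\d+): addr = (0x[0-9a-f]+) size = (\d+)")
VAL_RE = re.compile(r"new value: (\d+)")
IMG_RE = re.compile(r"^\[\s*\d+\]\s+[0-9A-F-]+\s+(0x[0-9a-f]+)\s")


def raw_to_float(new_value: int, size: int) -> float:
    """Reinterpret the integer lldb prints for a watchpoint as a 32-bit float.

    arm64 is little-endian, so the 4-byte float stored at `addr` is the LOW
    4 bytes of the watched region; with the default 8-byte watch the high
    4 bytes are whatever field sits right after it in memory.
    """
    raw = new_value.to_bytes(size, "little")
    return struct.unpack("<f", raw[:4])[0]


def neighbour_dword(new_value: int, size: int) -> int:
    """The bytes beyond the float that an 8-byte watch also covers."""
    raw = new_value.to_bytes(size, "little")
    return int.from_bytes(raw[4:], "little")


def parse_watchpoints(transcript: str) -> list:
    """Pair each 'Watchpoint created' line with its 'new value' line."""
    results = []
    pending = None
    for line in transcript.splitlines():
        m = WP_RE.search(line)
        if m:
            pending = {"id": int(m.group(1)), "addr": int(m.group(2), 16),
                       "size": int(m.group(3))}
            continue
        v = VAL_RE.search(line)
        if v and pending is not None:
            pending["raw"] = int(v.group(1))
            pending["float"] = raw_to_float(pending["raw"], pending["size"])
            results.append(pending)
            pending = None
    return results


def load_address_from_image_list(line: str) -> int:
    """Load address of module [0] as printed by `image list <path>`."""
    m = IMG_RE.match(line)
    if not m:
        raise ValueError("not an image list line")
    return int(m.group(1), 16)


def aslr_slide(load_address: int, preferred_base: int = PREFERRED_BASE) -> int:
    """Slide = where the binary actually loaded minus where IDA shows it."""
    return load_address - preferred_base


def ida_address(hit_address: int, load_address: int) -> int:
    """Address to search in IDA for a code address seen in the process."""
    return hit_address - aslr_slide(load_address)


def float_watch_command(addr: int) -> str:
    """A 4-byte write watch on a float; assumption: avoids the neighbour field."""
    return f"watchpoint set expression -w write -s 4 -- {addr:#x}"


if __name__ == "__main__":
    for wp in parse_watchpoints(LLDB_TRANSCRIPT):
        print(f"{wp['addr']:#x}: raw {wp['raw']} -> float {wp['float']} "
              f"(next dword {neighbour_dword(wp['raw'], wp['size']):#x})")
    base = load_address_from_image_list(IMAGE_LIST_LINE)
    print(f"slide {aslr_slide(base):#x}; hit 0x101dceb88 -> IDA {ida_address(0x101dceb88, base):#x}")
    print(float_watch_command(0x125affa9c))
```

Running it decodes 1080033280 as 3.5 and 1086324736 as 6.0, and shows that the 19-digit value at 0x1207b6d5c is still 6.0 in its low 4 bytes with the adjacent field in the high 4; the slide from the posted `image list` line is 0x118000, so the hit at 0x101dceb88 is searched in IDA at 0x101cb6b88, which is the subtraction the thread arrived at.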