User Tag List

Thread: ~ TUTORIAL ~ IDA Pro Basics ~ For Modding iOS Games ~

Results 1 to 1 of 1
  1. #1 ~ TUTORIAL ~ IDA Pro Basics ~ For Modding iOS Games ~ 
    Member Darkcon's Avatar
    Join Date
    Jul 2014
    Thanked 37 Times in 8 Posts
    6 Post(s)
    0 Thread(s)
    Aloha !
    IDA is an Interactive Disassembler and in this tutorial im going to explain some of the program basics.

    Steps of doing:
    1. Collect some game info --> What could be hacked? What names the functions could have?
    2. Load the Binary into IDA -->Check if "arm7" is checked.
    3. Let the IDA time to load.
    4. After that open up a HeXEditor (HxD Edit, ResourceHacker, etc...) and put the Binary in it.

    Useful searches:
    (the big ones are the key words)

    Player's Life: life,health,damage,hp,live,power
    • e.g: CSoldierHero::takeDamage
    • e.g: CPlayer::removeHealth

    Points: points,score,mp
    • e.g: Game::UpdatePoints
    • e.g: Game::AddPoints
    • e.g: Game::loadScore

    Ammo: ammo,shoot,shot,fire,weapon
    • e.g CPlayer:rocessShooting
    • e.g CPlayer::fire
    • e.g xxx::subAmmo

    If you have other things like 'speed' or 'suns' or something just try different options

    • level = level up cheats
    • powerups = megajump,doodlejump
    • some keywords depend on the game.. rpg,action,fun,...
    • kill = splinter cell
    • Unlock is an important keyword

    WHAT TO DO...?
    • ADD(e.g score): set to MOV R0,#480000 000*
    • set the registers or the value after #xx to very high
    • SUB(e.g ammo): change to ADD,NOP it. Or set the SUB to #0
    • RSB(reverse subtract --take damage): NOP it or set the registers to low or try to change to an ADD
    • LDR(e.g score,...): change the Register to Register 7(R7) or to an MOV R0,#480000 000*
    • STR(e.g setLife): Change the register to R7 or MOV R0,#480000 000*
    • SUBS/ADDS (same like SUB and ADD)

    • ADD R[color=#ff0000;]3[/color],R3 [color=#0000ff;]#1 [/color] -->[color=#0000ff;]01[/color] [color=#ff0000;]3[/color]0 83 E2
    • SUB R[color=#ff0000;]3[/color],R3 [color=#0000ff;]#1 [/color] --> [color=#0000ff;]01[/color] [color=#ff0000;]3[/color]0 43 E2
    • ADD R1,R3,R3 --> 01 30 83[color=#00ff00;] E0[/color]
    • SUB R1,R3,R3 --> 01 30 83[color=#00ff00;] E0[/color]
    • MOV R0,#480000 00 = 12 03 A0 E3 -->very high value (you know the PvZ Hack where the sun turns into 9999? thats a MOV R0, #480000 00)
    • MOV R0,#1 = 01 00 A0 E3 (often used for functions like : isXXX or hasXXX (e.g: player::hasAllWeapons if you use an MOV R0,#1 it always returns the value 1 so you have all Weapons))
    • MOV R0,#0 = 00 00 A0 E3 (often used for isXXX and hasXXX functions(e.g: player::needFood if you use MOV R0,#0 it always returns 0 , so you do not need food))
    • 2Byte BX LR : 7047 -->deletes a function
    • 2Byte Nop : C046 -->NOP = No operation for one command
    • 4Byte BX LR : 1EFF2FE1 -->deletes a function
    • 4Byte Nop : 0000A0E1 -->NOP = No operation[/color]

    Above mostly all Branch commands there have to be a CMP(compare) and because of this CMP it branches
    • e.g: BEQ(branch if equal) above: CMP R3,R2
    • so it doesnt branch because R3 not equal to R2
    • if CMP R2,R2 and then BEQ then it branches
    • BEQ = Branch if equal (cmp r2,r2)
    • BNE = Branch if not equal (cmp r3,r11)
    • BLT = Branch if lower than(cmp r2,r3)
    • BGT = Branch if greater than(cmp r3,r1)

    I think more you dont need. And I dont know more ONE SENTENCE IS IMPORTANT: "try it!"
    Without trying you can't succeeed.

    So go ahead and try!
    • Plist: editing - Hex editing - IDA Hacking
    • Plist: Just download some Games and rehack plists
    • Hex: Download savefile and Compare and learn with it some hex.

    1. Use the Offset DB and go with IDA to the Location.
    2. Check the function and what was changed.
    3. Download some Binarys and Compare them.Read Tutorial

    First I learned the Code of BX LR and NOP and how to use them. Then I learned SUB and ADD with Fragger and so on. After that I looked into the Registers with LDR and STR. Then I have learned the MOV R0,#480000 for a very high value. Also MOV R0 #0/1. Last day ive learned RSB. How to use and how to change.

    I just sometimes use it for checking a functions and their registers(e.g when I don't know what registers are low in there and what high).

    In Brothers in Arm: Hour of Heroes
    • CSoldierHero UnlockAllWeapons

    Double click on it..
    > Make an XRef from the Ttle of the function (highlight the function and press X)
    > Then there should be an BNE(branch not equal) it branches if not equal
    > If you change it to and B(branch no conditions) it always branches and you have your weapons unlocked..
    > This means yo can't change the function directly.. you have to check from where it comes
    • BNE,BLT,BGT,BEQ --> B = Change the last byte to an EA if it is 4 Byte XX XX XX EA
    • BNE,BLT,BGT,BEQ --> B = Change the last byte to an E0 if it is 2 Byte XX E0

    If you hack ammo and you know there is a SUB Rx, Rx #1 which sumtracts your ammo the look above there should be a CMP.

    If there is a CMP which compares thesame register as the SUB subtracts then you are right and it could be the CMP that compares if Rx = 0

    IF Rx = 0 it reloads your gun so if you NOP (0100A0E1) the CMP it doesnt reload as it doesnt compare if Rx is equal 0

    You often find CMPs above Branches. This means you have two options:
    Either you make the BXX to only aB so it branches all the time(look at branches). Or you set the CMP as neede: e.g:

    BNE(BranchNotEqual) so it branches when the comparison result isnt equal
    --> CMP R2,R3 if R2 and R3 have different values it branches as they aren't equal

    Credits: Me, Myself and Darkcon
    If i helped you, please click the "Thanks" button.
    Reply With Quote   ~ TUTORIAL ~ IDA Pro Basics ~ For Modding iOS Games ~ Send PM  

  2. ~ TUTORIAL ~ IDA Pro Basics ~ For Modding iOS Games ~
    Join Date
    Jul 2014

Similar Threads

  1. [Tutorial] AutoHack Advanced Tutorial
    By eAx in forum General Discussion
    Replies: 152
    Last Post: 08-16-2017, 11:10 AM
  2. Brave Frontier modding tutorial
    By MasterJ in forum Brave Frontier
    Replies: 23
    Last Post: 07-29-2016, 06:15 AM
  3. ~ TUTORIAL ~ Modding Brave Frontier using IDA pro
    By Darkcon in forum Public Hacks and Mods
    Replies: 11
    Last Post: 12-20-2015, 10:17 AM
  4. Been self modding some games on Android
    By Defyeler in forum Forum Ideas / Questions / Bug Reports
    Replies: 2
    Last Post: 05-14-2015, 10:13 PM
  5. Replies: 4
    Last Post: 03-14-2015, 04:22 PM
Posting Permissions
  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts