[IDA] Android Hacking and Modding

P
Offline

P3triiX

Hardcore Lv. 9
EXP
SB Cash
8
Device
Samsung Galaxy S69EdgeX
#1
IDA Pro Basics (Instructions Of IDA)
Here is a good tutorial for anyone who is willing to learn what the arm assembly language is and how do you understand it.
This is a very useful tutorial to understand the basic instructions in IDA


Steps of doing:

1. Check the Game --> What could be hacked? What names the functions could have?

2. Load the Binary(lib file in lib folder) in IDA -->Check if load resources is checked

3. Let the IDA time to load

4. After that open up a Hexeditor and put the Binary in it

______________________________________________

Useful searches:

(the big ones are the key words)


Player's Life: life,health,damage,hp,live,power

e.g: CSoldierHero::takeDamage
e.g: CPlayer::removeHealth

Points: points,score,mp

e.g: Game::UpdatePoints
e.g: Game::AddPoints
e.g: Game::loadScore

Ammo: ammo,shoot,shot,fire,weapon

e.g CPlayer:: ProcessShooting
e.g CPlayer::fire
e.g xxx::subAmmo

If you have other things like 'speed' or 'suns' or something just try different options

Extras:

-level -->level up cheats
-powerups -->megajump,doodlejump
-some keywords depend on the game.. rpg,action,fun,...
-kill -->splinter cell
-Unlock --> Unlock is an important keyword *

______________________________________________

WHAT TO DO...?

ADD(e.g score): set to MOV R0,#480000000*
set the registers or the value after #xx to very high

SUB(e.g ammo): change to ADD,NOP it. Or set the SUB to #0

RSB(reverse subtract --take damage): NOP it or set the registers to low or try to change to an ADD

LDR(e.g score,...): change the Register to Register 7(R7) or to an MOV R0,#480000000*

STR(e.g setLife): Change the register to R7 or MOV R0,#480000000*

SUBS/ADDS (same like SUB and ADD)

______________________________________________

CODES:

ADD R3,R3 #1 -->01 30 83 E2
SUB R3,R3 #1 --> 01 30 43 E2

ADD R1,R3,R3 --> 01 30 83 E0
SUB R1,R3,R3 --> 01 30 43 E0

MOV R0,#48000000 = 12 03 A0 E3 -->very high value (you know the PvZ Hack where the sun turns into 9999? thats a MOV R0, #48000000)

MOV R0,#1 = 01 00 A0 E3 (often used for functions like : isXXX or hasXXX (e.g: player::hasAllWeapons if you use an MOV R0,#1 it always returns the value 1 so you have all Weapons))

MOV R0,#0 = 00 00 A0 E3 (often used for isXXX and hasXXX functions(e.g: player::needFood if you use MOV R0,#0 it always returns 0 , so you do not need food))

2Byte BX LR : 7047 -->deletes a function
2Byte Nop : C046 -->NOP = No operation

4Byte BX LR : 1EFF2FE1 -->deletes a function
4Byte Nop : 0000A0E1 -->NOP = No operation

_____________________________________________________

Branches:

Above mostly all Branch commands there have to be a CMP(compare) and because of this CMP it branches

e.g: BEQ(branch if equal) above: CMP R3,R2

so it doesnt branch because R3 not equal to R2

if CMP R2,R2 and then BEQ then it branches



BEQ = Branch if equal (cmp r2,r2)
BNE = Branch if not equal (cmp r3,r11)
BLT = Branch if lower than(cmp r2,r3)
BGT = Branch if greater than(cmp r3,r1)


_______________________________________________________



ONE SENTENCE IS IMPORTANT: "try it!"

Without trying you can't succeed.

So go ahead and try!

Plist editing - Hex editing - IDA Hacking

Plist: Just download some Games and rehack plists

Hex: Download savefile and Compare and learn with it some hex.

IDA: 1. Use the Offset DB and go with IDA to the Location. Check the function and what was changed. 2. Download some Binarys and Compare them. 3. Read Tutorials

My knowledge:

BX LR - NOP - SUB - ADD - LDR - STR - MOV - RSB


Just one last Thing: GDB isnt the horror. I dont like GDB. I can't work with it.

I just sometimes use it for checking a functions and their registers(e.g when I don't know what registers are low in there and what high).


Unlock:

In Brothers in Arm: Hour of Heroes

CSoldierHero UnlockAllWeapons

Double click on it..

Make an XRef from the Ttle of the function (highlight the function and press X)

Then there should be an BNE(branch not equal) it branches if not equal

If you change it to and B(branch no conditions) it always branches and you have your weapons unlocked..

This means yo can't change the function directly.. you have to check from where it comes

BNE,BLT,BGT,BEQ --> B = Change the last byte to an EA if it is 4 Byte XX XX XX EA
BNE,BLT,BGT,BEQ --> B = Change the last byte to an E0 if it is 2 Byte XX E0



CMP

If you hack ammo and you know there is a SUB Rx, Rx #1 which sumtracts your ammo the look above there should be a CMP.
If there is a CMP which compares thesame register as the SUB subtracts then you are right and it could be the CMP that compares if Rx = 0

IF Rx = 0 it reloads your gun

so if you NOP (0100A0E1) the CMP it doesnt reload as it doesnt compare if Rx is equal 0



You often find CMPs above Branches. This means you have two options: Either you make the BXX to only aB so it branches all the time(look at branches). Or you set the CMP as neede: e.g:

BNE(BranchNotEqual) so it branches when the comparison result isnt equal --> CMP R2,R3 if R2 and R3 have different values it branches as they aren't equal

This is a tutorial found on the web . For more info just answere below and I'll try to reply ;)
 
A

Ads Manager

Sbenny
Offline

Sbenny

SB Cartel Lv. Max
Staff member
Admin
Elite Mod Squad
SB Cash
7,082
Postbit Brush (3 Days) Magic Brush (3 Days) Country Flags (Permanent) Musicizer!
Gender
Male
Device
OnePlus 1 - Huawei P10 Lite Android Oreo
Country
Italy
#2
Re: Tutorial [IDA] Android Hacking and Modding

Here's the download link for IDA PRO v6.6 (160.6 MB) :

You do not have permission to view link Log in or register now.
 
V
Offline

ViiP3R

APK Fanatic Lv. 5
EXP
SB Cash
0
Device
Samsung Galaxy S3 - Android 4.4.2 ROOTED
#3
Re: Tutorial [IDA] Android Hacking and Modding

For me it worked, mostly - I mean a few things! Thanks so much, my first mod is going to come out today.
 
Sbenny
Offline

Sbenny

SB Cartel Lv. Max
Staff member
Admin
Elite Mod Squad
SB Cash
7,082
Postbit Brush (3 Days) Magic Brush (3 Days) Country Flags (Permanent) Musicizer!
Gender
Male
Device
OnePlus 1 - Huawei P10 Lite Android Oreo
Country
Italy
#6
Re: Tutorial [IDA] Android Hacking and Modding

That's not the right string.

Also, it should contain "SUB" and then you'd need to replace it with "ADD" to have the desired result.
 
Izzeran
Offline

Izzeran

Addicted Lv. 3
EXP
SB Cash
0
Device
Sony Xperia Z
#7
Re: Tutorial [IDA] Android Hacking and Modding

Should i change this 1st SUB into ADD or do something else,function is called Player::substractDonuts(int) i guess its correct one ?

into this
 
Sbenny
Offline

Sbenny

SB Cartel Lv. Max
Staff member
Admin
Elite Mod Squad
SB Cash
7,082
Postbit Brush (3 Days) Magic Brush (3 Days) Country Flags (Permanent) Musicizer!
Gender
Male
Device
OnePlus 1 - Huawei P10 Lite Android Oreo
Country
Italy
#8
Re: Tutorial [IDA] Android Hacking and Modding

Yes it should be the one. But of course you need to do it with the HeX editor and not with IDA.
 
Izzeran
Offline

Izzeran

Addicted Lv. 3
EXP
SB Cash
0
Device
Sony Xperia Z
#9
Re: Tutorial [IDA] Android Hacking and Modding

i get that part that it has to be doen with hex editor, im just checking if its the right thing im doing - i just PSed that picture as an example. Which HEX editor software do u recommend.
H:lol: Hex Editor or some other
 
Sbenny
Offline

Sbenny

SB Cartel Lv. Max
Staff member
Admin
Elite Mod Squad
SB Cash
7,082
Postbit Brush (3 Days) Magic Brush (3 Days) Country Flags (Permanent) Musicizer!
Gender
Male
Device
OnePlus 1 - Huawei P10 Lite Android Oreo
Country
Italy
#10
Re: Tutorial [IDA] Android Hacking and Modding

I use H:lol:. Anyway only way to know if it's 'the right' string, is to test the game.
 
Izzeran
Offline

Izzeran

Addicted Lv. 3
EXP
SB Cash
0
Device
Sony Xperia Z
#11
Ok, now how do i find correct AoB inside hex editor, i mean which AoB is there to take out of IDA and where do i do that conversion of function SUB SP, SP, #0:lol:4 to HEX which i have to find inside H:lol: and ofc change it with ADD SP, SP, #0:lol:4

Sorry if this is a bit borring for you , but this is best way for me to find answers.

We can type inside Shoutbox if its better so that way we wont spam this thread that much, unless somebody else would have a good use of this
 
Sbenny
Offline

Sbenny

SB Cartel Lv. Max
Staff member
Admin
Elite Mod Squad
SB Cash
7,082
Postbit Brush (3 Days) Magic Brush (3 Days) Country Flags (Permanent) Musicizer!
Gender
Male
Device
OnePlus 1 - Huawei P10 Lite Android Oreo
Country
Italy
#12
Re: Tutorial [IDA] Android Hacking and Modding

No I think it's better to talk here so it could help someone else.

You need ARM ASM to Hex converter to convert SUB bla bla bla bla to HeX and then using H:lol: you need to go to the hex value of the original string and replace it with the modded one.
 
Izzeran
Offline

Izzeran

Addicted Lv. 3
EXP
SB Cash
0
Device
Sony Xperia Z
#13
Trivial question : Spacing should be same as in IDA or those 5 spaces can be 1 inside ARS AMS converter + we use 4 bytes not 2 , right?
 
Sbenny
Offline

Sbenny

SB Cartel Lv. Max
Staff member
Admin
Elite Mod Squad
SB Cash
7,082
Postbit Brush (3 Days) Magic Brush (3 Days) Country Flags (Permanent) Musicizer!
Gender
Male
Device
OnePlus 1 - Huawei P10 Lite Android Oreo
Country
Italy
#14
Re: Tutorial [IDA] Android Hacking and Modding

1 space is enough. You need to take 2 bytes usually.
 
Izzeran
Offline

Izzeran

Addicted Lv. 3
EXP
SB Cash
0
Device
Sony Xperia Z
#15
2 bytes drops multiple hits in hxd and i tried to add 2nd function after the 1st one and scan for it combined AoB but it doesn't hit anything neither if i add function in front of it excluding one behind, but 4 bytes makes 1 single result.

After im done with H:lol: i can just simply save or?

and i guess my gamelib.so is ready to be packed into .apk what compression method should I use when I'm packing it in or its all the same

But should i do something else afterwards
 
Sbenny
Offline

Sbenny

SB Cartel Lv. Max
Staff member
Admin
Elite Mod Squad
SB Cash
7,082
Postbit Brush (3 Days) Magic Brush (3 Days) Country Flags (Permanent) Musicizer!
Gender
Male
Device
OnePlus 1 - Huawei P10 Lite Android Oreo
Country
Italy
#16
Re: Tutorial [IDA] Android Hacking and Modding

I do not understand your message. Anyway when you put it again into the apk file, you need to sign it.
 
Sbenny
Offline

Sbenny

SB Cartel Lv. Max
Staff member
Admin
Elite Mod Squad
SB Cash
7,082
Postbit Brush (3 Days) Magic Brush (3 Days) Country Flags (Permanent) Musicizer!
Gender
Male
Device
OnePlus 1 - Huawei P10 Lite Android Oreo
Country
Italy
#18
Re: Tutorial [IDA] Android Hacking and Modding

Yes you can sign apks with that tool.
 
Izzeran
Offline

Izzeran

Addicted Lv. 3
EXP
SB Cash
0
Device
Sony Xperia Z
#19
Re: Tutorial [IDA] Android Hacking and Modding

i have decompiled apk but i cant find something like game killer or anything similar to it to sign it. or should i just use sign apk from APK multi tool without doing anything
 
Sbenny
Offline

Sbenny

SB Cartel Lv. Max
Staff member
Admin
Elite Mod Squad
SB Cash
7,082
Postbit Brush (3 Days) Magic Brush (3 Days) Country Flags (Permanent) Musicizer!
Gender
Male
Device
OnePlus 1 - Huawei P10 Lite Android Oreo
Country
Italy
#20
Re: Tutorial [IDA] Android Hacking and Modding

Game killer? You didn't need to decompile the apk.. Anyway you can sign it using apk multitool. It has got several functions including the sign apk.