Hi. My name is George. Sorry if I have bad English, but I'm from Spain.
I was reading your post about how to hack a freemium app.
The main reason I read that article was because I am really interested in decrypting save games of iOS games.
I followed your “guide” but I couldn't complete it because I got in a mess.
My question is, how can I modify the save game once I have it as XML in the Mac OS X Terminal?
For example, I am trying to do it with Iron Man 3, so I don't need to write the long command, I only need to know how to modify the save game when I have it as an XML file in the terminal…
I use GDB & IDA Pro a lot, but please, if you could, I would like you to write the terminal commands so that I can follow them… THANKS, I love your WordPress a lot. You are great.
I don't fully understand your issue. If you have an XML file, just edit it with a text editor.
To convert binary plists to XML, just use the plutil command line util.
Other than that, there are per-game specifics. Some sign the save game settings, so that needs to be patched, or you create a util to sign the modified files.
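The signed save game mentioned above, as an added example that is not the blog's or any game's code: a plist save protected with an HMAC-SHA256 tag, where loading verifies the tag first and rejects an edit made without re-signing. The key, the `data`/`sig` layout and the field names are constructed assumptions.

```python
import hashlib
import hmac
import plistlib

# Constructed example key; a real app would embed or derive its own.
SECRET_KEY = b"example-key-not-from-the-page"


def sign_save(save: dict) -> bytes:
    """Serialise the save dict as a binary plist and wrap it with an HMAC tag."""
    body = plistlib.dumps(save, fmt=plistlib.FMT_BINARY)
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest()
    return plistlib.dumps({"data": body, "sig": tag}, fmt=plistlib.FMT_BINARY)


def load_save(blob: bytes) -> dict:
    """Verify the tag before trusting any value; raise on a mismatch."""
    wrapper = plistlib.loads(blob)
    body, tag = wrapper["data"], wrapper["sig"]
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("save file integrity check failed")
    return plistlib.loads(body)


def is_valid(blob: bytes) -> bool:
    """Convenience wrapper: True if the save loads, False if it was tampered with."""
    try:
        load_save(blob)
        return True
    except ValueError:
        return False


def edit_without_resigning(blob: bytes, new_money: int) -> bytes:
    """Simulate a plain XML/plist edit of the money field that leaves the old tag in place."""
    wrapper = plistlib.loads(blob)
    save = plistlib.loads(wrapper["data"])
    save["money"] = new_money
    wrapper["data"] = plistlib.dumps(save, fmt=plistlib.FMT_BINARY)
    return plistlib.dumps(wrapper, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    original = sign_save({"money": 500, "level": 3})   # constructed sample save
    print(load_save(original))                         # loads fine
    print(is_valid(edit_without_resigning(original, 900)))  # False: tag no longer matches
```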
Sorry. I know it's difficult to understand… I followed the guide from this web page http://reverse.put.as/2011/03/29/hacking-a-freemium-ios-app-contract-killer-or-unlimited-play-without-spending-a-dime-or-any-other-currency/ but I don't know how you can edit the memory before it is encrypted…
That's what you wrote:
“So my idea was to modify memory before it's encrypted. I tried to modify one byte from the money, by computing the offset from R0 where it's located and modifying its value – for example, from 500 to 900. This doesn't work for some reason, probably some further checks. While doing this, I reversed the crypt routine (it's a simple xor with a table) so I could write a small decryptor”
How could I modify the memory before it's encrypted?
“So my idea was to modify memory before it's encrypted. I tried to modify one byte from the money, by computing the offset from R0 where it's located and modifying its value – for example, from 500 to 900.” But how?
You have to decrypt the binary, disassemble it and find where the right place is to breakpoint and modify the values.
Then you have to run the application under a debugger (gdb or lldb) and modify the values.
To sum up, you need to reverse engineer the binary and understand where you need to patch or modify things.
There's no game trainer that I know of for iOS, so you can't compare memory values, for example.
>>>>>>> ssh root@ip
>>>>>>> att GameID
>>>>>>> b *0xADRESS (the address of the Encrypt function from the decrypted binary)
When the game stops:
>>>>>>> x/30s $r0
Now I can see the save game unencrypted… What do I do next if I only want to change a value?
Use the set command to modify memory.
——> att AppID
——> b *0xADRESS
——> x/30s $r0
Now I can see (it's an example):
——> 0xADRESS000 “\ ”
How can I change the value for coins using the terminal once I am at this stage??
Thanks. I know it is frustrating for you.
Google is your friend: http://stackoverflow.com/questions/3305164/how-to-modify-memory-contents-using-gdb
OK… it helps me.
It's supposed I know where the offset is with the breakpoint. Should I mod the values of the Decrypt/Encrypt function? Or do I have to mod the save game when it isn't encrypted yet?
I have no idea about your target. There are many ways of doing game trainers. You could modify memory values and the game will save the value itself and everything is good, you could create save games with your own data, and so on. It depends on the target.