iPhone: Dumping Game Memory and Injecting Custom Code into Games

Prerequisites: 

iPhone

=Overview=
This is a tutorial for game hacking, this is the first degree of hacking for Iphone games yet and I'm hoping that it will evolve into something bigger. This kind of hacking if done correctly could lead to code injection to make your character jump 1000ft instead of 2ft, make your car go 20x faster and lead to invunerability in fighting games. I'm hoping that someone takes this idea and make a terminal app to make this alot easier for people (searchers and what not) but since this is the first of its kind for iphone you'll have to live with using the GNU debugger as your weapon lol. Which is very strong if used correctly.
This tutorial Explains how to Lock your game, Dump multiple copies of your Memory so that they may be compared to find special addresses, then inject your custom address values back into the game.

LETS BEGIN :]

1.SSH to your iphone from your OS.

Windows - Putty - PuTTY Download Page
Mac Os/Linux - Terminal

2. Go to Cydia and install GNU Debugger if you havn't already.

3.Take the non-encrypted IPA that you have on your computer and extract it. (if you downloaded it cracked then its already non-encrypted)
Inside of the .app folder you will see a file with the name of the game on there with no extension.

Example:
Im hacking TouchGrind.app so when I go inside of it I see a file called just "TouchGrind" (Its usually the biggest file in that folder)

Now boot up a file transfer application that supports SFTP (also known as SSH-FTP). WinSCP for Windows is good, as are Transmit (Shareware, but excellent) and Cyberduck (Free) for Mac, and gFTP for Linux. Test it by setting up a connection to your iPhone (get your iPhone***8217;s IP address from Settings ***8211;> Wi-Fi ***8211;> Right-arrow next to your wifi conneciton ***8211;> IP Address) over the SFTP protocol. The username for the connection is ***8216;root***8217;, and the default password is ***8216;alpine***8217;.

Then upload your MainDataFile (the file inside of your .app folder that we just talked about, Mines "TouchGrind") to /var/root/
We will be using this file later.

4.SSH to your iphone from your OS. (Same Username and Password - root:alpine)

Windows - Putty - PuTTY Download Page
Mac Os/Linux - Terminal

Now we are going to get the stack size of the program in the memory so that when we try to make a dump of our memory later we can know exactly how much to dump so we don't get to big of a file and then there would be no point in trying to hack the game lol.

While in SSH with your iphone use the command
Code:
otool -l MAINDATAFILE | grep crypt

Note: Replace the words MAINDATAFILE with the name of the file that we just uploaded to our Iphone, remember mine was TouchGrind.
Now you should get something like this

Code:
cryptoff 4096
cryptsize 913408
cryptid 0

We want the cryptsize number (Yours Will probably be different). cryptoff should be 4096 and cryptid should be 0. Now take your cryptsize number and convert it from decimal to hex. You can easily do this with this website.

DECIMAL to BINARY conversion, DECIMAL to HEX converter, Decimal to Hexadecimal convertor

913408 converted to hex is DF000 (Yours will be different then mine)

SAVE THIS HEX Value! Write it into a text file in your computer or write it down

5.Now go back to your dashboard on your iphone and Boot the game you want to Hack up. Once it***8217;s running, type the following into your ssh tunnel on your computer and press Enter:
Code:
ps ax

You***8217;ll get a massive list of every running process on your phone. It looks similar to this:
Code:
PID TT STAT TIME COMMAND
1 ?? s 0:00.00 /sbin/launchd
12 ?? s 0:00.00 /usr/sbin/mDNSResponder -launchd
13 ?? s 0:00.00 /usr/sbin/notifyd
14 ?? s 0:00.00 /usr/sbin/syslogd
15 ?? s 0:00.00 /usr/sbin/configd
19 ?? s 0:00.00 /usr/sbin/update
20 ?? s 0:00.00 /usr/libexec/lockdownd
23 ?? s 0:00.00 /System/Library/PrivateFrameworks/IAP.framework/Support/iapd
24 ?? s 0:00.00 /usr/sbin/fairplayd
28 ?? s 0:00.00 /System/Library/PrivateFrameworks/CoreTelephony.framework/Support/CommCenter
29 ?? s 0:00.00 /usr/sbin/BTServer
819 ?? s 0:00.00 /usr/sbin/mediaserverd
1325 ?? s 0:00.00 /System/Library/CoreServices/SpringBoard.app/SpringBoard
1327 ?? s 0:00.00 /var/stash/Applications.1SLxl9/MobilePhone.app/MobilePhone
1695 ?? s 0:00.00 /var/stash/Applications.1SLxl9/MobileMail.app/MobileMail
1705 ?? s 0:00.00 /System/Library/Frameworks/SystemConfiguration.framework/SCHelper
1790 ?? s 0:00.00 /var/mobile/Applications/3015A1D1-0421-31A2-2DD9-15E0A2F235A1/TouchGrindl.app/TouchGrind
1791 ?? s 0:00.00 /usr/libexec/launchproxy /usr/sbin/sshd -i
1792 ?? 0:00.00 /usr/sbin/sshd -i
1797 ?? s 0:00.00 /usr/libexec/amfid
1793 s000 s 0:00.00 -sh
1798 s000 + 0:00.00 ps ax

The very first column that says PID is what we***8217;re interested in. PID stands for Process ID, and it***8217;s a number that gets assigned to each running process. One of these processes is the currently running app, so scan down through the final column (COMMAND) until you find your app. In my case, the app I ran is TouchGrind, and its pid is 1790. Make a note of your PID.

In your terminal window, type the following ***8212; but replace the letters PID with the actual PID number you just found:
Code:
gdb -p PID

So, for example, I would type:
Code:
gdb -p 1790

Now you SEE WHAT JUST HAPPENED - YOUR APP FROZE. This meens that all the values for that game are locked.

3. Now we are going to make our first dump of the memory! You should be in the (gdb) prompt while doing this. Remember that Hex value that I told you to save, well now here is were you use it. Replace the text "HexValueHere" with your hex value that you saved.

So now we will type:
Code:
dump ihex memory dump1.dmp 0x2000 0xHexValueHere

My Example:
dump ihex memory dump1.dmp 0x2000 0xDF000

What this line of code is saying is Dump the Memory(dump) in Hex format(ihex) starting from offset from 0x2000 to your value and naming it dump1.dmp.

CONGRADULATIONS you just made your first Game Memory Dump. Now the points of these dumps are to get 2 different dumps that have different values in them so that you can compare them and find the address of sayyy your score and edit it.

Example:
You boot your game of Touchgrind and get 16,847 during the game, well during that you

1.Freeze the game with that score:
gdp -p ProcessID (remember your process id)

2.Dump the memory:
dump ihex memory dump1.dmp 0x2000 0xHexValueHere

3.Unfreeze the game:
quit

Then you skate for 20 more seconds and now you have a score of 53,832

1.Freeze the game with that score:
gdp -p ProcessID (remember your process id)

2.Dump the memory AGAIN and rename it to dump2.dmp:
dump ihex memory dump2.dmp 0x2000 0xHexValueHere

3.Unfreeze the game:
quit

6.Fire up your SFTP client again and navigate to /var/root. Now there should be a files called ***8216;dump1.dmp & dump2.dmp' there

7. Compare your 2 dumps ECT...... (tons of tutorials online on how to compare dumps, Sketch will probably write one.)

8. To inject your code boot back up through ssh, Run your app again. Freeze it again with your pid.
Code:
gdb -p 1790

Then now for the fun part,TESTING INJECTION of code!!!
While in gdb.

code:
set * (Address You want to hack) = (Orginal + New Offset)
set * 0x08049d24 = 0x40003000 + 0x000034

Tutorial Written
By LoGiKz of OneHitGamer.com

REVIEW:
Everything you just did was accually really simple , you just have to get the concept down. You just did this in this order and this can be used as a refernce if you dont wan't to go back through everything.

1. Put the games data file on your Ipod
Extract and SFTP

2. Get the CryptID and Convert to Hex
otool -l MAINDATAFILE | grep crypt

3. Get the ProcessID
ps ax

4. Freeze the game
gdb -p ProcessID

5. Dump the Memory as many times as needed with the values you supplied
dump ihex memory dump1.dmp 0x2000 0xHexValueHere

6. Inject Code
set * (Address You want to hack) = (Orginal + New Offset)

Shout to the Iphone Dev Team - I got alot of my research from them.
If someone with Iphone Toolchain Exp. would like to get together to design a better terminal program then email me, it would be a awesome experience.

Thank you,
LoGiKz/zkoolkyle