What do we need?

1. a) First of all we need the main file (the executable file) of the game we want to hack. It has no extension and it is found inside the 'game.app' folder on your idevice, inside the .ipa package (open it with WinRAR). b) IDA Pro v5.5. c) A hex-editor (I use Hex Workshop).

2. You must also have some basic knowledge of ASM/ARM. In ARM we'll work with registers. R0 is the most common register that returns a value from a function. Let's say we have the function 'CreatePlayer'. After the function is executed, R0 could hold 1 or 0 (true or false). If it's 1 then the player has successfully been created. Another example: the function 'IsMissionUnlocked'. If this function returns 1 in R0, then the mission is unlocked. There are also instructions like 'MOV R2, R4'. Well, as its name suggests, the value in R4 is moved (copied) to R2. A branch instruction is the equivalent of the 'JMP' instruction in ASM. 'BL sub_C45E8' will call the function located at 'C45E8'; it's the equivalent of the 'call' instruction in ASM. CMP stands for 'compare'.

PART 1

First I'm going to show you how to do a hack when you get an 'error' message like 'not enough money' etc. Play the game a little until you arrive at Crazy Dave's shop. Try to buy something that you don't have money for. Write that message down on a piece of paper or just remember it. Now drag & drop the 'PvZ' file onto the IDA shortcut on your desktop. A message should appear asking if it's ok to change the processor type to ARM. Just choose 'ARM' as processor type from the drop-down list and click ok. A message box will appear telling you something about 'thumb mode' and 'arm mode'. Now you'll have to wait until IDA finishes analysing the file. When IDA finishes, the following screen should appear:

Now click on 'TEXT VIEW' like in the above picture. This is for switching from 'graph view' to 'text view'. We need to track down the 'not enough money' message, so open the Strings subview in IDA: View->Open subview->Strings (or press SHIFT+F12). All the game strings (messages, texts, errors etc.) are displayed here. We want to look for our 'error' message with 'not enough money'. Now just write 'not enough money' in the search form and press ok. And voila! IDA found the message. Here's the picture:

Now we just double-click on it and we will be here: 'aNotEnoughMoney' is the operand containing the 'not enough money' string. Let's see where it's used in the program. To see this, we right-click on it and select 'jump to xref to operand' (or click on it and press 'X'). Now click ok with the 'sub_C6EF8+390' line highlighted. You will be here:

As you can see, the 'not enough money' dialog message is built here (containing the 'you can't afford this item yet.' text and the 'Ok' button of the message dialog). We want to find where the game calls this 'not enough money' routine. If you look more carefully, you can see we have cross references for location 'loc_C7278', which is the beginning of our 'not enough money' message dialog. So let's see who calls this 'not enough money' routine. Right-click on 'loc_C7278' and choose 'jump to xref to operand' (or click it and press 'X'). Now just click ok, and the following should appear:

Ok. So the code
CMP R0, #0
BEQ loc_C45E8
can be interpreted as: IF R0 = 0 then go to location C45E8 (BEQ stands for 'branch if equal'). So now we know that if R0 = 0 the 'not enough money' message is shown. What can we do about it? Well, we can wipe out these 2 instructions: the CMP R0, #0 and the BEQ loc_C45E8. How do we do this? We can't just delete the instructions. Well, in ARM as well as in ASM, there is one instruction that does nothing. It's called NOP (no operation). So all we have to do is overwrite the 'CMP R0, #0' with a NOP and the 'BEQ loc_C45E8' with another NOP. But there's one little problem: in the hex-editor we can't just write ARM instructions. All we can do is modify the hex that stands for the ARM instructions. To see the corresponding hex values of the ARM instructions, we can switch to Hex View in IDA. Let's highlight the 'CMP R0, #0' and push the 'Hex View-A' button in IDA. Here's the picture:

As you can see, the corresponding hex for the 'CMP R0, #0' instruction is 00 00 50 E3.
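To make the hex-to-instruction relationship concrete, here is an added Python example (not from the tutorial) that decodes the little-endian ARM words discussed above, CMP R0, #0 and BEQ loc_C45E8, computes the branch target, and replaces the pair with NOPs the way the hex patch does. The load address 0xC45C0 and the MOV R0, R0 NOP encoding are assumptions, since the tutorial gives neither; the decoder also handles BL and rotated immediates, which goes beyond the two instructions on the page.

```python
import struct
# Condition-code suffixes indexed by bits 31:28; 14 (AL) is written with no suffix.
COND = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
        "HI", "LS", "GE", "LT", "GT", "LE", "", "NV"]
# Classic ARM-state NOP, MOV R0, R0. Assumption: the tutorial never spells out which NOP
# bytes it writes; this encoding is accepted by every core that runs ARM-state code.
ARM_NOP = bytes.fromhex("0000A0E1")

def ror32(value, amount):
    amount %= 32
    return ((value >> amount) | (value << (32 - amount))) & 0xFFFFFFFF

def decode(addr, insn):
    """Disassemble one little-endian ARM word at `addr` (CMP/MOV and B/BL forms only)."""
    w = struct.unpack("<I", insn)[0]
    cond, form = COND[w >> 28], (w >> 25) & 0b111
    if form == 0b101:                      # B/BL: signed 24-bit word offset from addr+8
        off = w & 0xFFFFFF
        off -= 0x1000000 if off & 0x800000 else 0   # sign-extend
        target = (addr + 8 + (off << 2)) & 0xFFFFFFFF
        return f"{'BL' if (w >> 24) & 1 else 'B'}{cond} 0x{target:X}"
    if form in (0b000, 0b001):             # data-processing, register or immediate operand
        opcode, s = (w >> 21) & 0xF, (w >> 20) & 1
        rn, rd = (w >> 16) & 0xF, (w >> 12) & 0xF
        if form == 0b001:                  # imm8 rotated right by 2 * rotate field
            op2 = f"#{ror32(w & 0xFF, 2 * ((w >> 8) & 0xF))}"
        elif ((w >> 4) & 0xFF) == 0:       # plain register operand, no shift
            op2 = f"R{w & 0xF}"
        else:
            return f"<unsupported 0x{w:08X}>"
        if opcode == 0xA and s:            # CMP always sets flags and has no Rd
            return f"CMP{cond} R{rn}, {op2}"
        if opcode == 0xD:
            text = f"MOV{cond} R{rd}, {op2}"
            return text + " (NOP)" if insn == ARM_NOP else text
    return f"<unsupported 0x{w:08X}>"

def disassemble(base, blob):
    return [decode(base + i, blob[i:i + 4]) for i in range(0, len(blob), 4)]

def nop_out(blob, offset, count):
    """Return a copy of `blob` with `count` words at byte `offset` replaced by NOPs."""
    if offset % 4 or offset + 4 * count > len(blob):
        raise ValueError("offset must be word-aligned and inside the blob")
    return blob[:offset] + ARM_NOP * count + blob[offset + 4 * count:]

# Constructed sample: the CMP R0, #0 / BEQ loc_C45E8 pair, placed at made-up address
# 0xC45C0 so the BEQ's 7-word offset lands on 0xC45E8 (the CMP bytes match the tutorial).
BASE, SAMPLE = 0xC45C0, bytes.fromhex("000050E3" "0700000A")
```

Running disassemble over the bytes before and after nop_out is the check to make after saving the patched file: the CMP/BEQ pair must read back as two NOPs and nothing else in the region should have shifted.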