clugh
commented
8 years ago It has been a few months since I've used the debugger, so I'm a little fuzzy on the details, but if I recall correctly, I had to use an old version (6.5) of IDA on a physical arm Kitkat device. Every other configuration I tried was very unstable. Even when it was working, I never figured out a good way to easily get the contents of variables, so I had to copy blocks of memory into a hex editor to make heads or tails of the info.
I have since switched to Frida for tracing functions. It doesn't allow you to step through execution line by line, but I can easily see all the inputs and outputs of any function. I use the x86 version in Bluestacks, as the function name refers directly to the offset in memory, so if I find sub_442999, for example, I can attach to module.base_address + 0x442999.
See Interceptor.attach for more info on attaching to an address. I originally tried to leverage as much of the Python API as possible, so I'm currently using enumerate_modules to find the base address, but Module.findBaseAddress is probably a better way to go about it.
You can also check out my old handlers and test repos or the old frida branch of my proxy for some reference material. They aren't useful as-is, though, as Supercell stripped the debug symbols for the crypto functions in later releases.
I started using custom scripts in lieu of frida-trace/tracer.py to reduce overhead. You can see a good example here.
Note: Since you'll be using frida-server on a remote device over ADB, you'll have to use frida.get_usb_device().attach() instead of frida.attach(). Assuming it hasn't already made it into their standard releases, you can find a test build of frida-server for x86 here.
Hey,
I've been working on writing command specs for 24113. Staring at the hex is a bit limited as the structure of that message seems much more complicated than simpler ones like 24403/24413/24405 which I have working (but not clean enough for a PR yet).
I've been trying to debug the game with ida but struggling a bit. I can decompile the libg.so and locate the place parsing the message (I think sub_A66C4 on ARM), but without seeing some actual data going through to inspect and step through I'm a bit stuck on writing my own parser.
I've tried to debug the game by loading the apk/classes.dex in ida, which work fine, but i can't find how to step into the libg.so. I've spent hours on google trying to find how to do it with no success (closest I've found was someone suggesting having 2 instances, one for the dex and the other for the .so, but no explanation on how to link the two).
If you could spend a few minutes explaining how you do it, it would allow me to contribute more message specs too.
Thanks