Ted2 (Senior Member, 4,939 posts)

Everything posted by Ted2

  1. Thanks guys!
  2. Hey, I think this is something that checks if the value is legit: BLX.W _objc_msgSend. In hex it is: AA F3 14 CF. But NOP in hex is: 00BF. So I guess that won't work, so how can I NOP this? Thank you in advance.
  3. Hey, so I want to try to hack a game using LLDB, but I didn't get far, since I can't even SSH into my iPhone 6s. Some info:
       - iPhone 6S running iOS 9.3.3, jailbroken
       - Using a MacBook Pro
       - OpenSSH is installed on my phone
     Run command:
       ssh root@***.***.***.***
     error:
       ssh: connect to host ***.***.***.*** port 22: Network is unreachable
     Help would be awesome.
  4. Is this the whole function? Because I don't see .end method anywhere. So please, can you write the whole function?
  5. There are 3 cases that can cause this problem:
     Case 1. The most probable reason is that you enabled Find My iPhone on your iPad or iPhone. You can temporarily disable it, then try to restore again, and re-enable it after the restore has completed. To turn off Find My iPhone on an iOS device, tap Settings > iCloud, then tap to turn off Find My iPhone.
     Case 2. Your iPad or iPhone is busy. E.g. you do a restore with iTunes and the restore process is not completed, then you do a restore with iBackupBot; the error will occur. You can try to restore your iPad or iPhone two more times.
     Case 3. If you try the methods in case 1 and case 2 and the problem is still not resolved, you can try restoring your device with iTunes on a different known-good computer. If the errors persist on another computer, the device may need service; just take it to an Apple Store.
  6. Thank you, m8
  7. Hey there,
     A few days ago, I figured out how a game I've been hacking for years added protection to their game. Their protection compared stored values with the original values in classes.dex (smali files).

     What does CRC do? The CRC protection will detect if the game files have been modified. For example, if you change a simple coin value from 0x9 to 0xfff, the game will notice the original code has been changed and it will probably crash. CRC protection has its own value/key, which is stored somewhere in resources as a string. Example: 0x7f050017

     How do we bypass it? I've never seen this kind of protection in any game before, but that might be because I don't really hack that much anymore. Anyway, I've read somewhere that this kind of protection is getting more popular, so that's why I'll teach you how we bypass it. As I said, this protection compares using classes.dex. Open up a text editor which can read .smali files, go to 'find in files' and locate your decompiled apk. Search for: classes.dex. I'm not sure how many hits you get; I got 2 hits.

     1:
       .method private static a(Ljava/util/zip/ZipFile;Ljava/util/zip/ZipEntry;Ljava/io/File;Ljava/lang/String;)V
           .locals 6
           .prologue
           .line 308
           invoke-virtual {p0, p1}, Ljava/util/zip/ZipFile;->getInputStream(Ljava/util/zip/ZipEntry;)Ljava/io/InputStream;
           move-result-object v1
           .line 310
           const-string v0, ".zip"
           invoke-virtual {p2}, Ljava/io/File;->getParentFile()Ljava/io/File;
           move-result-object v2
           invoke-static {p3, v0, v2}, Ljava/io/File;->createTempFile(Ljava/lang/String;Ljava/lang/String;Ljava/io/File;)Ljava/io/File;
           move-result-object v2
           .line 312
           const-string v0, "MultiDex"
           new-instance v3, Ljava/lang/StringBuilder;
           invoke-direct {v3}, Ljava/lang/StringBuilder;-><init>()V
           const-string v4, "Extracting "
           invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
           move-result-object v3
           invoke-virtual {v2}, Ljava/io/File;->getPath()Ljava/lang/String;
           move-result-object v4
           invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
           move-result-object v3
           invoke-virtual {v3}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
           move-result-object v3
           invoke-static {v0, v3}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I
           .line 314
           :try_start_0
           new-instance v3, Ljava/util/zip/ZipOutputStream;
           new-instance v0, Ljava/io/BufferedOutputStream;
           new-instance v4, Ljava/io/FileOutputStream;
           invoke-direct {v4, v2}, Ljava/io/FileOutputStream;-><init>(Ljava/io/File;)V
           invoke-direct {v0, v4}, Ljava/io/BufferedOutputStream;-><init>(Ljava/io/OutputStream;)V
           invoke-direct {v3, v0}, Ljava/util/zip/ZipOutputStream;-><init>(Ljava/io/OutputStream;)V
           :try_end_0
           .catchall {:try_start_0 .. :try_end_0} :catchall_0
           .line 316
           :try_start_1
           new-instance v0, Ljava/util/zip/ZipEntry;
           const-string v4, "classes.dex" <----->
           invoke-direct {v0, v4}, Ljava/util/zip/ZipEntry;-><init>(Ljava/lang/String;)V
           .line 318
           invoke-virtual {p1}, Ljava/util/zip/ZipEntry;->getTime()J
           move-result-wide v4
           invoke-virtual {v0, v4, v5}, Ljava/util/zip/ZipEntry;->setTime(J)V
           .line 319
           invoke-virtual {v3, v0}, Ljava/util/zip/ZipOutputStream;->putNextEntry(Ljava/util/zip/ZipEntry;)V
           .line 321
           const/16 v0, 0x4000
           new-array v4, v0, [B
           .line 322
           invoke-virtual {v1, v4}, Ljava/io/InputStream;->read([B)I
           move-result v0
           .line 323
           :goto_0
           const/4 v5, -0x1
           if-eq v0, v5, :cond_0
           .line 324
           const/4 v5, 0x0
           invoke-virtual {v3, v4, v5, v0}, Ljava/util/zip/ZipOutputStream;->write([BII)V
           .line 325
           invoke-virtual {v1, v4}, Ljava/io/InputStream;->read([B)I
           move-result v0
           goto :goto_0
           .line 327
           :cond_0
           invoke-virtual {v3}, Ljava/util/zip/ZipOutputStream;->closeEntry()V
           :try_end_1
           .catchall {:try_start_1 .. :try_end_1} :catchall_1
           .line 329
           :try_start_2
           invoke-virtual {v3}, Ljava/util/zip/ZipOutputStream;->close()V
           .line 331
           const-string v0, "MultiDex"
           new-instance v3, Ljava/lang/StringBuilder;
           invoke-direct {v3}, Ljava/lang/StringBuilder;-><init>()V
           const-string v4, "Renaming to "
           invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
           move-result-object v3
           invoke-virtual {p2}, Ljava/io/File;->getPath()Ljava/lang/String;
           move-result-object v4
           invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
           move-result-object v3
           invoke-virtual {v3}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
           move-result-object v3
           invoke-static {v0, v3}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I
           .line 332
           invoke-virtual {v2, p2}, Ljava/io/File;->renameTo(Ljava/io/File;)Z
           move-result v0
           if-nez v0, :cond_1
           .line 333
           new-instance v0, Ljava/io/IOException;
           new-instance v3, Ljava/lang/StringBuilder;
           invoke-direct {v3}, Ljava/lang/StringBuilder;-><init>()V
           const-string v4, "Failed to rename \""
           invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
           move-result-object v3
           invoke-virtual {v2}, Ljava/io/File;->getAbsolutePath()Ljava/lang/String;
           move-result-object v4
           invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
           move-result-object v3
           const-string v4, "\" to \""
           invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
           move-result-object v3
           invoke-virtual {p2}, Ljava/io/File;->getAbsolutePath()Ljava/lang/String;
           move-result-object v4
           invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
           move-result-object v3
           const-string v4, "\""
           invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
           move-result-object v3
           invoke-virtual {v3}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
           move-result-object v3
           invoke-direct {v0, v3}, Ljava/io/IOException;-><init>(Ljava/lang/String;)V
           throw v0
           :try_end_2
           .catchall {:try_start_2 .. :try_end_2} :catchall_0
           .line 337
           :catchall_0
           move-exception v0
           invoke-static {v1}, Landroid/support/c/b;->a(Ljava/io/Closeable;)V
           .line 338
           invoke-virtual {v2}, Ljava/io/File;->delete()Z
           throw v0
           .line 329
           :catchall_1
           move-exception v0
           :try_start_3
           invoke-virtual {v3}, Ljava/util/zip/ZipOutputStream;->close()V
           throw v0
           :try_end_3
           .catchall {:try_start_3 .. :try_end_3} :catchall_0
           .line 337
           :cond_1
           invoke-static {v1}, Landroid/support/c/b;->a(Ljava/io/Closeable;)V
           .line 338
           invoke-virtual {v2}, Ljava/io/File;->delete()Z
           .line 340
           return-void
       .end method

     This method is long as hell and doesn't seem to have any value or key like 0x7f050017 etc. Also, it didn't seem interesting to me because it didn't have any interesting .smali places like com/gamecreators/gamename, just android/support.

     Let's look at hit 2.
       .method public a()Z
           .locals 6
           .prologue
           const/4 v1, 0x0
           .line 34
           new-instance v0, Ljava/util/zip/ZipFile;
           iget-object v2, p0, Lcom/companyname/test/e;->a:Landroid/content/Context;
           invoke-virtual {v2}, Landroid/content/Context;->getPackageCodePath()Ljava/lang/String;
           move-result-object v2
           invoke-direct {v0, v2}, Ljava/util/zip/ZipFile;-><init>(Ljava/lang/String;)V
           .line 35
           const-string v2, "classes.dex" <----->
           invoke-virtual {v0, v2}, Ljava/util/zip/ZipFile;->getEntry(Ljava/lang/String;)Ljava/util/zip/ZipEntry;
           move-result-object v2
           .line 36
           const-string v3, "classes2.dex" <------>
           invoke-virtual {v0, v3}, Ljava/util/zip/ZipFile;->getEntry(Ljava/lang/String;)Ljava/util/zip/ZipEntry;
           move-result-object v3
           .line 38
           invoke-virtual {v0, v2}, Ljava/util/zip/ZipFile;->getInputStream(Ljava/util/zip/ZipEntry;)Ljava/io/InputStream;
           move-result-object v2
           .line 39
           invoke-virtual {v0, v3}, Ljava/util/zip/ZipFile;->getInputStream(Ljava/util/zip/ZipEntry;)Ljava/io/InputStream;
           move-result-object v0
           .line 41
           invoke-direct {p0, v2}, Lcom/companyname/test/e;->a(Ljava/io/InputStream;)Ljava/lang/String;
           move-result-object v3
           .line 42
           invoke-direct {p0, v0}, Lcom/companyname/test/e;->a(Ljava/io/InputStream;)Ljava/lang/String;
           move-result-object v0
           .line 47
           :try_start_0
           invoke-direct {p0}, Lcom/companyname/test/e;->b()Ljava/security/PublicKey;
           move-result-object v2
           .line 48
           const v4, 0x7f050017 ###
           invoke-direct {p0, v4}, Lcom/companyname/test/e;->a(I)[B
           move-result-object v4
           .line 49
           const v5, 0x7f050016 ###
           invoke-direct {p0, v5, v4, v2}, Lcom/companyname/test/e;->a(I[BLjava/security/PublicKey;)Z
           :try_end_0
           .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0
           move-result v2
           .line 51
           if-eqz v2, :cond_1
           .line 52
           const v4, 0x7f050016 ###
           :try_start_1
           invoke-direct {p0, v4, v3, v0}, Lcom/companyname/test/e;->a(ILjava/lang/String;Ljava/lang/String;)Z
           :try_end_1
           .catch Ljava/lang/Exception; {:try_start_1 .. :try_end_1} :catch_1
           move-result v0
           .line 58
           :goto_0
           if-eqz v2, :cond_0
           if-eqz v0, :cond_0
           const/4 v1, 0x1
           :cond_0
           return v1
           .line 55
           :catch_0
           move-exception v0
           move v0, v1
           :goto_1
           move v2, v0
           move v0, v1
           goto :goto_0
           :catch_1
           move-exception v0
           move v0, v2
           goto :goto_1
           :cond_1
           move v0, v1
           goto :goto_0
       .end method

     This one gets interesting. The values in this function marked with ### and the location (which I did rename), com/companyname/test/e, are interesting. Okay, I believe there are like 5 ways to bypass the check. I'm gonna tell you the most simple one. The function name, what does it say? (the beginning of the code I added)
       .method public a()Z
     Z = BOOLEAN in smali. Let's look under the function name:
       .method public a()Z
           .locals 6
           .prologue
           const/4 v1, 0x0
     0x0 = false, 0x1 = true. Since we're pretty sure the method is the CRC protection, change 0x0 to 0x1. Recompile, sign & test. Why? .method public a()Z translated should be something like isOriginalClassesDex or hasNotBeenModified etc. It automatically returns false, but we want it to return true. Hope I explained it a bit well; it's complicated, so hard to explain.
     Credit: @Ted2
  8. Better not be Bluestacks 2... thanks anyway
  9. SOLVED, can't really explain how because that will be different in any app. Anyway, it's a good protection by the devs.
  10. I can recompile, install it & open it. Once I run the game it's totally bugging around, freezing, crashing etc. VERY annoying because I've no idea how they added this kind of protection.
  11. Yeah, but ANY code I do will get noticed, very annoying. Not even a hack code, just any.
  12. Hi, I try to modify some code in a game (smali). But whatever I try, the game is bugging around (closing app, closing gameplay, freezing etc.), and that's not because of my code, because this works on older versions. I think they added some protection, but I don't know if there is any protection like that already. I think they added some protection to it, not sure but yeah. Anyone know how this can be done by the devs?
  13. MOV R0, R7? Not an expert but..
  14. Contact the developers?
  15. I bought an iPhone 3GS, but I don't even know why....:lol:
  16. But the normal LDR Function started with R1.. But lemme try #I'mnoob edit: Crash
  17. You mean at the LDR function? If yes, it crashes now. Oh, so I did it wrong?
  18. Hey, this was the code I tried hacking:
        MOV R1, #(_OBJC_IVAR_$_State.coins - 0x3B080) ; Coins *coins;
        ADD R1, PC ; Coins *coins;
        LDR R1, [R1] ; Coins *coins; -----
        LDR R0, [R0,R1]
        BX LR
      TO:
        MOV R1, #(_OBJC_IVAR_$_State.coins - 0x3B080) ; Coins *coins;
        ADD R1, PC ; Coins *coins;
        MOV R1, R7 -----
        LDR R0, [R0,R1]
        BX LR
      But the coins went from 200 to 0. Did I hack the wrong thing?