Ted2
Senior Member
Posts: 4,939

Everything posted by Ted2

  1. Did you delete the current JB app? If not, do it & then try the website again.
  2. Hello Everyone! In this tutorial I'll try to explain as well as possible how to make a non-jailbroken hacked ipa. I expect you to have a little knowledge of how to install things from GitHub.

     Requirements:

     Link for Theos: https://github.com/theos/theos/wiki/Installation
     I suggest you not install it to /opt, since this can give you some installation struggle with theos-jailed. I have it installed into /users/joey/projects.

     Once you've set up theos on your mac, we need to get theos-jailed.
     Link for theos-jailed: https://github.com/kabiroberai/theos-jailed

     Once you've downloaded it, you'll need to do the following:
     1. Unzip the file you downloaded.
     2. Double click the 'install' file.

     Note: if this gives you an error, this is probably because theos is installed somewhere other than where theos-jailed thinks. Fix it by running this in terminal:

     cd into your unzipped theos-jailed folder:
     cd /path/to/unzipped/theos/jailed/folder --> for me it would be cd /users/joey/desktop/theos-jailed-master, because I installed it here.

     Run this command in the folder:
     export THEOS=/absolute/path/to/theos --> for me it would be export THEOS=/users/joey/projects/theos

     Now double click install again & it should work. Installation is done now!

     So, you installed it; now we need to set up a project like you normally would on your phone, but now in terminal, which is:
     /path/to/theos/bin/nic.pl --> for me it would be /users/joey/projects/theos/bin/nic.pl

     You'll get this:

     Choose 'iphone/jailed', which would be number 7 for me. It will ask you some questions, how you wanna call it etc. Do this well, especially the 'path to .ipa'.

     Now you'll get 2 simple files:
     1. Tweak.xm
     2. Makefile

     Now you'll write your tweak how you normally would & make changes to your Makefile if you want to. I'm pretty sure you can not only hack with hooks, since ZahirSher made an Injustice 2 non-jailbroken .ipa hack too & this is sub_x.

     You should need to set up WriteData.h like you normally would and add this into your Tweak.xm.

     Once you build your tweak, you'll need to cd into the location of your tweak:
     cd /path/to/your/tweak/folder

     What you'll need to do now is run this command in terminal: 'Make Info'
     This is where you need Xcode; terminal will give you the instructions what to do in terminal etc. Once everything is done in Xcode, it will give you the command to install your hacked .ipa (cd into your project again).
     Command: Make Package Install Profile='profilemadewithxcode'

     Now it's on your phone & you can get the full .ipa using iFunbox etc.

     There is also another way; for this you'll need AppSigner & Cydia Impactor.
     The 'Payload' folder will be located here: '/path/to/your/tweak/folder/.theos/_/Payload'
     In the Payload folder, you'll see a file that ends with .app. Drag that file into AppSigner, rename things you wanna rename & sign it. It will ask you where you wanna save it; that's up to you. Once it's done, install it using Cydia Impactor! Enjoy!

     Credits:
     @Ted2 for tutorial
     kabiroberai for theos-jailed

     If you have a question, ask below & I'll try to answer. I'm not an expert, but maybe I can help.
  3. Got a bunch of errors lol.

     /var/mobile/kimk/theos/include/substrate.h:310:20: note: candidate function [with Type_ = void] not viable: no known conversion from 'void **' to 'const char *' for 2nd argument
     static inline void MSHookFunction(MSImageRef image, const char *name, Ty...
                        ^
     /var/mobile/kimk/theos/include/substrate.h:284:20: note: candidate template ignored: deduced conflicting types for parameter 'Type_' ('void' vs. 'void *')
     static inline void MSHookFunction(Type_ *symbol, Type_ *replace, Type_ *...
                        ^
     /var/mobile/kimk/theos/include/substrate.h:303:20: note: candidate template ignored: could not match 'type-parameter-0-0 *' against 'void'
     static inline void MSHookFunction(const char *name, Type_ *replace, Type...
                        ^
     /var/mobile/kimk/theos/include/substrate.h:293:20: note: candidate function template not viable: requires 2 arguments, but 3 were provided
     static inline void MSHookFunction(Type_ *symbol, Type_ *replace) {
  4. Yes sorry..

     #import <UIKit/UIKit.h>
     #import <substrate.h>
     #import <Foundation/Foundation.h>

     //tweak.xm by Chrizk0//
     //template by DiDA//

     #define PLIST_PATH @"/var/mobile/Library/Preferences/com.Ted2.KimK.plist"

     // Reads one boolean setting from the preferences plist.
     inline bool GetPrefBool(NSString *key) {
         return [[[NSDictionary dictionaryWithContentsOfFile:PLIST_PATH] valueForKey:key] boolValue];
     }

     //make up any function relevant to your symbols.//
     int (*orig_Cash)(void *self);
     // This declaration was missing in the original post; Cheat() and the hook below use it.
     bool (*orig_Cheat)(void *self);

     //*static included before any function to obfuscate while decreasing size in compilation.*//
     static int Cash(void *self) {
         if(GetPrefBool(@"key1")) {
             return 987654321;
         } else {
             return orig_Cash(self);
         }
     }

     static bool Cheat(void *self) {
         if(GetPrefBool(@"key2")) {
             return FALSE;
         } else {
             return orig_Cheat(self);
         }
     }

     //define your symbols with mshookfunction.//
     __attribute__((constructor)) void DylibMain(){
         MSHookFunction(MSFindSymbol(NULL, "__Z16Player_AwardCashP7SPlayeri"), (void*)Cash, (void**)&orig_Cash);
         MSHookFunction(MSFindSymbol(NULL, "__Z22SceneManager_IsCheaterP13SSceneManager"), (void*)Cheat, (void**)&orig_Cheat);
     }
  5. Hi, I'm making a hack but I got into a weird problem. I made a patcher using a template from here, hacking the game using the 'new mshook way by shmoo'. Whenever I turn the hack ON in settings, the hack ain't working. (int) Whenever I turn it OFF, it works perfectly fine. (int) BUT when I turn a boolean function, 'isCheater', ON, it does work. I've checked my tweak.xm, but it's fine. I'm confused as f**k. Anyone got a solution?
  6. Thanks!
  7. So, if I wanna know the armv7 offset I gotta thin the binary & then I can figure the arm64 offset out too? Or am I wrong here?
  8. Ok, thank you! Alright, thanks both of you.
  9. Hi, I'm trying to learn LLDB. I got an offset but it's arm64 for sure; can we get the armv7 offset too? Or can we figure the armv7 offset out using the arm64 one? Hope someone knows the answer! Thank you
  10. This does not jailbreak your device. It re-jailbreaks it. So get the jailbreak first from the official Pangu site & when that app crashes, use the site you just used. http://en.pangu.io/help.html
  11. Sometimes things get written like "name" in the apk function. Then you search in iOS strings for that. If the android function doesn't have something like "name" in the hack function, try to find the closest thing that does, find that in iOS strings & try to scroll to the right function that looks like the android one. I think there are other ways too, but this is one way.. At least I think.
  12. We actually got it working yesterday.. We just had to ignore the error lol
  13. Solved, thanks @Zimon & @xiaov & @UnboundGodz
  14. Alright, I tried it again, rebooted first, closed all applications, still the same problem.

      Terminal window 1:
      iPhone-van-Joey:~ root# debugserver 192.168.***.***:23 --attach=FraggerFree
      debugserver-@(#)PROGRAM:debugserver PROJECT:debugserver-320.2.89 for arm64.
      Attaching to process FraggerFree...
      Listening to port 23 for a connection from 192.168.***.***...
      Waiting for debugger instructions for process 0.

      Terminal window 2:
      MacBook-Pro:~ Joey$ lldb
      (lldb) process connect connect://192.168.***.***:23
      Process 746 stopped
      * thread #1: tid = 0x16b3, 0x2111f8a8 libsystem_kernel.dylib`mach_msg_trap + 20, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
          frame #0: 0x2111f8a8 libsystem_kernel.dylib`mach_msg_trap + 20
      libsystem_kernel.dylib`mach_msg_trap:
      ->  0x2111f8a8 <+20>: pop {r4, r5, r6, r8}
          0x2111f8ac <+24>: bx lr
      libsystem_kernel.dylib`mach_msg_overwrite_trap:
          0x2111f8b0 <+0>: mov r12, sp
          0x2111f8b4 <+4>: push {r4, r5, r6, r8}

      I don't get the problem. My device isn't slow at all; an iPhone 6s is not slow at all.
  15. Yes, on every app.. Alright, I'll try the first thing, but the second thing is done already.
  16. Hi! I've been trying to connect LLDB to an application this whole day, but it doesn't seem to work... Also Zimon tried helping me using TeamViewer, no success. The process always stops...

      (lldb) process connect connect://192.168.x.x:23
      Process 975 stopped
      * thread #1: tid = 0x3f69, 0x0000000180d58fd8 libsystem_kernel.dylib`mach_msg_trap + 8, stop reason = signal SIGSTOP
          frame #0: 0x0000000180d58fd8 libsystem_kernel.dylib`mach_msg_trap + 8
      libsystem_kernel.dylib`mach_msg_trap:
      ->  0x180d58fd8 <+8>: ret
      libsystem_kernel.dylib`mach_msg_overwrite_trap:
          0x180d58fdc <+0>: movn x16, #0x1f
          0x180d58fe0 <+4>: svc #0x80
          0x180d58fe4 <+8>: ret
      (lldb) c
      Process 975 resuming
      Process 975 exited with status = -1 (0xffffffff) lost connection

      Why is this happening? I've tried replacing the debugserver file that Zimon used too, not working either.. I'm on iOS 9.3.3 on an iPhone 6s. Hope someone can help! Thank you in advance!
  17. I've read somewhere that it's not always the exact offset. Not sure if that was lldb or gdb..
  18. Stay on 9.3.3, also 9.3.3 is jailbreakable & it's awesome.