Happy Secret

28 minutes ago, Laxus said:

You can use Ted2 Menu and build it or you can request Rook to access the tool if you plan on making cheat

https://iosgods.com/topic/137415-iosgods-online-theos-easily-make-compile-your-tweaks/?do=findComment&comment=4377206

Thanks for the advice. I don’t have a jailbroken device. I am pretty much a very casual hacker. I am not sure if I am eligible to make cheat for iOSGods.

And I have no experience on Ted2 Menu yet. Haha. 

1 hour ago, AyeJayyy said:

Yoo thx but how do I find this?? I can't click on anything

Do you how to do offset patching yourself? (DIY)

Two simple way

1. Follow this guide to use H5GG - 

2. Download a Hex Editor for your platform (Windows/Mac). Follow above tutorial to download the decrypted binary -> Edit the "UnityFramework" binary -> repackage the ipa then sideload. 

Or if you do not know how to DIY yourself, then may need iOSGods leader here to make this iOSGods App ready. 

@Rook @Laxus @Zahir Do you know who can help make a iOSGods ready hack with the above offset? 

1 minute ago, Rook said:

Which app is this?

Idle VLogger latest version 

3 minutes ago, Rook said:

Perfect! We did implement new fixes to 0.3.0 with added support for more apps.

Happy to hear!

But not sure why when load the metadata dump and UnityFramework with https://armconverter.com/il2cppdumper/. 
I still got follow message.

Starting il2cppdumper on 2023-01-20 16:18:39.216587

Initializing metadata...
Metadata Version: 29
Initializing il2cpp file...
Il2Cpp Version: 29
Searching...
System.InvalidOperationException: Sequence contains no matching element
  at System.Linq.Enumerable.First[TSource] (System.Collections.Generic.IEnumerable`1[T] source, System.Func`2[T,TResult] predicate) [0x00015] in <d22af090bceb4be792f53595cf074724>:0 
  at Il2CppDumper.Macho64.MapVATR (System.UInt64 addr) [0x0000d] in <db8182c1b351438a8097566295703173>:0 
  at Il2CppDumper.SectionHelper.FindMetadataRegistrationV21 () [0x00097] in <db8182c1b351438a8097566295703173>:0 
  at Il2CppDumper.SectionHelper.FindMetadataRegistration () [0x00035] in <db8182c1b351438a8097566295703173>:0 
  at Il2CppDumper.Macho64.PlusSearch (System.Int32 methodCount, System.Int32 typeDefinitionsCount, System.Int32 imageCount) [0x00011] in <db8182c1b351438a8097566295703173>:0 
  at Il2CppDumper.Program.Init (System.String il2cppPath, System.String metadataPath, Il2CppDumper.Metadata& metadata, Il2CppDumper.Il2Cpp& il2Cpp) [0x002f9] in <db8182c1b351438a8097566295703173>:0 
ERROR: An error occurred while processing.

Total time for il2cppdumper: 0:00:03.610366

========

Il2cppdumper did not produce any files. Probably something is wrong with the executable or metadata?

14 minutes ago, Rook said:

Thank you for the report. Shall be investigated!

Interesting, I can install the new iGG v0.3.0 with Idle Vlogger. I can also use the metadata dumper feature as well. 

I also experienced a few recently.

Example, Idle Vlogger 

I can install with H5GG but not iGameGod. 

Already pass tutorial, not sure why. 

iGameGod got a new feature - Dumping iOS Unity's global-metadata.dat from Memory/Runtime using iGameGod. 
Let me see if it helps or not

On 1/19/2023 at 10:46 PM, AlyssaX64 said:

It could be protected global metadata or unsupported unity version. 

Try frida-il2cpp-bridge module to dump the app at runtime instead:

https://github.com/vfsfitvnm/frida-il2cpp-bridge

Cool, does it support non-jailbroken iOS device? 
 

i only have non-jailbroken device 

Oh my God!!! This is really CRAZY nice feature!!!!!!!

See anything can learn 

Looking for tutorial

Hack found

@Aye Jayy

@faalshe

@S1MostHated

@Domon Mondo

Need some help. Not sure why consecutive two games hit this "System.InvalidOperationException: Sequence contains no matching element" message. 

1. Lamar-Idle Vlogger
2. Frozen City

Both use UnityFramework file and global-metadata.dat file as input to https://armconverter.com/il2cppdumper/

Below is the sample result for Lamar-Idle Vlogger

Task status for ID: 1a5f3f7f-cc14-43be-bbb5-02310e551ac3Edit and restart
Current status:  error-il2cppdumper-35

Starting il2cppdumper on 2023-01-19 13:27:25.709076

Initializing metadata...
Metadata Version: 29
Initializing il2cpp file...
Il2Cpp Version: 29
Searching...
System.InvalidOperationException: Sequence contains no matching element
  at System.Linq.Enumerable.First[TSource] (System.Collections.Generic.IEnumerable`1[T] source, System.Func`2[T,TResult] predicate) [0x00015] in <d22af090bceb4be792f53595cf074724>:0 
  at Il2CppDumper.Macho64.MapVATR (System.UInt64 addr) [0x0000d] in <db8182c1b351438a8097566295703173>:0 
  at Il2CppDumper.SectionHelper.FindMetadataRegistrationV21 () [0x00097] in <db8182c1b351438a8097566295703173>:0 
  at Il2CppDumper.SectionHelper.FindMetadataRegistration () [0x00035] in <db8182c1b351438a8097566295703173>:0 
  at Il2CppDumper.Macho64.PlusSearch (System.Int32 methodCount, System.Int32 typeDefinitionsCount, System.Int32 imageCount) [0x00011] in <db8182c1b351438a8097566295703173>:0 
  at Il2CppDumper.Program.Init (System.String il2cppPath, System.String metadataPath, Il2CppDumper.Metadata& metadata, Il2CppDumper.Il2Cpp& il2Cpp) [0x002f9] in <db8182c1b351438a8097566295703173>:0 
ERROR: An error occurred while processing.

Total time for il2cppdumper: 0:00:03.897344

========

Il2cppdumper did not produce any files. Probably something is wrong with the executable or metadata?

Is it I am missing some important skill or knowledge ?

Both game are under Hack Request, trying to see if I can find a solution. Unfortunately, blocked by this.

Not sure why, I can’t even sideload the decrypted version with Sideloadly. Game crash on opening.

Also, the metadata file looks like included quite some foul language. IL2CPP dumping failed as well.

Dont even know how to get started, sorry can’t help. 

Completely dead ended for live hook on non-jailbroken.

Tried 

1. Interceptor.replace instead of Interceptor.attach —FAILED on my IPad Pro 2nd Gen

2. Remove memory protection —FAILED on my IPad Pro 2nd Gen

For now, I will Iive with live patch first.
May be later see if H5GG would update embedded Frida version to latest. Then could give it a try.

Thanks

What type of string? You can’t do it with iGameGod or HG55?
 

Thx 

Although you said for newbies, I still don’t know how to use

11 hours ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

Mhhh so you mean H5GG hook is working some times if debugging is on ? 

Update:

1. It works every time on my iPad Pro (9.7) but not work on my iPad Pro 2nd Generation.

2. Both are on iPad OS 16.2

Completely no idea what happens. 
 

Luckily the live patching work across device. Just the Interceptor failed on one.

I guess it is the implementation of Interceptor causing problem. Because the statement simply hang and not returning, app’s console log show nothing. We just see the Interceptor call invoked, then nothing more in log and not progressing.

So, it is probably not invalid memory access stuff.

Looking for possible solutions.

6 hours ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

Mhhh so you mean H5GG hook is working some times if debugging is on ? 

I am not able to find out what causing the game hang yet. But I seem happened after I tried to clean up the script. It could also because I mess up the code.

Let me try a bit more today.

Test Result:

1. try {pid=h5gg.getProcList("UnityFramework")[0].pid;}catch(e){} - NOT WORK

2. let frontapp = h5frida.get_frontmost_application();

    frontapp.pid; - THIS WORK

But the hook seems not always work, sometime it cause game hang (not exit) on applying the hook.

Need some more study.

2 hours ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

I mean c++ hook like on Ted2 mod menu

Never use Ted2 mod menu. I don’t have a jailbroken device now. 
 

is it a simple deb that I can inject and try out? 

3 hours ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

Maybe after there is a way to find an automated step to make the app thinks it's in debugging mod ! 

It's good that "normal" hook with c++ work 

Am….are we talking the same hook? You seems have special expectation on that word “normal”.

My “normal” just mean, we don’t need to patch and re-Sideload the app. Just directly hook on to the app under debugging state.

2 hours ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

let procs = h5frida.enumerate_processes();
if(!procs || !procs.length) throw "frida无法获取进程列表\n\nfrida can't get process list";

let pid = -1; //pid=-1, 使用自身进程来调用OC/C/C++函数, 也可以附加到其他APP进程来调用
//Use its own process to call OC/C/C++ functions, or attach to other APP processes to call

try {pid=h5gg.getProcList("UnityFramework")[0].pid;}catch(e){}

let found = false;
for(let i=0;i<procs.length;i++) {
    if(procs[i].pid==pid) {
        //if(procs[i].name!='Gadget') throw "免越狱测试请卸载frida-server的deb然后重启当前APP\nFor non-jailbreak tests, please uninstall the frida-server deb and restart the current APP";
        found = true;
    }
}

if(!found) throw "frida无法找到目标进程\n\nfrida cannot find the target process";

//检查目标APP进程是否在前台运行, 如果在后台暂停了, frida附加调用会卡住
//Check whether the target APP process is running in the foreground, if it is suspended in the background, frida will be blocked
while(pid>0) {
    let frontapp = h5frida.get_frontmost_application();
    if(frontapp && frontapp.pid == pid) break;
    
    alert("请将目标APP切换至前台运行, 再点击确定继续...\n"
            + "Please switch the target APP to the foreground to run, and then click OK to continue...");
}

 

Im on my device atm, couldn't paste it as code, but here is a raw code i found on an H5GG project that takes the PID. Tho i haven't read anything related to frida interceptor method (regarding H5GG)

Cool, let me give them a try. 
If I remember correctly, h5frida.enumerate_processes() return process within Frida only. I only see Gadget in it previously.

Below one could work, frontmost app should be the game

• let frontapp = h5frida.get_frontmost_application();
• frontapp.pid

This one, I am not so sure. 

• h5gg.getProcList("UnityFramework")[0].pid

There is a version of h5gg works cross-process app, which is requires jailbroken. Hopefully, these commands does not need that version.

9 hours ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

@Happy Secret Have you tried to see if "normal" hook that is used for common cheats, work on jailed if debugging is on ?

I do not have XCode, otherwise i would test it by myself 

GOD!!! I seems make the normal hook working under debugging state! I can hook the Subway Surfers - Always can jump!

Not sure if there has any drawback/issue yet.

Will give another try later tonight!

If it really works, I will definitely make another Tutorial.

Anyway, current version is still quite handicapped. Need manually hard code process ID in script. But if hook is possible, I will find way to get process ID from system.