Happy Secret

4 hours ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

Nice, that's pretty cool

I never tried debug a game with xCode.

Nice tut, gonna link it on my tut  

Thanks for the support. 
 

if you are on Mac, Xcode is a pretty good option. Free and suppprt signing and Sideload with your our own Apple developer certificate.

57 minutes ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

yeah but where do you find the static-inline folder on Documents app (iOS) ? 

Yeah itunes can do it if im right, but well this tut is for newbies that don't know how to share files 

Don't need the Documents app (iOS).

Use the Apple's iOS Files app (default install). It can access the static-inline-hook folder if we Sideload with "Enable File Sharing" on.  

UPDATE: You can achieve this with JIT from Sideloadly/Altstore/etc now

First and foremost this trick is not for everyone.

It is mostly for those casual hacker who will do some dynamic hacking with debugger, while won’t spend a lot of time in front of PC.

Casual, in a sense that he/she does not have a jailbroken device.

He/she would like to do some causal hacking with in travel or away from PC.

This Trick allow you to test your hack with H5GG in real-time.
YES, no need to repackage and re-sideload.

Requirements:

h5gg.require(7.8);

var modules = h5gg.getRangesList("UnityFramework"); //module file name

var base = modules[0].start; //module base addr in runtime memory

var addr = Number(base) + 0x1B39598; //offset

patchBytes(addr,  "200080D2C0035FD6"); //bytes

/********************************************************/
//Usually only jailbroken devices can do this, but we have a trick
function patchBytes(addr, hex) {
    for(i = 0;i<hex.length/2;i++) {
        var item = parseInt(hex.substring(i*2, i*2+2), 16);
        h5gg.setValue(addr+i,item, "U8");
    }
}
/********************************************************/

16 minutes ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

Yeah but transfer the patched UnityFramework to the PC ?

The patched one in static-inline-hook folder, AirDrop it to Mac, repackage the ipa and Sideload again.

Just want to say, for Mac user, you do not necessarily need 3u Tools (or alike).

Of course, 3u Tools is a great tool to have.

1 hour ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

On part 2, i will probably make a tut with a mod menu, but for the first part i just wanted to people know how to patch and hook. 

And also, afaik Documents app doesn't let you access app content in /Documents of Subway Surfer (in the case of the tutorial) even if the app has File Sharing enable. (at least on a fully jailed phone)

I will edit the topic once i have time to add Discord link and official Github

If you are on Mac, you can actually AirDrop the framework file to Mac. This is my default option

25 minutes ago, namcyeon said:

@Happy Secret You can try second method with hook, but it's not working with me.

It works for me, even with the ActiveCodePatch patched UnityFramework binary. Probably it just need an artificial anchor point on the same address.

I tested the get_CanJump hack only.

5 minutes ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

Yep, but here are the basics, after that you can make an HTML Mod Menu and create a dylib that contains your HTML + JS. then you can inject it on an iPA and you wont need to inject the script or anything.

 

HTML + JS injection is fine. But UnityFramework need to patch once before ActiveCodePatch works, this is never mentioned in their example scripts. Not even in GitHub. 
 

But yes, I can understand there will always be a gap between what we can do with jailbroken or not. H5GG already made a huge step forward to close the gap. It will be a plus, if we can help improve documentation a bit.

5 hours ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

yep you are right ! 

welcome !

I have just test it again and finally worked.

it is really 

• First run is just to prepare the Framework (insert function). The real effect happens when we use the patched framework with the function call to enable/disable.

You will probably want to include a hint/note to your tutorial about this.

The error message is not sufficient. It can’t explain what to expect.

Anyway, it is not the type of in memory hook/patch that I expect. It requires a repackage and redeployment for non-jailbroken.

Hope there is a way to do pure in memory hook / patch (without modifying the binary).

Did Frida allow us to do that? I used to test patches with Xcode (LLDB), but it requires a PC connection.

40 minutes ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

edit :

oh you mean the UnityFramework patched ? well i didn't looked at the data at the offset 0x1B...98, but it's seems normal to me that's it's not 2000...FD6, otherwise it will always be enable. i think that it creates another function on the UnityFramework (at another place) and at 0x1B...98, it calls it.

so if there is no script running, we shouldn't be able to jump always, but when we load our script, it probably jump to our created function in the UnityFramework, and so it return 2000..FD6 at our function (maybe at 0x264ab4c) and if we unload the script, the original bytes in the memory will load again making "normal jumps"

 

(this is my personal analysis, it may not be 100% right but this is how i visual it) 

video : https://streamable.com/5g6nvz

So, it could be my concept is wrong from beginning.
First time the script run, we, in fact, expect the alert come and provide a patched version of the UnityFramework inside the static-inline-hook folder.

The patched version of UnityFramework has embedded a new function inside. 
 

From we call the ActiveCodePatch or StaticInlineHookFunction the second time onwards, it starts to take effect.

First run is just to prepare the Framework (insert function). The real effect happens when we use the patched framework with the function call to enable/disable.

Let me test it our again later tonight.

Thanks for the help.

Update on the hook:

Not sure why I got hook fail as well.

Index
frida(脚本日志）script log:
Frameworks/UnitFramework.frame-work/UnitvFramework:0x1b39598-
HOOK失敗！
Frameworks/UnityFramework.frame-work/UnityFramework:0x1b39598-HOOK-Failed!
未签名该地址，修补文件将生成在APP的
Documents/static-inline-hook目录中，请将该目录中所有文件替换到 ipa中的.app目录并重新签名安装！
The offset has not been patched, the patched file will be generated in the Documents/static-inline-hook directory of the APP, please replace all the files in this directory to the app directory in the ipa and re-sign and reinstall!

Issue for me is: The h5frida internal function find_hook_block always return NULL, and reporting “cannot parse hook info!” In NSLog.

This internal function is being use for ActiveCodePatch and StaticInlineHookFunction.

I don’t know how to debug further.

Quick test result:

1. I also got the the UnityFramework patched by h5frida and stored inside static-inline-hook folder

2. With a detail look into it, the hex code of the instruction (patched) doesn't look right to me.

Orignal at 0x1B39598 is FD7BBFA9FD030091

- stp x29, x30, [sp, #-0x10]!
- mov x29, sp

After patch at 0x1B39598 is CF2A9914FD030091

- b #0x264ab4c
- mov x29, sp

What we are expecting at 0x1B39598 is 200080D2C0035FD6, Right??

- mov x0, #1
- ret 

Tested in game, always Can Jump is not working. Same as my try in another game these few days. 

I am using iPadOS 16.2 (non-jailbreak) with iPad Pro 2nd Gen.  

This is brilliant. Let me follow exactly what you done here.

Not sure why my try with another game was not successful. The patched instruction is not the instruction I want. Odd.

let me follow yours and see how it works.

thanks again in creating this. 

Reported an issue in H5GG GitHub with more detail and screenshot, NSLog, etc

https://github.com/H5GG/H5GG/issues/35

Not sure why I got "The bytes to patch have changed, please revert to original file and try again" error when execute the ActiveCodePatch function. 

I did tried with an unmodified UnityFramework file. Still failed. 

Any idea why? @tuancc

icic...thanks !

Hi,

Are there are any smart way to port my own hack from one version of the game to newer version? (binary hack)

Currently, I am doing Hex string string manually everything. It takes quite sometime. 

I feel like there must be smarter way. 

Learning to hack more.thanks

Thanks for sharing…

I am a bit confused for the last part.

Quote

To make it work, you need to hook the get_SpeedModifier and not the SET, even if you use the SET. 

How to hook the get to take effect to set? Your code seems not including this part?

also, I am not sure why you want to set with default value again at last?

It will not override our earlier 5x set?

Thx, but I don’t use Telegram.

I am on their discord.

On 9/1/2022 at 4:15 PM, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

after you can calc the base adress :

 

//get bin or framework

var framework = h5gg.getRangesList("UnityFramework");

//calculate base adresse + offset to prepare patch

var adr = Number(framework[0].start) + 0xOffset;

//patch offset

f***base(adr,"C0035FD6");

 

i think there are better examples in the link

Hello, the link document is gone. Can help upload one back? Thanks in advance

Thx for sharing

On 1/9/2023 at 11:37 PM, Rook said:

You can still use theos to create your tweak then inject it with Sideloadly.

@Rook Thanks, are there any tutorial on theos tweak for non-jailbreak device?

I thought theos tweak is for jailbroken only. Sorry for my ignorance 

Keeping leaning hack

Learning how it works, thx

Very nicely explained with the “this” argument tutorial. Thx, I understand a lot more the logic behind now.