Happy Secret
Everything posted by Happy Secret
-
@Rook Please check your PM; I need help with my VIP renewal.
-
HTML + JS injection is fine. But UnityFramework needs to be patched once before ActiveCodePatch works, and this is never mentioned in their example scripts, not even on GitHub. But yes, I can understand there will always be a gap between what we can do jailbroken or not. H5GG has already made a huge step forward in closing the gap. It would be a plus if we could help improve the documentation a bit.
-
I have just tested it again and it finally worked. It really is: the first run is just to prepare the framework (insert the function). The real effect happens when we use the patched framework with the function call to enable/disable. You will probably want to include a hint/note in your tutorial about this. The error message is not sufficient; it can't explain what to expect. Anyway, it is not the type of in-memory hook/patch that I expected. It requires a repackage and redeployment for non-jailbroken devices. I hope there is a way to do a pure in-memory hook/patch (without modifying the binary). Does Frida allow us to do that? I used to test patches with Xcode (LLDB), but that requires a PC connection.
-
So it could be that my concept was wrong from the beginning. The first time the script runs, we in fact expect the alert to come and provide a patched version of the UnityFramework inside the static-inline-hook folder. The patched version of UnityFramework has a new function embedded inside. From the second time we call ActiveCodePatch or StaticInlineHookFunction onwards, it starts to take effect. The first run is just to prepare the framework (insert the function). The real effect happens when we use the patched framework with the function call to enable/disable. Let me test it out again later tonight. Thanks for the help.
-
Update on the hook: Not sure why I got a hook failure as well. Index frida script log:

Frameworks/UnityFramework.framework/UnityFramework:0x1b39598 HOOK failed! This address has not been patched; the patched file will be generated in the app's Documents/static-inline-hook directory. Please copy all files from that directory into the .app directory in the ipa, then re-sign and reinstall!

The issue for me is: the h5frida internal function find_hook_block always returns NULL, reporting "cannot parse hook info!" in NSLog. This internal function is used by both ActiveCodePatch and StaticInlineHookFunction. I don't know how to debug further.
-
Quick test result:

1. I also got the UnityFramework patched by h5frida and stored inside the static-inline-hook folder.
2. With a detailed look into it, the hex code of the patched instruction doesn't look right to me.

Original at 0x1B39598 is FD7BBFA9FD030091:
- stp x29, x30, [sp, #-0x10]!
- mov x29, sp

After patch at 0x1B39598 is CF2A9914FD030091:
- b #0x264ab4c
- mov x29, sp

What we are expecting at 0x1B39598 is 200080D2C0035FD6, right?
- mov x0, #1
- ret

Tested in game, "always Can Jump" is not working. Same as my try in another game these few days. I am using iPadOS 16.2 (non-jailbroken) with an iPad Pro 2nd Gen.
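The hex dumps in the post above can be checked mechanically rather than by eye. The following is an added example, not code from the poster or from H5GG/h5frida: it encodes and decodes only the AArch64 instructions that appear in those dumps (STP pre-index, the ADD-immediate form of `mov x29, sp`, MOVZ, RET and the unconditional B), so it reproduces the original prologue bytes, the expected `mov x0, #1; ret` bytes, and decodes the observed patch as a forward branch out of the function, which matches the poster's reading that the first instruction was redirected into a function inserted elsewhere in the binary. The `ida_to_runtime` helper at the end is the ASLR arithmetic discussed in the lldb posts further down; every address passed to it in the test is an assumed value, not one from the page.

```python
"""Added example: encode/decode the AArch64 instructions seen in the h5frida
patch discussion. Not code from the original posts or from H5GG/h5frida;
only the handful of encodings that appear in the hex dumps are handled."""
import struct

SP = 31  # in these encodings, register number 31 means SP


def movz_x(rd, imm16):
    """MOVZ Xd, #imm16 (64-bit, LSL #0); 'mov x0, #1' is movz x0, #1."""
    return 0xD2800000 | ((imm16 & 0xFFFF) << 5) | rd


def ret():
    """RET (branch to the address in x30)."""
    return 0xD65F03C0


def add_imm_x(rd, rn, imm12):
    """ADD Xd, Xn|SP, #imm12; 'mov x29, sp' is encoded as add x29, sp, #0."""
    return 0x91000000 | ((imm12 & 0xFFF) << 10) | (rn << 5) | rd


def stp_pre_x(rt, rt2, rn, imm):
    """STP Xt, Xt2, [Xn|SP, #imm]!; imm is a multiple of 8 in [-512, 504]."""
    imm7 = (imm // 8) & 0x7F
    return 0xA9800000 | (imm7 << 15) | (rt2 << 10) | (rn << 5) | rt


def b_rel(offset):
    """B <label>; offset is PC-relative, a multiple of 4, within +/-128 MiB."""
    return 0x14000000 | ((offset // 4) & 0x3FFFFFF)


def to_hex(words):
    """Little-endian byte image of 32-bit words, as a hex editor shows it."""
    return b"".join(struct.pack("<I", w) for w in words).hex().upper()


def from_hex(hexstr):
    """Inverse of to_hex: hex dump -> list of 32-bit instruction words."""
    data = bytes.fromhex(hexstr)
    return list(struct.unpack("<%dI" % (len(data) // 4), data))


def decode(word):
    """Mnemonic for the encodings handled here; anything else stays a .word."""
    if word == 0xD65F03C0:
        return "ret"
    if (word >> 26) == 0x05:                      # B: 000101 imm26
        imm26 = word & 0x3FFFFFF
        if imm26 & 0x2000000:                     # sign-extend 26 bits
            imm26 -= 1 << 26
        return "b #%#x" % (imm26 * 4)
    if (word & 0xFFE00000) == 0xD2800000:        # MOVZ Xd, #imm16, LSL #0
        return "mov x%d, #%#x" % (word & 0x1F, (word >> 5) & 0xFFFF)
    if (word & 0xFFC00000) == 0x91000000:        # ADD Xd, Xn|SP, #imm12
        rd, rn, imm = word & 0x1F, (word >> 5) & 0x1F, (word >> 10) & 0xFFF
        if rn == SP and imm == 0:
            return "mov x%d, sp" % rd
        return "add x%d, x%d, #%#x" % (rd, rn, imm)
    if (word & 0xFFC00000) == 0xA9800000:        # STP Xt, Xt2, [Xn|SP, #imm]!
        rt, rn, rt2 = word & 0x1F, (word >> 5) & 0x1F, (word >> 10) & 0x1F
        imm7 = (word >> 15) & 0x7F
        if imm7 & 0x40:                           # sign-extend 7 bits
            imm7 -= 0x80
        base = "sp" if rn == SP else "x%d" % rn
        return "stp x%d, x%d, [%s, #%#x]!" % (rt, rt2, base, imm7 * 8)
    return ".word %#010x" % word


def disassemble(hexstr):
    return [decode(w) for w in from_hex(hexstr)]


def original_prologue():
    """Bytes of the untouched entry: stp x29, x30, [sp, #-0x10]! ; mov x29, sp."""
    return to_hex([stp_pre_x(29, 30, SP, -0x10), add_imm_x(29, SP, 0)])


def return_true_patch():
    """Bytes of a 'return 1' patch: mov x0, #1 ; ret."""
    return to_hex([movz_x(0, 1), ret()])


def ida_to_runtime(ida_addr, ida_base, lldb_base):
    """Address to use in lldb: swap IDA's load base for the base printed by
    'image list UnityFramework'. All three inputs are assumed values."""
    return lldb_base + (ida_addr - ida_base)


if __name__ == "__main__":
    for label, dump in [("original", "FD7BBFA9FD030091"),
                        ("after h5frida patch", "CF2A9914FD030091"),
                        ("expected return-1 patch", return_true_patch())]:
        print("%-24s %s  ->  %s" % (label, dump, "; ".join(disassemble(dump))))
```

Run it as a script to print all three dumps side by side. The decoder only recognises the five encodings above; a byte sequence from any other instruction is reported as `.word`, which is the safe default when the point is to confirm that a patch wrote exactly the bytes you intended.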
-
Help/Support Porting Hack from one version to newer version of the game
Happy Secret replied to Happy Secret 's topic in Help & Support
I see, I see... thanks!
-
Learning to hack more. Thanks.
-
Thanks for sharing.
-
@Rook Thanks. Are there any tutorials on theos tweaks for non-jailbroken devices? I thought theos tweaks were for jailbroken devices only. Sorry for my ignorance.
-
Keep learning to hack.
-
Learning how it works, thanks.
-
Tutorial [Tutorial] Simple way to alter/change a function's argument values
Happy Secret replied to BenGorr's topic in Tutorials
Very nicely explained with the "this" argument tutorial. Thanks, I understand the logic behind it a lot more now.
-
Trying to learn more. Thanks.
-
I want to learn H5GG as mentioned above as well.
-
Help/Support How to find a unity framework offset with lldb on IDA ?
Happy Secret replied to DeMoN3X's topic in Help & Support
Are you referring to the base address of UnityFramework for the ASLR subtraction? See if the following helps: (lldb) image list UnityFramework
-
Help/Support IDA PRO + LLDB “JumpAsk” Failed
Happy Secret replied to 0xWeiss's topic in Help & Support
Oh... I missed one important message. This actually solves my problem. I should use the base address of UnityFramework as the ASLR slide to remove (not the base address of the game process binary). In my case, when removing ASLR, I need to include the leading "10" in the address as well.