
Happy Secret

Contributor, 536 posts

Everything posted by Happy Secret

  1. Don't need the Documents app (iOS). Use Apple's iOS Files app (installed by default). It can access the static-inline-hook folder if we sideload with "Enable File Sharing" on.
  2. UPDATE: You can achieve this with JIT from Sideloadly/AltStore/etc. now. First and foremost, this trick is not for everyone. It is mostly for those casual hackers who will do some dynamic hacking with a debugger but won't spend a lot of time in front of a PC. Casual, in the sense that he/she does not have a jailbroken device and would like to do some casual hacking while travelling or away from the PC. This trick allows you to test your hack with H5GG in real time. YES, no need to repackage and re-sideload.
     Requirements:
     - Xcode
     - Subway Surfers
     Credits: @tuancc for the H5GG tool, @ꞋꞌꞋꞌꞋꞌꞋꞌ for the H5GG tutorial.
  3. The patched one in the static-inline-hook folder: AirDrop it to the Mac, repackage the ipa and sideload again. Just want to say, for Mac users, you do not necessarily need 3u Tools (or alike). Of course, 3u Tools is a great tool to have.
  4. If you are on a Mac, you can actually AirDrop the framework file to the Mac. This is my default option.
  5. @Rook Please check PM, need help on my VIP renewal.
     1. Rook: Hang in there! Will check PMs in a few!

  6. It works for me, even with the ActiveCodePatch-patched UnityFramework binary. Probably it just needs an artificial anchor point at the same address. I tested the get_CanJump hack only.
  7. HTML + JS injection is fine. But UnityFramework needs to be patched once before ActiveCodePatch works; this is never mentioned in their example scripts, not even on GitHub. But yes, I can understand there will always be a gap between what we can do jailbroken or not. H5GG has already made a huge step forward to close the gap. It will be a plus if we can help improve the documentation a bit.
  8. I have just tested it again and it finally worked. It really is: the first run is just to prepare the framework (insert the function). The real effect happens when we use the patched framework with the function call to enable/disable. You will probably want to include a hint/note in your tutorial about this. The error message is not sufficient; it can't explain what to expect. Anyway, it is not the type of in-memory hook/patch that I expected. It requires a repackage and redeployment for non-jailbroken. Hope there is a way to do a pure in-memory hook/patch (without modifying the binary). Does Frida allow us to do that? I used to test patches with Xcode (LLDB), but it requires a PC connection.
  9. So, it could be my concept was wrong from the beginning. The first time the script runs, we in fact expect the alert to come and provide a patched version of the UnityFramework inside the static-inline-hook folder. The patched version of UnityFramework has a new function embedded inside. From when we call ActiveCodePatch or StaticInlineHookFunction the second time onwards, it starts to take effect. The first run is just to prepare the framework (insert the function). The real effect happens when we use the patched framework with the function call to enable/disable. Let me test it out again later tonight. Thanks for the help.
  10. Update on the hook: Not sure why I got hook fail as well.
      Index frida script log:
      Frameworks/UnityFramework.framework/UnityFramework:0x1b39598 - HOOK Failed! The address has not been patched; the patched file will be generated in the app's Documents/static-inline-hook directory. Please replace all files in that directory into the .app directory in the ipa, then re-sign and reinstall!
      Issue for me is: the h5frida internal function find_hook_block always returns NULL, and reports "cannot parse hook info!" in NSLog. This internal function is used for both ActiveCodePatch and StaticInlineHookFunction. I don't know how to debug further.
  11. Quick test result:
      1. I also got the UnityFramework patched by h5frida and stored inside the static-inline-hook folder.
      2. With a detailed look into it, the hex code of the (patched) instruction doesn't look right to me.
      Original at 0x1B39598 is FD7BBFA9FD030091:
      - stp x29, x30, [sp, #-0x10]!
      - mov x29, sp
      After patch at 0x1B39598 is CF2A9914FD030091:
      - b #0x264ab4c
      - mov x29, sp
      What we are expecting at 0x1B39598 is 200080D2C0035FD6, right??
      - mov x0, #1
      - ret
      Tested in game, "always Can Jump" is not working. Same as my try in another game these few days. I am using iPadOS 16.2 (non-jailbreak) with iPad Pro 2nd Gen.
  12. This is brilliant. Let me follow exactly what you did here. Not sure why my try with another game was not successful; the patched instruction is not the instruction I want. Odd. Let me follow yours and see how it works. Thanks again for creating this.
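The dumps quoted in post 11 are little-endian 32-bit AArch64 words, so checking them means decoding each word rather than trusting a disassembler's listing. What follows is an added example, not code from the post, from H5GG or from h5frida: a small Python encoder/decoder covering only the five instructions involved (stp pre-index, add-immediate, movz, ret, b), plus helpers for the hex-dump form used in the post. The offset 0x1B39598 and the three byte strings are taken from the post; everything else is the example's own. Run on the three dumps it confirms that the original is the function prologue, the expected bytes are `mov x0, #1; ret`, and the patched word is an unconditional `b` whose encoded offset is +0x264AB3C relative to the instruction, i.e. a jump to code elsewhere in the binary rather than an in-place return-1 stub (the post's `b #0x264ab4c` is that offset plus 0x10, presumably the base address its disassembler assumed).

```python
# Added example (not from the post, H5GG or h5frida): a minimal AArch64
# encoder/decoder for the instructions in the quoted dumps, so the patch
# bytes can be checked by hand.
import struct


def reg(n, base=False):
    # Register 31 is sp in base/stack-pointer fields and xzr elsewhere.
    return ("sp" if base else "xzr") if n == 31 else f"x{n}"


# --- encoders -----------------------------------------------------------
def enc_movz_x(rd, imm16, shift=0):
    """movz xRd, #imm16, lsl #shift (shift in 0, 16, 32, 48)."""
    assert 0 <= imm16 <= 0xFFFF and shift in (0, 16, 32, 48)
    return 0xD2800000 | ((shift // 16) << 21) | (imm16 << 5) | rd


def enc_ret(rn=30):
    return 0xD65F0000 | (rn << 5)


def enc_add_imm_x(rd, rn, imm12):
    """add xRd, xRn, #imm12; 'mov x29, sp' is the alias for 'add x29, sp, #0'."""
    return 0x91000000 | (imm12 << 10) | (rn << 5) | rd


def enc_stp_pre_x(rt, rt2, rn, imm):
    """stp xRt, xRt2, [xRn, #imm]! with imm a multiple of 8 in [-512, 504]."""
    assert imm % 8 == 0 and -512 <= imm <= 504
    return 0xA9800000 | (((imm // 8) & 0x7F) << 15) | (rt2 << 10) | (rn << 5) | rt


def enc_b(offset):
    """b <offset>, PC-relative to this instruction, multiple of 4."""
    assert offset % 4 == 0
    return 0x14000000 | ((offset // 4) & 0x3FFFFFF)


# --- decoder (same five instructions; anything else is reported unknown) --
def decode(w):
    if w & 0xFC000000 == 0x14000000:
        imm26 = w & 0x3FFFFFF
        off = (imm26 - (1 << 26) if imm26 & (1 << 25) else imm26) * 4
        return f"b #{off:+#x}"
    if w & 0xFF800000 == 0xD2800000:
        rd, imm16, hw = w & 31, (w >> 5) & 0xFFFF, (w >> 21) & 3
        return (f"mov {reg(rd)}, #{imm16:#x}" if hw == 0
                else f"movz {reg(rd)}, #{imm16:#x}, lsl #{hw * 16}")
    if w & 0xFFFFFC1F == 0xD65F0000:
        return "ret"
    if w & 0xFFC00000 == 0x91000000:
        rd, rn, imm12 = w & 31, (w >> 5) & 31, (w >> 10) & 0xFFF
        if imm12 == 0 and 31 in (rd, rn):
            return f"mov {reg(rd, True)}, {reg(rn, True)}"
        return f"add {reg(rd, True)}, {reg(rn, True)}, #{imm12:#x}"
    if w & 0xFFC00000 == 0xA9800000:
        rt, rt2, rn = w & 31, (w >> 10) & 31, (w >> 5) & 31
        imm7 = (w >> 15) & 0x7F
        off = (imm7 - 128 if imm7 & 0x40 else imm7) * 8
        return f"stp {reg(rt)}, {reg(rt2)}, [{reg(rn, True)}, #{off:#x}]!"
    return f"unknown {w:#010x}"


# --- helpers for the hex-dump form used in the post ----------------------
def words_from_hex(hexstr):
    """'FD7BBFA9FD030091' -> [0xA9BF7BFD, 0x910003FD] (little-endian words)."""
    data = bytes.fromhex(hexstr)
    return list(struct.unpack(f"<{len(data) // 4}I", data))


def hex_from_words(words):
    return struct.pack(f"<{len(words)}I", *words).hex().upper()


def disassemble_hex(hexstr):
    return [decode(w) for w in words_from_hex(hexstr)]


def branch_target(addr, w):
    """Absolute target of a 'b' located at addr (None if w is not a b)."""
    if w & 0xFC000000 != 0x14000000:
        return None
    imm26 = w & 0x3FFFFFF
    return addr + (imm26 - (1 << 26) if imm26 & (1 << 25) else imm26) * 4


# Dumps quoted in the post, at UnityFramework offset 0x1B39598.
ADDR = 0x1B39598
ORIGINAL = "FD7BBFA9FD030091"
PATCHED = "CF2A9914FD030091"
EXPECTED = "200080D2C0035FD6"

if __name__ == "__main__":
    for name, dump in (("original", ORIGINAL), ("patched", PATCHED), ("expected", EXPECTED)):
        print(f"{name:9} {dump}: {'; '.join(disassemble_hex(dump))}")
    print(f"patched 'b' lands at {branch_target(ADDR, words_from_hex(PATCHED)[0]):#x}")
    print("expected bytes regenerated:", hex_from_words([enc_movz_x(0, 1), enc_ret()]))
```

The decoder only recognises the encodings it was written for; a patch that lands on anything else prints as `unknown` and should be looked at in a full disassembler before drawing conclusions.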
  13. Reported an issue in H5GG GitHub with more detail and screenshot, NSLog, etc https://github.com/H5GG/H5GG/issues/35
  14. Not sure why I got the "The bytes to patch have changed, please revert to original file and try again" error when executing the ActiveCodePatch function. I did try with an unmodified UnityFramework file. Still failed. Any idea why? @tuancc
  15. Hi, is there any smart way to port my own hack from one version of the game to a newer version (binary hack)? Currently, I am doing the hex-string work manually for everything. It takes quite some time. I feel like there must be a smarter way.
  16. Learning to hack more. Thanks.
  17. Thanks for sharing… I am a bit confused about the last part. How does hooking the get take effect on the set? Your code seems not to include this part? Also, I am not sure why you want to set the default value again at the end? Will it not override our earlier 5x set?
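One answer to the question in post 15, as an added example that is not from the post, from H5GG or from any tool named on this page: instead of carrying a fixed file offset from one build to the next, lift a byte signature around the patch site, mark the bytes that legitimately change between builds (page offsets in `adrp`, immediates) with `??` wildcards, search the new build for it, and refuse to patch unless the signature matches exactly once and the bytes at the match are the ones you expect. The two "builds" below, their function bodies and the offsets 0x100 and 0x2C0 are constructed stand-ins; only the prologue bytes and the `mov x0, #1; ret` patch bytes come from the thread. Function names such as `port_patch` are the example's own. Real use would read the UnityFramework Mach-O and translate file offsets to virtual addresses per segment, which this example does not do.

```python
# Added example (not from the post or H5GG): re-locate a patch site in a
# newer build by wildcarded byte-signature search instead of a fixed offset.
# OLD_BUILD / NEW_BUILD are constructed stand-ins for two versions of a binary.
import re

PROLOGUE = bytes.fromhex("FD7BBFA9FD030091")   # stp x29,x30,[sp,#-0x10]!; mov x29,sp
PATCH = bytes.fromhex("200080D2C0035FD6")      # mov x0,#1; ret


def signature_to_regex(sig):
    """'FD 7B ?? A9' -> compiled bytes regex; '??' matches any single byte."""
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok)) for tok in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def find_all(blob, sig):
    return [m.start() for m in signature_to_regex(sig).finditer(blob)]


def find_unique(blob, sig):
    """Refuse to guess: a signature is usable only if it matches exactly once."""
    hits = find_all(blob, sig)
    if len(hits) != 1:
        raise ValueError(f"signature matched {len(hits)} times; need exactly 1")
    return hits[0]


def make_signature(blob, offset, length, wildcard_at=()):
    """Lift a signature from the old build: bytes at offset, '??' where told."""
    return " ".join("??" if i in wildcard_at else f"{b:02X}"
                    for i, b in enumerate(blob[offset:offset + length]))


def patch_at(blob, offset, new_bytes, expected=None):
    """Write new_bytes at offset, refusing if the bytes there are not `expected`."""
    if expected is not None and blob[offset:offset + len(expected)] != expected:
        raise ValueError("bytes to patch have changed")
    return blob[:offset] + new_bytes + blob[offset + len(new_bytes):]


def port_patch(old, old_offset, new, sig_len=16, wildcard_at=()):
    """Find where the code at old_offset moved to in `new`; return (offset, patched)."""
    sig = make_signature(old, old_offset, sig_len, wildcard_at)
    new_offset = find_unique(new, sig)
    return new_offset, patch_at(new, new_offset, PATCH, expected=PROLOGUE)


# --- constructed test data (hypothetical, not real game binaries) ----------
def _build(size, prologue_only_at, body, body_at):
    blob = bytearray(size)
    for off in prologue_only_at:          # other functions sharing the prologue
        blob[off:off + len(PROLOGUE)] = PROLOGUE
    blob[body_at:body_at + len(body)] = body
    return bytes(blob)


# Target function: prologue, then an adrp whose page bits shift between builds
# (body bytes 9 and 10 are the ones to wildcard), then a fixed instruction.
OLD_BODY = PROLOGUE + bytes.fromhex("A11200B0") + bytes.fromhex("E0031F2A")
NEW_BODY = PROLOGUE + bytes.fromhex("A13400B0") + bytes.fromhex("E0031F2A")
OLD_BUILD = _build(0x400, (0x40, 0x200, 0x300), OLD_BODY, 0x100)
NEW_BUILD = _build(0x400, (0x40, 0x180, 0x380), NEW_BODY, 0x2C0)
OLD_OFFSET = 0x100

if __name__ == "__main__":
    print("prologue-only signature hits in new build:",
          [hex(o) for o in find_all(NEW_BUILD, make_signature(OLD_BUILD, OLD_OFFSET, 8))])
    print("exact 16-byte signature hits in new build:",
          find_all(NEW_BUILD, make_signature(OLD_BUILD, OLD_OFFSET, 16)))
    off, _ = port_patch(OLD_BUILD, OLD_OFFSET, NEW_BUILD, wildcard_at=(9, 10))
    print(f"patch site moved from {OLD_OFFSET:#x} to {off:#x}")
```

The three searches in the usage block show why both halves matter: a signature that is only the shared prologue hits every function, an exact 16-byte copy of the old bytes hits nothing in the new build because the `adrp` changed, and the wildcarded one hits once. Pick signature bytes from instructions that are stable across builds (opcodes, register fields, small immediates) and wildcard the rest.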
  18. Thx, but I don’t use Telegram. I am on their discord.
  19. Hello, the link document is gone. Can help upload one back? Thanks in advance
  20. Thx for sharing
  21. @Rook Thanks. Are there any tutorials on theos tweaks for non-jailbroken devices? I thought theos tweaks were for jailbroken only. Sorry for my ignorance.
  22. Keep learning to hack.
  23. Learning how it works, thx.
  24. Very nicely explained with the "this" argument tutorial. Thx, I understand the logic behind it a lot more now.