Happy Secret

Contributor, 532 posts

Everything posted by Happy Secret


  1. @Rook Please check PM, need help on my VIP renewal

    1. Rook: Hang in there! Will check PMs in a few!

  2. It works for me, even with the ActiveCodePatch-patched UnityFramework binary. Probably it just needs an artificial anchor point on the same address. I tested the get_CanJump hack only.
  3. HTML + JS injection is fine. But UnityFramework needs to be patched once before ActiveCodePatch works; this is never mentioned in their example scripts. Not even on GitHub. But yes, I can understand there will always be a gap between what we can do jailbroken or not. H5GG already made a huge step forward to close the gap. It will be a plus if we can help improve the documentation a bit.
  4. I have just tested it again and it finally worked. It really is this: the first run is just to prepare the Framework (insert function). The real effect happens when we use the patched framework with the function call to enable/disable. You will probably want to include a hint/note in your tutorial about this. The error message is not sufficient; it can’t explain what to expect. Anyway, it is not the type of in-memory hook/patch that I expected. It requires a repackage and redeployment for non-jailbroken. Hope there is a way to do a pure in-memory hook/patch (without modifying the binary). Does Frida allow us to do that? I used to test patches with Xcode (LLDB), but it requires a PC connection.
  5. So, it could be my concept was wrong from the beginning. The first time the script runs, we in fact expect the alert to come and provide a patched version of the UnityFramework inside the static-inline-hook folder. The patched version of UnityFramework has a new function embedded inside. From when we call ActiveCodePatch or StaticInlineHookFunction the second time onwards, it starts to take effect. The first run is just to prepare the Framework (insert function). The real effect happens when we use the patched framework with the function call to enable/disable. Let me test it out again later tonight. Thanks for the help.
  6. Update on the hook: Not sure why I got hook fail as well. Index frida(脚本日志)script log: Frameworks/UnitFramework.frame-work/UnitvFramework:0x1b39598- HOOK失敗! Frameworks/UnityFramework.frame-work/UnityFramework:0x1b39598-HOOK-Failed! 未签名该地址,修补文件将生成在APP的 Documents/static-inline-hook目录中,请将该目录中所有文件替换到 ipa中的.app目录并重新签名安装! The offset has not been patched, the patched file will be generated in the Documents/static-inline-hook directory of the APP, please replace all the files in this directory to the app directory in the ipa and re-sign and reinstall! The issue for me is: the h5frida internal function find_hook_block always returns NULL, reporting “cannot parse hook info!” in NSLog. This internal function is used for both ActiveCodePatch and StaticInlineHookFunction. I don’t know how to debug further.
  7. Quick test result:
     1. I also got the UnityFramework patched by h5frida and stored inside the static-inline-hook folder.
     2. With a detailed look into it, the hex code of the (patched) instruction doesn't look right to me.
     Original at 0x1B39598 is FD7BBFA9FD030091:
     - stp x29, x30, [sp, #-0x10]!
     - mov x29, sp
     After patch at 0x1B39598 is CF2A9914FD030091:
     - b #0x264ab4c
     - mov x29, sp
     What we are expecting at 0x1B39598 is 200080D2C0035FD6, right??
     - mov x0, #1
     - ret
     Tested in game: "always Can Jump" is not working. Same as my try in another game these few days. I am using iPadOS 16.2 (non-jailbreak) with iPad Pro 2nd Gen.
  8. This is brilliant. Let me follow exactly what you did here. Not sure why my try with another game was not successful. The patched instruction is not the instruction I want. Odd. Let me follow yours and see how it works. Thanks again for creating this.
  9. Reported an issue in H5GG GitHub with more detail and screenshot, NSLog, etc https://github.com/H5GG/H5GG/issues/35
  10. Not sure why I got the "The bytes to patch have changed, please revert to original file and try again" error when executing the ActiveCodePatch function. I did try with an unmodified UnityFramework file. Still failed. Any idea why? @tuancc
  11. Hi, is there any smart way to port my own hack from one version of the game to a newer version? (binary hack) Currently, I am doing hex string matching manually for everything. It takes quite some time. I feel like there must be a smarter way.
  12. Thanks for sharing… I am a bit confused by the last part. How to hook the get to take effect on set? Your code seems not to include this part? Also, I am not sure why you want to set the default value again at the end? Will it not override our earlier 5x set?
  13. Hello, the linked document is gone. Can you help upload one back? Thanks in advance.
  14. @Rook Thanks, is there any tutorial on theos tweaks for non-jailbroken devices? I thought theos tweaks were for jailbroken only. Sorry for my ignorance.
  15. Very nicely explained with the “this” argument tutorial. Thx, I understand a lot more the logic behind now.
  16. I want to learn H5GG like above mentioned as well
  17. Are you referring to the base address of UnityFramework for ASLR subtraction? See if the below helps: (lldb) image list UnityFramework
  18. Oh... I missed one important message... This actually solves my problem. I should use the base address of UnityFramework as the ASLR to remove (not the base address of the game process binary). In my case, when removing ASLR, I need to include the leading "10" in the address as well.
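Added example for posts 7 and 10 above (my own code, not from this thread and not from H5GG or h5frida): a tiny AArch64 decoder/encoder covering just the instruction forms quoted in post 7, so the hex words can be checked against what they are supposed to mean, plus the "bytes to patch have changed" pre-check that post 10's error message describes, applied to a constructed in-memory buffer. The buffer, the offset 0x20 and the helper names are assumptions for the demonstration.

```python
import struct

def _reg(n: int) -> str:
    # Register 31 is SP in the addressing and ADD-immediate forms used here.
    return "sp" if n == 31 else f"x{n}"

def decode(word: int) -> str:
    """Decode one 32-bit AArch64 word for the handful of forms seen in the thread."""
    if (word & 0xFFC00000) == 0xA9800000:            # STP Xt, Xt2, [Xn, #imm]! (pre-index)
        imm7 = (word >> 15) & 0x7F
        if imm7 & 0x40:                               # sign-extend 7-bit field
            imm7 -= 0x80
        rt, rn, rt2 = word & 0x1F, (word >> 5) & 0x1F, (word >> 10) & 0x1F
        return f"stp x{rt}, x{rt2}, [{_reg(rn)}, #{imm7 * 8:#x}]!"
    if (word & 0xFF800000) == 0x91000000:            # ADD Xd, Xn, #imm12 (64-bit, no shift)
        imm12 = (word >> 10) & 0xFFF
        rn, rd = (word >> 5) & 0x1F, word & 0x1F
        if imm12 == 0 and (rn == 31 or rd == 31):     # the assembler alias MOV Xd, SP
            return f"mov {_reg(rd)}, {_reg(rn)}"
        return f"add {_reg(rd)}, {_reg(rn)}, #{imm12:#x}"
    if (word & 0xFF800000) == 0xD2800000:            # MOVZ Xd, #imm16, LSL #(16*hw)
        hw, imm16, rd = (word >> 21) & 3, (word >> 5) & 0xFFFF, word & 0x1F
        return f"mov x{rd}, #{imm16 << (16 * hw):#x}"
    if (word & 0xFC000000) == 0x14000000:            # B imm26 (PC-relative, *4)
        imm26 = word & 0x3FFFFFF
        if imm26 & 0x2000000:
            imm26 -= 0x4000000
        return f"b #{imm26 * 4:#x}"
    if (word & 0xFFFFFC1F) == 0xD65F0000:            # RET Xn (x30 by default)
        return "ret"
    return f".word {word:#010x}"

def disasm_hex(hexstr: str, addr: int = 0) -> list:
    """Split a little-endian hex dump (as pasted in the forum) into decoded words."""
    data = bytes.fromhex(hexstr)
    out = []
    for i in range(0, len(data) - len(data) % 4, 4):
        (w,) = struct.unpack_from("<I", data, i)
        out.append((addr + i, decode(w)))
    return out

def encode_movz(rd: int, imm16: int, hw: int = 0) -> int:
    """MOVZ Xd, #imm16 (64-bit): 0xD2800000 | hw<<21 | imm16<<5 | rd."""
    return 0xD2800000 | (hw << 21) | (imm16 << 5) | rd

def encode_ret(rn: int = 30) -> int:
    """RET Xn: 0xD65F0000 | rn<<5."""
    return 0xD65F0000 | (rn << 5)

def check_patch_site(image: bytes, offset: int, expected_original: bytes) -> bool:
    """The pre-check behind 'bytes to patch have changed': only patch a site
    whose current bytes still equal the bytes the patch was written against."""
    return bytes(image[offset:offset + len(expected_original)]) == expected_original

def apply_patch(image: bytes, offset: int, expected_original: bytes, new_words: list) -> bytes:
    """Return a patched copy, refusing to touch a site that no longer matches."""
    if not check_patch_site(image, offset, expected_original):
        raise ValueError("The bytes to patch have changed; revert to the original file")
    patched = bytearray(image)
    patched[offset:offset + 4 * len(new_words)] = b"".join(struct.pack("<I", w) for w in new_words)
    return bytes(patched)

# Constructed sample buffer (not a real binary): the post 7 prologue placed at offset 0x20.
SITE = 0x20
ORIGINAL = bytes.fromhex("FD7BBFA9FD030091")
SAMPLE_IMAGE = bytes(SITE) + ORIGINAL + bytes(0x40 - SITE - len(ORIGINAL))

def demo() -> tuple:
    first = apply_patch(SAMPLE_IMAGE, SITE, ORIGINAL, [encode_movz(0, 1), encode_ret()])
    ok_after_first = check_patch_site(first, SITE, ORIGINAL)   # False: site already rewritten
    return [d for _, d in disasm_hex(first[SITE:SITE + 8].hex())], ok_after_first

if __name__ == "__main__":
    for hexdump in ("FD7BBFA9FD030091", "CF2A9914FD030091", "200080D2C0035FD6"):
        print(hexdump, disasm_hex(hexdump, 0x1B39598))
    print(demo())
```

Running a second `apply_patch` against the already-patched buffer raises the ValueError, which is the same condition the tool reports in post 10: the check compares the bytes now present with the bytes the patch expects, so a file that has already been rewritten (or a different build of the binary) fails it even when the offset is right.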