Sterling0x1

f for respect

I've been playing around with android in the past few days, and worked out a way to be able to make mods on my device without using a computer. For iOS moddders it's not something new, but on android it can be a little more tricky and complex, but not impossible, so I'm sharing it with you guys. This tutorial is not for beginners, be familiar with Linux system, you need to have basic modding skills, understanding how memory hacking, debuggers (LLDB in my case) and ARM64 work. First I had to create a modding environment on my device, the following tools were essential: - Rooted device - Kali NetHunter installed with CHROOT (this is essential I will go into details later, modded kernel not necessary) - GameGuardian - LLDB (installed in kali system) - MT FIle Manager - Arm to Hex Converter - apktool (optional, in case you don't have MT, install it via kali system) - Hex Editor (optional in case you don't have MT) - Something to sign the APK with (optional, MT does that too) Kali NetHunter: Kali is well known in hacking community. Pentesters favourite platform. Nethunter is Kali's mobile version for several network analysis and hacking, but in my case the most important part is, it creates a fully working Linux Subsystem on the device with terminal. Most CLI tools I would use on a Linux system work on android this way. The Linux Subsystem is running on the top of the Android system, it has full access to android filesystem and processes. Don't need a modified kernel, CHROOT all that's needed for the Linux Subsystem. GameGuardian: Lets call it GG from now on, it is the best existing memory hack tool for android. Need no further explanation. (Shout out to @NoFearGG, helped me big time figuring out some GG features) LLDB: My favourite debugger. I've tried to run it from Termux, it wouldn't attach to process, but Kali's LLDB worked just fine. Install it via apt from Kali terminal. MT File Manager: The most powerful tool for android modders. It contains Hex editor, Dex Editor (yes browse and rewrite small code without decompiling the apk, it works like a charm), Sign APK, and much more. Some features require VIP subscription, however there is v2.5 cracked on XDA developers (Current version is 2.9). I strongly recommend using this, but there are ways around it. The rest is quite obvious, no need further explanation. So modding environment is ready, lets hack. I downloaded a simple game (Tiny Towers) for demonstration. I start the game, run GG. Open Nethunter terminal in Kali mode. Run LLDB. attach the game (GG displays the game's PID). After I attached LLDB to the process I had to pass some signals to the process without lldb stopping every time. This is very important as it causes the game crash most of the times as there are way too many signal stops (e.g. SIGPWR) . I could achieve this by using the "process handle" command. See what SIGXXX you're getting and pass them all to the process, (lldb) pro hand -p true -s false SIGPWR NAME PASS STOP NOTIFY ========== ===== ===== ====== SIGPWR true false true When done I just continued the process. With GG I found the value I wanted to hack. I set a watchpoint on that memory address and when the value changed I got a hit. This is basic debugging, you know what to do here, not going into more details. Now this part is very important and again I have NoFear to thank for this. When i had a watchpoint hit, i got a memory address, but i needed to figure out the actual offset in lib.so. To do this I copy the watch hit address to GG. Hit goto in options (top right corner), paste the address then save it. Hit goto option again and hit the "XA" button under the address line. Here either find the relevant lib.so or in my case it didn't display it, so had to find that memory range where my watchpoint hit was. Save it, go to saved tab, select both address, and from options select "Calculate Offset, XOR" then select offset. the result will be the actual offset in lib.so. If its not clear I'm sure if you ask NoFear nicely, he will post a video. I loaded the lib.so in MT's HEX editor, made my hex patches and tested the apk. Worked fine. I opened classes.dex in the apk with MT's hex editor (MT automatically decompiles and recompiles the dex on the go), added my toast message, saved it, MT recompiled dex and signed the apk automatically so I was good to go. Thats pretty much it, if you have modding experience this won't be too hard, for newbies it will take some studying. Here is the mod I made, nothing fancy, just a simple game: Credits: @Sterling0x1 @NoFearGG @Antiklor (sorting out my armhexconverter script)

Mod APK Game Name: Tiny Tower Rooted Device: Not Required. Google Play Store Link: https://play.google.com/store/apps/details?id=com.nimblebit.tinytower&hl=en_GB Hack Features: Demo app for on device hacking. - Unlimited Premium Currency (get some) iOS Jailbreak & Non-Jailbroken Hack(s): https://iosgods.com/forum/5-game-cheats-hack-requests/ For more fun, check out the Club(s): https://iosgods.com/clubs/ Android Mod APK Download Link: Signed, only works on ARM64 devices. [Hidden Content] Installation Instructions: STEP 1: Download the Modded APK file above using your favorite browser or a download manager of your choice. STEP 2: Copy the file over to your Android device via USB or wirelessly. Skip this step if you're using your Android device to download the mod. STEP 3: Browse to the location where the hacked APK is stored using a file manager of your choice. STEP 4: Tap on the .APK mod file then tap 'Install' and the installation should begin. STEP 5A: If the mod contains an OBB file, extract it if it's archived and copy the folder to /Android/obb. STEP 5B: If the mod contains a DATA file/folder, extract it if it's archived and copy the folder to /Android/data. STEP 6: Once the installation is complete, everything should be ready. Enjoy! NOTE: If you have any questions or problems, read our Frequently Asked Questions topic. If you still haven't found a solution, post your issue down below and we'll do our best to help! If the hack does work for you, post your feedback below and help out other fellow members that are encountering issues. Credits: - Sterling0x1 Cheat Video/Screenshots: N/A

Thanks I give it a go

Ios12? 😵 nice

it works fine in wine

I see. I thought it would use the vpn as original Lazarus did, that’s why it seemed a bit fishy.

this is the binary from lazarusjailed https://mega.nz/#!rl4WSQ4Q!tF6Hn9sVXMvr-pTapcaMB2t_C8GTwiKulmCjNnR9I3Q this is the binary from original lazarusproject I built just now https://mega.nz/#!es4CjaLQ!vHDKzN2keRUfBZLeR4jptKPu7sjnTjHll_ZYNi6wFC8 I reversed both, voucher_swap binary contains literally nothing that would reference to any vpn activity, apart from a few strings that says: __cstring:000000010000CF8A 00000010 C Revokes Blocked __cstring:000000010000CF9A 00000014 C [+] Revokes Blocked __cstring:000000010000CFAE 0000000E C Block Revokes __cstring:000000010000D1F0 00000011 C Blocking Revokes __cstring:000000010000D267 00000015 C Disabled app revokes __objc_methname:000000010000E819 0000000F C disableRevokes

so I went to reverse this app and found this so far. voucher_swap bundled into the IPA but nothing else. as I browse strings I found this, __cstring:000000010000D0E3 0000004B C /Users/josephshenton/Desktop/LazarusJailed/voucher_swap/voucher_swap/log.c which lead to this 🤔

how come he never updated source code to 1.1.2 on GitHub 🤔? Also I don't understand how kernel exploit would be relevant to certificate revokes (maybe I miss something). someone please explain

How is this different from this? https://github.com/useignition/Lazarus

ignore this, I had 1 extra byte in it thats why 😛

I wonder if anyone experienced anything like this 0.0 if I change the binary to hacked binary impactor crashes and wouldn't install the app. otherwise it installs it fine.

I did on 6.8. Haven’t really played around with 7.0’s debugger on 64bit, that’s why I was wondering if anyone did.