Sterling0x1

f for respect

I've been playing around with android in the past few days, and worked out a way to be able to make mods on my device without using a computer. For iOS moddders it's not something new, but on android it can be a little more tricky and complex, but not impossible, so I'm sharing it with you guys. This tutorial is not for beginners, be familiar with Linux system, you need to have basic modding skills, understanding how memory hacking, debuggers (LLDB in my case) and ARM64 work. First I had to create a modding environment on my device, the following tools were essential: - Rooted device - Kali NetHunter installed with CHROOT (this is essential I will go into details later, modded kernel not necessary) - GameGuardian - LLDB (installed in kali system) - MT FIle Manager - Arm to Hex Converter - apktool (optional, in case you don't have MT, install it via kali system) - Hex Editor (optional in case you don't have MT) - Something to sign the APK with (optional, MT does that too) Kali NetHunter: Kali is well known in hacking community. Pentesters favourite platform. Nethunter is Kali's mobile version for several network analysis and hacking, but in my case the most important part is, it creates a fully working Linux Subsystem on the device with terminal. Most CLI tools I would use on a Linux system work on android this way. The Linux Subsystem is running on the top of the Android system, it has full access to android filesystem and processes. Don't need a modified kernel, CHROOT all that's needed for the Linux Subsystem. GameGuardian: Lets call it GG from now on, it is the best existing memory hack tool for android. Need no further explanation. (Shout out to @NoFearGG, helped me big time figuring out some GG features) LLDB: My favourite debugger. I've tried to run it from Termux, it wouldn't attach to process, but Kali's LLDB worked just fine. Install it via apt from Kali terminal. MT File Manager: The most powerful tool for android modders. It contains Hex editor, Dex Editor (yes browse and rewrite small code without decompiling the apk, it works like a charm), Sign APK, and much more. Some features require VIP subscription, however there is v2.5 cracked on XDA developers (Current version is 2.9). I strongly recommend using this, but there are ways around it. The rest is quite obvious, no need further explanation. So modding environment is ready, lets hack. I downloaded a simple game (Tiny Towers) for demonstration. I start the game, run GG. Open Nethunter terminal in Kali mode. Run LLDB. attach the game (GG displays the game's PID). After I attached LLDB to the process I had to pass some signals to the process without lldb stopping every time. This is very important as it causes the game crash most of the times as there are way too many signal stops (e.g. SIGPWR) . I could achieve this by using the "process handle" command. See what SIGXXX you're getting and pass them all to the process, (lldb) pro hand -p true -s false SIGPWR NAME PASS STOP NOTIFY ========== ===== ===== ====== SIGPWR true false true When done I just continued the process. With GG I found the value I wanted to hack. I set a watchpoint on that memory address and when the value changed I got a hit. This is basic debugging, you know what to do here, not going into more details. Now this part is very important and again I have NoFear to thank for this. When i had a watchpoint hit, i got a memory address, but i needed to figure out the actual offset in lib.so. To do this I copy the watch hit address to GG. Hit goto in options (top right corner), paste the address then save it. Hit goto option again and hit the "XA" button under the address line. Here either find the relevant lib.so or in my case it didn't display it, so had to find that memory range where my watchpoint hit was. Save it, go to saved tab, select both address, and from options select "Calculate Offset, XOR" then select offset. the result will be the actual offset in lib.so. If its not clear I'm sure if you ask NoFear nicely, he will post a video. I loaded the lib.so in MT's HEX editor, made my hex patches and tested the apk. Worked fine. I opened classes.dex in the apk with MT's hex editor (MT automatically decompiles and recompiles the dex on the go), added my toast message, saved it, MT recompiled dex and signed the apk automatically so I was good to go. Thats pretty much it, if you have modding experience this won't be too hard, for newbies it will take some studying. Here is the mod I made, nothing fancy, just a simple game: Credits: @Sterling0x1 @NoFearGG @Antiklor (sorting out my armhexconverter script)

Mod APK Game Name: Tiny Tower Rooted Device: Not Required. Google Play Store Link: https://play.google.com/store/apps/details?id=com.nimblebit.tinytower&hl=en_GB Hack Features: Demo app for on device hacking. - Unlimited Premium Currency (get some) iOS Jailbreak & Non-Jailbroken Hack(s): https://iosgods.com/forum/5-game-cheats-hack-requests/ For more fun, check out the Club(s): https://iosgods.com/clubs/ Android Mod APK Download Link: Signed, only works on ARM64 devices. [Hidden Content] Installation Instructions: STEP 1: Download the Modded APK file above using your favorite browser or a download manager of your choice. STEP 2: Copy the file over to your Android device via USB or wirelessly. Skip this step if you're using your Android device to download the mod. STEP 3: Browse to the location where the hacked APK is stored using a file manager of your choice. STEP 4: Tap on the .APK mod file then tap 'Install' and the installation should begin. STEP 5A: If the mod contains an OBB file, extract it if it's archived and copy the folder to /Android/obb. STEP 5B: If the mod contains a DATA file/folder, extract it if it's archived and copy the folder to /Android/data. STEP 6: Once the installation is complete, everything should be ready. Enjoy! NOTE: If you have any questions or problems, read our Frequently Asked Questions topic. If you still haven't found a solution, post your issue down below and we'll do our best to help! If the hack does work for you, post your feedback below and help out other fellow members that are encountering issues. Credits: - Sterling0x1 Cheat Video/Screenshots: N/A

Thanks I give it a go

Ios12? 😵 nice

I see. I thought it would use the vpn as original Lazarus did, that’s why it seemed a bit fishy.

this is the binary from lazarusjailed https://mega.nz/#!rl4WSQ4Q!tF6Hn9sVXMvr-pTapcaMB2t_C8GTwiKulmCjNnR9I3Q this is the binary from original lazarusproject I built just now https://mega.nz/#!es4CjaLQ!vHDKzN2keRUfBZLeR4jptKPu7sjnTjHll_ZYNi6wFC8 I reversed both, voucher_swap binary contains literally nothing that would reference to any vpn activity, apart from a few strings that says: __cstring:000000010000CF8A 00000010 C Revokes Blocked __cstring:000000010000CF9A 00000014 C [+] Revokes Blocked __cstring:000000010000CFAE 0000000E C Block Revokes __cstring:000000010000D1F0 00000011 C Blocking Revokes __cstring:000000010000D267 00000015 C Disabled app revokes __objc_methname:000000010000E819 0000000F C disableRevokes

so I went to reverse this app and found this so far. voucher_swap bundled into the IPA but nothing else. as I browse strings I found this, __cstring:000000010000D0E3 0000004B C /Users/josephshenton/Desktop/LazarusJailed/voucher_swap/voucher_swap/log.c which lead to this 🤔

how come he never updated source code to 1.1.2 on GitHub 🤔? Also I don't understand how kernel exploit would be relevant to certificate revokes (maybe I miss something). someone please explain

How is this different from this? https://github.com/useignition/Lazarus

Really? Noice. What method did you use? I only knew of one working method as everything was linked

You could add 1hit kill aswell. Look up my offset dump, if need help I show you how it was done. Interesting hack

Yeah I looked at your code on github. I didn’t realise you can play around with variables like this. Pretty clever piece of code I was well surprised to see it.

yea he did lmao #pro

I actually had some thoughts on dominations just now. The thing is, in this game, the server only checks inventory and currencies once. When you start the game. Also there is a way to unlock unlimited currency again in shooting range. Kinda noob dev tbh. That function which done the checking had direct branches to the getters, which made it extremely simple hardcoding the new values into the function simply overwriting the getter branches with mov w0, #1 In dominations I doubt they done such poor work

It does have god mode feature aswell ? i kinda cut “oninjurerpc” function in “half” which resulted in never dying haha this game was well fun to hack i couldn’t say much about dominations, I’ve never actually looked at it, as you guys already pwned the hell out of it :))))))

No probs

I see it’s standoff 2 that is. I’d expect the dev to fix all these hacks in the new game as I suppose it’s not just an update but an entire new game. I might dl it and take a look actually, I wonder what’s new

The whole point of these offset dumps, is that other modders can see and learn different hacking techniques if interested enough. (like Laxus do) I might have updated offsets too somewhere, as far as I remember I did update this game in here unless they pushed new update since. I was clearly away for good ? I could provide the binary for the old version if anyone interested in updating this to latest version.

Datatodtomapper did the server side check for currencies and inventory items. If you look at my hack you see how it works. I forced 1 on the server side check, so when you started the game the server got 1 currency sent from client that is why currencies and stuff reset to 1 on game start every time, that way we didn’t trigger ban then we just unlocked unlimited money in shooting range and done. You’re asking good questions, don’t be shy to ask if something not clear

Hell yeah it sniffs well, but do not support inject Good member in my sniff folder ahah

Lately quite few people asked about branching, so I figured I make a little write up about it. It is not as advanced as it seems, if you understand the code flow and how branches manipulate that. Think about it this way. Branches will break the code flow and execute whatever is at the address where it points to. Similar to water, as it runs in rivers, or turns to a different direction, maybe a new path opens up... Code flow is similar, but we can use conditions ? Take a good look at this image. So what we see in there kinda explains what branches are and what they mean. I normally ignore conditional branches as "CBZ, CBNZ, TBZ, TBNZ" as I can get the same effect with a simple unconditional branch "B" to the right loc or a NOP. You can play with them, as you change them around, you'd get the opposite effect "CBZ to CBNZ" and so on. I'd stick with "B and BL" for now and some examples behind the logic. B - unconditional branching Branch hex value somehow looks like this: 05 00 00 14 05 00 00 - This is the distance between the start offset and target offset. 14 - branch's opcode. 1 - unconditional b 4 - branching to a forward address in binary So basically we branching 5 instructions (or call it 5 lines) forward (underneath if you look at it in ida). If it looked like this: 05 00 00 17 7 - branching to a backwards address in the binary. Some examples (note that this is most useful in binaries with symbols): That word hack game I hacked the other day. Developer left debug functions in the game so I hooked up existing menu buttons with those functions with simple unconditional branching. you find the debug function: BuyGem 100289D20 then find a button to hook it too. I normally search for "click, press" or if it has social media buttons you can search those. InboxButtonClicked 100074DF8 From here on its pretty straight forward. Load up armconverter.com go to branch tab and add the offsets: Current offset: 100074DF8 // inbox button Instruction to write: B #0x100074DF8 // unconditionally branches to BuyGem you get a hex value. Set that to first line of inbox button. Other example. look at this image so we have two options. premium and premium plus. If we want to force premium, we can use branch but if you take a look the offsets, you see we'd have to branch 1 line under so we can just simply NOP the instruction. if we want to get premium + we'd have to branch to that loc address instead. This way we can manipulate the code to flow the way we want it to without conditionals. BL - Branch with link This one works slightly differently. It takes the code flow to another function, executes that and flow returns to the original one and carries on. 80 F6 4B 94 80 F6 4B - distance between the two address 94 - Branch with Link's opcode 9 - Branch with link 4 - branching forward same as "B" if it was 97 it would branch backwards. Example: You find a game with cool down. BL StartCooldown Then you see this function: ResetCooldown Change it to BL ResetCooldown What happens in game? When it should execute the function that starts the cool down, it will reset it instead.