
TripMX
Senior Member, 169 posts

Everything posted by TripMX

  1. I see, I see. So here's the new situation. I have done these things:
     - Properly cracked Monkey City's binary
     - Thinned the binary
     - Removed ASLR
     Now, I have two cracked binaries:
     - Monkey City binary CRACKED (ASLR removed)
     - Monkey City binary CRACKED + THINNED (ASLR removed)
     My iOS device is an iPad Air 2 running iOS 8.3 [ARMv8 (64-bit)] ....so, what should I do next in IDA Pro? From my above posts, you can see that I've failed to get results. What specific offset/function should I seek to alter to actually get some results on my current iOS device, to prove that I'm at least capable of getting results? To make things simple, could you just tell me which function to find and which offset to target (the same one you used)? Also, it MUST be able to work on my current iOS device, so that's why I need to know whether I'm going to be hacking the thinned cracked binary or the original cracked binary for the sake of it working on my ARMv8 [64-bit] device.
  2. Hey UncoiledLobster, I've actually taken a lot of time and decided to fire up THEOS on my current iOS (8.3), and it happens to WORK! Now, I have done some testing.... In the past (around 3 years ago), I was able to hook some custom functions into an online-only game called Galaxy Empire. Here's the video that I made for it from 3 years ago; I had dubbed it a "bug", but it was me who actually used MS hooking on it: Normally, making that much metal so fast is impossible. I did this visual hack just for fun at the time. Now, as far as I know, method hooking and MS hacking seem like the same thing to me.......I used THEOS and wrote my own hooks to the functions/methods, and then generated the .dylib and put it in the MobileSubstrate folder; there you have it.
     ***I hacked this on my iPad 2 [iOS 5.1.1] (ARMv7) 3 years ago with the above video results***
     Anyways, over the years, many things have changed, and the old ARM architectures have been modified quite a bit, so when I tried to hack the updated Galaxy Empire yesterday on my iPad Air 2 [iOS 8.3] with THEOS, first off, when I dumped the headers (with both class-dump and class-dump-z, mind you), some of the crucial headers from 3 years ago have just.........disappeared (not found/dumped), so I couldn't replicate what I did 3 years ago with Galaxy Empire. All the headers are full of FB, Flurry, UMAN, MAT, and other ad-tracking content.....there USED to be headers with blatant hackable functions.
     HERE'S one of those headers from 3 years ago dumped via iOS 5.1.1:

     /*
      *     Generated by class-dump 3.1.2.
      *
      *     class-dump is Copyright (C) 1997-1998, 2000-2001, 2004-2007 by Steve Nygard.
      */

     #import "AAGameData.h"

     @class AASystem, NSArray, NSMutableArray, NSString;

     @interface AAPlanet : AAGameData
     {
         double next_refresh_time;
         double diameter;
         double metal;
         double metal_perhour;
         double metal_max;
         double crystal;
         double crystal_perhour;
         double crystal_max;
         double deuterium;
         double deuterium_perhour;
         double deuterium_max;
         double energy_used;
         double energy_max;
         double metal_energy;
         double crystal_energy;
         double deuterium_energy;
         double solar_plant_energy;
         double fusion_energy;
         double solar_satellite_energy;
         double radar_energy;
         double protected_time;
         unsigned long long planet_id;
         unsigned long long system_id;
         unsigned long long empire_id;
         unsigned long long user_id;
         unsigned long long alliance_id;
         unsigned long long field_max;
         unsigned long long field_max_end;
         unsigned long long field_current;
         unsigned long long user_score;
         int attackLimit;
         int planet_type;
         int planet_activity;
         int planet_icon;
         unsigned int temp_min;
         unsigned int temp_max;
         unsigned int planet_position;
         unsigned int system_position;
         unsigned int galaxy_position;
         unsigned int metal_mine_percent;
         unsigned int crystal_mine_percent;
         unsigned int deuterium_mine_percent;
         unsigned int solar_plant_percent;
         unsigned int fusion_reactor_percent;
         unsigned int solar_satelite_percent;
         unsigned int produce_percent;
         unsigned int pirate_level;
         unsigned int new_gift_id;
         unsigned int gift_id;
         unsigned int sensorArrayRange;
         NSString *debris_desc;
         NSString *planet_name;
         NSString *user_name;
         NSString *alliance_name;
         AASystem *_system;
         NSMutableArray *buildings;
         NSMutableArray *buildingEvents;
         NSMutableArray *fleets;
         NSMutableArray *fleetBuildingEvents;
         NSArray *radarFleets;
         NSMutableArray *moonArray;
         NSMutableArray *moonTransmitRechargeEvent;
         NSArray *kryptonArray;
         BOOL is_protected;
         BOOL is_underattack;
         BOOL destoried;
         BOOL has_debris;
         BOOL is_radar_able;
         BOOL is_radar_on;
         BOOL is_moon;
         double energy_left;
     }

     + (id)keyPathsForValuesAffectingValueForKey:(id)fp8;
     - (void)setKryptonArray:(id)fp8;
     - (id)kryptonArray;
     - (void)setField_max_end:(unsigned long long)fp8;
     - (unsigned long long)field_max_end;
     - (void)setSensorArrayRange:(unsigned int)fp8;
     - (unsigned int)sensorArrayRange;
     - (void)setMoonTransmitRechargeEvent:(id)fp8;
     - (id)moonTransmitRechargeEvent;
     - (void)setMoonArray:(id)fp8;
     - (id)moonArray;
     - (void)setIs_moon:(BOOL)fp8;
     - (BOOL)is_moon;
     - (void)setGift_id:(unsigned int)fp8;
     - (unsigned int)gift_id;
     - (void)setNext_refresh_time:(double)fp8;
     - (double)next_refresh_time;
     - (void)setPirate_level:(unsigned int)fp8;
     - (unsigned int)pirate_level;
     - (void)setRadar_energy:(double)fp8;
     - (double)radar_energy;
     - (void)setRadarFleets:(id)fp8;
     - (id)radarFleets;
     - (void)setIs_radar_on:(BOOL)fp8;
     - (BOOL)is_radar_on;
     - (void)setIs_radar_able:(BOOL)fp8;
     - (BOOL)is_radar_able;
     - (void)setPlanet_activity:(int)fp8;
     - (int)planet_activity;
     - (void)setIs_underattack:(BOOL)fp8;
     - (BOOL)is_underattack;
     - (void)setDebris_desc:(id)fp8;
     - (id)debris_desc;
     - (void)setUser_score:(unsigned long long)fp8;
     - (unsigned long long)user_score;
     - (void)setHas_debris:(BOOL)fp8;
     - (BOOL)has_debris;
     - (void)setSolar_satellite_energy:(double)fp8;
     - (double)solar_satellite_energy;
     - (void)setFusion_energy:(double)fp8;
     - (double)fusion_energy;
     - (void)setSolar_plant_energy:(double)fp8;
     - (double)solar_plant_energy;
     - (void)setDeuterium_energy:(double)fp8;
     - (double)deuterium_energy;
     - (void)setCrystal_energy:(double)fp8;
     - (double)crystal_energy;
     - (void)setMetal_energy:(double)fp8;
     - (double)metal_energy;
     - (void)setSystem:(id)fp8;
     - (id)system;
     - (void)setProduce_percent:(unsigned int)fp8;
     - (unsigned int)produce_percent;
     - (void)setSolar_satelite_percent:(unsigned int)fp8;
     - (unsigned int)solar_satelite_percent;
     - (void)setFusion_reactor_percent:(unsigned int)fp8;
     - (unsigned int)fusion_reactor_percent;
     - (void)setSolar_plant_percent:(unsigned int)fp8;
     - (unsigned int)solar_plant_percent;
     - (void)setDeuterium_mine_percent:(unsigned int)fp8;
     - (unsigned int)deuterium_mine_percent;
     - (void)setCrystal_mine_percent:(unsigned int)fp8;
     - (unsigned int)crystal_mine_percent;
     - (void)setMetal_mine_percent:(unsigned int)fp8;
     - (unsigned int)metal_mine_percent;
     - (void)setFleetBuildingEvents:(id)fp8;
     - (id)fleetBuildingEvents;
     - (void)setFleets:(id)fp8;
     - (id)fleets;
     - (void)setBuildingEvents:(id)fp8;
     - (id)buildingEvents;
     - (void)setBuildings:(id)fp8;
     - (id)buildings;
     - (void)setDestoried:(BOOL)fp8;
     - (BOOL)destoried;
     - (void)setEnergy_max:(double)fp8;
     - (double)energy_max;
     - (void)setEnergy_used:(double)fp8;
     - (double)energy_used;
     - (void)setDeuterium_max:(double)fp8;
     - (double)deuterium_max;
     - (void)setDeuterium_perhour:(double)fp8;
     - (double)deuterium_perhour;
     - (void)setDeuterium:(double)fp8;
     - (double)deuterium;
     - (void)setCrystal_max:(double)fp8;
     - (double)crystal_max;
     - (void)setCrystal_perhour:(double)fp8;
     - (double)crystal_perhour;
     - (void)setCrystal:(double)fp8;
     - (double)crystal;
     - (void)setMetal_max:(double)fp8;
     - (double)metal_max;
     - (void)setMetal_perhour:(double)fp8;
     - (double)metal_perhour;
     - (void)setMetal:(double)fp8;
     - (double)metal;
     - (void)setAlliance_name:(id)fp8;
     - (id)alliance_name;
     - (void)setUser_name:(id)fp8;
     - (id)user_name;
     - (void)setPlanet_name:(id)fp8;
     - (id)planet_name;
     - (void)setDiameter:(double)fp8;
     - (double)diameter;
     - (void)setField_current:(unsigned long long)fp8;
     - (unsigned long long)field_current;
     - (void)setField_max:(unsigned long long)fp8;
     - (unsigned long long)field_max;
     - (void)setGalaxy_position:(unsigned int)fp8;
     - (unsigned int)galaxy_position;
     - (void)setSystem_position:(unsigned int)fp8;
     - (unsigned int)system_position;
     - (void)setPlanet_position:(unsigned int)fp8;
     - (unsigned int)planet_position;
     - (void)setAlliance_id:(unsigned long long)fp8;
     - (unsigned long long)alliance_id;
     - (void)setUser_id:(unsigned long long)fp8;
     - (unsigned long long)user_id;
     - (void)setEmpire_id:(unsigned long long)fp8;
     - (unsigned long long)empire_id;
     - (void)setSystem_id:(unsigned long long)fp8;
     - (unsigned long long)system_id;
     - (unsigned long long)planet_id;
     - (void)setPlanet_type:(int)fp8;
     - (int)planet_type;
     - (void)setTemp_max:(unsigned int)fp8;
     - (unsigned int)temp_max;
     - (void)setTemp_min:(unsigned int)fp8;
     - (unsigned int)temp_min;
     - (void)setProtected_time:(double)fp8;
     - (double)protected_time;
     - (void)setIs_protected:(BOOL)fp8;
     - (BOOL)is_protected;
     - (void)setAttackLimit:(int)fp8;
     - (int)attackLimit;
     - (void)setPlanet_icon:(int)fp8;
     - (int)planet_icon;
     - (void)refreshResources:(id)fp8;
     - (unsigned int)deuterium_mine_discount;
     - (unsigned int)crystal_mine_discount;
     - (unsigned int)metal_mine_discount;
     - (double)energy_left;
     - (void)dealloc;
     - (void)setPlanet_id:(unsigned long long)fp8;
     - (void)updateFleetHangingCompletedWithDic:(id)fp8;
     - (void)updateBuildingUpdateWithDic:(id)fp8;
     - (void)updateResourcesWithDic:(id)fp8;
     - (void)updateWithDic:(id)fp8;
     - (id)initWithDic:(id)fp8;

     @end

     ^: So, as you can see, pretty much this entire header is hookable. Unfortunately, these headers no longer exist in the current version of the game, so I have nothing to show for a current hook for this game.
  3. Hey UncoiledLobster (delicacy?), I used to do MS hooking the old-fashioned way DIRECTLY on the iPad some years ago, but I gave it up after a THEOS update broke the whole system. I have an "updated" version running on my device, but I'm afraid that it might not work.....getting these things to work is a real b**** sometimes, but I'll try it out again for you. BTW, what iOS firmware are you using?
  4. Hahaha, when I saw the video, I almost choked on the beverage I was drinking! That is so INSAAAANE!!
  5. Asphalt 8: Airborne, baby!
  6. So in theory: ARM x32 LDR R1, R0 is NOT the same as ARM x64 LDR X1, X0 ....even if the identical offset happens to be within the identical function?
  7. Just wait for that popup to go away on its own; you at least owe the diligent hacker that.
  8. MOBIUS FINAL FANTASY (Japanese version)
     VERSION: v1.4.043
     iTunes URL: https://itunes.apple.com/jp/app/mobius-final-fantasy/id987942897?mt=8
     Requested Features:
     - 1-Hit KO
     - Instant Break
     - Enemy Skills Always Available
     - Enemies Don't Recover From Break States
     - Etc.
     NOTE: These are the same requested features that exist in the ENGLISH version of the hack made by Sterling Archer. I'm really hoping he could hack this version as well. I can provide the cracked .ipa if necessary.
     Jailbroken or Non-Jailbroken: Jailbroken
     Thank you very much for your time and consideration.
  9. Okay, after taking a look at some of the tutorials here, I've discovered that I could manually thin the binary so that I could simply get rid of the 64-bit ARM portion AND somehow attempt to remove ASLR, supposedly making it "easier" to find the correct functions/memory addresses....so I'll try that. When you hacked Monkey City, did you use GDB or purely use your eyes with IDA Pro?
  10. Hmm, when I read the Forum Rules before posting this, I didn't find anything on posting links referencing .ipa files. If it is a violation, then it should be removed; I just didn't find it in the Forum Rules or Posting Guidelines.
  11. Try this link and choose the version that suits your firmware: LINK HERE EDIT: Even if you DID have the latest version cracked, the SDK being used is likely incompatible with iOS 8 (as it is iOS 9). If the game is online-only, then you're screwed.
  12. Okay, thanks. I've tried to hack the 32-bit cracked binary, but still no success. Here's what I've done. I've hacked the following in the Monkey City code:
      SEARCHED FUNCTION: -[ADCV4VCCurrency addVideoCredit]
      ORIGINAL OFFSET and INSTRUCTION: __text:00617A3A ADDS R3, #1
      MODIFIED OFFSET and INSTRUCTION: __text:00617A3A ADDS R3, #0xC8
      ^: I had assumed that the original offset instructions meant that after you watch the video, you will receive 1 Bloonstone, which would be added to the R3 register, so I modified it to #0xC8 (200) instead of 1.....I thought this would give out 200 Bloonstones instead of 1 after watching the video. Didn't work.
      SEARCHED FUNCTION: -[ADCV4VCCurrency checkReward]
      ORIGINAL OFFSET and INSTRUCTION: __text:00617AA0 LDR R1, [R1] ; int_ video_credit_balance
      MODIFIED OFFSET and INSTRUCTION: __text:00617AA0 LDR R1, [R7]
      ^: I figured that I could change the amount of Bloonstones received from watching a video with this function since the previous modification didn't work. I thought I could load (LDR) the R7 (high amount) register into R1....but still nothing happened.
      Here's a list of searched functions that I've encountered that I *THINK* are hackable:
      Just to let you know, I'm not using GDB (are you?) and the iOS device that I'm using to test this hack is an iPad Air 2 (64-bit architecture, right?), so will hacking the 32-bit part of the binary work on my device as it is, or do I also have to hack the 64-bit part? Could you please lead me in the right direction so I could at least get something to work with hacking this game? Sorry for the trouble, and thank you for your help thus far!
  13. Hey Diversityy, thank you so much for taking the time to give me an IDA assignment! I've tried to hack the game (Monkey City) with IDA Pro, but I can't seem to find any registers (the "R0, R1" etc.-type); I only see the "X0, X1," etc.-type, and I don't think I could just store (STR) an "R7" value into them because it doesn't work like that in 64-bit. I searched for "currency" and found lots of functions. Can you give me a hint on what I should do? BTW, are you using GDB to find the offsets, or are you purely using IDA Pro to view, read through, and find the offsets/critical instructions in the functions manually?
  14. lanouar3G, thank you very much for updating your Star Wars: Galaxy of Heroes hack to v0.5.11! We really appreciate your time and effort!
  15. Update has already been released: https://iosgods.com/topic/33867-star-wars%E2%84%A2-galaxy-of-heroes-v0511-cheats-1/
  16. ***TripMX Great Music Expedition*** >>>14th PHASE REQUEST WEEK<<< Hello Explorers!! Today marks the beginning of the 14th PHASE REQUEST WEEK! NOTE: The Explorers Board has been updated and Discovery Code rewards have been given! -->Check out to see what's changed in the Explorers Board on the campaign page! WARNING: All 14th PHASE Discovery Code entries are now locked. -->Explorers that did not post a Discovery Code will have to wait until the next PHASE. ^: This is the Mysterious Treasure Map + Map Key for this PHASE! -->Explorers, with your current items, you may now make your requests and post them here. NOTICE: The treasure map scanner recharges during REQUEST WEEK. 14th PHASE REQUEST WEEK ends on 08/14/2016. Campaign Page HERE: TripMX Great Music Expedition ALTERNATIVE LINK HERE: TripMX Great Music Expedition Explorers, Happy Requesting!
  17. Hello fellow IDA hackers, Some weeks ago, I had posted a thread asking for help with IDA hacking, but the problem (although assumingly basic) still wasn't solved. THREAD HERE: https://iosgods.com/topic/32534-ida-attempt-trouble-with-ida-hacking/?view=findpost&p=1109430 So, I'm asking an IDA hacker to give me an easy assignment. Assign me an iOS app/game to hack. All I require is for you to personally hack the binary first to prove that the hack works before giving me the assignment, as I want to reproduce the same results. Thanks in advance!
  18. Hi lanouar3G, please update the hack if you can. Thank you! New version is 0.5.11.
  19. WARNING!!! ^: Chance to get VIP Pass or PHASE SONG has INCREASED! This week's PHASE SONG is called LEVEL 2. Date Created: 06/18/2012 Artist Comments: I originally made this song for a friend who was an aspiring rapper so that he could practice spitting lyrics, but he never got around to it, so that's how this song came to be. While making this song, I imagined walking down a dark alley...scary huh? 14th PHASE week ends on 08/07/2016. Good luck Explorers!! Campaign page HERE: http://www.tripmx.netii.net/gme/campaign.html ALTERNATIVE LINK HERE: http://www.tripmx.freecms.pro/campaign.html
  20. Hello everyone, I just released a new song remix! Have any of you watched the TV series "FRINGE"? Well, I've decided to remix the intro! This is actually a complete remix of the 1985 intro theme. ***NEW MUSIC RELEASE*** SONG: FRINGE Theme Song (Paranoid MX edit) || GENRE: 80s Retro REMIX ***HEADPHONES OR SURROUND SOUND SPEAKERS RECOMMENDED FOR BEST EXPERIENCE*** Thank you all for your time, and please enjoy!!
  21. Anyone out there able to help me with this?
  22. ***TripMX Great Music Expedition*** >>>13th PHASE REQUEST WEEK<<< Hello Explorers!! Today marks the beginning of the 13th PHASE REQUEST WEEK! NOTE: The Explorers Board has been updated and Discovery Code rewards have been given! -->Check out to see what's changed in the Explorers Board on the campaign page! WARNING: All 13th PHASE Discovery Code entries are now locked. -->Explorers that did not post a Discovery Code will have to wait until the next PHASE. ^: This is the Mysterious Treasure Map + Map Key for this PHASE! -->Explorers, with your current items, you may now make your requests and post them here. NOTICE: The treasure map scanner recharges during REQUEST WEEK. 13th PHASE REQUEST WEEK ends on 07/31/2016. Campaign Page HERE: TripMX Great Music Expedition ALTERNATIVE LINK HERE: TripMX Great Music Expedition Explorers, Happy Requesting!
  23. Hey lanouar3G, thank you very much for all of your hard work and making hack(s) for this game!! We all really appreciate your work! If I may ask, would it be possible for you to continue trying to hack more of the game, like maybe try to allow us to have No Cool Down and other hacked advantages, please? Thank you very much so far, and keep up the excellent work!!
  24. Anybody able to help me with this issue?
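An added example, written for this page and not code from TripMX or any other poster, tied to posts 1 and 12 above: a parser for the universal ("fat") Mach-O header that reports which architecture slice a byte patch falls in and which slice a device would load, so it shows why a patch in the armv7 slice has no effect on an arm64 iPad that loads the arm64 slice, and why "thinning" the arm64 slice out changes that. The constants are the public values from the Mach-O headers; the sample fat header is constructed, and the slice-selection rule is a simplified assumption about dyld's behaviour, not a reproduction of it.

```python
import struct
FAT_MAGIC = 0xCAFEBABE              # <mach-o/fat.h>; fat header fields are big-endian
CPU_ARCH_ABI64 = 0x01000000         # <mach/machine.h>
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = CPU_TYPE_ARM | CPU_ARCH_ABI64   # 0x0100000C

def parse_fat_slices(data):
    """Return [(cputype, cpusubtype, file_offset, size), ...] for every slice
    in a universal Mach-O header; raise ValueError if it is not a fat file."""
    if len(data) < 8:
        raise ValueError("too short for a fat header")
    magic, nfat_arch = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        raise ValueError("not a fat Mach-O (magic 0x%08X)" % magic)
    slices = []
    for i in range(nfat_arch):
        pos = 8 + 20 * i            # sizeof(struct fat_arch) == 20
        cputype, cpusubtype, offset, size, _align = struct.unpack(">IIIII", data[pos:pos + 20])
        slices.append((cputype, cpusubtype, offset, size))
    return slices

def slice_for_device(slices, device_cputype):
    """Simplified model (assumption) of dyld's choice: exact cputype match wins; a 64-bit
    device with no 64-bit slice falls back to 32-bit (iOS 8 still ran 32-bit apps)."""
    for s in slices:
        if s[0] == device_cputype:
            return s
    if device_cputype & CPU_ARCH_ABI64:
        for s in slices:
            if s[0] == device_cputype & ~CPU_ARCH_ABI64:
                return s
    return None

def slice_containing(slices, file_offset):
    """The slice a byte patch at this file offset lands in (None if outside all)."""
    for s in slices:
        if s[2] <= file_offset < s[2] + s[3]:
            return s
    return None

def patch_is_live(slices, file_offset, device_cputype):
    """True only if the patched byte sits in the slice the device actually loads."""
    target = slice_containing(slices, file_offset)
    return target is not None and target == slice_for_device(slices, device_cputype)

# Constructed sample header (not from any real app): armv7 slice (subtype 9)
# at file offset 0x4000, arm64 slice at 0x14000, both 2^14-aligned.
SAMPLE_FAT = (struct.pack(">II", FAT_MAGIC, 2)
              + struct.pack(">IIIII", CPU_TYPE_ARM, 9, 0x4000, 0x10000, 14)
              + struct.pack(">IIIII", CPU_TYPE_ARM64, 0, 0x14000, 0x12000, 14))
if __name__ == "__main__":
    fat = parse_fat_slices(SAMPLE_FAT)
    print("armv7-slice patch live on arm64 device:", patch_is_live(fat, 0x8000, CPU_TYPE_ARM64))
    thinned = [s for s in fat if s[0] == CPU_TYPE_ARM]   # arm64 slice removed ("thinned")
    print("same patch after thinning:", patch_is_live(thinned, 0x8000, CPU_TYPE_ARM64))
```

Note that the offsets IDA shows are virtual addresses inside one slice, not file offsets of the fat container, so the slice's file_offset has to be added before this check applies to a real binary.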