I am working on a custom speed tweak for a Unity based game.
I'm on a jailed iPhone with iGG Jailed and Custom Offset Patcher injected. I also have Frida Gadget injected.
I have identified the correct Il2cpp instance function - which is a float value. The default value is 1.00. I want to increase it to 3.00 by changing the return value.
The get_Speed function:
[Address(RVA = "0x2FF3D4C", Offset = "0x2FF3D4C", VA = "0x2FF3D4C")]
LDR S0, [X0,#0x10]
RET
The set_Speed function:
[Address(RVA = "0x2FF3D54", Offset = "0x2FF3D54", VA = "0x2FF3D54")]
STR S0, [X0,#0x10]
RET
Using Frida I have verified that the set_Speed function is called at the time that I expect it, so I think the best way to do it would be to override the input value (set by a server call with some horrid protobuf thing).
I have tried putting the offset as 2FF3D54 and the patch as 00F0271EC0035FD6 (which is just max float value and a return - FMOV S0, #31.00000000 RET). It doesn't work.
I then wondered if I needed the exact offset, so I also used Frida to find the base address of UnityFramework and add 0x2FF3D54 to it. That didn't work either.
No matter what I try, the speed does not change. I have also tried the same technique with the get_Speed function, where I just return 3f. It doesn't work.
HOWEVER.
If I use Frida to call the function with my own custom value (3f) then it works immediately (I do Il2cpp.gc.choose... to find the instance, then call the set_Speed method).
Where am I going wrong?
I've also tried this on an iPhone 6S with Dopamine jailbreak, get-task-allow, and with JIT enabled. Nothing changes.