marc726
Member
Posts: 35

Profile Information
iDevice: iPhone X
iOS Version: 14.3
Jailbroken: Yes
Rooted: No
-
I will! I don't think I'm at a level where this is possible for me at the moment. I'll have to come back to this at another time when I'm more experienced.
-
Mod Menu Hack Random Dice : Defense v7.7.6 +5 Cheats
marc726 replied to Zahir 's topic in ViP Cheats
Hi @Zahir, could this be updated for 7.8.1? Thank you!
-
ty
-
ty
-
I've sat here looking at the screen trying to look at call trees for every function trying to find a solution. All I know is that the LIAPP function is not called by anything that the disassembler has found. fb_is_jailbroken shows as the only function in Frida that is triggered. Tried to trace the function but nada. I feel like DNSpy is giving a hint it involves public class TitleScene, however everything is obfuscated. I do not have enough experience to be trying my hand at this unfortunately.
-
Mod Menu Hack Random Dice : Defense By 111% v7.9.3 - JB bypass
marc726 replied to Saitama's topic in ViP Cheats
Hi @Saitama, would you mind updating for 7.8.0? Thank you. I've tried for over a week to understand. Made progress, but every time I think I get the address for LIAPP it still gives me an error. 😪
-
Random Dice Defense
-
This is the message I get. I search for instances of "JP1" "Appguard" "shut down" "security policy" but no results except irrelevant results for the last two.
-
marc726 started following LIAPP Jailbreak Detection Bypass
-
I'm so sorry I didn't see your reply! I tried to change address 006add08 to:

    mov x30,#0x0
    ret

since the compiler showed no arguments for the ret function at 006add0c, I assume it returns the register at x30, as described here: https://developer.arm.com/documentation/dui0802/a/A64-General-Instructions/RET I am still met with the LIAPP screen after about 15 seconds. I agree with the CheatDetection class and I'm going to eliminate any chance DNSpy can show me the answer. Also, the game is Random Dice Defense.
-
Yeah, NOP RET on all functions in that class still gets LIAPP called on me. I'm honestly stumped. I'm guessing the check lies in the UnityFramework file somewhere. Frida points to fb_is_jailbroken:

    C:\Users\%%%%\AppData\Local\Programs\Python\Python311\Scripts>frida-trace -U -i "*jail*" -n "Random Dice"
    Instrumenting...
    fb_is_jailbroken: Loaded handler at "C:\\Users\\%%%%\\AppData\\Local\\Programs\\Python\\Python311\\Scripts\\__handlers__\\UnityFramework\\fb_is_jailbroken.js"
    _Z24replaced_jailbreakStatusP11objc_objectP13objc_selectori: Loaded handler at "C:\\Users\\%%%%%\\AppData\\Local\\Programs\\Python\\Python311\\Scripts\\__handlers__\\zzzzzLiberty.dylib\\_Z24replaced_jailbreakStatusP11o_658fd25a.js"
    Started tracing 2 functions. Press Ctrl+C to stop.
    Process terminated

and Ghidra shows:

    **************************************************************
    *                          FUNCTION                          *
    **************************************************************
    bool __cdecl _fb_is_jailbroken(ID param_1, SEL param_2)
         bool          w0:4            <RETURN>
         ID            x0:8            param_1
         SEL           x1:8            param_2
         undefined8    Stack[-0x10]:8  local_10    XREF[2]: 006adce8(W), 006add08(*)
    _fb_is_jailbroken                                XREF[2]: Entry Point(*), isJailBrokenDevice:005966fc(T), isJailBrokenDevice:005966fc(j)
    006adce8 fd 7b bf a9    stp   x29,x30,[sp, #local_10]!
    006adcec fd 03 00 91    mov   x29,sp
    006adcf0 68 4d 02 d0    adrp  x8,0x505b000
    006adcf4 08 31 45 f9    ldr   x8,[x8, #0xa60]=>DAT_0505ba60          = ??
    006adcf8 1f 05 00 b1    cmn   x8,#0x1
    006adcfc a1 00 00 54    b.ne  LAB_006add10
    LAB_006add00                                     XREF[1]: 006add24(j)
    006add00 68 4d 02 d0    adrp  x8,0x505b000
    006add04 00 61 69 39    ldrb  param_1,[x8, #0xa58]=>DAT_0505ba58     = ??
    006add08 fd 7b c1 a8    ldp   x29=>local_10,x30,[sp], #0x10
    006add0c c0 03 5f d6    ret
    LAB_006add10                                     XREF[1]: 006adcfc(j)
    006add10 60 4d 02 d0    adrp  param_1,0x505b000
    006add14 00 80 29 91    add   param_1=>DAT_0505ba60,param_1,#0xa60   = ??
    006add18 41 20 02 f0    adrp  param_2,0x4ab8000
    006add1c 21 40 02 91    add   param_2=>PTR_LOOP_04ab8090,param_2,#0x90   = 048a0778
    006add20 74 32 e3 94    bl    __stubs::_dispatch_once                undefined _dispatch_once()
    006add24 f7 ff ff 17    b     LAB_006add00

The decompiler shows:

    bool _fb_is_jailbroken(ID param_1,SEL param_2)
    {
      if (DAT_0505ba60 != -1) {
        __stubs::_dispatch_once(&DAT_0505ba60,&PTR_LOOP_04ab8090);
      }
      return (bool)DAT_0505ba58;
    }

which represents the entire function.
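Two details in the posts above are worth pinning down before patching anything. First, `ret` does not "return the register at x30": it branches to the address held in x30 (the link register), so `mov x30,#0x0` followed by `ret` at 006add08 sends execution to address 0 instead of making the function answer "not jailbroken". A `bool` result is returned in w0, and in this listing w0 is produced by the `ldrb param_1,[x8,#0xa58]` at 006add04; both paths through the function (the `_dispatch_once` branch at LAB_006add10 and the fast path) pass through that instruction, so replacing it with `mov w0,#0` (encoding `00 00 80 52`) covers both and leaves the frame and epilogue intact. Second, `frida-trace -i "*jail*"` hooks only symbols whose names match the pattern, so an inlined or stripped check never shows up in that output; the `_Z24replaced_jailbreakStatus...` handler in zzzzzLiberty.dylib looks, from the `replaced_` prefix, like a bypass tweak's hook rather than a game function, and "Process terminated" is the game being killed, not the trace ending.

The script below is an added example written for this thread; it is not code from the poster, the game, or LIAPP. It takes the hex bytes exactly as they appear in the Ghidra listing (the mnemonics are retyped with plain register names), confirms that the word at 006add04 really is `LDRB w0,[Xn,#imm]` before touching it, and writes the `MOVZ w0,#0` encoding in its place. The listing addresses are virtual addresses; mapping them to a file offset in the Mach-O (or patching in memory) is assumed to be done by whatever tool the bytes are fed back into.

```python
"""Force _fb_is_jailbroken to return 0 by replacing the LDRB that produces
its return value with MOVZ w0,#0.

Added example for this thread, not code from the game or the poster.
Assumption: addresses below are the virtual addresses from the Ghidra
listing; translating them to a file offset is done elsewhere.
"""
import struct

FUNC_BASE = 0x006ADCE8   # first instruction in the listing (stp x29,x30,...)
LDRB_ADDR = 0x006ADD04   # ldrb w0,[x8,#0xa58]: loads the cached result into w0
RET = 0xD65F03C0         # 'ret' at 006add0c, bytes c0 03 5f d6 in the listing

# Hex bytes copied from the listing, one instruction per line; the text after
# the four bytes is only a comment and is ignored by the parser.
LISTING = """
fd 7b bf a9   stp   x29,x30,[sp,#-0x10]!
fd 03 00 91   mov   x29,sp
68 4d 02 d0   adrp  x8,0x505b000
08 31 45 f9   ldr   x8,[x8,#0xa60]
1f 05 00 b1   cmn   x8,#0x1
a1 00 00 54   b.ne  LAB_006add10
68 4d 02 d0   adrp  x8,0x505b000
00 61 69 39   ldrb  w0,[x8,#0xa58]
fd 7b c1 a8   ldp   x29,x30,[sp],#0x10
c0 03 5f d6   ret
60 4d 02 d0   adrp  x0,0x505b000
00 80 29 91   add   x0,x0,#0xa60
41 20 02 f0   adrp  x1,0x4ab8000
21 40 02 91   add   x1,x1,#0x90
74 32 e3 94   bl    _dispatch_once
f7 ff ff 17   b     LAB_006add00
"""


def listing_to_bytes(listing):
    """Collect the four hex bytes at the start of each listing line."""
    out = bytearray()
    for line in listing.strip().splitlines():
        out += bytes(int(tok, 16) for tok in line.split()[:4])
    return bytes(out)


def insn_at(code, base, addr):
    """Return (instruction word, byte offset) for a virtual address."""
    off = addr - base
    if off < 0 or off + 4 > len(code) or off % 4:
        raise ValueError(f"{addr:#x} is outside the listed bytes or misaligned")
    return struct.unpack_from("<I", code, off)[0], off


def decode_ldrb_uimm(insn):
    """LDRB Wt,[Xn,#imm12] (unsigned offset) has bits 31..22 == 0b0011100101.
    Returns (t, n, imm12), or None if the word is some other encoding."""
    if insn >> 22 != 0b0011100101:
        return None
    return insn & 0x1F, (insn >> 5) & 0x1F, (insn >> 10) & 0xFFF


def movz_w(rd, imm16):
    """MOVZ Wd,#imm16 (32-bit, LSL #0): 0x52800000 | imm16 << 5 | Rd."""
    if not 0 <= imm16 <= 0xFFFF:
        raise ValueError("imm16 out of range")
    return 0x52800000 | (imm16 << 5) | rd


def patch_return_value(code, base, ldrb_addr, value=0):
    """Copy of `code` with the LDRB that fills w0 replaced by MOVZ w0,#value.
    Refuses to patch if the word at ldrb_addr is not an LDRB into w0."""
    insn, off = insn_at(code, base, ldrb_addr)
    dec = decode_ldrb_uimm(insn)
    if dec is None or dec[0] != 0:
        raise ValueError(f"word at {ldrb_addr:#x} is {insn:#010x}, not LDRB w0,[...]")
    patched = bytearray(code)
    struct.pack_into("<I", patched, off, movz_w(0, value))
    return bytes(patched)


if __name__ == "__main__":
    code = listing_to_bytes(LISTING)
    t, n, imm = decode_ldrb_uimm(insn_at(code, FUNC_BASE, LDRB_ADDR)[0])
    print(f"{LDRB_ADDR:#x}: ldrb w{t},[x{n},#{imm:#x}]")
    patched = patch_return_value(code, FUNC_BASE, LDRB_ADDR)
    off = LDRB_ADDR - FUNC_BASE
    print(f"write at {LDRB_ADDR:#x}: {patched[off:off + 4].hex(' ')}")
```

Before installing the patched binary, disassemble the modified range again (in Ghidra, or with `otool -tv` on the extracted framework) and confirm that 006add04 now reads `mov w0,#0` and that the surrounding `ldp`/`ret` are untouched; the script refuses to overwrite anything that does not decode as `LDRB w0`, which catches an off-by-one in the offset translation. If the LIAPP screen still appears with this patch in place, the trigger is not the value this function returns, and the only caller the listing shows, `isJailBrokenDevice` at 005966fc, is the next place to look.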
-
Unfortunately no known public bypass tweaks work at the moment. The only known bypass is on this site, but I wanted to try my hand at it. I think I was able to narrow down the function to something called "_fb_is_jailbroken" thanks to Frida. My problem now is looking at the assembly and figuring out what's what, if there are other calls, etc. As for DNSpy, I have the feeling that it's not what I'm looking for. DNSpy does show a class "CheatingDetector" and it does have a function labeled "onDetectedThreatWithLIAPP()", but it doesn't help me outside of that. It's quite the headache for someone who doesn't have experience in assembly or reverse engineering 😪 Here's the list from DNSpy in case you were interested:

    using System;
    using Il2CppDummyDll;

    // Token: 0x02000A35 RID: 2613
    [Token(Token = "0x2000A35")]
    public class CheatingDetector : ManagerSingleton<CheatingDetector>
    {
        // Token: 0x06004895 RID: 18581 RVA: 0x00002050 File Offset: 0x00000250
        [Token(Token = "0x6004895")]
        [Address(RVA = "0x1D67DFC", Offset = "0x1D67DFC", VA = "0x1D67DFC", Slot = "10")]
        protected override void Awake()
        {
        }

        // Token: 0x06004896 RID: 18582 RVA: 0x00002050 File Offset: 0x00000250
        [Token(Token = "0x6004896")]
        [Address(RVA = "0x1D67E50", Offset = "0x1D67E50", VA = "0x1D67E50")]
        public void onDetectedThreatWithLIAPP()
        {
        }

        // Token: 0x06004897 RID: 18583 RVA: 0x00002050 File Offset: 0x00000250
        [Token(Token = "0x6004897")]
        [Address(RVA = "0x1D67E58", Offset = "0x1D67E58", VA = "0x1D67E58")]
        public void OnCheaterDetected(int DBBABCBBDCBDBCDDBDDBCCB)
        {
        }

        // Token: 0x06004898 RID: 18584 RVA: 0x00010A10 File Offset: 0x0000EC10
        [Token(Token = "0x6004898")]
        [Address(RVA = "0x1D6808C", Offset = "0x1D6808C", VA = "0x1D6808C")]
        public ValueTuple<bool, string> CheckCheat()
        {
            return default(ValueTuple<bool, string>);
        }

        // Token: 0x06004899 RID: 18585 RVA: 0x00002050 File Offset: 0x00000250
        [Token(Token = "0x6004899")]
        [Address(RVA = "0x1D68804", Offset = "0x1D68804", VA = "0x1D68804")]
        public void SaveChatBlockTime(string ACDABDBDABCCACBABDCDCDC, int BBDBBBDCBBDCCABCAACAABC)
        {
        }

        // Token: 0x0600489A RID: 18586 RVA: 0x00010A28 File Offset: 0x0000EC28
        [Token(Token = "0x600489A")]
        [Address(RVA = "0x1D6839C", Offset = "0x1D6839C", VA = "0x1D6839C")]
        public ValueTuple<bool, bool> CheckReport(string ACDABDBDABCCACBABDCDCDC)
        {
            return default(ValueTuple<bool, bool>);
        }

        // Token: 0x0600489B RID: 18587 RVA: 0x00002050 File Offset: 0x00000250
        [Token(Token = "0x600489B")]
        [Address(RVA = "0x1D68970", Offset = "0x1D68970", VA = "0x1D68970")]
        public CheatingDetector()
        {
        }
    }
-
Thanks
-
Hi all. I was wondering what the best way is to find and address the AppGuard/LIAPP detection on a certain app. I was using a decompiler on the UnityFramework file and I also tried using DNSpy for the Assembly file. My issue is:

1. I can find a class for "CheatDetector" in DNSpy using the assembly file that has a method for LIAPP, but I'm not sure how to address it in the Live Offset program. I tried to NOP the offsets of the functions, but nada.
2. I can also find instances in the UnityFramework file where it tries to find paths of common jailbroken things such as Cydia.

I'm not understanding which I should be addressing, given that both show points of interest for detecting JB. Any help would be appreciated.
-
Mod Menu Hack Random Dice : Defense v7.7.6 +5 Cheats
marc726 replied to Zahir 's topic in ViP Cheats
Hi @Zahir, would it be possible to get an update to this mod menu? It was updated again to 7.7.11. Sorry for the bother again.