𓄼 . f v c k . 𓄹

8 minutes ago, Kobina said:

yeah i did that and type theos in mterminal  but it didn't show the ted2 mod menu step-up like the video in my mterminal

Then 3 possibilities :

1) your alias for 'theos' does not link to the correct patch, (maybe you installed theos twice on a diff directory).

2) you unzip/open the template of Ted2. 

3) you did put the template in a wrong directory.

Please follow the official instruction here :

https://theos.dev/docs/installation-ios

or here :

1 hour ago, Kobina said:

when i look at var/theos/templates i don't see any ios but when i go to vendor/template i see ios. Does it mean i need to copy the ios that is in vendor and put it into the var/theos/template? i can make a short video of what i see when i go to var/theos/template and vendor/template.

 

Any theos template need to be at $THEOS/template. If you have it installed at /var/theos/template then put it there. if /opt/theos/template then there.

Make sure to not unzip the template.

6 hours ago, Kobina said:

how about hacking unity games using tweak xm? do you have a link for it?

look about Ted2 mod menu

50 minutes ago, Kobina said:

you have a link of how to do it?

you have a link of how to do it?

Yeah, the one in my first reply, it's maybe the Part 2 or 3 regarding the hooking part

22 hours ago, Kobina said:

i can't get ted2 theos template  to work for me. Can i use this method for mobile substrate one?

MSHookFunction() won't work for games using UnityFramework file afaik.

You need use HOOK() for UnityFrameworks files.

Start with the Part 1, and follow the topics.

Mhh Mhhhh, very nice detection tho ! 

3 hours ago, Happy Secret said:

Update:

1. It works every time on my iPad Pro (9.7) but not work on my iPad Pro 2nd Generation.

2. Both are on iPad OS 16.2

Completely no idea what happens. 
 

Luckily the live patching work across device. Just the Interceptor failed on one.

I guess it is the implementation of Interceptor causing problem. Because the statement simply hang and not returning, app’s console log show nothing. We just see the Interceptor call invoked, then nothing more in log and not progressing.

So, it is probably not invalid memory access stuff.

Looking for possible solutions.

Mhhh okay okay thanks for testing  

On 1/11/2023 at 12:56 PM, Naegi Komaeda said:

Hello, I have problem with a game called mystic messenger mod that created by AlyssaX64. When I open it, it just crash. I try for another game and most of it works for my iphone. My iphone is 16 ios version and I'm using Iphone 12 non jailbroken. I comment on her thread but it seems she/he doesnt read it

Ps. This is my first time using mod on Ios since I always using Android. So please don't be harsh to me

Are you using the Non-Jailbreak menu ?

If you installed a cheat for Jailbreak and sideload it for non-JB, it gonna crash. The code need to be adapt, and so only non-jailbroken mods can work on non-JB.

If you already did some search on the DLLs, and all was obfuscated then u need to dump an older version and check for things related to "cheat" "ban" "anti" "anit" (yeah i saw a game making this kind of protection , and compare it with latest dump.

Here a few projects i found on github, maybe there is an anticheat provided. Keep in mind that google and Github is best friend...

https://github.com/Oifox/Forward-Assault-Mod-Source

https://github.com/DarksideH/Forward-Assault-Esp

https://github.com/Im-TEC/Masskill

https://github.com/Im-TEC/Telekill

You need to make a difference between your player and others players, here on the video you showed, you probably made god mod but for every instances. U need to make it only if its not yours by adding a check.

See:

48 minutes ago, Happy Secret said:

Test Result:

1. try {pid=h5gg.getProcList("UnityFramework")[0].pid;}catch(e){} - NOT WORK

2. let frontapp = h5frida.get_frontmost_application();

    frontapp.pid; - THIS WORK

But the hook seems not always work, sometime it cause game hang (not exit) on applying the hook.

Need some more study.

Mhhh so you mean H5GG hook is working some times if debugging is on ? 

27 minutes ago, Happy Secret said:

Am….are we talking the same hook? You seems have special expectation on that word “normal”.

My “normal” just mean, we don’t need to patch and re-Sideload the app. Just directly hook on to the app under debugging state.

I mean c++ hook like on Ted2 mod menu.

34 minutes ago, Happy Secret said:

h5gg.getProcList("UnityFramework")[0].pid

try {pid=h5gg.getProcList("UnityFramework")[0].pid;}catch(e){}

var session = h5frida.attach(pid);
 

I saw this code on github for the second option. (getProcList), idk if it requires JB or not 

8 hours ago, Happy Secret said:

How to get process ID in script? 

let procs = h5frida.enumerate_processes();
if(!procs || !procs.length) throw "frida无法获取进程列表\n\nfrida can't get process list";

let pid = -1; //pid=-1, 使用自身进程来调用OC/C/C++函数, 也可以附加到其他APP进程来调用
//Use its own process to call OC/C/C++ functions, or attach to other APP processes to call

try {pid=h5gg.getProcList("UnityFramework")[0].pid;}catch(e){}

let found = false;
for(let i=0;i<procs.length;i++) {
    if(procs[i].pid==pid) {
        //if(procs[i].name!='Gadget') throw "免越狱测试请卸载frida-server的deb然后重启当前APP\nFor non-jailbreak tests, please uninstall the frida-server deb and restart the current APP";
        found = true;
    }
}

if(!found) throw "frida无法找到目标进程\n\nfrida cannot find the target process";

//检查目标APP进程是否在前台运行, 如果在后台暂停了, frida附加调用会卡住
//Check whether the target APP process is running in the foreground, if it is suspended in the background, frida will be blocked
while(pid>0) {
    let frontapp = h5frida.get_frontmost_application();
    if(frontapp && frontapp.pid == pid) break;
    
    alert("请将目标APP切换至前台运行, 再点击确定继续...\n"
            + "Please switch the target APP to the foreground to run, and then click OK to continue...");
}

Im on my device atm, couldn't paste it as code, but here is a raw code i found on an H5GG project that takes the PID. Tho i haven't read anything related to frida interceptor method (regarding H5GG)

2 hours ago, Happy Secret said:

GOD!!! I seems make the normal hook working under debugging state! I can hook the Subway Surfers - Always can jump!

Not sure if there has any drawback/issue yet.

Will give another try later tonight!

If it really works, I will definitely make another Tutorial.

Anyway, current version is still quite handicapped. Need manually hard code process ID in script. But if hook is possible, I will find way to get process ID from system.

Maybe after there is a way to find an automated step to make the app thinks it's in debugging mod ! 

It's good that "normal" hook with c++ work 

@Happy Secret Have you tried to see if "normal" hook that is used for common cheats, work on jailed if debugging is on ?

I do not have XCode, otherwise i would test it by myself 

Mhh Mhh okay that's what i would try, im not a pro, but this is what i would do :

35 minutes ago, rafgeekee said:

Forceable set Amount  to 9999 for all Items.

 

You can maybe try to get the field with the Update() function (if there is). else, ive seen somwhere on the web where you can use other function from the class but i didn't tried, Lmk if it worked.

So, if no Update() function :

//just a poc to get the idear
void(*old_func)(void *instance);
void func(void *instance) {
        if ([switches isSwitchOn:@"9999 Items"]) {
            //int Amount
            *(int *) ((uint64_t) instance + 0x1C) = 9999;
    }
    old_func(instance);
}

setup(){
	//a function in the same class. use Update if there is, if not try another function (Init for ex)
	HOOK(0x1ABB3A8, func, old_func);
}

42 minutes ago, rafgeekee said:

Forceable set IsUnlimited to True for all Items.

 

do the same thing.

43 minutes ago, rafgeekee said:

auto modInit = reinterpret_cast<void(*) (void *, CRefItem, int, bool)>(getRealOffset(0x1ABB3A8));

Afaik, when there is a Type and you don't have his definition, just make a pointer to it like this ;

//taking ur code
auto modInit = reinterpret_cast<void(*) (void *, void *, int, bool)>(getRealOffset(0x1ABB3A8));

replace the CRefItem with void *,  that way it gonna make a pointer on the undifined type and with luck it not gonna crash

50 minutes ago, rafgeekee said:

//this_ is probably a func where this_ + 0x1C = int Amount;
//you can't patch a field without its pointer. like search for "0x1C" in your dump.cs you gonna have a tons of results.
// but if u have pointer + 0x1C, its unique

*(int*)[UIKeyPatch address:@"0x1C" ptr:this_] = 9999;

 

using this is the same as . 

*(int *) ((uint64_t) instance + 0x1C) = 9999;

53 minutes ago, rafgeekee said:

3) IsAttached arg will always be False - which may not always be the case - would be nice to know how to get the original passed args

 

i guess, once you hooked Init, you can easly called it and put "true" on the func parameter, it gonna overwrite it probably.

//POC
modInit(this_, paramName ,9999, true);

Hope it could help you, tho all this is my knowledge, things might not be 100% right 

don't start hacking on UE4 games, they are kinda hard, try first with some IL2CPP/Mono games (Unity3D)

1 hour ago, Happy Secret said:

Cool, thx. Not aware of that. 
Do you have a good source of it? I don’t familiar GitHub and how to build. It often take me long time.

it was a long time ago but i dis not build it, it was already done 

4 hours ago, Happy Secret said:

Frankly, I want a Windows PC as well. A lot app in Windows OS are not available in Mac. Take DnSpy as example, I tried pretty hard still can’t get it running with wine in Mac.

use IlSpy for macOS, it's working great, it's different then DnSpy but well at least you can decompile DLLs

8 hours ago, Happy Secret said:

Thanks for the support. 
 

if you are on Mac, Xcode is a pretty good option. Free and suppprt signing and Sideload with your our own Apple developer certificate.

 

Yeah but sadly i don't have a mac

Try to restart the phone, or if JB run : 

ldrestart 

It will reboot in a JB state and refresh the storage

Nice, that's pretty cool

I never tried debug a game with xCode.

Nice tut, gonna link it on my tut  

1 hour ago, Happy Secret said:

The patched one in static-inline-hook folder, AirDrop it to Mac, repackage the ipa and Sideload again.

Just want to say, for Mac user, you do not necessarily need 3u Tools (or alike).

Of course, 3u Tools is a great tool to have.

yeah but where do you find the static-inline folder on Documents app (iOS) ? 

Yeah itunes can do it if im right, but well this tut is for newbies that don't know how to share files 

14 minutes ago, Happy Secret said:

If you are on Mac, you can actually AirDrop the framework file to Mac. This is my default option

Yeah but transfer the patched UnityFramework to the PC ?