𓄼 . f v c k . 𓄹

14 minutes ago, Happy Secret said:

If you are on Mac, you can actually AirDrop the framework file to Mac. This is my default option

Yeah but transfer the patched UnityFramework to the PC ?

18 minutes ago, CaIIMeZeus said:

I want to add some mini information too..

you can get new edited binary file from "Documents" app which comes built in app with iDevices. so you can earn time with 3u tools.

Also you guys can use customized and good looking menus written by HTML for your menus too. You can join our server from this link : https://discord.gg/h5gg.

We will be waiting for you to make a tutorial for Unity5D which allows you to make all version ESP hacks for UnityFramework binary games with few clicks.

On part 2, i will probably make a tut with a mod menu, but for the first part i just wanted to people know how to patch and hook. 

And also, afaik Documents app doesn't let you access app content in /Documents of Subway Surfer (in the case of the tutorial) even if the app has File Sharing enable. (at least on a fully jailed phone)

I will edit the topic once i have time to add Discord link and official Github

11 minutes ago, Kobina said:

okay thanks sorry but i have one more question can you use the unity framework with the script in ida and test the offset using the hex editor?

you can load the ida.py script or whatever python script to get class names and func names yeah, and yeah you can patch with any hex editor but a better way would be using iGameGod and Live Offset Patcher tool in the settings 

2 minutes ago, Kobina said:

one more question is inotia plus dis the right binary?

Idk i never played the game, check if there is a directory named Frameworks/UnityFramework or something like this, 

if there this mean that the real binary is UnityFramework (so use this on iDA)

of not, it's the default binary file on the .app

Here is a guide that may help you : 

7 hours ago, namcyeon said:

i think, a better way is make a app in windows to patch the unityframework file instead of running the mod script to patch it. Then after sideloadly, we can use the mod script. But i have no idea about how to make that app, lol

H5GG doesn't work like this, it wouldn't be possible since apps are Sandbox on jailed devices.

The only solution is to patch all your offset at once, and replace only once the framework file.

19 minutes ago, Happy Secret said:

HTML + JS injection is fine. But UnityFramework need to patch once before ActiveCodePatch works, this is never mentioned in their example scripts. Not even in GitHub. 
 

But yes, I can understand there will always be a gap between what we can do with jailbroken or not. H5GG already made a huge step forward to close the gap. It will be a plus, if we can help improve documentation a bit.

Tuancc said it was for advanced modders only, i guess that's why it'd documented that way.

Yeah they didn't made any guide for that, that's why i made one

11 minutes ago, Happy Secret said:

It works for me, even with the ActiveCodePatch patched UnityFramework binary. Probably it just need an artificial anchor point on the same address.

I tested the get_CanJump hack only.

You only need to "prepare" the UnityFramwork once, after that you can hook/patch the offset. No need to replace with a new UnityFramework file if you switch between ActiveCodePatch/StaticInlineHookFunction.

16 minutes ago, Happy Secret said:

I have just test it again and finally worked.

it is really 

• First run is just to prepare the Framework (insert function). The real effect happens when we use the patched framework with the function call to enable/disable.

You will probably want to include a hint/note to your tutorial about this.

The error message is not sufficient. It can’t explain what to expect.

 

Anyway, it is not the type of in memory hook/patch that I expect. It requires a repackage and redeployment for non-jailbroken.

Hope there is a way to do pure in memory hook / patch (without modifying the binary).

 

Did Frida allow us to do that? I used to test patches with Xcode (LLDB), but it requires a PC connection.

Yep, but here are the basics, after that you can make an HTML Mod Menu and create a dylib that contains your HTML + JS. then you can inject it on an iPA and you wont need to inject the script or anything.

Since Non-JB doesn't have the same permission as a JB Device, i don't think Frida let you hook like on JB.

10 minutes ago, namcyeon said:

@Happy Secret You can try second method with hook, but it's not working with me.

can you provide more details ?

On 1/12/2023 at 3:09 PM, Happy Secret said:

Thanks for sharing…

 

I am a bit confused for the last part.

How to hook the get to take effect to set? Your code seems not including this part?

also, I am not sure why you want to set with default value again at last?

It will not override our earlier 5x set?

 

 

My bad, i wrote this beeing pressed by the time. I have edited the topic. Lmk if it worked

14 minutes ago, Laxus said:

Have you tried instance variable hook? Does it work?

 

nope, haven't tried, i think its possible tho, with this : https://frida.re/docs/javascript-api/
there is a doc on how to use writeInt / writeFloat.

57 minutes ago, namcyeon said:

I had tried hooking, but it's not working 😑, stuck at 

if(!h5frida.loadGadget("frida-gadget-15.1.24.dylib"))

if this get you an error, you didn't have placed the file in the .app folder, or you have renamed it

2 minutes ago, Happy Secret said:

So, it could be my concept is wrong from beginning.
First time the script run, we, in fact, expect the alert come and provide a patched version of the UnityFramework inside the static-inline-hook folder.

The patched version of UnityFramework has embedded a new function inside. 
 

From we call the ActiveCodePatch or StaticInlineHookFunction the second time onwards, it starts to take effect.

 

First run is just to prepare the Framework (insert function). The real effect happens when we use the patched framework with the function call to enable/disable.

 

Let me test it our again later tonight.

Thanks for the help.

yep you are right ! 

welcome !

11 minutes ago, papastweak said:

Haven't tested hooks yet but code patching works! Tested on Iphone 12 Pro Max, 16.1.2

that's cool, could you edit your answer and tell me if hook works ?

4 hours ago, Happy Secret said:

Quick test result:

1. I also got the the UnityFramework patched by h5frida and stored inside static-inline-hook folder

2. With a detail look into it, the hex code of the instruction (patched) doesn't look right to me.

Orignal at 0x1B39598 is FD7BBFA9FD030091

- stp x29, x30, [sp, #-0x10]!
- mov x29, sp

After patch at 0x1B39598 is CF2A9914FD030091

- b #0x264ab4c
- mov x29, sp

What we are expecting at 0x1B39598 is 200080D2C0035FD6, Right??

- mov x0, #1
- ret 

Tested in game, always Can Jump is not working. Same as my try in another game these few days. 

I am using iPadOS 16.2 (non-jailbreak) with iPad Pro 2nd Gen.  

Mhh i did the tutorial on an A14, iOS 15.1 and the patch/hook worked well.

maybe H5GG doesn't support iOS 16 atm, but it's weard since we hook the app framework and not any device framework.

i don't understand how you got the bytes at 0x1B39598, i didn't used ida, i simply checked the function on dnSpy, patched it on JB with the LOP tool from iOSGods, it worked so i did it on H5GG, and it worked too 

edit :

oh you mean the UnityFramework patched ? well i didn't looked at the data at the offset 0x1B...98, but it's seems normal to me that's it's not 2000...FD6, otherwise it will always be enable. i think that it creates another function on the UnityFramework (at another place) and at 0x1B...98, it calls it.

so if there is no script running, we shouldn't be able to jump always, but when we load our script, it probably jump to our created function in the UnityFramework, and so it return 2000..FD6 at our function (maybe at 0x264ab4c) and if we unload the script, the original bytes in the memory will load again making "normal jumps"

(this is my personal analysis, it may not be 100% right but this is how i visual it) 

video : https://streamable.com/5g6nvz

58 minutes ago, Kobina said:

how do you use it?

it's documented on his github and on iOSGods, simply check search bar 

2 hours ago, namcyeon said:

About the hooking, is it working on the no jailbreak? 

yes, it's the point of the tut 

29 minutes ago, Rook said:

Your tutorials are so well written! ❤️

Hello Hello,

Here is finally a tutorial to patch or even hook on Non-JB/JB. 

This tutorial will cover the non-JB way because that's what's interesting , but this way can work on JB.

We will see the complete installation of H5GG, and an example of offset patching, and another with hooking. The source code will also be provided. Nothing better to feel in paradise. 

Requirements:
- PC (or a way of managing iPA files)
- Sideloadly
- 3u Tools to view the app documents
- Subway Surfer

• 1)

Since Critical Strike has serious issues with their games, I can't base my tutorial on this game. So let's go on a new one : Subway Surfer

First, download the Subway Surfer iPA : HERE

Then we will need 3 other files specific to H5GG for offset patching / hooking:

Simply see the instruction : HERE

You can delete the "hookme.test.dylib" cuz we don't need it.

You should have this :

Now, simply extract the iPA, copy the 3 files and move to the .app folder and paste it there. It should look like this :

Now simply ZIP the Payload, and rename it To WhatEver.ipa

Now we need to download the .deb that we gonna inject to the iPA : HERE

Now, we gonna need to Sideload the iPA WITH these settings :

We will need to use File Sharing later in the tutorial, so enable it. Don't forget to inject the H5GG.deb file.

We did like 50% of the work now hehe 

• 2)

Now, we gonna code (or Ctrl+C, Ctrl+V) :

I use EasyHTML app on the AppStore to code it.

Offset Patching/Hooking on H5GG is done by injecting a .js script so, let's write it. you have a sample: HERE

Below is an edited version to work on Subway Surfer 3.6.0.

Offset Patching code :

h5gg.require(7.9); 
var h5frida=h5gg.loadPlugin("h5frida", "h5frida-15.1.24.dylib");
if(!h5frida) throw "Failed to load h5frida plugin";

function ActiveCodePatch(fpath, vaddr, bytes) {
    if(!h5frida.ActiveCodePatch(fpath, vaddr, bytes)) {
        var result = h5frida.ApplyCodePatch(fpath, vaddr, bytes);
        alert(fpath+":0x"+vaddr.toString(16)+"-修改失败!\n" + fpath+":0x"+vaddr.toString(16)+"-PatchFailed!\n" + result);return false;
    } return true;
}
function DeactiveCodePatch(fpath, vaddr, bytes) {
    return h5frida.DeactiveCodePatch(fpath, vaddr, bytes);
}

/*HERE IS OUR OFFSET PATCHING CODE*/

//public bool get_CanJump() -> 0x1B39598
//Enable a hack at 0x1B39598 with HEX : 200080D2C0035FD6
ActiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x1B39598, "200080D2C0035FD6");

Well here we arn't using a template, we just want to patch our offset so we will enable it by default.

If you are using a template, just make a if statement, and use this code to disable the Offset Patching :

//this is just a POC
if (switch_Jump) {
    ActiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x1B39598, "200080D2C0035FD6");
} else {
    //when you desactivate a patch, it need to be the same HEX that you use to enable the hack.
    DeactiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x1B39598, "200080D2C0035FD6");
}

Now, inject the script with H5GG by clicking the "Scripts" button, and select the JavaScript file from there.

Once this done, you should see this "error" (my offset is not the same on the picture, its normal i was testing another one. Ignore it):

A big alert for just telling us to overwrite a file , dont panic haha we gonna fix it !

If you want to replace the file without PC :

In theory, just change the UnityFramework given by H5GG with the old one. detailed step :

So this is where we need 3uTools. Go to the applications on your phone using 3utools, and select subway surfer then "view" (because you normally activated File Sharing). you should be able to see this :

Navigate to the directory until you find the UnityFramework file. then copy it, and replace it with the one of the Playload folder of the iPA. like this :

We don't see it on the pic, but the file patch is :

Payload\SubwaySurf.app\Frameworks\UnityFramework.framework

Ofc, delete the old one. i kept it & renamed just for demonstration.

Then, simply delete the app on your device, repack the new Payload folder and again Sideload the new iPA with the edited UnityFramework. you don't need to enable file sharing exept if you want to patch a new offset. but no need if you follow the tutorial

Then run the script again on the new sideloaded iPA, and you should be able to Jump every time due to the Offset Patching .

Now, lets go to Hooking !

I will make a new script with this content (an edited version of the github one) :

h5gg.require(7.9); //设定最低需求的H5GG版本号//min version support for H5GG
var h5frida=h5gg.loadPlugin("h5frida", "h5frida-15.1.24.dylib");
if(!h5frida) throw "加载h5frida插件失败\n\nFailed to load h5frida plugin";
if(!h5frida.loadGadget("frida-gadget-15.1.24.dylib"))
    throw "加载frida-gadget守护模块失败\n\nFailed to load frida-gadget daemon module";
var procs = h5frida.enumerate_processes();
if(!procs || !procs.length) throw "frida无法获取进程列表\n\nfrida can't get process list";
var pid = -1; //pid=-1, 使用自身进程来调用OC/C/C++函数, 也可以附加到其他APP进程来调用
var found = false;
for(var i=0;i<procs.length;i++) {
    if(procs[i].pid==pid) {
        if(procs[i].name!='Gadget') throw "免越狱测试请卸载frida-server的deb然后重启当前APP\nFor non-jailbreak tests, please uninstall the frida-server deb and restart the current APP";
        found = true;
    }
}
if(!found) throw "frida无法找到目标进程\n\nfrida cannot find the target process";
var session = h5frida.attach(pid);
if(!session) throw "frida附加进程失败\n\nfrida attach process failed";

//监听frida目标进程连接状态, 比如异常退出
session.on("detached", function(reason) {
    alert("frida目标进程会话已终止(frida target process session terminated):\n"+reason);
});

var frida_script_line = frida_script("getline"); //safari console will auto add 2 line
var frida_script_code = "("+frida_script.toString()+")()"; //将frida脚本转换成字符串
var script = session.create_script(frida_script_code); //注入frida的js脚本代码

if(!script) throw "frida注入脚本失败\n\nfrida inject script failed!";
script.on('message', function(msg) {
    if(msg.type=='error') {
        script.unload(); //如果脚本发生错误就停止frida脚本
        try {if(msg.fileName=="/frida_script.js") msg.lineNumber += frida_script_line-1;} catch(e) {}
        if(Array.isArray(msg.info)) msg.info.map(function(item){ try { if(item.fileName=="/frida_script.js")
            item.lineNumber += frida_script_line-1;} catch(e) {}; return item;});
        var errmsg = JSON.stringify(msg,null,1).replace(/\/frida_script\.js\:(\d+)/gm,
            function(m,c,o,a){return "/frida_script.js:"+(Number(c)+frida_script_line-1);});
        alert("frida(脚本错误)script error:\n"+errmsg.replaceAll("\\n","\n"));
    }
    
    if(msg.type=='send')
        alert("frida(脚本消息)srcipt msg:\n"+JSON.stringify(msg.payload,null,1));
    if(msg.type=='log')
        alert("frida(脚本日志)script log:\n"+msg.payload);
});

if(!script.load()) throw "frida启动脚本失败\n\nfrida load script failed"; //启动脚本
function frida_script() { if(arguments.length) return new Error().line; 
                         
                         
            /*HERE IS OUR HOOKING*/
                         
                         
var Jump = h5frida.StaticInlineHookFunction("Frameworks/UnityFramework.framework/UnityFramework",
    0x1B39598,
    "bool",
    ["pointer"],
    function(instance) {
        //return 1 for true, 0 for false
        return 1;
    }
);
                        
   
}

You can hook any function type, just change the return type of the function.

//public float get_SpeedModifier() -> 0x1234567
var Speed = h5frida.StaticInlineHookFunction("Frameworks/UnityFramework.framework/UnityFramework",
    0x1234567,
    "float",
    ["pointer"],
    function(instance) {
        return 9999;
    }

);

Well, that's all hehe, hope you could achieve your goals ! 

ActiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x1212121, "YOUR HEX");
ActiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x8989898, "YOUR HEX");
ActiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x6565656, "YOUR HEX");

Credits :

@tuancc H5GG tool

- Me for the tuto

Feel free to ask questions about it if its related to the topic

If your app is crashing, you can see this 

H5GG Discord : https://discord.gg/h5gg

H5GG Github : https://github.com/H5GG/H5GG

Maybe usefull : 

wait, arn't we already in 2023 ?  

8 hours ago, Happy Secret said:

Hello, the link document is gone. Can help upload one back? Thanks in advance

here is the chinese telegram of H5GG, they share a lot of scripts : https://t.me/h5gg_cn

and here is a forked repo of the one i gaved :

https://github.com/iRedddy/h5gg-files

1 hour ago, Mina Kim said:

D’accord merci mais j’ai pas vraiment compris comment on fait pour le re sign avec Sideloadly ? 

De quoi la version ?

tu as installer l'application de quel manière ? 

si tu l'a installé avec iosgods (version gratuite) le certificat a été revoke et tu peux rien y faire. 

utilise dont sideloadly qui te permet d'avoir ton propre certificat pour 7 jours. 

(il doit y avoir pleins de tutos sur youtube)

3 minutes ago, Kobina said:

 STR             W20, [SP,#0x60+var_58] 

i tried it changing with  MOV X0, #0x7F000000 which works but then it changes to 0 or when it doesn't it goes to negative or sometimes it doesn't but still reload the gun   

show the full arm function, here you are changing the Store instruction, but there might be other ways not buggy

9 hours ago, Laxus said:

Teach me this please /cdn-cgi/mirage/41ff1f68243607f4e9ea12c2548c6d54d43598dd57117816f22e2d670dcc8f0b/1280/https://iosgods.com/uploads/emoticons/default_happycry.gif

7 hours ago, Happy Secret said:

I want to learn H5GG like above mentioned as well

well, ima make a tutorial then when i have time 

@Mina Kim Ton application a été revoke, ça veux dire qu'elle n'est plus signée et qu'elle ne peut donc pas s'ouvrir. re sign la avec Sideloadly