0xSolana

Start with the Part 1, and follow the topics.

3 hours ago, Happy Secret said:

Update:

1. It works every time on my iPad Pro (9.7) but not work on my iPad Pro 2nd Generation.

2. Both are on iPad OS 16.2

Completely no idea what happens. 
 

Luckily the live patching work across device. Just the Interceptor failed on one.

I guess it is the implementation of Interceptor causing problem. Because the statement simply hang and not returning, app’s console log show nothing. We just see the Interceptor call invoked, then nothing more in log and not progressing.

So, it is probably not invalid memory access stuff.

Looking for possible solutions.

Mhhh okay okay thanks for testing  

On 1/11/2023 at 12:56 PM, Naegi Komaeda said:

Hello, I have problem with a game called mystic messenger mod that created by AlyssaX64. When I open it, it just crash. I try for another game and most of it works for my iphone. My iphone is 16 ios version and I'm using Iphone 12 non jailbroken. I comment on her thread but it seems she/he doesnt read it

Ps. This is my first time using mod on Ios since I always using Android. So please don't be harsh to me

Are you using the Non-Jailbreak menu ?

If you installed a cheat for Jailbreak and sideload it for non-JB, it gonna crash. The code need to be adapt, and so only non-jailbroken mods can work on non-JB.

If you already did some search on the DLLs, and all was obfuscated then u need to dump an older version and check for things related to "cheat" "ban" "anti" "anit" (yeah i saw a game making this kind of protection , and compare it with latest dump.

Here a few projects i found on github, maybe there is an anticheat provided. Keep in mind that google and Github is best friend...

https://github.com/Oifox/Forward-Assault-Mod-Source

https://github.com/DarksideH/Forward-Assault-Esp

https://github.com/Im-TEC/Masskill

https://github.com/Im-TEC/Telekill

You need to make a difference between your player and others players, here on the video you showed, you probably made god mod but for every instances. U need to make it only if its not yours by adding a check.

See:

48 minutes ago, Happy Secret said:

Test Result:

1. try {pid=h5gg.getProcList("UnityFramework")[0].pid;}catch(e){} - NOT WORK

2. let frontapp = h5frida.get_frontmost_application();

    frontapp.pid; - THIS WORK

But the hook seems not always work, sometime it cause game hang (not exit) on applying the hook.

Need some more study.

Mhhh so you mean H5GG hook is working some times if debugging is on ? 

27 minutes ago, Happy Secret said:

Am….are we talking the same hook? You seems have special expectation on that word “normal”.

My “normal” just mean, we don’t need to patch and re-Sideload the app. Just directly hook on to the app under debugging state.

I mean c++ hook like on Ted2 mod menu.

34 minutes ago, Happy Secret said:

h5gg.getProcList("UnityFramework")[0].pid

try {pid=h5gg.getProcList("UnityFramework")[0].pid;}catch(e){}

var session = h5frida.attach(pid);
 

I saw this code on github for the second option. (getProcList), idk if it requires JB or not 

8 hours ago, Happy Secret said:

How to get process ID in script? 

let procs = h5frida.enumerate_processes();
if(!procs || !procs.length) throw "frida无法获取进程列表\n\nfrida can't get process list";

let pid = -1; //pid=-1, 使用自身进程来调用OC/C/C++函数, 也可以附加到其他APP进程来调用
//Use its own process to call OC/C/C++ functions, or attach to other APP processes to call

try {pid=h5gg.getProcList("UnityFramework")[0].pid;}catch(e){}

let found = false;
for(let i=0;i<procs.length;i++) {
    if(procs[i].pid==pid) {
        //if(procs[i].name!='Gadget') throw "免越狱测试请卸载frida-server的deb然后重启当前APP\nFor non-jailbreak tests, please uninstall the frida-server deb and restart the current APP";
        found = true;
    }
}

if(!found) throw "frida无法找到目标进程\n\nfrida cannot find the target process";

//检查目标APP进程是否在前台运行, 如果在后台暂停了, frida附加调用会卡住
//Check whether the target APP process is running in the foreground, if it is suspended in the background, frida will be blocked
while(pid>0) {
    let frontapp = h5frida.get_frontmost_application();
    if(frontapp && frontapp.pid == pid) break;
    
    alert("请将目标APP切换至前台运行, 再点击确定继续...\n"
            + "Please switch the target APP to the foreground to run, and then click OK to continue...");
}

Im on my device atm, couldn't paste it as code, but here is a raw code i found on an H5GG project that takes the PID. Tho i haven't read anything related to frida interceptor method (regarding H5GG)

2 hours ago, Happy Secret said:

GOD!!! I seems make the normal hook working under debugging state! I can hook the Subway Surfers - Always can jump!

Not sure if there has any drawback/issue yet.

Will give another try later tonight!

If it really works, I will definitely make another Tutorial.

Anyway, current version is still quite handicapped. Need manually hard code process ID in script. But if hook is possible, I will find way to get process ID from system.

Maybe after there is a way to find an automated step to make the app thinks it's in debugging mod ! 

It's good that "normal" hook with c++ work 

@Happy Secret Have you tried to see if "normal" hook that is used for common cheats, work on jailed if debugging is on ?

I do not have XCode, otherwise i would test it by myself 

Mhh Mhh okay that's what i would try, im not a pro, but this is what i would do :

35 minutes ago, rafgeekee said:

Forceable set Amount  to 9999 for all Items.

 

You can maybe try to get the field with the Update() function (if there is). else, ive seen somwhere on the web where you can use other function from the class but i didn't tried, Lmk if it worked.

So, if no Update() function :

//just a poc to get the idear
void(*old_func)(void *instance);
void func(void *instance) {
        if ([switches isSwitchOn:@"9999 Items"]) {
            //int Amount
            *(int *) ((uint64_t) instance + 0x1C) = 9999;
    }
    old_func(instance);
}

setup(){
	//a function in the same class. use Update if there is, if not try another function (Init for ex)
	HOOK(0x1ABB3A8, func, old_func);
}

42 minutes ago, rafgeekee said:

Forceable set IsUnlimited to True for all Items.

 

do the same thing.

43 minutes ago, rafgeekee said:

auto modInit = reinterpret_cast<void(*) (void *, CRefItem, int, bool)>(getRealOffset(0x1ABB3A8));

Afaik, when there is a Type and you don't have his definition, just make a pointer to it like this ;

//taking ur code
auto modInit = reinterpret_cast<void(*) (void *, void *, int, bool)>(getRealOffset(0x1ABB3A8));

replace the CRefItem with void *,  that way it gonna make a pointer on the undifined type and with luck it not gonna crash

50 minutes ago, rafgeekee said:

//this_ is probably a func where this_ + 0x1C = int Amount;
//you can't patch a field without its pointer. like search for "0x1C" in your dump.cs you gonna have a tons of results.
// but if u have pointer + 0x1C, its unique

*(int*)[UIKeyPatch address:@"0x1C" ptr:this_] = 9999;

 

using this is the same as . 

*(int *) ((uint64_t) instance + 0x1C) = 9999;

53 minutes ago, rafgeekee said:

3) IsAttached arg will always be False - which may not always be the case - would be nice to know how to get the original passed args

 

i guess, once you hooked Init, you can easly called it and put "true" on the func parameter, it gonna overwrite it probably.

//POC
modInit(this_, paramName ,9999, true);

Hope it could help you, tho all this is my knowledge, things might not be 100% right 

don't start hacking on UE4 games, they are kinda hard, try first with some IL2CPP/Mono games (Unity3D)

1 hour ago, Happy Secret said:

Cool, thx. Not aware of that. 
Do you have a good source of it? I don’t familiar GitHub and how to build. It often take me long time.

it was a long time ago but i dis not build it, it was already done 

4 hours ago, Happy Secret said:

Frankly, I want a Windows PC as well. A lot app in Windows OS are not available in Mac. Take DnSpy as example, I tried pretty hard still can’t get it running with wine in Mac.

use IlSpy for macOS, it's working great, it's different then DnSpy but well at least you can decompile DLLs

8 hours ago, Happy Secret said:

Thanks for the support. 
 

if you are on Mac, Xcode is a pretty good option. Free and suppprt signing and Sideload with your our own Apple developer certificate.

 

Yeah but sadly i don't have a mac

Try to restart the phone, or if JB run : 

ldrestart 

It will reboot in a JB state and refresh the storage

Nice, that's pretty cool

I never tried debug a game with xCode.

Nice tut, gonna link it on my tut  

1 hour ago, Happy Secret said:

The patched one in static-inline-hook folder, AirDrop it to Mac, repackage the ipa and Sideload again.

Just want to say, for Mac user, you do not necessarily need 3u Tools (or alike).

Of course, 3u Tools is a great tool to have.

yeah but where do you find the static-inline folder on Documents app (iOS) ? 

Yeah itunes can do it if im right, but well this tut is for newbies that don't know how to share files 

14 minutes ago, Happy Secret said:

If you are on Mac, you can actually AirDrop the framework file to Mac. This is my default option

Yeah but transfer the patched UnityFramework to the PC ?

18 minutes ago, CaIIMeZeus said:

I want to add some mini information too..

you can get new edited binary file from "Documents" app which comes built in app with iDevices. so you can earn time with 3u tools.

Also you guys can use customized and good looking menus written by HTML for your menus too. You can join our server from this link : https://discord.gg/h5gg.

We will be waiting for you to make a tutorial for Unity5D which allows you to make all version ESP hacks for UnityFramework binary games with few clicks.

On part 2, i will probably make a tut with a mod menu, but for the first part i just wanted to people know how to patch and hook. 

And also, afaik Documents app doesn't let you access app content in /Documents of Subway Surfer (in the case of the tutorial) even if the app has File Sharing enable. (at least on a fully jailed phone)

I will edit the topic once i have time to add Discord link and official Github

11 minutes ago, Kobina said:

okay thanks sorry but i have one more question can you use the unity framework with the script in ida and test the offset using the hex editor?

you can load the ida.py script or whatever python script to get class names and func names yeah, and yeah you can patch with any hex editor but a better way would be using iGameGod and Live Offset Patcher tool in the settings 

2 minutes ago, Kobina said:

one more question is inotia plus dis the right binary?

Idk i never played the game, check if there is a directory named Frameworks/UnityFramework or something like this, 

if there this mean that the real binary is UnityFramework (so use this on iDA)

of not, it's the default binary file on the .app

Here is a guide that may help you : 

7 hours ago, namcyeon said:

i think, a better way is make a app in windows to patch the unityframework file instead of running the mod script to patch it. Then after sideloadly, we can use the mod script. But i have no idea about how to make that app, lol

H5GG doesn't work like this, it wouldn't be possible since apps are Sandbox on jailed devices.

The only solution is to patch all your offset at once, and replace only once the framework file.