0xSolana

16 minutes ago, Happy Secret said:

I have just test it again and finally worked.

it is really 

• First run is just to prepare the Framework (insert function). The real effect happens when we use the patched framework with the function call to enable/disable.

You will probably want to include a hint/note to your tutorial about this.

The error message is not sufficient. It can’t explain what to expect.

 

Anyway, it is not the type of in memory hook/patch that I expect. It requires a repackage and redeployment for non-jailbroken.

Hope there is a way to do pure in memory hook / patch (without modifying the binary).

 

Did Frida allow us to do that? I used to test patches with Xcode (LLDB), but it requires a PC connection.

Yep, but here are the basics, after that you can make an HTML Mod Menu and create a dylib that contains your HTML + JS. then you can inject it on an iPA and you wont need to inject the script or anything.

Since Non-JB doesn't have the same permission as a JB Device, i don't think Frida let you hook like on JB.

10 minutes ago, namcyeon said:

@Happy Secret You can try second method with hook, but it's not working with me.

can you provide more details ?

On 1/12/2023 at 3:09 PM, Happy Secret said:

Thanks for sharing…

 

I am a bit confused for the last part.

How to hook the get to take effect to set? Your code seems not including this part?

also, I am not sure why you want to set with default value again at last?

It will not override our earlier 5x set?

 

 

My bad, i wrote this beeing pressed by the time. I have edited the topic. Lmk if it worked

14 minutes ago, Laxus said:

Have you tried instance variable hook? Does it work?

 

nope, haven't tried, i think its possible tho, with this : https://frida.re/docs/javascript-api/
there is a doc on how to use writeInt / writeFloat.

57 minutes ago, namcyeon said:

I had tried hooking, but it's not working 😑, stuck at 

if(!h5frida.loadGadget("frida-gadget-15.1.24.dylib"))

if this get you an error, you didn't have placed the file in the .app folder, or you have renamed it

2 minutes ago, Happy Secret said:

So, it could be my concept is wrong from beginning.
First time the script run, we, in fact, expect the alert come and provide a patched version of the UnityFramework inside the static-inline-hook folder.

The patched version of UnityFramework has embedded a new function inside. 
 

From we call the ActiveCodePatch or StaticInlineHookFunction the second time onwards, it starts to take effect.

 

First run is just to prepare the Framework (insert function). The real effect happens when we use the patched framework with the function call to enable/disable.

 

Let me test it our again later tonight.

Thanks for the help.

yep you are right ! 

welcome !

11 minutes ago, papastweak said:

Haven't tested hooks yet but code patching works! Tested on Iphone 12 Pro Max, 16.1.2

that's cool, could you edit your answer and tell me if hook works ?

4 hours ago, Happy Secret said:

Quick test result:

1. I also got the the UnityFramework patched by h5frida and stored inside static-inline-hook folder

2. With a detail look into it, the hex code of the instruction (patched) doesn't look right to me.

Orignal at 0x1B39598 is FD7BBFA9FD030091

- stp x29, x30, [sp, #-0x10]!
- mov x29, sp

After patch at 0x1B39598 is CF2A9914FD030091

- b #0x264ab4c
- mov x29, sp

What we are expecting at 0x1B39598 is 200080D2C0035FD6, Right??

- mov x0, #1
- ret 

Tested in game, always Can Jump is not working. Same as my try in another game these few days. 

I am using iPadOS 16.2 (non-jailbreak) with iPad Pro 2nd Gen.  

Mhh i did the tutorial on an A14, iOS 15.1 and the patch/hook worked well.

maybe H5GG doesn't support iOS 16 atm, but it's weard since we hook the app framework and not any device framework.

i don't understand how you got the bytes at 0x1B39598, i didn't used ida, i simply checked the function on dnSpy, patched it on JB with the LOP tool from iOSGods, it worked so i did it on H5GG, and it worked too 

edit :

oh you mean the UnityFramework patched ? well i didn't looked at the data at the offset 0x1B...98, but it's seems normal to me that's it's not 2000...FD6, otherwise it will always be enable. i think that it creates another function on the UnityFramework (at another place) and at 0x1B...98, it calls it.

so if there is no script running, we shouldn't be able to jump always, but when we load our script, it probably jump to our created function in the UnityFramework, and so it return 2000..FD6 at our function (maybe at 0x264ab4c) and if we unload the script, the original bytes in the memory will load again making "normal jumps"

(this is my personal analysis, it may not be 100% right but this is how i visual it) 

video : https://streamable.com/5g6nvz

58 minutes ago, Kobina said:

how do you use it?

it's documented on his github and on iOSGods, simply check search bar 

2 hours ago, namcyeon said:

About the hooking, is it working on the no jailbreak? 

yes, it's the point of the tut 

29 minutes ago, Rook said:

Your tutorials are so well written! ❤️

Hello Hello,

Here is finally a tutorial to patch or even hook on Non-JB/JB. 

This tutorial will cover the non-JB way because that's what's interesting , but this way can work on JB.

We will see the complete installation of H5GG, and an example of offset patching, and another with hooking. The source code will also be provided. Nothing better to feel in paradise. 

Requirements:
- PC (or a way of managing iPA files)
- Sideloadly
- 3u Tools to view the app documents
- Subway Surfer

• 1)

Since Critical Strike has serious issues with their games, I can't base my tutorial on this game. So let's go on a new one : Subway Surfer

First, download the Subway Surfer iPA : HERE

Then we will need 3 other files specific to H5GG for offset patching / hooking:

Simply see the instruction : HERE

You can delete the "hookme.test.dylib" cuz we don't need it.

You should have this :

Now, simply extract the iPA, copy the 3 files and move to the .app folder and paste it there. It should look like this :

Now simply ZIP the Payload, and rename it To WhatEver.ipa

Now we need to download the .deb that we gonna inject to the iPA : HERE

Now, we gonna need to Sideload the iPA WITH these settings :

We will need to use File Sharing later in the tutorial, so enable it. Don't forget to inject the H5GG.deb file.

We did like 50% of the work now hehe 

• 2)

Now, we gonna code (or Ctrl+C, Ctrl+V) :

I use EasyHTML app on the AppStore to code it.

Offset Patching/Hooking on H5GG is done by injecting a .js script so, let's write it. you have a sample: HERE

Below is an edited version to work on Subway Surfer 3.6.0.

Offset Patching code :

h5gg.require(7.9); 
var h5frida=h5gg.loadPlugin("h5frida", "h5frida-15.1.24.dylib");
if(!h5frida) throw "Failed to load h5frida plugin";

function ActiveCodePatch(fpath, vaddr, bytes) {
    if(!h5frida.ActiveCodePatch(fpath, vaddr, bytes)) {
        var result = h5frida.ApplyCodePatch(fpath, vaddr, bytes);
        alert(fpath+":0x"+vaddr.toString(16)+"-修改失败!\n" + fpath+":0x"+vaddr.toString(16)+"-PatchFailed!\n" + result);return false;
    } return true;
}
function DeactiveCodePatch(fpath, vaddr, bytes) {
    return h5frida.DeactiveCodePatch(fpath, vaddr, bytes);
}

/*HERE IS OUR OFFSET PATCHING CODE*/

//public bool get_CanJump() -> 0x1B39598
//Enable a hack at 0x1B39598 with HEX : 200080D2C0035FD6
ActiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x1B39598, "200080D2C0035FD6");

Well here we arn't using a template, we just want to patch our offset so we will enable it by default.

If you are using a template, just make a if statement, and use this code to disable the Offset Patching :

//this is just a POC
if (switch_Jump) {
    ActiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x1B39598, "200080D2C0035FD6");
} else {
    //when you desactivate a patch, it need to be the same HEX that you use to enable the hack.
    DeactiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x1B39598, "200080D2C0035FD6");
}

Now, inject the script with H5GG by clicking the "Scripts" button, and select the JavaScript file from there.

Once this done, you should see this "error" (my offset is not the same on the picture, its normal i was testing another one. Ignore it):

A big alert for just telling us to overwrite a file , dont panic haha we gonna fix it !

If you want to replace the file without PC :

In theory, just change the UnityFramework given by H5GG with the old one. detailed step :

So this is where we need 3uTools. Go to the applications on your phone using 3utools, and select subway surfer then "view" (because you normally activated File Sharing). you should be able to see this :

Navigate to the directory until you find the UnityFramework file. then copy it, and replace it with the one of the Playload folder of the iPA. like this :

We don't see it on the pic, but the file patch is :

Payload\SubwaySurf.app\Frameworks\UnityFramework.framework

Ofc, delete the old one. i kept it & renamed just for demonstration.

Then, simply delete the app on your device, repack the new Payload folder and again Sideload the new iPA with the edited UnityFramework. you don't need to enable file sharing exept if you want to patch a new offset. but no need if you follow the tutorial

Then run the script again on the new sideloaded iPA, and you should be able to Jump every time due to the Offset Patching .

Now, lets go to Hooking !

I will make a new script with this content (an edited version of the github one) :

h5gg.require(7.9); //设定最低需求的H5GG版本号//min version support for H5GG
var h5frida=h5gg.loadPlugin("h5frida", "h5frida-15.1.24.dylib");
if(!h5frida) throw "加载h5frida插件失败\n\nFailed to load h5frida plugin";
if(!h5frida.loadGadget("frida-gadget-15.1.24.dylib"))
    throw "加载frida-gadget守护模块失败\n\nFailed to load frida-gadget daemon module";
var procs = h5frida.enumerate_processes();
if(!procs || !procs.length) throw "frida无法获取进程列表\n\nfrida can't get process list";
var pid = -1; //pid=-1, 使用自身进程来调用OC/C/C++函数, 也可以附加到其他APP进程来调用
var found = false;
for(var i=0;i<procs.length;i++) {
    if(procs[i].pid==pid) {
        if(procs[i].name!='Gadget') throw "免越狱测试请卸载frida-server的deb然后重启当前APP\nFor non-jailbreak tests, please uninstall the frida-server deb and restart the current APP";
        found = true;
    }
}
if(!found) throw "frida无法找到目标进程\n\nfrida cannot find the target process";
var session = h5frida.attach(pid);
if(!session) throw "frida附加进程失败\n\nfrida attach process failed";

//监听frida目标进程连接状态, 比如异常退出
session.on("detached", function(reason) {
    alert("frida目标进程会话已终止(frida target process session terminated):\n"+reason);
});

var frida_script_line = frida_script("getline"); //safari console will auto add 2 line
var frida_script_code = "("+frida_script.toString()+")()"; //将frida脚本转换成字符串
var script = session.create_script(frida_script_code); //注入frida的js脚本代码

if(!script) throw "frida注入脚本失败\n\nfrida inject script failed!";
script.on('message', function(msg) {
    if(msg.type=='error') {
        script.unload(); //如果脚本发生错误就停止frida脚本
        try {if(msg.fileName=="/frida_script.js") msg.lineNumber += frida_script_line-1;} catch(e) {}
        if(Array.isArray(msg.info)) msg.info.map(function(item){ try { if(item.fileName=="/frida_script.js")
            item.lineNumber += frida_script_line-1;} catch(e) {}; return item;});
        var errmsg = JSON.stringify(msg,null,1).replace(/\/frida_script\.js\:(\d+)/gm,
            function(m,c,o,a){return "/frida_script.js:"+(Number(c)+frida_script_line-1);});
        alert("frida(脚本错误)script error:\n"+errmsg.replaceAll("\\n","\n"));
    }
    
    if(msg.type=='send')
        alert("frida(脚本消息)srcipt msg:\n"+JSON.stringify(msg.payload,null,1));
    if(msg.type=='log')
        alert("frida(脚本日志)script log:\n"+msg.payload);
});

if(!script.load()) throw "frida启动脚本失败\n\nfrida load script failed"; //启动脚本
function frida_script() { if(arguments.length) return new Error().line; 
                         
                         
            /*HERE IS OUR HOOKING*/
                         
                         
var Jump = h5frida.StaticInlineHookFunction("Frameworks/UnityFramework.framework/UnityFramework",
    0x1B39598,
    "bool",
    ["pointer"],
    function(instance) {
        //return 1 for true, 0 for false
        return 1;
    }
);
                        
   
}

You can hook any function type, just change the return type of the function.

//public float get_SpeedModifier() -> 0x1234567
var Speed = h5frida.StaticInlineHookFunction("Frameworks/UnityFramework.framework/UnityFramework",
    0x1234567,
    "float",
    ["pointer"],
    function(instance) {
        return 9999;
    }

);

Well, that's all hehe, hope you could achieve your goals ! 

ActiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x1212121, "YOUR HEX");
ActiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x8989898, "YOUR HEX");
ActiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x6565656, "YOUR HEX");

Credits :

@tuancc H5GG tool

- Me for the tuto

Feel free to ask questions about it if its related to the topic

If your app is crashing, you can see this 

H5GG Discord : https://discord.gg/h5gg

H5GG Github : https://github.com/H5GG/H5GG

Maybe usefull : 

wait, arn't we already in 2023 ?  

8 hours ago, Happy Secret said:

Hello, the link document is gone. Can help upload one back? Thanks in advance

here is the chinese telegram of H5GG, they share a lot of scripts : https://t.me/h5gg_cn

and here is a forked repo of the one i gaved :

https://github.com/iRedddy/h5gg-files

1 hour ago, Mina Kim said:

D’accord merci mais j’ai pas vraiment compris comment on fait pour le re sign avec Sideloadly ? 

De quoi la version ?

tu as installer l'application de quel manière ? 

si tu l'a installé avec iosgods (version gratuite) le certificat a été revoke et tu peux rien y faire. 

utilise dont sideloadly qui te permet d'avoir ton propre certificat pour 7 jours. 

(il doit y avoir pleins de tutos sur youtube)

3 minutes ago, Kobina said:

 STR             W20, [SP,#0x60+var_58] 

i tried it changing with  MOV X0, #0x7F000000 which works but then it changes to 0 or when it doesn't it goes to negative or sometimes it doesn't but still reload the gun   

show the full arm function, here you are changing the Store instruction, but there might be other ways not buggy

9 hours ago, Laxus said:

Teach me this please /cdn-cgi/mirage/41ff1f68243607f4e9ea12c2548c6d54d43598dd57117816f22e2d670dcc8f0b/1280/https://iosgods.com/uploads/emoticons/default_happycry.gif

7 hours ago, Happy Secret said:

I want to learn H5GG like above mentioned as well

well, ima make a tutorial then when i have time 

@Mina Kim Ton application a été revoke, ça veux dire qu'elle n'est plus signée et qu'elle ne peut donc pas s'ouvrir. re sign la avec Sideloadly

On 12/13/2022 at 6:48 PM, Dialiba said:

J’ai téléchargé les app sous format ipa sur iosg et je les ai installé avec sideloadly mais maintenant elles ne fonctionnent plus.

c'est normal, il faut resigner tout les 7 jours

On 1/9/2023 at 8:14 PM, ME1NY said:

So basically i can hook objc functions but cant use offsets and it will work?

you can hook Objc function on non-JB, with %hook.

but well in 2022 asaik no games use Objc lol, its more likly for VPN app or stuff like this that only need Objc. you could find like isPremium objc function and use %hook to reture true or stuff like this.

but if u wanna go in offset patching and hooking on jailed u gonna need to use H5GG atm

3 hours ago, ME1NY said:

Is there any way to make non-jailbreak hack with OBJ-C?

you can "hack" Objc by hook Objc code on jailed, but can't hook a dynamic adress.

if you want to hook like JB (an instance variable for example you gonna need to use H5GG that can patch offset (dynamic) , hook any c++ func/meth in the app, and can make script like GG for android. H5GG use JS tho

tho it's kinda limitless cuz u need to compile an ipa each time you hook an Offset, so try your offset on JB, and make a hack after with H5GG for non-JB support

@weselito Esign has this feature, tho it's kinda buggy if the iPA > 1 Go

but well u can inject a dylib there

10 hours ago, marc726 said:

/cdn-cgi/mirage/41ff1f68243607f4e9ea12c2548c6d54d43598dd57117816f22e2d670dcc8f0b/1280/https://i.imgur.com/M1qiVoz.jpg

This is the message I get. I search for instances of "JP1" "Appguard" "shut down" "security policy" but no results except irrelevant results for the last two.

mhhh then they encrypted the strings... well i have no idear about what you try atm... 

maybe in this case just navigate to all namespaces and classes trough the .dll using DnSpy, but this takes a lot of time 

25 minutes ago, marc726 said:

I'm so sorry I didn't see your reply! 

I tried to change address 006add08 to:

mov x30,#0x0
ret
 

since the complier showed no arguments for the ret function at 006add0c, I assume it returns the register at x30. As told here https://developer.arm.com/documentation/dui0802/a/A64-General-Instructions/RET
I am still met with the LIAPP screen after about 15 seconds. 

I agree with the CheatDetection class and I'm going to eliminate any chance DNSpy can show me the answer. Also the game is Random Dice Defense. 

have you tried to search for the strings that the pop up shows inside iDA string view ?

mhh 

Mhh it seems to be acting like this :

bool _fb_is_jailbroken(ID param_1,SEL param_2) {
  if (the check has determine that your device is JB) {
    alert("your device is JB");
    return true;
  }
  return false;
}

(my analysis only)

I would return false. As i said, i think the class CheatDetection is useless, i think it uses other thing to determine if jailbreak or not. Have you checked method names containing Jaibreak/root keywords ?