Posts posted by 𓄼 . f v c k . 𓄹

  1. On 1/9/2023 at 8:14 PM, ME1NY said:

    So basically I can hook ObjC functions but can't use offsets, and it will work?

    You can hook an ObjC function on non-JB with %hook.

    But well, in 2022 AFAIK no games use ObjC lol; it's more likely for a VPN app or stuff like this that only needs ObjC. You could find an isPremium ObjC function and use %hook to return true or stuff like this.

    But if you wanna go into offset patching and hooking on jailed, you're gonna need to use H5GG atm.

  2. 3 hours ago, ME1NY said:

    Is there any way to make a non-jailbreak hack with OBJ-C?

    You can "hack" ObjC by hooking ObjC code on jailed, but can't hook a dynamic address.

    If you want to hook like on JB (an instance variable, for example), you're gonna need to use H5GG, which can patch offsets (dynamic), hook any C++ func/method in the app, and can make scripts like GG for Android. H5GG uses JS tho.

    Tho it's kinda limitless cuz you need to compile an IPA each time you hook an offset, so try your offset on JB, and make a hack after with H5GG for non-JB support.

  3. 10 hours ago, marc726 said:

    [image: https://i.imgur.com/M1qiVoz.jpg]

    This is the message I get. I search for instances of "JP1" "Appguard" "shut down" "security policy" but no results except irrelevant results for the last two.

    Mhhh, then they encrypted the strings... well, I have no idea about what you're trying atm... :sad:

    Maybe in this case just navigate through all namespaces and classes in the .dll using DnSpy, but this takes a lot of time.

    • Like 1
  4. 25 minutes ago, marc726 said:

    I'm so sorry I didn't see your reply!

    I tried to change address 006add08 to:

    mov x30,#0x0
    ret

    Since the compiler showed no arguments for the ret function at 006add0c, I assume it returns the register at x30, as told here https://developer.arm.com/documentation/dui0802/a/A64-General-Instructions/RET
    I am still met with the LIAPP screen after about 15 seconds.

    I agree with the CheatDetection class and I'm going to eliminate any chance DNSpy can show me the answer. Also the game is Random Dice Defense. 

    Have you tried to search for the strings that the pop-up shows inside the IDA string view?

    • Like 1
  5. Mhh, it seems to be acting like this:

    bool _fb_is_jailbroken(id param_1, SEL param_2) {
      if (the check has determined that your device is JB) {
        alert("your device is JB");
        return true;
      }
      return false;
    }

    (my analysis only)

    I would return false. As I said, I think the class CheatDetection is useless; I think it uses other things to determine if jailbroken or not. Have you checked method names containing jailbreak/root keywords?

    • Agree 1
  6. 3 hours ago, marc726 said:

    Unfortunately no known public bypass tweaks work at the moment. The only known bypass is on this site, but I wanted to try my hand at it. I think I was able to narrow down the function to something called "_fb_is_jailbroken" thanks to Frida. My problem now is looking at the assembly and figuring out what's what, if there are other calls, etc.

    As for DNSpy, I have the feeling that it's not what I'm looking for. DNSpy does show a class "CheatingDetector" and it does have a function labeled "onDetectedThreatWithLIAPP()" but it doesn't help me outside of that.

    It's quite the headache for someone who doesn't have experience in assembly or reverse engineering 😪

    Here's the list from DNSpy in case you were interested:

    using System;
    using Il2CppDummyDll;
    
    // Token: 0x02000A35 RID: 2613
    [Token(Token = "0x2000A35")]
    public class CheatingDetector : ManagerSingleton<CheatingDetector>
    {
    	// Token: 0x06004895 RID: 18581 RVA: 0x00002050 File Offset: 0x00000250
    	[Token(Token = "0x6004895")]
    	[Address(RVA = "0x1D67DFC", Offset = "0x1D67DFC", VA = "0x1D67DFC", Slot = "10")]
    	protected override void Awake()
    	{
    	}
    
    	// Token: 0x06004896 RID: 18582 RVA: 0x00002050 File Offset: 0x00000250
    	[Token(Token = "0x6004896")]
    	[Address(RVA = "0x1D67E50", Offset = "0x1D67E50", VA = "0x1D67E50")]
    	public void onDetectedThreatWithLIAPP()
    	{
    	}
    
    	// Token: 0x06004897 RID: 18583 RVA: 0x00002050 File Offset: 0x00000250
    	[Token(Token = "0x6004897")]
    	[Address(RVA = "0x1D67E58", Offset = "0x1D67E58", VA = "0x1D67E58")]
    	public void OnCheaterDetected(int DBBABCBBDCBDBCDDBDDBCCB)
    	{
    	}
    
    	// Token: 0x06004898 RID: 18584 RVA: 0x00010A10 File Offset: 0x0000EC10
    	[Token(Token = "0x6004898")]
    	[Address(RVA = "0x1D6808C", Offset = "0x1D6808C", VA = "0x1D6808C")]
    	public ValueTuple<bool, string> CheckCheat()
    	{
    		return default(ValueTuple<bool, string>);
    	}
    
    	// Token: 0x06004899 RID: 18585 RVA: 0x00002050 File Offset: 0x00000250
    	[Token(Token = "0x6004899")]
    	[Address(RVA = "0x1D68804", Offset = "0x1D68804", VA = "0x1D68804")]
    	public void SaveChatBlockTime(string ACDABDBDABCCACBABDCDCDC, int BBDBBBDCBBDCCABCAACAABC)
    	{
    	}
    
    	// Token: 0x0600489A RID: 18586 RVA: 0x00010A28 File Offset: 0x0000EC28
    	[Token(Token = "0x600489A")]
    	[Address(RVA = "0x1D6839C", Offset = "0x1D6839C", VA = "0x1D6839C")]
    	public ValueTuple<bool, bool> CheckReport(string ACDABDBDABCCACBABDCDCDC)
    	{
    		return default(ValueTuple<bool, bool>);
    	}
    
    	// Token: 0x0600489B RID: 18587 RVA: 0x00002050 File Offset: 0x00000250
    	[Token(Token = "0x600489B")]
    	[Address(RVA = "0x1D68970", Offset = "0x1D68970", VA = "0x1D68970")]
    	public CheatingDetector()
    	{
    	}
    }

     

    Mhhh, I am not sure that this class is useful for JB detection...

    It seems to deal with "real cheats", but if it's in any way dealing with JB, I would NOP / RET all of these methods/functions.

    All of them have obfuscated parameters; it's hard to know what it's dealing with. And also, I've searched for this class online and it seems to be private; there is no documentation from Unity3D about it...

    • Informative 1
  7. On 12/17/2022 at 11:50 PM, marc726 said:

    Hi all. I was wondering what the best way is to find and address the AppGuard/LiAPP detection on a certain app. I was using a decompiler on the UnityFramework file and I also tried using DNSpy for the Assembly file. My issue is:

    1. I can find a class for “CheatDetector” in DNSpy using the assembly file that has a method for LIAPP, but I'm not sure how to address it in the Live Offset program. I tried to NOP the offsets of the functions but nada.

    2. I can also find instances in the UnityFramework file where it tries to find paths of common jailbroken things such as Cydia.

    I'm not understanding which I should be addressing given that both show points of interest for detecting JB. Any help would be appreciated.

    Have you first tried FlyJB X?

    If you open the game and enable FlyJB afterwards, it's useless since the game will store that you are jailbroken.

    Steps:

    1) Delete the game.

    2) Reinstall it BUT DON'T OPEN IT.

    3) Open FlyJB and from there enable your app. You can use A-bypass if you want; I use FlyJB, but use any good alternative.

    4) Open your game.

    If that didn't work, you probably need to work with DnSpy...

    AFAIK you can't NOP a class; try to look at functions/methods, maybe bool functions store if you are jailbroken or not.

    You can also search for function names containing "jailbreak", "root".

    I think the first method should work tbh, but if not, good luck with the second one; it's gonna be a lot of work to test them.

    • Like 1
  8. Well, now it's part 3 of the tutorial series PepeBusiness. Part 2 here if you haven't seen it yet.

    In this tutorial, we're gonna see hooking; it's useful when you need to return a specific value without having to check the hex value of it.

    Since Critical Strike has again been updated, v11.452 is outdated. I'm gonna use v11.604.

    I'll let you load your DLLs in DnSpy and we'll meet right after.

    Let's start!

     

    Requirements:
    - Jailbroken iPhone/iPad/iPod Touch.
    - Filza
    - DnSpy
    - Theos
    - Ted2 Theos template
    - Critical Strike v11.604
    - ARM notions.

     


    • Like 371
    • Winner 25
    • Thanks 21
    • Haha 11
    • Agree 34
    • Informative 37
  9. Suggestion

    - Ability to connect an Apple ID account to decrypt apps from there (for example paid apps).

    There are a lot of public Apple ID accounts shared in Telegram (working only for the App Store), where you can connect and install apps (for example, one of them has all GTA purchased).

    - And why not, if the first option is possible, sharing the IPA on the Decrypted AppStore website, so that anyone typing "GTA" gets the IPA?

    I don't know if this can compromise the privacy data that iosgods puts in place.

  10. Removing ASLR has not been possible for a few years, but you can use getRealOffset, and it should work :)

    topic about ASLR in recent iOS version

     

    // from Ted2 template
    uint64_t getRealOffset(uint64_t offset) {
        // you can probably replace [menu getFrameworkName] by "UnityFramework"
        return KittyMemory::getAbsoluteAddress([menu getFrameworkName], offset);
    }

  11. On 11/6/2022 at 11:27 PM, Jacksonlane24 said:

    Weird, it crashes on launch on my iPhone.

    I have updated the topic and published another version without the crash.

    On 10/1/2022 at 7:04 AM, parkers said:

    Still can't get the app to stop crashing after uninstalling and changing the title several times and toggling different variations of the RGB and keep normal title buttons.

    Any ideas?

    A new version has been published to fix that.

  12. Basically a game server-sides only important things; otherwise it would use too much 4G and, with bad WiFi, cause some lag.

    For an FPS game, for example, they will never server-side the recoil value, for the reason ⬆️. But currency is just a simple value on a server, so it can be done.

    So, as Puddin said, you can cheat with other methods that may or may not work for a SS game.

    • Like 1
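    As an added example (not from the original post), here is a small server-authoritative purchase handler in Python that shows the post's point from the server's side: currency lives in the server's own ledger, and any balance or price a client sends along is simply never read. The player names, item names and prices are constructed.

```python
# Added example (not from the original post): a server-authoritative purchase
# handler. The server owns the currency ledger; anything the client claims about
# its balance or an item's price is ignored, so a tampered client gains nothing.
from dataclasses import dataclass, field

# Constructed price table: the server, never the client, decides what things cost.
PRICES = {"skin_gold": 500, "ammo_pack": 50}


@dataclass
class PlayerAccount:
    player_id: str
    balance: int                                  # authoritative, server-side only
    inventory: list = field(default_factory=list)


class GameServer:
    def __init__(self):
        self.accounts = {}

    def register(self, player_id, starting_balance):
        self.accounts[player_id] = PlayerAccount(player_id, starting_balance)

    def handle_purchase(self, request):
        """Validate a purchase from server-side state only; any 'balance' or
        'price' key the client adds to the request is never read."""
        acct = self.accounts.get(request.get("player_id"))
        if acct is None:
            return {"ok": False, "reason": "unknown player"}
        price = PRICES.get(request.get("item"))
        if price is None:
            return {"ok": False, "reason": "unknown item"}
        if acct.balance < price:
            # The server's ledger decides; a client-claimed balance changes nothing.
            return {"ok": False, "reason": "insufficient funds", "balance": acct.balance}
        acct.balance -= price
        acct.inventory.append(request["item"])
        return {"ok": True, "balance": acct.balance}


def demo():
    """Constructed session: a tampered request claims a huge balance and a 1-coin price."""
    server = GameServer()
    server.register("p1", 100)
    tampered = {"player_id": "p1", "item": "skin_gold", "balance": 999999, "price": 1}
    honest = {"player_id": "p1", "item": "ammo_pack"}
    return server.handle_purchase(tampered), server.handle_purchase(honest)
```

    The tampered request is refused with the server's real balance of 100, while the honest one for a 50-coin item succeeds and leaves 50; the recoil-style values the post mentions never reach this code at all, which is exactly why they stay client-side.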