lxdx
-
Posts
797 -
Joined
-
Last visited
Posts posted by lxdx
-
-
27 minutes ago, Happy Secret said:
Am….are we talking the same hook? You seems have special expectation on that word “normal”.
My “normal” just mean, we don’t need to patch and re-Sideload the app. Just directly hook on to the app under debugging state.
I mean c++ hook like on Ted2 mod menu.
34 minutes ago, Happy Secret said:h5gg.getProcList("UnityFramework")[0].pid
try {pid=h5gg.getProcList("UnityFramework")[0].pid;}catch(e){}
var session = h5frida.attach(pid);
I saw this code on github for the second option. (getProcList), idk if it requires JB or not
-
1
-
-
8 hours ago, Happy Secret said:
How to get process ID in script?
let procs = h5frida.enumerate_processes();
if(!procs || !procs.length) throw "frida无法获取进程列表\n\nfrida can't get process list";let pid = -1; //pid=-1, 使用自身进程来调用OC/C/C++函数, 也可以附加到其他APP进程来调用
//Use its own process to call OC/C/C++ functions, or attach to other APP processes to calltry {pid=h5gg.getProcList("UnityFramework")[0].pid;}catch(e){}
let found = false;
for(let i=0;i<procs.length;i++) {
if(procs[i].pid==pid) {
//if(procs[i].name!='Gadget') throw "免越狱测试请卸载frida-server的deb然后重启当前APP\nFor non-jailbreak tests, please uninstall the frida-server deb and restart the current APP";
found = true;
}
}if(!found) throw "frida无法找到目标进程\n\nfrida cannot find the target process";
//检查目标APP进程是否在前台运行, 如果在后台暂停了, frida附加调用会卡住
//Check whether the target APP process is running in the foreground, if it is suspended in the background, frida will be blocked
while(pid>0) {
let frontapp = h5frida.get_frontmost_application();
if(frontapp && frontapp.pid == pid) break;
alert("请将目标APP切换至前台运行, 再点击确定继续...\n"
+ "Please switch the target APP to the foreground to run, and then click OK to continue...");
}Im on my device atm, couldn't paste it as code, but here is a raw code i found on an H5GG project that takes the PID. Tho i haven't read anything related to frida interceptor method (regarding H5GG)
-
2 hours ago, Happy Secret said:
GOD!!! I seems make the normal hook working under debugging state! I can hook the Subway Surfers - Always can jump!
Not sure if there has any drawback/issue yet.Will give another try later tonight!
If it really works, I will definitely make another Tutorial.
Anyway, current version is still quite handicapped. Need manually hard code process ID in script. But if hook is possible, I will find way to get process ID from system.
Maybe after there is a way to find an automated step to make the app thinks it's in debugging mod !
It's good that "normal" hook with c++ work
-
@Happy Secret Have you tried to see if "normal" hook that is used for common cheats, work on jailed if debugging is on ?
I do not have XCode, otherwise i would test it by myself
-
Mhh Mhh okay that's what i would try, im not a pro, but this is what i would do :
35 minutes ago, rafgeekee said:Forceable set Amount to 9999 for all Items.
You can maybe try to get the field with the Update() function (if there is). else, ive seen somwhere on the web where you can use other function from the class but i didn't tried, Lmk if it worked.
So, if no Update() function :
//just a poc to get the idear void(*old_func)(void *instance); void func(void *instance) { if ([switches isSwitchOn:@"9999 Items"]) { //int Amount *(int *) ((uint64_t) instance + 0x1C) = 9999; } old_func(instance); } setup(){ //a function in the same class. use Update if there is, if not try another function (Init for ex) HOOK(0x1ABB3A8, func, old_func); }
42 minutes ago, rafgeekee said:Forceable set IsUnlimited to True for all Items.
do the same thing.
43 minutes ago, rafgeekee said:auto modInit = reinterpret_cast<void(*) (void *, CRefItem, int, bool)>(getRealOffset(0x1ABB3A8));
Afaik, when there is a Type and you don't have his definition, just make a pointer to it like this ;
//taking ur code auto modInit = reinterpret_cast<void(*) (void *, void *, int, bool)>(getRealOffset(0x1ABB3A8));
replace the CRefItem with void *, that way it gonna make a pointer on the undifined type and with luck it not gonna crash
50 minutes ago, rafgeekee said://this_ is probably a func where this_ + 0x1C = int Amount; //you can't patch a field without its pointer. like search for "0x1C" in your dump.cs you gonna have a tons of results. // but if u have pointer + 0x1C, its unique *(int*)[UIKeyPatch address:@"0x1C" ptr:this_] = 9999;
using this is the same as .
*(int *) ((uint64_t) instance + 0x1C) = 9999;
53 minutes ago, rafgeekee said:3) IsAttached arg will always be False - which may not always be the case - would be nice to know how to get the original passed args
i guess, once you hooked Init, you can easly called it and put "true" on the func parameter, it gonna overwrite it probably.
//POC modInit(this_, paramName ,9999, true);
Hope it could help you, tho all this is my knowledge, things might not be 100% right
-
1
-
1
-
-
don't start hacking on UE4 games, they are kinda hard, try first with some IL2CPP/Mono games (Unity3D)
-
1 hour ago, Happy Secret said:
Cool, thx. Not aware of that.
Do you have a good source of it? I don’t familiar GitHub and how to build. It often take me long time.it was a long time ago but i dis not build it, it was already done
-
4 hours ago, Happy Secret said:
Frankly, I want a Windows PC as well. A lot app in Windows OS are not available in Mac. Take DnSpy as example, I tried pretty hard still can’t get it running with wine in Mac.
use IlSpy for macOS, it's working great, it's different then DnSpy but well at least you can decompile DLLs
-
8 hours ago, Happy Secret said:
Thanks for the support.
if you are on Mac, Xcode is a pretty good option. Free and suppprt signing and Sideload with your our own Apple developer certificate.
Yeah but sadly i don't have a mac
-
1
-
-
Try to restart the phone, or if JB run :
ldrestart
It will reboot in a JB state and refresh the storage
-
Nice, that's pretty cool
I never tried debug a game with xCode.
Nice tut, gonna link it on my tut
-
1 hour ago, Happy Secret said:
The patched one in static-inline-hook folder, AirDrop it to Mac, repackage the ipa and Sideload again.
Just want to say, for Mac user, you do not necessarily need 3u Tools (or alike).
Of course, 3u Tools is a great tool to have.
yeah but where do you find the static-inline folder on Documents app (iOS) ?
Yeah itunes can do it if im right, but well this tut is for newbies that don't know how to share files
-
14 minutes ago, Happy Secret said:
If you are on Mac, you can actually AirDrop the framework file to Mac. This is my default option
Yeah but transfer the patched UnityFramework to the PC ?
-
18 minutes ago, CaIIMeZeus said:
I want to add some mini information too..
you can get new edited binary file from "Documents" app which comes built in app with iDevices. so you can earn time with 3u tools.
Also you guys can use customized and good looking menus written by HTML for your menus too. You can join our server from this link : https://discord.gg/h5gg.
We will be waiting for you to make a tutorial for Unity5D which allows you to make all version ESP hacks for UnityFramework binary games with few clicks.
On part 2, i will probably make a tut with a mod menu, but for the first part i just wanted to people know how to patch and hook.
And also, afaik Documents app doesn't let you access app content in /Documents of Subway Surfer (in the case of the tutorial) even if the app has File Sharing enable. (at least on a fully jailed phone)
I will edit the topic once i have time to add Discord link and official Github
-
11 minutes ago, Kobina said:
okay thanks sorry but i have one more question can you use the unity framework with the script in ida and test the offset using the hex editor?
you can load the ida.py script or whatever python script to get class names and func names yeah, and yeah you can patch with any hex editor but a better way would be using iGameGod and Live Offset Patcher tool in the settings
-
2 minutes ago, Kobina said:
one more question is inotia plus dis the right binary?
Idk i never played the game, check if there is a directory named Frameworks/UnityFramework or something like this,
if there this mean that the real binary is UnityFramework (so use this on iDA)
of not, it's the default binary file on the .app
-
Here is a guide that may help you :
-
7 hours ago, namcyeon said:
i think, a better way is make a app in windows to patch the unityframework file instead of running the mod script to patch it. Then after sideloadly, we can use the mod script. But i have no idea about how to make that app, lol
H5GG doesn't work like this, it wouldn't be possible since apps are Sandbox on jailed devices.
The only solution is to patch all your offset at once, and replace only once the framework file.
-
-
19 minutes ago, Happy Secret said:
HTML + JS injection is fine. But UnityFramework need to patch once before ActiveCodePatch works, this is never mentioned in their example scripts. Not even in GitHub.
But yes, I can understand there will always be a gap between what we can do with jailbroken or not. H5GG already made a huge step forward to close the gap. It will be a plus, if we can help improve documentation a bit.
Tuancc said it was for advanced modders only, i guess that's why it'd documented that way.
Yeah they didn't made any guide for that, that's why i made one
11 minutes ago, Happy Secret said:It works for me, even with the ActiveCodePatch patched UnityFramework binary. Probably it just need an artificial anchor point on the same address.
I tested the get_CanJump hack only.
You only need to "prepare" the UnityFramwork once, after that you can hook/patch the offset. No need to replace with a new UnityFramework file if you switch between ActiveCodePatch/StaticInlineHookFunction.
-
16 minutes ago, Happy Secret said:
I have just test it again and finally worked.
it is really
- First run is just to prepare the Framework (insert function). The real effect happens when we use the patched framework with the function call to enable/disable.
You will probably want to include a hint/note to your tutorial about this.
The error message is not sufficient. It can’t explain what to expect.
Anyway, it is not the type of in memory hook/patch that I expect. It requires a repackage and redeployment for non-jailbroken.
Hope there is a way to do pure in memory hook / patch (without modifying the binary).
Did Frida allow us to do that? I used to test patches with Xcode (LLDB), but it requires a PC connection.
Yep, but here are the basics, after that you can make an HTML Mod Menu and create a dylib that contains your HTML + JS. then you can inject it on an iPA and you wont need to inject the script or anything.
Since Non-JB doesn't have the same permission as a JB Device, i don't think Frida let you hook like on JB.
10 minutes ago, namcyeon said:@Happy Secret You can try second method with hook, but it's not working with me.
can you provide more details ?
-
On 1/12/2023 at 3:09 PM, Happy Secret said:
Thanks for sharing…
I am a bit confused for the last part.
How to hook the get to take effect to set? Your code seems not including this part?
also, I am not sure why you want to set with default value again at last?
It will not override our earlier 5x set?
My bad, i wrote this beeing pressed by the time. I have edited the topic. Lmk if it worked
-
14 minutes ago, Laxus said:
Have you tried instance variable hook? Does it work?
nope, haven't tried, i think its possible tho, with this : https://frida.re/docs/javascript-api/
there is a doc on how to use writeInt / writeFloat. -
57 minutes ago, namcyeon said:
I had tried hooking, but it's not working 😑, stuck at
if(!h5frida.loadGadget("frida-gadget-15.1.24.dylib"))
if this get you an error, you didn't have placed the file in the .app folder, or you have renamed it
H5GG Tricks to do Live (online) Code Patching for Non-Jailbroken Devices !
in H5GG & iGameGod
Posted
Mhhh so you mean H5GG hook is working some times if debugging is on ?