0xSolana

Mhh Mhh okay that's what i would try, im not a pro, but this is what i would do : You can maybe try to get the field with the Update() function (if there is). else, ive seen somwhere on the web where you can use other function from the class but i didn't tried, Lmk if it worked. So, if no Update() function : //just a poc to get the idear void(*old_func)(void *instance); void func(void *instance) { if ([switches isSwitchOn:@"9999 Items"]) { //int Amount *(int *) ((uint64_t) instance + 0x1C) = 9999; } old_func(instance); } setup(){ //a function in the same class. use Update if there is, if not try another function (Init for ex) HOOK(0x1ABB3A8, func, old_func); } do the same thing. Afaik, when there is a Type and you don't have his definition, just make a pointer to it like this ; //taking ur code auto modInit = reinterpret_cast<void(*) (void *, void *, int, bool)>(getRealOffset(0x1ABB3A8)); replace the CRefItem with void *, that way it gonna make a pointer on the undifined type and with luck it not gonna crash using this is the same as . *(int *) ((uint64_t) instance + 0x1C) = 9999; i guess, once you hooked Init, you can easly called it and put "true" on the func parameter, it gonna overwrite it probably. //POC modInit(this_, paramName ,9999, true); Hope it could help you, tho all this is my knowledge, things might not be 100% right

don't start hacking on UE4 games, they are kinda hard, try first with some IL2CPP/Mono games (Unity3D)

it was a long time ago but i dis not build it, it was already done

use IlSpy for macOS, it's working great, it's different then DnSpy but well at least you can decompile DLLs

Yeah but sadly i don't have a mac

Try to restart the phone, or if JB run : ldrestart It will reboot in a JB state and refresh the storage

Nice, that's pretty cool I never tried debug a game with xCode. Nice tut, gonna link it on my tut

yeah but where do you find the static-inline folder on Documents app (iOS) ? Yeah itunes can do it if im right, but well this tut is for newbies that don't know how to share files

Yeah but transfer the patched UnityFramework to the PC ?

On part 2, i will probably make a tut with a mod menu, but for the first part i just wanted to people know how to patch and hook. And also, afaik Documents app doesn't let you access app content in /Documents of Subway Surfer (in the case of the tutorial) even if the app has File Sharing enable. (at least on a fully jailed phone) I will edit the topic once i have time to add Discord link and official Github

you can load the ida.py script or whatever python script to get class names and func names yeah, and yeah you can patch with any hex editor but a better way would be using iGameGod and Live Offset Patcher tool in the settings

Idk i never played the game, check if there is a directory named Frameworks/UnityFramework or something like this, if there this mean that the real binary is UnityFramework (so use this on iDA) of not, it's the default binary file on the .app

Here is a guide that may help you :

H5GG doesn't work like this, it wouldn't be possible since apps are Sandbox on jailed devices. The only solution is to patch all your offset at once, and replace only once the framework file.

Tuancc said it was for advanced modders only, i guess that's why it'd documented that way. Yeah they didn't made any guide for that, that's why i made one You only need to "prepare" the UnityFramwork once, after that you can hook/patch the offset. No need to replace with a new UnityFramework file if you switch between ActiveCodePatch/StaticInlineHookFunction.

Yep, but here are the basics, after that you can make an HTML Mod Menu and create a dylib that contains your HTML + JS. then you can inject it on an iPA and you wont need to inject the script or anything. Since Non-JB doesn't have the same permission as a JB Device, i don't think Frida let you hook like on JB. can you provide more details ?

My bad, i wrote this beeing pressed by the time. I have edited the topic. Lmk if it worked

nope, haven't tried, i think its possible tho, with this : https://frida.re/docs/javascript-api/ there is a doc on how to use writeInt / writeFloat.

if this get you an error, you didn't have placed the file in the .app folder, or you have renamed it

yep you are right ! welcome !

that's cool, could you edit your answer and tell me if hook works ?

Mhh i did the tutorial on an A14, iOS 15.1 and the patch/hook worked well. maybe H5GG doesn't support iOS 16 atm, but it's weard since we hook the app framework and not any device framework. i don't understand how you got the bytes at 0x1B39598, i didn't used ida, i simply checked the function on dnSpy, patched it on JB with the LOP tool from iOSGods, it worked so i did it on H5GG, and it worked too edit : oh you mean the UnityFramework patched ? well i didn't looked at the data at the offset 0x1B...98, but it's seems normal to me that's it's not 2000...FD6, otherwise it will always be enable. i think that it creates another function on the UnityFramework (at another place) and at 0x1B...98, it calls it. so if there is no script running, we shouldn't be able to jump always, but when we load our script, it probably jump to our created function in the UnityFramework, and so it return 2000..FD6 at our function (maybe at 0x264ab4c) and if we unload the script, the original bytes in the memory will load again making "normal jumps" (this is my personal analysis, it may not be 100% right but this is how i visual it) video : https://streamable.com/5g6nvz

it's documented on his github and on iOSGods, simply check search bar

yes, it's the point of the tut