0xSolana

Here is a guide that may help you :

H5GG doesn't work like this, it wouldn't be possible since apps are Sandbox on jailed devices. The only solution is to patch all your offset at once, and replace only once the framework file.

Tuancc said it was for advanced modders only, i guess that's why it'd documented that way. Yeah they didn't made any guide for that, that's why i made one You only need to "prepare" the UnityFramwork once, after that you can hook/patch the offset. No need to replace with a new UnityFramework file if you switch between ActiveCodePatch/StaticInlineHookFunction.

Yep, but here are the basics, after that you can make an HTML Mod Menu and create a dylib that contains your HTML + JS. then you can inject it on an iPA and you wont need to inject the script or anything. Since Non-JB doesn't have the same permission as a JB Device, i don't think Frida let you hook like on JB. can you provide more details ?

My bad, i wrote this beeing pressed by the time. I have edited the topic. Lmk if it worked

nope, haven't tried, i think its possible tho, with this : https://frida.re/docs/javascript-api/ there is a doc on how to use writeInt / writeFloat.

if this get you an error, you didn't have placed the file in the .app folder, or you have renamed it

yep you are right ! welcome !

that's cool, could you edit your answer and tell me if hook works ?

Mhh i did the tutorial on an A14, iOS 15.1 and the patch/hook worked well. maybe H5GG doesn't support iOS 16 atm, but it's weard since we hook the app framework and not any device framework. i don't understand how you got the bytes at 0x1B39598, i didn't used ida, i simply checked the function on dnSpy, patched it on JB with the LOP tool from iOSGods, it worked so i did it on H5GG, and it worked too edit : oh you mean the UnityFramework patched ? well i didn't looked at the data at the offset 0x1B...98, but it's seems normal to me that's it's not 2000...FD6, otherwise it will always be enable. i think that it creates another function on the UnityFramework (at another place) and at 0x1B...98, it calls it. so if there is no script running, we shouldn't be able to jump always, but when we load our script, it probably jump to our created function in the UnityFramework, and so it return 2000..FD6 at our function (maybe at 0x264ab4c) and if we unload the script, the original bytes in the memory will load again making "normal jumps" (this is my personal analysis, it may not be 100% right but this is how i visual it) video : https://streamable.com/5g6nvz

it's documented on his github and on iOSGods, simply check search bar

yes, it's the point of the tut

Hello Hello, Here is finally a tutorial to patch or even hook on Non-JB/JB. This tutorial will cover the non-JB way because that's what's interesting , but this way can work on JB. We will see the complete installation of H5GG, and an example of offset patching, and another with hooking. The source code will also be provided. Nothing better to feel in paradise. Requirements: - PC (or a way of managing iPA files) - Sideloadly - 3u Tools to view the app documents - Subway Surfer 1) Since Critical Strike has serious issues with their games, I can't base my tutorial on this game. So let's go on a new one : Subway Surfer First, download the Subway Surfer iPA : HERE Then we will need 3 other files specific to H5GG for offset patching / hooking: Simply see the instruction : HERE You can delete the "hookme.test.dylib" cuz we don't need it. You should have this : Now, simply extract the iPA, copy the 3 files and move to the .app folder and paste it there. It should look like this : Now simply ZIP the Payload, and rename it To WhatEver.ipa Now we need to download the .deb that we gonna inject to the iPA : HERE Now, we gonna need to Sideload the iPA WITH these settings : We will need to use File Sharing later in the tutorial, so enable it. Don't forget to inject the H5GG.deb file. We did like 50% of the work now hehe 2) Now, we gonna code (or Ctrl+C, Ctrl+V) : I use EasyHTML app on the AppStore to code it. Offset Patching/Hooking on H5GG is done by injecting a .js script so, let's write it. you have a sample: HERE Below is an edited version to work on Subway Surfer 3.6.0. Offset Patching code : h5gg.require(7.9); var h5frida=h5gg.loadPlugin("h5frida", "h5frida-15.1.24.dylib"); if(!h5frida) throw "Failed to load h5frida plugin"; function ActiveCodePatch(fpath, vaddr, bytes) { if(!h5frida.ActiveCodePatch(fpath, vaddr, bytes)) { var result = h5frida.ApplyCodePatch(fpath, vaddr, bytes); alert(fpath+":0x"+vaddr.toString(16)+"-修改失败!\n" + fpath+":0x"+vaddr.toString(16)+"-PatchFailed!\n" + result);return false; } return true; } function DeactiveCodePatch(fpath, vaddr, bytes) { return h5frida.DeactiveCodePatch(fpath, vaddr, bytes); } /*HERE IS OUR OFFSET PATCHING CODE*/ //public bool get_CanJump() -> 0x1B39598 //Enable a hack at 0x1B39598 with HEX : 200080D2C0035FD6 ActiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x1B39598, "200080D2C0035FD6"); Well here we arn't using a template, we just want to patch our offset so we will enable it by default. If you are using a template, just make a if statement, and use this code to disable the Offset Patching : //this is just a POC if (switch_Jump) { ActiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x1B39598, "200080D2C0035FD6"); } else { //when you desactivate a patch, it need to be the same HEX that you use to enable the hack. DeactiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x1B39598, "200080D2C0035FD6"); } Now, inject the script with H5GG by clicking the "Scripts" button, and select the JavaScript file from there. Information The first JS run is just to prepare the Framework file and get a new one. This step is mandatory. More details under. Once this done, you should see this "error" (my offset is not the same on the picture, its normal i was testing another one. Ignore it): A big alert for just telling us to overwrite a file , dont panic haha we gonna fix it ! If you want to replace the file without PC : In theory, just change the UnityFramework given by H5GG with the old one. detailed step : So this is where we need 3uTools. Go to the applications on your phone using 3utools, and select subway surfer then "view" (because you normally activated File Sharing). you should be able to see this : Navigate to the directory until you find the UnityFramework file. then copy it, and replace it with the one of the Playload folder of the iPA. like this : We don't see it on the pic, but the file patch is : Payload\SubwaySurf.app\Frameworks\UnityFramework.framework Ofc, delete the old one. i kept it & renamed just for demonstration. Then, simply delete the app on your device, repack the new Payload folder and again Sideload the new iPA with the edited UnityFramework. you don't need to enable file sharing exept if you want to patch a new offset. but no need if you follow the tutorial Then run the script again on the new sideloaded iPA, and you should be able to Jump every time due to the Offset Patching . Now, lets go to Hooking ! I will make a new script with this content (an edited version of the github one) : h5gg.require(7.9); //设定最低需求的H5GG版本号//min version support for H5GG var h5frida=h5gg.loadPlugin("h5frida", "h5frida-15.1.24.dylib"); if(!h5frida) throw "加载h5frida插件失败\n\nFailed to load h5frida plugin"; if(!h5frida.loadGadget("frida-gadget-15.1.24.dylib")) throw "加载frida-gadget守护模块失败\n\nFailed to load frida-gadget daemon module"; var procs = h5frida.enumerate_processes(); if(!procs || !procs.length) throw "frida无法获取进程列表\n\nfrida can't get process list"; var pid = -1; //pid=-1, 使用自身进程来调用OC/C/C++函数, 也可以附加到其他APP进程来调用 var found = false; for(var i=0;i<procs.length;i++) { if(procs[i].pid==pid) { if(procs[i].name!='Gadget') throw "免越狱测试请卸载frida-server的deb然后重启当前APP\nFor non-jailbreak tests, please uninstall the frida-server deb and restart the current APP"; found = true; } } if(!found) throw "frida无法找到目标进程\n\nfrida cannot find the target process"; var session = h5frida.attach(pid); if(!session) throw "frida附加进程失败\n\nfrida attach process failed"; //监听frida目标进程连接状态, 比如异常退出 session.on("detached", function(reason) { alert("frida目标进程会话已终止(frida target process session terminated):\n"+reason); }); var frida_script_line = frida_script("getline"); //safari console will auto add 2 line var frida_script_code = "("+frida_script.toString()+")()"; //将frida脚本转换成字符串 var script = session.create_script(frida_script_code); //注入frida的js脚本代码 if(!script) throw "frida注入脚本失败\n\nfrida inject script failed!"; script.on('message', function(msg) { if(msg.type=='error') { script.unload(); //如果脚本发生错误就停止frida脚本 try {if(msg.fileName=="/frida_script.js") msg.lineNumber += frida_script_line-1;} catch(e) {} if(Array.isArray(msg.info)) msg.info.map(function(item){ try { if(item.fileName=="/frida_script.js") item.lineNumber += frida_script_line-1;} catch(e) {}; return item;}); var errmsg = JSON.stringify(msg,null,1).replace(/\/frida_script\.js\:(\d+)/gm, function(m,c,o,a){return "/frida_script.js:"+(Number(c)+frida_script_line-1);}); alert("frida(脚本错误)script error:\n"+errmsg.replaceAll("\\n","\n")); } if(msg.type=='send') alert("frida(脚本消息)srcipt msg:\n"+JSON.stringify(msg.payload,null,1)); if(msg.type=='log') alert("frida(脚本日志)script log:\n"+msg.payload); }); if(!script.load()) throw "frida启动脚本失败\n\nfrida load script failed"; //启动脚本 function frida_script() { if(arguments.length) return new Error().line; /*HERE IS OUR HOOKING*/ var Jump = h5frida.StaticInlineHookFunction("Frameworks/UnityFramework.framework/UnityFramework", 0x1B39598, "bool", ["pointer"], function(instance) { //return 1 for true, 0 for false return 1; } ); } You can hook any function type, just change the return type of the function. //public float get_SpeedModifier() -> 0x1234567 var Speed = h5frida.StaticInlineHookFunction("Frameworks/UnityFramework.framework/UnityFramework", 0x1234567, "float", ["pointer"], function(instance) { return 9999; } ); Well, that's all hehe, hope you could achieve your goals ! Usefull To "Enable" all your offset at once, you can just call the ActiveCodePatch function as much as u need on the script. it will proceed each offset at once, so that u need to replace the UnityFramework file once only ActiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x1212121, "YOUR HEX"); ActiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x8989898, "YOUR HEX"); ActiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x6565656, "YOUR HEX"); Usefull Better would be to make a full working mod menu on JB, and convert it to H5GG after, cuz its a pain to test offset with H5GG lol Credits : @tuancc H5GG tool - Me for the tuto Feel free to ask questions about it if its related to the topic If your app is crashing, you can see this H5GG Discord : https://discord.gg/h5gg H5GG Github : https://github.com/H5GG/H5GG Maybe usefull :

wait, arn't we already in 2023 ?

here is the chinese telegram of H5GG, they share a lot of scripts : https://t.me/h5gg_cn and here is a forked repo of the one i gaved : https://github.com/iRedddy/h5gg-files

tu as installer l'application de quel manière ? si tu l'a installé avec iosgods (version gratuite) le certificat a été revoke et tu peux rien y faire. utilise dont sideloadly qui te permet d'avoir ton propre certificat pour 7 jours. (il doit y avoir pleins de tutos sur youtube)

show the full arm function, here you are changing the Store instruction, but there might be other ways not buggy

well, ima make a tutorial then when i have time

@Mina Kim Ton application a été revoke, ça veux dire qu'elle n'est plus signée et qu'elle ne peut donc pas s'ouvrir. re sign la avec Sideloadly

c'est normal, il faut resigner tout les 7 jours

you can hook Objc function on non-JB, with %hook. but well in 2022 asaik no games use Objc lol, its more likly for VPN app or stuff like this that only need Objc. you could find like isPremium objc function and use %hook to reture true or stuff like this. but if u wanna go in offset patching and hooking on jailed u gonna need to use H5GG atm

you can "hack" Objc by hook Objc code on jailed, but can't hook a dynamic adress. if you want to hook like JB (an instance variable for example you gonna need to use H5GG that can patch offset (dynamic) , hook any c++ func/meth in the app, and can make script like GG for android. H5GG use JS tho tho it's kinda limitless cuz u need to compile an ipa each time you hook an Offset, so try your offset on JB, and make a hack after with H5GG for non-JB support

@weselito Esign has this feature, tho it's kinda buggy if the iPA > 1 Go but well u can inject a dylib there