Everything posted by 0xSolana
Posts: 773
Hello Hello, here is finally a tutorial to patch or even hook on Non-JB/JB. This tutorial will cover the non-JB way because that's what's interesting, but this way can work on JB. We will see the complete installation of H5GG, an example of offset patching, and another with hooking. The source code will also be provided. Nothing better to feel in paradise.

Requirements:
- PC (or a way of managing iPA files)
- Sideloadly
- 3uTools to view the app documents
- Subway Surfer

1) Since Critical Strike has serious issues with their games, I can't base my tutorial on this game. So let's go on a new one: Subway Surfer.

First, download the Subway Surfer iPA: HERE
Then we will need 3 other files specific to H5GG for offset patching / hooking. Simply see the instructions: HERE
You can delete the "hookme.test.dylib" cuz we don't need it. You should have this:
Now, simply extract the iPA, copy the 3 files, move to the .app folder and paste them there. It should look like this:
Now simply ZIP the Payload, and rename it to WhatEver.ipa.
Now we need to download the .deb that we gonna inject into the iPA: HERE
Now, we gonna need to sideload the iPA WITH these settings:
We will need to use File Sharing later in the tutorial, so enable it. Don't forget to inject the H5GG.deb file.
We did like 50% of the work now hehe

2) Now, we gonna code (or Ctrl+C, Ctrl+V):
I use the EasyHTML app on the AppStore to code it. Offset patching/hooking on H5GG is done by injecting a .js script, so let's write it. You have a sample: HERE
Below is an edited version to work on Subway Surfer 3.6.0.

Offset patching code:

h5gg.require(7.9);
var h5frida=h5gg.loadPlugin("h5frida", "h5frida-15.1.24.dylib");
if(!h5frida) throw "Failed to load h5frida plugin";

function ActiveCodePatch(fpath, vaddr, bytes) {
    if(!h5frida.ActiveCodePatch(fpath, vaddr, bytes)) {
        var result = h5frida.ApplyCodePatch(fpath, vaddr, bytes);
        alert(fpath+":0x"+vaddr.toString(16)+"-修改失败!\n" + fpath+":0x"+vaddr.toString(16)+"-PatchFailed!\n" + result);
        return false;
    }
    return true;
}

function DeactiveCodePatch(fpath, vaddr, bytes) {
    return h5frida.DeactiveCodePatch(fpath, vaddr, bytes);
}

/*HERE IS OUR OFFSET PATCHING CODE*/
//public bool get_CanJump() -> 0x1B39598
//Enable a hack at 0x1B39598 with HEX : 200080D2C0035FD6
ActiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x1B39598, "200080D2C0035FD6");

Well, here we aren't using a template, we just want to patch our offset, so we will enable it by default. If you are using a template, just make an if statement, and use this code to disable the offset patching:

//this is just a POC
if (switch_Jump) {
    ActiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x1B39598, "200080D2C0035FD6");
} else {
    //when you deactivate a patch, it needs to be the same HEX that you used to enable the hack.
    DeactiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x1B39598, "200080D2C0035FD6");
}

Now, inject the script with H5GG by clicking the "Scripts" button, and select the JavaScript file from there.

Information: The first JS run is just to prepare the Framework file and get a new one. This step is mandatory. More details below.

Once this is done, you should see this "error" (my offset is not the same on the picture, it's normal, I was testing another one. Ignore it):
A big alert just telling us to overwrite a file, don't panic haha we gonna fix it!
If you want to replace the file without a PC: in theory, just change the UnityFramework given by H5GG with the old one.
Detailed steps: so this is where we need 3uTools.
Go to the applications on your phone using 3uTools, and select Subway Surfer then "View" (because you normally activated File Sharing). You should be able to see this:
Navigate to the directory until you find the UnityFramework file. Then copy it, and replace it with the one of the Payload folder of the iPA. Like this:
We don't see it on the pic, but the file path is: Payload\SubwaySurf.app\Frameworks\UnityFramework.framework
Of course, delete the old one. I kept it & renamed it just for demonstration.
Then, simply delete the app on your device, repack the new Payload folder and again sideload the new iPA with the edited UnityFramework. You don't need to enable File Sharing except if you want to patch a new offset, but no need if you follow the tutorial.
Then run the script again on the new sideloaded iPA, and you should be able to jump every time due to the offset patching.

Now, let's go to hooking! I will make a new script with this content (an edited version of the GitHub one):

h5gg.require(7.9); //set the minimum required H5GG version (min version support for H5GG)
var h5frida=h5gg.loadPlugin("h5frida", "h5frida-15.1.24.dylib");
if(!h5frida) throw "加载h5frida插件失败\n\nFailed to load h5frida plugin";
if(!h5frida.loadGadget("frida-gadget-15.1.24.dylib")) throw "加载frida-gadget守护模块失败\n\nFailed to load frida-gadget daemon module";

var procs = h5frida.enumerate_processes();
if(!procs || !procs.length) throw "frida无法获取进程列表\n\nfrida can't get process list";

var pid = -1; //pid=-1: use our own process to call ObjC/C/C++ functions; it is also possible to attach to another app's process
var found = false;
for(var i=0;i<procs.length;i++) {
    if(procs[i].pid==pid) {
        if(procs[i].name!='Gadget') throw "免越狱测试请卸载frida-server的deb然后重启当前APP\nFor non-jailbreak tests, please uninstall the frida-server deb and restart the current APP";
        found = true;
    }
}
if(!found) throw "frida无法找到目标进程\n\nfrida cannot find the target process";

var session = h5frida.attach(pid);
if(!session) throw "frida附加进程失败\n\nfrida attach process failed";

//watch the connection state of the frida target process, e.g. an abnormal exit
session.on("detached", function(reason) {
    alert("frida目标进程会话已终止(frida target process session terminated):\n"+reason);
});

var frida_script_line = frida_script("getline"); //safari console will auto add 2 lines
var frida_script_code = "("+frida_script.toString()+")()"; //convert the frida script into a string
var script = session.create_script(frida_script_code); //inject the frida js script code
if(!script) throw "frida注入脚本失败\n\nfrida inject script failed!";

script.on('message', function(msg) {
    if(msg.type=='error') {
        script.unload(); //stop the frida script if it raised an error
        try {if(msg.fileName=="/frida_script.js") msg.lineNumber += frida_script_line-1;} catch(e) {}
        if(Array.isArray(msg.info)) msg.info.map(function(item){ try { if(item.fileName=="/frida_script.js") item.lineNumber += frida_script_line-1;} catch(e) {}; return item;});
        var errmsg = JSON.stringify(msg,null,1).replace(/\/frida_script\.js\:(\d+)/gm, function(m,c,o,a){return "/frida_script.js:"+(Number(c)+frida_script_line-1);});
        alert("frida(脚本错误)script error:\n"+errmsg.replaceAll("\\n","\n"));
    }
    if(msg.type=='send') alert("frida(脚本消息)script msg:\n"+JSON.stringify(msg.payload,null,1));
    if(msg.type=='log') alert("frida(脚本日志)script log:\n"+msg.payload);
});
if(!script.load()) throw "frida启动脚本失败\n\nfrida load script failed"; //start the script

function frida_script() {
    if(arguments.length) return new Error().line;

    /*HERE IS OUR HOOKING*/
    var Jump = h5frida.StaticInlineHookFunction("Frameworks/UnityFramework.framework/UnityFramework", 0x1B39598, "bool", ["pointer"],
        function(instance) {
            //return 1 for true, 0 for false
            return 1;
        }
    );
}

You can hook any function type, just change the return type of the function.

//public float get_SpeedModifier() -> 0x1234567
var Speed = h5frida.StaticInlineHookFunction("Frameworks/UnityFramework.framework/UnityFramework", 0x1234567, "float", ["pointer"],
    function(instance) {
        return 9999;
    }
);

Well, that's all hehe, hope you could achieve your goals!

Useful: To "enable" all your offsets at once, you can just call the ActiveCodePatch function as many times as you need in the script. It will process each offset at once, so you need to replace the UnityFramework file only once.

ActiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x1212121, "YOUR HEX");
ActiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x8989898, "YOUR HEX");
ActiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x6565656, "YOUR HEX");

Useful: Better would be to make a full working mod menu on JB, and convert it to H5GG after, cuz it's a pain to test offsets with H5GG lol

Credits: @tuancc H5GG tool - Me for the tuto
Feel free to ask questions about it if it's related to the topic.
If your app is crashing, you can see this H5GG Discord: https://discord.gg/h5gg
H5GG GitHub: https://github.com/H5GG/H5GG
Maybe useful:
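From the app developer's side, the tutorial above changes a bundle in two detectable ways: it drops extra dylibs (the h5frida plugin and the frida gadget) into the .app, and it replaces UnityFramework with a copy whose function entry has been overwritten by `mov x0, #1 ; ret` (the 200080D2C0035FD6 bytes). The Python script below is an added example, not part of the post and not H5GG code: a post-build integrity check that walks an extracted Payload/<App>.app, flags files outside the build's allow-list or with instrumentation-like names, compares the framework's SHA-256 with the value recorded at build time, and, on mismatch, checks known function entries for an AArch64 `movz w0/x0, #imm ; ret` stub. The allow-list, the stand-in binary and its hash, the function offset 0x40 and the dylib names are all constructed for the demo; a real check takes them from the build's own artifacts and symbol table.

```python
"""Added example: post-build integrity check for an extracted iOS .app bundle.
Not part of the post above and not H5GG code. Everything below that looks like
a build fact (file list, binary, hash, function offset) is constructed."""
import hashlib
import os
import struct
import tempfile

# Constructed allow-list of files the shipped bundle is supposed to contain.
EXPECTED_FILES = {
    "Info.plist",
    "SubwaySurf",
    "Frameworks/UnityFramework.framework/UnityFramework",
}
# Name fragments of the injected tooling the tutorial drops into the bundle.
SUSPICIOUS_NAME_PARTS = ("frida", "h5gg", "hookme")
RET_INSN = 0xD65F03C0  # AArch64 `ret`

# Constructed stand-in for UnityFramework (4 KiB of a fixed pattern) and a
# constructed function-entry table; a real build gets both from its own output.
CLEAN_BINARY = bytes(range(256)) * 16
CLEAN_HASHES = {
    "Frameworks/UnityFramework.framework/UnityFramework": hashlib.sha256(CLEAN_BINARY).hexdigest(),
}
FUNCTION_OFFSETS = {"get_CanJump": 0x40}  # hypothetical offset for the demo


def is_return_constant_stub(code: bytes) -> bool:
    """True if `code` starts with `movz w0/x0, #imm` followed by `ret`."""
    if len(code) < 8:
        return False
    insn0, insn1 = struct.unpack("<II", code[:8])
    # MOVZ: bits[30:23] == 0b10100101 (any sf, any hw); Rd is bits[4:0].
    movz_to_reg0 = (insn0 & 0x7F800000) == 0x52800000 and (insn0 & 0x1F) == 0
    return movz_to_reg0 and insn1 == RET_INSN


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_bundle(app_dir: str, expected_hashes=CLEAN_HASHES, function_offsets=FUNCTION_OFFSETS):
    """Return a list of findings; an empty list means the bundle matches the build."""
    findings = []
    present = set()
    for root, _dirs, files in os.walk(app_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), app_dir).replace(os.sep, "/")
            present.add(rel)
            if rel not in EXPECTED_FILES:
                findings.append("unexpected file: " + rel)
            if any(part in name.lower() for part in SUSPICIOUS_NAME_PARTS):
                findings.append("instrumentation artifact: " + rel)
    for rel in sorted(EXPECTED_FILES - present):
        findings.append("missing file: " + rel)
    for rel, want in expected_hashes.items():
        path = os.path.join(app_dir, rel)
        if not os.path.exists(path) or sha256_file(path) == want:
            continue
        findings.append("hash mismatch: " + rel)
        with open(path, "rb") as f:
            blob = f.read()
        for fn_name, off in function_offsets.items():
            if is_return_constant_stub(blob[off:off + 8]):
                findings.append("%s at 0x%X stubbed to a constant return" % (fn_name, off))
    return findings


def build_demo_bundle(tampered: bool) -> str:
    """Write a constructed fake .app to a temp dir; tampered=True applies the tutorial's edits."""
    app = tempfile.mkdtemp(suffix=".app")
    fw_dir = os.path.join(app, "Frameworks", "UnityFramework.framework")
    os.makedirs(fw_dir)
    for name in ("Info.plist", "SubwaySurf"):
        with open(os.path.join(app, name), "wb") as f:
            f.write(b"placeholder")
    binary = bytearray(CLEAN_BINARY)
    if tampered:
        # Same shape as the 200080D2C0035FD6 patch: `mov x0, #1 ; ret` at the function entry.
        binary[0x40:0x48] = struct.pack("<II", 0xD2800020, RET_INSN)
        for dylib in ("h5frida-15.1.24.dylib", "frida-gadget-15.1.24.dylib"):
            with open(os.path.join(app, dylib), "wb") as f:
                f.write(b"\xcf\xfa\xed\xfe")  # 64-bit Mach-O magic only; constructed stand-in
    with open(os.path.join(fw_dir, "UnityFramework"), "wb") as f:
        f.write(binary)
    return app


if __name__ == "__main__":
    for label, tampered in (("clean", False), ("patched", True)):
        print(label, audit_bundle(build_demo_bundle(tampered)) or ["no findings"])
```

Run it as-is and the clean bundle produces no findings, while the patched one reports the two dylibs (once as unexpected files, once as instrumentation artifacts), the framework hash mismatch and the stubbed function entry. The stub check only runs on a hash mismatch because it needs the binary read anyway, and it only looks at offsets you know from the build, which keeps the false-positive rate low: a legitimate `movz x0 ; ret` at a function entry you chose to list would be the only way to trip it.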
- 132 replies
TOP 178 TWEAKS FOR IOS 15 - (2022 UPDATE)
0xSolana replied to Ghostemane's topic in iOSGods Archives's General Cydia
wait, aren't we already in 2023?
-
How did you install the application? If you installed it with iOSGods (free version), the certificate has been revoked and there's nothing you can do about it. Use Sideloadly instead, which lets you have your own certificate for 7 days. (There should be plenty of tutorials on YouTube.)
-
well, I'ma make a tutorial then when I have time
-
@Mina Kim Your application has been revoked, which means it is no longer signed and therefore can't open. Re-sign it with Sideloadly.
-
No longer available
0xSolana replied to Dialiba's topic in Club Français iOSGods's Support en Français
that's normal, you have to re-sign every 7 days
-
you can hook ObjC functions on non-JB, with %hook. But well, in 2022 afaik no games use ObjC lol, it's more likely for VPN apps or stuff like this that only need ObjC. You could find like an isPremium ObjC function and use %hook to return true or stuff like this. But if you wanna go into offset patching and hooking on jailed, you gonna need to use H5GG atm
-
you can "hack" ObjC by hooking ObjC code on jailed, but can't hook a dynamic address. If you want to hook like on JB (an instance variable for example) you gonna need to use H5GG, which can patch offsets (dynamic), hook any C++ func/meth in the app, and can make scripts like GG for Android. H5GG uses JS though, it's kinda limitless cuz you need to compile an ipa each time you hook an offset, so try your offset on JB, and make a hack after with H5GG for non-JB support
-
Help/Support Inject Deb Into IPA without a PC
0xSolana replied to weselito's topic in iOS Cheat Engine Support
@weselito Esign has this feature, though it's kinda buggy if the iPA is > 1 Go, but well, you can inject a dylib there
-
mhhh then they encrypted the strings... well, I have no idea about what you're trying atm... maybe in this case just navigate through all namespaces and classes in the .dll using DnSpy, but this takes a lot of time
-
have you tried to search for the strings that the pop-up shows inside IDA's strings view?
-
Mhh it seems to be acting like this:

bool _fb_is_jailbroken(id param_1, SEL param_2) {
    if (the check has determined that your device is JB) {
        alert("your device is JB");
        return true;
    }
    return false;
}

(my analysis only) I would return false. As I said, I think the class CheatDetection is useless, I think it uses other things to determine if jailbroken or not. Have you checked method names containing Jailbreak/root keywords?
-
these rainy days are boring... do you have nice Netflix movies or series to watch?

-
Mhhh I am not sure that this class is useful for JB detection... It seems to deal with "real cheats" but, if it's whatever dealing with JB, I would NOP / RET all of these meth/functions. All of them have obfuscated parameters, it's hard to know what they're dealing with. And also, I've searched for this class online and it seems to be private, there is no documentation from Unity3D about it...
-
Have you first tried FlyJB X? If you open the game and enable FlyJB afterwards, it's useless since the game will store that you are jailbroken. Steps:
1) Delete the game.
2) Reinstall it BUT DON'T OPEN IT
3) Open FlyJB and from there, enable your app. You can use A-Bypass if you want, I use FlyJB but use any good alternative.
4) Open your game
If that didn't work, you probably need to work with DnSpy... Afaik you can't NOP a class, try to look at functions / methods, maybe bool functions store if you are jailbroken or not. You can also search for function names containing "jailbreak", "root". I think the first method should work tbh, but if not, good luck for the second one, it's gonna be a lot of work to test them
-
Mod Menu Hack Kuboom v7.56.2 [ Aimbot -ESP]
0xSolana replied to X204's topic in Free Jailbreak Cheats
disable your orientation lock before opening the game
-
Non-Jailbroken Hack Kuboom v7.56.2 [ Aimbot -ESP]
0xSolana replied to X204's topic in Free Non-Jailbroken IPA Cheats
wow 😯 -
No longer available
0xSolana replied to Dialiba's topic in Club Français iOSGods's Support en Français
https://iosgods.com/topic/130167-windowsmacosm1wi-fi-introducing-sideloadly-working-cydia-impactor-alternative/ -
No longer available
0xSolana replied to Dialiba's topic in Club Français iOSGods's Support en Français
Did you download it with the iOSGods app or Sideloadly? In any case I think the certificate has expired, you can re-sign with Sideloadly, there are tutorials about that on iOSGods
-
Well, now it's part 3 of the tutorial series. Part 2 here if you haven't seen it yet. In this tutorial, we gonna see hooking, it's useful when you need to return a specific value, without having to check the hex value of it. Since Critical Strike has again been updated, v11.452 is outdated. I'm gonna use v11.604. I'll let you load your DLLs in DnSpy and we meet right after. Let's start!

Requirements:
- Jailbroken iPhone/iPad/iPod Touch.
- Filza
- DnSpy
- Theos
- Ted2 Theos template
- Critical Strike v11.604
- ARM notions.

[Hidden Content]
- 215 replies