
lxdx
Contributor
  • Posts: 776
  • Joined
  • Last visited

Everything posted by lxdx

  1. Code (JavaScript, run through H5GG's frida plugin):

         let procs = h5frida.enumerate_processes();
         if (!procs || !procs.length) throw "frida无法获取进程列表\n\nfrida can't get process list";

         let pid = -1;
         // pid = -1: use its own process to call OC/C/C++ functions; it can also attach to another APP's process to call them
         try { pid = h5gg.getProcList("UnityFramework")[0].pid; } catch (e) {}

         let found = false;
         for (let i = 0; i < procs.length; i++) {
             if (procs[i].pid == pid) {
                 // if (procs[i].name != 'Gadget') throw "免越狱测试请卸载frida-server的deb然后重启当前APP\nFor non-jailbreak tests, please uninstall the frida-server deb and restart the current APP";
                 found = true;
             }
         }
         if (!found) throw "frida无法找到目标进程\n\nfrida cannot find the target process";

         // Check whether the target APP process is running in the foreground; if it is suspended in the background, frida will block on attach
         while (pid > 0) {
             let frontapp = h5frida.get_frontmost_application();
             if (frontapp && frontapp.pid == pid) break;
             alert("请将目标APP切换至前台运行, 再点击确定继续...\n" + "Please switch the target APP to the foreground to run, and then click OK to continue...");
         }

     I'm on my device atm, couldn't paste it as code, but here is raw code I found in an H5GG project that takes the PID. Though I haven't read anything related to the frida Interceptor method (regarding H5GG).
  2. Maybe afterwards there is a way to find an automated step to make the app think it's in debugging mode! It's good that the "normal" hook with C++ works.
  3. @Happy Secret Have you tried to see if the "normal" hook that is used for common cheats works on jailed devices if debugging is on? I do not have Xcode, otherwise I would test it myself.
  4. Mhh Mhh okay that's what I would try, I'm not a pro, but this is what I would do: You can maybe try to get the field with the Update() function (if there is one). Else, I've seen somewhere on the web where you can use another function from the class, but I didn't try it. Lmk if it worked. So, if no Update() function:

         // just a PoC to get the idea
         void (*old_func)(void *instance);

         void func(void *instance) {
             if ([switches isSwitchOn:@"9999 Items"]) {
                 // int Amount
                 *(int *)((uint64_t)instance + 0x1C) = 9999;
             }
             old_func(instance);
         }

         void setup() {
             // a function in the same class. Use Update if there is one, if not try another function (Init for ex)
             HOOK(0x1ABB3A8, func, old_func);
         }

     do the same thing. Afaik, when there is a Type and you don't have its definition, just make a pointer to it like this:

         // taking your code
         auto modInit = reinterpret_cast<void (*)(void *, void *, int, bool)>(getRealOffset(0x1ABB3A8));

     Replace the CRefItem with void *, that way it's gonna make a pointer on the undefined type and with luck it's not gonna crash. Using this is the same as

         *(int *)((uint64_t)instance + 0x1C) = 9999;

     I guess, once you hooked Init, you can easily call it and put "true" on the func parameter, it's gonna overwrite it probably.

         // POC
         modInit(this_, paramName, 9999, true);

     Hope it could help you, tho all this is my knowledge, things might not be 100% right.
  5. Don't start hacking on UE4 games, they are kinda hard; try first with some IL2CPP/Mono games (Unity3D).
  6. It was a long time ago, but I did not build it, it was already done.
  7. Use ILSpy for macOS, it's working great. It's different than dnSpy, but well, at least you can decompile DLLs.
  8. Try to restart the phone, or if JB, run: ldrestart. It will reboot in a JB state and refresh the storage.
  9. Nice, that's pretty cool. I never tried debugging a game with Xcode. Nice tut, gonna link it on my tut.
  10. Yeah, but where do you find the static-inline folder in the Documents app (iOS)? Yeah, iTunes can do it if I'm right, but well, this tut is for newbies that don't know how to share files.
  11. Yeah, but transfer the patched UnityFramework to the PC?
  12. In part 2, I will probably make a tut with a mod menu, but for the first part I just wanted people to know how to patch and hook. And also, afaik the Documents app doesn't let you access app content in /Documents of Subway Surfer (in the case of the tutorial) even if the app has File Sharing enabled (at least on a fully jailed phone). I will edit the topic once I have time to add the Discord link and official GitHub.
  13. You can load the ida.py script or whatever Python script to get class names and func names, yeah, and yeah, you can patch with any hex editor, but a better way would be using iGameGod and the Live Offset Patcher tool in the settings.
  14. Idk, I never played the game. Check if there is a directory named Frameworks/UnityFramework or something like this; if so, this means that the real binary is UnityFramework (so use this in IDA); if not, it's the default binary file in the .app.
  15. H5GG doesn't work like this; it wouldn't be possible since apps are sandboxed on jailed devices. The only solution is to patch all your offsets at once, and replace the framework file only once.
  16. Tuancc said it was for advanced modders only, I guess that's why it's documented that way. Yeah, they didn't make any guide for that, that's why I made one. You only need to "prepare" the UnityFramework once; after that you can hook/patch the offset. No need to replace with a new UnityFramework file if you switch between ActiveCodePatch/StaticInlineHookFunction.
  17. Yep, but here are the basics. After that you can make an HTML mod menu and create a dylib that contains your HTML + JS. Then you can inject it into an IPA and you won't need to inject the script or anything. Since non-JB doesn't have the same permissions as a JB device, I don't think Frida lets you hook like on JB. Can you provide more details?
  18. My bad, I wrote this being pressed for time. I have edited the topic. Lmk if it worked.
  19. Nope, haven't tried. I think it's possible though, with this: https://frida.re/docs/javascript-api/ there is a doc on how to use writeInt / writeFloat.
  20. If this gets you an error, you didn't place the file in the .app folder, or you have renamed it.
  21. That's cool, could you edit your answer and tell me if the hook works?
