
shmoo

Senior Member
  • Content count: 5,148
  • Joined
  • Last visited
  • Days Won: 18

shmoo last won the day on May 29 2016

shmoo had the most liked content!

Community Reputation: 29,558 Forum Legend

About shmoo
  • Rank: I'm too good

Profile Information
  • iDevice: iPhone X
  • iOS Version: 11.3.1
  • Jailbroken: No
  • Rooted: No
  • Gender: Male
  • Location: East Coast USA

Recent Profile Visitors
  102,249 profile views
  1. Removed redundant code 😛 Nothing has changed as far as functionality goes. I am pushing another fix rn because I found another mistake.
  2. Taken from reddit

     This is the version of uncrypt that works with iOS 11. For iOS 10 and below, use https://github.com/shmoo419/uncrypt or one of the many other alternatives.

     As someone who likes to reverse engineer and mod things, I needed a way to decrypt binaries when Electra1131 released. The version of my tool I linked above does not work on iOS 11 because the kernel kills "untrusted binaries", which causes a mountain of problems. So I made this.

     Why did I make this? I wanted to get familiar with the Mach-O file format and figured other people would find it useful. I know BFDecrypt is a thing, but I don't like how it dumps the entire IPA because for my purposes I only need the binary. So, as you can guess, my tool only dumps the binary. I also do not want to promote piracy, so the cryptid is not flipped. This tool is intended for research purposes only. If this doesn't suit your needs, use another tool.

     uncrypt11 is in BETA. If you encounter any problems, please open an issue on GitHub.

     To get it, add my repo: http://shmoo419.github.io/ and install uncrypt11.

     To use:
     /electra/inject_criticald pidofapphere /Library/MobileSubstrate/DynamicLibraries/uncrypt11.dylib

     See the source here: https://github.com/shmoo419/uncrypt11

     Enjoy!
  3. That jb can't come soon enough lol. This GDB is blazing fast on my 6s, I can't imagine how fast it will be on my X.
  4. No clue. I am going to try to add iOS 11 support, don't worry.
  5. I need an iOS 11 device to test with, can't do it when it isn't jailbroken.
  6. No iOS 11 support until the 11.3.1 jailbreak comes.
  7. Dude, use the pid of Deepworld: ps ax | grep Deepworld, then attach whatever the pid is.
  8. Try again, it is buggy. If that doesn't work, use the pid.
  9. Wtf lol you posted this right after I clicked post.
  10. iOS 11 Support? No iOS 11 support until I can jailbreak my 11.3.1 device.

     The best debugger ever made has returned to iOS with arm64 support! I have spent about five days fixing bugs, adding features, and making this GDB usable. However, I need all the help I can get in fixing bugs. If you find a bug, or see any debug output, *PLEASE* DM me on Twitter @hackedbyshmoo with steps to reproduce so I can add that bug to my list.

     Installs to /usr/bin. Put your gdbinit in /var/root if you run GDB as root and /var/mobile if you run GDB as mobile.

     It is buggy. Please don't get your hopes up. If you get abort trap: 6 when trying to attach, keep trying or use the pid. If you jailbroke with doubleh3lix this may not work due to issues sending signals over SSH.

     Bugs destroyed:
     - SIGINT wasn't being handled correctly. If you tried to interrupt the program, nothing would happen, the GDB prompt wouldn't come back, and you wouldn't be able to type. Fixed by writing my own SIGINT handler
     - When you detached from a process, a ton of errors would be spit to the screen and it would fail. This no longer happens and detaching works again
     - You can no longer Ctrl C two times in a row, which would either (a) ruin your debugging session or (b) crash GDB
     - A broken breakpoint auto-added when attaching that would screw up your debugging session is auto-deleted ("could not insert breakpoint -1")
     - The inferior's name wasn't being updated correctly. Fixed by calling exec_close whenever you attach to something
     - No more nasty errors when you kill the debuggee
     - iOS 10 support by changing DYLD_VERSION_MAX from 14 to 15
     - You can debug multithreaded programs without GDB crashing. Before, doing anything after a breakpoint hit would cause GDB to crash
     - You can attach to a process if you give its executable name

     New:
     - add-aslr-bp: a command to automatically add the ASLR slide to breakpoints. To use, set add-aslr-bp on
     - add-aslr-set: a command to automatically add the ASLR slide to the expression in the set command. To use, set add-aslr-set on. Since memory addresses already have ASLR accounted for, we need an upper bound to know when to not add the ASLR slide. Use 0x103000000 if you know you aren't going to be modifying memory and only instructions, otherwise, use IDA Pro to find out where the main code segment ends (Ctrl+S)

     Notes:
     - Hardware watchpoints will never be supported

     Known bugs:
     - Rare bug that can be fixed by detaching and reattaching
     - Spamming c after a breakpoint hits may crash GDB under special circumstances
     - Very bad lag when scrolling up in the TUI asm window

     TODO:
     - ascii value of memory shown side by side with the actual memory printed out by the examine command (x)
     - TUI window that shows memory like Cheat Engine's memory editor

     How do I get it? Uninstall any other GNU Debugger you may have, add my repo: shmoo419.github.io, and install GNU Debugger.

     CREDITS:
     - swigger (for arm64 support: https://github.com/swigger/gdb-ios)
     - me (for building, fixing bugs, adding stuff, and making it usable)
  11. They did a bit of a better job than whoever made Standoff 2. With the unpatched crown hack I'm modifying the starting crowns so you have to make a new account. My ideal hack would be an undetectable add crowns hack.
  12. tip MORE HERE: https://github.com/shmoo419/BlackopsHacks

     No hidden content for learning purposes, I f***ing hate it when I go to a site for a quick answer and I need to register.

     #import <mach-o/dyld.h>
     #import <pthread/pthread.h>

     #define MILLISECOND_BIAS 1000

     uint64_t getASLRSlide(){
         return _dyld_get_image_vmaddr_slide(0);
     }

     void *modifyScore(void *arg0){
         while(true){
             // __symbolstub1:0000000100260398 STR X19, [X0,#0x100638240@PAGEOFF]
             void *CScoreManager = *(void **)(getASLRSlide() + 0x100638240);
             // turns out CScoreManager isn't the class that holds our score
             // so I had to do a bit of exploring and analysis to find out where it is kept
             if(CScoreManager){
                 void *unkptr0 = *(void **)((uint64_t)CScoreManager + 0x70);
                 if(unkptr0){
                     void *unkptr1 = *(void **)((uint64_t)unkptr0 + 0x8);
                     if(unkptr1){
                         // increase our score by 1 every 25 milliseconds
                         (*(int *)((uint64_t)unkptr1 + 0x24))++;
                     }
                 }
             }
             usleep(25 * MILLISECOND_BIAS);
         }
         return NULL;
     }

     void *modifyWave(void *arg0){
         // we don't want to keep modifying our wave, only modify it when we're finished with a wave
         int lastWave = 0;
         while(true){
             // __symbolstub1:000000010028BBEC STR X19, [X0,#0x1006371F8@PAGEOFF]
             void *CWaveManager = *(void **)(getASLRSlide() + 0x1006371f8);
             if(CWaveManager){
                 // we could make this an int pointer, but sizeof(int *) == 8 and that causes problems
                 // in this particular situation because of overlapping memory
                 int currentWave = *(int *)((uint64_t)CWaveManager + 0xd8);
                 if(currentWave != lastWave){
                     // currentWave's value has already been updated
                     // if we multiply that by two, we'll get the wrong wave value
                     // using lastWave fixes this because it hasn't been updated
                     // sometimes lastWave is 0, so we need to handle that
                     // will double the wave you're on every time you finish a wave
                     *(int *)((uint64_t)CWaveManager + 0xd8) = ((lastWave == 0 ? 1 : lastWave) * 2);
                     // we only want to modify the wave once
                     // there is absolutely no way a wave will last only five seconds
                     sleep(5);
                 }
                 // be sure to update lastWave correctly
                 lastWave = *(int *)((uint64_t)CWaveManager + 0xd8);
             }
             usleep(25 * MILLISECOND_BIAS);
         }
         return NULL;
     }

     void *pickupHacks(void *arg0){
         while(true){
             // __symbolstub1:000000010022DB70 STR X19, [X0,#0x100637210@PAGEOFF]
             void *CPickupManager = *(void **)(getASLRSlide() + 0x100637210);
             if(CPickupManager){
                 // the game uses however many points you've earned since last pickup to decide whether or not to spawn a pickup
                 // setting this to a ridiculously large value tricks the game into thinking it's been a long time since the last pickup spawn
                 *(int *)((uint64_t)CPickupManager + 0xd0) = 999999999;
                 // however, there's a limit to the number of pickups that spawn each round so we need to patch that
                 // this is guaranteed not to be NULL - you can tell from the assembly
                 void *maxPickupLimitDvar = *(void **)((uint64_t)CPickupManager + 0x150);
                 *(int *)((uint64_t)maxPickupLimitDvar + 0x20) = 999999999;
             }
             usleep(25 * MILLISECOND_BIAS);
         }
         return NULL;
     }

     %hook s3eAppDelegate
     - (void)applicationDidBecomeActive:(id)arg0 {
         dispatch_after(dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC), dispatch_get_main_queue(), ^{
             pthread_t scoreThread;
             pthread_create(&scoreThread, NULL, modifyScore, NULL);
             pthread_t waveThread;
             pthread_create(&waveThread, NULL, modifyWave, NULL);
             pthread_t pickupThread;
             pthread_create(&pickupThread, NULL, pickupHacks, NULL);
         });
         %orig;
     }
     %end