0xWeiss

Well hello there, creep. /j

Name of the Game: Battle Night 

Version of the Game: 1.5.3

iTunes Link: https://apps.apple.com/us/app/battle-night/id1449448167

Jailbroken or Non-Jailbroken: Jailbroken.

Requested Features: 

- Multiply Attack / Defense
 

I haven’t tried hacking it myself, but will attempt to in the morning.

First. Thank you.

Thank you, Laxus!

29 minutes ago, Dunkyy said:

I want to try this apps:   beatleap

I have iPhone8p ios13.6 without jailbreak.

Is it able to install it with Sideloadly? It seems the start button only available after IPA file is selected, but the beatleap one is a .deb.

What else should I do? Checked the instructions & Q&A, but I'm still confusing.

I can send over a cracked IPA of that app if you’d like.

You would be the one who posts the game I was trying to work on 😭

Great job, though, btw ^^ I'm gonna move on now.

7 hours ago, Max-- said:

i can give a tip like the droping offset when watchpoint hits its not the real one, thats why when remove the aslr from it we get a ridiculous offset, that doesnt even exist in ida=Jump failed

Please let me know. I'm currently trying to hack a game atm using LLDB.

I've searched values -> set watchpoints -> trigger watchpoints -> image lookup -a 0x00000000 (the watchpoint hit)

TYTY.

Thank you 😊

Thank you.

Thank you, Zahir.

Thank you, Zahir.

Thank you.

Tuesday, November 2nd.

 

Today I’m feeling very optimistic with my learning journey as I’ve made a breakthrough with hacks! It’s also my mother’s birthday today, which reminds me to wish her a happy birthday when I wake up later. Haha.

Thank you.

Thanks

Monday, November 1st:

Today, I’m feeling quite ill, but I’m trying my best to recover. My mood’s been neutral lately, just taking the days as they are.

As for something interesting, there’s nothing interesting about me 🌝

 

Thank you for hosting this giveaway.

41 minutes ago, Zahir said:

You can run the script in IDA, so it renames those sub functions 

Offset 1 -- Offset 2 -- Offset 3

 

Python has apparently finished loading.

Some functions are still listed as sub_x, but I can see the names of these ones.

Money:
1. IDA Offset - 191506c Game.GUI.GlobalCanvas.ResourceValuePresenter$$ChangeResource
2. IDA Offset - 19075ec CSGame.Models.Resources.Resource$$AddValue
3. IDA Offset - 1915288 Game.GUI.GlobalCanvas.ResourceWidgetView$$UpdateValue

4 minutes ago, Zahir said:

You can run the script in IDA, so it renames those sub functions 

Ah, thought I had done that.

UnityFramework > global-metadata.dat -- Done.

File > Script File > ida.py > script.json

Waiting on the load now.

1 minute ago, Zahir said:

That game is unity right? Why don't you make use of the unity tool to see the function names

iL2CPPDumper, correct? Open the dump.cs file in Notepad++?

2 minutes ago, Zahir said:

You should try 19075E4 to MOV W2, #16777216 [0220A052]

 

Hmm, either the Live Offset Patcher doesn't work for this game, the offset is wrong (doubt), or the game's currency isn't possible to change.

It didn't work.. ^^ Game: ZombieShop

I'm sure you're getting tired of seeing me here, but you're gonna see a whole lot of me.

I need assistance with identifying offsets that are useful. I've stumbled across 3.

These offsets are involved with the game's currency. 

Searched current value, altered value by selling, search value, ended up with 3 offsets.

 

Offset 1 -- Offset 2 -- Offset 3

Money:
1. IDA Offset - 191506c Game.GUI.GlobalCanvas.ResourceValuePresenter$$ChangeResource
2. IDA Offset - 19075ec CSGame.Models.Resources.Resource$$AddValue
3. IDA Offset - 1915288 Game.GUI.GlobalCanvas.ResourceWidgetView$$UpdateValue

 

EDIT: I also need help with figuring out how to alter the assembly using the KEYPATCH:Patcher.

No idea how to do that, I don't know how to pull up the menu/pop-up.

EDIT: I'm also attempting to test the offsets with the Live Patcher on iGG.

 

Any help is appreciated.

7 hours ago, ProGamerMoment said:

That is correct, you must use UnityFramework, offsets will be in there and usually they don’t have the 0x10 in front so try it without and see if they match up, however when looking for the process you have to side Zombie shop since it loads the the frameworks once the binary has been loading, hence why the binary is small. Hope this helps

That solved a problem, but not the one I originally had. Haha. However, I realized I was able to find the address in the debug portion of IDA. The green play button thing. However it didn’t have anything next to it, so I exited and saw that the analysis thing wasn’t finished. So I’m gonna let that load and try again tonight.

EDIT:

Possible Mistakes List:

- “image list UnityFramework” instead of “image list ZombieShop”? (3:23AM Thought)

3 hours ago, ProGamerMoment said:

 

Hey can you provide screenshots on exactly what you are doing or a video, you might be grabbing offsets that might be from another process, sometimes games are weird and have stuff in a framework which can make things a little more difficult 

If you don’t mind, I’ll list everything in detailed steps.

Game:

• Zombie Shop V-0.21.1

 

Devices:

• iPhone X 13.3 UnC0Ver 7.0.0 JB

• ASUS ROG Laptop Win10 x64

 

Programs:

• IDA PRO 7.3

• iL2CPPDumper

• Notepad++

• LLDB

• 3uTools

• PuTTy

• iGameGod

• Filza

• NewTerm

• FlexDecrypt | CrackerXI

 

Sites:

• ArmConverter

• BinaryHexConverter

• Calculator-HexCalculator

——————————————

1. Gathering the necessary files.

• [iPhone] Launch CrackerXI —> Zombie Shop —> Full IPA

• [iPhone] Launch Filza (/var/mobile/Documents/CrackerXI) —> EXTRACT ZombieShop_0.21.1_Weiss
• Launch NewTerm —> flexdecrypt /var/mobile/Documents/CrackerXI/ZombieShop_0.21.1_Weiss/Payload/ZombieShop.app/Frameworks/UnityFramework.framework/UnityFramework

[[Cracked binary is in /tmp/UnityFramework]]

• [PC] — Launch 3uTools > Grab UnityFramework and place in Desktop Folder.

• [PC] Direct to ZombieShop.app > Data > Managed > Metadata > Grab global-metadata.dat and place in Desktop Folder.

——————————————

2. IDA Pro Portion

• [PC] Launch IDA Pro x64 > New > Select “UnityFramework” > Allow to fully load with “IDLE” is on the bottom left.

• [PC] Launch iL2CPPDumper > Select “UnityFramework” > Select “global-metadata.dat” > Allow to finish.

• [PC] Return to IDA Pro (Fully Loaded) > File > Script File... > IDA.py > Script.JSON

• [PC] Allow the script to fully finish until it says “IDLE” is on the bottom left.

——————————————

3. 3uTools / PuTTy / LLDB / Game Portion

• [iPhone] Open iGameGod and enable Zombie Shop.

• [iPhone] Launch Zombie Shop.

• [PC] Launch 3uTools > Toolbox > Open SSH Tunnel > SSH Client (PuTTy)

• [PC] In PuTTy > Type “lldb” > Type “attach ZombieShop”

• [PC] Game attaches successfully, the game freezes.

• [PC] In PuTTy > Type “image list ZombieShop” > Note the ASLR > Type “c” to continue process (unfreeze game).

• [iPhone] Use iGameGod to search values until I’m left with 1-2 (in my case, 3).

• [PC] In PuTTy > Type “process interrupt” (freezes game).

[[NOTE: Cannot create Watchpoints while the game’s running.]]

• [PC] Creates Watchpoints.

• [iPhone/PC] Changes the value > Trigger Watchpoints 1.

• [PC] In PuTTy > Type “register read” and copy the output into Notepad++ > Type “c” to proceed > Watchpoint 2 was trigger-ed > Type “register read” and copy the output into Notepad++.

• [PC] Acquired 2 IDA offsets > Removed ASLR using hex calculator.

• [PC/iPhone] Kept notes on money value and converted using decimal to hex.

• [PC] Searched for the converted value in the register read outputs and found a match in watchpoint 1.

• [PC] Returned to IDA > Press “G” > Inserts Address (ASLR REMOVED ONE)

——————————————
[[ENCOUNTERS ERROR]]
• Command “JumpAsk” Failed

——————————————

Hopefully you could help spot the issue this way!