GodModerator

not bad

amazing!

amazing!

there is a H5GG.dylib in the h5gg jb app.

First, you need to manually find the address of the value you need (such as through fuzzy search, nearby search, etc.), and then load the AutoSearchPointerChains.js script. It will prompt you to enter the following 3 parameters: 1:Please enter the data address to be searched (hex starting with 0x) This parameter is for you to enter the address of the value you found. 2: Please enter the max search offset (hex starting with 0x) This parameter allows you to limit the maximum offset you want to search. Different games are different. Generally speaking, the offset of the Unity3D engine is small (0x50 to 0x500 range), and the offset of the Unreal engine is relatively larger (range from 0x100 to 0x2000), you can try a smaller offset (faster) first, and then try a larger offset (slower) if no search results are found. 3: Please enter the max search level This parameter allows you to limit the maximum search offset chain length. Generally speaking, the offset chain length is less than 10 layers, and in rare cases it may exceed 10 layers. You can try a smaller number of layers first (faster), If there is no search result, try a larger number of layers (slower). After waiting tens of minutes to a few hours, he will give out all the pointer chains that have been searched. Each pointer chain consists of the following three parts: [Module Name] : [Static Offset] -> [Dynamic Offsets] If there are multiple pointer chains found in the search, the smallest value of the dynamic offsets is more accurate. Then we can use the pointer chain in h5gg to directly calculate the address of the value we need. With the address, we can read the value or write the value we want. There is no need to restart the game every time Do a fuzzy or nearby search. For example, the following pointer chain used in H5GG: UnityFramework:0x123456 -> 0x234 -> 0x456 -> 0x678 var modules = h5gg.getRangesList("UnityFramework"); //Module Name var base = modules[0].start; //module base addr in runtime memory var addr = Number(base) + 0x123456; //Static Offset var pointer = getValue(addr, "U64"); //read pointer var addr1 = Number (pointer) + 0x234; //First Dynamic Offset var pointer1 = getValue(addr1, "U64"); //read pointer var addr2 = Number (pointer1) + 0x456; //Second Dynamic Offset var pointer2 = getValue(addr2, "U64"); //read pointer var addr3 = Number (pointer2) + 0x678; //Third Dynamic Offset var pointer3 = getValue(addr3, "U64"); //read pointer //final var value = h5gg.getValue(pointer3, "I32"); alert("read value=" + value); h5gg.setValue(pointer3, 99999, "I32"); suggestions: 1: On the jailbroken device, you can put the game app into the background, and then use the H5GG APP to run AutoSearchPointerChains.js 2: Because the search process may take several hours, it is recommended to put your iPhone/iPad in the refrigerator to cool down. get AutoSearchPointerChains.js on https://github.com/H5GG/H5GG

genius, bro!

genius, bro!

https://discord.com/channels/1001549249063944222/1001591584439140382/1016020356206690454

get patched file without PC:

asshole~ brother!

asshole~brother

many examples here : https://github.com/H5GG/H5GG/tree/main/examples-HTML5 and you can learn html, js, css on google !

do it for your binary by yourself. hookme is just for testing, you can delete it.

with h5frida v2.0 now you can patch code dynamicly on non-jailbreak very easily, like this: h5gg.require(7.9); var h5frida=h5gg.loadPlugin("h5frida", "h5frida-15.1.24.dylib"); if(!h5frida) throw "Failed to load h5frida plugin"; alert("frida plugin version="+h5frida.pluginVersion() + "\nfrida core version="+h5frida.coreVersion()); function ActiveCodePatch(fpath, rvaddr, bytes) { if(!h5frida.ActiveCodePatch(fpath, rvaddr, bytes)) { var result = h5frida.ApplyCodePatch(fpath, rvaddr, bytes); alert(fpath+":0x"+rvaddr.toString(16)+"-PatchFailed!\n" + result);return false; } return true; } function DeactiveCodePatch(fpath, rvaddr, bytes) { return h5frida.DeactiveCodePatch(fpath, rvaddr, bytes); } /* fpath: relative path of the binary in the .app directory rvaddr: relative virtual address Generally speaking, for dylib/framework, rvaddr = [offset in file] = [address in IDA] for main executable, rvaddr = offset in file = [address in IDA] - [base address in IDA], the base address is usually 0x100000000. */ /*************************************************************************/ //switch on ActiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x1A21658, "C0035FD6"); //switch off DeactiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x1A21658, "C0035FD6"); see more: https://github.com/H5GG/H5GG/tree/main/examples-h5frida

https://github.com/H5GG/H5GG