GodModerator

not bad

amazing!

amazing!

there is a H5GG.dylib in the h5gg jb app.

First, you need to manually find the address of the value you need (such as through fuzzy search, nearby search, etc.), and then load the AutoSearchPointerChains.js script. It will prompt you to enter the following 3 parameters: 1:Please enter the data address to be searched (hex starting with 0x) This parameter is for you to enter the address of the value you found. 2: Please enter the max search offset (hex starting with 0x) This parameter allows you to limit the maximum offset you want to search. Different games are different. Generally speaking, the offset of the Unity3D engine is small (0x50 to 0x500 range), and the offset of the Unreal engine is relatively larger (range from 0x100 to 0x2000), you can try a smaller offset (faster) first, and then try a larger offset (slower) if no search results are found. 3: Please enter the max search level This parameter allows you to limit the maximum search offset chain length. Generally speaking, the offset chain length is less than 10 layers, and in rare cases it may exceed 10 layers. You can try a smaller number of layers first (faster), If there is no search result, try a larger number of layers (slower). After waiting tens of minutes to a few hours, he will give out all the pointer chains that have been searched. Each pointer chain consists of the following three parts: [Module Name] : [Static Offset] -> [Dynamic Offsets] If there are multiple pointer chains found in the search, the smallest value of the dynamic offsets is more accurate. Then we can use the pointer chain in h5gg to directly calculate the address of the value we need. With the address, we can read the value or write the value we want. There is no need to restart the game every time Do a fuzzy or nearby search. For example, the following pointer chain used in H5GG: UnityFramework:0x123456 -> 0x234 -> 0x456 -> 0x678 var modules = h5gg.getRangesList("UnityFramework"); //Module Name var base = modules[0].start; //module base addr in runtime memory var addr = Number(base) + 0x123456; //Static Offset var pointer = getValue(addr, "U64"); //read pointer var addr1 = Number (pointer) + 0x234; //First Dynamic Offset var pointer1 = getValue(addr1, "U64"); //read pointer var addr2 = Number (pointer1) + 0x456; //Second Dynamic Offset var pointer2 = getValue(addr2, "U64"); //read pointer var addr3 = Number (pointer2) + 0x678; //Third Dynamic Offset var pointer3 = getValue(addr3, "U64"); //read pointer //final var value = h5gg.getValue(pointer3, "I32"); alert("read value=" + value); h5gg.setValue(pointer3, 99999, "I32"); suggestions: 1: On the jailbroken device, you can put the game app into the background, and then use the H5GG APP to run AutoSearchPointerChains.js 2: Because the search process may take several hours, it is recommended to put your iPhone/iPad in the refrigerator to cool down. get AutoSearchPointerChains.js on https://github.com/H5GG/H5GG

genius, bro!

genius, bro!

https://discord.com/channels/1001549249063944222/1001591584439140382/1016020356206690454

get patched file without PC:

asshole~ brother!

asshole~brother

many examples here : https://github.com/H5GG/H5GG/tree/main/examples-HTML5 and you can learn html, js, css on google !

do it for your binary by yourself. hookme is just for testing, you can delete it.

with h5frida v2.0 now you can patch code dynamicly on non-jailbreak very easily, like this: h5gg.require(7.9); var h5frida=h5gg.loadPlugin("h5frida", "h5frida-15.1.24.dylib"); if(!h5frida) throw "Failed to load h5frida plugin"; alert("frida plugin version="+h5frida.pluginVersion() + "\nfrida core version="+h5frida.coreVersion()); function ActiveCodePatch(fpath, rvaddr, bytes) { if(!h5frida.ActiveCodePatch(fpath, rvaddr, bytes)) { var result = h5frida.ApplyCodePatch(fpath, rvaddr, bytes); alert(fpath+":0x"+rvaddr.toString(16)+"-PatchFailed!\n" + result);return false; } return true; } function DeactiveCodePatch(fpath, rvaddr, bytes) { return h5frida.DeactiveCodePatch(fpath, rvaddr, bytes); } /* fpath: relative path of the binary in the .app directory rvaddr: relative virtual address Generally speaking, for dylib/framework, rvaddr = [offset in file] = [address in IDA] for main executable, rvaddr = offset in file = [address in IDA] - [base address in IDA], the base address is usually 0x100000000. */ /*************************************************************************/ //switch on ActiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x1A21658, "C0035FD6"); //switch off DeactiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x1A21658, "C0035FD6"); see more: https://github.com/H5GG/H5GG/tree/main/examples-h5frida

https://github.com/H5GG/H5GG

Step 1: Enable App's Documents File Sharing When Signature Step 2: Find Target App Folder in File App that's all!

var type = Number(h5gg.getValue(actor, "U16")) & 0x0FFF; then draw the type variable in esp, you will see:

function readUTF16String(address, maxlen) { var str = ""; for (var s = 0; !maxlen||s<maxlen; s++) { var charCode = Number(h5gg.getValue(address + s * 2, "U16")); if(!charCode) break; str += String.fromCharCode(charCode); } return str; } function readUTF32String(address, maxlen) { var str = ""; for (var s = 0; !maxlen||s<maxlen; s++) { var charCode = Number(h5gg.getValue(address + s * 4, "U32")); if(!charCode) break; str += String.fromCharCode(charCode); } return str; } //This is usually slower, It is recommended to cache it //var str1 = readUTF16String(addr); //var str2 = readUTF16String(addr, 20); //var str3 = readUTF32String(addr); //var str4 = readUTF32String(addr, 20);

what normal imgui? c/c++? thats really sh!t! People just want good looks, who wants to use c++?

H5Menu DarkStyle: H5Menu LightStyle: H5AlertView: H5-IMGUI-Lite: H5 ESP Draw: Get source code from https://github.com/H5GG/H5GG/tree/main/examples-HTML5

Search Value and Lock/Freeze Value: h5gg.require(7.8); //min version h5gg.clearResults(); h5gg.searchNumber("123", "I32", "0x0", "0xFFFFFFFF00000000"); var count = h5gg.getResultsCount(); var results = h5gg.getResults(count); var locker = setInterval(function() { console.log("running..."); for(var i=0; i<count; i++) { h5gg.setValue(results[i].address, "456", "I32"); } }, 500 //lock/freeze time interval (millseconds) ); //then we can cancel the lock/freeze: //clearInterval(locker); Read Static Pointer In Modules(dylib/main-executable): h5gg.require(7.8); //min version //ModuleFileName: like "UnityFramework", or 0 for main executable var modules = h5gg.getRangesList("ModuleFileName"); var base = Number(modules[0].start); var addr = base + 0x123456; //add offset var pointer = h5gg.getValue(addr, "U64"); //must convert to Number type, then we can do + calc or convert to hex via toString(16) pointer = Number(pointer); alert('0x'+pointer.toString(16)); Code Patch Offset with Bytes (only for jailbroken): h5gg.require(7.8); var modules = h5gg.getRangesList("UnityFramework"); //module file name var base = modules[0].start; //module base addr in runtime memory var addr = Number(base) + 0x01915304; //offset patchBytes(addr, "00E0AFD2C0035FD6"); //bytes /********************************************************/ //only jailbroken devices can do this function patchBytes(addr, hex) { for(i = 0;i<hex.length/2;i++) { var item = parseInt(hex.substring(i*2, i*2+2), 16); h5gg.setValue(addr+i,item, "U8"); } } /********************************************************/

Theoretically it works, but in practice I haven't tested it

First: you need to get the decrypted ipa file! PC Method via Sideloadly: iPhone/iPad Method via ESign/GBox/BoarSign etc: thats all!

**************** H5GG JavaScript Engine Document (update on v7.5) ******************** h5gg is the engine object, which can call the following functions (similar to the lua interface of Android gg, but the parameters are somewhat different) h5gg.require(H5GG version number); //Set the minimum H5GG version number required by the script, which can be written in the first line at the beginning of the script h5gg.setFloatTolerance('floating-point deviation'); //Set the deviation range of F32/F64 floating-point search, the engine defaults to 0.0 h5gg.searchNumber('value', 'type', 'search lower limit', 'search upper limit'); //Search or secondary search (improve) exact value h5gg.searchNearby('value', 'type', 'adjacent range'); //Nearby (joint) search, consistent with igg's h5gg.getValue('address', 'type'); //Read the value of the specified address, return the value string h5gg.setValue('Address', 'Value', 'Type'); //Set the value of the specified address, return success or failure h5gg.editAll('value', 'type'); //Modify all the values in the search results (cannot be called after clearing the results), and return the number of successful modifications h5gg.getResultsCount(); //Get the total number of search results, return the total number h5gg.getResults('GetCount', 'SkipCount'); //Get the result array, each element has three attributes of address, value and type h5gg.clearResults(); //Clear search results, start a new search h5gg.getRangesList('module file name'); //Return the module array, the module has start (base address), end (end address), name (path) attributes (If the module file name=0, it will return the APP main program module information, if the module file name is not passed in, it will return a list of all modules) h5gg.loadPlugin('Objective-C Class Name','dylib file path'); //load a dylib plugin, return an OC Instance Object (The returned OC object instance can be called directly in js, dylib supports absolute path or relative path in .app) For standalone CrosProc APP version only: h5gg.setTargetProc(process number); //Set the current target process, return success or failure h5gg.getProcList('process name'); //Get the process array, the elements in the array have pid (process number), name (process name) attributes (If the process name is not passed in, it will return a list of all running app processes, which can be called periodically to determine whether the target process has ended) Other APIs: setButtonImage(icon); //Set the icon of the floating button, you can pass in the http starting URL image or the base64 encoded DataURL image setButtonAction(js callback function); //Set a custom floating button icon click action, which is called when a js function is passed in to click setWindowRect(x, y, width, height); //Modify the position and size of the window suspended on the screen setWindowDrag(x, y, width, height); //Set the area of the draggable floating window in the H5 page setWindowTouch (whether to respond to touch); //true=the entire floating window is impenetrable by touch, false=the entire floating window can be touched by touch setWindowVisible (whether to display), //Set the visibility of the floating window, true=display, false=hidden setLayoutAction(js callback function); //Set the js callback when the screen rotates or the iPad split screen float changes, the callback function parameters are (width, height) Notice: 1: The address parameter supports automatic identification in decimal or hexadecimal format starting with 0x, other parameters must be in string format 2: float number types: F32, F64, signed number types: I8, I16, I32, I64, unsigned number types: U8, U16, U32, U64 3: If there are many search results, do not get all the data at one time with getResults, it maybe crash for using too mach memory, and should be obtained in sections 4: The address and value of the search result are all string types. If you want to do digital operations, please use Number(x) to convert them into numeric types before you can perform operations. (Unlike lua, which automatically converts the string types on both sides of the + sign to numeric types, in js, if the + sign is a string, the two strings will be concatenated) 5: The numeric type can be converted into a hexadecimal string format with x.toString(16), but x must be a numeric type to convert successfully 6: The numerical value of the search supports the range format, such as "50～100", such as "2.3～7.8", both searchNumber and searchNearby search are supported 5: The default size of the floating window is 370 points wide and 370 points high. You can set the position, size and draggable area through the js api on the H5 page.

What is H5GG? On Android, they have GameGuardian, which has complex functions, perfect interface, and most importantly, it has lua scripting function, which can realize complex, fast, automatic, and interactive work. And on Android, they have tools like AndLua, AutoJS, AIDE, etc. to make powerful hacks directly on the phone. But on ios, we only have some simple tools, such as memory search, modification, speed hack, etc., the functions are still relatively simple, and there is no support for writing scripts for automated operations. Although we have theos to write tweaks on the iphone, theos is really difficult to make mod menus, and the Objective-C language is essentially a superset of the C language, which is a well-known language that is difficult to learn and understand. And it is very easy to cause errors and crashes. It is far less easy to use than scripting languages such as lua and js. It is a club activity that only a small number of high-end people can participate in. So here comes H5GG, I guess its full name should be called "Html 5 Game Guardian(or God)", which is based on two simple principles: 1: It uses Html5 as the interface engine, which is essentially a web page, you can use any web page creation software to create Menu, whether it is on a computer or an iphone/ipad. 2: It uses JavaScript as the scripting language and JS as the embedded script of the web page, which is very easy to write and use, and can be seamlessly integrated with Html5. It's so simple, but we have it all on ios. Html5, as the most powerful UI engine, can create any menu effect you can imagine, and any menu effect you can't imagine. JS is a mature and powerful script language, but much easier to learn than C. You can find countless tutorials and examples on google and youtube for both. So this is H5GG, so simple, yet so powerful. A new club that any beginner and rookie can enter, there are no barriers, and it is very friendly. And it's completely free and open source! How to start using H5GG? The core of H5GG is H5GG.dylib, which contains all the functions and engines of H5GG. H5GG.dylib can be run in 4 ways: 1: On non-jailbroken devices, you can use sideloadly(pc/mac), esign(ios), boarsign(ios), GBox(ios) and other tools to inject H5GG.dylib into ipa, and re-sign (need to purchase a A personal certificate), and then install it on ios. In this way, H5GG.dylib will run in the process of the APP. 2: On the jailbroken device, you can install the deb package of the general injection version of H5GG (install via Filza), so that H5GG will be automatically injected and loaded by each APP. In this way, H5GG.dylib will run in the process of the APP . 3: On the jailbroken device, you can install the deb package of the standalone APP version of H5GG (install via Filza), so that H5GG will run as a separate system-level APP, and you can select the target APP process to operate in H5GG. In ipad, you can even use SplitView/SliderOver to run H5GG APP. In this way, since H5GG.dylib will not be injected into the target APP process, some protection and detection can be avoided. 4: On the jailbroken device, you can install the deb package of H5GG's floating APP version (install via Filza), which is basically the same as method 3. The main difference is that the H5GG APP can be displayed on the entire screen in a translucent manner. It can even be displayed on the main screen. This can be more convenient to use and operate, and you can also perform screen drawing in H5GG's APP to realize ESP, etc. But in this way, H5GG's APP will not be able to run in SplitView/SliderOver mode. So you see, H5GG can run on both jailbroken and non-jailbroken devices at the same time, it can work in any situation, and, in these different operating modes, the Mod Menu and script hacks you write can be seamlessly compatible. . Endless Possibilities of H5GG: The built-in js script extension function of H5GG.dylib itself is mainly memory search and modification, which is what most people can easily use and need. But in many cases, this may not meet all needs, so H5GG has a built-in plug-in API interface, It is very convenient to use Objective-C to write dylib plug-ins with various extended functions, and the functions in the dylib plug-ins can be loaded and called directly through JS. The power of H5GG plugin: H5GG official plug-in - h5frida, brings the world's most advanced and powerful hook control engine <frida> into H5GG, and frida's scripting language is also js, they are a natural pair, through frida you can call any system API, Objective -C method, you can even call the unnamed function inside the APP, as long as you have the offset. With frida you can hook any system API, Objective-C method, or even the unnamed function inside the APP, as long as you have the offset. !Even on a non-jailbroken device, you can inline-hook any function (even unnamed functions) in the dylib/main-executable of the APP, and you can also dynamically patch any offset instruction in the dylib/main-executable of the APP . Yes, you heard it right, you can dynamically patch on non-jailbroken devices. These two features were completely impossible before! But H5GG did it! The path to learn and use H5GG: 1: You need to know how to use tools such as igg for memory search and modification to hack, or you can use any C/Objective-C call/hook skills and read data methods. 2: Learn the basic syntax and logic of javascript scripting language, so that you can use js to call H5GG/h5frida's api to automate the operations in 1. (write js files) 3: Learn Html5 interface writing and layout, as well as CSS interface appearance properties, so that you can make ModMenu and build your js script into it. (Write html file) MakeTweak - Your ModMenu dylib: This is one of the amazing features of H5GG, just click the MakeTweak button on the H5GG interface, then select a png image file as the icon, select your html file as the Menu, and H5GG will generate a brand new one for you. dylib file, every time H5GG.dylib starts, it will automatically load and display your icon and ModMenu, and the original icon and UI of H5GG will be deleted. Yes, you just need to click the button and select the file. To make, no theos, no command line, no coding, no compile. Advanced: If you have macOS (mac computer or vmware virtual machine), you can connect your ios device to macOS, and debug the running ModMenu in ios through safari in macOS, for example, you can analyze UI layout, real-time dynamic adjustment and Edit UI, add breakpoints to js scripts, dynamically break and single-step scripts, etc. You can also enter any js script through safari's console and let H5GG execute it directly. HTTP request: JavaScript itself has built-in ajax function, you can use ajax to communicate with your remote server. But there is a small limitation: if your ModMenu is loaded from a local file, you can access any domain name remote server through ajax, But if your ModMenu is loaded through a remote server, you can only communicate with the server with the same domain name through ajax. Fuzzy Search & Memory View: There are currently no plans to add these two functions to H5GG, you should use other tools like igg to use these two functions. Tips: You can build a web server (or on your own computer), and then add a button to refresh the page in your ModMenu, so that you can edit the ModMenu on the computer, and then on ios without restarting the APP, you can dynamically Refresh your ModMenu, of course, you can also put ModMenu on your remote server to achieve dynamic update. Suggest: If you make ModMenu and script hacks on ios, it is recommended to download Easy HTML or HTML Editor in AppStore. I have downloaded and tried all the editor apps in AppStore, only these two are more suitable. Final: Friends, if you have any questions about H5GG or want to know the detail which part of H5GG, you can reply to this post, I will regard it as the most important opinion. screenshots: