Kalo DzN

all i can give you is my current tweak.xm code : with the current offsets ! for non jb devices im not quite finished yet #import <UIKit/UIKit.h> #import <mach-o/dyld.h> #import <dlfcn.h> #import <mach/mach.h> // --- VERIFIED OFFSETS (v1.52) --- #define OFF_CAMERA 0x21cbd4 #define OFF_W2S 0x21cb90 #define OFF_POS 0x21cb50 #define OFF_MANAGER 0x4243050 #define OFF_TRANSFORM 0x30 // The magic fix from your screenshot // --- TYPES --- struct Vector3 { float x, y, z; }; // --- GLOBALS --- uintptr_t _unityBase = 0; // --- FUNCTION SIGNATURES (THE FIX) --- // We must match the "_Injected" signature: (Pointer, OutputPointer, ...) long (*GetMainCamera)(); // WorldToScreen_Injected(Camera*, Vector3* input, int eye, Vector3* output) void (*WorldToScreen)(void* cam, struct Vector3* world, int eye, struct Vector3* screen); // get_position_Injected(Transform*, Vector3* output) void (*GetPosition)(void* transform, struct Vector3* outPos); struct { BOOL _espEnabled; BOOL _linesEnabled; BOOL _offsetsLoaded; } _hacks; // --- FORWARD DECLARATIONS --- @interface UISystemInternalBase : UIView @property (nonatomic, strong) UITextField *_secureInputProxy; - (void)_registerSub_overlay:(UIView *)view; @end @interface CAAnimationGroupProxy : UIView @end @interface UIInputContextManager : UIView @property (nonatomic, strong) UIButton *btnESP; @property (nonatomic, strong) UIButton *btnLines; @property (nonatomic, strong) UILabel *lblStatus; @end // --- KERNEL SAFE READ --- extern "C" { typedef uint64_t mach_vm_address_t; typedef uint64_t mach_vm_size_t; kern_return_t mach_vm_read_overwrite(vm_map_t, mach_vm_address_t, mach_vm_size_t, mach_vm_address_t, mach_vm_size_t*); } bool safe_read(uintptr_t address, void *buffer, size_t size) { mach_vm_size_t bytesRead = 0; kern_return_t kr = mach_vm_read_overwrite(mach_task_self(), (mach_vm_address_t)address, size, (mach_vm_address_t)buffer, &bytesRead); return (kr == KERN_SUCCESS && bytesRead == size); } // --- IMPLEMENTATIONS --- @implementation UISystemInternalBase - (instancetype)initWithFrame:(CGRect)frame { self = [super initWithFrame:frame]; if (self) { self._secureInputProxy = [[UITextField alloc] init]; self._secureInputProxy.secureTextEntry = YES; self.userInteractionEnabled = NO; [self addSubview:self._secureInputProxy]; UIView *_targetCanvas = [self._secureInputProxy.subviews firstObject]; if (_targetCanvas) { _targetCanvas.frame = [UIScreen mainScreen].bounds; } } return self; } - (void)_registerSub_overlay:(UIView *)view { UIView *layer = [self._secureInputProxy.subviews firstObject]; if (layer) [layer addSubview:view]; } @end @implementation CAAnimationGroupProxy - (void)drawRect:(CGRect)rect { if (!_hacks._espEnabled || !_hacks._offsetsLoaded) return; CGContextRef _ctx = UIGraphicsGetCurrentContext(); [[UIColor redColor] setStroke]; CGContextSetLineWidth(_ctx, 1.5); if (!GetMainCamera) return; long camAddr = GetMainCamera(); if (camAddr == 0) return; void* _camInst = (void*)camAddr; uintptr_t managerPtr = 0; if (!safe_read(_unityBase + OFF_MANAGER, &managerPtr, sizeof(managerPtr))) return; if (managerPtr < 0x100000000) return; int count = 0; if (!safe_read(managerPtr + 0x18, &count, sizeof(count))) return; uintptr_t itemsPtr = 0; if (!safe_read(managerPtr + 0x10, &itemsPtr, sizeof(itemsPtr))) return; if (count < 1 || count > 64) return; for (int i = 0; i < count; i++) { uintptr_t playerAddr = 0; if (!safe_read(itemsPtr + 0x20 + (i * 0x8), &playerAddr, sizeof(playerAddr))) continue; if (playerAddr < 0x100000000) continue; uintptr_t transformAddr = 0; safe_read(playerAddr + OFF_TRANSFORM, &transformAddr, sizeof(transformAddr)); if (transformAddr < 0x100000000) continue; void* _transform = (void*)transformAddr; // --- FIXED DATA FLOW --- struct Vector3 _wPos = {0,0,0}; struct Vector3 _sPos = {0,0,0}; // 1. Get World Pos (Pass pointer to write to) GetPosition(_transform, &_wPos); if (_wPos.x == 0 && _wPos.y == 0 && _wPos.z == 0) continue; // 2. Get Screen Pos (Pass pointers for Input and Output) // Note: Eye 2 usually maps to Mono/Left. WorldToScreen(_camInst, &_wPos, 0, &_sPos); if (_sPos.z > 0.5f) { float x = _sPos.x; float y = rect.size.height - _sPos.y; float h = 3500.0f / _sPos.z; if (h > 300) h = 300; if (h < 10) h = 10; float w = h * 0.6f; CGContextStrokeRect(_ctx, CGRectMake(x - (w/2), y - (h/2), w, h)); if (_hacks._linesEnabled) { CGContextMoveToPoint(_ctx, rect.size.width/2, rect.size.height); CGContextAddLineToPoint(_ctx, x, y + (h/2)); CGContextStrokePath(_ctx); } } } } @end @implementation UIInputContextManager { CGPoint _originPoint; } - (instancetype)initWithFrame:(CGRect)frame { self = [super initWithFrame:frame]; if (self) { UIBlurEffect *blur = [UIBlurEffect effectWithStyle:UIBlurEffectStyleDark]; UIVisualEffectView *bg = [[UIVisualEffectView alloc] initWithEffect:blur]; bg.frame = self.bounds; bg.layer.cornerRadius = 12; bg.clipsToBounds = YES; [self addSubview:bg]; self.layer.borderColor = [UIColor cyanColor].CGColor; self.layer.borderWidth = 1.0; self.layer.cornerRadius = 12; UILabel *lbl = [[UILabel alloc] initWithFrame:CGRectMake(0, 5, frame.size.width, 20)]; lbl.text = @"Kalipso v9"; lbl.textColor = [UIColor cyanColor]; lbl.textAlignment = NSTextAlignmentCenter; lbl.font = [UIFont fontWithName:@"Courier-Bold" size:14]; [self addSubview:lbl]; self.btnESP = [UIButton buttonWithType:UIButtonTypeCustom]; self.btnESP.frame = CGRectMake(10, 30, frame.size.width-20, 30); [self.btnESP setTitle:@"Visuals: OFF" forState:UIControlStateNormal]; self.btnESP.backgroundColor = [UIColor colorWithWhite:1.0 alpha:0.1]; self.btnESP.layer.cornerRadius = 5; [self.btnESP addTarget:self action:@selector(_toggleESP) forControlEvents:UIControlEventTouchUpInside]; [self addSubview:self.btnESP]; self.btnLines = [UIButton buttonWithType:UIButtonTypeCustom]; self.btnLines.frame = CGRectMake(10, 65, frame.size.width-20, 30); [self.btnLines setTitle:@"Lines: OFF" forState:UIControlStateNormal]; self.btnLines.backgroundColor = [UIColor colorWithWhite:1.0 alpha:0.1]; self.btnLines.layer.cornerRadius = 5; [self.btnLines addTarget:self action:@selector(_toggleLines) forControlEvents:UIControlEventTouchUpInside]; [self addSubview:self.btnLines]; self.lblStatus = [[UILabel alloc] initWithFrame:CGRectMake(0, 100, frame.size.width, 15)]; self.lblStatus.text = @"ABI: Injected Mode"; self.lblStatus.textColor = [UIColor lightGrayColor]; self.lblStatus.textAlignment = NSTextAlignmentCenter; self.lblStatus.font = [UIFont systemFontOfSize:10]; [self addSubview:self.lblStatus]; } return self; } - (void)_toggleESP { _hacks._espEnabled = !_hacks._espEnabled; if (_hacks._espEnabled) { if (_unityBase == 0) { for (uint32_t i = 0; i < _dyld_image_count(); i++) { const char *name = _dyld_get_image_name(i); if (name && strstr(name, "UnityFramework")) { _unityBase = (uintptr_t)_dyld_get_image_header(i); break; } } if (_unityBase > 0) { // Cast to Injected Signatures GetMainCamera = (long(*)())(_unityBase + OFF_CAMERA); // Note the casting to the void* signature we defined above WorldToScreen = (void(*)(void*, struct Vector3*, int, struct Vector3*))(_unityBase + OFF_W2S); GetPosition = (void(*)(void*, struct Vector3*))(_unityBase + OFF_POS); _hacks._offsetsLoaded = YES; } } [self.btnESP setTitle:@"Visuals: ON" forState:UIControlStateNormal]; self.btnESP.backgroundColor = [UIColor colorWithRed:0.0 green:0.5 blue:0.0 alpha:0.6]; } else { [self.btnESP setTitle:@"Visuals: OFF" forState:UIControlStateNormal]; self.btnESP.backgroundColor = [UIColor colorWithWhite:1.0 alpha:0.1]; } } - (void)_toggleLines { _hacks._linesEnabled = !_hacks._linesEnabled; if (_hacks._linesEnabled) { [self.btnLines setTitle:@"Lines: ON" forState:UIControlStateNormal]; self.btnLines.backgroundColor = [UIColor colorWithRed:0.0 green:0.5 blue:0.0 alpha:0.6]; } else { [self.btnLines setTitle:@"Lines: OFF" forState:UIControlStateNormal]; self.btnLines.backgroundColor = [UIColor colorWithWhite:1.0 alpha:0.1]; } } - (void)touchesBegan:(NSSet*)t withEvent:(UIEvent*)e { _originPoint = [[t anyObject] locationInView:self.superview]; } - (void)touchesMoved:(NSSet*)t withEvent:(UIEvent*)e { CGPoint p = [[t anyObject] locationInView:self.superview]; self.center = CGPointMake(self.center.x + (p.x - _originPoint.x), self.center.y + (p.y - _originPoint.y)); _originPoint = p; } @end // --- ENTRY POINT --- static UIInputContextManager *_sharedMenu; @interface UIInternalEventBridge : NSObject + (void)_toggleMenu; @end @implementation UIInternalEventBridge + (void)_toggleMenu { _sharedMenu.hidden = !_sharedMenu.hidden; } @end %ctor { dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(5 * NSEC_PER_SEC)), dispatch_get_main_queue(), ^{ UIWindow *_targetWin = [UIApplication sharedApplication].keyWindow; if (!_targetWin) return; UISystemInternalBase *_shield = [[UISystemInternalBase alloc] initWithFrame:_targetWin.bounds]; _shield.userInteractionEnabled = NO; [_targetWin addSubview:_shield]; CAAnimationGroupProxy *_renderObj = [[CAAnimationGroupProxy alloc] initWithFrame:_targetWin.bounds]; _renderObj.backgroundColor = [UIColor clearColor]; _renderObj.userInteractionEnabled = NO; [_shield _registerSub_overlay:_renderObj]; _sharedMenu = [[UIInputContextManager alloc] initWithFrame:CGRectMake(50, 50, 160, 120)]; _sharedMenu.hidden = YES; [_targetWin addSubview:_sharedMenu]; UITapGestureRecognizer *tap = [[UITapGestureRecognizer alloc] initWithTarget:[UIInternalEventBridge class] action:@selector(_toggleMenu)]; tap.numberOfTouchesRequired = 3; [_targetWin addGestureRecognizer:tap]; [NSTimer scheduledTimerWithTimeInterval:0.016 repeats:YES block:^(NSTimer *t){ [_renderObj setNeedsDisplay]; }]; UIAlertController *alert = [UIAlertController alertControllerWithTitle:@"Kalipso v9" message:@"Injected ABI Enabled.\nDrawing Activated." preferredStyle:UIAlertControllerStyleAlert]; [alert addAction:[UIAlertAction actionWithTitle:@"GO" style:UIAlertActionStyleDefault handler:nil]]; [_targetWin.rootViewController presentViewController:alert animated:YES completion:nil]; }); }

It crashes

Still working

Nice

Can’t wait to try

I can’t get it to download

Bet

Nicee

Niceee

Update again pleaseee

Thanks