Showing results for tags 'TuT'.
Found 1,135 results

  1. Tutorial: Some Info About ARM64

    In this tutorial, I will just give a brief overview of some ARM64. You need to know ARMv7 first so this will be easier to understand.

    Let's get started. So basically, instructions are the same: ARM64 has LDR, MOV, STR, etc., same as ARMv7. You will notice ARM64 has different registers; instead of R0, for example, ARM64 uses X0 or W0. You can hack it the same way as you would ARMv7.

    Example: This is ammo in the game Forward Assault. The highlighted instruction is what I hacked, SUB W8, W8, #1: subtract 1 from W8 and put the value back into W8. Simply NOP it. Or you can hack the STR underneath it and, instead of storing W8, change it to W20 or W29. It will result in making your ammo a very high number. Why? Because, you silly goose, W20/W29 is the equivalent of R7. Or you can use X20/X29 if the function has X.

    But wait, are W20/W29 both the same, Father Nitro? Well, I'm glad you asked, I was just about to get to that, you eager McBeaver. You see here, the 20 has a high value, but 29 has an even higher value. Sometimes 29 can make it go too high and it can go negative, so use 20 instead.

    BOOLS

    Now let's talk about Booleans in ARM64. In ARMv7, to make something return TRUE or FALSE, we simply change it to MOV R0, #1 or MOV R0, #0. ARM64 is no different, it's just X instead: MOV X0, #0 or MOV X0, #1.

    Example: Here is an example function. In case you didn't know, it's a BOOL since this function loads a byte, which has a 0 or 1 value. So as you can see, this function gets my sexiness. Obviously, to hack it you will change it to MOV X0, #1, making it true, which it is. This can NEVER be false :kappa:

    FLOATS

    So floats in ARM64 are similar to ARMv7, using FMOV instead of VMOV. So just hack the instruction the same way as you would in ARMv7. Example: You can change that FMOV S2, #0.5 to FMOV S2, #31.0.

    Now it's time to discuss something else. As you may know, in ARMv7 sometimes we want to hack the beginning of a function and make it return a float value, so we would do:

        VMOV S0, #31.0
        VMOV R0, S0
        BX LR

    So Father Nitro, is it the same in ARM64? I know what you're thinking; you're thinking in ARM64 the equivalent would be:

        FMOV S0, #31.0
        FMOV X0, S0
        RET

    WRONG! Do that and watch the game crash. In ARM64 the second instruction isn't needed:

        FMOV S0, #31.0
        FMOV X0, S0
        RET

    So just replace the first 2 lines of the function with FMOV S0, #31.0, then RET that bad boy.

    Now let me get into another example why ARM64 is bae. Example: This function is from Critical Ops, which gets the bounciness of the grenade. As you will see, it's an LDR; you can hack it and change it from LDR to FMOV. Yes, in ARM64 you can hack LDR functions to FMOVs. So to hack the function, you can replace the LDR S0, [X0,#0xA0] with FMOV S0, #31.0. This function made my grenades super bouncy; it was funny to troll in public matches. The grenades bounced like crazy!

    In ARMv7 I found the same function; it was an LDR followed by a BX LR (RET). So to hack it, I tried many things, MOV R0, R7 and such, but every time I threw a grenade it crashed. A VMOV S0, #31.0 / VMOV R0, S0 / BX LR wouldn't work since there isn't enough space, unless you wanted to write your own code to the unused part of the binary and make the function branch there, which I'm not entirely sure would have worked since I never tried. So I just hacked it in ARM64 instead.

    That's it for this tutorial.

    EDIT: Forgot to mention, this tutorial was written specially for Amuyea.
  2. As requested, here is the tutorial on how to dump il2cpp of iOS Unity games. With Il2CppDumper, it will be much easier to find useful functions and offsets to hack. No need to waste your time debugging the game.

    Requirements:
    - ARM/ASM knowledge
    - IDA hacking experience
    - IDA Pro. Download link
    - Notepad++. Download link
    - Il2CppDumper (Windows). Download link
    - Clutch or Rasticrac for jailbroken devices, or visit appvn.com to download the latest cracked free games
    - WinRAR or 7-Zip to open the .ipa file

    Instructions:
    Download the Il2CppDumper release version by Perfare and extract the program. To open the .ipa file, simply rename the file extension to .zip and open it. If you are using 7-Zip, right click -> 7-Zip -> Open Archive to open the .ipa file directly. Navigate to \Payload\<app or game name>.app\ and extract the big binary file that doesn't have a file extension. Navigate to \Payload\iosfps.app\Data\Managed\Metadata\ and extract global-metadata.dat.

    32-bit: Press 1 for 32-bit and press 2 for auto. Please use Auto mode to get the program to find the offsets and dump the code for you, because looking for the 2 required pointers (CodeRegistration and MetadataRegistration) in IDA Pro to dump is too complicated, and Unity already stripped all the names of the functions, which means it will be harder to find. As you used auto mode, the program will tell you the pointers, but you do not need to know them if you have no idea what they are. Skip the 64-bit steps if you are working with 32-bit.

    64-bit: Auto mode does not work on 64-bit binaries yet. Here is the dev's response: "I have to say, these same questions will make me feel that adding auto feature is a bad decision". We have to find the 2 required offsets (CodeRegistration and MetadataRegistration) in IDA to dump. Open IDA Pro 64-bit (idaq64.exe), and disassemble the binary in 64-bit. Search for the function name InitFunc_1. Above InitFunc_1, there is a sub function that contains the 2 pointers we need:

        sub_100C46D8C ; DATA XREF: InitFunc_1+8o
        ADRP X0, #unk_101D48FE8@PAGE
        ADD X0, X0, #unk_101D48FE8@PAGEOFF
        ADRP X1, #dword_101D948C8@PAGE

    In Il2CppDumper, press 2 for 64-bit and press 1 for manual. Input your pointers:
    Input CodeRegistration(X0): your first pointer
    Input MetadataRegistration(X1): your second pointer

    The dump.cs file should be created at the location where Il2CppDumper.exe is located. Open dump.cs with Notepad++ by right clicking and selecting Edit with Notepad++. Inside dump.cs, you'll see C# code. Method bodies are not dumped, but it's very simple code that tells you the function names and offsets to mod.

    Launch Il2CppDumper.exe. It will open the dialog twice to select files. For the ELF file or Mach-O file, select the binary file. For global-metadata.dat, select global-metadata.dat. It will ask you to select the platform, 32-bit or 64-bit: press 1 for 32-bit or press 2 for 64-bit. Now for Mode, press 1 for manual and press 2 for auto. Please use Auto mode to get the program to find the offsets and dump the code for you, because looking for the 2 required offsets (CodeRegistration and MetadataRegistration) in IDA Pro to dump is too complicated, Unity already stripped all the names of the functions, which means it will be harder to find, and I haven't found out where to find the 2 offsets in a 64-bit binary yet. As you used auto mode, the program will tell you the offsets, but you do not need to know them if you have no idea what they are.

    To search, click Search -> Find... To find all occurrences of a keyword, click on Find All in Current Document. If you have never seen C# code before, I'll explain a bit what the code means. I'm bad at explaining what this code means, but I hope it goes well.

    The comment you see on top is just a list of .dll files that have been converted into il2cpp:

        // Image 0: mscorlib.dll - 0
        // Image 1: System.Security.dll - xxxx
        …
        // Image xx: Assembly-CSharp.dll - xxxx

    The Assembly-CSharp.dll (Android users know this) is the game logic thing and it is what we are looking for. The full code of the "Assembly-CSharp.dll" thingy is always located somewhere at the bottom of the dumped file.

    This class body is like a group to make it easier for programmers to find code. For example, the PlayerAntiHack class contains anti-hack related code.

        // Namespace:
        public class PlayerScript : MonoBehaviour // TypeDefIndex: 4303
        {
        }

    In IDA you'll probably see function names like Player::Get_Gold…, Player::Get_Cash…, Player::Isbanned…, …. I'll bring you better details: A class is a construct that enables you to create your own custom types by grouping together variables of other types, methods and events. A class is like a blueprint. It defines the data and behavior of a type. ... Unlike structs, classes support inheritance, a fundamental characteristic of object-oriented programming.

    In the class, you'll see something like this:

        // Fields
        private int primaryWeaponIndex; // 0x10
        private float minSpread; // 0x820
        private float spread; // 0x824
        private float visualSpread; // 0x828
        ….

    Fields are not what we are looking for, so let's look into Methods.

        // Methods
        private int findNextAvailableWeapon(int currentWeaponIndex); // 1e704c
        private bool IsLookingAtPlayer(PlayerScript player); // 1f3894
        public bool HasBeenVisible(); // 1f2fa0
        ….
        public int get_Gold_Example(); // 1a2b3c
        public float float_example(); // 1a2b3d
        ….

    This is what we are looking for. These simple lines explain the names of the methods/functions and what type they are, and the REAL IDA OFFSETS are written in the green commented text. public, private, protected etc. are access modifiers. It's not important to know. static is a static modifier to declare a static member. It's not important to know. int, float, double, boolean etc. are data types. If you look up the offset in IDA, you will see a sub_xxxxxx.

    Write down all useful functions + offsets you found inside the dumped .cs file and start writing your code injection.

    Note: It is suggested that you disassemble the binary file and look up the offsets to see if there is enough space to replace the instructions to hack.

    That's all. Good luck hacking iOS games!

    Credits:
    Evildog1 A.K.A iAndroHacker (this tutorial)
    Perfare (Il2CppDumper https://github.com/Perfare/Il2CppDumper)

    If you have any issues with Il2CppDumper, please report the issue at: https://github.com/Perfare/Il2CppDumper/issues/
  3. Hey! If you came here wondering how you create a port 23 for lldb using iFunbox, you're at the right place. You need to have placed the debugserver file from this topic by @DiDA first. Then, IF you're on Windows 10, you follow the video below. Lower Windows versions should be able to run mux.exe; if not, watch my video also.
    Video:
    Credits: @Ted2
  4. Hello Everyone! In this topic I'll explain/show you how you hack games with IDA using lldb and/or GDB on armv7. I'll try to make it as noob friendly as I can; it will be a long tutorial since I'll explain EVERY step.

    Requirements for this tutorial:
    - IDA Program -> get it HERE
    - Jailbroken phone to test it
    - Hex editor
    - The binary of the game we're gonna hack -> get it HERE *
    - The game, get it HERE & download v1.11
    - LLDB -> for Windows, go HERE & for Mac go HERE
    - Gameplayer
    - Theos fully set up (not 100% necessary, but since you're learning hacking.. why not?) -> Setup Tutorial

    * = When you're hacking armv7, I suggest you remove ASLR from the binary using THIS site, so you don't have to calculate every watchpoint & breakpoint. The binary for this tutorial is thinned & has ASLR removed.

    The game we are going to hack is called 'Trigger Fist', a dead shooting game, but good to practice with.

    First thing to do is load the binary from above into IDA, with these settings:

    Second thing we need to do is replace the binary of the game with the one from above, since we will be using lldb & we don't want ASLR to be loaded. To do this, you'll need Filza Manager from Cydia. First of all, copy the binary, then go to /var/containers/bundle/application/'Trigger Fist/TriggerFist.app' & paste. Then set the binary permissions like this: To do this, you click the little 'Info' icon next to the binary name.

    Alright, everything is set for debugging using lldb. First of all we need to know what we're going to hack, which is ammo & grenades. So what we're going to do is find the values using Gameplayer; I hope everyone knows how to do that. Write them down if you found both values. You can also do this while you're connected with lldb, but every time you search for a value in Gameplayer, you'll need to type 'continue' or 'c' in the lldb window. I do this because sometimes the game changes the value even if I haven't closed it. Not sure if this also applies to this game, but it's up to you how you wanna do it. If you do not know how to find them: your ammo starts with 30 (at least for me; if not for you, replace the numbers below with yours).

    Alright, now we need to debug, so we can get the IDA offsets. We need to debug with port 23; on Mac you don't need to do anything. On Windows you run the mux.exe program for it, but if you're on Windows 10 that won't work. We need to do it with iFunbox, using the USB Tunnel option in the Toolbox tab. See THIS topic to do this with Windows 10.

    First we need to make a connection with our phone, by running this command in the SSH Terminal (open using iFunbox):

        debugserver 127.0.0.1:23 --attach=PID

    What is 'PID'? Not sure what it exactly is, but I do know how to find it. Open the game, click the Gameplayer icon & select the application if it doesn't automatically. This is the PID:

    Alright, you typed it in & it should look like this:

    Now go to your lldb folder & double click lldb.exe. A command prompt will show up; type this:

        process connect connect://127.0.0.1:23

    It should look like this: It can take some time to make the connection, depending on how fast your connection is. When it's connected it will show you this:

    Alright, so we want to know the IDA offsets of the Gameplayer addresses we have. We do this with this command:

        w s e -- 0xgameplayeraddress

    which is for me:

        w s e -- 0x1501ca6c //ammo
        w s e -- 0x0ebcec60 //grenades

    It should say this when you set a watchpoint: Type 'continue' or 'c' in the lldb window to continue the game. Make a change in ammo; the game will freeze, this is good! The lldb window will look like this. This is the IDA offset (marked with <<<<<<<<<). (WRITE IT DOWN + WRITE DOWN WHAT THE VALUE CHANGED TO)

        (lldb) Process 86864 stopped
        * thread #1: tid = 0x15350, 0x001527d4 TriggerFist`___lldb_unnamed_function1$$TriggerFist + 1382346, stop reason = watchpoint 3
            frame #0: 0x001527d4 TriggerFist`___lldb_unnamed_function1$$TriggerFist + 1382346
        TriggerFist`___lldb_unnamed_function1$$TriggerFist + 1373466:
        ->  0x1527d4 <<<<<<<<<<<<<<<: mov r0, #0x1
            0x1527d8: strb r0, [r10, #430]
            0x1527dc: mov r0, #0x1

    Also type 'register read' to know what each register means around the function (register = R1, R2, R3, etc.). It will look like this: Copy the output & paste it somewhere where you can find it back & type 'ammo' above it. How to copy it? Select it with your mouse & hit enter; this will copy it. You can 'ctrl + c' it too, but it will ask you to quit lldb & we don't want that.

    Alright, now type 'continue' or 'c' in lldb to continue the game. Make a change in grenades; the game will freeze & we now know this is good! We also know how the lldb window looks & what the IDA offset is. (WRITE IT DOWN + WRITE DOWN WHAT THE VALUE CHANGED TO) Type 'register read' again & do the same process you did with the ammo, but now type 'grenades' above it. I suggest you register read when you have more than 0 grenades, otherwise it's harder to see which register is the real one. Now we have both; close lldb.

    Alright, now we know both offsets & what every register means; it's easy peasy to hack. Let's look into the ammo function first; it looks like this: Alright, there are most of the time multiple ways to hack something. This is the exact code written:

        LDR R0, [R10,#0x88]
        LDR R0, [R0,#0x70]
        CMP R5, R0
        BLT loc_152764
        LDR R0, [R10,#0x88]
        LDR R1, [R0,#0xAC] //
        SUB R1, R1, #1 //
        STR R1, [R0,#0xAC] //
        MOV R0, #1 ; The address where it drops us
        STRB R0, [R10,#0x1AE]
        MOV R0, #1
        STRB R0, [R10,#0x1AF]
        LDR R0, [R10,#0x1CC]
        ADD R0, R0, #1
        STR R0, [R10,#0x1CC]
        LDR R0, [R10,#0x88]
        VLDR S0, [R0,#0x68]
        VCVT.F64.F32 D2, S0
        VCVT.F32.F64 S0, D2
        VSTR S0, [R10,#0x284]
        LDR R0, [R10,#0x174]
        LDR R1, =(unk_C80D00 - 0x15281C) //
        B loc_152814

    Alright, we also know what all registers mean. lldb gives the values in hexadecimal; we only know the values in decimal. We wrote down what our ammo changed to, which was for me 29. 29 in hex = 1D. Register 1 (R1) holds that value, which means that's our ammo. As you can see in the code, we see some R1, R0, R5, R10 etc. R1 is what is important for us now. As you can see in the code above the 'register read' output, I wrote // after each instruction with an R1 in it, which are these four: I wrote down what they mean. We can see in the 'register read' output we wrote down, R0 = 0x1501c9c0 in hexadecimal, which is 352438720 in decimal value. This is a big number & gets loaded into our ammo, it says. This doesn't make sense to me, because if that's true we had lots of ammo. But we don't have to take everything exactly as translated; I mean, Google Translate sucks too.

    Anyways, the SUB instruction is the most used way to hack ammo. Why? Well.. when you shoot, one bullet will go away. This instruction subtracts 1 from R1 (ammo) into R1 (ammo). We can hack a SUB in different ways:
    1. NOP the instruction; what this does is skip the instruction and do nothing.
    2. Change the #1 to #0, which would subtract 0 from our ammo.
    3. Change the SUB to ADD, which would ADD ammo instead of subtracting.
    4. Change the SUB to MOV R1, R7, which would move the value of 803 million into our ammo.

    We can also hack it using the first LDR from above & the STR instruction.
    How we hack the LDR: LDR R1, [R0,#0xAC] to LDR R1, [R7,#0xAC] --> What this does is load R7 (803 million) into our ammo instead of what the normal value should be.
    How we hack the STR: STR R1, [R0,#0xAC] to STR R7, [R0,#0xAC] --> What this does is store R7 into [R0,#0xAC] instead of storing our normal ammo.

    When you're hacking a binary, you need to know what kind of 'HEX' it is. How to find out: When you know that, you can change the instruction which you like. Let's change the SUB instruction to MOV R1, R7. The outcome in armconverter will be 0710A0E1, because this game is ARM-HEX.

    Normally you patch the binary manually using a hex editor; somehow this is not working for me on this game. Maybe for some others it does, I don't know. These are the steps if you wanna try it: Load the same binary you loaded into IDA in HxD. I suggest you make a backup though. We need to go to our SUB instruction offset, which is 1527CC. How do I know? See here: Go to that offset in HxD, by doing 'ctrl + G' or 'Edit - Goto'. This is it, this is what we're gonna hack. Alright, I'm going to hack it by changing the SUB instruction to MOV R1, R7. You can do whatever you prefer, but remember, do it in ARM-HEX!! It will look like this: Now save it.

    We wanna test it, but we need to sign it first. Paste the hacked binary into /var/mobile with iFunbox or whatever you like. Type in the SSH window: cd /var/mobile & then type: ldid -s TriggerFist. You're done; if it doesn't work see this topic by @shmoo: Sign Binary Topic. Now replace it into your application folder like you did before with the same permissions. Test the hack.

    I'm using a Code Injection Template with Theos; if you never used Theos, you need to set this up. If you do, paste this nic template into your /var/theos/templates/iphone/ HERE. Link to template: Code Injection Template made by @DiDA. You set up a project like you normally do & change the tweak.xm, which looks like this: Change it to this: Why? The first offset is the IDA hex offset & the second is the hacked offset. Compile it & test it.

    The grenades function is for you guys; you can try this on your own! You guys have the 'register read' output, so you can do it! Let me know if you succeed. Hope you learned something.

    PS: there will come some more advanced tutorials soon, also with lldb. Another game you can practice with is Sniper 3D; ammo is easy & resources are the same offsets but maybe more 'challenging'.

    Credits: @Ted2
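    The ARM64 post (1) and this armv7 post both end the same way: an instruction in the __text section is overwritten in a hex editor, the binary is re-signed with ldid -s and dropped back into the app bundle. From the game developer's or incident responder's side, the question is how to tell that a shipped binary has been patched. The following is an added example, not code from either post: it walks a thin Mach-O's load commands to locate the __TEXT,__text section, hashes it (the value an integrity check would pin) and reports every 4-byte instruction word that differs between a known-good copy and a suspect copy. The minimal Mach-O builder, the six-word ARM64 fragment and the NOP patch are all constructed for the demo; fat/universal binaries are not handled (thin them first, as the tutorial's binary already is).

```python
import hashlib
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # thin 32-/64-bit Mach-O, little-endian
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19

# magic -> (header length, segment cmd, segment format after cmd/cmdsize, section format)
_LAYOUT = {
    MH_MAGIC_64: (32, LC_SEGMENT_64, "<16sQQQQiiII", "<16s16sQQIIIIIIII"),
    MH_MAGIC:    (28, LC_SEGMENT,    "<16sIIIIiiII", "<16s16sIIIIIIIII"),
}


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode()


def find_section(blob, segname="__TEXT", sectname="__text"):
    """Return (file offset, size) of segname,sectname in a thin Mach-O."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic not in _LAYOUT:
        raise ValueError("not a thin little-endian Mach-O")
    hdr_len, seg_cmd, seg_fmt, sect_fmt = _LAYOUT[magic]
    ncmds = struct.unpack_from("<I", blob, 16)[0]
    pos = hdr_len
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, pos)
        if cmd == seg_cmd:
            seg = struct.unpack_from(seg_fmt, blob, pos + 8)
            if _cstr(seg[0]) == segname:
                nsects, spos = seg[-2], pos + 8 + struct.calcsize(seg_fmt)
                for _ in range(nsects):
                    sect = struct.unpack_from(sect_fmt, blob, spos)
                    if _cstr(sect[0]) == sectname:
                        return sect[4], sect[3]        # (offset, size)
                    spos += struct.calcsize(sect_fmt)
        pos += cmdsize
    raise ValueError(f"{segname},{sectname} not found")


def text_digest(blob):
    """SHA-256 of the executable code only, the value an integrity check would pin."""
    off, size = find_section(blob)
    return hashlib.sha256(blob[off:off + size]).hexdigest()


def diff_text(original, suspect, word=4):
    """(file offset, original hex, suspect hex) for each differing 4-byte unit of __text.
    One unit is one ARM/ARM64 instruction, so each hit is one patched instruction."""
    o_off, o_size = find_section(original)
    s_off, s_size = find_section(suspect)
    if (o_off, o_size) != (s_off, s_size):
        raise ValueError("__text layout differs; not a simple in-place patch")
    hits = []
    for i in range(0, o_size, word):
        a = original[o_off + i:o_off + i + word]
        b = suspect[s_off + i:s_off + i + word]
        if a != b:
            hits.append((o_off + i, a.hex(), b.hex()))
    return hits


def build_thin_macho(text, bits=64):
    """Constructed minimal Mach-O: header + one __TEXT segment holding a __text section.
    Demo only; real binaries carry many more load commands."""
    if bits == 64:
        hdr_fmt, magic, cpu, seg_cmd = "<IiiIIIII", MH_MAGIC_64, 0x0100000C, LC_SEGMENT_64
        seg_fmt, sect_fmt, vmbase = "<II16sQQQQiiII", "<16s16sQQIIIIIIII", 0x100000000
    else:
        hdr_fmt, magic, cpu, seg_cmd = "<IiiIIII", MH_MAGIC, 12, LC_SEGMENT
        seg_fmt, sect_fmt, vmbase = "<II16sIIIIiiII", "<16s16sIIIIIIIII", 0x4000
    cmdsize = struct.calcsize(seg_fmt) + struct.calcsize(sect_fmt)
    text_off = struct.calcsize(hdr_fmt) + cmdsize
    end = text_off + len(text)
    header = struct.pack(hdr_fmt, magic, cpu, 0, 2, 1, cmdsize, 0, *([0] if bits == 64 else []))
    seg = struct.pack(seg_fmt, seg_cmd, cmdsize, b"__TEXT", vmbase, end, 0, end, 5, 5, 1, 0)
    sect_fields = [b"__text", b"__TEXT", vmbase + text_off, len(text), text_off, 2, 0, 0, 0x80000400, 0, 0]
    sect = struct.pack(sect_fmt, *(sect_fields + ([0] if bits == 64 else [])))
    return header + seg + sect + text


# Constructed __text: prologue, SUB W8,W8,#1, STR W8,[X9], epilogue, RET (illustrative words).
ORIGINAL_WORDS = [0xA9BF7BFD, 0x910003FD, 0x51000508, 0xB9000128, 0xA8C17BFD, 0xD65F03C0]
# Suspect copy: the SUB replaced by an ARM64 NOP, i.e. the "simply NOP it" edit from post 1.
SUSPECT_WORDS = ORIGINAL_WORDS[:2] + [0xD503201F] + ORIGINAL_WORDS[3:]


def words_to_bytes(words):
    return b"".join(struct.pack("<I", w) for w in words)


ORIGINAL_BIN = build_thin_macho(words_to_bytes(ORIGINAL_WORDS))
SUSPECT_BIN = build_thin_macho(words_to_bytes(SUSPECT_WORDS))

if __name__ == "__main__":
    print("original __text sha256:", text_digest(ORIGINAL_BIN))
    print("suspect  __text sha256:", text_digest(SUSPECT_BIN))
    for off, before, after in diff_text(ORIGINAL_BIN, SUSPECT_BIN):
        print(f"patched instruction at file offset 0x{off:x}: {before} -> {after}")
```

    On real files, read both binaries with open(path, "rb").read() and pass them to diff_text; the reported file offsets are the same kind of offsets the tutorial locates in HxD, so each hit can be looked up directly in IDA. Note that re-signing with ldid -s does not hide the change, because the comparison is over the code bytes, not the signature.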
  5. 1- Guide to create a transfer code:
    a) Open the MENU tab, at the bottom right of the screen, and go to Device Transfer / Back Up.
    b) Create a transfer code.
    c) Write down the two codes created and/or copy-paste them to a sticky note.
    d) Repeat these two steps at least every week, because the transfer codes expire after 2 weeks!!!

    2- Guide to recover your lost account:
    a) Go to the page: Global Edition - Japanese Edition
    b) Then send an empty mail via the link at the bottom of the page.
    c) They'll send back an email with a link to a form; open it and fill in the requested details, where they'll ask for:
    - User ID
    - In-game name
    - Rank
    - In-game name
    - Characters/Teams/DS/General information
    - Last event attended/Last actions in the game/etc.
    - The last purchase/transaction data (can be seen in the purchase history on the Play Store or the App Store)
    d) They'll return with a migration code within 10 business days once the application is processed and their checks are done.
    e) Enter these codes in your new game to recover your old account (the one related to the User ID).

    3- Guide to link your game to Facebook:
    a) Create a Facebook account if you do not have one.
    b) Open the MENU tab, at the bottom right of the screen, and go to Device Transfer / Back Up.
    c) Go to Facebook Linking Back-up and log in to Facebook.
    d) Your game is now linked to your Facebook account.

    And, that's it!
  6. First off, if the hack is outdated this isn't going to help you. This is for mods such as Unkilled, TWD: No Man's Land, and more.
    Requirements: JB, AppSync (search for it in Cydia)
    [Hidden Content]
    That's how I get a decent amount of DiDA's hacks to work that used to crash before.
  7. Difference Between ADDRESS and OFFSET

    In the initial days when I started writing assembly programs on my own, I used to get confused as to when to use ADDRESS and when to use OFFSET in the program. This article is an attempt to clear the doubts of assembly programmers regarding the meaning and usage of ADDRESS and OFFSET.

    First and foremost, the purpose of using either ADDRESS or OFFSET is to get the memory address of variables during program execution. Now, we know that variables in any assembly program are of two types, i.e. local and global variables. While global variables remain in memory throughout the execution of the program, local variables exist only during the execution of the functions in which they are declared, and will be removed from the stack memory once the function in which they are declared completes its execution.

    Since the global variables exist in memory throughout the lifetime of a program's execution, their memory address is allocated at assembly time by the assembler. The assembler knows the exact location of the global variable's memory address at assembly time. In the case of local variables, the assembler has no idea about the address of the variable, as its address is allocated at runtime on the stack as and when the function in which it is declared is executed.

    Now coming back to our assembler instructions: OFFSET will get the address of a variable which already has its address allocated. This in turn means OFFSET can be used to get the address of global variables only. We cannot retrieve the address of a local variable by using OFFSET, as the address of a local variable is not decided at assembly time. To overcome this difficulty we have the ADDRESS instruction. This instruction should be used if we want to retrieve the address of a local variable.

    Now naturally a question arises as to how ADDRESS knows the address of a local variable while OFFSET cannot. Well, even ADDRESS will not know the actual address of a local variable, as it is referred to at assembly time. What ADDRESS actually does is a simple substitution in the code as follows, just before the function is executed:

        lea eax, localvar
        push eax

    What this really means is that ADDRESS causes the address of the local variable, which is generated at runtime, to be returned. lea is used to refer to the stack memory. LEA means Load Effective Address! It is used to load variables from the stack.

    If you still did not get it, then imagine a situation as follows. I am standing somewhere on the street and you come to meet me there in search of the address of a beautiful girl which you feel I know. So, now your asking me for the address could be considered as the assembly time of the program; you are the assembly program in search of the (girl's) address and I am the assembler. Now if I know her exact address I'll give it to you, with the perfect street address, door number, etc. This is what OFFSET does. Now if I don't know where she lives, but I know somebody who I know knows the address of that girl, then I'll give you the address of that somebody and ask you to check there for the address of the girl you are searching for. That's what ADDRESS does. So it's clear that even ADDRESS doesn't have the exact address of the variable.

    Now that we clearly know when to use ADDRESS and OFFSET, another question arises. Can we use ADDRESS to load global variables???? Yes, of course! If you are referring to global variables using ADDRESS, then ADDRESS simply substitutes it as follows:

        mov eax, 3000h

    where 3000h is the actual address of the global variable. Remember, the actual address of a global variable is known at assemble and link time. But then, why does ADDRESS use LEA instead of MOV in the case of local variables? Well, for the simple reason that mov eax, ebp+2 is an invalid CPU instruction. Note that EBP, also known as the base address, is the register used to access the stack, and it is on the stack where the local variables are stored. Hence, LEA is used by ADDRESS in the case of local variables.

    So it is clear that OFFSET is to be used for global variables and ADDRESS for local variables. ADDRESS can ALSO be used while referring to global variables, BUT OFFSET cannot be used while referring to local variables.

    Credits to author: http://www.hitxp.com/comp/pro/asm/120403.htm
  8. Hello my friends. It is great to have fixed my iPhone and finally be back! I am sharing this knowledge today because I noticed all of the common links went down months ago and everyone is starting to go to their PC to impact Yalu. I hate doing this personally and found a working link, so here it is. This is just another version of the popular Yalu 102 semi-untethered JB.

Compatible devices: iPhone 6s Plus, iPhone 6s, iPhone 6 Plus, iPhone 6, iPhone 5s, iPhone SE, iPad Air, iPad mini 4, iPad mini 3, iPad mini 2, iPad Pro, iPod Touch 6

Step 1. Go to the link below and smack that big blue button to download Yalu.
[Hidden Content]
[Hidden Content]
Step 2. Go to Settings > General > Device Management > and trust Foxto Co., Ltd
Step 3. Open up the new app "YaluArabic" and press the words in the middle, as seen below. It might take a few tries for the JB to register, so you might have to repeat this step a few times.

Enjoy! If there are any issues or the license gets revoked, let me know and I'll snag you guys a new one!
  9. How to stop FREE Paid Apps/certificate apps from Getting Revoked! So if you download your paid apps through 3rd party apps, you may be familiar with apps getting revoked and being rendered useless, meaning all of your saved data within the app is gone. Now there is a new way of stopping apps from getting revoked, which works by blocking the connection between the app's profile signature and Apple's verification server. This method is super simple, easy and quick to do. GIMME SOME LOVE [Hidden Content]
  10. Tutorial Tutorial help

    Looking for a way to learn how to hack a game to get God mode in a game or how to have unlimited skill in game. Trying to find the right tutorials so I can know which direction to go, such as Flex, Theos or something different. It's mainly for 1 or 2 server-side games so I can hack them myself. I've seen such mods that do this for games and I would love to learn how to do it. Please, if someone can tell me which tutorial I can go to to learn how to do it. I've asked a while back but all I get is "go to the tutorials section". I can never find what exactly each way to hack a game is like, "Theos is for _________, or Flex is for ______". I just want to learn specifically for games I want to play. If I didn't make it clear before, I do not want to hack things that are unhackable, such as in-app purchases or anything like that. Please, someone help point me where I need to go.
  11. LLDB ON ALL WINDOWS 64bit PERMANENT GENUINE SOLUTION-FIX

Here we go... Simple instruction... BECAUSE SIMPLE HAS POWER... Tested on Win 7 64, Win 8 64, Win 10 64... It must work.

INSTRUCTION: [Hidden Content]

Credits: Me

P.M.S: You can use every version of iTunes, it does not depend on anything.... Here is a picture of how a properly started lldb needs to look... it must have two windows, one LLDB and one itunnel mux..... Also make sure to start lldb from "lldb.cmd". ALSO I RECOMMEND THAT YOU USE "Bitvise SSH Client (Tunnelier)" INSTEAD OF PEASANT PUTTY... ALL THE BEST
  12. Here's how to install iGameGuardian without "Initialisation Error". I figured I would make a tutorial because there isn't much out there. [Hidden Content]
  13. Tutorial LLDB Problems...

    iPhone 6s 10.2 and Windows 10 64bit. I have debugserver in usr/bin 755 root/mobile. I open lldb, then open iFunbox, then connect via PuTTY as root. Then in PuTTY I place 127.0.0.1:23 --attach=nameofapp. I use the default IP, because it works... Then my game on the phone freezes, I go to the lldb window and type this "process connect connect://127.0.0.1:23" and then NOTHING. The game is frozen and nothing happens... WHAT CAN IT BE GUYS???
  14. Anyone on iPhone 7 knows the struggle of getting Extra_Recipe to jailbreak your device. It usually takes 1-8 tries, but with this method it usually always works first time. I also have a backup method.

Method 1: Before opening Extra_Recipe, turn your phone on airplane mode, then open Extra_Recipe and click go.

Method 2: Hard reboot your phone (hold down Power + Volume Down button until the Apple screen appears) and turn on airplane mode, then swipe up Extra_Recipe if it is open in multitasking, reopen it and click go.

If both of these methods don't work after a couple of tries, comment below your iOS version and I'll try helping you fix it.
  15. Hello, today I'm going to show you how to make FlexConverter work for Flex 3, let's start!

Requirements:
1. Jailbroken iDevice with FlexConverter installed (you can install it from here):
2. iFile (download it from Cydia)
3. Basic iFile knowledge (copy/paste/create symlink...)

Instructions: [Hidden Content]
  16. Requirements:
*Jailbreak
*Yalu102 IPA
*Basic Cydia Knowledge

Tutorial: [Hidden Content]

Now you have to do absolutely nothing to resign any application. Enjoy.
  17. Video How To See Wifi Password On Iphone

    Requirements:
- Jailbreak
- Cydia

Tut:

Credits:
- Me
- Malcolm Hall
  18. Now I can explain how to fast farm EXP/cards in One Piece Treasure Cruise with a hack.

Requirements
- Jailbroken iPhone/iPad.
- iPhone 5 or better, or iPad 4 or better
- GameGem
- Hack for One Piece Treasure Cruise (use auto win [VIP hack feature]) for a better result

[Hidden Content]

Special thanks to @Amuyea and @xiaov
  19. This tutorial is going to be about controlling your iDevice from SSH. But wait, what the heck is SSH? SSH is short for Secure Shell. It's like a terminal, but the difference is that the terminal executes code on the device it's launched on, while SSH executes code on the device you've SSHed into over WiFi or USB.

So, how do I get SSH on my iDevice? Well, it's really simple. If you have a jailbreak on iOS 9.3.3 or lower, just open Cydia, search for OpenSSH, and install it. That's it, now you have SSH!

But wait, what if I'm jailbroken with YaluX or extra_recipe? There are two ways to get SSH. Yalu and extra_recipe install SSH on your device by default, but it only works over USB. If you wanna SSH into your device over USB, here's a great tutorial on how to use SSH on the YaluX jailbreak via USB. But wait, you want SSH over WiFi? OK, this is also easy! Here's a great tutorial about how to SSH into your iDevice over WiFi with the YaluX jailbreak!

So now, the most fun part begins! We're SSHing into the iDevice. Let's go! If you're SSHing over USB, the tutorial about SSH over USB on yalu102 is pretty clear. If you're SSHing over WiFi, I'll explain it here.

SSHing over WiFi

macOS / Linux:
- Open Terminal
- Type ssh root@your-idevice's-ip
- It will ask you for your root password. The default one is alpine. If you didn't change it, it'll be the default one.

Windows:
- Download PuTTY
- Open the app
- Select the connection type SSH
- Enter the IP address of your iDevice
- Press Open
- Wait for a few seconds till it asks for the password and enter it. Again, the default one is alpine.

Congratulations, you've SSHed into your iDevice! Now, let's do stuff. Here are some useful commands:
- passwd - changes the SSH access password so hackers can't use the default one to mess up your device
- killall backboardd or killall SpringBoard - resprings your iDevice
- reboot - reboots your iDevice
- halt - powers off your iDevice

But wait, is this all? No it isn't. Let's take real control over our iDevice!
To do this, download this small tool I wrote for controlling your iDevice from SSH (read the description to know how to install it). So, after you've downloaded nimbus, you can fully control your iDevice from SSH! In SSH, type nimbus help. You'll see a list of commands which you can enter. So, let's have some fun! Open an app on your iDevice. Now type nimbus home. See? The home button press was simulated! Cool, right? You can look for other commands in the nimbus help list. Looks actually fun, right?
  20. Tutorial How to spoof location NO JAILBREAK

    How to spoof location NO JAILBREAK

Requirements:
- Computer with Xcode installed
- An iDevice
- An Apple ID

Instructions:
1. Make a blank app in Xcode
2. Plug your device in and click the run button!
3. Go to Google Maps and get the location, copy and paste the link here https://mapstogpx.com/ and download your .gpx file!
4. Click this button at the bottom of the screen!
5. Load your .gpx file and bam, look at Find Friends or Find My iPhone on your iDevice and enjoy the spoofed location

CREDITS: ME @ElevatedHacks
Request by @4Hero
  21. This tutorial is for fixing the missing driver for your devices (cannot be detected by iTunes/iFunbox/iTools/iExplorer) after updating iTunes, when reinstalling/installing iTunes does not solve this problem. OK, let's begin.

1. If you have installed apps/games with iTunes or backed up your device's data, make sure you back up these folders (skip this if you have not backed up your device with iTunes, or installed apps/games with iTunes):
- C:\Users\pc name\Music, then copy the folder iTunes to another drive
- C:\Users\pc name\AppData\Roaming, then copy the folder Apple Computer to another drive

2. Uninstall iTunes and the other iTunes apps:
- iTunes itself
- Bonjour
- Apple Software Update
- Apple Mobile Device Support
- Apple Application Support (64-bit) and Apple Application Support (32-bit) (*if your OS is 32 bit/x86, "Apple Application Support (64-bit)" is not available)

3. Now we clean the other iTunes files:
- delete folder iTunes in C:\Users\pc name\Music\iTunes
- delete folder Apple Computer in C:\Users\pc name\AppData\Roaming\Apple Computer
- delete folders Apple and Apple Computer in C:\ProgramData

4. Now install a new iTunes, then connect your devices.

Sorry, my English is bad.
  22. Hi, this week I'm in summer in another country, and my Yalu102 certificate has expired and I don't have any computer with me. Searching on the internet I found a link where you can install Yalu102. The link is: [Hidden Content]

If you have any problem, write in the comments below. I don't know when Apple will revoke the certificate, but I will update the link when the app doesn't work anymore.

P.S. Sorry for my English, I'm Italian.

07/09/2017: Reuploaded Again From The Creator Of The Link. After You Get Yalu102 App From My Tutorial Or From Cydia Impactor With Computer, I Recommend This Tutorial Made By @FlyingAK473 For Auto-Resign The Yalu102 App With Extender To Get Yalu102 App Forever: And By The Way I Recommend Reading This General Discussion For Yalu+Extender Best Combination Made By Me:

Credits:
- @XD10SX
- @FlyingAK473
- @i0s_tweak3r
  23. Setting up Theos with the iOS toolchain for Windows on cygwin64

Note: Requires 64 bit Windows Vista, 7, 8, 8.1 or 10.

1. Go to https://cygwin.com/install.html and select the download the version for 64-bit versions of
2. Click next until you get to this screen. Select the mirror closest to you and click next.
[Hidden Content]

If you forget to install any extension, you can restart Cygwin and download the add-on again. Do not worry, the files will not be deleted; it will only download the add-on that you forgot to download.

done thx