Search the Community

Showing results for tags 'Tutorial'.



Found 713 results

  1. To continue the reversing iOS tutorial series, today I will share with you how to bypass in-app purchases using LLDB on the ARM64 architecture. Feel free to connect with me on Twitter @ReverseThatApp and drop me a message for feedback/discussion... any kind is welcome. I will try to have more posts on how to reverse iOS apps soon. [Hidden Content]
  2. So with the Critical Ops aimbot, when it locks on to somebody and you shoot, you don't hit them due to the recoil. For the people that haven't already found this out: when you launch the game it should let you adjust the values for the aimbot, or just use WallHack. To make the aimbot actually hit someone instead of shooting over them, use these values: [Hidden Content]
  3. Hello there :) Today I want to tell you about Code Inject and MSHook hacking. I will explain with a practical example for clarity! I thank this community and leave this guide. Thank you!
     ✔ Requirements
     ✔ Binary
     ✔ Note about Tweak.xm
     ✔ ASLR Slide
     ✔ ARM Instructions
     ✔ CodeInject
       Ex1: Change instruction to change damage
       Ex2: Change branch to change accuracy of weapon
       ❔ Where should I actually write? ❔
     ✔ MS (Objective-C func)
     ✔ MSHook (Native func)
       Ex1: Increase damage
     ✔ NSLog
       Ex: Display argument values
     ✔ Call the native func
       Ex: Call a function to get user information
     ✔ PrefBundle
     P.S. A knowledgeable person would wonder why I don't talk about debuggers. Unfortunately gdb is displayed as BadCPUType in my environment and watchpoints do not work properly in lldb. Here are some great tutorials if you are interested in them: https://iosgods.com/topic/75950-arm64-ida-lldb-tutorial-noob-friendly/ If there are any mistakes please point them out in a reply! Enjoy
  4. How to avoid being banned on Snapchat while jailbroken, by @Noctisx. This method will work if you follow my instructions below. [Hidden Content]
  5. Bring a picture into Snapchat without any lens/icon logo, for non-jailbreak/jailbreak: You cannot be banned by Snapchat because we will be using their own software. You will need a computer (Mac/Windows). No need to have programming knowledge. This method is 100% safe. [Hidden Content] Have a nice day.
  6. Hello guys, here is a tutorial to UNBAN a Snapchat account (12 hours to 72 hours). Before starting: if your account is already banned, this method is less likely to work. (For 100% work) use this method just after seeing this Snapchat message (Snapchat warns you before a ban). This method will make you lose: - (PROBABLY) your SNAPSTREAKS 🔥 (if the ban is more than 24 hours) - Snapchat will delete all your friends (this is obviously TEMPORARY) and all your Snapchat friends will be added AUTOMATICALLY again after this method. This whole process is automatic, you just have to wait. Did you use Snapchat tweaks like: Wraith, DzSnap, DzSnap2, SnapChat ++, SCOthman for Snapchat, Phantom for Snapchat, (other tweak)? Here is the method: (All images are in French) [Hidden Content] Have fun!
  7. Requirements:
     - A basic game.
     - iFile/iFunbox/Filza
     - Jailbroken iDevice
     Common features that can be hacked:
     - Coins
     - Sometimes gems
     - No ads
     - Unlocking new characters
     - Changing high score
     Instructions: [Hidden Content]
     Possible Problems and Notes
     Q - Can't find any properties like coins
     A - This game is probably not basic enough to be plist hacked
     Q - I changed the coins and it gives me 0, or negative numbers
     A - You have set a value which is too high. Try a smaller number.
     Q - I changed some values but nothing has changed in the game.
     A - Make sure to save the .plist file before opening the game, and make sure you close the game from the app history before opening it.
     Q - I don't like your tutorial
     A - And I don't like you
     Q - What is that game called?
     A - It is paper.io
     Q - Can I get a hack for paper.io?
     A - https://iosgods.com/topic/43795-paperio-save-game-all-avatars-1billion-coins-best-score-100-version-22/
  8. Hello Everyone! In this topic, I'll be teaching you how to hack with lldb watchpoints & IDA step by step.
     Quick note: Watchpoints don't seem to work on iOS 11, so you need a phone below that iOS.
     Requirements:
     - IDA program -> get it HERE
     - Jailbroken phone
     - GamePlayer, iGameGuardian or whatever alternatives.
     - LLDB -> Follow THIS topic
     - * Theos -> Follow this: Setup Tutorial
     * = You can also edit the game's binary manually with a hex editor, but this is a pain in the ass to keep replacing each time.

     Setup a theos project
     If you already know how to set up a theos project & how to use it correctly, skip this part. For the sake of this tutorial, use this SDK and use this .nic template. This video will show you how to set up a theos project:
     - https://youtu.be/eplJ2118cv0
     NOTE: I am using PuTTY because I'm on Windows. If you're on a Mac, you can just use Terminal. Type this command to SSH into your device: ssh [email protected] & then type the default password "alpine".

     LLDB
     The game we are going to hack is called "Bloody Harry", you can get it HERE. We will be hacking our ammo. I hope you installed lldb as I said with the linked topic from my Requirements list; if not, do it now. You can basically just type "lldb" in your SSH window & it will look like this: Now you have lldb started, you have to attach to the game with this command: attach "PID" / attach "Binary Name". I always use the PID, because I'm too lazy to search for the binary name. You can find the PID by attaching the game to GamePlayer & then the number next to the game's name is the PID. It will now connect & it should look something like this:

     ASLR
     We need to do ONE more VERY IMPORTANT thing before we start setting watchpoints. Since we are hacking arm64, we have to deal with an ASLR slide. You can find this ASLR slide by typing this command in your SSH window: image list or image list "binary name". However, it somehow doesn't support binaries with a space in them. So type the first one & scroll up to where [ 0] starts. As you may see, in my case [ 1] is the line I need, because that points to Bloody Harry:
       [ 1] A0825C08-EAE4-3748-ADB5-042D675A380A 0x000000010007c000 /var/containers/Bundle/Application/4D84AA61-4639-402A-96F0-11CAC3A3F8C8/Bloody Harry.app/Bloody Harry
     0x000000010007c000 is what I need. However, I only need to remember 7c000. Your slide is likely different. For example, if you had this: 0x0000000100080000, then 80000 is the only thing you need to remember.

     Watchpoints
     We are ready to set watchpoints now! In order to set a watchpoint, we need to find the memory address with, in my case, GamePlayer. I assume everyone knows how to work with a memory searcher such as GamePlayer; if not:
     - Search for your current ammo value in GamePlayer
     - Shoot one time
     - Search for the new value
     - Shoot again
     - Search for the new value
     - Do this till you get 1 / 2 matches.
     IT'S VERY IMPORTANT YOU DO NOT CLOSE THE APP FROM NOW ON, BECAUSE GamePlayer ADDRESSES ALWAYS CHANGE AFTER REOPENING THE APP.
     How to set a watchpoint: w s e -- 0xGamePlayerAddress
     Example: w s e -- 0x109098E10
     So get your GamePlayer address & then set a watchpoint. I keep getting 2 matches in GamePlayer, so I will set 2 watchpoints:
     NOTE: Sometimes the "new value" isn't correct, just in my case. Please remember the ammo in the next step.
     So our watchpoint has been set; in order to get the IDA address, we'll have to make a change in our ammo. This is the step where you HAVE to remember the ammo value it's going to change to. My current ammo is 65 & I'm going to shoot one bullet, which ends me up with the value of 64.
     Watchpoint 1 hit: frame #0 = our IDA offset according to lldb (ignore the 000... before the first "1"). Type "register read" in lldb & paste the output in a note somewhere, we are going to need this later. I like to organize it like this:
     Now let's see if our watchpoint 2 will also hit: type "c" in lldb & see what happens. It's not saying anything about watchpoint 2, but it does stop, so it might be useful. Do the same steps you did for watchpoint one: make a note, paste the "register read" output & organize it like mine if you like.
     We know our IDA offset according to lldb, however we need to remove the ASLR slide from it. Go to this website: https://www.calculator.net/hex-calculator.html In the first box, type the offset lldb gave you & in the second box put your ASLR slide & subtract it! Let's do this for watchpoint one first; the one with the red circle around it is the REAL offset in IDA: Write it in your note, something like: Real Offset: "your offset". Now do the same for the second watchpoint.

     Register Read Output
     The register output will show you which register holds what value when the watchpoint was hit (when the game froze). This is really useful for us. We can read which register holds our ammo & then hack that in IDA later. However, the values are in hexadecimal & we only know the decimal value of our ammo. Mine is 62, so go to some "Decimal To Hex" converter online such as this one: https://www.binaryhexconverter.com/decimal-to-hex-converter Convert your number & search for it in your "register read" output. Mine is 3E & I found a match: x8 = 0x000000000000003e. NOTE: the X could be a W in IDA. Do the same for your second watchpoint.

     IDA
     Alright, first let's go to the offset of watchpoint 1 in IDA. You can do this by pressing the "G" button in IDA View: The yellow colored line is where it brings us: So you might think this must be the line we have to change. But this is wrong; you know which register holds our ammo (X8), so you will be looking for that. These are our matches with X8 (W8 = our ammo; X & W are basically the same):
       10092DED8 LDR W8, [X19,#0x40]   // Load X19+0x40 into W8
       10092DEE4 ADD W8, W8, W20       // Add W20 to W8 into W8
       10092DEE8 STR W8, [X19,#0x40]   // Store W8 into X19+0x40
       10092DEF0 LDR X8, [X1,#0x10]    // Load X1+0x10 into X8
       10092DEF4 LDR X8, [X8,#0x50]    // Load X8+0x50 into X8
       10092DEF8 BLR X8                // Not important to really know, but it's some sort of branch
       10092DF00 LDR X8, [X19,#0x10]   // Load X19+0x10 into X8
       10092DF0C LDR X2, [X8,#0x188]   // Load X8+0x188 into X2
       10092DF10 LDR X8, [X2,#0x10]    // Load X2+0x10 into X8
       10092DF14 LDR X8, [X8,#0x50]    // Load X8+0x50 into X8
       10092DF18 BLR X8                // Not important to really know, but it's some sort of branch
     Things such as X19+0x40: X19 = a memory address, 0x40 is a variable that holds something. Together it will point to an address where the memory is at. That's a lot of matches; however, the matches with #0x40 in them seem interesting to me. First: whatever X19+0x40 holds is getting loaded into W8 (our ammo register). Then: W8 is getting stored into X19+0x40; it looks like it's updating it. But we can't be sure until we try something. So this is how I would try to hack this:
     LDR W8, [X19,#0x40]
     - Change to: MOV W8, #0xfffff --> this will move the hex value 0xfffff into W8
     - Change to: LDR W8, [X23] --> X23 is a register that has its own high value. In this way that gets loaded into our ammo.
     STR W8, [X19,#0x40]
     - Change W8 to W23 --> This will store a high value into X19+0x40 (which is what we think is where our ammo memory is at)
     - Change it to a NOP; this will skip the instruction & in this way the ammo can't be stored.
     I'm going with the last option.

     Compiling a hack with theos
     Open your tweak.xm from your theos project & find this:
       if(GetPrefBool(@"key1")) {
           vm_writeData(0x123456, 0x123456); // The first value should be the offset & the second value the hackedHex
       }
     If I wanted to change it to NOP I would change it to this:
       if(GetPrefBool(@"key1")) {
           vm_writeData(0x10092DEE8, 0x1F2003D5); //
       }
     How do I know it would be "0x1F2003D5"? Well, iOSGods has this awesome website: http://armconverter.com/ I typed "NOP" & in the "ARM64 HEX" box I got the hex of it. You can convert any valid ARM instruction here, so if you wanted to hack the LDR, you could have written this in the box: LDR W8, [X23] & it would give you this value: 0xE80240B9.
     Save your tweak.xm & go back to your SSH window. Type in: cd /your/directory/of/your/project; for me that would be: cd /var/root/bloodyharry. Hit enter & now type "mpi" & if that gives you an error, type "make package install". This will compile it into a .deb & automatically install it for you. Open your Settings & enable the first toggle.
     NOTE: @"key1" is used to recognize the toggle key of your Root.plist inside /"yourproject"/"projectName"Settings/Resources/Root.plist. See this topic for more info about patchers: https://iosgods.com/topic/444-tutorial-how-to-make-a-preference-bundle/ NOTE: You can skip steps 1 & 2 in that topic, you already did that by creating a project.
     Open the game & voila, since I NOP'ed the STR, my ammo won't subtract! Ammo successfully hacked:
     So after all we didn't need the second watchpoint. But if the first watchpoint's location just didn't work out, you could move to watchpoint 2. When you're hacking ammo, in A LOT of cases you'll see something like this:
       SUB W8, W8, #1   // Subtract 1 from W8 into W8
     If you see this from a watchpoint, you're basically sure that it's the right thing to hack. You could NOP it or change the #1 to a #0 (use armconverter). Try to hack the gold yourself. If you're confused about some parts, leave a comment.
     Other useful topics for this tutorial:
     - https://iosgods.com/topic/852-tutorial-how-to-hack-using-ida/ NOTE: This tutorial is old & the registers are armv7 registers. But this may help you understand how instructions work (instructions = STR, LDR, MOV, CMP etc.)
     - https://iosgods.com/topic/19378-how-to-defeatremove-aslr-on-ios-9-armv7-and-arm64-devices/
     Good luck on your journey!
  9. In this tutorial, I'll be showing you how to duplicate your favorite apps/games on your iOS 11 Electra jailbreak. I'll be using WhatsApp as an example. Tested working on iPhone 8, 11.3.1. Take note that not all apps/games can be duplicated.
     Requirements:
     - Filza File Manager (BigBoss repo)
     - AppSync Unified (Karen's repo)
     Instructions: [Hidden Content]
  10. Requirements: NewTerm, GameGem 1.5. I did the video with this fix when using iOS 11.3.1, so a higher iOS version may not work. I'm no longer jailbroken, so if you can't fix this even after following all of the steps I did in the video, you should find another fix method. Thank you. Tutorial (step by step): [Hidden Content]
  11. Hey. I'm back! In this tutorial, I will be teaching you guys how to duplicate Clash Royale and other popular games! By the way, when Clash Royale is duplicated, the data will be fresh. It won't be the account you were using before. You will start fresh! It will probably be the same for other games. Here are the requirements and the instructions!
      Requirements:
      - Cydia
      - iDevice
      - Your brain
      Instructions: [Hidden Content]
      Hit that thanks/heart button if you've enjoyed this tutorial!
  12. Hello, I'm editing this topic with a completely NEW method and a new layout, as the first one got patched. This tutorial is much more complicated, takes a lot longer and is a bit harder. But it's worth it in my opinion. This might get patched soon, I don't know.
      DISCLAIMER: I am NOT responsible for ANY bans using this method! It's your responsibility and NOT mine! Be careful if you want to play on an account you've spent money on or you care about!
      ---
      [Hidden Content]
      ---
      Settings / Keybinds:
      ---
      [Hidden Content]
      ---
      ↓↓↓ Now you're done! It might get patched again! If you get the error after finishing a game, follow the steps down below ↓↓↓
      ---
      [Hidden Content]
      ---
      Credits:
      - Indian Nova (YouTube)
      I'm not exactly sure this is the guy who made this, but it's the person I got this method from, so therefore I'm giving the credits to him. If you know who the real creator is, please comment that and give me some proof or something and I'll change the credit.
      ---
      Bada Bing, Bada Boom
  13. As of September 30th 2019, this thread has been updated to (maybe) support some other games. (Pokemon GO doesn't work so far)
      Method 1
      Method 2
      Method 3
      Note: You may use Methods 2 and 3 in conjunction if they do not work standalone.
      Method 4
      Note: This reverts to before you jailbroke!
      Method 5
  14. Requirements (2018/8/8)
      - Jailbreak phone: download iCleaner from Cydia
      - Non-jailbreak phone: delete the PUBG HACK IPA, then download iCleaner for non-jailbreak (FOR NON-JAILBREAK PHONE, download iCleaner from the link I posted)
      1 - For jailbreak phone: first go to CYDIA > CHANGE > PUBG Chests and remove it. Go to Filza and delete the .deb for PUBG HACK.
      2 - Go to iCleaner [Hidden Content]
      12 - Do this step, I found it on an old topic:
      1. Open the PUBG app
      2. Login with your iOSGods account
      3. Click on REPAIR on the home screen
      4. Then re-open the PUBG app
      5. Login with your iOSGods account again
      6. Wait for the update
      7. LOGIN Facebook)
      GOOD LUCK FOR ALL
  15. In this topic you can share videos of PUBG cheats and glitches, YouTube and etc., which you can search for and post so that all club members can use the glitch.
      Mod Requirements:
      - Jailbroken iPhone/iPad/iPod Touch.
      - iGameGuardian - add the iGameGuardian Cydia source [Hidden Content]
      If you are unable to open iGameGuardian (initialization failed) you need to pay on his website and activate it, or find a crack in other topics; from here you can register for it [Hidden Content]
      First I will share a glitch I found: shooting through walls (no need for jailbreak or IGG). Change all enemies' color to white or black, easy to see the enemies (jailbreak and MUST have IGG). Enemies' size changed to bigger (jailbreak and IGG).
      First, shooting through walls, link to the tutorial I found: [Hidden Content]
      F32, then switch on the button at the top, Find Nearby at the top, and F32 value 1, and wait until it shows 2 offsets. On the second offset change the value to 500 or 200 for white color, or change the value to -10 for black color. After doing this step just go into PUBG again and enter the training room to test if it's working. Use it with any mod (each time you close PUBG you need to do this step).
      Change enemies' size to bigger WITH IGG: Open PUBG MOBILE and wait until your character shows up. Open IGG, select target (TrackerExt), click on Search > click on the up button, Numbers F32. Post these numbers [Hidden Content] just change any offset value to 20 or 120 or 500; when you change it, enter the training room to test the memory offsets I posted. You have more offsets, each one doing something in game: fly hack, walk hack, drive through walls. You need to try and find more memory offsets to hack cheats (if you have IGG memory offsets or a glitch, share them here). Maybe these options will be added by DiDA soon to the VIP hack. Good luck, waiting for your comments and sharing (I don't know if it's a risk or not for a ban).
16. Requirements: being jailbroken and having Filza installed.

Alright guys, so today I'm gonna be walking you through a step-by-step guide on how to get your Guest Account unbanned from COD Mobile. I'm aware there's already another post on how to get your device unbanned, but really what that does is completely erase your keychains, and in so doing it also deletes all your passwords, which means you'd have to log in again on every single account from every application installed on your phone. The method explained in that post lets you start a fresh account, that is to say, you're gonna have to create another Facebook account every time you get banned, which is a bit of a daunting prospect, and it doesn't unban your guest account.

With this method you'll be able to start a new account as a guest, which consists only in typing a new username. What's more, it doesn't delete any of your actual passwords, and you can later link your guest account to a Facebook account if you wish to, into the bargain. This is really convenient for testing cheats and whatnot because you can throw away your account if you get banned and create a new one easily. However, there is one string attached, and that's the fact that your progress will inevitably be erased every time you get banned. There's no two ways about it: once you get caught cheating, your stats will never come back.

That being said, let's get started: [Hidden Content]
17. Hello everyone,

With Apple's latest certificate revocations came bugs and new ways to prevent third-party apps on your iDevice. With the latest certificate came a bug or preventative measure by Apple that stops third-party apps from opening by crashing them on launch. The steps below will hopefully help everyone that is having this issue. Please back up your iDevice before proceeding.

1. Go to Settings > Apple ID > iCloud > iCloud Backup > Back up your iPhone over WiFi.
2. Once done, go back to Settings > General > Reset > Erase All Content and Settings > enter your passcode, and it should ask you to sign out of your Apple ID.
3. Once your iDevice has finished resetting and restoring the backup you made in step 1, the iOSGods App should already be installed and you're ready to download and play games.

I really hope this helped everyone that is having crashing apps and is unsure why it's happening. I have to give credit to @HectorBhz for this helpful info. I thought I needed to get a forum post out letting people know how to solve this annoying issue.

The phone I tested it on: iPhone 7 Plus 32GB on iOS 13.3. Happy Gaming 🙃

Update: This has been confirmed to work on iOS 13.x.x. YOU DO NOT NEED A JAILBROKEN IPHONE TO COMPLETE THIS PROCESS!
18. *BEST VIEWED ON DESKTOP*

Prerequisite reading: https://iosgods.com/topic/65529-instance-variables-and-function-pointers/

Seriously, read my tutorial on instance variables and function pointers before reading this one. You'll be lost otherwise. This tutorial builds off of concepts from the last one. The game is Free Fire v1.17.1. I will include everything used in this tutorial in a zip archive at the end, including an IDA database.

1. What Are Static Members?

Have you ever seen something like this while scouring through a Unity dump? Looks like that would be fun as hell to mess around with. Or this? How can we access sUniqueEntityID? Or RunSpeed, DashSpeedScale, and CrouchSpeed?

You've probably noticed static members during your Unity hacking. These are different from instance variables. While instance variables have a copy for each object of a given class, there is only one copy of each static member, shared by every object. Because of this, a static member is not a part of any object.

To illustrate this concept, check out this class I wrote called Apple: An apple is fresh when it hasn't been eaten. When we instantiate a new Apple object, we increment the number of fresh apples because a new Apple hasn't been eaten yet. When eat() is called on an Apple object, it is no longer fresh, so we decrement the number of fresh apples. I also included a regular instance variable that represents the name of an Apple. When an Apple is eaten, its name changes to eaten.

Let's make three fresh apples and check out our static member freshApples and our instance variable name for each Apple object: The number of fresh apples is the same for every Apple instance and the name of each Apple instance is unique. Let's eat apple2 and print everything out again: Since apple2 was eaten, the number of fresh apples decremented for every object, but only apple2's name changed to eaten.

Remember when I said a static member is not a part of any object? Sounds a bit confusing, right?
I'm a person that won't really understand something fully until I can see it proven, so using Visual Studio's debugger, we can prove that freshApples is not a part of any Apple object. I set a breakpoint on the first std::cout << "apple1: " << apple1.name << " freshApples: " << Apple::freshApples << std::endl; (line 28) and let it hit. The Locals tab displays variables that are defined in the local scope. That includes our three Apple objects. name is present, but freshApples is not. This makes sense. Why would each Apple have its own copy of something that is supposed to be shared throughout all Apples?

Let's take a look at the Autos tab: The Autos tab displays variables used around the current line. Ignore the entry for apple1.name. There's our freshApples static member! It is being used to print its value to the screen. Notice that it is independent of all the other Apple objects listed.

However, let's go a bit further and dive into memory. I added these four lines of code: The %p format specifier prints out a pointer, and the & operator takes the address of what it is used on. I set a breakpoint before apple2.eat() because the names of the apples would line up nicer. Because this is before apple2.eat(), freshApples is still 3, and apple2.name is still "second apple". This output confirms it. freshApples is nowhere near apple1, apple2, or apple3. This supports what I said earlier about freshApples not being a part of any Apple object.

Let's check out the memory around apple1, apple2, and apple3: You can see the names of the apples. If freshApples was anywhere near these Apple objects, you'd see 03 somewhere in this screenshot. Here is where freshApples is kept in memory: It is stored a long way away from any of the Apple objects. In like a void of nothing, kinda sp00ky. This example proves static members are not a part of the objects of the class they reside in. In memory, they reside somewhere else, far away from the class objects.
However, nothing is inaccessible. If the machine can pull the value of a static member without a problem, we can too. We just have to replicate what the machine does in our own code.

2. Accessing Static Members In A Game

I want to remind you the game being used is Free Fire v1.17.1. Our first example will be the GameVarDef class from the very first screenshot in this tutorial. Here it is again so you don't have to constantly scroll up and down: There are so many more static members in this class; it just wouldn't be convenient to show all of them. We can disregard the readonly keyword just like we disregard private and public. We are past compile-time checks, so a compiler isn't preventing us from making changes to or accessing things when we're hacking.

If we can find RunSpeed, we'll have access to every single static member in this class. Why? Check out how the memory is laid out. If RunSpeed is at X, DashSpeedScale will be at X + 0x4, CrouchSpeed will be at X + 0x8, and so on. But how can we do that? If this class holds static members that control many attributes of the game, why not search for functions like GetRunSpeed or GetDashSpeedScale? Searching for GetRunSpeed brings us to a function called GetRunSpeed() at 0x1007231E8. Let's check it out in IDA. I forgot to mention the developers added some fake code and mangled some names in the game, but not the ones we're using, so we can disregard it.

This function hits when you set a breakpoint on it. I wouldn't make a tutorial using a game where I couldn't figure out how to modify static members beforehand. We are not looking to modify the instructions here to boost our run speed. That would defeat the entire purpose of this tutorial. At the end of this tutorial, we'll have made a hack that can modify anything in GameVarDef via threading, pointer arithmetic, and absolutely no hooking. Anyway, back to it.
There is something very interesting about this function: The main thing to take away from this is that the game ends up loading some pointer from a constant base address into X0. In this case, it is whatever 0x102b77358 points at. How do I know it's constant? Because it is hardcoded in the binary. Why is this awesome for us? Well, since what we need is always going to be located at whatever 0x102b77358 is pointing to, we don't need a pointer from the game! AKA no hooking! To access normal instance variables, we'd have to hook some kind of function to get the pointer to the object so we can do a little bit of math on it. After all, the locations of those objects change every launch. Here we don't have to, because it's constant.

Let's take a look at the end of this function: Okay, so we're getting somewhere. Whatever 0x102b77358+0xa0 is pointing to gets moved into X8, and whatever X8 is pointing at seems to be our run speed and the beginning of the static members from the GameVarDef class.

Before we move on, I'd like to include what I call an LDR map. This is how I visualize things in my head. Instead of seeing an entire function, I don't focus on the parts I don't need for what I'm trying to do: Then I usually visualize some sort of map in my head. I tried my best to recreate what I see: If it doesn't help you, please don't try to do it. Different things work for different people.

Now let's try to access RunSpeed with a debugger, keeping in mind what we talked about. After attaching to Free Fire via LLDB and getting the ASLR slide, we can see what is at 0x102b77358. To see this, we can use the memory read command. Our ASLR slide is 0xa4000. 0x102b77358 looks like it is pointing to 0x50779f2e01, but since hex here is in little endian, we read the address starting from the end: 0x012e9f7750. That makes more sense. We just imitated these three instructions: Now all we have to do is find out what is at 0x012e9f7750+0xa0: 0x012e9f7750+0xa0 is pointing to 0x0111d59c80.
We just imitated this instruction: If we were correct in our interpretation of how the game is accessing these static members, 0x0111d59c80 should point to RunSpeed. Let's see: Look at that! Not only do we see RunSpeed, we see every static member from GameVarDef after it.

Floats are also not represented as "just floats" in memory; they're represented as an integer equal to their value. If we make a tiny program to convert floats to their integer representation and so on, we can see what 0x40500000 is. To get a float's integer representation and vice versa, we can use a union. A union is like a struct, but also completely different. Like a struct, it can have multiple members, but unlike a struct, all those members share the same location in memory. Very useful. I wrote something to do that a long time ago, so I'll use that here: 3.25 sounds right for something called RunSpeed. But we don't know for sure. We can know for sure if we use LLDB to see what S9 holds in PlayerAttributes::GetRunSpeed. Our ASLR slide here is 0x7c000. S9 is 3.25! This confirms that the way we accessed the static members from GameVarDef is correct. And because of the way memory is laid out for the static members in GameVarDef, we can safely assume they'll all be next to each other.

Before we move on to the next step, I want to quickly demonstrate that it doesn't matter if you want to access a static member from a class with other instance variables. Here's the second screenshot from this tutorial again: For this kind of thing, you'd want to find a function that fetches this static member. Thankfully, we have this in the same class: When we take a look at it in IDA, we can see the same theme of a constant base address being used to grab static members: It's the same procedure here as getting RunSpeed from GameVarDef.
1. Move 0x102b77f18 into X19.
2. Move whatever X19 points to into X0.
3. Move whatever X0+0xa0 points to into X8.
4. Load whatever X8 points to into W0, which is our unique ID.
If the game you're working on has a class filled with static members that control very hackable aspects of it, you can take advantage of a constant base address and write the hack without any hooking!

3. Multithreading

Threads are awesome. Just know that. They allow you to do work simultaneously with the main thread and are vital to how any computer works. The threads we'll be using in our hacks are POSIX threads. If you want to use POSIX threads, you need to add #include <pthread/pthread.h> to your hack. The POSIX thread datatype is pthread_t and the function we'll be using to spawn POSIX threads is pthread_create. Let's look at pthread_create:

int pthread_create(pthread_t *thread, const pthread_attr_t *attr, void *(*start_routine) (void *), void *arg);

pthread_create takes four arguments:
- pthread_t *thread: in short, the thread you want to spawn.
- const pthread_attr_t *attr: an object to specify thread attributes. We don't need to do this, so this is always NULL.
- void *(*start_routine) (void *): a pointer to the function you want your thread to work in. It must match that signature.
- void *arg: the argument to start_routine. It can be NULL, a single argument, or a struct to pass multiple arguments. I hope you know why that works; that was one of the main takeaways from the previous tutorial.

When a successful call to pthread_create returns, your thread will spawn and immediately begin work in the function you passed in for start_routine. Let's look at an example. Since Windows doesn't support POSIX threads, I'll be writing this program on my phone. All this program does is spawn a thread to add one to a counter every second. Here's the code, heavily commented:

#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>
#include <unistd.h>

// our counter variable. We need this to be global.
int counter = 0;

// the function your POSIX thread does work in MUST match this signature:
// the return type must be void *, and there must be only one argument, which is a void *.
void *addOneEverySecond(void *arg){
    // we don't want the thread to only increment the counter once and then be done!
    while(1){
        counter++;
        printf("%d\n", counter);
        // sleep puts the calling thread to sleep for however many seconds you specify.
        // once that many seconds is up, the thread is woken back up and executes
        // until sleep is called again, where it will be put to sleep again.
        // this is great for easing stress on the device.
        sleep(1);
    }
    // always return NULL for our sakes
    return NULL;
}

int main(int argc, char **argv){
    // declare our thread
    pthread_t countThread;
    // spawn our thread
    pthread_create(&countThread, NULL, addOneEverySecond, NULL);
    // wait for a keypress so main() doesn't return and take the whole process with it
    getchar();
    return 0;
}

Here's what it looks like when I run this program: Pretty simple. That's all there really is to it with threads. We don't need to go into more detail for the stuff we're doing. It is best to create another thread any time you have something you want to do that's unrelated to what all your other threads are doing.

4. Putting It All Together

With threads and a bit of pointer arithmetic, we can make a hack that will successfully modify anything we want in the GameVarDef class. First of all, let's get the "outline" of our code going:

#import <mach-o/dyld.h>
#import <pthread/pthread.h>
#import <substrate.h>

uint64_t getASLRSlide(){
    return _dyld_get_image_vmaddr_slide(0);
}

bool launched = false;

%hook UnityAppController
- (void)applicationDidBecomeActive:(id)arg0 {
    if(!launched){
        timer(1){
            launched = true;
        });
    }
    %orig;
}
%end

This is the skeleton of the hack: a function to get the ASLR slide and some code to set up the initial hook on UnityAppController.
Now we can get to adding the function our thread will do work in, as well as the thread itself:

#import <mach-o/dyld.h>
#import <pthread/pthread.h>
#import <substrate.h>
#import <unistd.h> // for sleep()

uint64_t getASLRSlide(){
    return _dyld_get_image_vmaddr_slide(0);
}

void *modifyGameVarDefs(void *arg){
    while(true){
        sleep(1);
    }
    return NULL;
}

bool launched = false;

%hook UnityAppController
- (void)applicationDidBecomeActive:(id)arg0 {
    if(!launched){
        timer(1){
            pthread_t modifyGameVarDefsThread;
            pthread_create(&modifyGameVarDefsThread, NULL, modifyGameVarDefs, NULL);
            launched = true;
        });
    }
    %orig;
}
%end

Since we don't have any arguments to modifyGameVarDefs, we give NULL as the last parameter to pthread_create. Our thread will sleep for 1 second before carrying out its work again. I am going to shift focus to modifyGameVarDefs and getASLRSlide. I will no longer be including the hooks for UnityAppController or the #import's, to save space. Just imagine they're there.

Now we can get to accessing the static members in GameVarDef through pointer arithmetic! Remember our base address? It's 0x102b77358. To imitate what the machine does, first we make a pointer to 0x102b77358. As always, we have to account for ASLR and check if it is NULL for safety.

uint64_t getASLRSlide(){
    return _dyld_get_image_vmaddr_slide(0);
}

void *modifyGameVarDefs(void *arg){
    while(true){
        // the pointer the game keeps at the hardcoded address, slid for ASLR
        void *baseAddress = *(void **)(getASLRSlide() + 0x102b77358);
        if(baseAddress){
            // ...
        }
        sleep(1);
    }
    return NULL;
}

Finally, to access the static members from GameVarDef, we have to add 0xa0 to baseAddress, and check if that is NULL as well.

uint64_t getASLRSlide(){
    return _dyld_get_image_vmaddr_slide(0);
}

void *modifyGameVarDefs(void *arg){
    while(true){
        void *baseAddress = *(void **)(getASLRSlide() + 0x102b77358);
        if(baseAddress){
            // the pointer at baseAddress+0xa0 is where the static members start
            void *Defs = *(void **)((uint64_t)baseAddress + 0xa0);
            if(Defs){
                // now we can modify any static member from GameVarDef!
            }
        }
        sleep(1);
    }
    return NULL;
}

Like the comment says, we'd put our code to modify the static members from GameVarDef there. We are going to add the last piece of code to modify RunSpeed:

uint64_t getASLRSlide(){
    return _dyld_get_image_vmaddr_slide(0);
}

void *modifyGameVarDefs(void *arg){
    while(true){
        void *baseAddress = *(void **)(getASLRSlide() + 0x102b77358);
        if(baseAddress){
            void *Defs = *(void **)((uint64_t)baseAddress + 0xa0);
            if(Defs){
                // now we can modify any static member from GameVarDef!
                // RunSpeed is the first static member, at Defs + 0x0
                *(float *)((uint64_t)Defs + 0x0) = 10.0f;
            }
        }
        sleep(1);
    }
    return NULL;
}

Of course I didn't need the + 0x0 there, but it is better visually for a tutorial. And we're done! We've successfully modified the static member RunSpeed from the class GameVarDef via threading and pointer arithmetic, without any hooking! This does work in game. However, we can still improve.

5. Structs Make Everything Better

If we wanted to change a ton of other static members in GameVarDef, we would have to constantly retype the same pointer arithmetic, and constantly look back at the dump to make sure the types are right and to find out what to add to Defs to access that static member. Imagine if you didn't have to do that. Remember what a struct is? A struct is something that can hold many members, so naturally, memory is laid out exactly the way you'd expect it to be. The first member is at struct + 0x0, the second at struct + 0x4, the third at struct + 0x8, and so on. Take a look at this screenshot again: Don't you notice something? This is laid out like a struct! If we had a struct with the first member being RunSpeed, the second being DashSpeedScale, the third being CrouchSpeed, and so on, making our struct point to baseAddress + 0xa0 would work.
Let's make a struct like described above:

struct GameVarDef {
    float RunSpeed;        // 0x0
    float DashSpeedScale;  // 0x4
    float CrouchSpeed;     // 0x8
};

If we had it point to baseAddress + 0xa0, doing GameVarDef->RunSpeed = 10.0f; would be the exact same thing as *(float *)((uint64_t)Defs + 0x0) = 10.0f;, doing GameVarDef->DashSpeedScale = 5.0f; would be the exact same thing as *(float *)((uint64_t)Defs + 0x4) = 5.0f;, and doing GameVarDef->CrouchSpeed = 20.0f; would be the exact same thing as *(float *)((uint64_t)Defs + 0x8) = 20.0f;.

The only thing we have to be aware of is the size of each variable in the struct. Why? Because in the dump, there are some booleans that are 4 bytes, and some that are only 1 byte. If we made every boolean 4 bytes, the machine would start to overwrite other members in the struct after a supposed-to-be 1-byte boolean because of a size mismatch. Anyway, look at these two screenshots: See how the boolean in the first screenshot is 4 bytes and the booleans in the second screenshot are only 1 byte? That's something we need to pay attention to. In the dump, booleans are treated as a 4-byte-long datatype. This is not the case for us because sizeof(bool) == 1. Before I wrote the code for this tutorial, I didn't realize sizeof(bool) didn't equal 4, so in the struct, I replaced every 1-byte bool with char. Why did I do that? sizeof(char) == 1. You don't have to do that. It was a harmless mess-up on my part. What you do have to do, however, is change every 4-byte boolean to int. sizeof(int) == 4, so that will work.

Here is our resulting struct: You'll find a copy of that struct in the zip archive at the end of this tutorial. Anyway, now that we have that, it is as simple as changing the datatype of Defs from a void * to a GameVarDef * and then modifying anything in our new GameVarDef struct! I put that struct in its own file called GameVarDef.h because of its size. This does work in game; I tested it before writing this tutorial.
Here is our finished hack:

#import <mach-o/dyld.h>
#import <pthread/pthread.h>
#import <substrate.h>
#import <unistd.h> // for sleep()
#import "GameVarDef.h"

uint64_t getASLRSlide(){
    return _dyld_get_image_vmaddr_slide(0);
}

void *modifyGameVarDefs(void *arg){
    while(true){
        // pointer stored at the hardcoded address, slid for ASLR
        void *baseAddress = *(void **)(getASLRSlide() + 0x102b77358);
        if(baseAddress){
            // overlay our struct on the block of static members at baseAddress+0xa0
            GameVarDef *Defs = *(GameVarDef **)((uint64_t)baseAddress + 0xa0);
            if(Defs){
                Defs->RunSpeed = 20.0f;
                Defs->MaxJumpHeight = 20.0f;
            }
        }
        sleep(1);
    }
    return NULL;
}

bool launched = false;

%hook UnityAppController
- (void)applicationDidBecomeActive:(id)arg0 {
    if(!launched){
        timer(1){
            pthread_t modifyGameVarDefsThread;
            pthread_create(&modifyGameVarDefsThread, NULL, modifyGameVarDefs, NULL);
            launched = true;
        });
    }
    %orig;
}
%end

Doesn't that look so much cleaner? Much more readable, also. We just made a hack to change our speed and jump height with no code injection and no hooking, just threading and pointer arithmetic. Pretty awesome. Here's our hack in game:

6. Conclusion

To reiterate, this is awesome because there's no hooking involved. Hooking always adds instability to our hacks. I've linked an archive with everything that I used in this tutorial. It includes the binary for 1.17.1, global-metadata.dat for 1.17.1, the IDA database for the binary, the dump, the script to rename functions in IDA, the code for the hack, and the code from StaticMembersDemo. Do not try to frankenstein the code into your own hack without thinking and then complain that it doesn't work. It is a big download because of the database.

Archive: https://iosddl.net/24cc97063ab999c0/archive.zip

Also, I have a GitHub repository. I've been messing with Guitar Hero 3, and the hacks I made for that game build upon concepts from this tutorial: https://github.com/shmoo419/GH3Hacks

Practice: If you want to try this yourself but on a different game, try accessing the static members from the Main class in DomiNations.
Harder Practice: Create a struct with all the static members from the GlobalVars class from DomiNations. You'll find my GlobalVars struct below: If you want to see a sample hack that covers all the concepts from this tutorial, go here: https://github.com/shmoo419/DomiCrowns

I hope you enjoyed this. Please don't be afraid to ask questions.
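Added example, not part of the post above or its archive: a stand-alone C program that rehearses the post's three steps offline (follow the pointer at the hardcoded slot, then the pointer at +0xa0, then overlay a struct on the static-member block), plus the union trick for reading 0x40500000 as a float and a compile-time check that the struct's field widths match the offsets from the dump. The process memory is constructed here in a FakeProcess struct instead of being read from Free Fire; the fields WideFlag and NarrowFlag are made-up stand-ins for a 4-byte and a 1-byte boolean, and the hardcoded address 0x102b77358 is only referenced in comments.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Struct overlay in the spirit of the post's GameVarDef. The first three fields
   are the ones the post names; WideFlag and NarrowFlag are assumed fields that
   stand in for a 4-byte and a 1-byte boolean from a dump. */
struct GameVarDef {
    float RunSpeed;        /* 0x0  */
    float DashSpeedScale;  /* 0x4  */
    float CrouchSpeed;     /* 0x8  */
    int   WideFlag;        /* 0xC  - dump calls it bool, but it occupies 4 bytes */
    char  NarrowFlag;      /* 0x10 - dump calls it bool, and it really is 1 byte */
};

/* A wrong field width silently shifts every later field; checking the offsets
   against the dump at compile time catches that before the hack ever runs. */
_Static_assert(offsetof(struct GameVarDef, DashSpeedScale) == 0x4,  "DashSpeedScale offset");
_Static_assert(offsetof(struct GameVarDef, CrouchSpeed)    == 0x8,  "CrouchSpeed offset");
_Static_assert(offsetof(struct GameVarDef, NarrowFlag)     == 0x10, "NarrowFlag offset");

/* The union from the post: a float and its raw 32-bit pattern share storage. */
union FloatBits { float f; uint32_t u; };

float    float_from_bits(uint32_t bits) { union FloatBits fb; fb.u = bits; return fb.f; }
uint32_t bits_from_float(float f)       { union FloatBits fb; fb.f = f;    return fb.u; }

/* Constructed stand-in for the game's memory. In the real process the first
   pointer sits at getASLRSlide() + 0x102b77358; here that slot is base_slot. */
struct FakeProcess {
    void *base_slot;                              /* what the hardcoded address holds */
    unsigned char object[0xa0 + sizeof(void *)];  /* object whose +0xa0 holds the defs pointer */
    struct GameVarDef defs;                       /* the static-member block itself */
};

/* Wire up base_slot -> object -> *(object + 0xa0) -> defs, seeding RunSpeed with
   the bit pattern 0x40500000 that the post sees in its memory read. */
void **fake_process_init(struct FakeProcess *p) {
    memset(p, 0, sizeof *p);
    p->defs.RunSpeed       = float_from_bits(0x40500000u);
    p->defs.DashSpeedScale = 1.0f;
    p->defs.CrouchSpeed    = 1.5f;
    p->defs.WideFlag       = 1;
    p->defs.NarrowFlag     = 1;
    void *defs_ptr = &p->defs;
    memcpy(p->object + 0xa0, &defs_ptr, sizeof defs_ptr);  /* what LDR X8, [X0,#0xa0] reads */
    p->base_slot = p->object;                               /* what LDR X0, [const] reads */
    return &p->base_slot;
}

/* The walk the post imitates from GetRunSpeed: load the base pointer, then the
   pointer at +0xa0, with a NULL check at each hop. */
struct GameVarDef *resolve_defs(void **base_slot) {
    void *baseAddress = *base_slot;
    if (!baseAddress) return NULL;
    struct GameVarDef *defs;
    memcpy(&defs, (unsigned char *)baseAddress + 0xa0, sizeof defs);
    return defs;
}

/* Raw pointer arithmetic reads the same bytes the struct overlay does. */
float raw_field(struct GameVarDef *defs, uintptr_t off) {
    float v;
    memcpy(&v, (unsigned char *)defs + off, sizeof v);
    return v;
}

/* One iteration of what the hack's thread does: write RunSpeed and return the old
   value, or -1 if the chain is not populated yet (as before the game initialises). */
float set_run_speed(void **base_slot, float new_speed) {
    struct GameVarDef *defs = resolve_defs(base_slot);
    if (!defs) return -1.0f;
    float old = defs->RunSpeed;
    defs->RunSpeed = new_speed;
    return old;
}

int main(void) {
    struct FakeProcess proc;
    void **slot = fake_process_init(&proc);
    printf("0x40500000 as float = %g\n", float_from_bits(0x40500000u));
    printf("RunSpeed via struct = %g, via Defs+0x0 = %g\n",
           resolve_defs(slot)->RunSpeed, raw_field(resolve_defs(slot), 0x0));
    printf("old RunSpeed = %g\n", set_run_speed(slot, 10.0f));
    printf("new RunSpeed = %g, sizeof(GameVarDef) = %zu\n",
           resolve_defs(slot)->RunSpeed, sizeof(struct GameVarDef));
    return 0;
}
```

Build with any C11 compiler (cc -std=c11 demo.c). The _Static_assert lines are the part worth copying into a real GameVarDef.h: if a 1-byte boolean is declared as int, the assert on the next field's offset fails at compile time instead of the hack writing into the wrong static member at run time.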
19. Requirements:
1. Jailbroken phone
2. Filza from Cydia
3. MEGA app from the App Store

Notice: things have changed since yesterday and now it only works once. I will try to figure out a way to make it work every time. This is the final update: this will probably not work in the future, and if it does work you are lucky and it will only happen once. PUBG did something with the servers, so this might not work for some people. [Hidden Content]
20. This tutorial covers floats in ARM64, so I expect you to have a basic understanding of IDA and how it works. I won't be going into depth on this subject, but I will show you how I hacked a game with floats in ARM64, so you can get a grip on it. Also, this tutorial covers ground on ARM64, so I suggest you do a bit of reading up on this before continuing with the tutorial. This tutorial made by is a really good starting point for you to learn how to hack in ARM64. [Hidden Content] That was my brief tutorial on floats in ARM64. If you have any questions, please feel free to ask below!
21. This is a starter pack/list with everything about iOS hacking. We will try to keep this as up to date as we can, but you should also always use the search function on iOSGods to find new topics. If you have any questions or problems, make a Help & Support topic. We also have a Coding Center where people share their offsets and code for you to study and learn from.

Here is a list of some general tools/requirements for hacking iOS applications:
How to Install Theos:

Have you never hacked on iOS? This is what I recommend you do: After you've practiced the previous method of hacking (MS) on multiple games, you are ready to move on to the "next step", which is MS hooking. Once you know how to hack a game using MS hooking, you are ready for the last step, which is hacking games using IDA.
How to Hack Games with IDA:

Other useful things to know:
How to Thin a Binary:
How to Crack an Application:
How to Remove ASLR from a Binary:
22. A simple way of fixing "Unable To Verify App" and other revoked-certificate messages, errors and crashes with ReProvision. We just have to fix the tweak first, since it was patched.

Requirements:
- Jailbroken device
- Valid Apple ID

[Hidden Content]
23. Download iOSGods Apps While They're Still Revoked!

Certificates being revoked by the glorious but devilish Apple 🍎 is a very common thing. They hate Enterprise Certificates but gladly take their money and turn a cold shoulder to them. So here we will learn how to install apps from iOSGods when they're revoked, in spite of Apple! [Hidden Content] Enjoy!
24. THIS IS THE ONLY ACTUALLY WORKING METHOD/TUTORIAL/GUIDE TO UNBAN YOUR DEVICE FROM CALL OF DUTY MOBILE WITHOUT LOSING ANY DATA OR SAVED PASSWORDS

NOTE: This method does not unban your account. It only unbans your device, allowing you to create a new guest account and link that new account to your desired Facebook account (one that isn't banned already).

Requirements:
- Jailbroken device;
- iFile/Filza file manager (or another similar tweak).

Tutorial/Guide: [Hidden Content]

Side Note: You can use this method every time your device gets banned for using cheats in Call of Duty: Mobile. In case you need help or messed up a step, leave a comment and I'll try to reply as quickly as I can.