Help/Support MSHOOKMEMORY hack not working

Ibrahim 89 · October 29, 2019

Hey guys I tried hacking with MSHOOKMEMORY using this tutorial:

I created a bloody harry hack but after successfully compiling my project in theos and installing the .deb, the tweak fails to function in the game shows no affects.

Here my Makefile:

INSTALL_TARGET_PROCESSES = SpringBoard

include $(THEOS)/makefiles/common.mk

TWEAK_NAME_LIBRARIES = substrate

bloodyharry_FILES = Tweak.x
bloodyharry_CFLAGS = -fobjc-arc

include $(THEOS_MAKE_PATH)/tweak.mk

And here is my Tweak.xm:

#import <substrate.h>
#import <mach-o/dyld.h>

uint64_t realAddr(uint64_t offset) {
	return offset + _dyld_get_image_vmaddr_slide(0);
}

%ctor {

uint64_t offset = realAddr(0x10092DEE8);

const uint8_t data[] = {
	0x1F, 0x20, 0x03, 0xD5,
};

MSHookMemory((void *)offset, data, sizeof(data));

}

Can anyone tell me where am I going wrong and what should I do to make my hack work?? btw im on ios 12.1 unc0ver

Thanks in advance.

Rook · October 30, 2019

Since latest Unc0ver uses Substitute, I think MSHookMemory might not be needed any longer? Unless it was ported over to Unc0ver's Substitute.

I also think someone made a header ready with MSHookMemory support.

Laxus · October 30, 2019

How can you so sure that offset is working shrug

Ibrahim 89 · October 30, 2019

13 hours ago, Laxus said:

How can you so sure that offset is working shrug

Cuz I tested with CustomLive offset patcher and it worked fine.

13 hours ago, DADi said:

Since latest Unc0ver uses Substitute, I think MSHookMemory might not be needed any longer? Unless it was ported over to Unc0ver's Substitute.

I also think someone made a header ready with MSHookMemory support.

Should I resort to vm_writedata to patch offsets?

Ted2 · October 30, 2019

Have you entered the correct bundle ID? Do a NSLog in the %ctor to see if it actually loads into the game or not

Ibrahim 89 · October 31, 2019

12 hours ago, Ted2 said:

Have you entered the correct bundle ID? Do a NSLog in the %ctor to see if it actually loads into the game or not

Yes. correct bundle ID entered and the UI shows in the app. Am I missing something in my include directory in theos since I only have the substrate.h file??

Ted2 · October 31, 2019

8 hours ago, Ibrahim 89 said:

Yes. correct bundle ID entered and the UI shows in the app. Am I missing something in my include directory in theos since I only have the substrate.h file??

No, if you were missing something it would throw errors.
Also, which UI shows in the app?

You can try this, but I doubt this will work:

#include <substrate.h>
#include <mach-o/dyld.h>
#define ASLR_BIAS _dyld_get_image_vmaddr_slide(0)

uint64_t getRealOffset(uint64_t offset){
	return ASLR_BIAS + offset;
}

void inject(uint64_t offset, uint64_t hackedHex) {
    hackedHex = CFSwapInt32(hackedHex);        
    MSHookMemory((void *)getRealOffset(offset), (void *)&hackedHex, sizeof(hackedHex));
}

//Usage
%ctor {
    inject(0x10092DEE8, 0x1F2003D5);
}

Ibrahim 89 · November 1, 2019

14 hours ago, Ted2 said:

No, if you were missing something it would throw errors.
Also, which UI shows in the app?

You can try this, but I doubt this will work:


#include <substrate.h>
#include <mach-o/dyld.h>
#define ASLR_BIAS _dyld_get_image_vmaddr_slide(0)

uint64_t getRealOffset(uint64_t offset){
	return ASLR_BIAS + offset;
}

void inject(uint64_t offset, uint64_t hackedHex) {
    hackedHex = CFSwapInt32(hackedHex);        
    MSHookMemory((void *)getRealOffset(offset), (void *)&hackedHex, sizeof(hackedHex));
}

//Usage
%ctor {
    inject(0x10092DEE8, 0x1F2003D5);
}

Nop still not working. It compiles fine but does not show any effect in the app however when I use the CustomLive Offset Patcher, the hack works(which freezes the ammo). My fault about the UI that was some other one, even using the UI crashes the app. Twice checked the Bundle ID.

Ted2 · November 1, 2019

2 hours ago, Ibrahim 89 said:

Nop still not working. It compiles fine but does not show any effect in the app however when I use the CustomLive Offset Patcher, the hack works(which freezes the ammo). My fault about the UI that was some other one, even using the UI crashes the app. Twice checked the Bundle ID.

Which jailbreak do you use? Also, UI as in Mod Menu?