Help/Support How would I override an method with its offset?

Aarivex · November 3, 2019

I'm very new into this game, yet I have some knowledge (programming and basic reverse-engineering).

I just dumped some data for a game (American Dad! Apocalypse Soon). It's an Unity game, so I used IL2CPPDump/I'm viewing the classes with dotPeek.

There are many methods including get and set methods. Basiclly every method has its own RVA and offset.

How would I change the behaviour of a method?

Say I want get_XYZValue() to return 1337 (or set_XYZValue(int x) to set x to 1337) and the offset is 0x17EC0809. Would I just override 17EC0809 with 0x539 or maybe 20A78052 (MOV W0, #1337) or is it more than that?

I tried the second approach with some functions using iOSGods Live Offset Patcher, yet it sadly didn't affect anything.

I appreciate any answer! Thanks.

Updated November 4, 2019 by Aarivex

bR34Kr · November 4, 2019

Make sure that you have chosen the correct register to move a value into, and make sure it doesn’t get changed afterwards. This can be achieved by putting a RET statement right after it.

Aarivex · November 4, 2019

13 hours ago, bR34Kr said:

Make sure that you have chosen the correct register to move a value into, and make sure it doesn’t get changed afterwards. This can be achieved by putting a RET statement right after it.

Thanks for your answer.

I already know about RET, but how would you fit both MOV and RET in one single HEX and how could I get the current register? Do I need to debug it, or would fridump do the job?

And does that mean that the offset of a method is just pointing to the corresponding ARM code that is being executed, just like you'd inspect an method inside IDA?

Updated November 4, 2019 by Aarivex

Red16 · November 5, 2019

Are you trying to hook this

Updated November 5, 2019 by Red16

dj_TK · November 5, 2019

If you are using in game Menu patching your hack is 0x20A78052C0035FD6.

If you are just patching binary for ipa sideloading the hack is 20A78052C0035FD6.

Rook · November 6, 2019

On 11/4/2019 at 5:01 PM, Aarivex said:

I already know about RET, but how would you fit both MOV and RET in one single HEX and how could I get the current register? Do I need to debug it, or would fridump do the job?

Yeah, you can fit both MOV and RET in a function as long as the function is at least 4 bytes in size.

Updated November 6, 2019 by DADi

Aarivex · November 6, 2019

13 hours ago, DADi said:

Yeah, you can fit both MOV and RET in a function as long as the function is at least 4 bytes in size.

I got some answers on /r/jailbreakdevelopers that told me that I need the RVA and the ASLR slide, so it makes sense now to me.

Thanks for your answers!

What confused me was that why overriding a method address with ARM HEX instructions would work, but I got some insight there now that I know that you can "replace" the original function with your own and how the offset works using _dyld_get_image_vmaddr_slide(0).

Rook · November 6, 2019

51 minutes ago, Aarivex said:

I got some answers on /r/jailbreakdevelopers that told me that I need the RVA and the ASLR slide, so it makes sense now to me.

Thanks for your answers!

What confused me was that why overriding a method address with ARM HEX instructions would work, but I got some insight there now that I know that you can "replace" the original function with your own and how the offset works using _dyld_get_image_vmaddr_slide(0).

Ah, perhaps this would be of help to you. http://armconverter.com/mshookgenerator/

Aarivex · November 6, 2019

43 minutes ago, DADi said:

Ah, perhaps this would be of help to you. http://armconverter.com/mshookgenerator/

I already know that tool, but I can write that code on my own

I wrote this bit of code, which sadly doesn't affect anything:

#include <mach-o/dyld.h>
#include <substrate.h>
  
void *func = (void *)(_dyld_get_image_vmaddr_slide(0) + 0x101AA8924);
int (*original) (); // or int (*original) (void *self);
int replacement() { // or int replacement (void *self);
	return 10; 
}

%ctor {
	MSHookFunction(lvlFunc, (void *)replacement, (void **)&original);
}

whereas this code leads to an crash:

#include <mach-o/dyld.h>
#include <substrate.h>

int (*old_get_Level)(void *self);
int get_Level(void *self) {
	return 10;
}
  
%ctor {
	MSHookFunction((void *)(_dyld_get_image_vmaddr_slide(0) + 0x101AA8924), (void*)get_Level, (void**)&old_get_Level);
}

Not just with get_Level, but also with some methods inside a battle - f.e. MaxHealth or UnitHealth.