Solved App crashes when hooked function is called

princessXZ · April 5, 2020

Hello everyone.
I really need community's help now.

I am hacking using MSHookFunction and vm_writeData.
The game crashes when the function to hook is called in the case of MShookFunction, and when the function containing the rewritten instruction is called in the case of vm_writeData.
First, I thought that the processing after rewriting was bad. So I wrote the code to origin one with vm_writeData, but it still crashes when the function containing the instruction is called.
And now I think the offset is shifted:(

Here's how I get offset
1.Retrieve the desired binary decrypted using CrackerXI
2.Open it in IDA and find the desired function

I know there is an ASLR slide. I used iosgods' binarytool to remove aslr, but when opened in IDA the before and after offsets were the same.
I tried thinbinary as well. However, the process could not be completed normally due to an error on binarytool.

Below is an example of insturuction and offset:

15 00 38 1E

__text:00000001002B55F0 FCVTZS W21, S0

I write code like this

#import <substrate.h>
#import "vm_writeData.h"
%ctor {
	vm_writeData(0x1002B55F0, 0x1500381E); 
}

This only writes the original instruction but does not work. Crash when function containing this is called.

The game was made with cocos2dx
My phone is iphone8 and version is iOS13.3.1
Theos version is latest.

I would appreciate any advice.

Thank you.

Updated April 10, 2020 by mafusuke

Rook · April 5, 2020

Hello,

If you're using Cydia Substrate Unc0ver, or CheckRa1n, you will need to use:

princessXZ · April 6, 2020

Hello boss. Thank you for your reply.

Is my way of getting the offset correct?(I'm worried about this)
and also depends on CyraSubstrate of checkra1n that MSHookFunction cannot be used properly?:c

I tried MSHookMemory but I got this errror:c

Undefined symbols for architecture armv7:
"_MSHookMemory", referenced from:
_logosLocalCtor_7b309e66(int, char**, char**) in Tweak.xm.105cff38.o
ld: symbol(s) not found for architecture armv7

By the way I also tried LiveOffsetPatcher but crashed as well

I learned about the IOS hack for about a week but very defficult ( maybe the time to return to Android hack?:/ )　

Updated April 6, 2020 by mafusuke

0xNoctis · April 6, 2020

59 minutes ago, mafusuke said:

Hello boss. Thank you for your reply.

Is my way of getting the offset correct?(I'm worried about this)
and also depends on CyraSubstrate of checkra1n that MSHookFunction cannot be used properly?:c
I tried MSHookMemory but got this error
error: use of undeclared identifier 'MSHookMemory'
( I got and copied Substrate.h from Cydia / Framework to / var / root / theos / include )
By the way I also tried LiveOffsetPatcher but crashed as well

I learned about the IOS hack for about a week but very defficult ( maybe the time to return to Android hack?:/ )　

only took me 2 weeks to learn game hacking is the game a unity game like does it have Global metadata file in it

princessXZ · April 6, 2020

@Noctisx

I know there is useful tool for Unity.

but the game I want to hack is non-unity ... made with cocos2dx :c

Updated April 6, 2020 by mafusuke

0xNoctis · April 6, 2020

start with unity first non unity games are really hard to hack

princessXZ · April 6, 2020

3 minutes ago, Noctisx said:

start with unity first non unity games are really hard to hack

Unable to hack neither Unity games nor NonUnity games without solving the problem that Anyway Hook function hook does not work:(

Updated April 6, 2020 by mafusuke

princessXZ · April 6, 2020

11 hours ago, mafusuke said:

Hello boss. Thank you for your reply.

Is my way of getting the offset correct?(I'm worried about this)
and also depends on CyraSubstrate of checkra1n that MSHookFunction cannot be used properly?:c

I tried MSHookMemory but I got this errror:c

Undefined symbols for architecture armv7:
"_MSHookMemory", referenced from:
_logosLocalCtor_7b309e66(int, char**, char**) in Tweak.xm.105cff38.o
ld: symbol(s) not found for architecture armv7

By the way I also tried LiveOffsetPatcher but crashed as well

I learned about the IOS hack for about a week but very defficult ( maybe the time to return to Android hack?:/ )　