Jump to content
Community Announcements, Giveaways & More!

How can I change the returned value of a method to an expected string?

scatrmynd

By scatrmynd
in Help & Support

 Share

2 posts in this topic

Recommended Posts

scatrmynd Enthusiast

scatrmynd 1
  •   iPhone 7 
  •   14.4

    • Posted
    Posted (edited)

    iDevice: Jailbroken (checkra1n) iPhone 7 w/iOS 14.4

    How can I change the returned value of a method to an expected string?

    Below is the method as seen in dnSpy... 

    public string MatchEndReason
{
	[Token(Token = "0x6002EC5")]
	[Address(RVA = "0x15D2450", Offset = "0x15D2450", VA = "0x1015D2450")]
	[Attribute(Name = "CompilerGeneratedAttribute", RVA = "0x1A7C30", Offset = "0x1A7C30")]
	get
	{
		return null;
	}
	[Token(Token = "0x6002EC6")]
	[Address(RVA = "0x15D2458", Offset = "0x15D2458", VA = "0x1015D2458")]
	[Attribute(Name = "CompilerGeneratedAttribute", RVA = "0x1A7C40", Offset = "0x1A7C40")]
	set
	{
	}
}

    The corresponding strings in global-metadata.dat include "PointsCaptured", "OpponentsDestroyed", "TimeWasUp", and "LeftGame" (all without quotes).

    If I leave the game, I want to change the MatchEndReason from "LeftGame" to any of the other match end reasons so I can get an ad view for rewards.

    Below are the corresponding ARM64 functions from IDA Pro... 

    il2cpp:00000001015D2450		; DATA XREF: __data:0000000104871DC8↓o
il2cpp:00000001015D2450		LDR		X0, [X0,#0x20]
il2cpp:00000001015D2454		RET
il2cpp:00000001015D2458		; DATA XREF: __data:0000000104871DD0↓o
il2cpp:00000001015D2458		STR		X1, [X0,#0x20]
il2cpp:00000001015D245C		RET

    If I just try to patch LDR X0,[X0,#0x20] to a corresponding string list number for the Match End Reason (i.e. patch to MOV X0, #1 by hex-editing the binary at that offset to 200080D2), the game just crashes. I'm guessing it's looking for the actual string, but I don't know how to assign a string to a register.

    Any insight you can provide would be greatly appreciated.

    Updated by scatrmynd
    clarification/reiteration at end of post
    0xNoctis Community Regular

    0xNoctis 9.7k
  •   iPad Pro (5th gen) 
  •   13.3
  • Donor
  •  

    • Posted
    Posted
    On 5/2/2022 at 11:03 PM, scatrmynd said: 
    Address(RVA = "0x15D2450", Offset = "0x15D2450", VA = "0x1015D2450")]
	[Attribute(Name = "CompilerGeneratedAttribute", RVA = "0x1A7C30", Offset = "0x1A7C30")]

    Which Offset are you trying to patch? also, are you testing the offsets/patch on the go or are you compiling it as an IPA then seeing if the hacks worked.

     

     

    On 5/2/2022 at 11:03 PM, scatrmynd said: 
    il2cpp:00000001015D2450		; DATA XREF: __data:0000000104871DC8↓o
il2cpp:00000001015D2450		LDR		X0, [X0,#0x20]
il2cpp:00000001015D2454		RET
il2cpp:00000001015D2458		; DATA XREF: __data:0000000104871DD0↓o
il2cpp:00000001015D2458		STR		X1, [X0,#0x20]
il2cpp:00000001015D245C		RET

    This isn't really needed as DNSPY show's you all the offsets. 

    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now
     Share
    Go to topic listing
    ×
    ×
    • Create New...

    Important Information

    We would like to place cookies on your device to help make this website better. The website cannot give you the best user experience without cookies. You can accept or decline our cookies. You may also adjust your cookie settings. Privacy Policy - Guidelines