Help/Support How can I change the returned value of a method to an expected string?

scatrmynd · May 2, 2022

iDevice: Jailbroken (checkra1n) iPhone 7 w/iOS 14.4

How can I change the returned value of a method to an expected string?

Below is the method as seen in dnSpy...

public string MatchEndReason
{
	[Token(Token = "0x6002EC5")]
	[Address(RVA = "0x15D2450", Offset = "0x15D2450", VA = "0x1015D2450")]
	[Attribute(Name = "CompilerGeneratedAttribute", RVA = "0x1A7C30", Offset = "0x1A7C30")]
	get
	{
		return null;
	}
	[Token(Token = "0x6002EC6")]
	[Address(RVA = "0x15D2458", Offset = "0x15D2458", VA = "0x1015D2458")]
	[Attribute(Name = "CompilerGeneratedAttribute", RVA = "0x1A7C40", Offset = "0x1A7C40")]
	set
	{
	}
}

The corresponding strings in global-metadata.dat include "PointsCaptured", "OpponentsDestroyed", "TimeWasUp", and "LeftGame" (all without quotes).

If I leave the game, I want to change the MatchEndReason from "LeftGame" to any of the other match end reasons so I can get an ad view for rewards.

Below are the corresponding ARM64 functions from IDA Pro...

il2cpp:00000001015D2450		; DATA XREF: __data:0000000104871DC8↓o
il2cpp:00000001015D2450		LDR		X0, [X0,#0x20]
il2cpp:00000001015D2454		RET
il2cpp:00000001015D2458		; DATA XREF: __data:0000000104871DD0↓o
il2cpp:00000001015D2458		STR		X1, [X0,#0x20]
il2cpp:00000001015D245C		RET

If I just try to patch LDR X0,[X0,#0x20] to a corresponding string list number for the Match End Reason (i.e. patch to MOV X0, #1 by hex-editing the binary at that offset to 200080D2), the game just crashes. I'm guessing it's looking for the actual string, but I don't know how to assign a string to a register.

Any insight you can provide would be greatly appreciated.

Updated May 2, 2022 by scatrmynd
clarification/reiteration at end of post

0xNoctis · May 11, 2022

On 5/2/2022 at 11:03 PM, scatrmynd said:

Address(RVA = "0x15D2450", Offset = "0x15D2450", VA = "0x1015D2450")]
	[Attribute(Name = "CompilerGeneratedAttribute", RVA = "0x1A7C30", Offset = "0x1A7C30")]

Which Offset are you trying to patch? also, are you testing the offsets/patch on the go or are you compiling it as an IPA then seeing if the hacks worked.

On 5/2/2022 at 11:03 PM, scatrmynd said:

il2cpp:00000001015D2450		; DATA XREF: __data:0000000104871DC8↓o
il2cpp:00000001015D2450		LDR		X0, [X0,#0x20]
il2cpp:00000001015D2454		RET
il2cpp:00000001015D2458		; DATA XREF: __data:0000000104871DD0↓o
il2cpp:00000001015D2458		STR		X1, [X0,#0x20]
il2cpp:00000001015D245C		RET

This isn't really needed as DNSPY show's you all the offsets.