Tutorial H5GG Tutorial - Dynamicly Code Patch With Bytes on Non-jailbreak

GodModerator · April 11, 2023

with h5frida v2.0 now you can patch code dynamicly on non-jailbreak very easily, like this:

h5gg.require(7.9);

var h5frida=h5gg.loadPlugin("h5frida", "h5frida-15.1.24.dylib");
if(!h5frida) throw "Failed to load h5frida plugin";

alert("frida plugin version="+h5frida.pluginVersion() + "\nfrida core version="+h5frida.coreVersion());

function ActiveCodePatch(fpath, rvaddr, bytes) {
    if(!h5frida.ActiveCodePatch(fpath, rvaddr, bytes)) {
        var result = h5frida.ApplyCodePatch(fpath, rvaddr, bytes);
        alert(fpath+":0x"+rvaddr.toString(16)+"-PatchFailed!\n" + result);return false;
    } return true;
}
function DeactiveCodePatch(fpath, rvaddr, bytes) {
    return h5frida.DeactiveCodePatch(fpath, rvaddr, bytes);
}

/* 
fpath: relative path of the binary in the .app directory

rvaddr: relative virtual address
Generally speaking, for dylib/framework,  rvaddr = [offset in file] = [address in IDA]
for main executable, rvaddr = offset in file = [address in IDA] - [base address in IDA], the base address is usually 0x100000000.
*/
/*************************************************************************/

//switch on
ActiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x1A21658, "C0035FD6");

//switch off
DeactiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x1A21658, "C0035FD6");

see more: https://github.com/H5GG/H5GG/tree/main/examples-h5frida

Updated April 11, 2023 by tuancc
fix

Laxus · August 31, 2022

I’m clueless right now, is there a proper code without using hookme to test? Like directly using binary?

GodModerator · August 31, 2022

1 minute ago, Laxus said:

I’m clueless right now, is there a proper code without using hookme to test? Like directly using binary?

do it for your binary by yourself.

hookme is just for testing, you can delete it.

𓄼 . f v c k . 𓄹 · August 31, 2022

3 hours ago, Laxus said:

I’m clueless right now, is there a proper code without using hookme to test? Like directly using binary?

var framework = h5gg.getRangesList("UnityFramework");

if it's normal binary:

var bin = h5gg.getRangesList("UnityFramework");

here examples : https://github.com/HappyOx6032/h5gg-files

Updated August 31, 2022 by j u s t...
examples

Laxus · September 1, 2022

6 hours ago, j u s t... said:

var framework = h5gg.getRangesList("UnityFramework");

if it's normal binary:

var bin = h5gg.getRangesList("UnityFramework");

here examples : https://github.com/HappyOx6032/h5gg-files

Thank you!!

Best explain, I aint programmer

Edit: How do I use these ...

Updated September 1, 2022 by Laxus

𓄼 . f v c k . 𓄹 · September 1, 2022

6 hours ago, Laxus said:

Thank you!!

Best explain, I aint programmer

Edit: How do I use these ...

after you can calc the base adress :

//get bin or framework

var framework = h5gg.getRangesList("UnityFramework");

//calculate base adresse + offset to prepare patch

var adr = Number(framework[0].start) + 0xOffset;

//patch offset

f***base(adr,"C0035FD6");

i think there are better examples in the link

Happy Secret · January 11, 2023

On 9/1/2022 at 4:15 PM, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

after you can calc the base adress :

//get bin or framework

var framework = h5gg.getRangesList("UnityFramework");

//calculate base adresse + offset to prepare patch

var adr = Number(framework[0].start) + 0xOffset;

//patch offset

f***base(adr,"C0035FD6");

i think there are better examples in the link

Hello, the link document is gone. Can help upload one back? Thanks in advance

𓄼 . f v c k . 𓄹 · January 12, 2023

8 hours ago, Happy Secret said:

Hello, the link document is gone. Can help upload one back? Thanks in advance

here is the chinese telegram of H5GG, they share a lot of scripts : https://t.me/h5gg_cn

and here is a forked repo of the one i gaved :

https://github.com/iRedddy/h5gg-files

Happy Secret · January 12, 2023

Thx, but I don’t use Telegram.

I am on their discord.

Happy Secret · January 13, 2023

Not sure why I got "The bytes to patch have changed, please revert to original file and try again" error when execute the ActiveCodePatch function.

I did tried with an unmodified UnityFramework file. Still failed.

Any idea why? @tuancc

Sign In

Tutorial H5GG Tutorial - Dynamicly Code Patch With Bytes on Non-jailbreak

13 posts in this topic

Recommended Posts

GodModerator 173 iPhone X 13.4

Link to comment

Share on other sites

Laxus 742.4k iPhone 5s 10.3.3

Link to comment

Share on other sites

GodModerator 173 iPhone X 13.4

Link to comment

Share on other sites

𓄼 . f v c k . 𓄹 18k :)

Link to comment

Share on other sites

Laxus 742.4k iPhone 5s 10.3.3

Link to comment

Share on other sites

𓄼 . f v c k . 𓄹 18k :)

Link to comment

Share on other sites

Happy Secret 2.8k iPad Pro (2nd gen) 16.2

Link to comment

Share on other sites

𓄼 . f v c k . 𓄹 18k :)

Link to comment

Share on other sites

Happy Secret 2.8k iPad Pro (2nd gen) 16.2

Link to comment

Share on other sites

Happy Secret 2.8k iPad Pro (2nd gen) 16.2

Link to comment

Share on other sites

Join the conversation

Our picks

Picked By

Picked By

Picked By

Picked By

Picked By

Picked By

Picked By

Picked By

Picked By

Picked By

Picked By

Picked By

Important Information

GodModerator 173
iPhone X

13.4

Laxus 742.4k
iPhone 5s

10.3.3

GodModerator 173
iPhone X

13.4

𓄼 . f v c k . 𓄹 18k

:)

Laxus 742.4k
iPhone 5s

10.3.3

𓄼 . f v c k . 𓄹 18k

:)

Happy Secret 2.8k
iPad Pro (2nd gen)

16.2

𓄼 . f v c k . 𓄹 18k

:)

Happy Secret 2.8k
iPad Pro (2nd gen)

16.2

Happy Secret 2.8k
iPad Pro (2nd gen)

16.2