Tutorial H5GG Tutorial - Dynamicly Code Patch With Bytes on Non-jailbreak

GodModerator · April 11, 2023

with h5frida v2.0 now you can patch code dynamicly on non-jailbreak very easily, like this:

h5gg.require(7.9);

var h5frida=h5gg.loadPlugin("h5frida", "h5frida-15.1.24.dylib");
if(!h5frida) throw "Failed to load h5frida plugin";

alert("frida plugin version="+h5frida.pluginVersion() + "\nfrida core version="+h5frida.coreVersion());

function ActiveCodePatch(fpath, rvaddr, bytes) {
    if(!h5frida.ActiveCodePatch(fpath, rvaddr, bytes)) {
        var result = h5frida.ApplyCodePatch(fpath, rvaddr, bytes);
        alert(fpath+":0x"+rvaddr.toString(16)+"-PatchFailed!\n" + result);return false;
    } return true;
}
function DeactiveCodePatch(fpath, rvaddr, bytes) {
    return h5frida.DeactiveCodePatch(fpath, rvaddr, bytes);
}

/* 
fpath: relative path of the binary in the .app directory

rvaddr: relative virtual address
Generally speaking, for dylib/framework,  rvaddr = [offset in file] = [address in IDA]
for main executable, rvaddr = offset in file = [address in IDA] - [base address in IDA], the base address is usually 0x100000000.
*/
/*************************************************************************/

//switch on
ActiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x1A21658, "C0035FD6");

//switch off
DeactiveCodePatch("Frameworks/UnityFramework.framework/UnityFramework", 0x1A21658, "C0035FD6");

see more: https://github.com/H5GG/H5GG/tree/main/examples-h5frida

Updated April 11, 2023 by tuancc
fix

Laxus · August 31, 2022

I’m clueless right now, is there a proper code without using hookme to test? Like directly using binary?

GodModerator · August 31, 2022

1 minute ago, Laxus said:

I’m clueless right now, is there a proper code without using hookme to test? Like directly using binary?

do it for your binary by yourself.

hookme is just for testing, you can delete it.

0xSolana · August 31, 2022

3 hours ago, Laxus said:

I’m clueless right now, is there a proper code without using hookme to test? Like directly using binary?

var framework = h5gg.getRangesList("UnityFramework");

if it's normal binary:

var bin = h5gg.getRangesList("UnityFramework");

here examples : https://github.com/HappyOx6032/h5gg-files

Updated August 31, 2022 by j u s t...
examples

Laxus · September 1, 2022

6 hours ago, j u s t... said:

var framework = h5gg.getRangesList("UnityFramework");

if it's normal binary:

var bin = h5gg.getRangesList("UnityFramework");

here examples : https://github.com/HappyOx6032/h5gg-files

Thank you!!

Best explain, I aint programmer

Edit: How do I use these ...

Updated September 1, 2022 by Laxus

0xSolana · September 1, 2022

6 hours ago, Laxus said:

Thank you!!

Best explain, I aint programmer

Edit: How do I use these ...

after you can calc the base adress :

//get bin or framework

var framework = h5gg.getRangesList("UnityFramework");

//calculate base adresse + offset to prepare patch

var adr = Number(framework[0].start) + 0xOffset;

//patch offset

f***base(adr,"C0035FD6");

i think there are better examples in the link

Happy Secret · January 11, 2023

On 9/1/2022 at 4:15 PM, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

after you can calc the base adress :

//get bin or framework

var framework = h5gg.getRangesList("UnityFramework");

//calculate base adresse + offset to prepare patch

var adr = Number(framework[0].start) + 0xOffset;

//patch offset

f***base(adr,"C0035FD6");

i think there are better examples in the link