Tutorial H5GG Full Tutorial [Offset Patching + Hooking] for Non-Jailbroken/Jailbreak Devices !

[0xSolana 23.6k 10.0]

11 minutes ago, papastweak said:

Haven't tested hooks yet but code patching works! Tested on Iphone 12 Pro Max, 16.1.2

that's cool, could you edit your answer and tell me if hook works ?

[Happy Secret 3.4k iPad Pro (2nd gen) 16.2]

40 minutes ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

edit :

oh you mean the UnityFramework patched ? well i didn't looked at the data at the offset 0x1B...98, but it's seems normal to me that's it's not 2000...FD6, otherwise it will always be enable. i think that it creates another function on the UnityFramework (at another place) and at 0x1B...98, it calls it.

so if there is no script running, we shouldn't be able to jump always, but when we load our script, it probably jump to our created function in the UnityFramework, and so it return 2000..FD6 at our function (maybe at 0x264ab4c) and if we unload the script, the original bytes in the memory will load again making "normal jumps"

 

(this is my personal analysis, it may not be 100% right but this is how i visual it) 

video : https://streamable.com/5g6nvz

So, it could be my concept is wrong from beginning.
First time the script run, we, in fact, expect the alert come and provide a patched version of the UnityFramework inside the static-inline-hook folder.

The patched version of UnityFramework has embedded a new function inside. 
 

From we call the ActiveCodePatch or StaticInlineHookFunction the second time onwards, it starts to take effect.

 

First run is just to prepare the Framework (insert function). The real effect happens when we use the patched framework with the function call to enable/disable.

 

Let me test it our again later tonight.

Thanks for the help.

[0xSolana 23.6k 10.0]

2 minutes ago, Happy Secret said:

So, it could be my concept is wrong from beginning.
First time the script run, we, in fact, expect the alert come and provide a patched version of the UnityFramework inside the static-inline-hook folder.

The patched version of UnityFramework has embedded a new function inside. 
 

From we call the ActiveCodePatch or StaticInlineHookFunction the second time onwards, it starts to take effect.

 

First run is just to prepare the Framework (insert function). The real effect happens when we use the patched framework with the function call to enable/disable.

 

Let me test it our again later tonight.

Thanks for the help.

yep you are right ! 

welcome !

[namcyeon 63 6]

I had tried hooking, but it's not working 😑, stuck at 

if(!h5frida.loadGadget("frida-gadget-15.1.24.dylib"))

[0xSolana 23.6k 10.0]

57 minutes ago, namcyeon said:

I had tried hooking, but it's not working 😑, stuck at 

if(!h5frida.loadGadget("frida-gadget-15.1.24.dylib"))

if this get you an error, you didn't have placed the file in the .app folder, or you have renamed it

[Laxus 790.8k iPhone 5s 10.3.3]

Have you tried instance variable hook? Does it work?

37 minutes ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

if this get you an error, you didn't have placed the file in the .app folder, or you have renamed it

 

[0xSolana 23.6k 10.0]

14 minutes ago, Laxus said:

Have you tried instance variable hook? Does it work?

 

nope, haven't tried, i think its possible tho, with this : https://frida.re/docs/javascript-api/
there is a doc on how to use writeInt / writeFloat.

[Happy Secret 3.4k iPad Pro (2nd gen) 16.2]

5 hours ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

yep you are right ! 

welcome !

I have just test it again and finally worked.

it is really 

• First run is just to prepare the Framework (insert function). The real effect happens when we use the patched framework with the function call to enable/disable.

You will probably want to include a hint/note to your tutorial about this.

The error message is not sufficient. It can’t explain what to expect.

 

Anyway, it is not the type of in memory hook/patch that I expect. It requires a repackage and redeployment for non-jailbroken.

Hope there is a way to do pure in memory hook / patch (without modifying the binary).

 

Did Frida allow us to do that? I used to test patches with Xcode (LLDB), but it requires a PC connection.

[namcyeon 63 6]

@Happy Secret You can try second method with hook, but it's not working with me.

[0xSolana 23.6k 10.0]

16 minutes ago, Happy Secret said:

I have just test it again and finally worked.

it is really 

• First run is just to prepare the Framework (insert function). The real effect happens when we use the patched framework with the function call to enable/disable.

You will probably want to include a hint/note to your tutorial about this.

The error message is not sufficient. It can’t explain what to expect.

 

Anyway, it is not the type of in memory hook/patch that I expect. It requires a repackage and redeployment for non-jailbroken.

Hope there is a way to do pure in memory hook / patch (without modifying the binary).

 

Did Frida allow us to do that? I used to test patches with Xcode (LLDB), but it requires a PC connection.

Yep, but here are the basics, after that you can make an HTML Mod Menu and create a dylib that contains your HTML + JS. then you can inject it on an iPA and you wont need to inject the script or anything.

Since Non-JB doesn't have the same permission as a JB Device, i don't think Frida let you hook like on JB.

10 minutes ago, namcyeon said:

@Happy Secret You can try second method with hook, but it's not working with me.

can you provide more details ?