Tutorial H5GG Tricks to do Live (online) Code Patching for Non-Jailbroken Devices !

Happy Secret · May 24, 2023

UPDATE: You can achieve this with JIT from Sideloadly/Altstore/etc now

First and foremost this trick is not for everyone.

It is mostly for those casual hacker who will do some dynamic hacking with debugger, while won’t spend a lot of time in front of PC.

Casual, in a sense that he/she does not have a jailbroken device.

He/she would like to do some causal hacking with in travel or away from PC.

This Trick allow you to test your hack with H5GG in real-time.
YES, no need to repackage and re-sideload.

Requirements:

- Xcode

- Subway Surfers

Spoiler

First, please follow ꞋꞌꞋꞌꞋꞌꞋꞌ ’s tutorial (H5GG Full Tutorial [Offset Patching + Hooking] for Non-Jailbroken/Jailbreak Devices !) to get Subway Surfers with H5GG & h5frida sideloaded to your Non-Jailbroken device.

Below is a modify version of CodePatchOffsetWithBytes.js (see H5GG GitHub) for Subway Surfers 3.6.0 (Always can Jump hack)

h5gg.require(7.8);

var modules = h5gg.getRangesList("UnityFramework"); //module file name

var base = modules[0].start; //module base addr in runtime memory

var addr = Number(base) + 0x1B39598; //offset

patchBytes(addr,  "200080D2C0035FD6"); //bytes

/********************************************************/
//Usually only jailbroken devices can do this, but we have a trick
function patchBytes(addr, hex) {
    for(i = 0;i<hex.length/2;i++) {
        var item = parseInt(hex.substring(i*2, i*2+2), 16);
        h5gg.setValue(addr+i,item, "U8");
    }
}
/********************************************************/

This code is supposed only work with Jailbroken device.

Save it in your iOS device, reachable by iOS Files App.

Here is the Tricks.

Run Subway Surfers on iOS device
Connect your iOS device to your PC
Open up Xcode, create a random project.
Attach debugger to your iOS’s Subway Surfers process (Debug -> Attach to Process, be sure you are project runtime is pointing at your iOS device)
After the debugger attached to your game, go to your game and inject the script with H5GG by clicking “the Scripts” button, and click on “Load” to find your script.
Boom, the hack is done.

Yes, if you do not have debugger on, the game will normally crash immediately due to invalid memory access (code section in memory is protected under non-jailbroken device, with one exception - when it is tagged as under debugging)

At this point, you may ask, does it mean we need to have debugger always turn on, for this hack. It is pretty useless.

The answer is NO. You can now try detach the debugger (Either disconnect your iOS device or Xcode -> Debug -> Detach)

Try your hack scripts again. Or change to any script that hack different offsets.

The game WON’T Crash. It is because the Debugging state of the App is very sticky. It won’t reset before your restart your App/Game.

In fact, you just need to attached and detach immediately. The debugging state is already registered.

So, Enjoy casual hacking with live code patching on non-jailbroken device.

note:

I haven’t try if h5frida Interceptor work in this way. I will give it a try later. But I guess, likely not work. Or it mean we can do live hooking as well. Too good to be true.
I guess ios-deploy might able to create the same Debugging state without Xcode as well. I haven't try as well.

Credits :

@tuancc the H5GG tool

@ꞋꞌꞋꞌꞋꞌꞋꞌ for the tutorial on H5GG tutorial

Updated May 24, 2023 by Happy Secret
JIT update

0xSolana · January 15, 2023

Nice, that's pretty cool

I never tried debug a game with xCode.

Nice tut, gonna link it on my tut

Happy Secret · January 15, 2023

4 hours ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

Nice, that's pretty cool

I never tried debug a game with xCode.

Nice tut, gonna link it on my tut

Thanks for the support.

if you are on Mac, Xcode is a pretty good option. Free and suppprt signing and Sideload with your our own Apple developer certificate.

0xSolana · January 16, 2023

8 hours ago, Happy Secret said:

Thanks for the support.

if you are on Mac, Xcode is a pretty good option. Free and suppprt signing and Sideload with your our own Apple developer certificate.

Yeah but sadly i don't have a mac

Happy Secret · January 16, 2023

4 minutes ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

Yeah but sadly i don't have a mac

Frankly, I want a Windows PC as well. A lot app in Windows OS are not available in Mac. Take DnSpy as example, I tried pretty hard still can’t get it running with wine in Mac.

0xSolana · January 16, 2023

4 hours ago, Happy Secret said:

Frankly, I want a Windows PC as well. A lot app in Windows OS are not available in Mac. Take DnSpy as example, I tried pretty hard still can’t get it running with wine in Mac.

use IlSpy for macOS, it's working great, it's different then DnSpy but well at least you can decompile DLLs

namcyeon · January 16, 2023

6 hours ago, Happy Secret said:

Frankly, I want a Windows PC as well. A lot app in Windows OS are not available in Mac. Take DnSpy as example, I tried pretty hard still can’t get it running with wine in Mac.

IDA pro crack also, 😆

Happy Secret · January 16, 2023

1 hour ago, namcyeon said:

IDA pro crack also, 😆

Haven’t try to do same thing with IDA.

I use IDA normally for string search, static analysis using graphical view.
I don’t even debug from IDA now. Completely don’t know how to debug on non-jailbroken device.

Happy Secret · January 16, 2023

2 hours ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

use IlSpy for macOS, it's working great, it's different then DnSpy but well at least you can decompile DLLs

Cool, thx. Not aware of that.
Do you have a good source of it? I don’t familiar GitHub and how to build. It often take me long time.

namcyeon · January 16, 2023

11 minutes ago, Happy Secret said:

Haven’t try to do same thing with IDA.

I use IDA normally for string search, static analysis using graphical view.
I don’t even debug from IDA now. Completely don’t know how to debug on non-jailbroken device.

I think IDA is the best disassembler tool, i can decompile il2cpp, read the understandable code