Tutorial H5GG Tricks to do Live (online) Code Patching for Non-Jailbroken Devices !

Happy Secret · January 16, 2023

6 minutes ago, namcyeon said:

To

/cdn-cgi/mirage/db804e55228eea14ed66529a8d29de853ef284cd521d3708b93a2ff43c4bae76/1280/https://i.imgur.com/Je63274.png

Oh!! That is something I don’t know.

Any tutorial? How to convert first photo to second one?

I thought we can only look at those arm code to mentally reverse engine the logic. Very painful exercise for me.

namcyeon · January 16, 2023

56 minutes ago, Happy Secret said:

Oh!! That is something I don’t know.

Any tutorial? How to convert first photo to second one?

I thought we can only look at those arm code to mentally reverse engine the logic. Very painful exercise for me.

After ida processed your il2cpp file (take about 30min), press F5, it will show the pseudocode of which function you selected https://www.hex-rays.com/products/decompiler/manual/interactive.shtml

Happy Secret · January 16, 2023

3 minutes ago, namcyeon said:

After ida processed your il2cpp file (take about 30min), press F5, it will show the pseudocode of which function you selected https://www.hex-rays.com/products/decompiler/manual/interactive.shtml

Oh! God! I just missed the lovely “F5”!

Thank you so much!

0xSolana · January 16, 2023

1 hour ago, Happy Secret said:

Cool, thx. Not aware of that.
Do you have a good source of it? I don’t familiar GitHub and how to build. It often take me long time.

it was a long time ago but i dis not build it, it was already done

0xSolana · January 16, 2023

@Happy Secret Have you tried to see if "normal" hook that is used for common cheats, work on jailed if debugging is on ?

I do not have XCode, otherwise i would test it by myself

Happy Secret · January 16, 2023

2 hours ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

@Happy Secret Have you tried to see if "normal" hook that is used for common cheats, work on jailed if debugging is on ?

I do not have XCode, otherwise i would test it by myself

Quite busy these two days. I am still figuring out how to write “Intercepter” on UnityFramework. Never try it before.

Or do you have good tutorial? Or a quick piece of normal hook script for Subway Surfers?

Two quick challenges found are,

1. How to get process ID in script?
“var pid = $("#procname").attr('pid');” is not working.
Per tuancc, this seems need different version of H5GG. I am trying to hard code “pid” for now.

2. Interceptor is default not available under current configuration. We will need to update the Frida config. Already found what to change, hopefully we won’t block by the jailed implementation of H5GG/h5frida.

Happy Secret · January 17, 2023

9 hours ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

@Happy Secret Have you tried to see if "normal" hook that is used for common cheats, work on jailed if debugging is on ?

I do not have XCode, otherwise i would test it by myself

GOD!!! I seems make the normal hook working under debugging state! I can hook the Subway Surfers - Always can jump!

Not sure if there has any drawback/issue yet.

Will give another try later tonight!

If it really works, I will definitely make another Tutorial.

Anyway, current version is still quite handicapped. Need manually hard code process ID in script. But if hook is possible, I will find way to get process ID from system.

0xSolana · January 17, 2023

2 hours ago, Happy Secret said:

GOD!!! I seems make the normal hook working under debugging state! I can hook the Subway Surfers - Always can jump!

Not sure if there has any drawback/issue yet.

Will give another try later tonight!

If it really works, I will definitely make another Tutorial.

Anyway, current version is still quite handicapped. Need manually hard code process ID in script. But if hook is possible, I will find way to get process ID from system.

Maybe after there is a way to find an automated step to make the app thinks it's in debugging mod !

It's good that "normal" hook with c++ work

Updated January 17, 2023 by ꞋꞌꞋꞌꞋꞌꞋꞌ

IosgodPlayer · January 17, 2023

4 minutes ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

maybe after that we could find an automated step to make the app thinks it's in debugging mod !

it's good that "normal" hook with c++ work

Wow thanks!

now i can crack iap

0xSolana · January 17, 2023

8 hours ago, Happy Secret said:

How to get process ID in script?

let procs = h5frida.enumerate_processes();
if(!procs || !procs.length) throw "frida无法获取进程列表\n\nfrida can't get process list";

let pid = -1; //pid=-1, 使用自身进程来调用OC/C/C++函数, 也可以附加到其他APP进程来调用
//Use its own process to call OC/C/C++ functions, or attach to other APP processes to call

try {pid=h5gg.getProcList("UnityFramework")[0].pid;}catch(e){}

let found = false;
for(let i=0;i<procs.length;i++) {
if(procs[i].pid==pid) {
//if(procs[i].name!='Gadget') throw "免越狱测试请卸载frida-server的deb然后重启当前APP\nFor non-jailbreak tests, please uninstall the frida-server deb and restart the current APP";
found = true;
}
}

if(!found) throw "frida无法找到目标进程\n\nfrida cannot find the target process";

//检查目标APP进程是否在前台运行, 如果在后台暂停了, frida附加调用会卡住
//Check whether the target APP process is running in the foreground, if it is suspended in the background, frida will be blocked
while(pid>0) {
let frontapp = h5frida.get_frontmost_application();
if(frontapp && frontapp.pid == pid) break;

alert("请将目标APP切换至前台运行, 再点击确定继续...\n"
+ "Please switch the target APP to the foreground to run, and then click OK to continue...");
}

Im on my device atm, couldn't paste it as code, but here is a raw code i found on an H5GG project that takes the PID. Tho i haven't read anything related to frida interceptor method (regarding H5GG)