Tutorial H5GG Tricks to do Live (online) Code Patching for Non-Jailbroken Devices !

[Happy Secret 3.3k iPad Pro (2nd gen) 16.2]

2 hours ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

let procs = h5frida.enumerate_processes();
if(!procs || !procs.length) throw "frida无法获取进程列表\n\nfrida can't get process list";

let pid = -1; //pid=-1, 使用自身进程来调用OC/C/C++函数, 也可以附加到其他APP进程来调用
//Use its own process to call OC/C/C++ functions, or attach to other APP processes to call

try {pid=h5gg.getProcList("UnityFramework")[0].pid;}catch(e){}

let found = false;
for(let i=0;i<procs.length;i++) {
    if(procs[i].pid==pid) {
        //if(procs[i].name!='Gadget') throw "免越狱测试请卸载frida-server的deb然后重启当前APP\nFor non-jailbreak tests, please uninstall the frida-server deb and restart the current APP";
        found = true;
    }
}

if(!found) throw "frida无法找到目标进程\n\nfrida cannot find the target process";

//检查目标APP进程是否在前台运行, 如果在后台暂停了, frida附加调用会卡住
//Check whether the target APP process is running in the foreground, if it is suspended in the background, frida will be blocked
while(pid>0) {
    let frontapp = h5frida.get_frontmost_application();
    if(frontapp && frontapp.pid == pid) break;
    
    alert("请将目标APP切换至前台运行, 再点击确定继续...\n"
            + "Please switch the target APP to the foreground to run, and then click OK to continue...");
}

 

Im on my device atm, couldn't paste it as code, but here is a raw code i found on an H5GG project that takes the PID. Tho i haven't read anything related to frida interceptor method (regarding H5GG)

Cool, let me give them a try. 
If I remember correctly, h5frida.enumerate_processes() return process within Frida only. I only see Gadget in it previously.

Below one could work, frontmost app should be the game

• let frontapp = h5frida.get_frontmost_application();
• frontapp.pid

This one, I am not so sure. 

• h5gg.getProcList("UnityFramework")[0].pid

 

There is a version of h5gg works cross-process app, which is requires jailbroken. Hopefully, these commands does not need that version.

 

[Happy Secret 3.3k iPad Pro (2nd gen) 16.2]

3 hours ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

Maybe after there is a way to find an automated step to make the app thinks it's in debugging mod ! 

It's good that "normal" hook with c++ work 

Am….are we talking the same hook? You seems have special expectation on that word “normal”.

My “normal” just mean, we don’t need to patch and re-Sideload the app. Just directly hook on to the app under debugging state.

[0xSolana 23k 10.0]

27 minutes ago, Happy Secret said:

Am….are we talking the same hook? You seems have special expectation on that word “normal”.

My “normal” just mean, we don’t need to patch and re-Sideload the app. Just directly hook on to the app under debugging state.

I mean c++ hook like on Ted2 mod menu.

34 minutes ago, Happy Secret said:

h5gg.getProcList("UnityFramework")[0].pid

try {pid=h5gg.getProcList("UnityFramework")[0].pid;}catch(e){}

var session = h5frida.attach(pid);
 

I saw this code on github for the second option. (getProcList), idk if it requires JB or not 

[Happy Secret 3.3k iPad Pro (2nd gen) 16.2]

2 hours ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

I mean c++ hook like on Ted2 mod menu

Never use Ted2 mod menu. I don’t have a jailbroken device now. 
 

is it a simple deb that I can inject and try out? 

[Happy Secret 3.3k iPad Pro (2nd gen) 16.2]

Test Result:

1. try {pid=h5gg.getProcList("UnityFramework")[0].pid;}catch(e){} - NOT WORK

2. let frontapp = h5frida.get_frontmost_application();

    frontapp.pid; - THIS WORK

But the hook seems not always work, sometime it cause game hang (not exit) on applying the hook.

Need some more study.

[0xSolana 23k 10.0]

48 minutes ago, Happy Secret said:

Test Result:

1. try {pid=h5gg.getProcList("UnityFramework")[0].pid;}catch(e){} - NOT WORK

2. let frontapp = h5frida.get_frontmost_application();

    frontapp.pid; - THIS WORK

But the hook seems not always work, sometime it cause game hang (not exit) on applying the hook.

Need some more study.

Mhhh so you mean H5GG hook is working some times if debugging is on ? 

[Happy Secret 3.3k iPad Pro (2nd gen) 16.2]

6 hours ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

Mhhh so you mean H5GG hook is working some times if debugging is on ? 

I am not able to find out what causing the game hang yet. But I seem happened after I tried to clean up the script. It could also because I mess up the code.

Let me try a bit more today.

[Happy Secret 3.3k iPad Pro (2nd gen) 16.2]

11 hours ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

Mhhh so you mean H5GG hook is working some times if debugging is on ? 

Update:

1. It works every time on my iPad Pro (9.7) but not work on my iPad Pro 2nd Generation.

2. Both are on iPad OS 16.2

Completely no idea what happens. 
 

Luckily the live patching work across device. Just the Interceptor failed on one.

I guess it is the implementation of Interceptor causing problem. Because the statement simply hang and not returning, app’s console log show nothing. We just see the Interceptor call invoked, then nothing more in log and not progressing.

So, it is probably not invalid memory access stuff.

Looking for possible solutions.

[0xSolana 23k 10.0]

3 hours ago, Happy Secret said:

Update:

1. It works every time on my iPad Pro (9.7) but not work on my iPad Pro 2nd Generation.

2. Both are on iPad OS 16.2

Completely no idea what happens. 
 

Luckily the live patching work across device. Just the Interceptor failed on one.

I guess it is the implementation of Interceptor causing problem. Because the statement simply hang and not returning, app’s console log show nothing. We just see the Interceptor call invoked, then nothing more in log and not progressing.

So, it is probably not invalid memory access stuff.

Looking for possible solutions.

Mhhh okay okay thanks for testing  

[Happy Secret 3.3k iPad Pro (2nd gen) 16.2]

Completely dead ended for live hook on non-jailbroken.

Tried 

1. Interceptor.replace instead of Interceptor.attach —FAILED on my IPad Pro 2nd Gen

2. Remove memory protection —FAILED on my IPad Pro 2nd Gen

 

For now, I will Iive with live patch first.
May be later see if H5GG would update embedded Frida version to latest. Then could give it a try.