Help/Support Can't patch offsets with iGG - where am I going wrong?

Liam Crayden · September 14, 2024

I am working on a custom speed tweak for a Unity based game.

I'm on a jailed iPhone with iGG Jailed and Custom Offset Patcher injected. I also have Frida Gadget injected.

I have identified the correct Il2cpp instance function - which is a float value. The default value is 1.00. I want to increase it to 3.00 by changing the return value.

The get_Speed function:
[Address(RVA = "0x2FF3D4C", Offset = "0x2FF3D4C", VA = "0x2FF3D4C")]

LDR             S0, [X0,#0x10]
RET

The set_Speed function:
[Address(RVA = "0x2FF3D54", Offset = "0x2FF3D54", VA = "0x2FF3D54")]

STR             S0, [X0,#0x10]
RET

Using Frida I have verified that the set_Speed function is called at the time that I expect it, so I think the best way to do it would be to override the input value (set by a server call with some horrid protobuf thing).

I have tried putting the offset as 2FF3D54 and the patch as 00F0271EC0035FD6 (which is just max float value and a return - FMOV S0, #31.00000000 RET). It doesn't work.

I then wondered if I needed to get the exact offset so I also use Frida to find the base address of UnityFramework and add 0x2FF3D54 to it - that didn't work either.

No matter what I try, the speed does not change. I have also tried the same technique with the get_Speed function, where I just return 3f. It doesn't work.

HOWEVER.

If I use Frida to call the function with my own custom value (3f) then it works immediately (I do Il2cpp.gc.choose... to find the instance, then call the set_Speed method).

Where am I going wrong?

I've also tried this on an iPhone 6S with Dopamine jailbreak, get-task-allow, and with JIT enabled. Nothing changes.

Laxus · September 14, 2024

From my modding experience the small function like that do nothing. You may need to find another working one

Try xref that function in IDA see if it lead to anywhere else

Liam Crayden · September 17, 2024

On 9/14/2024 at 9:16 AM, Laxus said:

From my modding experience the small function like that do nothing. You may need to find another working one

Try xref that function in IDA see if it lead to anywhere else

Thanks for this tip. I was able to see a function further down that was altering the value, so targeting that made the patch work. All working now as expected (and I can stop wondering if I'm doing my offsets wrong now! 😅)