Help/Support Any guidance for modifying IPA with non-jailbreak device

kenzusik · August 2

11 hours ago, Aizen_ said:
Your game is crashing because of the way you patched the function. The instruction you used:
MOV W0, #99999
RET
doesn’t work for values bigger than 65535 on ARM64. MOV W0, #imm can only handle 16‑bit immediates, so when you put 99999, the instruction isn’t encoded properly and the app blows up when it runs.

If you want to force it to return 99999, you need to build that value in two steps using MOVZ and MOVK, like this:

MOVZ W0, #34463 ; lower 16 bits of 99999 (0x869F)
MOVK W0, #1, LSL #16 ; upper bits
RET

something like this i think

Thank you, but this happens even if I add not 9999, but even if I add 10

Aizen_ · August 3

13 hours ago, kenzusik said:

Thank you, but this happens even if I add not 9999, but even if I add 10

try to Patch somewhere else . maybe try to patch at the last or in the middle where decision point is

Rakunera · August 4

@Cashlaz can you kinda pin point how to use Frida for dynamic hooking or analysis?

I've tried Theos Jailed to hook stuff on games before but there are games that I find nothing on when loading onto IDA so I was thinking maybe using Frida for dynamic analysis would help but there are no resources out there for that

kenzusik · August 6

On 8/3/2025 at 3:09 PM, Aizen_ said:

try to Patch somewhere else . maybe try to patch at the last or in the middle where decision point is

I noticed something: the offset in the guide is long, but mine is short. In the offset field, I simply enter the offset from IDA. Is that correct?

Aizen_ · August 7

1 hour ago, kenzusik said:

I noticed something: the offset in the guide is long, but mine is short. In the offset field, I simply enter the offset from IDA. Is that correct?

Yes , if u r doing staric patching via HxD etc , then make sure ur base address is set to 0x0 not 100000000

go to edit > segments > Rebase peogram ( set it to 0x0 ) , then ur patches will work in HxD

On 8/4/2025 at 6:24 PM, Rakunera said:

@Cashlaz can you kinda pin point how to use Frida for dynamic hooking or analysis?

I've tried Theos Jailed to hook stuff on games before but there are games that I find nothing on when loading onto IDA so I was thinking maybe using Frida for dynamic analysis would help but there are no resources out there for that

Frida not worth your time ,trust me just try with IDA pro

KieranTran · August 7

On 8/2/2025 at 6:43 PM, kenzusik said:
I'm not patching random stuff — I'm specifically patching the DreamBlast.Inventory::GetCoins function

Here’s how it looks in IDA:
il2cpp:0000000001ADA504 ; DreamBlast.Inventory::GetCoins
il2cpp:0000000001ADA504                 SUB     SP, SP, #0x40
il2cpp:0000000001ADA508                 STP     X22, X21, [SP,#0x30+var_20]
il2cpp:0000000001ADA50C                 STP     X20, X19, [SP,#0x30+var_10]
...
il2cpp:0000000001ADA5B0                 RET
It just returns the coin count using GetItemCount and Mathf.Max

I try to patch it like this
MOV     W0, #99999
RET
Or in hex:
20 0B 80 D2   ; MOV W0, #99999
C0 03 5F D6   ; RET
But after patching, the app immediately crashes. The address is correct, and I’m only replacing the start of the function

I'm not so sure your tool can automatically balance the bit for #99999 or not. But look at your original function, I quite sure the reason cause the problem is "Function Contract".

Sub sp, sp..... // Subtract the stack pointer by 0x40 bytes, which means "allocating" 64 bytes on the stack.

Stp ...... // Save important registers to stack.

So they are "callee-saved" registers.

It means your patched overwrote the prologue of the function. The SP now is unbalanced and the function did not execute SUB SP, SP, #0x40. But the function that called GetCoins could expect the SP to be adjusted. So, when the parent function (caller) continues to run and then terminates, it will try to clean up its own stack. Since the SP is in an unexpected position, this cleanup will cause an error and crash the application.

I also use only non-jail device for modding. These things above just my experience when dealing with static patch by Ghidra and I'm not an expert in this field, so you should going to check again.

P/S: 1 more thing is you have to make sure that game not have any anti-cheat like source code integrity check. Because it can calculate everytime the game running, so you have to balance by yourself for safety.

Updated August 7 by KieranTran
P/S