TuT [Tutorial] How to Easily Thin/Patch your Binary! On Mac/PC & iOS!

30 posts in this topic

Recommended Posts

DiDA    62,783

Instructions for PC/Mac/Linux:

Step 1: You need to have the app installed on your iDevice. If you're on iOS 9, you must install the app using iTunes in order for this process to work.

Step 2: The binary also needs to be cracked using Clutch or Rasticrac. Get them both from cydia.iphonecake.com; there are tutorials on how to use them posted around the forum.

Step 3: Once you have your cracked binary, visit http://armconverter.com/binarytools/

Step 4: Now select your binary file for uploading, or just drag and drop it on the upload button.

Step 5: Select the "Thin Binary" option and then press the "Go" button.

Step 6: Wait for the binary file to upload and the page to refresh, showing you the download link for the thinned/patched binary.

Step 7: Click the "Download thinned binary" button and you now have patched/thinned your binary!

Instructions for iOS/iDevice:

The same procedure is done if you're on iOS and using Safari. To upload any files using Safari, install "Safari Uploader 8" from Cydia. :)

That's it!
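What the "Thin Binary" step actually does is pick one architecture slice out of a fat (universal) Mach-O. The script below is an added example, not the original post's code and not armconverter.com's: it parses the fat header, extracts the requested slice and writes it out unchanged, so the same result is produced locally and the cracked binary never has to be uploaded anywhere. The sample fat file is constructed inline (two fake slices behind a real-layout header) so it runs without a real app binary.

```python
"""Thin a fat (universal) Mach-O down to one architecture slice, offline.

Added example; not the original post's code and not armconverter.com's.
It does what the post's "Thin Binary" step does: parse the fat header,
pick the slice for the wanted CPU type and write that slice out untouched.
The sample fat file is constructed inline so this runs without a real app.
"""
import struct

FAT_MAGIC = 0xCAFEBABE            # fat header is always big-endian
CPU_TYPE_ARM = 0x0000000C         # 32-bit ARM (armv7 and friends)
CPU_TYPE_ARM64 = CPU_TYPE_ARM | 0x01000000   # CPU_ARCH_ABI64 flag set
ARCH_NAMES = {CPU_TYPE_ARM: "armv7", CPU_TYPE_ARM64: "arm64"}
MH_MAGIC = 0xFEEDFACE             # 32-bit thin Mach-O magic (native order)
MH_MAGIC_64 = 0xFEEDFACF          # 64-bit thin Mach-O magic


def list_slices(data):
    """Return [(cputype, cpusubtype, offset, size)] from the fat header.

    Rejects non-fat input and headers whose slices point past the end of
    the file, which is what a truncated or tampered binary looks like.
    """
    if len(data) < 8:
        raise ValueError("file too short for a fat header")
    magic, nfat = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        raise ValueError("not a fat Mach-O (magic 0x%08x)" % magic)
    slices = []
    for i in range(nfat):
        entry = data[8 + 20 * i: 28 + 20 * i]      # one 20-byte fat_arch
        if len(entry) != 20:
            raise ValueError("fat header truncated")
        cputype, cpusub, off, size, _align = struct.unpack(">IIIII", entry)
        if off + size > len(data):
            raise ValueError("slice %d extends past end of file" % i)
        slices.append((cputype, cpusub, off, size))
    return slices


def thin(data, cputype):
    """Return the raw bytes of the slice for `cputype` (KeyError if absent)."""
    for ctype, _sub, off, size in list_slices(data):
        if ctype == cputype:
            return data[off:off + size]
    raise KeyError("no %s slice" % ARCH_NAMES.get(cputype, hex(cputype)))


def slice_magic(blob):
    """Native-order magic of a thin slice, to sanity-check the result."""
    return struct.unpack("<I", blob[:4])[0]


def build_sample_fat():
    """Constructed sample: fake armv7 and arm64 slices behind a real-layout
    fat header. Each slice is just a magic plus padding; a real slice also
    carries load commands, but the fat header is laid out the same."""
    armv7 = struct.pack("<I", MH_MAGIC) + b"\x00" * 60
    arm64 = struct.pack("<I", MH_MAGIC_64) + b"\x00" * 124
    off1 = 0x1000                                   # slices are page-aligned
    off2 = (off1 + len(armv7) + 0xFFF) & ~0xFFF
    header = struct.pack(">II", FAT_MAGIC, 2)
    header += struct.pack(">IIIII", CPU_TYPE_ARM, 9, off1, len(armv7), 12)    # subtype 9 = ARM_V7
    header += struct.pack(">IIIII", CPU_TYPE_ARM64, 0, off2, len(arm64), 12)  # align = 2^12
    out = bytearray(off2 + len(arm64))
    out[:len(header)] = header
    out[off1:off1 + len(armv7)] = armv7
    out[off2:off2 + len(arm64)] = arm64
    return bytes(out)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:   # usage: thin.py <fat binary> armv7|arm64 <output>
        wanted = {"armv7": CPU_TYPE_ARM, "arm64": CPU_TYPE_ARM64}[sys.argv[2]]
        with open(sys.argv[1], "rb") as f:
            blob = thin(f.read(), wanted)
        with open(sys.argv[3], "wb") as f:
            f.write(blob)
    else:                    # no arguments: run on the constructed sample
        fat = build_sample_fat()
        for ctype, _sub, off, size in list_slices(fat):
            print("%-5s offset=0x%x size=%d" % (ARCH_NAMES.get(ctype, "?"), off, size))
        print("arm64 magic 0x%08x" % slice_magic(thin(fat, CPU_TYPE_ARM64)))
```

On a Mac the same job is `lipo -info App` to list the slices and `lipo -thin arm64 App -output App.arm64` to extract one. Patch the thin file, not the fat one: an offset found in the arm64 slice only lands in the fat file at slice offset + that offset.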

Dannyyy    655

Thanks DiDA, this is a great resource for me for the future :D
ITz_kser    363

Nice boss :admin:

"and you know have patched/thinned your binary"

know? :lol:

  • Similar Content

    • By Fadexz
      Here's how to install iGameGuardian without "Initialisation Error". I figured I would make a tutorial because there isn't much out there.

    • By alpax93
      Well, hello everyone,
      that's my first post ever in a forum, and I'd like to start with this trick that I found while trying around to hack in-game purchases.

      After years of research to hack that F****ing SimCity BuildIt, I found a way that worked for almost 5 other games like MegaPolis or Paradise Beach. I'm still trying with other games; plus, after you've read this tut you should be able to test it yourself at any time with any game.

      What are we going to need?

      Atm I'm working to hack SimCity for arm32 or lower devices so that everyone can have his city hacked.
      Till now just money can be hacked, using something similar to GameGuardian for iOS in arm32.
    • By NitroxicDemon
      In this tutorial, I will just give a brief overview of some ARM64.
      You need to know ARMv7 first so this will be easier to understand.

      Let's Get Started
      So basically, instructions are the same; ARM64 has LDR, MOV, STR, etc., same as ARMv7.
      You will notice ARM64 has different registers: instead of R0, for example, ARM64 uses X0 or W0. You can hack it the same way as you would ARMv7.
      Example:

      This is ammo in the game Forward Assault. The highlighted instruction is what I hacked: SUB W8, W8, #1
      Subtract 1 from W8 and put the value back into W8; simply NOP it.

      OR
      You can hack the STR underneath it and, instead of storing W8, change it to W20 or W29. It will result in making your ammo a very high number. Why?
      Because, you silly goose, W20/W29 is the equivalent of R7. Or you can use X20/X29 if the function has X.

      But wait, are W20/W29 both the same, Father Nitro?
      Well, I'm glad you asked, I was just about to get to that, you eager McBeaver. You see here, 20 has a high value, but 29 has an even higher value. Sometimes 29 can make it go so high it goes negative, so use 20 instead.

      BOOLS
      Now let's talk about Booleans in ARM64. In ARMv7, to make something return TRUE or FALSE, we simply change it to MOV R0, #1 or MOV R0, #0.
      ARM64 is no different; it's just X instead: MOV X0, #0 or MOV X0, #1.

      Example:

      Here is an example function. In case you didn't know, it's a BOOL since this function loads a byte, which has a 0 or 1 value. So as you can see, this function gets my sexiness. Obviously, to hack it you will change it to MOV X0, #1, making it true, which it is. This can NEVER be false :kappa:

      FLOATS
      So floats in ARM64 are similar to ARMv7, using FMOV instead of VMOV. So just hack the instruction the same way as you would in ARMv7.
      Example:

      You can change that FMOV S2, #0.5 to FMOV S2, #31.0.
      Now it's time to discuss something else. As you may know, in ARMv7 sometimes we want to hack the beginning of a function and make it return a float value.
      So we would do:
      VMOV S0, #31.0
      VMOV R0, S0
      BX LR

      So Father Nitro, is it the same in ARM64?
      I know what you're thinking; you're thinking in ARM64 the equivalent would be:
      FMOV S0, #31.0
      FMOV X0, S0
      RET

      WRONG! Do that and watch the game crash. In ARM64 the second instruction isn't needed:
      FMOV S0, #31.0
      RET
      So just replace the first 2 lines of the function with FMOV S0, #31.0 then RET that bad boy.
      Now let me get into another example of why ARM64 is bae.
      Example:

      This function is from Critical Ops, which gets the bounciness of the grenade. As you will see, it's an LDR; you can hack it and change it from LDR to FMOV. Yes, in ARM64 you can hack LDR functions to FMOVs. So to hack the function, you can replace the LDR S0, [X0,#0xA0]
      with an FMOV S0, #31.0
      This function made my grenades super bouncy; it was funny to troll in public matches. The grenades bounced like crazy!
      In ARMv7 I found the same function; it was an LDR followed by a BX LR (RET). So to hack it, I tried many things, MOV R0, R7 and such, but every time I threw a grenade it crashed. A VMOV S0, #31.0 / VMOV R0, S0 / BX LR wouldn't work since there isn't enough space. Unless you wanted to write your own code to the unused part of the binary and make the function branch there, which I'm not entirely sure would have worked since I never tried. So I just hacked it in ARM64 instead.

      That's it for this tutorial.

      EDIT: Forgot to mention, this tutorial was written specially for Amuyea
    • By TheArmQueen
      Call this the AppCake of Mac!!

      It's simple: go to the website and search for and download your preferred software for free.

      Note: Not every software is available, but tons are; Mac App Store paid apps can easily be found here.

      Website:
    • By evildog1
      As requested, here is the tutorial on how to dump il2cpp of iOS Unity games. With Il2CppDumper, it will be much easier to find useful functions and offsets to hack. No need to waste your time debugging the game.
      Note: Il2CppDumper does not work on some games. Dumping 64-bit offsets may not work. Bug reported: https://github.com/Perfare/Il2CppDumper/issues/22
      We hope djkaty (developer of Il2CppInspector) will also work on iOS dumping so we can use Il2CppInspector as an extra dumper, in case Il2CppDumper doesn't work correctly.
      I will keep updating this thread if I find something new.

      Requirements:
      - ARM/ASM knowledge
      - IDA hacking experience
      - IDA Pro. Download link
      - Notepad++. Download link
      - Il2CppDumper (Windows). Download link
      - Clutch or Rasticrac for jailbroken devices, or visit appvn.com to download the latest cracked free games
      - WinRAR or 7-Zip to open the .ipa file

      Instructions:
      Download the released version of Il2CppDumper by Perfare and extract the program.

      To open the .ipa file, simply rename the file extension to .zip and open it.
      If you are using 7-Zip, right click -> 7-Zip -> Open Archive to open the .ipa file directly.

      Navigate to \Payload\<app or game name>.app\ and extract the big binary file that doesn't have a file extension.
      Navigate to \Payload\iosfps.app\Data\Managed\Metadata\ and extract global-metadata.dat.

      Launch Il2CppDumper.exe. It will open the file-selection dialog twice. For the ELF file or Mach-O file, select the binary file. For global-metadata.dat, select global-metadata.dat.

      It will ask you to select the platform, 32-bit or 64-bit. Press 1 for 32-bit or press 2 for 64-bit. Now for Mode, press 1 for manual and press 2 for auto. Please use Auto mode to get the program to find the offsets and dump the code for you, because looking for the 2 required offsets (CodeRegistration and MetadataRegistration) in IDA Pro to dump is too complicated, and Unity already stripped all names of functions, which means they will be harder to find; and I haven't found out where to find the 2 offsets in a 64-bit binary yet. As you used auto mode, the program will tell you the offsets, but you do not need to know them if you have no idea what they are.

      The dump.cs file should be created at the location where Il2CppDumper.exe is located.

      Open dump.cs with Notepad++ by right clicking and selecting Edit with Notepad++.
      Inside dump.cs, you'll see C# code. Method bodies are not dumped, but it's very simple code that tells you function names and offsets to mod.

      To search, click Search -> Find...
      To find all occurrences of a keyword, click on Find All in Current Document.

      If you have never seen C# code before, I'll explain a bit what the code means. I'm bad at explaining what this code means, but I hope it goes well.

      The comment you see on top is just a list of .dll files that have been converted into il2cpp:
      // Image 0: mscorlib.dll - 0
      // Image 1: System.Security.dll - xxxx
      ...
      // Image xx: Assembly-CSharp.dll - xxxx

      The Assembly-CSharp.dll (Android users know this) is the game logic thing and it is what we are looking for. The full code of the "Assembly-CSharp.dll" thingy is always located somewhere at the bottom of the dumped file.

      This class body is like a group to make it easier for programmers to find code. For example, a PlayerAntiHack class contains anti-hack related code.
      // Namespace:
      public class PlayerScript : MonoBehaviour // TypeDefIndex: 4303
      {
      }

      In IDA you'll probably see function names like
      Player::Get_Gold...
      Player::Get_Cash...
      Player::Isbanned...
      ...

      I'll give you better details:
      A class is a construct that enables you to create your own custom types by grouping together variables of other types, methods and events. A class is like a blueprint. It defines the data and behavior of a type. ... Unlike structs, classes support inheritance, a fundamental characteristic of object-oriented programming.

      In the class, you'll see something like this:
      // Fields
      private int primaryWeaponIndex; // 0x10
      private float minSpread; // 0x820
      private float spread; // 0x824
      private float visualSpread; // 0x828
      ...

      Fields are not what we are looking for, so let's look into Methods.

      // Methods
      private int findNextAvailableWeapon(int currentWeaponIndex); // 1e704c
      private bool IsLookingAtPlayer(PlayerScript player); // 1f3894
      public bool HasBeenVisible(); // 1f2fa0
      ...
      public int get_Gold_Example(); // 1a2b3c
      public float float_example(); // 1a2b3d
      ...

      This is what we are looking for. This simple code gives the names of the methods/functions and their types, and the REAL IDA OFFSETS are written in the green commented text.

      public, private, protected etc. are access modifiers. It's not important to know.
      static is a static modifier to declare a static member. It's not important to know.
      int, float, double, boolean etc. are data types.

      If you look up the offset in IDA, you will see a sub_xxxxxx

      Write down all useful functions + offsets you found inside the dumped .cs file and start writing your code injection.

      Note: It is suggested that you disassemble the binary file and look up the offsets to see if there is enough space to replace the instructions to hack.

      That's all. Good luck hacking iOS games!
      Credits:
      Evildog1 A.K.A iAndroHacker (this tutorial)
      Perfare (Il2CppDumper https://github.com/Perfare/Il2CppDumper)
       
       