Request Critical Ops

clyzeep · February 6

📌 Game Hack Request Details:

Game Name: Critical Ops
Game Version: 1.52.7
App Store Link: https://apps.apple.com/sg/app/critical-ops-online-pvp-fps/id1017717218
Device Type: Jailbroken / Non-Jailbroken

🎮 Hack Features You Want:
Radar Hack or ESP Hack or Chams Hack Help to tutorial or make it

Kalo DzN · February 10

all i can give you is my current tweak.xm code : with the current offsets ! for non jb devices im not quite finished yet

#import <UIKit/UIKit.h>
#import <mach-o/dyld.h>
#import <dlfcn.h>
#import <mach/mach.h>

// --- VERIFIED OFFSETS (v1.52) ---
#define OFF_CAMERA    0x21cbd4   
#define OFF_W2S       0x21cb90   
#define OFF_POS       0x21cb50   
#define OFF_MANAGER   0x4243050  
#define OFF_TRANSFORM 0x30       // The magic fix from your screenshot

// --- TYPES ---
struct Vector3 { float x, y, z; };

// --- GLOBALS ---
uintptr_t _unityBase = 0;

// --- FUNCTION SIGNATURES (THE FIX) ---
// We must match the "_Injected" signature: (Pointer, OutputPointer, ...)
long (*GetMainCamera)();

// WorldToScreen_Injected(Camera*, Vector3* input, int eye, Vector3* output)
void (*WorldToScreen)(void* cam, struct Vector3* world, int eye, struct Vector3* screen);

// get_position_Injected(Transform*, Vector3* output)
void (*GetPosition)(void* transform, struct Vector3* outPos);

struct {
    BOOL _espEnabled;
    BOOL _linesEnabled;
    BOOL _offsetsLoaded;
} _hacks;

// --- FORWARD DECLARATIONS ---
@interface UISystemInternalBase : UIView
@property (nonatomic, strong) UITextField *_secureInputProxy;
- (void)_registerSub_overlay:(UIView *)view;
@end

@interface CAAnimationGroupProxy : UIView
@end

@interface UIInputContextManager : UIView
@property (nonatomic, strong) UIButton *btnESP;
@property (nonatomic, strong) UIButton *btnLines;
@property (nonatomic, strong) UILabel *lblStatus;
@end

// --- KERNEL SAFE READ ---
extern "C" {
    typedef uint64_t mach_vm_address_t;
    typedef uint64_t mach_vm_size_t;
    kern_return_t mach_vm_read_overwrite(vm_map_t, mach_vm_address_t, mach_vm_size_t, mach_vm_address_t, mach_vm_size_t*);
}
bool safe_read(uintptr_t address, void *buffer, size_t size) {
    mach_vm_size_t bytesRead = 0;
    kern_return_t kr = mach_vm_read_overwrite(mach_task_self(), (mach_vm_address_t)address, size, (mach_vm_address_t)buffer, &bytesRead);
    return (kr == KERN_SUCCESS && bytesRead == size);
}

// --- IMPLEMENTATIONS ---

@implementation UISystemInternalBase
- (instancetype)initWithFrame:(CGRect)frame {
    self = [super initWithFrame:frame];
    if (self) {
        self._secureInputProxy = [[UITextField alloc] init];
        self._secureInputProxy.secureTextEntry = YES;
        self.userInteractionEnabled = NO;
        [self addSubview:self._secureInputProxy];
        
        UIView *_targetCanvas = [self._secureInputProxy.subviews firstObject];
        if (_targetCanvas) {
            _targetCanvas.frame = [UIScreen mainScreen].bounds;
        }
    }
    return self;
}
- (void)_registerSub_overlay:(UIView *)view { 
    UIView *layer = [self._secureInputProxy.subviews firstObject];
    if (layer) [layer addSubview:view]; 
}
@end

@implementation CAAnimationGroupProxy
- (void)drawRect:(CGRect)rect {
    if (!_hacks._espEnabled || !_hacks._offsetsLoaded) return;

    CGContextRef _ctx = UIGraphicsGetCurrentContext();
    [[UIColor redColor] setStroke];
    CGContextSetLineWidth(_ctx, 1.5);

    if (!GetMainCamera) return;
    long camAddr = GetMainCamera();
    if (camAddr == 0) return;
    void* _camInst = (void*)camAddr;

    uintptr_t managerPtr = 0;
    if (!safe_read(_unityBase + OFF_MANAGER, &managerPtr, sizeof(managerPtr))) return;
    if (managerPtr < 0x100000000) return;

    int count = 0;
    if (!safe_read(managerPtr + 0x18, &count, sizeof(count))) return;
    
    uintptr_t itemsPtr = 0;
    if (!safe_read(managerPtr + 0x10, &itemsPtr, sizeof(itemsPtr))) return;

    if (count < 1 || count > 64) return;

    for (int i = 0; i < count; i++) {
        uintptr_t playerAddr = 0;
        if (!safe_read(itemsPtr + 0x20 + (i * 0x8), &playerAddr, sizeof(playerAddr))) continue;
        if (playerAddr < 0x100000000) continue;

        uintptr_t transformAddr = 0;
        safe_read(playerAddr + OFF_TRANSFORM, &transformAddr, sizeof(transformAddr));

        if (transformAddr < 0x100000000) continue;

        void* _transform = (void*)transformAddr;
        
        // --- FIXED DATA FLOW ---
        struct Vector3 _wPos = {0,0,0};
        struct Vector3 _sPos = {0,0,0};
        
        // 1. Get World Pos (Pass pointer to write to)
        GetPosition(_transform, &_wPos);
        
        if (_wPos.x == 0 && _wPos.y == 0 && _wPos.z == 0) continue;

        // 2. Get Screen Pos (Pass pointers for Input and Output)
        // Note: Eye 2 usually maps to Mono/Left.
        WorldToScreen(_camInst, &_wPos, 0, &_sPos);

        if (_sPos.z > 0.5f) { 
            float x = _sPos.x;
            float y = rect.size.height - _sPos.y;
            
            float h = 3500.0f / _sPos.z; 
            if (h > 300) h = 300;
            if (h < 10) h = 10;
            float w = h * 0.6f;
            
            CGContextStrokeRect(_ctx, CGRectMake(x - (w/2), y - (h/2), w, h));
            
            if (_hacks._linesEnabled) {
                CGContextMoveToPoint(_ctx, rect.size.width/2, rect.size.height);
                CGContextAddLineToPoint(_ctx, x, y + (h/2));
                CGContextStrokePath(_ctx);
            }
        }
    }
}
@end

@implementation UIInputContextManager { CGPoint _originPoint; }
- (instancetype)initWithFrame:(CGRect)frame {
    self = [super initWithFrame:frame];
    if (self) {
        UIBlurEffect *blur = [UIBlurEffect effectWithStyle:UIBlurEffectStyleDark];
        UIVisualEffectView *bg = [[UIVisualEffectView alloc] initWithEffect:blur];
        bg.frame = self.bounds;
        bg.layer.cornerRadius = 12;
        bg.clipsToBounds = YES;
        [self addSubview:bg];
        
        self.layer.borderColor = [UIColor cyanColor].CGColor;
        self.layer.borderWidth = 1.0;
        self.layer.cornerRadius = 12;

        UILabel *lbl = [[UILabel alloc] initWithFrame:CGRectMake(0, 5, frame.size.width, 20)];
        lbl.text = @"Kalipso v9";
        lbl.textColor = [UIColor cyanColor];
        lbl.textAlignment = NSTextAlignmentCenter;
        lbl.font = [UIFont fontWithName:@"Courier-Bold" size:14];
        [self addSubview:lbl];

        self.btnESP = [UIButton buttonWithType:UIButtonTypeCustom];
        self.btnESP.frame = CGRectMake(10, 30, frame.size.width-20, 30);
        [self.btnESP setTitle:@"Visuals: OFF" forState:UIControlStateNormal];
        self.btnESP.backgroundColor = [UIColor colorWithWhite:1.0 alpha:0.1];
        self.btnESP.layer.cornerRadius = 5;
        [self.btnESP addTarget:self action:@selector(_toggleESP) forControlEvents:UIControlEventTouchUpInside];
        [self addSubview:self.btnESP];

        self.btnLines = [UIButton buttonWithType:UIButtonTypeCustom];
        self.btnLines.frame = CGRectMake(10, 65, frame.size.width-20, 30);
        [self.btnLines setTitle:@"Lines: OFF" forState:UIControlStateNormal];
        self.btnLines.backgroundColor = [UIColor colorWithWhite:1.0 alpha:0.1];
        self.btnLines.layer.cornerRadius = 5;
        [self.btnLines addTarget:self action:@selector(_toggleLines) forControlEvents:UIControlEventTouchUpInside];
        [self addSubview:self.btnLines];
        
        self.lblStatus = [[UILabel alloc] initWithFrame:CGRectMake(0, 100, frame.size.width, 15)];
        self.lblStatus.text = @"ABI: Injected Mode";
        self.lblStatus.textColor = [UIColor lightGrayColor];
        self.lblStatus.textAlignment = NSTextAlignmentCenter;
        self.lblStatus.font = [UIFont systemFontOfSize:10];
        [self addSubview:self.lblStatus];
    }
    return self;
}

- (void)_toggleESP { 
    _hacks._espEnabled = !_hacks._espEnabled;
    if (_hacks._espEnabled) {
        if (_unityBase == 0) {
            for (uint32_t i = 0; i < _dyld_image_count(); i++) {
                const char *name = _dyld_get_image_name(i);
                if (name && strstr(name, "UnityFramework")) {
                    _unityBase = (uintptr_t)_dyld_get_image_header(i);
                    break;
                }
            }
            if (_unityBase > 0) {
                // Cast to Injected Signatures
                GetMainCamera = (long(*)())(_unityBase + OFF_CAMERA);
                
                // Note the casting to the void* signature we defined above
                WorldToScreen = (void(*)(void*, struct Vector3*, int, struct Vector3*))(_unityBase + OFF_W2S);
                GetPosition = (void(*)(void*, struct Vector3*))(_unityBase + OFF_POS);
                
                _hacks._offsetsLoaded = YES;
            }
        }
        [self.btnESP setTitle:@"Visuals: ON" forState:UIControlStateNormal];
        self.btnESP.backgroundColor = [UIColor colorWithRed:0.0 green:0.5 blue:0.0 alpha:0.6];
    } else {
        [self.btnESP setTitle:@"Visuals: OFF" forState:UIControlStateNormal];
        self.btnESP.backgroundColor = [UIColor colorWithWhite:1.0 alpha:0.1];
    }
}

- (void)_toggleLines { 
    _hacks._linesEnabled = !_hacks._linesEnabled;
    if (_hacks._linesEnabled) {
        [self.btnLines setTitle:@"Lines: ON" forState:UIControlStateNormal];
        self.btnLines.backgroundColor = [UIColor colorWithRed:0.0 green:0.5 blue:0.0 alpha:0.6];
    } else {
        [self.btnLines setTitle:@"Lines: OFF" forState:UIControlStateNormal];
        self.btnLines.backgroundColor = [UIColor colorWithWhite:1.0 alpha:0.1];
    }
}

- (void)touchesBegan:(NSSet*)t withEvent:(UIEvent*)e { _originPoint = [[t anyObject] locationInView:self.superview]; }
- (void)touchesMoved:(NSSet*)t withEvent:(UIEvent*)e {
    CGPoint p = [[t anyObject] locationInView:self.superview];
    self.center = CGPointMake(self.center.x + (p.x - _originPoint.x), self.center.y + (p.y - _originPoint.y));
    _originPoint = p;
}
@end

// --- ENTRY POINT ---
static UIInputContextManager *_sharedMenu;
@interface UIInternalEventBridge : NSObject
+ (void)_toggleMenu;
@end
@implementation UIInternalEventBridge
+ (void)_toggleMenu { _sharedMenu.hidden = !_sharedMenu.hidden; }
@end

%ctor {
    dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(5 * NSEC_PER_SEC)), dispatch_get_main_queue(), ^{
        UIWindow *_targetWin = [UIApplication sharedApplication].keyWindow;
        if (!_targetWin) return;

        UISystemInternalBase *_shield = [[UISystemInternalBase alloc] initWithFrame:_targetWin.bounds];
        _shield.userInteractionEnabled = NO;
        [_targetWin addSubview:_shield];

        CAAnimationGroupProxy *_renderObj = [[CAAnimationGroupProxy alloc] initWithFrame:_targetWin.bounds];
        _renderObj.backgroundColor = [UIColor clearColor];
        _renderObj.userInteractionEnabled = NO; 
        [_shield _registerSub_overlay:_renderObj];

        _sharedMenu = [[UIInputContextManager alloc] initWithFrame:CGRectMake(50, 50, 160, 120)];
        _sharedMenu.hidden = YES;
        [_targetWin addSubview:_sharedMenu];

        UITapGestureRecognizer *tap = [[UITapGestureRecognizer alloc] initWithTarget:[UIInternalEventBridge class] action:@selector(_toggleMenu)];
        tap.numberOfTouchesRequired = 3;
        [_targetWin addGestureRecognizer:tap];

        [NSTimer scheduledTimerWithTimeInterval:0.016 repeats:YES block:^(NSTimer *t){ [_renderObj setNeedsDisplay]; }];
        
        UIAlertController *alert = [UIAlertController alertControllerWithTitle:@"Kalipso v9" message:@"Injected ABI Enabled.\nDrawing Activated." preferredStyle:UIAlertControllerStyleAlert];
        [alert addAction:[UIAlertAction actionWithTitle:@"GO" style:UIAlertActionStyleDefault handler:nil]];
        [_targetWin.rootViewController presentViewController:alert animated:YES completion:nil];
    });
}