Help/Support Jailbreak Anti-cheat system bypass

DrBonsai · December 3, 2015

Hi, I am trying to bypass the jailbreak detection of battlecats.

FLEX2, TsProtector, Xcom, and more: ==> I have tryed and nothing work in ios 8.1.2 with this game.

So I am trying to patch it with ida And an hex editor because is the only way to find the way it works from the inside.

For the booblean functions i got help, but now I have a bigger problem I think. When the aplication is not modded it display a message like: Unauthoriced (A) activity has been detected. With the mod I have done, this don´t happend. But the app keeps stopping on the boot. There are 3 more functions related with jailbreak detection on the code:

[MAT Utils checkJailBreak] Boolean (Patched)
[GAD Device isJailbroken] Boolean (Patched)
[MAT Settings jailbroken] Id (¿?)

; id __cdecl -[MATSettings jailbroken](struct MATSettings *self, SEL)
__MATSettings_jailbroken_               ; DATA XREF: __objc_const:0000000100776768o
                 MOV             W3, #0
                 ADRP            X8, #_OBJC_IVAR_$_MATSettings._jailbroken@PAGE ; NSNumber *_jailbroken;
                 LDRSW           X2, [X8,#_OBJC_IVAR_$_MATSettings._jailbroken@PAGEOFF] ; NSNumber *_jailbroken;
                B               _objc_getProperty
; End of function -[MATSettings jailbroken]

[MAT Settings setJailbroken] Id (¿?)

 ; MATSettings - (void)setJailbroken:(id)

 ; void __cdecl -[MATSettings setJailbroken:](struct MATSettings *self, SEL, id)
 __MATSettings_setJailbroken__           ; DATA XREF: __objc_const:0000000100776270o
                 MOV             X8, X2
                 ADRP            X9, #_OBJC_IVAR_$_MATSettings._jailbroken@PAGE ; NSNumber *_jailbroken;
                 LDRSW           X2, [X9,#_OBJC_IVAR_$_MATSettings._jailbroken@PAGEOFF] ; NSNumber *_jailbroken;
                 MOV             W5, #1
                 MOV             X3, X8
                 MOV             W4, #0
                 B               _objc_setProperty
 ; End of function -[MATSettings setJailbroken:]

[MobileAppTracker setJailbroken] Boolean (Patched)
[MobileAppTracker setShouldAutoDetectJailbroken] Boolean (Patched)
[MATTracker setShouldDetectJailbroken] Boolean (¿?¿?¿?¿)

http://pastebin.com/A9aNR5A2

What should I do now? I am thinking on copy the BL in the end of the 2 Id functions.
But the other one is a mess for me. I can´t understand what is doing.

If anyone need the binary or something to examine it ask me in a PM.

This is my first ios work, so I am completely noob here. I need help please.

Thanks for your time.

Updated December 5, 2015 by DrBonsai

smokey · December 3, 2015

Hi, I am trying to bypass the jailbreak detection of battlecats.

For the booblean functions i got help, but now I have a bigger problem I think. When the aplication is not modded it display a message like: Unauthoriced (A) activity has been detected. With the mod I have done, this don´t happend. But the app keeps stopping on the boot. There are 3 more functions related with jailbreak detection on the code:

[MAT Utils checkJailBreak] Boolean (Patched)[GAD Device isJailbroken] Boolean (Patched)[MAT Settings jailbroken] Id (¿?)
; id __cdecl -[MATSettings jailbroken](struct MATSettings *self, SEL)
__MATSettings_jailbroken_               ; DATA XREF: __objc_const:0000000100776768o
                 MOV             W3, #0
                 ADRP            X8, #_OBJC_IVAR_$_MATSettings._jailbroken@PAGE ; NSNumber *_jailbroken;
                 LDRSW           X2, [X8,#_OBJC_IVAR_$_MATSettings._jailbroken@PAGEOFF] ; NSNumber *_jailbroken;
                B               _objc_getProperty
; End of function -[MATSettings jailbroken]  
[MAT Settings setJailbroken] Id (¿?)
; MATSettings - (void)setJailbroken:(id)

 ; void __cdecl -[MATSettings setJailbroken:](struct MATSettings *self, SEL, id)
 __MATSettings_setJailbroken__           ; DATA XREF: __objc_const:0000000100776270o
                 MOV             X8, X2
                 ADRP            X9, #_OBJC_IVAR_$_MATSettings._jailbroken@PAGE ; NSNumber *_jailbroken;
                 LDRSW           X2, [X9,#_OBJC_IVAR_$_MATSettings._jailbroken@PAGEOFF] ; NSNumber *_jailbroken;
                 MOV             W5, #1
                 MOV             X3, X8
                 MOV             W4, #0
                 B               _objc_setProperty
 ; End of function -[MATSettings setJailbroken:] 
[MobileAppTracker setJailbroken] Boolean (Patched)[MobileAppTracker setShouldAutoDetectJailbroken] Boolean (Patched)[MATTracker setShouldDetectJailbroken] Boolean (¿?¿?¿?¿)

http://pastebin.com/A9aNR5A2

What should I do now? I am thinking on copy the BL in the end of the 2 Id functions.

But the other one is a mess for me. I can´t understand what is doing.

So what is it exactly that you need help with?

DrBonsai · December 3, 2015

I want to bypass the jailbreak detection . So I need to know what are this functions doing and what modification should i make them.

SoloTurk · December 3, 2015

; DATA XREF: __objc_const:000000010077F5E80

stub_helper:00000001003D7E9C LDR W16, =0x877

Fix this line first

Updated December 3, 2015 by SoloTurk

DrBonsai · December 3, 2015

; DATA XREF: __objc_const:000000010077F5E80

stub_helper:00000001003D7E9C LDR W16, =0x877

Edit this line first

What is this line doing? What is loading?

SoloTurk · December 3, 2015

What is this line doing? What is loading?

Send me pm i help you out

Updated December 3, 2015 by SoloTurk

CmakLove · December 3, 2015

Use flex 2.

DrBonsai · December 3, 2015

Use flex 2.

I have made this. Is necesary to edit it with iDA. With flex it simply not work at all.

http://iosgods.com/topic/20498-request-the-battle-cats-330-jailbreak-bypass/

Updated December 3, 2015 by DrBonsai

Diversityy · December 4, 2015

I have made this. Is necesary to edit it with iDA. With flex it simply not work at all.

http://iosgods.com/topic/20498-request-the-battle-cats-330-jailbreak-bypass/

Go to the first offset of the function then, just MOV R0, #0 BXLR it. In HEX, it is 00207047.