TuT [Tutorial] Hacking with MSHook

[Goggwell 17.8k iPod Touch 1.0.0]

Hey guys, I wanted to share my information of MSHook with you so that you can hack many other games that cannot be hacked with Save or MS.

 

 

Requirements:

 

- IDA (preferably a version that is relatively new)

- Theos

- SDK (this is different depending on your iOS)

- MobileTerminal

 

 

 

 

Steps:

1. Create a new project on your iPhone/iPad (the project is a tweak; if you don't know how to do this step, please refer to http://iosgods.com/topic/831-tutorial-how-to-hack-using-mobile-substrate-method-hooking/

 

DO NOT CLOSE MOBILETERMINAL! We will need this in a later step

 

2. Open iFile, locate your Tweak.xm and open it. Now add these lines to the beginning of your code:

#import <CoreFoundation/CoreFoundation.h>
#import <substrate.h>
#import <Foundation/Foundation.h>

After that, you can either add this code:

__attribute__((constructor)) void DylibMain(){ }

or this code:

%ctor{ }

After doing that, add this code between the curly brackets (make sure that the first curly bracket is below your first code, the code below under the first bracket, and the last curly bracket under the code below) :

MSHookFunction((( *)MSFindSymbol(NULL, "")),( *)$,( **)&old );

Here is the code altogether:

#import <CoreFoundation/CoreFoundation.h>
#import <substrate.h>
#import <Foundation/Foundation.h>

__attribute__((constructor)) void DylibMain()
{
MSHookFunction((( *)MSFindSymbol(NULL, "")),( *)$,( **)&old );
}

Don't worry if this is confusing, this will all be explained later.

 

3. Open IDA and use the binary of the game that you want to hack (I will be using MinecraftPE). Make sure the binary is cracked. We do not want to deal with a regular binary.

 

 

Now what we do now is search for the function we want to hack. If you're used to MS, the function would normally look like -(int)coins or something like that. Here it's different.

As you can see, there are many functions that look like Textures:: or __ZNSt3 and stuff.

 

What we want is something like Health or Instant Kill. So search for Player::

 

To search, press ALT + T (make sure you click on the functions part first)

 

Sometimes, when we search that function, the things that we are looking for aren't there, so we need to extend the search from Player:: to something else. Try searching for something like Player::is or Player::get

 

 

Once you have found the function you want, double click on it.

(NOTE: the function doesn't have to start with Player::get, it can be Player::hurt or something else)

 

 

You should be brought to a different page on the other part of the IDA screen. Find the symbolic name of the function, which normally starts with __Z

 

 

Now, the symbolic name we just found will be your SymbolicFunction, which is __ZN6Player4hurtEP6Entityi in our case.

Go back to the Tweak.xm and locate the line with the word MSHookFunction in it. 

Replace that code with this:

MSHookFunction(((type of function*)MSFindSymbol(NULL, "yourSymbolicFunction")),(type of function*)$yourSymbolicFunction,(return type of function**)&oldyourSymbolicFunction );

Which in our case looks like this:

MSHookFunction(((int*)MSFindSymbol(NULL, "__ZN6Player4hurtEP6Entityi")),(int*)$__ZN6Player4hurtEP6Entityi,(int**)&old__ZN6Player4hurtEP6Entityi);

If you can't find the type of function, just deduce what it is if the type is not given to you in the function itself:

 

- BOOL types are normally found in functions that have Can in it. For example, "CanDie"

- INT types are found in functions that have Get in it or simply the term, like "getWalkingSpeedModifier" or "getArmorValue"

- VOID types are found everywhere. But you can simply change it to an INT or BOOL just by reading what the term says. If a void is found in something like "Player::isInWall" then you can just change it to a BOOL because it is a True or False function.

 

4. Add this code to the beginning of the Tweak.xm, just below the #import lines:

type of function (*oldyourSymbolicFunction)();

Which is this (as explained earlier) :

int (*old__ZN6Player4hurtEP6Entityi)();

Then add this after the code we just wrote earlier:

type of function $yourSymbolicFunction()
{ 
   return //whatever you want;
}

Which is:

int $__ZN6Player4hurtEP6Entityi()
{ 
   return 999999;
}

There is also a complex code which can replace the code above if you want, but I'd rather you stick to the code above. The complex code looks something like this:

int $__ZN6Player4hurtEP6Entityi()
{
  if(ida_hack2)
               {
                 return 999999;
               }
     else
               {
                 return old__ZN6Player4hurtEP6Entityi();
               }
}

5. If you wish, you can add a UIAlertView to test if the hack is working. If it is, the UIAlertView popup will appear on your game.

 

Just find the AppDelegate in Flex (normally applicationDidBecomeActive or applicationDidFinishLaunching) and use this code (replace the parts necessary) :

%hook APPDELEGATE
- (void)applicationDidBecomeActive:(id)fp8
{
%orig();
UIAlertView *alert = [[UIAlertView alloc]initWithTitle:@"Hack Works" message:@"Hack working. Please thank Goggwell, because he is awesome XD" 
delegate:nil cancelButtonTitle:@"+1 BRAH!" otherButtonTitles:nil];
[alert show];
[alert release];
}
%end

Make sure to add this code in your Makefile underneath "NameOfProject_FILES = Tweak.xm"

NameOfProject_FRAMEWORKS = UIKit

Just compile your project after saving your project and install the hack. Run the game and see if your hack works

 

NOTE: Some games will crash if there is a UIAlertView. So just make the hack without a popup if you can.

 

 

Here is the binary used: https://www.dropbox.com/s/bne9uou9agphp9g/minecraftpe.zip?dl=0

 

Have a great day!

 

 

[Tokyo_Ghoul 2.1k 8 7.1.2]

nice tut

[AnotherLurker 1.5k]

um.... what about parameters????
 
 
U know whut? I'm making my own tutorial
 
[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

 

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)
[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

[Goggwell 17.8k iPod Touch 1.0.0]

um.... what about parameters????

 

 

U know whut? I'm making my own tutorial

 

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

 

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

 

That's all I got from the ones I've studied up on. I'll add parameters if I can find where they are

[Yasir_Gh0st 2.3k 26 9.0.2]

Thanks for helping

[Ted2 39.2k iPhone 13 Pro 16.0 Donor]

great tut bud 

[Gen3ral C 676 iPhone 7 11.3.1]

nice one

[Gen3ral C 676 iPhone 7 11.3.1]

i have a question, if i have the project finished, is compiling it just turing it into a zip file and then use i unarchiver from ifile?

[Red16 5.2k iPhone 13 Pro Max 15.2]

A little hard to understand but I now have more knowledge good tut

[ic0 1 iPhone 8 Plus 12.3]

Njjh