TuT [Tutorial] Hacking with MSHook

Goggwell · October 20, 2014

Hey guys, I wanted to share my information of MSHook with you so that you can hack many other games that cannot be hacked with Save or MS.

Requirements:

- IDA (preferably a version that is relatively new)

- Theos

- SDK (this is different depending on your iOS)

- MobileTerminal

Steps:

1. Create a new project on your iPhone/iPad (the project is a tweak; if you don't know how to do this step, please refer to http://iosgods.com/topic/831-tutorial-how-to-hack-using-mobile-substrate-method-hooking/

DO NOT CLOSE MOBILETERMINAL! We will need this in a later step

2. Open iFile, locate your Tweak.xm and open it. Now add these lines to the beginning of your code:

#import <CoreFoundation/CoreFoundation.h>
#import <substrate.h>
#import <Foundation/Foundation.h>

After that, you can either add this code:

__attribute__((constructor)) void DylibMain(){ }

or this code:

%ctor{ }

After doing that, add this code between the curly brackets (make sure that the first curly bracket is below your first code, the code below under the first bracket, and the last curly bracket under the code below) :

MSHookFunction((( *)MSFindSymbol(NULL, "")),( *)$,( **)&old );

Here is the code altogether:

#import <CoreFoundation/CoreFoundation.h>
#import <substrate.h>
#import <Foundation/Foundation.h>

__attribute__((constructor)) void DylibMain()
{
MSHookFunction((( *)MSFindSymbol(NULL, "")),( *)$,( **)&old );
}

Don't worry if this is confusing, this will all be explained later.

3. Open IDA and use the binary of the game that you want to hack (I will be using MinecraftPE). Make sure the binary is cracked. We do not want to deal with a regular binary.

Now what we do now is search for the function we want to hack. If you're used to MS, the function would normally look like -(int)coins or something like that. Here it's different.

As you can see, there are many functions that look like Textures:: or __ZNSt3 and stuff.

What we want is something like Health or Instant Kill. So search for Player::

To search, press ALT + T (make sure you click on the functions part first)

Sometimes, when we search that function, the things that we are looking for aren't there, so we need to extend the search from Player:: to something else. Try searching for something like Player::is or Player::get

Once you have found the function you want, double click on it.

(NOTE: the function doesn't have to start with Player::get, it can be Player::hurt or something else)

You should be brought to a different page on the other part of the IDA screen. Find the symbolic name of the function, which normally starts with __Z

Now, the symbolic name we just found will be your SymbolicFunction, which is __ZN6Player4hurtEP6Entityi in our case.

Go back to the Tweak.xm and locate the line with the word MSHookFunction in it.

Replace that code with this:

MSHookFunction(((type of function*)MSFindSymbol(NULL, "yourSymbolicFunction")),(type of function*)$yourSymbolicFunction,(return type of function**)&oldyourSymbolicFunction );

Which in our case looks like this:

MSHookFunction(((int*)MSFindSymbol(NULL, "__ZN6Player4hurtEP6Entityi")),(int*)$__ZN6Player4hurtEP6Entityi,(int**)&old__ZN6Player4hurtEP6Entityi);

If you can't find the type of function, just deduce what it is if the type is not given to you in the function itself:

- BOOL types are normally found in functions that have Can in it. For example, "CanDie"

- INT types are found in functions that have Get in it or simply the term, like "getWalkingSpeedModifier" or "getArmorValue"

- VOID types are found everywhere. But you can simply change it to an INT or BOOL just by reading what the term says. If a void is found in something like "Player::isInWall" then you can just change it to a BOOL because it is a True or False function.

4. Add this code to the beginning of the Tweak.xm, just below the #import lines:

type of function (*oldyourSymbolicFunction)();

Which is this (as explained earlier) :

int (*old__ZN6Player4hurtEP6Entityi)();

Then add this after the code we just wrote earlier:

type of function $yourSymbolicFunction()
{ 
   return //whatever you want;
}

Which is:

int $__ZN6Player4hurtEP6Entityi()
{ 
   return 999999;
}

There is also a complex code which can replace the code above if you want, but I'd rather you stick to the code above. The complex code looks something like this:

int $__ZN6Player4hurtEP6Entityi()
{
  if(ida_hack2)
               {
                 return 999999;
               }
     else
               {
                 return old__ZN6Player4hurtEP6Entityi();
               }
}

5. If you wish, you can add a UIAlertView to test if the hack is working. If it is, the UIAlertView popup will appear on your game.

Just find the AppDelegate in Flex (normally applicationDidBecomeActive or applicationDidFinishLaunching) and use this code (replace the parts necessary) :

%hook APPDELEGATE
- (void)applicationDidBecomeActive:(id)fp8
{
%orig();
UIAlertView *alert = [[UIAlertView alloc]initWithTitle:@"Hack Works" message:@"Hack working. Please thank Goggwell, because he is awesome XD" 
delegate:nil cancelButtonTitle:@"+1 BRAH!" otherButtonTitles:nil];
[alert show];
[alert release];
}
%end

Make sure to add this code in your Makefile underneath "NameOfProject_FILES = Tweak.xm"

NameOfProject_FRAMEWORKS = UIKit

Just compile your project after saving your project and install the hack. Run the game and see if your hack works

NOTE: Some games will crash if there is a UIAlertView. So just make the hack without a popup if you can.

Here is the binary used: https://www.dropbox.com/s/bne9uou9agphp9g/minecraftpe.zip?dl=0

Have a great day!

Tokyo_Ghoul · October 20, 2014

nice tut

AnotherLurker · October 21, 2014

um.... what about parameters????

U know whut? I'm making my own tutorial

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)
[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

Goggwell · October 21, 2014

um.... what about parameters????

U know whut? I'm making my own tutorial

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)

[TUT][EASY]Intro to MSHook Hacking (Noob Friendly!)