Tutorial Hooking functions from IDA into Mobile Substrate

Infamous-Ash · December 14, 2016

Requirements:

-Theos

-iPhone SDK

-IDA

-an iDevice

So, enough speaking and lets start explaining:

Before starting, let me say that its better if you follow the guid on your computer and ssh to your device rather than using ifile.

Step 1.

You should first create a new project as so:

su

alpine

$THEOS/bin/nic.pl

If you changed your root pass, change alpine to it.

Then type 5 for Tweaks or 6 if you added Iosgods patcher template.

and type in the info you want until you reach the filter bundle question; there you type in your game's bundle "com.GAMECOMPANY.GAME" which is usually found in:

"/var/mobile/Applications/"Game's Number"/Game.app/info.plist"

Step 2.

Important Note: Please Don't Close The MobileTerminal/Putty/etc... We Will Use It Later

Open the Tweak.xm file and make sure that the following imports are used (if some aren't, add them):

[list=1][*][b]#import <CoreFoundation/CoreFoundation.h>[/b] [*][b]#import <substrate.h>[/b] (just in case) [*][b]#import <Foundation/Foundation.h>[/b](just in case as well) [/list]

Now, at the bottom of your code, either add:

__attribute__((constructor)) void DylibMain(){ }

Or

%ctor{ }

Inside either one of those two, add this:

MSHookFunction((( *)MSFindSymbol(NULL, "")),( *)$,( **)&old );

this code is missing vital parts that you will add in later

Don't worry if that confuses you, it will be explained

MSHookFunction: This is part of Mobile Substrate that allows you to hook many functions that you can see in IDA (sort of like %hook)

MSFindSymbol: This allows your tweak to find the function you want to edit

Step 3:

Open the game binary you want in IDA; in this tutorial, we'll be using the TempleRun binary which will be provided in the "Links" part.

Search the function you want to hack (press alt+t)... In this case we will search "hasAngel".

Then double click on "hasAngelWings".

Then copy and paste the function's symbolic name... In this case its "__ZNK7cPlayer13hasAngelWingsEv"

From here later, __ZNK7cPlayer13hasAngelWingsEv will be named as yourSymbolicFunction

Go back to Tweaks.xm and change

MSHookFunction((( *)MSFindSymbol(NULL, "")),( *)$,( **)&old );

With this:

MSHookFunction(((return type of function*)MSFindSymbol(NULL, "yourSymbolicFunction")),(return type of function*)$yourSymbolicFunction,(return type of function**)&oldyourSymbolicFunction );

In our case, it looks like so:

MSHookFunction(((bool*)MSFindSymbol(NULL, "__ZNK7cPlayer13hasAngelWingsEv")),(bool*)$__ZNK7cPlayer13hasAngelWingsEv,(bool**)&old__ZNK7cPlayer13hasAngelWingsEv);

To find out the return type of the function you have to look at what it's called and decide for yourself

if it is called something like "CanShoot" then it is probably a bool because you either can shoot or you can't

if it is called something like "GetMoney" then it is probably an int because it is getting your money value

if it is called something like "DoLevelUp" then it is probably a void bacuase it is "doing" something (this probably has an int argument though

like "Player::DoLevelUp(int)" where the int is either your new level or what gets added to your current level

Step 4:

Add the following code to the beginning of the Tweak.xm file:

return type of function (*oldyourSymbolicFunction)();

In our case it looks like this:

bool (*old__ZNK7cPlayer13hasAngelWingsEv)();

Then, add this after the statement we wrote earlier and before the dylib part:

return type of function $yourSymbolicFunction(){//Hack code you want.}

In our case, we want to have unlimited wings, so this is what we write:

bool $__ZNK7cPlayer13hasAngelWingsEv(){    return true;}

Info: the above code can be very complex like so:

bool $__ZNK7cPlayer13hasAngelWingsEv(){ if(ida_hack2) {    return true; } else {    return old__ZNK7cPlayer13hasAngelWingsEv(); }}

or even more, but make sure you usually write the hack in c++ though

.

Part 5: Testing

Before continuing, please find your game's MainDelegate (which contains a function such as "applicationDidBecomeActive") if you want to add a UIAlertView.

From now on, this header file, will be named "APPDELEGATE".

A good thing to do is to add an alert view telling you the hack is activated. If it appears, the hack is working, else its not.

So add this code under all the other code you've got:

%hook APPDELEGATE- (void)applicationDidBecomeActive:(id)fp8{%orig();UIAlertView *alert = [[UIAlertView alloc]initWithTitle:@"Hack is Working" message:@"Hack Successfully Attached. This hack was made By Infamous-Ash" delegate:nil cancelButtonTitle:@"Cool" otherButtonTitles:nil];[alert show];[alert release];}%end

If you add the code above, be sure to add this code in your Makefile under "TempleRunHackTut_FILES = Tweak.xm":

TempleRunHackTut_FRAMEWORKS = UIKit

To test the hack save your tweak.xm in your project folder and type "make package" to compile. This not only makes your dylib but also puts it in a deb for you.

Then, just install and run the game.

VERY IMPORTANT NOTE:

There are some games that can't run UIAlertViews so they cause the game to crash. Such games are like Bejeweled. So, the problem isn't in the code, but rather in the game.

Credit:

Alsafa7 and Kamizoom