Help/Support Code Injection doesn't work, except credit popup.

[Ted2 39.1k iPhone 13 Pro 16.0 Donor]

Heyyy it's me again.. 

I used this tutorial also: https://www.dropbox.com/s/y3rcskg8uigt5lm/IDA PRO Code Inject Tutorial.pdf?dl=0

 

 

I'm kind of practicing to work with IDA on Pou,

So I figured out how to hack some functions by editing the binary using a hex editor.

 

Now I wanted to try to make a code injection tweak out of it.

 

The function is:

; Coins - (int)have
__text:0003EBD4 ; Attributes: bp-based frame
__text:0003EBD4
__text:0003EBD4 ; int __cdecl -[Coins have](struct Coins *self, SEL)
__text:0003EBD4 __Coins_have_                           ; DATA XREF: __objc_const:0045C890o
__text:0003EBD4                 PUSH            {R4-R7,LR}
__text:0003EBD6                 ADD             R7, SP, #0xC
__text:0003EBD8                 MOV             R4, R0
__text:0003EBDA                 MOV             R0, #(_OBJC_IVAR_$_Coins.given - 0x3EBEA) ; int given;
__text:0003EBE2                 MOVW            R1, #:lower16:(selRef_collected - 0x3EBF0)

 

well the function is longer, but in the hex editor I changed 

 ; Coins - (int)have
__text:0003EBD4 ; Attributes: bp-based frame
__text:0003EBD4
__text:0003EBD4 ; int __cdecl -[Coins have](struct Coins *self, SEL)
__text:0003EBD4 __Coins_have_                           ; DATA XREF: __objc_const:0045C890o
__text:0003EBD4                 PUSH            {R4-R7,LR}
__text:0003EBD6                 ADD             R7, SP, #0xC

TO:
 ; Coins - (int)have
__text:0003EBD4 ; Attributes: bp-based frame
__text:0003EBD4
__text:0003EBD4 ; int __cdecl -[Coins have](struct Coins *self, SEL)
__text:0003EBD4 __Coins_have_                           ; DATA XREF: __objc_const:0045C890o
__text:0003EBD4                 MOV            R0,R7
__text:0003EBD6                 BX LR

 

This worked.

 

So the HEX Offsets I need are

0003ebd4 & 0003ebd6

Right?

 

So what I did in my tweak.xm was:

 

%ctor {
	if(GetPrefBool(@"key1")) {
		writeData(0x3ebd4, 0x38467047);
		writeData(0x3ebd6, 0x7047);
	} else {
}

 

It had no effect, however I got the credit popup which is automaticly added in the tweak.xm

 

So after that I tried this, which didn't make sense to me since the BX LR had another hex adress

 

%ctor {
	if(GetPrefBool(@"key1")) {
		writeData(0x3ebd4, 0x38467047);
	} else {
}

}

 

but this didn't work either..

 

It doesn't make any sense I try this on Pou, since this can be hooked too,

but for me it's just practicing & playing around lol

 

Someone knows what the problem can be?

Am I doing something wrong?

 

Thankyou in advance!

Updated May 4, 2017 by Ted2

[Rook 561.7k iPad Pro (2nd gen) 17.4 Donor]

Seems like you only hacked armv7 and likely didn't think your binary.

If the Pou binary has both armv7 & arm64, you'll likely need to integrate armv7 binary into your deb so it automatically thins it. 

According to your profile fields, your iPhone 6s is loading the arm64 portion. But you only hacked armv7 portion so that's why you need to thin it.

[Ted2 39.1k iPhone 13 Pro 16.0 Donor]

2 minutes ago, DiDA said:

Seems like you only hacked armv7 and likely didn't think your binary.

If the Pou binary has both armv7 & arm64, you'll likely need to integrate armv7 binary into your deb so it automatically thins it. 

According to your profile fields, your iPhone 6s is loading the arm64 portion. But you only hacked armv7 portion so that's why you need to thin it.

I did thin the binary to armv7 using shmoo's tutorial about 'How to perform a Binary patch'  

 

edit: you're right.. I redownloaded because otherwise it would've loaded my hacks still into it. Sh*t man, lol sorry.. I feel so stupidd

My bad & thankyou for helping

Updated May 4, 2017 by Ted2
im stupid xd

[Ted2 39.1k iPhone 13 Pro 16.0 Donor]

7 minutes ago, DiDA said:

Seems like you only hacked armv7 and likely didn't think your binary.

If the Pou binary has both armv7 & arm64, you'll likely need to integrate armv7 binary into your deb so it automatically thins it. 

According to your profile fields, your iPhone 6s is loading the arm64 portion. But you only hacked armv7 portion so that's why you need to thin it.

ehmm, it still doesn't work.. I've defenitly thinned it this time

[Rook 561.7k iPad Pro (2nd gen) 17.4 Donor]

1 minute ago, Ted2 said:

ehmm, it still doesn't work.. I've defenitly thinned it this time

Did you enable the switch with key 'key1'?

Also, use 381c7047

[Ted2 39.1k iPhone 13 Pro 16.0 Donor]

1 minute ago, DiDA said:

Did you enable the switch with key 'key1'?

Also, use 381c7047

Lol I feel so stupid sometimes.. It was switched off -.-

Works now.

 

Why 381c7047 though?

[Rook 561.7k iPad Pro (2nd gen) 17.4 Donor]

8 minutes ago, Ted2 said:

Lol I feel so stupid sometimes.. It was switched off -.-

Works now.

 

Why 381c7047 though?

Nevermind, 38467047 is the same

[Ted2 39.1k iPhone 13 Pro 16.0 Donor]

2 minutes ago, DiDA said:

Nevermind, 38467047 is the same

haha alright, thanks DiDa, you're my hero

[CorruptedHxR 100 iPhone 6 9.0.2]

4 hours ago, Ted2 said:

haha alright, thanks DiDa, you're my hero

Already hacked: 

 

[Ted2 39.1k iPhone 13 Pro 16.0 Donor]

1 minute ago, CorruptedHxR said:

Already hacked: 

 

Iknow, I wrote in my post I'm just practicing.