Help/Support Something wrong with offset or ?

ada1016 · May 16, 2017

So, I like so start with thanks @arthurdapaz and @shmoo for the detail TuT on how to start Cydia Substrate journey

I am now able to build deb, get it running and get the UI, the next step is of course, try on real game.

For a game I am trying to start, I know what I want to change at HeX editor, and noticed there seems to be some pre-fix there so the actual offset at binary should minus 0x4000

__text:0094083C _Equipment_get_Attack_m171674799 ; CODE XREF: _AutoEquipLogic_GetAutoEquip_m241924269+3C6�p
__text:0094083C ; _AutoEquipLogic_GetAutoEquip_m241924269+3DC�p ...
__text:0094083C 00 6C LDR R0, [R0,#0x40]
__text:0094083E 70 47 BX LR
__text:0094083E ; End of function _Equipment_get_Attack_m171674799

The offset on IDA appeared as 0094083C but the actual offset at HxD is 0x93C83C, and I tried to change it to 58 46.

On @arthurdapaz's template, I write it like this

    NSDictionary *hacks =
    @{
        @"k01BasicSwitcher":@{
            @"offsets": @[@"0x93C83C"],
            @"orig":    @[@"0x006C"],
            @"patched": @[@"0x5846"],
            @"desc": @"God Power",
            @"label": @"God Power"
            },

    };

The result is game crash..

Can I get some love and please let me know where went wrong?

The original Tweak.xm attached.

#import <APMenu.h>
#import <CoreFoundation/CoreFoundation.h>
#import <substrate.h>
#import <Foundation/Foundation.h>

/*
// 
// You can use: [mm getFloat:@"SOME HACK KEY"];
// You can use: [mm getBool:@"SOME HACK KEY"];
// 
// For customizing the hack inside your hooks
// see an example below:
// 
// EXAMPLE OF HOOK FUNCTIONS
// THAT GETS THE VALUE DEFINED
// OF AN INTERFACE "KEY" ELEMENT
   

float (*orig_func)(void *self);

float new_func(void *self)
{
    float newValue = [mm getFloat:@"aSliderKey"];
    if (newValue)
        return newValue;
    else
        return orig_func(self);
}

*/


%ctor
{
    // the mod menu core
    mm = [APMenu sharedInstance];

    // a writeData.h rewritten to my APMenu
    mp = [MemoryPatcher sharedInstance];

    NSDictionary *hacks =
    @{
        @"k01BasicSwitcher":@{
            @"offsets": @[@"0x0093C83C"],
            @"orig":    @[@"0x006C"],
            @"patched": @[@"0x5846"],
            @"desc": @"God Power",
            @"label": @"God Power"
            },

    };


    // HERE IS WHERE ALL THE FUN BEGINS :)
    [mm init:hacks
                openAfter: 1                                                                          // seconds (I like to use average game loading time)               (OBLIGATORY)
                    width: 260                                                                        // width in pixels                                                 (OBLIGATORY)
        maxVisibleToggles: 5                                                                          // only shows N first hacks, the others needs to be scrolled       (OBLIGATORY)
                    theme: rgb(0xbef7d9)                                                              // the main color for you hack menu (you can use any color :)      (OBLIGATORY)
                    title: @"MY VALANTFORCE GAME HACK"                                                            // your hack titlebar text upper case is better :) (OBLIGATORY)
                    credits: @"Hack by ada1016. Thanks to DiDA n' shmoo for inspiration <3"     // pretty self explicative, no? (Leave @"" for empty)
                    creditsURL: nil                                                                        // a URL for the user to visit on credits menu screen @"http://www.myblog.com" or simple: nil

                // CHOOSE YOUR INTERFACE TOGGLE GESTURE
                // APGestureTwoFingerTap
                // APGestureThreeFingerTap
                // APGestureFourFingerTap
                // APGestureTwoFingerSwipeUp
                // APGestureTwoFingerSwipeDown
                // APGestureTwoFingerSwipeLeft
                // APGestureTwoFingerSwipeRight
                // APGestureThreeFingerSwipeUp
                // APGestureThreeFingerSwipeDown
                // APGestureThreeFingerSwipeLeft
                // APGestureThreeFingerSwipeRight
                  gesture: APGestureThreeFingerTap
            onFirstLaunch:^{

            // this method listens to Mod Menu controller changes
            // and gets it's values according to the type of
            // UIControl you are dealing with
            // if you don't need this, just comment or remove these lines
            [mm listenChanges:^(id sender)
            {
                if ([mm ismodtext:sender])
                {
                    UIKeyTextField *textField = (UIKeyTextField*) sender;
                    NSString *key             = textField.featureKey;
                    float value               = textField.text.floatValue;

                    NSLog(@"Value of modtext %@: %f", key, value);
                }
                if ([mm ismodslider:sender])
                {
                    UIKeySlider *slider = (UIKeySlider*) sender;
                    NSString *key       = slider.featureKey;
                    float value         = slider.value;

                    NSLog(@"Value of modslider %@: %f", key, value);

                    /* SIMPLE EXAMPLE OF USING THIS
                        switch (value)
                        {
                            case 1:
                                [mp write:0xbadf00d data:0xf33dbac];
                            break;

                            case 2:
                                [mp write:0xbadf00d data:0xf33dbac];
                            break;

                            ...
                        }
                    */
                }
                if ([mm ismodswitcher:sender])
                {
                    UIViewSwitcher *switcher = (UIViewSwitcher*) sender;
                    NSString *key            = switcher.featureKey;
                    BOOL value               = switcher.isOn;

                    NSLog(@"Value of modslider %@: %d", key, value);
                }
            }];


        /* DO SOMETHING AFTER HACK INTERFACE LAUNCH 
        designed for customized hooks or you can popup an alert to warn the user
        that hack is already active and maybe send an UIAlertControl informing Gesture you have used
        

        ******** THIS IS HOW TO HOOK
        ******** (if you need hooking some internal function):
        ********
        ******** MSHookFunction((void*)[mp calculateAddress:0xb4df00d], (void*)new_func, (void**)&orig_func);
        ********
        ******** Please, notice that new_func and orig_func are declared at
        ******** the top of the file (before %ctor)

        */

        NSLog(@"Initialized");
    }];
}

Rook · May 16, 2017

You're supposed to use 94083C and not the HEX editor offset.

So, +0x4000

arthurdapaz · May 16, 2017

~~Firsts things first:~~

1) Crack the binary
2) Remove the ASLR protection

~~Doing that you're dealing with "real" offsets instead of shifted ones.~~

~~It crashes because you patching some offset with some unaccepted or not contextualized ARM instruction. You need understand assembler basics to avoid this crashes on researching for hacks!~~

~~Use GDB / GamePlayer / GameGem / iGameGuardian for start, and you will get some real offsets to play with~~

__text:0094083C _Equipment_get_Attack_m171674799 ; CODE XREF: _AutoEquipLogic_GetAutoEquip_m241924269+3C6�p

PRO TIP: you don't need to use OFFSETS if it's an Objective C exposed function. You can hook it directly:

MSHookFunction(MSFindSymbol(NULL,"_Equipment_get_Attack_m171674799"), (void*)new_func, (void**)&orig_func);

Now, if you only want to patch this function, work with the offset IDA shows you (it's already shifted +0x4000, it is a default shifting for iOS apps mostly)

ada1016 · May 17, 2017

@DiDA Thank you for help out.. I am still learning all this MSHook stuff..

@arthurdapaz

thanks! The more I study the less I know.. ;(.. Do you mind

1. Take a look of my Tweak.xm and see if I understand this correctly? Cause it still crash when I try to enter the battle..

2. If you can share a living sample of Tweak.xm that got your widget and its hacking code? (this will helps much better)

3. Lastly.. where to see NSLog?

#import <APMenu.h>
#import <CoreFoundation/CoreFoundation.h>
#import <substrate.h>
#import <Foundation/Foundation.h>


float (*orig_func)(void *self);

float new_func(void *self)
{
    float newValue = [mm getFloat:@"k05SimpleUiSlider"];
    if (newValue)
        return newValue;
    else
        return orig_func(self);
}




%ctor
{

    mm = [APMenu sharedInstance];
    mp = [MemoryPatcher sharedInstance];

    NSDictionary *hacks =
    @{

        @"k05SimpleUiSlider":@{
            @"type": @"modslider",
            @"typecfg": @{
                    @"minimumValue":@0,
                    @"maximumValue":@99999
                },
            @"desc": @"Normal UI Slider",
            @"label": @"Normal UI Slider"
            },
    };

    [mm init:hacks
                openAfter: 1                                                                          
                    width: 260                                                                        
        maxVisibleToggles: 5                                                                          
                    theme: rgb(0xbef7d9)                                                              
                    title: @"MY VALANTFORCE GAME HACK"                                                
					credits: @"Hack by ada1016. Thanks to DiDA n' shmoo for inspiration <3"     
					creditsURL: nil                                                             
					gesture: APGestureThreeFingerTap	
				onFirstLaunch:^{

            [mm listenChanges:^(id sender)
            {
                if ([mm ismodtext:sender])
                {
                    UIKeyTextField *textField = (UIKeyTextField*) sender;
                    NSString *key             = textField.featureKey;
                    float value               = textField.text.floatValue;

                    NSLog(@"Value of modtext %@: %f", key, value);
                }
                if ([mm ismodslider:sender])
                {
                    UIKeySlider *slider = (UIKeySlider*) sender;
                    NSString *key       = slider.featureKey;
                    float value         = slider.value;

                    NSLog(@"Value of modslider %@: %f", key, value);

                }
                if ([mm ismodswitcher:sender])
                {
                    UIViewSwitcher *switcher = (UIViewSwitcher*) sender;
                    NSString *key            = switcher.featureKey;
                    BOOL value               = switcher.isOn;

                    NSLog(@"Value of modslider %@: %d", key, value);
                }
            }];


		MSHookFunction(MSFindSymbol(NULL,"_Equipment_get_Attack_m171674799"), (void*)new_func, (void**)&orig_func);
        NSLog(@"Initialized");
    }];
}

ada1016 · May 18, 2017

I will answer myself so if anyone meet similar questions like I do, you can get some lights here. Still million appreciation to @arthurdapaz and @DiDA. Could not done this without your TuT and guide

Q: NSLog, where to read and how?

A: Install ondeviceconsole on Cydia, SSH in and run command

Q: So how the code goes that make it works?

#import <APMenu.h>
#import <CoreFoundation/CoreFoundation.h>
#import <substrate.h>
#import <Foundation/Foundation.h>
float (*orig_func)(void *self);
float new_func(void *self)
{
    float newValue = [mm getFloat:@"k05SimpleUiSlider"];
    if (newValue)
        return newValue;
    else
        return orig_func(self);
}
%ctor
{
    mm = [APMenu sharedInstance];
    mp = [MemoryPatcher sharedInstance];
    NSDictionary *hacks =
    @{

        @"k05SimpleUiSlider":@{
            @"type": @"modslider",
            @"typecfg": @{
                    @"minimumValue":@0,
                    @"maximumValue":@99999
                },
            @"desc": @"God Power",
            @"label": @"Normal UI Slider"
            },
    };
    [mm init:hacks
					openAfter: 1 
                    width: 260
					maxVisibleToggles: 5
                    theme: rgb(0xbef7d9)
                    title: @"MY GAME HACK"
					credits: @"Hack by ada1016. Thanks to DiDA n' shmoo for inspiration <3"
					creditsURL: nil

                  gesture: APGestureThreeFingerTap
		onFirstLaunch:^{
            [mm listenChanges:^(id sender)
            {
                if ([mm ismodtext:sender])
                {
                    UIKeyTextField *textField = (UIKeyTextField*) sender;
                    NSString *key             = textField.featureKey;
                    float value               = textField.text.floatValue;

                    NSLog(@"Value of modtext %@: %f", key, value);
                }
                if ([mm ismodslider:sender])
                {
                    UIKeySlider *slider = (UIKeySlider*) sender;
                    NSString *key       = slider.featureKey;
                    float value         = slider.value;

                    NSLog(@"Value of modslider %@: %f", key, value);

                }
                if ([mm ismodswitcher:sender])
                {
                    UIViewSwitcher *switcher = (UIViewSwitcher*) sender;
                    NSString *key            = switcher.featureKey;
                    BOOL value               = switcher.isOn;
                    NSLog(@"Value of modslider %@: %d", key, value);
                }
            }];

		MSHookFunction(MSFindSymbol(NULL,"_Equipment_get_Attack_m171674799"), (void*)new_func, (void**)&orig_func);
        NSLog(@"Initialized");
    }];
}