Help/Support Need help creating tweak or patching jailbreak detection IDA Pro and Theos

saulin · November 10, 2017

Hey guys,

I have tried every anti jailbreak detection tweak in Cydia and nothing works for either Optik on the Go or Virgin TV Anywhere

Back in the days these 2 apps could be patched with Flex for jailbreak detection but now nothing works. Flex cannot see a lot of values that I can see with IDA Pro.

In fact I can clearly see that Optik on the Go checks for apps installed and some specific folders. However it seems that IDA itself cannot patch the binary, everything is done through a Hex Editor and it gets very confusing trying to figure out which value to patch at what address.

Then I found this post

http://kolbi.cz/blog/?p=286

It seems that the best way to patch it is creating a Cydia tweak with Theos. Now I do have Theos installed and working. And if anyone takes a loo at the binary for Optik on the Go in IDA you will see the method use is very similar to the one used for the Citrix App that gets patched on that link that I provided above. However it has some other files it looks for.

However this is where I need help.

I do need to hook to the class object that has the jailbreak detection right?

Also if I'm trying to create a bool to reurn false, does that mean that the bool value has to exist in that section or I can just create it? because if the bool actually existed I would be able to find it with Flex right? But I cannot find it and that's why these 2 apps are impossible to patch with Flex.

If anyone has time. I can provide the decripted executable for both of these apps. I need help creating the tweak.xm file, then I think I can probbaly build the deb file once I have the propper tweak.xm file.

Here is the ipa I created with Clutch2

https://www.dropbox.com/s/ru23fx3pttczuam/com.telus.nscreen-iOS7.0-(Clutch-2.0.4).ipa?dl=0

I whish I could just change bools and other values in IDA and save the changes back to the executable and replace the executable but it seems that IDA is not able to do that. Every guide I have checked shows how to find values, but then you need to convert some code to hex and patch it with a hex editor; and that's where it gets complicated because no one explains how they actually got the hex values to patch.

That's the nice thing about Flex that you can void stuff and change bool values so easy but it just doesn't work for jailbreak detection in a few apps.

Th3nop · November 10, 2017

maybe downgrade them to version you can bypass,i dont know what are these apps.

not on my appstore cant help

saulin · November 10, 2017

If anyone wants to help I can provide login information for the apps as well.

They are Cable Providers apps that allow you to stream live TV or episodes and movies.

Much like Comcast Xfinity Stream or the DirecTV app. Downgrading does not help because the versions that are hackable by Flex are not longer supported and not compatible with IOS 9/10

i0s_tweak3r · November 11, 2017

6 hours ago, saulin said:

However this is where I need help.

Also if I'm trying to create a bool to reurn false, does that mean that the bool value has to exist in that section or I can just create it? because if the bool actually existed I would be able to find it with Flex right? But I cannot find it and that's why these 2 apps are impossible to patch with Flex.....

I whish I could just change bools and other values in IDA and save the changes back to the executable and replace the executable but it seems that IDA is not able to do that. Every guide I have checked shows how to find values, but then you need to convert some code to hex and patch it with a hex editor; and that's where it gets complicated because no one explains how they actually got the hex values to patch.

That's the nice thing about Flex that you can void stuff and change bool values so easy but it just doesn't work for jailbreak detection in a few apps.

There aren't any simple bool variables in Flex to change, and ya can't just make them up because the code is still being executed, you just don't see it in Flex.

Flex just shows the headers, not the implementation logic, or specific function(s)/ subfunctions that need modified. That's where IDA comes in.

If you find where it has the jailbreak check, you'll find a branch to a dead end one way, or back to the main flow the other way.

Basically you need to find the address of the correct subfunction, then tell it to jump to the address where the sub-function branches to if it's not jailbroken, ( to the main flow) and then void the rest of the subfunction, so it never has a chance to branch to the dead end that having a jailbreak would send ya to.

With the right offsets/addresses, and instructions, you can patch the binary, and with armconverter.com get what you need to make a tweak.

It takes some patience (and a nice learning curve) tho to get there. There's some good tutorials on here for using IDA. Good luck.

saulin · November 11, 2017

I wish someone would post a tut on any of these 2 apps. I can find lots of references to jailbreak and jailbroken but what to patch is the big question. Also since there is no true of false values to change makes it a lot harder than altering the money value on a game lol

I swear these 2 apps are more protected than bank apps. They have some crazy jailbreak protection, nothing seems to work

Oh well back to smali code hacking on Android for me. I was able to patch the Android version of Optik on the Go but the Virgin TV Anywhere App is showing to be a real challenge as well.

***EDIT**

Watching this video

It looks like this guy is able to NOP the values that send the jailbreak message right in the program and then he's able to save a new executable?

At around 10:30 on the video he starts explaining how the jailbreak is called

Can IDA in Windows do the same?

Otherwise do I just need a virtual machine with Mac software to install that Hopper software he's using?

This is exactly what I was hopping I would be able to do with IDA

The patch function does nothing in IDA for me. I can seem to be able to remove stuff but the changes are not reflected in the Hex area and also, I'm not able to save any changes or the difference of the changes for ARM64 IOS games and apps anyways.

Also I was trying to patch a game to get the items for free. I thought I had found the correct subs entry and I tried to NOP it with a hex editor in Windows. After I made the changes and transferred the modified executable back to the game.app folder on the device, the app just crashes, even though the permissions were set exactly the same as the other files in the folder. What is the proper way to to transferred the modified files back to the app or game?

However if I modify the hex values right on the phone itself with the Hex Editor built into Filza File Manager, the app doesn't crash but it looks like I got the wrong entry or I was not supposed to NOP it anyways because the app crashes when I try to make the purchase.