Jump to content

Instance Variables and Function Pointers


Guest

1,191 posts in this topic

Recommended Posts

*BEST VIEWED ON DESKTOP*

The Unity tool. I hate it. All it does is make people worse at hacking because no one is developing actual analysis skills anymore. Now all you have to do to make an awesome hack is to CTRL-F everything until you have 100 features. If you want to get good at something, take the hard route. I can't stress that enough. Anyway, when I first heard about it, I thought it just revealed method names and locations. I was surprised upon finding that not only does it reveal method names and their locations, it reveals class names, parameters, instance variables, and the location in memory where said instance variables can be found. I couldn't believe what was right in front of me because everyone was just taking advantage of visible methods and their locations.

 

This applies to non-Unity games as well. You just need to have knowledge of object oriented programming to really know how to take advantage of instance variables. I guess I could cover that in a later tutorial. Anyway, let's get started.

 

This tutorial pertains to iOS only. Not the concepts, just the tutorial.

 

Hidden Content

    *****Get the Unity tool from herehttps://github.com/Perfare/Il2CppDumper/releases

     

    Part A. Instance Variables

    1. Memory Layout

    I went to make this absolutely clear. For example, this...

    STR X3, [X0, #0x248]

    ...is telling the machine to store whatever X3 is holding (let's say ammo) in X0+0x248 (let's say X0 points to a Gun object). X0 contains the address of wherever the Gun object is held in memory. Let's say the address of the Gun object is 0x16fd27640. That means the machine is assigning whatever is at 0x16fd27640+0x248 to X3. That's why when you NOP a STR instruction, the value freezes. The machine can no longer update the value at the location of whatever you NOP'ed.

    Let's look at an actual example involving arrays:

    #include <stdio.h>
    #include <malloc.h>
    #include <conio.h>
    
    int main(){
    	int *a = (int *)malloc(sizeof(int)*4);
    	
    	free(a);
    
    	_getch();
    }

    This program allocates some memory for an array of four integers, then frees that memory. _getch() forces the machine to wait for a letter to be pressed before it terminates the program. Now I'll give the elements in this array some values:

    #include <stdio.h>
    #include <malloc.h>
    #include <conio.h>
    
    int main(){
    	int *a = (int *)malloc(sizeof(int)*4);
    	
    	a[0] = 3;
    	a[1] = 2;
    	a[2] = 4;
    	a[3] = 1;
      
    	free(a);
    
    	_getch();
      
      	return 0;
    }

    The memory map of this array would be as follows:

    	a[0]		a[1]		a[2]		a[3]
    	 3	         2                4               1

    But that's not all. Here's another equivalent way of writing the memory map:

    	*(a+0)		*(a+1)		*(a+2)		*(a+3)
    	   3	           2               4               1

    This is the way we'll be able to get and set instance variables on various objects, but that is later down the line. Why does this work? Because when the compiler sees the [] operator, it translates it into pointer addition (as well as a dereference), which is exactly what we are doing by writing *(a+X). If you're still confused, hopefully this next part will clear this up. When we created the array of four ints, the machine allocated sixteen bytes space on the heap for it (as well as a pointer for it on the stack, but that isn't important for this tutorial). Why sixteen bytes? Because the size of an int on most machines is four, and we allocated memory for four ints. 4*4=16 :) We can take a look at what the memory looks like where the array is located in Visual Studio's debugger:

    array_on_the_heap.png

    The highlighted area is where the array is located. You can see the elements in the exact order as they were declared (3, 2, 4, 1) on the heap. Now we can use our newfound knowledge of memory layout to access and modify instance variables in iOS games.

     

    2. The 'this' pointer

    In C++, the 'this' pointer is best thought of as a hidden argument in every non-static function call. (Static methods do not need to be called with a class object) It references the current instance of its class. To better illustrate this concept, I have created a tiny class called Test. Also, take note that both of Test's instance variables are private, which means I cannot access them directly. Here is Test.h:

    class Test {
    private:
    	int a;
    	int b;
    
    public:
    	Test();
    	
    	int getA() const;
    	int getB() const;
    
    	void setA(int newA);
    	void setB(int newB);
    
    	~Test();
    };

    Here is Test.cpp:

    #include "Test.h"
    
    //create a new Test object and set its instance variables to 5 and 8 respectively
    Test::Test(){
    	this->a = 5;
    	this->b = 8;
    }
    
    int Test::getA() const {
    	return this->a;
    }
    
    int Test::getB() const {
    	return this->b;
    }
    
    void Test::setA(int newA){
    	this->a = newA;
    }
    
    void Test::setB(int newB){
    	this->b = newB;
    }
    
    Test::~Test(){}

    See how I use the this pointer to get and set Test's instance variables? If I wanted to call setA, I would do this:

    Test *t = new Test();
    
    t.setA(100);

    Obviously, in assembly, we don't have the luxury of syntax. In assembly, the call to setA would look like this:

    setA(t, 100);

    t is the this pointer. In assembly, the this pointer is always the first argument to any (non-static) function. For additional clarity, if I included this method in the Test class:

    void Test::setAB(int newA, int newB){
    	this->a = newA;
    	this->b = newB;
    }

    and called setAB like this:

    Test *t = new Test();
    
    t.setAB(1000, 2000);

    The function call in assembly would be setAB(t, 1000, 2000). No matter what type the function is, however many arguments it has, or whatever class it belongs to, the this pointer is always the first argument. If the method is static, there is simply no this pointer.

     

    3. A "Hacky" Way of Getting and Setting Instance Variables

    Recall our class called Test and the array example. In the array example, our array was located at 0xba5d38, with sixteen bytes of extra space for the four elements. This is no different with our Test class. Consider this code:

    #include <stdio.h>
    #include <malloc.h>
    #include <conio.h>
    #include "Test.h"
    
    int main(){
    	Test *t = new Test();
      
    	_getch();
    
    	return 0;
    }

    The machine created a pointer to our Test object on the stack and allocated the appropriate amount of memory on the heap for its instance variables. In the Test constructor, I set a and b to 5 and 8 for visibility. Let's take a look at our memory in Visual Studio's debugger:

    test_instance_variables.png

    You can see t's instance variables on the heap! Again, since an int is four bytes on most machines, there are eight byes of memory reserved for the two instance variables. And remember, they are private. When I try and directly access the instance variable "a", I get this error:

    trying_to_access_private_instance_variab

    (side note: I changed my project directory and I forgot to change it back)

    Fortunately for us, since C++ gives us complete control over our memory, we can access and modify a without a function through pointer arithmetic! Since a is our first instance variable, it is located where our Test object is located. b is located at our test object + 0x4, and so on if we had more instance variables. And remember, t is our this pointer. Consider this code:

    int instanceVariableA = *(int *)(t + 0x0);
                                    /*---1---*/
                            /*--2--*/

    Don't be worried if this looks confusing. I'll explain this step by step. Just like with the array example, we can access data through pointer arithmetic. In the comments I've numbered each thing I am going to explain.

    1. Since t is literally just the address to its location on the heap, this is also the address to its first instance variable. Also, throughout this entire tutorial I have been including "+ 0x0" for clarity. In your code you don't have to do this.

    2. Cast whatever is at t + 0x0 to an int pointer and dereference it to access its value.

    After all that, we have successfully grabbed t's instance variable a without a function. Remember that when a Test object is created, a is set to 5 and b is set to 8.

    accessing_A_without_function.png

    if I wanted to grab b, I would replace t + 0x0 with t + 0x4.

    We can modify a in a similar manner in which we used to grab it. All we have to do is treat all of our pointer arithmetic and casting like a variable, and set it to whatever we want, like so:

    *(int *)(t + 0x0) = 1000;

    Let's see if this is successful:

    accessing_A_and_setting_it_without_funct

    Success! I call getA() to make sure that I actually did change a. Let's take a look at our memory on the heap:

    memory_on_heap_after_changing_A.png

    Sure enough, the data at where a is located changed to 0xe803. But since the hex here is in little endian, 0xe803 is actually 0x03e8, which is 1000. We successfully modified a without calling a function. This will be extremely useful when making game hacks because we won't need to call a function that may or may not be present in the game itself every time we want to modify an instance variable. Everytime we call a function from the game, a little instability is added because we don't actually know how it works, and we want as much stability as possible.

     

    4. Applying These Concepts to Game Hacks

    Why did I use a program I wrote on my computer to illustrate these concepts? Because C++ on Windows is no different than C++ on iOS. A program that counts from one to one hundred on Windows would do the exact same thing on iOS. Obviously, there are API differences, but we aren't dealing with that. Also, Visual Studio's debugger is great for showing memory. Anyway, let's say that I made a dump of some Unity game and the Player class looked like this:

    public class Player : MonoBehaviour // TypeDefIndex: 5545
    {
    	// Fields
    	private float health; // 0x18
    	private int ammo; // 0x1c
      	private float moveSpeed; // 0x20
      	private bool isDead; // 0x24
      	private Player playerLastDamaged; // 0x28
      	private bool mine; // 0x30
    
    	// Methods
    	public void .ctor(); // 0x100093720
    	private void Awake(); // 0x1000937A0
    	private void Update(); // 0x1000938FC
    	private void InitPlayer(); // 0x100094000
    	private void OnDestroy(); // 0x100094AF0
    }

    (I made every instance variable private as a proof of concept - it doesn't matter if something is public or private as shown in the last example)

    While taking a look at this, you should notice the instance variable "playerLastDamaged" is eight bytes. This is fine. Size does not matter when grabbing instance variables. You should also notice there are no accessors or setters for any of the instance variables.

    Notice the function called "Update". Any function called LateUpdate or Update is of massive use to you. Why? Because this is a non-static function that is called by Unity once per frame. If you have 60 FPS in a game, Update is being called 60 times a second. Why is this good? Think about it. We wouldn't want to get and set instance variables on a Player object that hasn't been updated for a while right? We need our most current Player object to modify, and what better way of getting it than hooking a function that is called 60 times every second? You all know how to hook a function with MSHookFunction. At least I hope so. In this example, I'm not going to show the call to MSHookFunction. Just imagine it is there. In this example, the game we are hacking is an online FPS. Everyone in the room is a Player object, and Update is called for each Player object. And for some reason, the game is so insecure that we can modify other people's instance variables non-visually. Here's how the barebones function hook would look:

    void (*Player_update)(void *player);
    
    void _Player_update(void *player){
    	Player_update(player);
    }

    Remember the previous examples. The first argument to any non-static function in assembly is the this pointer. It is best to name the this pointer the class name, because it is representing that class. We also have to use a void pointer (void *) because we don't actually have access to the Player class, only its objects. Because of this, the way we get and set instance variables will be a bit different. We also have to check if the player object isn't NULL to prevent crashes! Recall what you read about the this pointer. If the Player object is NULL, this is what the call to update would look like in C++:

    NULL.Update();

    And that doesn't make any sense, right? :p

    For this first example, we'll be giving ourselves infinite ammo, infinite health, and increased move speed, as well as making everyone else's health 1.0 and taking everyone else's ammo away.

    Obviously we don't want to apply anything bad to ourselves, so we can make use of the mine instance variable. This boolean just tells us if this Player object belongs to me. To get this instance variable, we need to do this:

    if(player != NULL){
    	bool isMine = *(int *)((uint64_t)player + 0x30); 
    }

    The one difference is casting the void pointer to uint64_t. We need to do this in order to perform pointer arithmetic on the player object. Also, a boolean in C and C++ just holds a 0 or a 1... which means we can substitute int for it.

    So far, the Update hook looks like this:

    void (*Player_update)(void *player);
    
    void _Player_update(void *player){
    	if(player != NULL){
    		bool isMine = *(int *)((uint64_t)player + 0x30);
    	}
    
    	Player_update(player);
    }

    Now that we have the mine instance variable, we can test to see if our Player object is indeed ours, and if it is, apply the hacks:

    void (*Player_update)(void *player);
    
    void _Player_update(void *player){
    	if(player != NULL){
    		bool isMine = *(int *)((uint64_t)player + 0x30);
    
    		if(isMine){
    			//ammo
    			*(int *)((uint64_t)player + 0x1c) = 999;
    
    			//health
    			*(float *)((uint64_t)player + 0x18) = 100.0f;
    
    			//increased move speed, normal is 1.0f
    			*(float *)((uint64_t)player + 0x20) = 5.0f;
    		}
    	}
    
    	Player_update(player);
    }

    That's not all we want to do, though. We want to wreak havoc on other people so we need to take everyone's ammo away and make everyone have 1.0 health.

    void (*Player_update)(void *player);
    
    void _Player_update(void *player){
    	if(player != NULL){
    		bool isMine = *(int *)((uint64_t)player + 0x30);
    
    		if(isMine){
    			//ammo
    			*(int *)((uint64_t)player + 0x1c) = 999;
    
    			//health
    			*(float *)((uint64_t)player + 0x18) = 100.0f;
    
    			//increased move speed, normal is 1.0f
    			*(float *)((uint64_t)player + 0x20) = 5.0f;
    		}
    		else{
    			//enemy ammo
    			*(int *)((uint64_t)player + 0x1c) = 0;
    
    			//enemy health
    			*(float *)((uint64_t)player + 0x18) = 1.0;
    		}
    	}
    
    	Player_update(player);
    }

    If you want to get more creative, you can make use of the "playerLastDamaged" instance variable to make a "freeze tag" hack. This hack will freeze the person you just shot, just like if you tag a person in freeze tag. Like before, we have to check if the player object is ours, and then we can access the playerLastDamaged instance variable.

    void (*Player_update)(void *player);
    
    void _Player_update(void *player){
    	if(player != NULL){
    		bool isMine = *(int *)((uint64_t)player + 0x30);
    	}
    
    	Player_update(player);
    }

    Now we have to get the playerLastDamaged instance variable. Like I said before, size does not matter. You would access it just like any other instance variable. We also have to check if it isn't NULL.

    void (*Player_update)(void *player);
    
    void _Player_update(void *player){
    	if(player != NULL){
    		bool isMine = *(int *)((uint64_t)player + 0x30);
    
    		if(isMine){
    			void *playerLastDamaged = *(void **)((uint64_t)player + 0x28);
    
    			if(playerLastDamaged != NULL){
    				
    			}
    		}
    	}
    
    	Player_update(player);
    }

    Now we have to set playerLastDamaged's moveSpeed instance variable to 0.0. Remember that playerLastDamaged is a Player object, so we have access to the Player instance variables. Again, we don't have access to the actual Player class, so we have to use a void pointer.

    void (*Player_update)(void *player);
    
    void _Player_update(void *player){
    	if(player != NULL){
    		bool isMine = *(int *)((uint64_t)player + 0x30);
    
    		if(isMine){
    			void *playerLastDamaged = *(void **)((uint64_t)player + 0x28);
    
    			if(playerLastDamaged != NULL){
    				//set person we just shot moveSpeed to 0.0
    				*(float *)((uint64_t)playerLastDamaged + 0x20) = 0.0f;
    			}
    		}
    	}
    
    	Player_update(player);
    }

    And just like that, our freeze tag hack is complete! There you have it, two full fledged hacks that work by modifying instance variables! ALWAYS REMEMBER TO CHECK ALL POINTERS TO SEE IF THEY'RE NULL!!!!

     

    Part B. Function Pointers

    Function pointers are great when you want to call a function but don't want to sacrifice stability by hooking it. This part is much simpler than instance variables. Here's an example of a function pointer in C++:

    #include <stdio.h>
    #include <conio.h>
    
    void func(){
    	printf("Hello, someone called me!\n");
    }
    
    int main(){
      	//&func takes the address of where func is kept in memory
    	void (*func_ptr)() = &func;
    
    	func_ptr();
    
    	_getch();
    
    	return 0;
    }

    We can this in action here:

    function_pointer_1.png

    The & operator takes the address of whatever it is being used on. You can think as a function pointer as a pointer to the address of where the function is in memory. The syntax here should look a bit familiar because you are creating a function pointer to the original function whenever you use MSHookFunction to hook something. But again, that adds instability to the hack. The concept here is the same on iOS, but the syntax is not as simple. First of all, let's add some new methods to our Player class from Part A:

    public class Player : MonoBehaviour // TypeDefIndex: 5545
    {
    	// Fields
    	private float health; // 0x18
    	private int ammo; // 0x1c
      	private float moveSpeed; // 0x20
      	private bool isDead; // 0x24
      	private Player playerLastDamaged; // 0x28
      	private bool mine; // 0x30
    
    	// Methods
    	public void .ctor(); // 0x100093720
    	private void Awake(); // 0x1000937A0
    	private void Update(); // 0x1000938FC
    	private void InitPlayer(); // 0x100094000
    	private void OnDestroy(); // 0x100094AF0
      	private void KillPlayer(); // 0x100095CF4
      	private void SetPlayerTeam(int team); // 0x100095FF8
      	private void RespawnPlayerAtLocation(Vector3 location, int health); // 0x10009A230
      	private int GetPlayerID(); // 0x10009B34C
      	private static void Suicide(int playerID); // 0x10009C99C
    }

    Again, it doesn't matter if a function is private or public.

    To get the correct offset with the ASLR slide, I use a function called getRealOffset. This is what it looks like:

    uint64_t getRealOffset(uint64_t offset){
        return _dyld_get_image_vmaddr_slide(0) + offset;
    }

    Now that that's out of the way, this is how to declare a function pointer:

    <type> (*<function name>)(<this pointer>, <any additional parameters>) = (<type>)(*)(void *, <types of additional parameters))getRealOffset(<offset>);

    To remember the syntax, learn to look at this as pairs. I'll add comments to pairs you should remember:

    <type> (*<function name>)(<this pointer>, <any additional parameters>) = (<type>)(*)(void *, <types of additional parameters>))getRealOffset(<offset>);
    /*A*/  /*------B------*/ /*-----------------C-----------------------*/   /*-A-*//*B*/ /*----------------C------------------*/  /*-------D--------*/

    If it is hard to tell, here's what corresponds to what:

    //A
    <type> = (<type>)
    
    //B
    (*<function name>) = (*)
    
    //C  
    (<this pointer>, <any additional parameters>) = (void *, <types of additional parameters>)
    
    //D
    getRealOffset(<offset>) has no corresponding part

    It looks really weird, but once you get used to it, it just feels right.

    Here's what the function pointers would look like for the five new methods I added:

    void (*Player_KillPlayer)(void *player) = (void (*)(void *))getRealOffset(0x100095CF4);
    void (*Player_SetTeam)(void *player, int team) = (void (*)(void *, int))getRealOffset(0x100095FF8);
    void (*Player_RespawnPlayerAtLocation)(void *player, Vector3 *location, int health) = (void (*)(void *, Vector3 *, int))getRealOffset(0x10009A230);
    int (*Player_GetPlayerID)(void *player) = (int (*)(void *))getRealOffset(0x10009B34C);
    void (*Player_Suicide)(int playerID) = (void (*)(int))getRealOffset(0x10009C99C);

    Side note - Vector3 is a class that you can recreate yourself. Notice how the last method I added was static. That's why there's no this object included in the parameters. You can call these function pointers as normal functions:

    //kill someone
    Player_KillPlayer(player);
    
    //get someone's ID
    int playerID = Player_GetPlayerID(player);
    
    //force someone with ID 1 to suicide
    Player_Suicide(1);

    Now that you know how to create and call function pointers, let's make a hack that constantly kills someone with a specific ID. For this example, it will be 10. First, we hook Update.

    //declare function pointers
    void (*Player_KillPlayer)(void *player) = (void (*)(void *))getRealOffset(0x100095CF4);
    void (*Player_SetTeam)(void *player, int team) = (void (*)(void *, int))getRealOffset(0x100095FF8);
    void (*Player_RespawnPlayerAtLocation)(void *player, Vector3 *location, int health) = (void (*)(void *, Vector3 *, int))getRealOffset(0x10009A230);
    int (*Player_GetPlayerID)(void *player) = (int (*)(void *))getRealOffset(0x10009B34C);
    void (*Player_Suicide)(int playerID) = (void (*)(int))getRealOffset(0x10009C99C);
    
    void (*Player_update)(void *player);
    
    void _Player_update(void *player){
    	Player_update(player);
    }

    Now we have to figure out which Player object is ours, because we don't want to kill ourselves in case our ID is 10.

    //declare function pointers
    void (*Player_KillPlayer)(void *player) = (void(*)(void *))getRealOffset(0x100095CF4);
    void (*Player_SetTeam)(void *player, int team) = (void(*)(void *, int))getRealOffset(0x100095FF8);
    void (*Player_RespawnPlayerAtLocation)(void *player, Vector3 *location, int health) = (void(*)(void *, Vector3 *, int))getRealOffset(0x10009A230);
    int (*Player_GetPlayerID)(void *player) = (int(*)(void *))getRealOffset(0x10009B34C);
    void (*Player_Suicide)(int playerID) = (void(*)(int))getRealOffset(0x10009C99C);
    
    void (*Player_update)(void *player);
    
    void _Player_update(void *player){
    	if(player != NULL){
    		bool isMine = *(int *)((uint64_t)player + 0x30);
    	}
    
    	Player_update(player);
    }

    Now we can check if the Player object isn't ours and then get the Player ID of the Player object if it is not ours.

    //declare function pointers
    void (*Player_KillPlayer)(void *player) = (void(*)(void *))getRealOffset(0x100095CF4);
    void (*Player_SetTeam)(void *player, int team) = (void(*)(void *, int))getRealOffset(0x100095FF8);
    void (*Player_RespawnPlayerAtLocation)(void *player, Vector3 *location, int health) = (void(*)(void *, Vector3 *, int))getRealOffset(0x10009A230);
    int (*Player_GetPlayerID)(void *player) = (int(*)(void *))getRealOffset(0x10009B34C);
    void (*Player_Suicide)(int playerID) = (void(*)(int))getRealOffset(0x10009C99C);
    
    void(*Player_update)(void *player);
    
    void _Player_update(void *player){
    	if(player != NULL){
    		bool isMine = *(int *)((uint64_t)player + 0x30);
    		
    		if(!isMine){
    			int playerID = Player_GetPlayerID(player);
    		}
    	}
    
    	Player_update(player);
    }

    Now we can check if playerID is 10, and if so, force that player to kill themselves:

    //declare function pointers
    void (*Player_KillPlayer)(void *player) = (void(*)(void *))getRealOffset(0x100095CF4);
    void (*Player_SetTeam)(void *player, int team) = (void(*)(void *, int))getRealOffset(0x100095FF8);
    void (*Player_RespawnPlayerAtLocation)(void *player, Vector3 *location, int health) = (void(*)(void *, Vector3 *, int))getRealOffset(0x10009A230);
    int (*Player_GetPlayerID)(void *player) = (int(*)(void *))getRealOffset(0x10009B34C);
    void (*Player_Suicide)(int playerID) = (void(*)(int))getRealOffset(0x10009C99C);
    
    void(*Player_update)(void *player);
    
    void _Player_update(void *player){
    	if(player != NULL){
    		bool isMine = *(int *)((uint64_t)player + 0x30);
    		
    		if(!isMine){
    			int playerID = Player_GetPlayerID(player);
    
    			if(playerID == 10){
    				Player_Suicide(playerID);
    			}
    		}
    	}
    
    	Player_update(player);
    }

    (I know this is inefficient, but it is a great way of showing use of function pointers)

    And there you have it, a hack to kill a certain player if their ID is 10 using function pointers.

     

    You can get really creative with this method of hacking! It's really addicting :p

     

    Here is an example Tweak.xm (dead trigger 2 hack): https://iosddl.net/cc637e33bdf2a037/Tweak_for_tutorial.xm

    Check out my aimbots I put on my Github: http://www.github.com/shmoo419/

 

Please let me know if you have any questions :)

 

(It took about 6 hours to write this tutorial)

Updated by Guest
Fixed all images and added a little bit of extra info
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below. For more information, please read our Posting Guidelines.
Reply to this topic... Posting Guidelines

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Our picks

    • Idle Ninja Online v2312 Cheats +17
      Modded/Hacked App: Idle Ninja Online By Puzzle Monsters Inc.
      Bundle ID: com.puzzlemonsters.growninja
      iTunes Store Link: https://apps.apple.com/us/app/idle-ninja-online/id1559182313?uo=4


      Mod Requirements:
      - Non-Jailbroken/Jailed or Jailbroken iPhone/iPad/iPod Touch.
      - Sideloadly / Cydia Impactor or alternatives.
      - A Computer Running Windows/macOS/Linux with iTunes installed.


      Hack Features:
      - fast farm (attack full map & hide some shuriken) 
      - no cool skill
      - no need mana
      - speed
      - wall hack
      - increase damage 
      - increase damage v2 
      - Always ultimate skill???? (not test, need tester) 
      - fast shot
      - penetration
      - multi shot
      - far FOV (in setting)
      - can move while attack 
      - reduce animation 
      - skin dame (need show damege skin in setting, from 1 to 23)
      - antiban (not sure 100%) 
        • Informative
        • Agree
        • Haha
        • Thanks
        • Winner
        • Like
      • 95 replies
    • Idle Ninja Online v2312 Cheats +17
      Modded/Hacked App: Idle Ninja Online By Puzzle Monsters Inc.
      Bundle ID: com.puzzlemonsters.growninja
      iTunes Store Link: https://apps.apple.com/us/app/idle-ninja-online/id1559182313?uo=4


      Hack Features:
      - no cool skill
      - no need mana
      - speed
      - max level
      - fast shot
      - penetration
      - multi shot
      - far FOV (in setting)
      - can move 
      - reduce animation
      - skin dame (need show damege skin in setting, from 1 to 23)
      - antiban (not sure 100%) 


      Non-Jailbroken & No Jailbreak required hack(s): https://iosgods.com/forum/79-no-jailbreak-section/
      Modded Android APK(s): https://iosgods.com/forum/68-android-section/
      For more fun, check out the Club(s): https://iosgods.com/clubs/
        • Informative
        • Agree
        • Haha
        • Thanks
        • Winner
        • Like
      • 679 replies
    • Pocket Champs PVP Racing Games Cheats v5.2.1 +2
      Modded/Hacked App: Pocket Champs: 3D Racing Games By MADBOX
      Bundle ID: com.pocketchamps.game
      iTunes Store Link: https://apps.apple.com/us/app/pocket-champs-3d-racing-games/id1542776143?uo=4


      Hack Features:
      - Free Store (not Free iAP) -- Negative value will reset to 0 on launch
      - Infinite Coins & Gems

      iOS Hack Download Link: https://iosgods.com/topic/165006-pocket-champs-3d-racing-games-cheats-v318-2/
        • Informative
        • Agree
        • Haha
        • Thanks
        • Winner
        • Like
      • 161 replies
    • Idle Theme Park - Tycoon Game Cheats v6.1.1 +1
      Modded/Hacked App: Idle Theme Park - Tycoon Game by Digital Things Sociedad Limitada
      Bundle ID: com.codigames.idle.theme.park.tycoon
      iTunes Store Link: https://apps.apple.com/us/app/idle-theme-park-tycoon-game/id1460772578?uo=4&at=1010lce4


      Hack Features:
      - Infinite Cash


      iOS Hack Download Link: https://iosgods.com/topic/116320-arm64-idle-theme-park-tycoon-game-cheats-v210-1/
        • Informative
        • Agree
        • Haha
        • Thanks
        • Winner
        • Like
      • 531 replies
    • Gran Saga Idle:KNIGHTSxKNIGHTS Cheats v1.18.0 +2
      Modded/Hacked App: Gran Saga Idle:KNIGHTSxKNIGHTS By Kakao Games Corp.
      Bundle ID: com.piedpixels.gransagaidle
      iTunes Store Link: https://apps.apple.com/us/app/gran-saga-idle-knightsxknights/id6482985104?uo=4


      Hack Features:
      - Multiply Attack
      - Multiply Defense


      iOS Hack Download Link: https://iosgods.com/topic/182761-gran-saga-idleknightsxknights-cheats-v101-2/
        • Informative
        • Agree
        • Haha
        • Thanks
        • Winner
        • Like
      • 225 replies
    • Toram Online v4.0.51 - [ Custom Move Speed & More ]
      Modded/Hacked App: Toram Online By ASOBIMO,Inc.
      Bundle ID: com.asobimo.toramonline
      iTunes Store Link: https://itunes.apple.com/us/app/toram-online/id988683886?mt=8&uo=4&at=1010lce4
       

      Mod Requirements:
      - Jailbroken iPhone/iPad/iPod Touch.
      - iFile / Filza / iFunBox / iTools or any other file managers for iOS.
      - Cydia Substrate or Substitute.
      - PreferenceLoader (from Cydia or Sileo).


      Hack Features:
      - Custom Move Speed
      - God Mode 
      - Fast Attack Speed
      - Fast Cast Speed
      - Always Critical Chance
      - Never Miss Hit 
      - Mobs/Bosses Can't Avoid & Guard 
      - Quick Draw
      - Armor Break
      - Magic Wall - Stun + Full Map Hack 
        • Informative
        • Agree
        • Haha
        • Thanks
        • Winner
        • Like
      • 2,511 replies
    • Operate Now: Hospital Cheats v1.58.5 +1
      Modded/Hacked App: Operate Now: Hospital by SPIL Games
      Bundle ID: com.spilgames.OperateNow2
      iTunes Store Link: https://itunes.apple.com/us/app/operate-now-hospital/id1136678102?mt=8&uo=4&at=1010lce4



      Hack Features:
      - Heart Reward Instead of Cash


      Hack Download Link: https://iosgods.com/topic/97086-arm64-operate-now-hospital-cheats-v1312-1/
        • Informative
        • Agree
        • Haha
        • Thanks
        • Winner
        • Like
      • 279 replies
    • Slayer Legend Cheats v600.0.0 +3
      Modded/Hacked App: Slayer Legend By GEAR2
      Bundle ID: com.gear2.growslayer
      iTunes Store Link: https://apps.apple.com/us/app/slayer-legend/id1635712706?uo=4


      Hack Features:
      - Multiply Attack
      - Multiply Defense
      - Freeze Currencies


      iOS Hack Download Link: https://iosgods.com/topic/186299-slayer-legend-cheats-v50084-3/
        • Informative
        • Agree
        • Haha
        • Winner
        • Like
      • 55 replies
    • Immortal Rising Cheats v2.4.7 +4
      Modded/Hacked App: Immortal Rising By MOBIRIX
      Bundle ID: com.badbeans.DarkIdle
      iTunes Store Link: https://apps.apple.com/us/app/immortal-rising/id1588863558?uo=4


      Hack Features:
      - God Mode
      - One Hit Kill
      - PREMIUM
      - Freeze Currencies*

      *Abuse = Ban


      iOS Hack Download Link: https://iosgods.com/topic/178921-immortal-rising-cheats-v222-4/
        • Informative
        • Agree
        • Haha
        • Thanks
        • Winner
        • Like
      • 159 replies
    • Demon Squad: Idle RPG Cheats v1.60 +2
      Modded/Hacked App: Demon Squad: Idle RPG By SuperPlanet corp.
      Bundle ID: com.superplanet.demonsquad
      iTunes Store Link: https://apps.apple.com/us/app/demon-squad-idle-rpg/id6504470907?uo=4


      Hack Features:
      - Multiply Attack
      - Multiply Defense


      iOS Hack Download Link: https://iosgods.com/topic/185576-demon-squad-idle-rpg-cheats-v139-2/
        • Informative
        • Agree
        • Haha
        • Thanks
        • Winner
        • Like
      • 67 replies
    • Delusion: Tactical Idle RPG Cheats v2.0.4 +3
      Modded/Hacked App: Delusion: Tactical Idle RPG By SuperPlanet corp.
      Bundle ID: com.superplanet.delusion
      iTunes Store Link: https://apps.apple.com/us/app/delusion-tactical-idle-rpg/id6496342351?uo=4


      Hack Features:
      - Multiply Attack
      - God Mode
      - Freeze Currencies

      NOTE: Do not abuse or buy ViP just for this cheats


      iOS Hack Download Link: https://iosgods.com/topic/183614-delusion-tactical-idle-rpg-cheats-v1027-3/
        • Thanks
        • Winner
        • Like
      • 52 replies
    • Candy Crush Saga Cheats v1.291.0 +2
      Modded/Hacked App: Candy Crush Saga By King
      Bundle ID: com.midasplayer.apps.candycrushsaga
      iTunes Store Link: https://itunes.apple.com/us/app/candy-crush-saga/id553834731?mt=8&uo=4&at=1010lce4




      Hack Features:
      - Infinite Life (Turn on when you running out of life)
      - Infinite Booster (Won't subtract when use)
       

      Hack Download Link: https://iosgods.com/topic/72296-arm64-candy-crush-saga-cheats-v11330-2-iosgods-exclusive/


      Credits:
      - @Laxus
        • Informative
        • Agree
        • Haha
        • Thanks
        • Winner
        • Like
      • 4,749 replies
×
  • Create New...

Important Information

We would like to place cookies on your device to help make this website better. The website cannot give you the best user experience without cookies. You can accept or decline our cookies. You may also adjust your cookie settings. Privacy Policy - Guidelines