[TUTORIAL] How To Hack Using Mobile Substrate (Method Hooking)

[EvillyG00d 242 30]

✻ Requirements
✔ Mobile Substrate
✔ Mobile Terminal
✔ BigBoss Recommended Tools
✔ Theos
✔ iOS SDK

✻ Setup Variants
From my experience, setting up theos is a *****. My 3 iDevices all have different theos/SDK variants because while something may work on one device, it may not work on another. In the future I may write a theos/SDK error list with solutions, but right now I really don’t have the expertise to talk about that, especially considering I have a broken theos now that I can’t seem to fix. If you are having similar issues, I recommend following this guide: https://iosgods.com/topic/62343-new-2021-ios-1213-how-to-install-theos-sdk-on-your-idevice/

 

✻ Setting Up a Project
Launch Mobile Terminal and sign in as root. Then type this command:

$THEOS/bin.nic.pl
/* If that results in error, type /var/theos/bin/nic.pl */

This command starts up the New Instance Creator (nic). Next, choose iphone/tweak by typing the number associated with it. Lastly, name your project (herein myhack), bundle ID, and author. The last too are only important if you plan on publishing your tweak to Cydia. If you’re not, feel free to leave them blank.

Note this puts myhack in /var/mobile. If you want it in a different directory, cd it before starting up nic.

In /myhack, there are 3 files of interest. The Makefile, myhack.plist, and Tweak.xm. The Makefile is where you would add frameworks or instructions for the installation process. myhack.plist contains a list of app bundle IDs the hack will target. To fetch a bundle ID, go into /Library/Preferences of your app and copy the com.companyName.appName.plist (exclude the .plist extension). That is the bundle ID. If you’re app doesn’t have that file in /Preferences, go to /appName.app and open up Info.plist. The bundle ID will be in <string>Bundle Identifier</string>. If you want the hack to work on all apps, delete the myhack.plist.

 

✻ Tweak.xm
This is where the code is written. The file already has an example written for you. Since it is commented out, feel free to keep it there for reference - it will not affect your code.

The way MS hook hacks are made is by calling both a header and a method, and altering them. I recommend using Flex to find headers and methods. It’s by far the most convenient program to use, considering you can search all headers at once and you don’t need to crack the app. If you prefer a command-line program, use class dump. If you notice a lack of unique headers/methods, the app is sub_X. MS hooking will not work with this app and you’ll either need to use symbol hooking or code injection.

Here are some examples on how to return each method type:

int, double, and long long

-(int)coins {
return 999999;
}
/* doubles and long longs are returned the same way, just replace (int) with (double) or (long long).
The return value must be an integer - no decimals */

float

-(float)coins {
return 999.9f;
}

bool

-(bool)hasCoins {
return TRUE;
}
/* must be true/false value. Can also be written as yes/no */

id

-(id)coins {
return [NSNumber numberWithInteger:999999];
}
/* id’s can be anything - a number, bool, string, etc. You have to call the correct NSClass to hack it correctly.
These are very rare - I myself have never had to hack one */

void

-(void)showCoins {
}
/* This is a nulled method. Standalone-voids cannot be returned */

void with argument

-(void)setCoins:(int)argument {
argument = 999999;
}
-(void)setHasCoins:(bool)argument {
argument = TRUE;
}
-(void)setCoins:(id)argument {
argument = [NSNumber numberWithInteger:999999];
}
/* “argument” can be named anything. This is similar to returning non-void counterparts,
except you name the argument and remove “return” */

 

✻ Adding UI Popup
This is really handy against leechers. Adding a popup is relatively simple, and requires changes to both the Makefile and Tweak.xm. First, use Flex (or class dump) to find method -(void)applicationDidBecomeActive:(id). It's usually in a header file called AppDelegate. Now add this to your Tweak.xm (remember to edit the header accordingly):

 

%hook AppDelegate
-(void)applicationDidBecomeActive:(id)argument {
UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"This is the Title" message:@"This is the Message" delegate:nil cancelButtonTitle:@"This is the Button Text" otherButtonTitles:nil];
[alert show];
[alert release];
}
%end
/* Sometimes attaching the popup to this method results in a crash.
You can attach the popup to any void you want,
but attaching it to the launch method is the most convenient for both you and the user */

If you were to compile myhack now, the compiler would not understand what UIAlertView is and would return an error. To fix this, import the UIKit framework in your Makefile. Add this line below the myhack_FILES line:

myhack_FRAMEWORKS = UIKit

You can now compile.

 

✻ Compiling
In MobileTerminal, cd to your project folder. Then, type any of these commands:

make
/* Makes the .dylib */

make package
/* Makes a .deb for easy install */

make package install
/* Makes a .deb and installs it for you */

The .dylib will appear in /myhack/obj. The .deb will appear in /myhack and install to /Library/MobileSubstrate/DynamicLibraries.
 
Extra info by @castix (post😞

So because this tutorials is already awesome (big shoutout to evilg00d there) I will just add some notes
 
As he already mentioned in the main topic here, you can't override void but you can NULL them = disable them

- (void)enemiesShoots {    //This is the method that calls your opponents to shoot so if we disable this, they can't anymore
}

if you want to add this in a patcher, you can simply write it like this

- (void)enemyShoots {                              //Easy isn't it ?
   if(GetPrefBool(@"kEnemyShooting")) {
   return; 
   }
   return %orig;
   }

Moving on there are some more value classes, which can be modified

- (long long)Coins {    //This can obviously be treated like int
return 2222;
}

- (double)Coins {     //You can also see here that it can be overwritten really easy
return 2222;
}

Those are just a few more function methods , so if you find something like them in FLEX/Headers/Binaries you know what do do.

 

Step-by-step tutorial on how to make a Preference Bundle (Patcher with on/off settings) here: http://iosgods.com/topic/444-tutorial-how-to-make-a-preference-bundle/

[Rook 524.1k iPad Pro (2nd gen) 17.4 Donor]

Very helpful!

 

Thanks for posting!

 

Pinned.

[EvillyG00d 242 30]

Very helpful!

 

Thanks for posting!

 

Pinned.

No problem, DiDA. Happy to help.

[Rook 524.1k iPad Pro (2nd gen) 17.4 Donor]

No problem, DiDA. Happy to help.

Thanks EG!

[Guest]

Good job! But you didn't include further info on how to have UI Alerts and stuff

[EvillyG00d 242 30]

Good job! But you didn't include further info on how to have UI Alerts and stuff

Whoops - forgot about that.

 

Added, thank you.

[Guest]

Whoops - forgot about that.Added, thank you.

Np

Updated July 22, 2014 by Guest

[K3NNNY 7.3k iPhone 7 Plus 11.2.1]

It really good one it more understanding

[K3NNNY 7.3k iPhone 7 Plus 11.2.1]

Thanks For the UI pop up

[AnotherLurker 1.5k]

just wanna point out, that for some people you need to add 

 

#import <UIKit/UIKit.h>

and not just the makefile