TuT [Tutorial] How to Perform a Binary Patch / How to Thin your Binary

August 1, 2016

No hidden content so the user can just see it, do it, and use the hack. If lipoARM64 won't work, here is how to manually do a binary patch:

Instructions:
1. Get 'Darwin CC Tools' (version 855) from the BigBoss repo, 'Clutch2' from cydia.iphonecake.com repo, and 'iOS Terminal' from the BigBoss repo.

2. - VERY IMPORTANT: The iOS 9 jailbreak breaks many command line tools and now they must be signed manually with ldid in order for them to work. Because of this, lipo must be signed or else you'll get the infamous "Killed: 9" error. To resign lipo, follow these steps:

1. Navigate to /usr/bin/ in iFile.

2. Find a file named "lipo" and copy it into /var/mobile/.

3. Open iOS Terminal and run these commands:

su
alpine
cd /var/mobile
ldid -s lipo

4. Now we have to set permissions to the newly signed lipo file. Set them as shown here:
Owner: root
Group: wheel

User: Read, Write, Execute
Group: Read, Execute
World: Read, Execute

5. Hit "Done" after setting permissions and copy the new lipo into /usr/bin/ and overwrite the old one.

6. You are done signing lipo!

3. Go into iOS Terminal, switch to root, and run Clutch (enter each command per line).

su
alpine
Clutch2

If I were to crack Netflix I would do this:

Then crack the app and go to /var/mobile/Documents/Cracked (or wherever you set your cracked apps location when configuring Clutch). There should be a new .ipa file there. Rename the .ipa extension to .zip then simply open it with WinRar/7-Zip on your PC or iFile/Filza on your iDevice.

4. Locate the binary inside the .ipa archive: /Payload/App Name.app/Binary Name (Binary file has no extension)

5. Now extract the binary and send it to /var/mobile on your iDevice and rename it to "1" (to make it easier).

6. Switch back to iOS Terminal and then type in this command:

cd /var/mobile
lipo 1 -thin armv7 -o BinaryNameFromIPAHere

Here is what it would look like with Netflix:

7. Take the binary that lipo created (in /var/mobile, it will be smaller than the original binary by around half) and send it to the location where your game's folder is:

iOS 6 & 7: /var/mobile/Applications/AppName/AppName.app

iOS 8 & 9: /var/mobile/Containers/Bundle/Application/AppName/AppName.app

8. Now we will need to set permissions to the binary file inside the app's folder:

Owner: mobile
Group: mobile

User: Read, Write, Execute
Group: Read, Write, Execute
World: Read, Write, Execute

Do that or your game will crash.

9. Now you can celebrate because you just did a binary patch.

Updated August 1, 2016 by Guest
Added Clutch2 instead of Clutch

Raggnar · June 18, 2015

Awesome!

Thanks

Rook · June 18, 2015

For Blitz Brigade?

Diversityy · June 18, 2015

June 18, 2015

For Blitz Brigade?

yeah, so much drama

cu_rry · June 18, 2015

Does this do anything?

June 18, 2015

Does this do anything?

For me:

1. It takes off the arm64 portion of the binary cos its useless to me

2. It makes it so that I can patch syscall (debugging protection) successfully

3. It makes it so that I can remove ASLR (address space layout randomization, basically makes it so that the original offset is hidden)

4. It makes it so that I'm able to set watchpoints and so that there are no 64 bit memory addresses

5. It makes it so that I can attach GDB to the app successfully (for breakpoints)

6. It makes it so that LLDB won't flip out when I try to attach

7. It makes it so that I don't have to patch the arm64 part as well as the armv7 part

8. Smaller binary size = less time to load in IDA

For you:

1. It makes the hack work

ipaarchive.com · June 18, 2015

For me:

1. It takes off the arm64 portion of the binary cos its useless to me

2. It makes it so that I can patch syscall (debugging protection) successfully

3. It makes it so that I can remove ASLR (address space layout randomization, basically makes it so that the original offset is hidden)

4. It makes it so that I'm able to set watchpoints and so that there are no 64 bit memory addresses

5. It makes it so that I can attach GDB to the app successfully (for breakpoints)

6. It makes it so that LLDB won't flip out when I try to attach

7. It makes it so that I don't have to patch the arm64 part as well as the armv7 part

8. Smaller binary size = less time to load in IDA

For you:

1. It makes the hack work