TuT [Tutorial] How to Perform a Binary Patch / How to Thin your Binary

[Guest]

No hidden content so the user can just see it, do it, and use the hack. If lipoARM64 won't work, here is how to manually do a binary patch:


Instructions:
1. Get 'Darwin CC Tools' (version 855) from the BigBoss repo, 'Clutch2' from cydia.iphonecake.com repo, and 'iOS Terminal' from the BigBoss repo.

2. - VERY IMPORTANT: The iOS 9 jailbreak breaks many command line tools and now they must be signed manually with ldid in order for them to work. Because of this, lipo must be signed or else you'll get the infamous "Killed: 9" error. To resign lipo, follow these steps:

1. Navigate to /usr/bin/ in iFile.

2. Find a file named "lipo" and copy it into /var/mobile/.

3. Open iOS Terminal and run these commands:

su
alpine
cd /var/mobile
ldid -s lipo

4. Now we have to set permissions to the newly signed lipo file. Set them as shown here:
Owner: root
Group: wheel

User: Read, Write, Execute
Group: Read, Execute
World: Read, Execute

5. Hit "Done" after setting permissions and copy the new lipo into /usr/bin/ and overwrite the old one.

6. You are done signing lipo!

3. Go into iOS Terminal, switch to root, and run Clutch (enter each command per line).

su
alpine
Clutch2

If I were to crack Netflix I would do this:

  Reveal hidden contents

Then crack the app and go to /var/mobile/Documents/Cracked (or wherever you set your cracked apps location when configuring Clutch). There should be a new .ipa file there. Rename the .ipa extension to .zip then simply open it with WinRar/7-Zip on your PC or iFile/Filza on your iDevice.

  Reveal hidden contents

4. Locate the binary inside the .ipa archive: /Payload/App Name.app/Binary Name (Binary file has no extension)

  Reveal hidden contents

5. Now extract the binary and send it to /var/mobile on your iDevice and rename it to "1" (to make it easier).

  Reveal hidden contents

6. Switch back to iOS Terminal and then type in this command:

cd /var/mobile
lipo 1 -thin armv7 -o BinaryNameFromIPAHere

Here is what it would look like with Netflix:

  Reveal hidden contents

7. Take the binary that lipo created (in /var/mobile, it will be smaller than the original binary by around half) and send it to the location where your game's folder is:

iOS 6 & 7: /var/mobile/Applications/AppName/AppName.app

iOS 8 & 9: /var/mobile/Containers/Bundle/Application/AppName/AppName.app

8. Now we will need to set permissions to the binary file inside the app's folder:

Owner: mobile
Group: mobile

User: Read, Write, Execute
Group: Read, Write, Execute
World: Read, Write, Execute

  Reveal hidden contents

Do that or your game will crash.

9. Now you can celebrate because you just did a binary patch.

Updated August 1, 2016 by Guest
Added Clutch2 instead of Clutch

[Raggnar 8.5k 12 9.3.3]

Awesome!

Thanks

[Rook 545.6k iPad Pro (2nd gen) 17.4 Donor]

For Blitz Brigade?

[Diversityy 32k iPhone 7 Plus 10.2]

[Guest]

  On 6/18/2015 at 4:11 PM, DiDA said:

For Blitz Brigade?

yeah, so much drama

[cu_rry 10.7k iPhone 7 Plus 11.2]

Does this do anything?

[Guest]

  On 6/18/2015 at 4:26 PM, Stephen Curry said:

Does this do anything?

For me:

1. It takes off the arm64 portion of the binary cos its useless to me

2. It makes it so that I can patch syscall (debugging protection) successfully

3. It makes it so that I can remove ASLR (address space layout randomization, basically makes it so that the original offset is hidden)

4. It makes it so that I'm able to set watchpoints and so that there are no 64 bit memory addresses

5. It makes it so that I can attach GDB to the app successfully (for breakpoints)

6. It makes it so that LLDB won't flip out when I try to attach

7. It makes it so that I don't have to patch the arm64 part as well as the armv7 part

8. Smaller binary size = less time to load in IDA

 

For you:

1. It makes the hack work

 

[ipaarchive.com 11.1k]

  On 6/18/2015 at 4:33 PM, shmoo said:

For me:

1. It takes off the arm64 portion of the binary cos its useless to me

2. It makes it so that I can patch syscall (debugging protection) successfully

3. It makes it so that I can remove ASLR (address space layout randomization, basically makes it so that the original offset is hidden)

4. It makes it so that I'm able to set watchpoints and so that there are no 64 bit memory addresses

5. It makes it so that I can attach GDB to the app successfully (for breakpoints)

6. It makes it so that LLDB won't flip out when I try to attach

7. It makes it so that I don't have to patch the arm64 part as well as the armv7 part

8. Smaller binary size = less time to load in IDA

 

For you:

1. It makes the hack work

 

so basically nothing useful

[Guest]

  On 6/18/2015 at 4:41 PM, iOSv64 said:

so basically nothing useful

you don't patch aslr?

[ipaarchive.com 11.1k]

  On 6/18/2015 at 4:43 PM, shmoo said:

you don't patch aslr?

no why?

show mem