Jump to content
Search In
  • More options...
Find results that contain...
Find results in...


  • Content Count

  • Joined

  • Last visited

  • Days Won


Everything posted by Killerdon

  1. Hi guys, so what i will be doing is coming out with some tutorials on hacking in my free time just something to give back to the community, as I was in this situation once when I was struggling to learn how to hack back in icheats. Without further delay, here is one of many series of tutorials... Things needed: -IDA PRO (I am using IDA PRO v. 6.4 demo) -Hex Editor (HxD in my case) -Tap Tap Revenge Tour Premium v. 2.0 -Some basic knowledge on ASM/ARM Now, once all the items are possessed we shall begin our hacking endeavor... [hide]First load up the binary into IDA PRO by simply dragging and dropping the binary into the IDA PRO icon Next, choose ARM as the processor type for the binary. Click OK and when prompted as to whether or not you want to change it, click OK as well When the binary is finished loading (in the bottom left, there will be a text saying idle), we can now begin hacking our game The functions window stores all of the game's functions, such as score, health, etc. In our case, we want to try and hack score, so let us search score by hitting ctrl+f within the functions window to search through the functions Now that we have found the functions that contain the string score, we must now find the correct function for our actual game score. Scroll down until you see the function -[TTScore setScore:] and double click on it Now comes the tricky/hard part, we must interpret the code. This is where ASM and ARM are needed for hacking in IDA PRO. For a rough overview, ASM deals with commands such as SUBS, LDR, STR, etc. whereas ARM deals mostly with registers such as R1, R2, R3, etc. In this case we can interpret the code as follows: MOV R1, #(_OBJC_IVAR_$_TTScore._score - 0x52588) ; int _score;<---Score function is loaded ADD R1, PC ; int _score; LDR R1, [R1] ; int _score;<---our score that we have is loaded into R1 STR R2, [R0,R1]<---the new score is stored into the R2 register BX LR<---ends the score function What we have here is a generic way of storing certain information, such as setCash, setAmmo, etc. In this case, since our score is stored (STR) in R2, we can make ourselves have a higher score simply by changing the register R2 to a register holding a higher value, in most cases R7. Highlight the STR R2, [R0,R1] function and then click on Hex-View A Once we land in the hex view, we can see the hex value of the function STR R2, [R0.R1] which is 42 50. To change the score so we have a maximum value, all we have to do is change the function to a STR R7, [R0,R1] which has a hex value of 47 52. We can not do this in IDA, but that is where our hex editor comes in handy. Note the hex address in the bottom left of the screen. Now drag and drop the binary file into your hex editor. Remember the hex address we were supposed to keep note of? Now it is needed. In the hex editor, go to the hex address you kept note of. In HxD, you would go to Search->Goto and then paste the file offset Now we land in our function, the same one in IDA PRO. Now to hack the game, all we have to do is change 42 50 into 47 50 for maximum score. Save the file, place it in the TapTapTourPaid.app folder and there you go. Hope you have enjoyed this simple tutorial, I will try and produce more tutorials in the future so be on the lookout. [/hide] Credits: STERLING ARCHER
  2. I`m not very familiar with mshook since i mostly use code inject but in a few cases it can come handy.What we do here is hooking into a class in objective-c classes and overwrite it with our code.I have released some tweaks for apps (not games) using mshook to unlock paid content, make things free, etc... but you can also hack games with it (very rarely in my opinion or i just didn`t look good enough :P) and make unlimited money for example or even 1 hit kill. Basically anything that is stored in classes instead of binary.[hide] [hide]First we need to dump the classes, i prefer FLEX 3 (i`ll post tutorial later). Find a class we can hook into. (I`ll come up with some random class names, don`t take it as reference)Found one called "PlayerData" Relevant methods i found in PlayerData:-(int) Gold-(long long) Gem-(double) ATK-(float) DEF-(id) HP-(bool) isCooldown-(void) AtkSpeed-(void) WalkSpeed:(int)Alright, lets make our code. Create a project in THEOS. ($THEOS/bin/nic.pl - in case you didnt remember) Start with hooking into the class: PlayerData, open up tweak.xm, delete everything. %hook PlayerData -(int)Gold{ return 133337; } -(long long) Gem{ return 133337; } -(double) ATK{ return 133337; } // as you can see those three returned the same way, return value as integer. -(float) DEF { return 133337.7f; } // floating value need to end .nf -(id) HP { return [NSNumber numberWithInteger:133337]; } //id can be whatever you want. You can return a value, boolean even a string. Very important to call the correct NSClass to hack it correctly. -(bool) isCooldown { return FALSE; } // simple boolean logic, return TRUE or FALSE -(void) AtkSpeed{ //voids without arguments can`t be edited -(void) WalkSpeed:(int)arg1 { arg1 = 133337; } //Voids with arguments can be hacked. You need to name the argument for w/e you want and add a value to it. You can also return id and bool. -(void)isCooldown:(bool)arg2 { arg2 = FALSE; } -(void)HP:(id)arg3 { arg3 = [NSNumber numberWithInteger:133337]; } Thats pretty much it. Compile the tweak and we are done.[/hide] [/hide]Credits:Killerdon(Infinite Hacks)
  3. REQUIREMENTS:Windows OSCygwin Make sure to have Cygwin installed with the following packages (if you are unsure, reinstall it): [hide] [hide] wget (Web) git (Devel) ca-certificates (Net) make (Devel) perl (Perl) openssh (Net) python (Python) curl (Net) Open up Cygwin.Enter the following commands 1 by 1: git clone --recursive https://www.github.com/theos/theos.git && mkdir -p theos/toolchains/windows git clone -b x86_64 https://www.github.c...olchain4Win.git theos/toolchains/iphone mkdir -p theos/sdks curl -k -L 'https://sdks.website...OS9.2.sdk.tbz2'| tar -x -j -v -C theos/sdks/ When it`s done, open up C:\cygwin(64)/home/yourpcname/.bash_profile and paste these 2 lines at the bottom: export THEOS=/home/*/theos/ export THEOS_MAKE_PATH=/home/*/theos/makefiles/ Thats pretty much it. If it`s not clear enough, visit Coolstar`s site and read his more detailed tutorial.https://coolstar.org/theos.pdf To be able to work smoothly between Cygwin and your iOS device (don`t need to enter password all the time) do the following:Type in Cygwin sh-keygen -t rsa Just press enter all the way through, dont type anything.Then run this: cat ~/.ssh/id_rsa.pub | ssh root@ "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys" Replace the ip with your own and done. For "make package install" command to work add the following line at the top of your makefile: THEOS_DEVICE_IP =[/hide] [/hide]Credits:Killerdon(Infinite Hacks)
  4. Why do I need this" You may ask. The answer is: Binaries are encrypted on iOS, so in order to have full access to them (and hack them) you need to crack it. Rasticrac does this for us with ease. There are other cracking tools as well, I`m gonna stick with this one, it works flawlessly on my device (iOS 8.4). What you need: - Jailbroken iOS device - MobileTerminal or iOS Terminal from BigBoss repo - Rasticrac - I use 3.2.9 from Appcake repo - Game you want to crack. [hide] How you do it: First get a game you want to crack from iTunes. I`m gonna crack KKH. Open up terminal and log in with superuser (default log in - Username: su Password: alpine) and type Quote CODE: SELECT ALL Rasticrack -m You will get your installed app`s binary names listed. I`m cracking Kim Kardashian Hollywood so i type in "d" and press return. After you press return, just wait until the process finishes. DONE. When its done, just connect your iOS Device to your pc, use any tools (iTools, iFunbox, or WinSCP for in case you SSH) and pull the IPA from /var/root/Documents/Cracked/ and save it to your PC. I use 7-Zip to open it - go into Payload/Kardashian.app and look for the binary file which in my case Kardashian. [/hide] Congratz, you cracked your first iOS app and found the Binary you looked for. Credits: Killerdon(Infinite HAck)
  5. [hide] 1) Open cydia and add this repo: "http://coolstar.org/publicrepo" 2) Tap on search and install this packages: "BigBoss Recommended Tools" "Perl" "iOS ToolChains" "MTerminal" "iFile" 3) Open MTerminal and type "su" than your password (default is alpine") 4) Now type in "installtheos3" and hit return (It will take a while, it depends also by your connection so don't worry) 5) Once in done close MTerminal and open iFile. Navigate to /var and you will see a new folder called "theos" 6) Now navigate to /usr/local/bin and search for a file called "perl5.22.0" 7) Tap on edit, select "perl5.22.0" and copy/link that file 8) Now go to /usr/bin tap edit and than tap on Create Link (Don't paste it!!!!) 9) Serach for the file that you have linked and raname it to "perl" 10) Now we need to fix theos for 64-bit devices so go to "/var/theos/bin" 11) Open the file "bootstrap.sh" and look for this line " if [[ "$(uname -s)" == "Darwin" && "$(uname -p)" != "arm" ]] " and add 64 where you see "arm" 12) The result is this " if [[ "$(uname -s)" == "Darwin" && "$(uname -p)" != "arm64" ]] " 13) Save the file and go to "/var/theos/makefile/targets" 14) Tap the blue info button for the folder "Darwin-arm" and rename in "Darwin-arm64" and save it 15) Navigate to "/var/theos/makefiles/platform" and rename the single file inside that folder in "Darwin-arm64" 16) Now we need to download the sdks. Open safari and go to this website "https://sdks.website " and download the iOS 9.3.3 sdks. 17) Once has been downloaded tap in "Open in iFile" and copy the zip file and extract the content in a new folder that you will create in the next step 18) Go to /var/theos and create a new folder called "sdks". Open that folder and paste the zip file and extract it 19) Now open MTermin and login again with the su mode 19) Type in cd /usr/bin and hit return 20) Now type this " ldid -s clang" and click return. After that type "ldid -s clang++" and click return 21) Now type cd /var/mobile and click return 22) And finally we can run theos's menu. Type in "/var/theos/bin/nic.pl" and click return 23) And here we go the menu will appear! [/hide] Credits:Killerdon(Infinite Hacker)
  6. Target game: Zombie Anarchy - https://itunes.apple.com/us/app/zombie- ... 01472?mt=8 [hide] Keyword 1: Cheat Keyword 2: Infinite Keyword 1: Search for cheat in your stringwindow, you see a string mc_cheatsbutton xref it and take a look at the function. Noping the conditional branch will force load the button, also we can enable 2 more buttons here. Start the game and a new cheat button appeared. Now we need the menu bit added back. Take a look at the function. Right under the "onclicked" string. Code (Text): CODE: SELECT ALL ADR X3, sub_1000C8D1C Take the subroutine and you see it unconditionally branches at the end, so follow the route. Take a look at some branches. One leads to this. From here on it should be pretty straight forward what to do. Go back to the previous subroutine and nop out the first two conditional branch forcing the menu to load. You might have to enable battle menu button and the menu bit, inside the debug menu, should be obvious what to do, but here is some hint. [/hide] Credits:Sterling Archer
  7. every device dont have same rom so you need to specify the devices in which this rom works
  • Create New...