Tutorial [iOS] Creating an easy iOS hack, full process. From cracking to hacking

Sebby Seb

Member
Hello, I'll show you today how you can easily create a .ipa hack. An ipa is an iOS Application Archive, an app.

Requirements:
ASM/ARM knowledge (we are moving in an AArch64 environment)
Notepad++ (for viewing the dump; download it here). If you don't want to click that link, you can get it from the official site https://notepad-plus-plus.org/download/v7.6.6.html
Il2CppDumper by Perfare (iOS doesn't support Mono builds anymore, so now everything is il2cpp; more about il2cpp here)
A jailbroken iOS device
Knowledge of how to crack an ipa (I will explain the cracking process here)


What we are going to do is hack Cat Cafe as a proof of concept.

Let's start:
Download the app from the App Store.
You will need a tweak called "CrackerXI+" from the iPhoneCake repo. It is a tool that will handle the decrypting process.
Go into the CrackerXI application and select the Cat Cafe application.

After you have selected and decrypted it, the cracked .ipa will be located in /User/Documents/CrackerXI/YourDecryptedApp

For this hacking method you do need a PC. So now we will exchange files; there are some ways of doing that: SSH into the device with MobaXterm and copy it to the desktop, or upload it to a file provider, e.g. Mega or iosddl. I'll just upload it to my Dropbox. I think you know how to upload a file.
Now download it to your PC (share it on Discord somewhere in a private room, log in on your PC and download it).

Now you have the file you need. We will be extracting the two important files. We will change the file extension from .ipa to .zip to access the files it contains.
We are interested in the binary, being the game logic; it most likely has the same name as the game itself and is about 30 MB - 50 MB big. Then we will look for the Metadata we need for running the dumper.
The binary is placed in /Payload/yourapp.app/yourbinary

and the Metadata is placed in /Payload/Yourapp.app/Data/Managed/Metadata/global-metadata.dat


Now we will use these files to dump. Get the dumper from GitHub: https://github.com/Perfare/Il2CppDumper
Let's dump.
After extracting the dumper, we will run Il2CppDumper.exe



It will ask you for the il2cpp binary file.



Then for the metadata.


When it asks you if the Unity version is greater than or equal to 2018.3, press 2.
There are 5 possible modes you can run the dump in now. The fourth method is the most popular one. If that gives you an error, you will need to dump manually using the first method. For finding the needed CodeRegistration (unk) and MetadataRegistration (dword), load the binary into IDA from https://www.hex-rays.com/products/ida/ and let it load for a bit, then look for initfunc_1. Usually unk and dword are placed right above it. If that is not the case, just scroll up and look for them.
In my case I did actually end up getting an error with the third method, so I will now go look for unk and dword.
My unk is: 10320139B
My dword is: 1028090F8
Now, after a successful dump, we will have a folder named DummyDll.
It contains DLLs, none of which are of interest to you.
Then there is a script.py you can load into IDA; it makes classes, methods etc. for you. As we are not hacking using IDA, it is not important for us either.
The thing we are interested in is the dump.cs file; you want to view it with Notepad++ to search more easily.
So when we view the dump.cs file in npp:


You will now want to search for useful functions, classes etc. I will be looking for free in-app purchases.
The keyword I will use is "purchase", so let's see if we get a hit on it.

Look, that is cool: we have found a function used for detecting if free purchases are enabled. Also there is the function:
public bool get_DevMenuEnabled(); // RVA: 0x10174E0E0 Offset: 0x174E0E0
We can use it to enable a developer menu, sweet.
Now, well, you have those methods, yes, but how do you actually hack it? For that you will need the Offsets placed behind the functions; they show us where in the binary the methods are placed.
So let's open a hex editor and jump to those addresses:
0x174E0E0 for devmenu and
0x174E100 for freepurchases
OK.
I'll be using the HxD hex editor; you can use a hex editor of your choice here.


At our first address we will see a line; copy the full line of machine code:
08 84 40 39 A8 00 00 34 08 88 40 39 1F 01 00 71
Now we will go to an online hex-to-ARM disassembler and disassemble the line of code.
I'll use the shell-storm disassembler:
http://shell-storm.org/online/Online-Assembler-and-Disassembler/
The output of the code is:

0x0000000000000000: 08 84 40 39 ldrb w8, [x0, #0x21]
0x0000000000000004: A8 00 00 34 cbz w8, #0x18
0x0000000000000008: 08 8C 40 39 ldrb w8, [x0, #0x23]
0x000000000000000c: 1F 01 00 71 cmp w8, #0
Now, the first line tells the machine to load the value at offset #0x21 from whatever is loaded into x0 into the w8 register. Now let's try to set the 0x21 to 1, which means true, and see if it affects our game to give us free purchases.
Let's assemble the new line, LDRB w8, [x0, #1]

This is the output of the assembly; now we will replace the current machine code with our new one.
08 04 40 39
Go to HxD and change the line!
Replaced hex.
Now let's activate a developer menu.


Whole process again:
Go to the address 174E0E0

Copy the full machine code and disassemble:
Machine code:
08 84 40 39 A8 00 00 34 08 88 40 39 1F 01 00 71
Disassembled:
0x0000000000000000: 08 84 40 39 ldrb w8, [x0, #0x21]
0x0000000000000004: A8 00 00 34 cbz w8, #0x18
0x0000000000000008: 08 88 40 39 ldrb w8, [x0, #0x22]
0x000000000000000c: 1F 01 00 71 cmp w8, #0
Let's do the same: replace the code with the new hacked one.
Now I will save the binary and replace the current one with the new one


in /Payload/catcafe.app/

Now change the file extension to .ipa and sideload it using Cydia Impactor.

I hope you know the process already; for those who don't, here is a tutorial video.
 
Last edited:
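Added here as an illustration (not code from the post, from Il2CppDumper or from shell-storm): a small decoder for the three AArch64 encodings that appear in the disassembly above (LDRB with unsigned immediate, CBZ/CBNZ, and SUBS-immediate, whose Rd=31 form is the CMP alias), run over the 16 bytes quoted from the hex editor, so you can see which bit field each number printed by the online disassembler comes from.

```python
"""Decode the AArch64 instruction words quoted in the post above."""
import struct

# Constructed input: the 16 bytes copied from the hex editor in the post.
SAMPLE = bytes.fromhex("08844039" "A8000034" "08884039" "1F010071")


def _imm(v):
    return "#0" if v == 0 else f"#{v:#x}"


def decode(word, pc=0):
    """Return a mnemonic for one 32-bit instruction word, or None if it is
    not one of the three encodings handled here (pc = address of the word)."""
    rt, rn = word & 0x1F, (word >> 5) & 0x1F
    # LDRB (immediate, unsigned offset): 00 111 0 01 01 imm12 Rn Rt
    if word & 0xFFC00000 == 0x39400000:
        imm12 = (word >> 10) & 0xFFF            # byte offset, unscaled for LDRB
        return f"ldrb w{rt}, [x{rn}, {_imm(imm12)}]"
    # CBZ/CBNZ: sf 011010 op imm19 Rt, imm19 is a signed offset in words
    if word & 0x7E000000 == 0x34000000:
        imm19 = (word >> 5) & 0x7FFFF
        if imm19 & 0x40000:                     # sign-extend 19-bit field
            imm19 -= 0x80000
        reg = ("x" if word >> 31 else "w") + str(rt)
        mnem = "cbnz" if (word >> 24) & 1 else "cbz"
        return f"{mnem} {reg}, {_imm(pc + imm19 * 4)}"
    # SUBS (immediate): sf 1 1 100010 sh imm12 Rn Rd; Rd == 31 (zero reg) is CMP
    if word & 0x7F800000 == 0x71000000:
        imm12 = (word >> 10) & 0xFFF
        if (word >> 22) & 1:                    # sh=1 means imm12 << 12
            imm12 <<= 12
        w = "x" if word >> 31 else "w"
        if rt == 31:
            return f"cmp {w}{rn}, {_imm(imm12)}"
        return f"subs {w}{rt}, {w}{rn}, {_imm(imm12)}"
    return None


def disassemble(code, base=0):
    """Decode consecutive little-endian words; unknown ones are shown as .word."""
    out = []
    for off in range(0, len(code) - len(code) % 4, 4):
        (word,) = struct.unpack_from("<I", code, off)
        out.append((base + off, decode(word, base + off) or f".word {word:#010x}"))
    return out


if __name__ == "__main__":
    for addr, text in disassemble(SAMPLE):
        print(f"{addr:#06x}: {text}")
```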
Good job.
 

Sebby Seb

Member
You can make an Android mod this way too; practically everything is the same as on iOS.
Yes, but Android has other ways of signing & installing.
 