[Tutorial] Intro To MS Hacking

Requirements:
- iOS 7+
- Flex 2 (Get from BigBoss)
- Developer mode in Cydia (In Cydia, go to Sources, Settings and change User/Hacker to Developer)

Table of Contents:
1.Required packages
2.Flex 2
3.Rasticrac
4.Class dump
5.Explanation of the Different Kinds of Functions
6.Grep -i
7.Testing Your Tweak
8.Making Your Tweak
9.Compiling Your Tweak
10.Credit Popups

1.Required Packages:
 
A. BigBoss Recommended Tools
Install BigBoss Recommended Tools from the BigBoss Repo. Be patient, it may take a while.

B. THEOS:
Go to Cydia, and install Darwin CC Tools from the BigBoss repo, then install iOS Toolchain.

C. MobileTerminal:
You can install MobileTerminal for free from the BigBoss repo. It is currently compatible with iOS 3.2+, iOS 4, iOS 5, and iOS 6. For iOS 7, Install MobileTerminal from this repo:

http://repo.insanelyi.com/

(Note that the iOS 7 Terminal does NOT support landscape mode, and to scroll you have to use the scroll bar on the far right.)
Now that you have MobileTerminal, open it and type:

su
alpine
cd /var && git clone git://github.com/coolstar/theos.git

(alpine is the default root password on every jailbroken device. If you also run OpenSSH, change it with passwd, otherwise anyone on the same network can log in as root. Note too that git:// is an unauthenticated transport, so nothing verifies that the clone was not tampered with in transit.)

Theos is now installed in /var/theos; that directory is what $THEOS refers to below.
D. iFile:
You can get iFile from the BigBoss repo for $4.00. It currently supports all iOS versions.
E. SDK:
Install the iOS 7 SDK from this site:
http://iphone.howett.net/sdks/

When the download is finished, create a new folder in the theos folder called "sdks".
Extract the SDK from the archive you downloaded and move the .sdk folder into the "sdks" folder on the device. (Make sure the .sdk folder does not contain a sub-folder of the same name, or it will not work.)
Finally, install Perl from coolstar's repo (see F below). This is a newer Perl build, so you don't need the binary patch described further down to make it work on A6 and A7 devices. That's it: you are now ready to start making tweaks.
A7 devices have to perform a fix here:

Go to /var/theos/makefiles/targets and rename the 'Darwin-arm' Folder to 'Darwin-arm64'
Go to /var/theos/makefiles/platform and rename 'Darwin-arm.mk' to 'Darwin-arm64.mk'
Now the build starts, but linking still fails, because ld64 rejects the architecture flag that the renamed target still passes:

Making all for tweak Tweak64...
Preprocessing Tweak.xm...
Compiling Tweak.xm...
Linking tweak Tweak64...
ld: unknown/unsupported architecture name for: -arch arm    <- the linker error



Fix:

Open /var/theos/bin/bootstrap.sh (with nano or another text editor) and search for this line:

if [[ "$(uname -s)" == "Darwin" && "$(uname -p)" != "arm" ]]; then

Change "$(uname -p)" != "arm" to "$(uname -p)" != "arm64"; in other words, 'arm' becomes 'arm64' once more.
That should be all for now.

NOTE: If a tool dies with "Illegal instruction: 4" (signal 4, SIGILL), the binary contains ARM load instructions that A6 and A7 cores refuse to execute: a post-indexed load whose base and destination register are the same (ldr r3, [r3], #0 and ldrb r3, [r3], #0), which the ARM architecture manual marks UNPREDICTABLE. The sed below rewrites those two encodings to their pre-indexed equivalents (ldr r3, [r3] and ldrb r3, [r3]), which do the same thing and are valid everywhere:

(only do this if you actually get an Illegal instruction: 4 error)

sed -i 's/\x00\x30\x93\xe4/\x00\x30\x93\xe5/g;s/\x00\x30\xd3\xe4/\x00\x30\xd3\xe5/g;' FILE_WHICH_CAUSES_THE_ERROR

Patching the file invalidates its code signature, so re-sign it afterwards with ldid -s, as the perl/rsync fix in the nic.pl step later in this tutorial does.

If you do not know where the file is, install 'find utilities', run 'updatedb' as root and then 'locate FILE_NAME'.

That shows you the path; run the 'sed' command above on it to fix the Illegal instruction: 4 error.
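The sed one-liner is an instruction rewrite, not a text edit, and it is worth seeing what it actually matches. The following is an added example (my code, not part of the tutorial) that does the same fix as a small C program: it decodes each 32-bit word, recognises a post-indexed LDR/LDRB whose base and destination register coincide with a zero offset, and flips the P bit so the load becomes pre-indexed with no write-back. Unlike the tutorial's pattern, which is fixed to r3 and the "always" condition code, this version handles any register and condition; that generalisation is mine. The program name ldrfix and the function names are assumptions. Like the sed, it scans the whole file at a 4-byte stride, so on a Mach-O it can in principle hit a data word that merely looks like code; restricting the scan to the __text section is the more careful approach, and the re-sign with ldid -s is still required afterwards.

```c
/* ldrfix.c: rewrite UNPREDICTABLE "ldr/ldrb Rt, [Rn], #0" (Rt == Rn) into
 * "ldr/ldrb Rt, [Rn]". Build: cc -std=c99 -o ldrfix ldrfix.c
 * Use: ./ldrfix /usr/bin/perl && ldid -s /usr/bin/perl */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

static uint32_t rd32(const uint8_t *p) {            /* little-endian load */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t w) {          /* little-endian store */
    p[0] = (uint8_t)w;         p[1] = (uint8_t)(w >> 8);
    p[2] = (uint8_t)(w >> 16); p[3] = (uint8_t)(w >> 24);
}

/* True if w is LDR/LDRB <Rt>, [<Rn>], #0 (A32 immediate form, post-indexed)
 * with Rt == Rn. Post-indexed implies write-back, and write-back to the
 * register being loaded is UNPREDICTABLE. Field layout:
 * cond[31:28] 010[27:25] P[24] U[23] B[22] W[21] L[20] Rn[19:16] Rt[15:12] imm12[11:0] */
int is_unpredictable_ldr(uint32_t w) {
    if ((w >> 28) == 0xFu) return 0;               /* 0xF is the unconditional space, a different class */
    if (((w >> 25) & 0x7u) != 0x2u) return 0;      /* load/store with immediate offset */
    if ((w >> 24) & 1u) return 0;                  /* P must be 0: post-indexed */
    if ((w >> 21) & 1u) return 0;                  /* W must be 0 (W=1 here would be LDRT/LDRBT) */
    if (!((w >> 20) & 1u)) return 0;               /* L must be 1: a load, not a store */
    if ((w & 0xFFFu) != 0) return 0;               /* offset 0, so the rewrite is semantically exact */
    return ((w >> 16) & 0xFu) == ((w >> 12) & 0xFu);   /* Rn == Rt */
}

/* Rewrite every matching word to the pre-indexed form (set P=1, keep the rest),
 * i.e. load from [Rn] with no write-back. Returns the number of words patched. */
size_t patch_unpredictable_ldr(uint8_t *buf, size_t len) {
    size_t patched = 0;
    for (size_t off = 0; off + 4 <= len; off += 4) {
        uint32_t w = rd32(buf + off);
        if (is_unpredictable_ldr(w)) {
            wr32(buf + off, w | (1u << 24));
            patched++;
        }
    }
    return patched;
}

/* Constructed sample, not taken from a real binary: the two encodings the sed
 * pattern matches, one already-fixed word, one with a non-zero offset, and one
 * using r5. Returns the patch count so the logic can be checked without a file. */
size_t selftest(void) {
    uint8_t sample[] = {
        0x00, 0x30, 0x93, 0xe4,   /* ldr  r3, [r3], #0  -> patched */
        0x00, 0x30, 0xd3, 0xe4,   /* ldrb r3, [r3], #0  -> patched */
        0x00, 0x30, 0x93, 0xe5,   /* ldr  r3, [r3]      -> already fine */
        0x04, 0x30, 0x93, 0xe4,   /* ldr  r3, [r3], #4  -> left alone (no exact rewrite) */
        0x00, 0x50, 0x95, 0xe4,   /* ldr  r5, [r5], #0  -> patched (beyond the sed pattern) */
    };
    size_t n = patch_unpredictable_ldr(sample, sizeof sample);
    if (rd32(sample) != 0xe5933000u) return (size_t)-1;   /* first word must now be ldr r3, [r3] */
    return n;
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s FILE\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "r+b");
    if (!f) { perror("fopen"); return 1; }
    fseek(f, 0, SEEK_END);
    long len = ftell(f);
    rewind(f);
    uint8_t *buf = malloc((size_t)len);
    if (!buf || fread(buf, 1, (size_t)len, f) != (size_t)len) { perror("read"); return 1; }
    size_t n = patch_unpredictable_ldr(buf, (size_t)len);
    rewind(f);
    if (fwrite(buf, 1, (size_t)len, f) != (size_t)len) { perror("write"); return 1; }
    fclose(f);
    free(buf);
    printf("patched %zu instruction(s); now re-sign: ldid -s %s\n", n, argv[1]);
    return 0;
}
```

The check for a zero offset is what keeps the rewrite exact: with imm12 = 0 the post-indexed and pre-indexed forms load from the same address and differ only in the (unpredictable) write-back, so the patched instruction is what the compiler meant. A non-zero offset has no equivalent single-instruction fix and is reported untouched.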

F. Perl:
Add this repo:

http://repo.coolstar.org/

and install Perl
You now have all the Mobile Substrate tool requirements to start hacking.
2.Flex 2:
Flex 2 lets you override a method's return value from a GUI without compiling anything, which makes it the quickest way to test whether a candidate method is really the one you want. It patches methods the same way a MobileSubstrate tweak does, and many experienced hackers use it to test their MS hacks before writing them up as a tweak. You can download Flex 2 from BigBoss.
3.Rasticrac:
App Store binaries are FairPlay-encrypted, so class-dump and grep see only ciphertext until the binary has been decrypted. Rasticrac decrypts the binary of a game or app so you can find the methods to hack. Normally Rasticrac gives you a cracked IPA, which you would have to reinstall (probably losing your game data), but thanks to t0r from the now-gone iapphacks.net we get just the decrypted binary. Download this file:

http://www.mediafire.com/view/9pvbjqzn674g6av/r30c5.sh

However, t0r's modified Rasticrac is "half-baked" on iOS 7, so to get the official Rasticrac, add this repo:

http://cydia.iphonecake.com/
(copy and paste)
3a. Cracking the Game:
After installing Rasticrac, go to MobileTerminal. The script is rc.sh for the official iOS 7 version, or rc308.sh for t0r's script. Type:

su
alpine
rc.sh (or rc308.sh for t0r's)

This prints a list of installed applications by executable name (CFBundleExecutable). Find your application; below it is referred to as appname. Then, in MobileTerminal:

su
alpine
rc.sh "appname" (the quotation marks are part of the command; t0r's script is rc308.sh)

This decrypts the application, and the result is stored in /var/root/Documents/Cracked/
3b. Installing the IPA:
Steps:
1. Install the Safari/Mail Fix (iOS 7 only).
2. Install the AppSync that matches your iOS version: AppSync for iOS 7 (iOS 7), AppSync for iOS 5&6 (iOS 5&6), AppSync for iOS 4.2 (iOS 4.2), AppSync for iOS 4.1 (iOS 4.1), AppSync for iOS 4.0 (iOS 4). AppSync is what makes installd accept an app that no longer carries Apple's signature.
3. Install AppCake (AppCake 4.2 or lower on older iOS versions).
4. Install IPA Installer from the BigBoss repo.
5. Open it, go to Settings, IPA Installer, and tick Force Installation.
6. Go back, go to /var/root/Documents/Cracked/ and install the IPA.

4.Class Dump:
You're now ready to hack your game. Thanks to HackJack, we now have an app that runs class-dump on an app for us instead of going through a longer process in MobileTerminal. class-dump reads the Objective-C metadata in the binary and writes one .h header per class, which is why the binary has to be decrypted first (the Rasticrac step above); on an encrypted binary you get nothing useful. To get the app, install this Deb file:

http://www.mediafire.com/download/ir7x1vye02zz8b2/ClassDumpApp.deb

In iFile, go to /var/mobile/Documents/ClassDumpApp.deb (wherever you saved it), tap the file, choose "Installer", and reboot.
4a.Creating The Tweak Project:
Go to iFile:
/var/mobile/Applications/ToBeHackedApp/ToBeHacked.app/Info.plist
Open it with Property List Viewer.
Find the CFBundleIdentifier (a reverse-DNS name such as com.company.game) and remember it: this is what the MobileSubstrate bundle filter below needs. (CFBundleExecutable, the name you used with Rasticrac, is a different value; the filter does not accept it.)

Open MobileTerminal, and type:

su
alpine
$THEOS/bin/nic.pl
5

Note: if you get an "Illegal Instruction: 4" error here, it is not a permissions problem, despite how it looks; it is the same unsupported-instruction problem described in section 1, this time in the perl and rsync binaries that nic.pl relies on. Patch both and re-sign them (copy and paste):

sed -i'' 's/\x00\x30\x93\xe4/\x00\x30\x93\xe5/g;s/\x00\x30\xd3\xe4/\x00\x30\xd3\xe5/g;' /usr/bin/perl
ldid -s /usr/bin/perl

sed -i'' 's/\x00\x30\x93\xe4/\x00\x30\x93\xe5/g;s/\x00\x30\xd3\xe4/\x00\x30\xd3\xe5/g;' /usr/bin/rsync
ldid -s /usr/bin/rsync

Then press return and continue from the "$THEOS/bin/nic.pl" step.
Some people have also reported $THEOS/bin/nic.pl failing outright (the screenshot of that error is not reproduced here), which typically means $THEOS is not set in your shell. The fix is to use the full path instead (or run export THEOS=/var/theos first):

su
alpine
/var/theos/bin/nic.pl
5

Steps:
1. First it asks for the Project Name; this name is used as the dylib name.
2. Then it asks for the Package Identifier (the package name of the .deb).
3. Then it asks for the Author Name; in my case it's RickHak.
4. After that comes the important part: it asks for the MobileSubstrate Bundle Filter. Type the CFBundleIdentifier you were told to remember. If you forgot it, type any placeholder and fix it afterwards (see the note below).
5. Then it asks which processes it should kill on installation; type "-" (none: you relaunch the game yourself).
6. You're done. Go to /var/mobile/(Project name, all lowercase).

Note: If you forgot the identifier
Go to iFile: /var/mobile/Applications/HackInProgressApp/HackInProgress.app/Info.plist
Open it with Property List Viewer.
Find the CFBundleIdentifier and remember the name.
Go to iFile: /var/mobile/(projectname)/ProjectName.plist
and edit the bundle filter to that CFBundleIdentifier.
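For reference, this is the shape of the filter plist that nic.pl writes into the project (shown as an added example, not copied from the tutorial; the bundle identifier com.example.hackedgame is a placeholder for the CFBundleIdentifier you looked up):

```plist
{
    Filter = {
        Bundles = (
            "com.example.hackedgame"
        );
    };
}
```

MobileSubstrate loads the dylib only into processes whose main bundle identifier appears under Bundles, so a wrong identifier means the tweak silently never loads; the plist is installed next to the .dylib in /Library/MobileSubstrate/DynamicLibraries/. The same Filter dictionary also accepts an Executables array keyed on the process's executable name. Keep the filter as narrow as the one app you are working on; widening it to "make the hook work" injects your code into every process on the device.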
5. Explanation of the Different Kinds of Functions:
After looking at the headers, you can find functions that look important, and hack them. However most of you probably don't know the meanings of all those ints and bools. So I will cover a couple of different types of function types here:

1. Int:
An (int) is an integer: a whole-number value returned directly. Methods with names like setMoney, setGold or setAmmo work with (int) values. (A setter that receives the amount as an argument is a void method; see 4 below.)
An example of a hacked (int) method:
- (int)setGold {
    return 999999;
}

2. Bool:
A (BOOL) method returns true or false. It is used for things like "isLevel30Completed", which might unlock something in the shop, a new world, a new game mode, etc.
An example of a hacked (BOOL) method:
- (BOOL)diesAtHit {
    return false;
}
Note that true and false are written in lowercase; YES and NO are the Objective-C spellings and work just as well (a .xm file is compiled as Objective-C++, so both forms are accepted).

3. Floats:
A (float) is a floating-point number, an approximation of a real number such as 255.3. It is used in methods like zombiesReleasedInAMinute.
An example of a hacked (float) method:
- (float)getFireReward {
    return 999999.0f;
}
Writing the value with a decimal point (and the f suffix) makes it a float literal. A plain integer literal such as 999999 would also compile, because the compiler converts it, but the explicit form states the type you mean.

4. Voids:
A (void) method returns nothing, so there is no return value to replace. The value you care about is carried in its arguments (an (int), (BOOL) or (float)), so you change the argument and then pass it on to the original implementation with %orig; without %orig the original code never runs and the value is never applied.
You can use the guides above for each argument type; here is an integer:
- (void)setGoldReward:(int)fp8 {
    fp8 = 9999;    // overwrite the argument (fp8 is the placeholder name class-dump gives unnamed parameters)
    %orig(fp8);    // call the original method with the new value
}
So now all you need to do is find the functions you want to hack, make sure to follow the Tweak format correctly, and you're ready to go on and finish your hack! :D
6.Grep -i:
grep is used in the terminal to search the class-dump headers for method names without reading every file by hand (-i makes the search case-insensitive, -n adds line numbers).
To use grep, run these commands in MobileTerminal:

su
alpine
cd /var/mobile/ClassDump/(name of the folder)
grep -in "search term" *.h (the quotation marks around your search term ARE included)

Each match is printed as header:line:declaration, so the file name on the left tells you which class to %hook.

Some good searches (the same words also work for enemy health):

Player's life: life, health, damage, hp, live, power
examples: takeDamage, removeHealth

Points: points, score, mp
examples: UpdatePoints, AddPoints, loadScore

Ammo: ammo, shoot, shot, fire, weapon
examples: processShooting, setfire (maybe the rate of fire), setAmmo

If you are after other things like 'speed' or 'suns', just try different words.

Extras:

- powerups: megajump, doodlejump
- some keywords depend on the game: rpg, action, fun, etc.
- kill: Splinter Cell
- "unlock" is a very important keyword
7.Testing Your Functions

Now that you have found the methods you want to hack, you need to test them:
Steps:

1. Open Flex 2 and create a patch by tapping the + icon at the top right of the screen.
2. Choose your game.
3. Tap "Add Units...", and process the executable by tapping it.
4. Once processed, search for your method.
5. Make sure it is the right method by checking its Class, which is the header the method lives in.
6. Select it by tapping it.
7. Go back to the "Add Units..." screen and override the methods with the values you want them to return.
8. Go back once more and tick the patch to enable it.
9. Relaunch the game. Hopefully what you wanted happens; otherwise start over with another candidate. :(

8.Making the Tweak:
To create the tweak, open Tweak.xm in /var/mobile/(projectname)/Tweak.xm; this is where all your code goes. To start, you hook a class. The class is what the header file is named after: if you used grep, it is the file name on the left of each match in MobileTerminal (for example ScoreWidget.h, so the class is ScoreWidget). All headers end with .h; the %hook line takes the name without the .h. The method line must match the declaration in the header exactly (return type, selector and argument types); a mistyped selector attaches the hook to nothing, and a wrong return type corrupts the value you hand back.

So an example would be:

%hook Header1            // the class you "hook" on to (the header name without .h)
- (int)hackOne {         // the method you are hacking
    return 9999;         // the new value the method returns
}                        // done with this method

- (BOOL)hackTwo {
    return true;
}

- (float)hackThree {
    return 9999.0f;
}
%end                     // one %end per %hook: done hacking methods in this class

%hook Header2

- (int)hackFour {
    return 9999;
}
%end
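A complete Tweak.xm that puts the four method kinds from the Functions section together with the %hook layout above, as an added example (my code, not the tutorial's): GameEconomy, PlayerEntity and every selector in it are invented stand-ins for whatever your class-dump headers and grep actually turned up, and the "[mytweak]" log prefix is just a tag to find the lines in the syslog.

```objectivec
// Tweak.xm (added example). Class and method names are hypothetical; replace
// them with the ones from your class-dump headers.
#import <Foundation/Foundation.h>

// Declare the methods with the types class-dump showed, so the compiler knows
// the real return and argument types that %orig must pass through.
@interface GameEconomy : NSObject
- (int)gold;
- (void)setGoldReward:(int)amount;
- (float)fireReward;
@end

@interface PlayerEntity : NSObject
- (BOOL)diesAtHit;
@end

%hook GameEconomy

// Return-value override: every read of the gold balance sees this value.
- (int)gold {
    return 999999;
}

// Argument override: the original still runs (saving, UI refresh, achievements);
// only the amount it receives changes. NSLog goes to the device syslog, which is
// how you confirm the hook fired at all.
- (void)setGoldReward:(int)amount {
    NSLog(@"[mytweak] setGoldReward: original amount=%d, forcing 9999", amount);
    %orig(9999);
}

- (float)fireReward {
    return 999999.0f;
}

%end

%hook PlayerEntity

// BOOL override: NO is the Objective-C spelling; false also compiles in a .xm
// file because Theos builds it as Objective-C++.
- (BOOL)diesAtHit {
    return NO;
}

%end

// Runs once when MobileSubstrate loads the dylib into a process that matches
// the bundle filter; the cheapest way to check that injection itself works.
%ctor {
    NSLog(@"[mytweak] loaded into %@", [[NSBundle mainBundle] bundleIdentifier]);
}
```

The @interface declarations are not decoration: %orig passes arguments through with the types you declare, so a wrong type there silently hands the original method garbage. If the linker complains about NSLog or NSBundle, add Foundation to the _FRAMEWORKS line of the Makefile in the same way the Credit Popups section adds UIKit.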
9. Compiling Your Tweak:
You're almost done! Go into the terminal and type:

su
alpine
cd /var/mobile/tweakfolder
make package

(make on its own only compiles the dylib into obj/; make package also builds the .deb.)

Note: if you get the Illegal instruction: 4 error here, apply the same perl/rsync patch as in the nic.pl step, then re-sign:

sed -i'' 's/\x00\x30\x93\xe4/\x00\x30\x93\xe5/g;s/\x00\x30\xd3\xe4/\x00\x30\xd3\xe5/g;' /usr/bin/perl
ldid -s /usr/bin/perl

sed -i'' 's/\x00\x30\x93\xe4/\x00\x30\x93\xe5/g;s/\x00\x30\xd3\xe4/\x00\x30\xd3\xe5/g;' /usr/bin/rsync
ldid -s /usr/bin/rsync

You will find the .deb in the project folder (or in obj/, depending on your Theos version). Install it with iFile's Installer and respring.
Now you're done!
10. Credit Popups:
If you have used MS hacks, you know that the best-known hackers add credit popups: small alerts shown when the app launches that credit the author and their hack forum.
A normal UIAlertView popup is created with the following code (the strings in quotation marks are the parts you change):

UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"Title" message:@"Message" delegate:nil cancelButtonTitle:@"Ok" otherButtonTitles:nil];
[alert show];
[alert release];   // manual reference counting; drop this line if you build with -fobjc-arc

NOTE: These lines go inside a hooked method of the app (see below); they are not a method of their own.
NOTE 2: When you use a UI object you also have to change your Makefile (in your project folder) a little:



Normal Makefile (as generated by nic.pl):

include theos/makefiles/common.mk

TWEAK_NAME = yourTweakName
yourTweakName_FILES = Tweak.xm

include $(THEOS_MAKE_PATH)/tweak.mk

If you want to add the credit popup, add this line before the tweak.mk include (the prefix must match TWEAK_NAME exactly, otherwise Theos ignores it):

yourTweakName_FRAMEWORKS = UIKit

This links UIKit into the dylib, so UI objects and methods such as UIAlertView resolve.



NOTE: Now you have to find a header that contains one of these methods (usually the app delegate, e.g. AppNameAppDelegate.h):

- (void)applicationDidFinishLaunching:(UIApplication *)application;
- (void)applicationDidBecomeActive:(UIApplication *)application;

Then add the alert view to one of these methods and you have a credit popup when the game starts. Note that applicationDidBecomeActive: also fires every time the app returns to the foreground, so the alert reappears after each task switch; hook applicationDidFinishLaunching: if you want it only once. Add #import <UIKit/UIKit.h> at the top of Tweak.xm so UIAlertView and UIApplication are declared.

%hook AppNameAppDelegate
- (void)applicationDidBecomeActive:(UIApplication *)application
{
    UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"The title you want"
                                                    message:@"The message you want"
                                                   delegate:nil
                                          cancelButtonTitle:@"Dismiss button title"
                                          otherButtonTitles:nil];
    [alert show];
    [alert release];   // manual reference counting; remove if compiling with -fobjc-arc
    %orig;             // always call the original so the app's own startup work still runs
}
%end
