For anti-ban: I found the game does not just take the iOS CRC hash but uses its own method. When I patched it, it was still caught; I found the checksumOfCRC32 function, which does the job at 0x1000c0be8, and a Lua script does the same! What a headache.
Here is the class that handles all the hashing, with the address of each method:
to use it like: IMP=0x00000001000c0be8
use only 1000c0be8
to use it like: IMP=0x00000001000c0be8
use only 1000c0be8
/// Class-dump style declarations only (no implementation on this page).
/// The `arg1`, `arg2`, ... parameter names look like dumper placeholders, not
/// the original names; each `// IMP=` comment is the implementation address
/// as dumped. The note above identifies `_checksumOfCRC32:` as the game's own
/// integrity checksum routine, separate from the platform CRC it also uses.
@interface GNLCommonTools : NSObject
{
}
/// Custom CRC32 checksum (see note above); `int` is the dumper's return type.
+ (int)_checksumOfCRC32:(id)arg1; // IMP=0x00000001000c0be8
// Base-N decode/encode over raw bytes; the alphabet comes from `charset`
// (per the parameter names; no implementation is visible here).
+ (unsigned long long)_baseDecode:(const char *)arg1 srcLen:(unsigned long long)arg2 destBytes:(char *)arg3 destLen:(unsigned long long)arg4 charset:(const char *)arg5 requirePadding:(_Bool)arg6; // IMP=0x00000001000c0a08
+ (id)_baseDecode:(const void *)arg1 length:(unsigned long long)arg2 charset:(const char *)arg3 requirePadding:(_Bool)arg4; // IMP=0x00000001000c092c
+ (unsigned long long)_baseEncode:(const char *)arg1 srcLen:(unsigned long long)arg2 destBytes:(char *)arg3 destLen:(unsigned long long)arg4 charset:(const char *)arg5 padded:(_Bool)arg6; // IMP=0x00000001000c07f4
+ (id)_baseEncode:(const void *)arg1 length:(unsigned long long)arg2 charset:(const char *)arg3 padded:(_Bool)arg4; // IMP=0x00000001000c0718
// gzip helpers; all take/return `id` (presumably NSData — confirm in the dump).
+ (_Bool)_isGzippedData:(id)arg1; // IMP=0x00000001000c06a0
+ (id)gzipDecompress:(id)arg1; // IMP=0x00000001000c0520
+ (id)gzipCompress:(id)arg1; // IMP=0x00000001000c03ac
+ (id)gzipTailer:(id)arg1; // IMP=0x00000001000c031c
+ (id)gzipHeader; // IMP=0x00000001000c02a4
// AES helpers; mode, IV handling and key derivation are not visible here.
+ (id)AESDecryptWithKey:(id)arg1 dataLength:(long long)arg2 data:(id)arg3; // IMP=0x00000001000c00d8
+ (id)AESEncryptWithKey:(id)arg1 data:(id)arg2; // IMP=0x00000001000bff34
// Identifiers, digests and transport encodings.
+ (id)createGUID; // IMP=0x00000001000bfed0
+ (id)sha1:(id)arg1; // IMP=0x00000001000bfda4
+ (id)md5:(id)arg1; // IMP=0x00000001000bfca8
+ (id)base64DecodeData:(id)arg1; // IMP=0x00000001000bfc3c
+ (id)base64EncodeData:(id)arg1; // IMP=0x00000001000bfbd0
+ (id)ungzippedData:(id)arg1; // IMP=0x00000001000bfa50
+ (id)gzippedData:(id)arg1; // IMP=0x00000001000bf8e8
+ (id)urlDecode:(id)arg1 count:(long long)arg2; // IMP=0x00000001000bf7d0
+ (id)urlEncode:(id)arg1 count:(long long)arg2; // IMP=0x00000001000bf650
@end
Pubg34Gl_Objc_classes.mm
4.4 MB
Here are all Obj-C classes for Shadow 3.4 GL, with the address of each.
anogs_34GL_Classes.mm
8 KB
and this one has all Obj-C classes for anogs 3.4 GL
GL-DEV
anogs_34GL_Classes.mm
from here find the :
you can swizzlie by fishook or dobby to bypass the screenshot to avoid screenshot ban
caz all screenshot goes to server side to analysis by AI if there are any not normal overlay draws .
here for swizzlie it , just use it to let you know when screenshot going to be taken then hide your draws then return orginal function . after taht do draw your staff π
/// Class-dump style declarations for the screenshot path described above
/// (instance methods; no implementation on this page). `arg1` names look like
/// dumper placeholders. The `// IMP=` values here lack the 0x100000000 base
/// seen in the GNLCommonTools dump — presumably unslid file offsets; confirm
/// against the original dump before relying on them.
@interface ScreenShot : NSObject
{
}
- (void)takeScreenShotEx:(id)arg1; // IMP=0x00000000001b2aa8
/// Returns a raw buffer pointer; ownership/lifetime is not expressed here.
- (void *)getBufFromImage:(id)arg1; // IMP=0x00000000001b2658
- (id)screenshotOfView:(id)arg1; // IMP=0x00000000001b24f4
- (id)getAppWindowsForScreen:(id)arg1; // IMP=0x00000000001b21f8
@end
you can swizzlie by fishook or dobby to bypass the screenshot to avoid screenshot ban
caz all screenshot goes to server side to analysis by AI if there are any not normal overlay draws .
here for swizzlie it , just use it to let you know when screenshot going to be taken then hide your draws then return orginal function . after taht do draw your staff π
GL-DEV
Edited :
and then go to game sdk of shadow but NOT the file above ! :
here you can name it Lua script helper to take screenshot ..
its take screenshot by Lua script then send it to server. to handle it its can NOT be swizzled like above one caz its not objc , so you have to do it with function table using read and right, and be careful here about integrity you (may) cough and get ban, not caz of write on function table method but for integrity check
I think they do the integrity check by reading the function table pointer value and comparing it with the original pointer they hold.
and then go to game sdk of shadow but NOT the file above ! :
// Object Name: Class Client.ScreenshotMaker
// Size: 0x28 // Inherited bytes: 0x28
struct UScreenshotMaker : UObject {
here you can name it Lua script helper to take screenshot ..
its take screenshot by Lua script then send it to server. to handle it its can NOT be swizzled like above one caz its not objc , so you have to do it with function table using read and right, and be careful here about integrity you (may) cough and get ban, not caz of write on function table method but for integrity check
i thing they do integrity check by read x function table pointer value and compare it with what they have as original pointer
Pubg GL 3.5:
GWorld Fun: 0x1027dbb98
GWorld Data: 0x109c87fb0
GName Fun: 0x104526804
GName Data:0x1098248a0
lineOfSight: 0x1058f35b4
GUobject: 0x109aca290
HUD : 0x103107430
GEngine: 0x109c86db0
CanvasMap: 0x1099016a0
//by @saudgl
//@pubg_dev
GName Fun: 0x1046bec8c
GUObject : 0x109ca1910
Pubg KR 3.5
GName Fun: 0x1046e74a4
GUObject : 0x109cc7a10
@Bubg_dev
@saudgl
Bupg 3.5 VNG
GUObject 0x1099BC010
GNames func 0x10448928C
GNames data 0x109716600
GWorld func 0x102817F78
GWorld data 0x109B79D30
GEngine 0x109B78B30
Pubg KR 3.5
GUObject 0x109CC7A10
GNames func 0x1046E74A4
GNames data 0x109A21DA0
GWorld func 0x102A75FA0
GWorld data 0x109E85730
GEngine 0x109E84530
credits : prze666
shared from: @pubg_dev
updated ..
Learn about Frida on iOS ❤️ — it's worth watching:
https://youtu.be/TKWSwEGUyH8?si=D-SVhuCxduq7IDXj
https://youtu.be/TKWSwEGUyH8?si=D-SVhuCxduq7IDXj
YouTube
r2con2024 - day 2 - Frida hooking tricks on non-jailbroken iOS - mrmacete
After removing the jailbreak superpowers, what options remain for placing Frida hooks in the context of an app process on iOS? A survey of "jailed" Frida hooking techniques and their trade-offs in terms of depth and requirements, with step-by-step practical…
BGMβI 3.5
GUObjectArray 3.5 = 0x109191c90
GNames_Fun 3.5 = 0x104046f70
by @g66lk
This is how Bupg gets the .text section size and then hashes it with SHA-256 or CRC32. I compute both hashes, while they use CRC32.
#import <Foundation/Foundation.h>
#import <mach-o/dyld.h>
#import <mach-o/loader.h>
#import <CommonCrypto/CommonDigest.h>
#import <zlib.h> // For CRC32
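/// Computes CRC32 and SHA-256 over [start, start + size) and logs both as hex.
/// zlib's crc32() and CC_SHA256_Update() take 32-bit lengths, so the range is
/// fed in bounded chunks instead of being truncated by a single cast.
static void logTextSectionHashes(const uint8_t *start, uint64_t size) {
    uLong crc32Result = crc32(0L, Z_NULL, 0); // Initialize CRC32
    CC_SHA256_CTX shaCtx;
    CC_SHA256_Init(&shaCtx);

    const uint8_t *cursor = start;
    uint64_t remaining = size;
    while (remaining > 0) {
        uint32_t chunk = remaining > UINT32_MAX ? UINT32_MAX : (uint32_t)remaining;
        crc32Result = crc32(crc32Result, cursor, (uInt)chunk);
        CC_SHA256_Update(&shaCtx, cursor, (CC_LONG)chunk);
        cursor += chunk;
        remaining -= chunk;
    }

    uint8_t sha256Hash[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256_Final(sha256Hash, &shaCtx);

    // Hex-encode the digest for logging.
    NSMutableString *sha256String = [NSMutableString stringWithCapacity:CC_SHA256_DIGEST_LENGTH * 2];
    for (int k = 0; k < CC_SHA256_DIGEST_LENGTH; k++) {
        [sha256String appendFormat:@"%02x", sha256Hash[k]];
    }

    NSLog(@"CRC32 of .text section: %08lx", crc32Result);
    NSLog(@"SHA-256 of .text section: %@", sha256String);
}

/// Hashes the main executable's __TEXT,__text section with CRC32 and SHA-256
/// and logs both (the note above describes this as the game's own integrity
/// check). Side effects: NSLog only. Logs and returns early when no header is
/// available, the image is not a 64-bit Mach-O, or no __text section exists.
void calculateHashesForTextSection() {
    const struct mach_header *header = _dyld_get_image_header(0); // Main executable
    if (!header) {
        NSLog(@"Failed to get mach header");
        return;
    }

    // The walk below assumes the 64-bit header layout (load commands start
    // right after mach_header_64, which is 4 bytes longer than mach_header);
    // check the magic before casting instead of assuming it.
    if (header->magic != MH_MAGIC_64) {
        NSLog(@"Unsupported Mach-O magic 0x%08x (expected a 64-bit image)", header->magic);
        return;
    }
    const struct mach_header_64 *header64 = (const struct mach_header_64 *)header;
    const uint8_t *cmdCursor = (const uint8_t *)header64 + sizeof(struct mach_header_64);
    const uint8_t *cmdEnd = cmdCursor + header64->sizeofcmds;

    // Locate LC_SEGMENT_64 for __TEXT, then its __text section.
    for (uint32_t i = 0; i < header64->ncmds; i++) {
        // Bound every read by sizeofcmds so a malformed cmdsize cannot walk
        // past the load-command table.
        if (cmdCursor + sizeof(struct load_command) > cmdEnd) {
            break;
        }
        const struct load_command *cmd = (const struct load_command *)cmdCursor;
        if (cmd->cmdsize < sizeof(struct load_command) || cmdCursor + cmd->cmdsize > cmdEnd) {
            break;
        }

        if (cmd->cmd == LC_SEGMENT_64 && cmd->cmdsize >= sizeof(struct segment_command_64)) {
            const struct segment_command_64 *segCmd = (const struct segment_command_64 *)cmd;
            // The section table must fit inside this load command.
            uint64_t sectionBytes = (uint64_t)segCmd->nsects * sizeof(struct section_64);
            BOOL sectionsFit = sizeof(struct segment_command_64) + sectionBytes <= cmd->cmdsize;

            // segname/sectname are fixed 16-byte fields that need not be
            // NUL-terminated, so compare with a bounded strncmp.
            if (sectionsFit && strncmp(segCmd->segname, SEG_TEXT, sizeof(segCmd->segname)) == 0) {
                const struct section_64 *sections = (const struct section_64 *)(segCmd + 1);
                for (uint32_t j = 0; j < segCmd->nsects; j++) {
                    if (strncmp(sections[j].sectname, SECT_TEXT, sizeof(sections[j].sectname)) != 0) {
                        continue;
                    }
                    // The header sits at the start of __TEXT, so the section's
                    // in-memory address is header + (addr - segment vmaddr).
                    // This equals the original `header + offset` when __TEXT's
                    // fileoff is 0, and stays correct when it is not.
                    const uint8_t *textStart =
                        (const uint8_t *)header64 + (sections[j].addr - segCmd->vmaddr);
                    uint64_t textSize = sections[j].size; // Size of .text section
                    logTextSectionHashes(textStart, textSize);
                    return;
                }
            }
        }
        cmdCursor += cmd->cmdsize;
    }

    NSLog(@"No __TEXT,__text section found in the main executable");
}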
But the problem came with the Lua script, which comes from the server and looks like this:
-- Lua script to calculate `.text` size and hash
-- Illustrative server-side chunk: find __TEXT,__text through the host-provided
-- get_mach_header() and return its size plus a SHA-256 over its bytes.
-- compute_sha256 is host-provided as well; neither is defined in this file.

-- First section named "__text" in a segment, or nil if there is none.
local function text_section_of(segment)
  for _, section in ipairs(segment.sections) do
    if section.name == "__text" then
      return section
    end
  end
  return nil
end

local header = get_mach_header()
local result = { size = 0, hash = "" }

-- Every "__TEXT" segment is visited; the last one with a __text section wins.
for _, segment in ipairs(header.segments) do
  if segment.name == "__TEXT" then
    local text = text_section_of(segment)
    if text then
      result.size = text.size
      result.hash = compute_sha256(text.start, text.size)
    end
  end
end

return result
#import <Foundation/Foundation.h>
#import "lua.h"
#import "lauxlib.h"
#import "lualib.h"
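// Defined further down in this file; declared here so it can be registered.
int getMachHeaderLua(lua_State *L);

/// Runs a Lua chunk (e.g. the server-supplied `.text` checker above) with
/// `get_mach_header` bound to getMachHeaderLua, then logs the reported size
/// and hash.
/// Results are read from the table the chunk returns (`size`/`hash` fields,
/// as in the sample above); if the chunk returns nothing, globals of the same
/// names are read instead, which is what the previous version always did.
/// On a load or runtime error the Lua message is logged. NSLog is the only
/// side effect; a NULL script or a failed state allocation is logged and skipped.
void executeLuaScript(const char *script) {
    if (!script) {
        NSLog(@"Lua Error: no script supplied");
        return;
    }
    lua_State *L = luaL_newstate();
    if (!L) {
        NSLog(@"Lua Error: could not create Lua state");
        return;
    }
    luaL_openlibs(L);

    // Provide app-specific functions to Lua (e.g., get_mach_header)
    lua_pushcfunction(L, getMachHeaderLua);
    lua_setglobal(L, "get_mach_header");

    // Load and execute the script. luaL_dostring runs the chunk with
    // LUA_MULTRET, so a `return { size = ..., hash = ... }` lands on the stack;
    // reading globals alone (as before) never saw those values.
    if (luaL_dostring(L, script) == 0) {
        if (lua_gettop(L) >= 1 && lua_istable(L, -1)) {
            lua_getfield(L, -1, "size");
            lua_getfield(L, -2, "hash");
        } else {
            lua_getglobal(L, "size");
            lua_getglobal(L, "hash");
        }
        // lua_Integer is 64-bit in recent Lua versions; don't truncate via int.
        lua_Integer textSize = lua_tointeger(L, -2);
        const char *textHash = lua_tostring(L, -1);
        NSLog(@"Text Size: %lld, Hash: %s", (long long)textSize, textHash ? textHash : "(none)");
    } else {
        NSLog(@"Lua Error: %s", lua_tostring(L, -1));
    }
    lua_close(L);
}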
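// Example: Mock for Lua
/// Stand-in for the host's `get_mach_header`. Pushes a table shaped the way
/// the Lua sample above reads it (`segments` -> array of {name, sections}),
/// so the script's ipairs() loop runs instead of erroring on a nil field.
/// Populate `segments` from the real Mach-O header when wiring this up.
/// @return 1 — the header table is the single value returned to Lua.
int getMachHeaderLua(lua_State *L) {
    lua_newtable(L);                 // header
    lua_newtable(L);                 // header.segments (empty array for now)
    lua_setfield(L, -2, "segments");
    return 1;                        // Return one table
}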
The Lua script is validated before it runs,
and it is obfuscated and carries a time-based token to prevent reuse.
Conclusion: both must be handled 💩
And obfuscate and with time-based token to prevent reuse.
conclusion: both must be handled π©
Bubg VNG 3.6
GWorld Fun : 0x10278fba0
GWorld Data: 0x10a171a00
GName Fun: 0x104510ef0
GName Data: 0x109aaa1a0
LineOfsight : 0x105a4e978
GUobject: 0x109f5c2a0
ActorArray : 0x105bb38a0
@pubg_dev
@saudgl
Bubg GL 3.6
GWorld Fun : 0x102829098
GWorld Data: 0x10a27bc80
GName Fun: 0x1045aa3e8
GName Data: 0x109bb4440
LineOfsight : 0x105ae7e70
@pubg_dev
@saudgl