โญ๏ธIf you beginner donโt read it.
To start with bypass my own game BubgBattle :
1- bypass cracked version because of iOS resigning.
2- hide your injected framework.
3- hide your objc classes. Or obfuscate it with junk names.
And wen goes in real dylib strip your dylib symbols
4- hide your hook method. (For example : if you using pre-hook method hide new section like __Hook__TEXT etc. if you use other also hide based on what you use.
๐๐๐๐
Generate new empty framework for testing.
Test each step on real game. ( make other friend reports on you for fast results)
If pass for several games move to next step 1 to 4
If you pass it successfully. You almost do it all. Next i will explain the rest.
Use your brain and AI.
If youโre in JB you will f*k all easy.
* The step above not easy for beginners at all. If youโre go learn basics.
* if you are Angos player who play with AnoSDK.. cases that not for you. Yes your method may work but not sold as point above. Why ? Caz its solve issue for its roots
To start with bypass my own game BubgBattle :
1- bypass cracked version because of iOS resigning.
2- hide your injected framework.
3- hide your objc classes. Or obfuscate it with junk names.
And wen goes in real dylib strip your dylib symbols
4- hide your hook method. (For example : if you using pre-hook method hide new section like __Hook__TEXT etc. if you use other also hide based on what you use.
๐๐๐๐
Generate new empty framework for testing.
Test each step on real game. ( make other friend reports on you for fast results)
If pass for several games move to next step 1 to 4
If you pass it successfully. You almost do it all. Next i will explain the rest.
Use your brain and AI.
If youโre in JB you will f*k all easy.
* The step above not easy for beginners at all. If youโre go learn basics.
* if you are Angos player who play with AnoSDK.. cases that not for you. Yes your method may work but not sold as point above. Why ? Caz its solve issue for its roots
โค1
Hey note that :
If you Hooking using fish hook
If you Hooking using fish hook
_dyld_image_count and _dyld_get_image_name to hide your injection , they may still detect you with Kernel level to validate dyld ๐. I havenโt checked that with PG but i have seen it in critical app ๐ฐMy experiment ๐
Game Crash with JB ?Why?
JB Type: unc0ver
iOS Version : 13.3
When run game after 10s crash
Start searchingโฆ
Found when stopped AnoSDK..info its work good , but later will get 10m ban caz of data not send.
๐ง So we know itโs about player device info such fingerprints or jailbreak..
Later found its ok if you play with clean device with jailbreak .. โผ๏ธ
So they not block jailbreak itself but some tweaks not allowed , and sometimes collecting device fingerprints in somehow get crash of it . And sometimes JB will not allowed at all. So no stable rule ๐.
Then tried to clean device from all tweaks and not work ..
someone found the function on Angos that make crash . Then I patched it but in game ban 10y caz of integrity check ..
The solution:
1- Install Kernbypass (with its cmdโs) and activate on target app.
2- install tweak like A-Bypass or Shadow and activate it on target app.
You may face some issues on installing above tweaks.. if youโre interesting: later will shows all installations solutions here.
Game Crash with JB ?Why?
JB Type: unc0ver
iOS Version : 13.3
When run game after 10s crash
Start searchingโฆ
Found when stopped AnoSDK..info its work good , but later will get 10m ban caz of data not send.
๐ง So we know itโs about player device info such fingerprints or jailbreak..
Later found its ok if you play with clean device with jailbreak .. โผ๏ธ
So they not block jailbreak itself but some tweaks not allowed , and sometimes collecting device fingerprints in somehow get crash of it . And sometimes JB will not allowed at all. So no stable rule ๐.
Then tried to clean device from all tweaks and not work ..
someone found the function on Angos that make crash . Then I patched it but in game ban 10y caz of integrity check ..
The solution:
1- Install Kernbypass (with its cmdโs) and activate on target app.
2- install tweak like A-Bypass or Shadow and activate it on target app.
You may face some issues on installing above tweaks.. if youโre interesting: later will shows all installations solutions here.
โค1๐1
KernBypass install in IOS
after install the copy of KernBypass
from Terminal in IPhone or through ssh using Mac
**after command (changerootfs & ) you must see last line is like :
if not make new dir
then repeat bash command above (changerootfs & then disown %1 )
NOTE ๐จ:
install all your tweaks before install Kernbypass caz after it you can not add any tweaks. why ? long answer just do it .
https://www.youtube.com/watch?v=PxJK0421bLo&ab_channel=ThomasJadallah
after install the copy of KernBypass
from Terminal in IPhone or through ssh using Mac
# bash command
# Unofficial (ichitaso) build (iOS 13โ14):
su
preparerootfs
changerootfs &
disown %1
# Official (akusio) build (iOS 12โ13):
su
changerootfs &
disown %1
**after command (changerootfs & ) you must see last line is like :
start changerootfs
if not make new dir
mkdir -p /var/MobileSoftwareUpdate/mnt1
then repeat bash command above (changerootfs & then disown %1 )
NOTE ๐จ:
install all your tweaks before install Kernbypass caz after it you can not add any tweaks. why ? long answer just do it .
https://www.youtube.com/watch?v=PxJK0421bLo&ab_channel=ThomasJadallah
YouTube
How to Easily BYPASS JAILBREAK DETECTION on iOS 13 on Unc0ver or Checkra1n
Hey everyone, today we'll discuss two easy ways to bypass jailbreak detection in apps on iOS 13 or 13.5 on the Checra1n or Unc0ver jailbreak. This jailbreak bypass works on most apps, including banking apps, TV apps, food apps, and more.
The first methodโฆ
The first methodโฆ
โค4
VNG 3.9 :
GNameFun: 0x1048f04e0
GNameData: 0x10a0ee830
GWorldFun: 0x102a08940
GWorldData: 0x10a791ae0
LineOfsight: 0x105f195a4
ActorDecr: 0x10607d3fc
GUObject: 0x10a57b6c8
//by @saudgl
//shared from @bubg_dev
โค5
ARMP_PUBGM_(v3.9.0)_IOS_FIX.zip
4.5 MB
by @D_V_4
shaed from @Bubg_dev
VNG 3.9
GUObject 0x10A57B6C8
gname_func 0x1048F04E0
gname_data 0x10A0EE830
gworld func 0x102A08940
gworld data 0x10A791AE0
TW 3.9
GUObject 0x10A860F48
gname_func 0x104B244E0
gname_data 0x10A3D3E40
gworld func 0x102C3C940
gworld data 0x10AA77360
KR 3.9
GUObject 0x10A887048
gname func 0x104B4D444
gname data 0x10A3F9F40
gworld func 0x102C65634
gworld data 0x10AA9D460
GL 3.9
GUObject 0x10A6A4CC8
gname_func 0x1049A3510
gname_data 0x10A217E50
gworld func 0x102ABB970
gworld data 0x10A8BB0E0
by @Doaodmmc
shared from @Bubg_dev
๐1
3.9
LineOfSightTo offset : 0x7a0
Yaw : 0x880
Roll: 0x888
Pitch: 0x878
โค2
GL 3.9
GNameFun: 0x1049A3510
GNameData: 0x10A217E50
GWorldFun: 0x1029d1558
GWorldData: 0x10a8bb0e0
LineOfsight: 0x105fcc5d4
GUObject: 0x10a6a4cc8
ActorDecr: 0x10613042c
by @saudgl
shared from @Bubg_dev
//GL 3.9
if([bundleIdentifier isEqualToString:@"com.tenโฆin"]) { ///UP GL 3.9.0 make sure from bundle name
kUWorld = "0x10681620C";
kGNames = "0x1049A3510";
hookHUD = "0x1087B1958";
kGetHUD = "0x10339B304";
kDrawText = "0x1064A9628";
kDrawLine = "0x1060C8988";
kDrawRectFilled = "0x1060C88F8";
kDrawCircleFilled = "0x1064A9A94";
kEngine = "0x10A8B9EE";
kLineOfSight_1 = "0x1049A3C04";
kLineOfSight_2 = "0x10A8A2250";
kLineOfSight_3 = "0x105F1793C";
kLineOfSight_4 = "0x105F17A4C";
kLineOfSight_5 = "0x105F226CC";
kBonePos = "0x1030FE934";
kProjectWorldLocationToScreen= "0x1060732B0";
//GUObjectArray 0x10A6A4CC8
}
By a group member
Sahred from @bupg_dev
โค3
ActorDecr Addresses For PโG V3.9:
// GL:
ActorDecr: 0x10613042C
// KR:
ActorDecr: 0x1062DA8F4
// VN:
ActorDecr: 0x10607D3FC
// TW:
ActorDecr: 0x1062B13FC
//by @OOOQG
//shared from @Bubg_dev
๐คฃ11โค7๐ซก3๐2
For jailbreak users if you install Frida, Game will crash , even with the Hide jb tools will be detected
flags Frida detected .
to solve it try hook like :
OR:
Create an anchor file, e.g. /etc/pf.anchors/fridablock with:
"block in quick on lo0 proto tcp from any to any port { 27042, 27043 }"
then Edit /etc/pf.conf and add at the end:
anchor "fridablock"
load anchor "fridablock" from "/etc/pf.anchors/fridablock"
then Reload pf:
pfctl -f /etc/pf.conf
pfctl -e
OR:
use Kernbypass
flags Frida detected .
to solve it try hook like :
static int (*orig_connect)(int, const struct sockaddr*, socklen_t);
// our replacement
static int my_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
if (addr->sa_family == AF_INET && addrlen >= sizeof(struct sockaddr_in)) {
const struct sockaddr_in *in4 = (const void*)addr;
uint16_t port = ntohs(in4->sin_port);
if (in4->sin_addr.s_addr == inet_addr("127.0.0.1")
&& (port == 27042 || port == 27043)) {
// pretend there's no server
errno = ECONNREFUSED;
return -1;
}
}
// otherwise, do the real connect
return orig_connect(sockfd, addr, addrlen);
} // then use any hook it using method like dobby or substrate, etc ..
OR:
Create an anchor file, e.g. /etc/pf.anchors/fridablock with:
"block in quick on lo0 proto tcp from any to any port { 27042, 27043 }"
then Edit /etc/pf.conf and add at the end:
anchor "fridablock"
load anchor "fridablock" from "/etc/pf.anchors/fridablock"
then Reload pf:
pfctl -f /etc/pf.conf
pfctl -e
OR:
use Kernbypass
โค2
I dev easy way to hook with dobby in rootfull-jailbreak . look at and read instractions : https://github.com/saudgl/BaseGetter-with-Dobby-iOS-hook
GitHub
GitHub - saudgl/BaseGetter-with-Dobby-iOS-hook: iOS Hook
iOS Hook . Contribute to saudgl/BaseGetter-with-Dobby-iOS-hook development by creating an account on GitHub.
โค2
dumps_all_Frameworks_bubg39_GL.zip
1 MB
๐ Here the all classes dump for ALL Frameworks . enjoy ๐ฅฐ, if you ask is all Frameworks important ? yes its!! but not all.
Include: ShadowTr.. and Anogs
Include: ShadowTr.. and Anogs
โค1
HideGL1.dylib
166.5 KB
I dev this tweak based on users requests
"HideGL1" is a tweak designed to conceal jailbreak detection and resolve intentional crashes caused by Games if they detect you using like Frida GamePlayer , GameMaster, GameMasterPlus , GameGemiOS , iGameGuardian .
It complements other jailbreak-hiding tweaks such as Shadow and iHide by covering detection vectors they may miss. Using "HideGL1" alongside these tools can provide comprehensive jailbreak concealment for games. by @saudgl @Bubg_dev
"HideGL1" is a tweak designed to conceal jailbreak detection and resolve intentional crashes caused by Games if they detect you using like Frida GamePlayer , GameMaster, GameMasterPlus , GameGemiOS , iGameGuardian .
It complements other jailbreak-hiding tweaks such as Shadow and iHide by covering detection vectors they may miss. Using "HideGL1" alongside these tools can provide comprehensive jailbreak concealment for games. by @saudgl @Bubg_dev
โค5
use this to run app on xcode like run game in xcode to trace it live debug
if you face domain error : XCode -> File -> Project setting -> Advanced -> legacy
how is work ? rename you IPA file to app.ipa the put on "IPAPatch/Assets/app.ipa" then enjoy
https://github.com/saudgl/IPAPatch-saudgl
if you face domain error : XCode -> File -> Project setting -> Advanced -> legacy
how is work ? rename you IPA file to app.ipa the put on "IPAPatch/Assets/app.ipa" then enjoy
https://github.com/saudgl/IPAPatch-saudgl
GitHub
GitHub - saudgl/IPAPatch-saudgl: Patch iOS Apps, The Easy Way, Without Jailbreak.
Patch iOS Apps, The Easy Way, Without Jailbreak. Contribute to saudgl/IPAPatch-saudgl development by creating an account on GitHub.
PB 4 GL = Global
GName Fun : 0x104ab914c
GName Data : 0x10a3ed0e0
GWorld Fun : 0x102a3a7f8
GWorld Data : 0x10aa91290
GUObject : 0x10a87ac70
LineOfsight : 0x1060e7b8c
ActorDecr: 0x10624b5ac
By @saudgl
@Bubg_dev
๐ฅ1