#development

surely they could just hide the path

Yes

Ok bad news I got balatro now and uhhh

that means its statically compiled in @cloud yacht

and likely stripped

yipped another hurtle I need to jump over

just need to write a patchfinder

So what would that basically just be the replcemenet for MSFindSymbol?

not at all?

its stripped

Okay so are there resources on patchfinders?

generally these are all custom designed

first figure out what you're looking for in your stripped binary

then find markers that will help you find that location programmatically

usually people look for references to a string

so you find the location of the string, then you find where that location is referenced

okay

in other cases the search is for a specific instruction sequence

but first you need to identify what you need to find first

im assuming its a specific function

yeah 2 of them

its open source btw @cloud yacht

the engine is yeah

@cloud yacht for gameseagull i used a memmem 'fork' that looks 1 method instead of the whole binary to search for mov w8, #0x42700000 which is the stock instruction for the cheat

I'm trying to find whetre the function is

here is luaL_loadbuffer for arcade

sub_10012C258

the easiest way to patchfind this is memmem for the =[love \"arg.lua\"] string,
find the xref,
then search for the first bl instruction after the string xref,
lastly resolve the bl to address

oh intresting

I'm not sure if loadbufferx is actually nessicary

so I would have to use #development message to find the correct image, then use memmem on the image to find the string, then from that fnd the instruction I desire, then resolve it's pointer, which I can pass to MSHookFunction?

you only have to find the correct image on rootless, you can hardcode index 0 on rootful most likely

but its safer to just find the image on both regardless

For some reason balatro just crashes on launch for my rootful device and no point writing 2 different implementations

Oh yeah I forgot theres a bunch of symbols the tool uses but doesn't patch

Although methrul said we can probably just include our own lua and use it's functions for that

I'll see how much work finding all those symbols would be

Given functions:

• lua_call
• lua_pcall
• lua_getfield
• lua_setfield
• lua_gettop
• lua_settop
• lua_pushvalue
• lua_pushcclosure
• lua_tolstring
• lua_toboolean
• lua_topointer
• lua_type
• lua_typename
• lua_isstring

but for now I'll just worry about the one's im patchijng

doesn't crash for me

it's not even a tweak thing I don't thiml

how did you install the app

App Store

well it tells you why

yeah but i don't know how I would fix it

you can't easilly unless you patch the app binary itself

yeah not sure how they managed this

you are just gonna have to disable all calls to ads

optool uninstall -p "/System/Library/Frameworks/AdServices.framework/AdServices" Balatro -c LC_LOAD_DYLIB

honestly

it's prob better to create a stub framework

Ok wtf I am trying to compile a theos project and it's failing with
libfakeroot: connect: Permission denied

It's also spewing a bunch of warnings(?)

average brew moment

this is linux

interesting

what's it connecting to?

some kind of daemon?

are you running native linux

yeah

fakeroot is from the system as far as I'm aware

fedora 41

I probably upgraded from 40 after the last time I ran theos on here

I already got lua_tolstring, lua_call, and lua_pcall patchfinder written

Didn’t I tell you this a while ago

I’m literally doing a stupid scan for like the first couple of instructions for these functions cause it was easier that way

wait so apple just lets jitted lua on their appstore?

In Apple Arcade

but the premium app isn't arcade

Hold on, the jit is disabled on iOS

how does the lua execute then

Interpreter

Luajit has both a jit and interpreter

Note: the JIT compiler is disabled for iOS, because regular iOS Apps are not allowed to generate code at runtime. You'll only get the performance of the LuaJIT interpreter on iOS. This is still faster than plain Lua, but much slower than the JIT compiler. Please complain to Apple, not me. Or use Android. :-p

From https://luajit.org/install.html

ah

Yea, libflex just wasn’t injecting 🤦‍♂️🤦‍♂️

Yeah but I was hoping you were wrong

So what is the correct way to get the memory location to search for patch finding? Should i be relying on the result of MSGetImageByName, should I dlopen it with RTLD_NOLOAD (does that matter) and then use the result or is there some other way?

i like to use dladdr, it can return the base address of the binary youre targetting

https://www.youtube.com/watch?v=ih6gWZDuNME

https://x.com/tsoding/status/1880538313549107250 a certain dumbass YouTuber catching strays rn 💀

tsoding does the most cursed shit

any idea how to tell lldb where my dsc is stored? and what format the dsc needs to be in?

Where do I get developer disk images for frida from Linux for iOS after 17.0.1+ ?
I'm trying to use frida as injected on a jailed device

why do you need the disk images

They are personalised or something

They have to be generated for your device by Xcode

That only applies for iOS 17+

yeah but i didnt have to do that for using frida

i dont even own a mac

oh

so if all I have is linux?

that probably means that I'll be unable to connect to a running app, unless I get the app's pid somehow, which I dont' know how to do without trollstore or jb utilities

i'm on linux too

oh you're unjailbroken

yeah idk then

sorry

Well you can try a macOS vm

Or hackintosh your machine lol

i'm using a vm for unrelated reasons, its quite easy to setup

https://github.com/kholia/OSX-KVM

but then how would I be able to generate the customized disk images? currently, i've been using a monterey vm on a proxmox cluster, but that server died over winter break

If you pair your phone to the Mac OS vm and install Xcode it will be generated

https://github.com/doraorak/Spawn_debugserver

this is for lldb rather than frida but the script itself may help for whatever you are trying to do (also prints the PID)

afaik you dont really have to "get" the ddi to connect via a debugger, once you mount it its enough
python -m pymobiledevice3 mounter auto-mount
which this should do

i tried that, but the pymobiledevice3 mounter says that the ddi is mounted, but when I try running idevicescreenshot, it says that the ddi isn't mounted

how do i fix this

(ubuntu server)

the pipe to a file isn't running as root since your shell is handling it

how would i make it root

you can probably just run sudo -s to give yourself a root shell then run it, or write somewhere your user can access

ookay

thanks'

how would i use rm to delete all files and folders in a directory except a specific folder

give it all the files in the folder other than the specified folder

you probably could use find with exec

i figured it out

i had to do shopt -s extglob to enable extglob then do (while in the parent folder) rm -rf !(folder_name_i_want_to_keep)

It’s usually pulled from the device. Is a DDI mounted?

sir i'm on linux

i have a local copy of my dlc tho

Can use the dopamine fakeroot feature on my own tweaks? Is there a method for that or do I have to make a custom build?

Want my dylibs to look like they’re coming from a trusted path

he is on linux debugging an ios device, i opened an issue about this in llvm repo https://github.com/llvm/llvm-project/issues/94921 but they told me it was expected. Tbh i am not sure if it indeed affects performance, parsing frameworks was indeed very slow in my experience and i couldn't find a way to make it use a cache. but maybe thats just because i was on windows

you could patch and rebuild lldb, hardcoding your local cache path

there’s probably an easier way, but I didn’t see it when skimming around the repo

How do I install tailwind css

google

you could patch and rebuild lldb, hardcoding your local cache path
@reef trail there you go, no idea where you would find the original path though. I am glad i got a mac instead of dealing with all this tbh

It didn’t work

I tried

Using npm

Wait

I’m using windows on arm

with what tho

just html

Yeah

But i need tailwind

That sit

u can use the tailwind play cdn

just import it with script src

no build step needed

this is the most user friendly way to use tailwind

@grave orchid it work?

Dunno

Oh

Import with script

Oh

<script src="https://cdn.tailwindcss.com"></script>

add to the head

Oh

im gonna profit off of this

like this?

precisely

@grave orchid how are you seeing your changes though

do you have live server extension on vscode

no i dont 😭

I have that on my main machine

but not here

are you just opening the index.html everytime u make a change

yes 💀

oh get the extension

it will save a lot of time

it will give you a port to use so in the browser you would just go on http://localhost:4000 or smth

whatever number it gives u

@robust radish holy crap capstone docs suck

I finally figured out how to get this to work again lol

only took an hour and a half lol

im glad you got it working. how could the docs be more straightforward https://www.capstone-engine.org/lang_c.html

took me 50 minutes to realize that address meant whatever the virtual address of the instruction is, not what location I want to start disassembling within the code buffer

lol

yeah that’s fair

So do I do this?

symbol finder done

now I just need to make it so that it will run at runtime correctly, but that's for tomorrow me lol

no with the script src u can just start using it

no npm needed

Oh

I don't recommend the script if you gonna make it in production

The node package should dynamically create a css only of the classes you use

Doesn't npm build do this for you

Or whatever your manager is

in my case it was vite build iirc

Yes... There is a script src too that brings the entire tailwind into one file and it's heavy af.. I'd avoid that @exotic spire

I mean building the site already does that?

Yes.. but am not talking about the build tho

And building only uses the classes you use

It's dynamic

Yeah the project is only 4MB after building

It scans all ur js html files

While the script uses the entire tailwind library which you always should avoid.. it's only intended for development and u don't use npm

Even tailwind Devs say that

Oh I see the issue

Yeah

I agree

https://tailwindcss.com/docs/installation/play-cdn

Yeah that makes no sense really

I recently found with a project in php I was working that many frameworks like vite or next whatever.. they always rebuild the tailwind css once u save the project..

In php you had to do manually... I was scratching my head why some classes never worked.. then found out the tailwind css file is made dynamically.. I never knew that

We really take hot reload for granted until you work on legacy web app like laravel

yeah that's what i was going to do

honestly if i tried to move over to mac id be frustrated even more. Tweak dev is only one type of development i do and i don't want to have to change my entire development workflow for it

@exotic spire @pastel dome my brothers in christ, if this was a production app with many moving parts then yeah i would not advise the play cdn for tailwind, but on a simple html site like okemos it makes sense, having a build step complicates things. this is like back in the day when you imported bootstrap with script src too. and whats great is you can start building right away, in the future if you want to switch to the build step version of tailwind you can, this just makes it easier to get your project started and get the ball rolling

the dev is relatively inexperienced so the other way is a little convoluted for now, it will likely get in the way of progress

I was very inexperienced first time I played with Tailwind and I still advise to go with the installation first

Configuring all that stuff is better at the beginning

we take for granted the installation route but its pretty daunting as a new dev, they are not using vite so even using the watch command every time is eh

so many pitfalls

if u didnt npm init ur project

you have to go into the package.json and change type to "module", then you have to create a tailwind config in the root folder just so that the vscode extension will activate in ur project

stuff that isnt in the docs necessarily that we personally know

for a basic ahh html site just use cdn lol

if you wanna build something you’d be using vite which solves it anyway

True I agree, didn't know the context, apologies

np

end of a 2 hour debugging session

i have depression

did u manage to fix the bug atleast

MRW I spend 4 hours trying to debug code and the issue was a missing semicolon

average developing experience

Did the compiler not give you an error code?

Are you implying I'm working with a modern competent compiler

Or maybe the compiler was just trolling

where would I find the lldb sdk that I need for iOS remote debugging for linux? Currently, whenever I try and connect, it says that it's unable to locate the sdk

Ok so not entirely sure how to do this now?
I did look at dladdr but it seems I need to pass it a function pointer, which means I need a function from the image, which I don't know how to reliably get.
I also found _dyld_get_image_header which seems promising, however, I realized I don't know how to get the length of the image to pass to memmem. Should I just get a large enough length that I know will contain my stuff or is there a smarter way to do it?

Also man it's hard to find proper documentation on the _dyld functions

oh there we go https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man3/dyld.3.html

so for the mac header I assume sizeofcmds is the size of my binary

Looks like the return of _dyld_get_image_header and MSGetImageByName are the same

It is just an ios sdk, then you use this command with its path

what do you need to locate? A function or something more specific?

Yeah this is following a discussion from earlier. I need to find a few functions in a stripped binary (context: #development message).

yes

nice

i've spent 8 hour debugging sessions not being able to fix a bug ur better than me

i wrote
new_offset = offset
instead of
new_offset = offset + size

Are the function’s owner image a dylib or mh_execute?

but now shijima can import nested archives

(literally no one will use this feature)

I do not know what mh_execute is but it's in the dylib cache (the function is from an apps main binary)

so the functions you’re looking for are contained in the main executable of an application? Do they contain something unique enough to reliably identify them

Yeah I belive they are unlikely to change (they are public apis from a dependancy's dependancy) and at least a few of them are called with a unique string I should be able to find in the binary

Last question: are you injecting code into this process directly, or performing the search remotely from elsewhere?

I'm being injected

If it helps the main part of the code I'm injecting is open source (though the app I'm targeting is not) and I have an app without stripped binarys to help with testing.
I need to hook 2 functions but theres ~14 functions I need just a reference to to call

Uneducated opinion; it sounds like what you want is indeed dyld get image header, and the size for memmem should be the size of the executable (can check it with filza/finder)

You need the addresses of the strings that can be used to identify the target functions. You can get them by parsing the strings table from the mach header or by doing a blind search starting around the load address of the main executable (the address of the mach header). The most straightforward API for fetching the mach header of the process main executable is _dyld_get_prog_image_header()

To find cross-references to those strings (their usage in the target functions), you can again do a blind search across the address range of the main executable for the literal address of the string, or more efficient, you can parse the LC_FUNCTION_STARTS load command from the main execs mach header. That will give you a list of addresses of every function in the binary, regardless of whether or not it has a symbol name / stripped. That reduces the scope of the search area. If you can roughly gauge (in a disassembler) the distance between the string reference relative to the start of its containing function, that's another way to further reduce search scope (bail out on functions early, don't look at the entire thing)

If you do a blind search, you need to know the end address of the image, so that you know when to stop looking. You can determine that by enumerating segments in the header. The range starts at the address of the mach header, and ends at vmaddress + vmsize of the last-encountered LC_SEGMENT/LC_SEGMENT_64 segment

Thank you I'll take a look

ih8sn0w's old iboot patcher has some straightforward examples of locating stuff using only string xrefs (its armv7 but still a decent reference point): https://github.com/iH8sn0w/iBoot32Patcher/blob/master/finders.c#L109-L130

What I ended up doing was for a few of the functions, lua_call, lua_pcall and one other I don’t remember, I used just a memmem() for the first few instructions of the functions since they were unique.
For getfield, setfield, settop and a couple others, I did a memmem() for "LUA_NOENV" string then used siguza’s xref() to find the xref and disassembly that function with capstone to grab the like 4 b instructions to those functions, then I did the same with a couple other strings for the rest of the functions

ok I don't understand how the reference to a string in the binary is formatted

0x100000000 + (memmem(whatever) - topofmacho)

whatever being my string?

Whatever being the arguments that memmem() needs to find your string

okay

This is when doing it on a file, I’m actually unsure if half of this stuff is needed when working on loaded binaries, I was gonna figure that part out tonight

hmmm I must missunderstand somethng

#import <UIKit/UIKit.h>
#import <mach-o/dyld.h>
#include <CydiaSubstrate/CydiaSubstrate.h>

%ctor {
    NSLog(@"[Lovely] Hi Mom");
    int image_index = -1;
    for(int i = 0; i < _dyld_image_count(); i++) {
        NSLog(@"[Lovely] %s", _dyld_get_image_name(i));
        if (strstr(_dyld_get_image_name(i), ".app/")) {
            image_index = i;
            break;
        }
    }
    if(image_index < 0) {
        NSLog(@"[Lovely] Failed to find image: (Balatro.app/balatro)!");
        return;
    }
    const struct mach_header* header = _dyld_get_image_header(image_index);
    MSImageRef image = MSGetImageByName(_dyld_get_image_name(image_index));
    void* symbol_substrate = MSFindSymbol(image, "_luaL_loadbuffer");
    NSLog(@"[Lovely] Symbol: %p", symbol_substrate);
    NSLog(@"[Lovely] Header: %p, Image: %p", header, image);
    NSLog(@"[Lovely] size of cmds: %i", header->sizeofcmds);
    char needle[] = "=[love \"arg.lua\"]";
    int straddr = 0x100000000 + ((char *)memmem((const void *)header, 70000, needle, strlen(needle)) - (char *)header);
    NSLog(@"[Lovely] straddr: %i", straddr);
}
``` this is resulting in a negative value (which woudl be not found, right)

Why aren’t you using the file size from the header for the memmem() lol

good point

Still doesn't seem to work

#import <UIKit/UIKit.h>
#import <mach-o/dyld.h>
#include <CydiaSubstrate/CydiaSubstrate.h>

%ctor {
    NSLog(@"[Lovely] Hi Mom");
    int image_index = -1;
    for(int i = 0; i < _dyld_image_count(); i++) {
        NSLog(@"[Lovely] %s", _dyld_get_image_name(i));
        if (strstr(_dyld_get_image_name(i), ".app/")) {
            image_index = i;
            break;
        }
    }
    if(image_index < 0) {
        NSLog(@"[Lovely] Failed to find image: (Balatro.app/balatro)!");
        return;
    }
    const struct mach_header* header = _dyld_get_image_header(image_index);
    MSImageRef image = MSGetImageByName(_dyld_get_image_name(image_index));
    void* symbol_substrate = MSFindSymbol(image, "_luaL_loadbuffer");
    NSLog(@"[Lovely] Symbol: %p", symbol_substrate);
    NSLog(@"[Lovely] Header: %p, Image: %p", header, image);
    NSLog(@"[Lovely] size of cmds: %i", header->sizeofcmds);
    char needle[] = "=[love \"arg.lua\"]";
    char * ptr = (char *)memmem((const void *)header, header->sizeofcmds, needle, strlen(needle));
    int straddr = 0x100000000 + (ptr - (char *)header);
    NSLog(@"[Lovely] pointer: %p, straddr: %i", ptr, straddr);
}

<Notice> 15:31:28 love[1454]: [Lovely] /usr/lib/systemhook.dylib
<Notice> 15:31:28 love[1454]: [Lovely] /private/var/containers/Bundle/Application/3EBCAC08-0F59-42EB-8474-A6C19E6176F0/love.app/love
<Notice> 15:31:28 love[1454]: [Lovely] Symbol: 0x1006ba968
<Notice> 15:31:28 love[1454]: [Lovely] Header: 0x1003d0000, Image: 0x1003d0000
<Notice> 15:31:28 love[1454]: [Lovely] size of cmds: 4496
<Notice> 15:31:28 love[1454]: [Lovely] pointer: 0x0, straddr: -3997696

Idk, is memmem returning anything?

Ditch the pointer to vmaddr math thing and only log the memmem pointer

yeah it's the ptr value whcih is returnign 0x0

Oh there’s your issue

Fix your memmem()

yeah but what am I doing wrong?

First of all sizeofcmds is not the right field lol

I’m not at my computer right now

When I get home in like 30 min I’m gonna be adapting my symbolfinder to run on device and I’ll send it to you

idk which value I would use

I can make an example that’s more directly applicable

I’m doing the exact same thing as him, so as soon as I finish it I’ll just send it all to him lol

send it to me too

https://gist.github.com/EthanArbuckle/6b3ce401dd1f98caadb29f0580a419df

Will this be able to find an xref that’s an adrp followed by an add?

@wooden yarrow you might like this lol https://github.com/acquitelol/ichigo

oh god so cursed

(so good)

look at main.igo 😭

imagine the horrors

imagine needing to write the characters seisuu on your keyboard for an int

oh it uses the full width characters

might as well make use of the english full width ones too

yeah easier to type with an ime

yea

@placid kraken how

ellec /usr/local/include/elle/std/runtime/index.le -o libelle.o -c -nogc -nosm -nofmt -nostd
thread 'main' panicked at src/misc/build.rs:25:10:
Failed to execute QBE.: Os { code: 2, kind: NotFound, message: "No such file or directory" }
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
make: *** [install-runtime] Error 101

you need to get qbe probably

What’s the licenses on this, cause I’m going to steal it 😂

right yeah that was the issue

thanks

$ ./いちご trol.igo
(identifier, 関数)
(identifier, メイン)
(punctuation, （)
(punctuation, ）)
(punctuation, 『)
(identifier, プリント)
(punctuation, （)
(string, これ結構英語で言う『カースド』やな)
(punctuation, ）)
(punctuation, 。)
(punctuation, 』)

incredible

😭😭😭😭😭

available without restriction. not my problem if it has bugs

soon it’ll be able to actually compile things

you know what ill make this even funnier by making all the debug prints jp too

@placid kraken this may be your first external bug report but uh

unicode is something i definitely did not have in mind when i wrote that function lmao i’ll need to rewrite it completely at some point

although that throwing an error is strange

「苺」がエレの開発を助けとるみたいやな：３

wait actually is it エリー or エレ

probably more like エレ actually

うん、少し：３

：３

:3

コピペやんけ

what the fuck did i click upon on

ごめんな、今の所＃開発は日本語喋るチャンネルになっとるねん

これは学校のプロジェクトで、先生は日本語を知らないんだ 🎀🎀

え

これ、大好きになるよ

hehe

うん＾＾＾

Translate in english plz

nee bc こないして说是 muy divertido

thanks

LMAO @wooden yarrow it interpreted え as 絵

「え」ってどない言う意味か知っとるん？

いいえ、どうやら違う 😭

「え」って言ったら「どない言う意味や」って聞いとるって意味やねん

まあ、わかってるけど、Google 翻訳はわかってないね

：３

わかってる、それは明らかだよ

と思う

まあそりゃグッグル翻訳使っとったら今喋っとる関西弁の癖と喋り方も全部消えてまう

？

うん、全部フォーマルだよ

ignore that i meant to apply it to the last sentence 😭

せやろ

英語から日本語に翻訳するときも問題やねん

うん

最初っから英語はこんなに喋り方とか癖とかないからかもしれんけど

まあバイリンガルの人やったらトーンでわかるやろう

help

なんや

wat

that is indeed a plausable translation of the message you're replying to, yes

まあ、仕方ないね。まだ勉強中だし、へへ

wat

？？

誰が勉強中って

ohhhh

"なんや" is a dialectal expression from the Kansai region of Japan, particularly associated with the Osaka area. It's an informal way of saying "what" or "what's this?" It can convey curiosity or surprise. In standard Japanese, you might see it as "何ですか" (nandesuka).

私😭

こっちはグッグル翻訳の話しとったんやけど、まあ

あ

The phrase "こっちはグッグル翻訳の話しとったんやけど、まあ" translates roughly to "I was talking about Google Translate, but oh well."

• "こっちは" (kocchi wa) means "about this" or "we."
• "グッグル翻訳" (Guguru hon'yaku) means "Google Translate."
• "の話しとった" (no hanashitotta) means "was talking about."
• "んやけど" (n'yakedo) is a dialectal way of saying "but."
• "まあ" (maa) is often used to express resignation or indifference, similar to "well."

Overall, it reflects a casual, conversational tone, likely indicating a shift in focus or acceptance of the conversation's direction.

i love ai slop

i mean it’s right

but?

thanks bro I attached my original code for working on file that I'm in the process of adapting to work in process now I just modified siguza's xref but yours is so much simpler

lol

確かにチャットジーピーティみたいなん使っとったら日本語の方言の癖と喋り方を掴みやすいかもな

The sentence "確かにチャットジーピーティみたいなん使っとったら日本語の方言の癖と喋り方を掴みやすいかもな" translates to:

"Indeed, if you use something like ChatGPT, it might be easier to grasp the quirks and speaking style of Japanese dialects."

• "確かに" (tashika ni) means "indeed" or "certainly."
• "チャットジーピーティ" (ChatGPT) refers to ChatGPT.
• "みたいなん" (mitai nan) means "like" or "something like."
• "使っとったら" (tsukattottara) means "if you were using."
• "日本語の方言の癖" (Nihongo no hōgen no kuse) means "quirks of Japanese dialects."
• "と喋り方" (to shaberikata) means "and speaking style."
• "を掴みやすいかもな" (o tsukami yasui kamo na) means "might be easier to grasp."

Overall, it's expressing the idea that using a language model like ChatGPT can help users better understand Japanese dialects.

you dont have to keep posting its outputs here

Ok!

うん、そうだね。なんか、翻訳が上手だね

誰が？チャットジーピーティのこと？

うん

まあそりゃLLMやからな

驚いたです

llm? where

そうだね

今さっきチャットジーピーティ言ったやんけ

w

i assume this means yes

no

ああ、もう1時だね。おやすみ🎀

it’s an informal way to say yes, it’s more like “yeah” in english

(should probably be 驚きました but .)

oh

nice

im gonna go sleep

gn

oop true actually good point

ほんまこっちも2時や、おやすみ〜

じゃね　(⌒▽⌒)

@tacit spade i am curious to know if you can understand the backlog of this convo

i’m curious would it be better to use 少し or ちょっと in this context

for a little bit

in where

in this

also i kinda got confused by like the mix of formal and casual lang mixed in here .

ちょっと is prob better

also i didnt realize what this said until the google tl output .

yeah i do that sometimes 😭 my notion of formality is all over the place

trold

did i write it incorrectly..?

what is it suppoed to say in english

actually

(strawberry aka this) is a school project and my teacher doesnt understand japanese

although i put sore

silly

ohh so prob more like 「これは学校のプロジェクトなんだけど先生は日本語を知らないんだ 🎀🎀」

(sorry i cant speak in hyoujungo v well so i just kansai ben)

yeah that would work too

god i literally cant think of what "なんやけど" would be in hyoujungo

i can raise it to the formal 「なんですけど」but wtf is the casual form in hyoujungo

ohhh right chatgpt told me it would be「なんだけど」

なんだけど is what i was thinking but i wasn’t completely sure

ずっと関西弁喋っとったらごっつい標準語喋るの難しいw

because iirc there’s a pattern where you replace da or desu with ya in kansai ben

right

草

me when no theory knowledge

🎀

anyways gn

I am convinced that the most incomprehensible dialect in Japan is Tsugaru dialect (I don't even think it's Japanese anymore)

gn

true

@cloud yacht @robust radish here's your symbol finder wilson it grabs all the symbols that lovely-injector is actually using

have fun hooking that up (or better yet, converting it to rust lol)

you'll need capstone for it, but you can actually use the static library from https://apt.procurs.us/pool/main/iphoneos-arm64-rootless/1800/capstone/libcapstone-dev_5.0\~git20230223.6e6e602_iphoneos-arm64.deb and you'll be good on all platforms

Thank you I will look into it

mister objc giving me that xref() saved me a ton of time

I didn't have to fixup siguza's to work on mapped binaries

lmk how it goes

will do

my mac has procursus on it so will jsut installing libcapstone-dev on it be enough or do I need to pull in the ios builds?

You need iOS build

the linked deb doesn't work

like it's a 404

https://apt.procurs.us/pool/main/iphoneos-arm64-rootless/1800/capstone/libcapstone-dev_5.0~git20230223.6e6e602_iphoneos-arm64.deb

And yes, that static library will work fine on both rootful and rootless

Just put the libcapstone.a into your theos lib and the capstone folder into theos include

This deb has it at include/include/capstone for some reason though lol

yeah I noticed that on the mac one

Don’t do the extra include, that’s a bug

not sure how I should build this for iOS

tried clang -I./lib/include -L./lib/lib -lcapstone patchfinder.c -target arm64-apple but it couldn't find mach-o/dyld.h

that should be in your SDK

If it’s not in your SDK, it should be in your theos headers

This code should be compiled into a dylib and injected into Balatro btw

You can just do it with theos even

I have an idea, to get this to work in lovely injector you should make a version of the libloading crate that is specifically for grabbing these symbols that is api compatible and just gets swapped in when you compile for iOS

I got it to compile and hooked up to rust but it can't find the symbols (also it is warning me about ios version differences)

Hm good luck

I hope you figure it out

me too

where the hell do I begin

since i need to recompile this from scratch I got time, is there a way to pass args to an iOS app (argv, enviroment variables, etc)

Wrong target + no --sysroot

its arm64-apple-ios(ver)

arm64-apple-ios13.0

I ended up just giving it to the rust cc crate which I belive is handling the target correctly (probably)

Also why ios 10

idk

I'm assuming something weird with cargo

Isn’t apple arcade 13+

I'm not sure how it's even choosing it's target ios version

That’s minimum ios ver rust supports

I was experimenting with stuff and was wondering if rust wasn't liking that it was a pointer to a function so I tried making a function to just return the value and calling that and now I'm getting

Try setting IPHONEOS_DEPLOYMENT_TARGET=13.0

Also

x64_86-darwin

????

????

this would be capstone isn't targeting correctly?

yeah I had to build rust from source for arm64e so thats a toolchain for compiling on x64_86-darwin machines

do I need to link to capstone when building the patchfinder or building my main library?

That changes it but still complains

setting it to 16.4 doesn't complain

idk why it wants that verision in particualr

building the main library

it compiled for arm64 but arm64e isn't working now

looks like capstone doesn't have an arm64e slice

update @ocean raptor

it seems to crash when running on non-balatro love apps

#development message

I don't know what exactly you're trying to do here but if it helps: There is absolutely no reason to build for arm64e unless it's a dylib that you want to be able to inject into system processes

i have a phone with trollstore 17.0. Would i be to directly plant a file into an apps data from my computer with like a py script or something? Or would i need to elevate some stuff with trollstore before i could do that? If it helps i already have filza installed not sure tough if that has some kind of api or something

Put some logs in the symbol finder and lmk if every symbol is actually found

ok i have to ask

are my sentences coherent

i talk with people in jp pretty often but i usually do a lot more reading and don’t say very much

by coherent do you mean understandable or

like grammatically correct (for the most part)

yes

good

@wooden yarrow i was having this conversation a few days ago

what is the most common usage for “everything”

－　全て
－　すべて
－　全部

全て is the same thing as すべて

from what i know 全て is more formal than すべて

and 全部 is the least formal

maybe in text

equivalent in speech

well yeah obviously it’s the same pronunciation lol

although in recent writing i think 全て is equivalent in formality to すべて

ah

and 全部 is less formal?

i think you use 全て/すべて and 全部 in different contexts actually

ah

or well you're more likely to use one over the other

well yeah surely because formality right

zenbu is casual and subete is more formal

全て消す instead of like 全部消す for example although the latter does still work

or is there another context when you would use one over the other

hmmm

in literal terms 全て is "all" while 全部 is from "all parts"

i see

I guess I should ask, where is it crashing? Is it crashing when hooking? When running the hook? When running orig? When symbolfinding?

That looks like some mod is loading nativefs.lua which needs to be fixed to support macOS/ios

Orrrr

I guess we need to get the symbolfinder to find PHYSFS_getMountPoint

Idea: get the symbolfinder to locate PHYSFS_getMountPoint then MSHookFunction dlsym to return it if it’s searching for the symbol

It was crashing while symbol finding. I was going to do some debugging but it was late so I was going to bed right away.

I wonder if just exporting the symbol from the symbol finder/rustland would be enough to find it

Also I guess I could have sent this other video I made with debug mod working https://media.discordapp.net/attachments/1324835018299670558/1331548962636824596/RPReplay_Final1737536386.mov

I tried adding logging, thought it doesn't seem that it worked. However I can see the print I had in the assembly view so hopefully this should help

For some reason its not making a log but I can get one from last night

https://haste.antti.codes/tecererele

Importantly: t’s crashing when a mod is trying to dlsym a symbol provided by love, not when my symbolfinder is running

The solution is to update my symbolfinder to support finding whatever symbols the nativefs lua module is trying to ffi

Then hook dlsym to return that function when passed the name of it

I might also be able to patch the mod to not need that native function

My solution seems better but whatever 🤷‍♂️

it probably is

I can provide the lua of the crasig function if it would help

No, I found it

though I get a real crash wne opening a non-balatro love

It’s the nativefs module’s ffi

Where’s the crash log bro?

#development message

for these there are symbols so I can probably do some heuristics on them to switch to MSFindSymbol

but idk if some other love app will come to popularity and not have symbols

probably because of the functions that I did searches for specific bytes

yeah

hold on I can send the ipa for the one

I already have it

oh okay good

Just ditch these searches and get real symbol finding like I did for the other functions

fair enough

Also, please update my code to close the capstone handle lol

oh yeah did I mention my cursed fix for the issue earlier of it not finding symbols

I saw that yeah

Please make it just bail out if symbol finding doesn’t work instead of crashing btw

I suspsect it might be memmem going to far and getting killed

also does this mean I can just use an arm64 build and I didn't need to comple rust from source for arm64e?

Yes

App Store apps are never arm64e

No

Unlikely

https://www.youtube.com/watch?v=lhp1YMl3mjw

Cause the memmem only scans the __TEXT.__text section

so where is it crashing?

Attach lldb to it

I do but theres no symbols

2025-01-22 04:32:12.6370 -0700 default 0x428f0 0x0 Balatro[3044] (LovelyPatchfinderPOC.dylib): [Lovely] pointer: 0x0, straddr: -1900544

This is probably part of it

lol

wait where is this from?

Who cares about symbols, show me the instruction it’s crashing on and the context around it

The very bottom of the crash log you sent me

#development message

oh that was another thing I was working on (but failing)

I should remove that

More context

I thought the printf was supposed to go to xcode but I don't see where it would be

Does whatever binary you’re trying to hook have the code point string?

Yeah seems like it

Wait it’s crashing Balatro?

fake balatro

Idk

From this tool https://github.com/blake502/balatro-mobile-maker

is there a quick way to see if a binary still has symbols?

I sent my symbol finder but that runs on macho files yesterday

Find that and get it to compile and you can run it on your Mac

whar?

@cloud yacht

Compile that a run ./a.out Balatro and it’ll try to find all the symbols

real or fake balatro

do you have the macho.h

Either

Replace that with mach-o/dyld.h

first is fake second is real

Wtf

Decrypt your real one lol

I thought I did

That doesnt look like it got decrypted

oh wait I might've only put the decrypted one on my pc not the mac

wait I might've mixed up my binarys

okay here is the non-balatro for sure one

Ok cool

Seems to work fine

So why is it crashing on the in memory version?

Idk

lol

true

attach lldb to the app and step through

I'm not sure how to get it to have the proper debugging info to let me do that

probably I just don't have the nessicary debugger knowledge to do this

Don’t strip your binary

I tried doing debug build and it didn't work but I just realized that puts my deb in a different place so I installed the wrong deb

oh I also just broke my deb script for debug builds

There we go

thats for the codepointstr_xref

Oh yeah this may be useful

seems odd that has bad access

hmm on love it crashes on the lua_noenv_xref

yeah frankly idk whats going wrong and for some reason I can't debug normal balatro to see whats different

uhhh does anyone know how to prevent injected dylibs from appearing in the list of NSBundles, and/or how to use dopamine's .fakelib to disguise the origin of these

I FIGURED IT OUT

Ugh this is so stupid

Look at the very top of the constructor

Where it finds the image index

It's not that

the fake balatro app has the same name and I modifed it to find the love one

although it seems like if it fails to find it will keep running which it shouldn't

also I verifed in the debugger it had the right image name

Ok well I’m going to update that xref function to only scan __TEXT.__text and we’ll see if that fixes it

Or actually you can do that

isn't that already what it does?

also doesn't the mh's cancel out here?

No

But I am questioning that math

No, it does the entire macho

so would i just want to change end to seg->vmsize?

No

I don't get how this end pointer works

We’re gonna rework this entire logic for getting it

right

seg has vmaddr

so can current not be vmaddr and then end be vmaddr + vmsize?

that didn't fix it but it also didn't break it

Well have to and the slide to vmaddr I think

oh is the slide it's spot in memory rn?

uint64_t xref(const void *text_sec, size_t text_sec_sz, uint64_t string_addr) {
    uint32_t *current = (uint32_t *)text_sec;

    uint32_t *end = (uint32_t *)((uintptr_t)text_sec + text_sec_sz);

Try with that

You’ll have to update the forward declaration and all the calls to xref() to pass in the text_sec and text_sec_sz vars instead of mh and text_segment

new crash

looks like this is caused by codepointstring_xref being 0

but now xref isn't erroring

Ugh, what is the value of codepointstring_xref?

0

Ugh

What is codepointstr addr?

The address that is getting xref’d

Also potential new issue

Hahaha

OK yeah these memmem() for bytes ain’t working

In hex pls lol

104E4D9A7

I'll have to check where this is used to see if this is happening on the real balatro

On a real Balatro, I think it should only find lua_tolstring or luaL_checklstring

it seems ot be functioning proper on real balatro so I'll assumue it correctly found the function

It isn't pretty but I got it to work

What’d you do?

I checked if any of the xrefs were null and if so returned early and set a flag there was an error. Then in rust code if there was an error fallback to using MSFindSymbol

since the other two have symbols this works

Hmm

That works

yeah

so if I'm only building for aarch64 do I need to worry about old and new abi?

no

nah they only changed the auth/got abi

also can I use the same build for rootless and rootful if I just set my rpath to include the rootful paths?

Same dylib, not same deb

Oh nice that would simplify my build process

hooking a specific instance

object_setClass?

Oh

The code is there

Okay yeah

Had to do that in Rune to fix a tweak conflict

What about a keyboard conflict

nope

did i just notice that objc uses YES and NO as booleans

and not true or false

Both

brainfuck

1/0 >>

i hope you

bro

NULL YOURSELF

Sorry

(night bullied me into not using them smh)

yes

do not

thank you

good job @radiant idol

😭

icraze's original statement was right

1984

MOds

llease keep deleting maxines message

thank you

https://tenor.com/view/goodbye-krill-world-krill-lobster-lobster-fried-krill-fried-gif-7150912747510295957

@modulators

self report

what if instead of icraze we just had craze

Proton Mail Bridge

what the fuck am i saying

@modturators

reels

What if 16player had good code

Hard to even imagine.

https://cdn.discordapp.com/attachments/1308149005267501190/1330247389868589297/caption.gif

honestly real

🤔

16player may just be the definition of “if it works it works”

@shut stag Can you check audit logs and see who's deleting my messages and shit 👍

i plead the 5th

16player

that's horrifying

its the definition of “if it works dont touch it”

?

mods

snipe

now

@lofty juniper

I saw that

?

farther back

what if it's like 16player and doesnt work

Fuck.

maybe don’t say shit like that to minors

so the cow falls

it’s fine bro

i am a minor :/

twas a silly joke

yea exactly why i am

ok

nvm

oh, i’m revoking your manage message perms now as well

what ❓

you’re not to delete messages in development.

:/

Based Nooka.

everything im not made me everything i am

@hasty ruin

question

is it possible to make a react ios app

i know discord is one

yes…?

dont

but how hard is it actually

to make one

it’s just react native

Making RN apps should get you banned from this channel

it’s native in the ios framework?

no

then why the hell does discord use it

stupid shits

Making 16player should get you banned from this channel

because they do cross platform development?

cross compat between ios and android

react native makes that easier

True

but

🗣️

thats just

I think neither of them have delete perms lmao

more work for them

react is so much more buggy than just using swift or uikit

swift and uikit dont work on android

bro they can hire dedicated teams for android or ios

makes it harder to sync development

theres no purpose for them really

react native does the work just fine, its just us jailbreakers who dont like it

there’s so many features on ios missing that desktop/android has

that's not due to the language

they're just lazy

or maybe its just a limitation cuz of react

Not really a jb thing, it just runs like ass

no its not? whar

and also isnt react incredibly slow

no, android is react native too

dc is RN...

a 20mb app should not take 15 seconds to launch

on all platforms ?

but it doesnt

they’re not synced tho are they

like theyre not

it takes 2 seconds maybe

identical

ok lemme close discord really quicn and launch it

and see how long it takes to get to this channel (which discord should automatically do)

now enable tweak injection

7 seconds

broke ass phone

A15

ok a17 pro launches under a second

a second is still slow

or under

I mean when you need to make network requests its not bad.

buddy.. have you used a meta app

no

meta uses react and react native too

thats because they made react

what

oh

well that probably explains why they actually have good usage and speeds of it

Instagram is a good app because it’s actually still native

@hasty ruin

do i fix some issues at my code and stay awake all day or get 55 minutes of sleep and do not fix my code

decide

quick

https://cdn.discordapp.com/attachments/1209506360987877408/1323142460393918608/rendered.gif

noo

i go sleep

gn

gn

You gonna wake up tired if you sleep now

Dead chat

i thought that was common knowledge lmfao

@cloud yacht so is all that’s left is to update the symbolfinder to find the PHYSFS_ symbols?

TIL C files must end with a newline

What

that's not just for C it's for all text based files

it's in the POSIX standard

all text files must end in a newline because otherwise the last line wont be counted as a line

what

what

yeah it would apply if you wanted to use POSIX utils

Because of the missing newline char?

yes

what is an empty string in C

wait wouldn’t that be just a ptr to NULL

no

ptr to null terminator \0

^

pointer to a valid region of memory containing a null terminator

that is what i said

predictive code completion is ass

why are we checking for iOS 11 in 2025 bruh 😭

i legit did yesterday 💀

NULL != Null terminator (probably)

null terminator is an i8 that holds the value 0

NULL is usually a macro to 0 in most C compilers

so usually it is identical

just semantic differences maybe

a pointer to null is not the same as a pointer to memory that contains null

can you show an example

doing

char x[1];
*x = 0;
``` is an empty string surely

0 == ‘\0’ anyway

// The absence of string
char* a = NULL;
// Empty string
char* b = "";

// idk if your printf has null checks or not
printf("a: %p (%s)\n", a, a);
printf("b: %p (%s)\n", b, b);

printf("b[0]: %d\n", b[0], b[0]);

remember, a string is a pointer to contiguous characters in memory, so a pointer = NULL is not the same as a pointer to memory where the one and only character is 0

absence of string vs empty string

you probably understand by now but

swift be like: "contiguous" nah fuck that

rude

yes, a pointer to null is a valid address that points to NULL, 0

i did not say the ptr itself is NULL

i said the ptr points to NULL

that isn’t what i said lol

read what i said earlier closely

“ptr to NULL” not “ptr that is NULL”

or am i going insane

an empty string in C is a pointer that points to a zero char

that is equivalent to what i said i think

the size of a char is at least 8 bits and platform-defined

well not going by the C abi because NULL can be anything it doesn’t need to be 0 but it tends to be 0

pointer to NULL is interpreted as ptr = NULL, at least to me

the pointer points to address 0

windows with wchar

but that's wchar

idk its language nuance

ah i guess that’s another way to interpret it

Also wchar is a stupid type it doesn't even work

i see

who decided to make wchar 2 bytes come on

any MS type is just dumb lol

Microware

usually i think of the ptr itself as the address

same, cuz i mean, it is lol

so when i think of a ptr to NULL i think like “ptr, aka some number, that when derefed gives 0”

isn't wchar_t a standard type

i think the size of that is also platform defined

that is so fucking cursed you can’t even do utf8 with it

what’s the point