Leaderboard

GameGuardian work without root So, as for work without root. This is not magic. Technical limitations were, and have remained. So it will not work anywhere and always. Actually it looks like this: 1. You put an application of virtual space (Parallel Space, VirtualXposed, Parallel Space Lite, GO multiple, 2Face and many others). 2. In it you add the game and installed GameGuardian. 3. From the virtual space application, you launch the game and GameGuardian. Actually everything. GameGuardian can be used to hack the game. Everything is simple and transparent. It was a good part of the news. Now about the bad: 1. The game has zero progress. You can not transfer the progress from the existing installation of the game, if the game itself does not provide it (through the cloud or somehow). 2. Not all games work through virtual spaces. 3. There may be another account in the game. 4. Not all functions will be available in GameGuardian. 5. On some firmware it does not work at all. If you cannot choose a proсess in GameGuardian, or get an error 105/106, then on your firmware, GG, without root, will not work. Try optimized versions of virtual spaces or another firmware or other device or get root. 6. In some virtual spaces GameGuardian does not work. What can be done in case of problems: 1. Try different virtual spaces if the problem is in them. Best option: Parallel Space. 2. Try changing the firmware. 3. Get a root and do not fool yourself. Once again: it will not work at all and always. It is possible that it will work for you and will not. Virtual spaces to run GameGuardian without root (#ct7bob3) Proper install without root - GameGuardian (#abausujp) Help: https://gameguardian.net/help/help.html#work_without_root Video-examples: Balls Bounce Free - hack balls - without root - GameGuardian, Parallel Space Bejeweled Stars: Free Match 3 - hack without root - group search - GameGuardian, GO Multiple Hack Tap Counter without root via GO Multiple on Android 7.1.1 - GameGuardian Hack Tap Counter without root via GO Multiple - GameGuardian Work without root via Parallel Space - GameGuardian Work without root via 2Face - GameGuardian Work without root via Mutiple Accounts - GameGuardian Work without root via GO Multiple - GameGuardian No root via VirtualXposed - GameGuardian (#b6l7k1qu) No root via VirtualXposed (without error 105) - GameGuardian (#bpb5835m) No root via optimized Parallel Space Lite - GameGuardian (#47glijbj) No root [from scratch] (boring and long video) - GameGuardian (#9rf9317c) No root via Dr. Clone - GameGuardian (#aft8whcy)

Hi @chrislin2k, Currently Game Guardian haven't been updated for quite some time. There's 3 thing that you can do: - Use Virtual Machine: VPhoneGaGa, VMos Pro, x8SandBox, F1 VM - Change Game Guardian SDK version to 33 using: APK Editor - Force Install Game Guardian using ADB: adb install --bypass-low-target-sdk-block gameguardian.apk

So I believe this game already has all your dice rolls calculated for your account. Server already knows where you'll land on your next roll. I believe minigames, outcomes are already determined before you even land on them (pre determined like all your dice rolls). Wouldn't it be nice to know how much your next roll would've won, then you would've done multiplier to maximize....... Well, that's just what this is going to be about. To see your future rolls/minigames, you'll have game open and switch to offline mode. Using a root file explorer navigate to here: /data/data/com.scopely.monopolygo/files/ Each turn you take a file is generated, something like this: 48d4483b70674c02951ddfd3a289f5d7.ca When you reconnect, it'll send these and get your account synced. If you get prompted no connection, you can click back to remove message and tap roll really quick. So you can roll indefinitely and write down/log all your rolls. Even if you stay on one board logging it all. When you switch to a new board, your dice roll continues. Not like a new board, new roll pattern. When you land on a spot that gives a good size reward. You can delete those .ca files, close, restart game online and use max multiplier to really bonus up those wins. Bank Heist, don't think you had a chance of picking the right combination.... No matter where you selected, what flips over, will always be same when you play it again. So if I flipped coin, ring, cash, cash, ring, cash. When I go to play again, it's going to be that exact order. See attached video. I'm honestly really disappointed in my findings with this developer. It feels like a scam of a game and you're not really "playing". It's basically scripted and if you do x1, x5, x10 at ideal times, that's about the only user "input" that seems to have a chance on the outcome. mobizen_20230426_211255.mp4

New version 12.0.1.5.4 released!

So what I'm finding, I think should be noted and possibly call out the developer on the matter. I'll probably share what I know and how it can benefit within a couple days or so... I'm not really impressed though with the developer. It feels like a scam of a game, you'll all see after I do more tests.

Armv8 C80E42B8r;081540FDr::3809 Edit 28008052r;E803679Er And if you want to set so you can claim all without playing (set number of keys collected). Offset (Version 6.9.5) 3FBCA54 Edit 00FA8052r

New version 12.1.2.5.0 released! read change logs!

New version 12.0.2.5.5 released!

No luck... Definitely have put some time into figuring out dice. And not making any progress. Still trying though.

https://www.mediafire.com/file/6qowx7yuctayo3t/rr3_race_mode.v11.4.1.4.9.x64.bin.lua/file

Working on it.... Their is some stuff in the dump, that if server didn't kick back an error, would be perfect.

View File RR3 v12.0.1 Reset bonus price (VP) Reset bonus price (VP) in all rounds, both architectures And open all expired rounds. This script uses pointer chains, so it may not work with another game version. Tested on NOX 7.1.2 (32bit) and tablet with Android 10 (x64) and VirtualXposed. reset-vp.mp4 Submitter Count_Nosferatu Submitted 04/29/2023 Category LUA scripts  

New version 12.1.2.6.1 released!

New version 12.0.2.5.4 released!

New version 12.0.1.5.4 released!

New version 12.0.1.4.14 released!

New version 11.5.2.4.11 released!

New version 11.5.1.4.1.x64 released! Added 'Search mode' Changed menu

Sorry for the delay on this y'all, I was away for a bit. The issue was affecting new uploads because of security changes we recently made. Should be resolved now.

Hi, your game is protected with CodeStage anti cheat, thankfully this is one of easy one to bypass. First you will need to dump the game using Il2cppDumperGUI any or il2cpp dumper of your choice. next you're going to look for CodeStage detection methods. note those StartDetection methods, most have some overload if you want to be safe you will need to bypass them all, but it is rare that the game use them all, but better be safe than sorry. so here is the list and overloads. CodeStage.AntiCheat.Detectors.ObscuredCheatingDetector StartDetection(); // 0x00818a3c static CodeStage.AntiCheat.Detectors.ObscuredCheatingDetector StartDetection(System.Action callback); // 0x00818ce8 CodeStage.AntiCheat.Detectors.ObscuredCheatingDetector StartDetectionInternal(System.Action callback); // 0x00818b70 System.Void StartDetectionAutomatically(); // 0x00819058 static CodeStage.AntiCheat.Detectors.SpeedHackDetector StartDetection(); // 0x008190e0 static CodeStage.AntiCheat.Detectors.SpeedHackDetector StartDetection(System.Action callback); // 0x0081948c static CodeStage.AntiCheat.Detectors.SpeedHackDetector StartDetection(System.Action callback, System.Single interval); // 0x008194e4 static CodeStage.AntiCheat.Detectors.SpeedHackDetector StartDetection(System.Action callback, System.Single interval, System.Byte maxFalsePositives); // 0x0081954c static CodeStage.AntiCheat.Detectors.SpeedHackDetector StartDetection(System.Action callback, System.Single interval, System.Byte maxFalsePositives, System.Int32 coolDown); // 0x008195c4 CodeStage.AntiCheat.Detectors.SpeedHackDetector StartDetectionInternal(System.Action callback, System.Single checkInterval, System.Byte falsePositives, System.Int32 shotsTillCooldown); // 0x008192dc System.Void StartDetectionAutomatically(); // 0x00819a54 static System.Void StartDetection(); // 0x00818648 static System.Void StartDetection(System.Action<System.String> callback); // 0x008186b0 System.Void StartDetectionAutomatically(); // 0x008187e8 there is two way to bypass those. 1. you can just patch each of them using the "NOP RET/BX LR" opcode. 2. allocate memory page and replace and replace those method with there respective StopDetection, that mean when the game call StartDetection instead it will call StopDetection Now for GEMS/XP/Gold/Health Note at this stage since you have already bypassed the AntiCheat editing your stat wont trigger anything. but you need first to understand how ObscuredInt work. note every obscure value you see on your screen is a fake value. you should not edit it directly but the edit the hidden value using the crypto key. Here bellow is what you need to remember about the structure. public struct ObscuredInt [FieldOffset(Offset = "0x0")] private int currentCryptoKey; [FieldOffset(Offset = "0x4")] private int hiddenValue; [FieldOffset(Offset = "0xC")] private int fakeValue; (what you see on screen) What you see on your screen is the fakeValue. to edit it you will need to edit the hidden value. Here is how to. (note offset might varies depending on the game and version so you better have the latest dump and check the correct offset) When you find an ObscureInt fakeValue. you need to go back into the base pointer so in this case: fakeValue.Address - 0xC which will bring you to currentCryptoKey copy the value of currentCryptoKey in (DWORD) then offset to currentCryptoKey.address + 0x4 this will bring you to the hiddenValue now to edit this to your desired value you need to perform XOR (exclusive OR) to your desired value using the currentCryptoKey as a key. you can do that inside gg, you type the value then apply the xor key That it you are done. you can edit any ObscureInt using this method. now specially for your game there are some vulnerabilities that i found you can exploit to edit your stat and in game money. there are some method likes: public class game_manager : MonoBehaviour [Address(RVA = "0xA65A94", Offset = "0xA65A94", VA = "0xA65A94")] public void gem_plus(int gem) [Address(RVA = "0xA65890", Offset = "0xA65890", VA = "0xA65890")] public void gold_plus(int gold) [Address(RVA = "0xA64DFC", Offset = "0xA64DFC", VA = "0xA64DFC")] public void iron_plus(int iron) All those share the almost the same structure so i will be giving an example only for gem_plus In this de-compiled function gem_plus, you can see that they are loading the value of the ObscureInt field public ObscuredInt gem_total; // 0x2CC into the variable puVar1 which later on they add it value + param_2 which is the gem parameter, to instantiate a new ObscureInt from that sum. the result of that sum will be stored into the register W0, so all we have to do is just hijack this register and change the value to what we want. here is a video of how to do that. This method do not trigger the anti cheat cause the game is writing legit value for us. also if you want to move large value you might want to explore the MOVZ instruction or you can allocate a memory page and spam multiple ADD instruction like this add w0, w0, #500000000 add w0, w0, #500000000 add w0, w0, #500000000 add w0, w0, #500000000 add w0, w0, #500000000 .... Last thing for gems you will need to stay on the main screen like in the video when you start the game cause that function trigger only there. I kinda like the game i might continue working on it and update this thread

[ Introduction ] Hi @everyone, in recent times, Android has just released version 14, which includes some SDK restrictions. The requirements are that apps should at least be under SDK version 24+, or else installation fails. Another problem is that Game Guardian hasn't been updated for years (March 22, 2021, since the last update), a total of 2 years. I understand that life can be unbothered sometimes, and I hope there's some confirmation regarding this instead of intending it as an "unforseeable future" kind of thing. I've seen a rising number of these issues on Help, General Discussion, and in other possible sections of the forum. I recommend anyone who has a newer device or just recently updated to Android 14 to follow this topic. Here, I propose several possible solutions regarding this issue: [ Main Course ] You can bypass SDK enforcement using shell commands, which you need to install Game Guardian manually through command line. You can achieve this through ADB: Android Debug Bridge or Termux: Terminal for Command Line application. This tutorial will split into 2: { ADB: Android Debug Bridge } This step doesn't require "Root" permission, but before proceeding into the main tutorial. We should prepare several things: Computer / Laptop running Windows OS A cable data Download ADB depedencies: here Android device with "USB debugging". If your device "cant be recognized" or simply not exist on "Device Manager", you need to install: Universal ADB Driver Then read: XDA: Install ADB & Enable USB Debugging. Now put this command on your command prompt / powershell / gitbash / or whatever terminal you use: # Check if our device works properly adb devices # Install Game Guardian manually through ADB adb install --bypass-low-target-sdk-block <path_to_game-guardian.apk> # If ADB is unresponsive / bugged, do: adb kill-server adb start-server { Termux: Terminal } The only requirement is you need "Root" permission, this is the most easiest way. Since you're going to Install Game Guardian, I assume you already have one (Yes, Game Guardian requires "Root" permission, duh). Download: Termux and Just go ahead execute this command: pkg update pkg upgrade pkg install tsu pkg install android-tools sudo adb install --bypass-low-target-sdk-block <path_to_game-guardian.apk> { Virtual Machine } This is suitable way for non-rooted users. Android 14 is relatively new, some of your ROM/OS might not support "Rooting" yet. Virtual Machine allows you to emulate another Android inside your Android 14 (or etc). Usually it comes with older Android version. I suggest to use Virtual Machine with Android 7 or 9 as you're not going to face any redundant issues, like Android 10-14 did. I would recommend using "VPhoneGaGa": VPhoneGaGa VMos Pro X8Sandbox F1VM { Modded APK } You can try to edit Game Guardian SDK: ("android:targetSdkVersion" to version 24+) and ("android:minSdkVersion" to 24+) on Manifest.xml using: APK Editor. You can also download already modded Game Guardian here (credit to @HEROGAMEOfficial ) : : Game Guardian : [ Aftermath ] With that, you can simply reference this topic in case there's someone that facing the same problem. I hope this topic can help you and other people. Thank you for reading.

New version 12.2.2.5.1 released!

My grandfather used to say: "Everything is new, this is long forgotten old."

New version 12.1.2.6.1 released! see changelogs

Disclaimer: This guide is for educational purposes only. The techniques explored here are intended for understanding the technical aspects of Android games. Users are advised to use this knowledge responsibly and within legal and ethical boundaries. I disclaim any liability for misuse or unauthorized activities. Use this information at your own risk. As you explore with me, remember it's all about learning, not mischief. If you decide to try out any of these tricks, make sure it's within the rules and plays nice with the devs. I'm not taking responsibility for any shenanigans, so be cool, and enjoy the learning ride. Cheers! Goals : • Identify server-side data from local data. • How to tamper server-side data . • bypass SSL encryption. Requirement : • You should be familiar with requests ( http ) . • You should have some level of knowledge about reverse-engeneering / Exploits / etc. Tools : • GameGuardian. • Frida. • IDA (Pro). • BurbSuite / any other proxy interceptor. • LUA Decryption and Encryption for cocos2dlua. Difficulty : 8/10 ----- Let's Dive IN -----First step is to collect information about the game start playing the game normally to get some information about it, it's concept and what data they have like items , coins , gems , vip , battlepass, etc and what they call it in game. Open GameGuardian or root explorer to know what engine the game use and it's libs, like libIl2cpp.so for Unity , Cocos2d for coco's 2d games , or a custom lib built on top of other games engines like libLotaApp. BurbSuite Start Intercepting traffic. Set Up Your Environment Install Burp Suite: Download and install Burp Suite from the official website. Configure Your Android Device: Connect your Android device to the same network as your computer. Go to Wi-Fi settings, find your connected network, and set the proxy to your computer's IP address and the port Burp Suite is running on (default is 8080). Step 2: Configure Burp Suite Start Burp Suite: Open Burp Suite and go to the "Proxy" tab. Configure Proxy Settings: Under the "Options" tab, go to "Proxy" settings. Ensure the proxy listener is running on the IP address and port you specified in your Android device's Wi-Fi settings. Install Burp's CA Certificate: In Burp Suite, go to "Proxy" > "Options" > "Import / export CA certificate." Click "Save CA Certificate" to save the certificate. Transfer the certificate to your Android device and install it. when Exporting the Certificate You should put the Extention of it .ctr Step 3: Configure Android Device Install and Configure Proxy on Android: Ensure the proxy listener is running on the IP address and port you specified in your Android device's Wi-Fi settings. For APN edit the Access point name : Install the Exported Certificate from burb to your Android phone Step 4: Start Capturing Traffic In the "Target" tab, you should see the target host(s) that your Android device has communicated with. Browse on Android Device: Open the browser on your Android device and start browsing. Burp Suite will capture the traffic, In the "Target" tab, you should see the target host(s) that your Android device has communicated with. Inspect and Manipulate Traffic: In the "Proxy" tab, you can intercept requests and responses, inspect them, and even manipulate them before forwarding. Use Other Burp Suite Tools: Explore other tools in Burp Suite, such as "Repeater" and "Intruder," to perform further analysis and testing. Hierarchy: The Site Map is organized in a hierarchical structure that represents the different hosts and paths your client has communicated with. Hosts and Paths: Hosts represent the web servers or domains that your client has interacted with. Paths represent specific URLs or routes within those hosts. HTTP Methods: Each entry in the Site Map includes information about the HTTP methods used (GET, POST, etc.). Status Codes: The status codes of the responses (e.g., 200 OK, 404 Not Found) are displayed, providing insights into the server's responses. Request and Response Details: Clicking on an entry in the Site Map reveals detailed information about the request and response for that specific interaction. This includes headers, parameters, and content. Filtering and Searching: You can filter and search for specific requests or hosts, making it easier to focus on relevant parts of the traffic. Context Menu: Right-clicking on an entry provides a context menu with various options, such as sending the request to other Burp Suite tools for further analysis. Interactivity: The Site Map is an interactive tool that allows you to manipulate and analyze the captured traffic in real-time. Use Cases: Analysis and Debugging: Identify patterns and anomalies in your web traffic for analysis and debugging purposes. Security Testing: Spot potential security issues, such as vulnerabilities or unusual behaviors. Mapping Application Flow: Understand how different paths in your application are accessed and interacted with. select all URLs and right click -> delete selected items ( we don't need them ) launch the app and watch what the app send when it execute I launched "Mythic Su*moner" and this traffic get captured But Most games use SSL pinning and they don't show the full trafic even when intercepting with them . in this case we need Frida to UnSSL it. ( u can use it to bypass root detection aswell ). SSL pinning, also known as certificate pinning or public key pinning, is a security mechanism employed in applications to enhance the security of SSL/TLS connections. It involves associating a specific SSL certificate or public key with a particular domain, and the application will only accept connections with that specific certificate or key. Normal SSL/TLS Connection: In a standard SSL/TLS connection, a client (e.g., a mobile app) connects to a server, and the server presents its digital certificate to the client during the handshake process. SSL Pinning Process: With SSL pinning, the client embeds a specific SSL certificate or public key within the application. When establishing a connection to the server, the client checks whether the server's presented certificate matches the embedded certificate or public key. Verification and Trust: If the presented certificate matches the pinned certificate or key, the connection is considered trusted, and the communication proceeds. If there's a mismatch or the server presents a different certificate, the connection is rejected, preventing potential man-in-the-middle attacks. Using Brbsuite To listen to the game traffic is man-in-the-middle attack. that's why Most of the trafic is rejected in the 1st capture FRIDA Connect your phone with ur pc via USB & and inject an Agent into the process to UNSSL Pinning : when You UNSSL the game you get More Trafic : With this traffic UNSSLed you can play with it, inspect it and modify it with the repeater ( this is how you hack the server-side ) this method called Tampering data. How to Identify Server Data and Local Data. Select the inapps.appflyer.com and watch it when you play every changement in data ( server side ) get registered by this url ( most cases ) it will send a gzip to server and save it there . any local data will be saved in your machine ( android device ) or memory and the inapps.appflyer.com won't send a request. Some games use SOCKET to connect the game and the server and keeps the connection open until the game get terminated or the server get shut down, with burb you can Intercept sockets aswell. TIP : while you intercepting traffic from burb open the lib with IDA pro to dissassemble it. IDA make sure IDA fully dissassemble the lib by showing idle on the buttom go to the functions menu hit ctrl + F to start searching for keywords I mentioned at the beginning ( gold , items name , coins , player stats etc ) when I search for the keywords no functions / methods found that mean the logic and the data proccess isn't in the lib nor in the traffic ( most of them ) that means the only way to store the logic is in the files in this example game. if you found functions your starting point start with frida, you can use Frida to hook it and track the pointers and afterword GG to create a script. Decrypt LUAC take the apk and unzip it ( open with rar / 7zip ) you'll end up with the game files and Done the logic is found in the game files , the game use lua to run with C and cocos2d. but the game won't leave the game logic and codes open and public the must use some sort of encryption to it , for that they use LUAC is the Lua compiler responsible for taking Lua source code and transforming it into Lua bytecode encrypted. try another file : notice : i0lzCcmB1Cjxk6DpvlmdPINybrXXeBA1 each file have this signature at the start ofthe it IDA & LUA Decryption and Encryption for cocos2dlua. copy the signature and search ida for it but this time in the string if found you should find the key aswell : I use IDA & LUA Decryption and Encryption for cocos2dlua to decrypt the files. after it's done every file will be unencrypted and easy to read : and with that data you can create anything you want / mod / script etc Why not just frida? to use frida you need a pc ( termux users isn't included because you just need a pc to use frida -_-) agents ( frida scripts ) isn't portable you always need your pc to use the script powerd with usb I mean too much pain that's why in my opinion GameGuardian is the best choice you can run the script anywhere anytime + lua much easier than js. not all libs work with libc and not all of them contain usefull resources like the example above. ---- tips : the data should be stored in -server -local machine ( your device ) the game files "apk" ( your device aswell ) look at these 3 places to find the game resource. game logic either in the files or in the lib ( like il2cpp ) android games can't afford Hosted Hypervisor for the logic processing. I can update this topic, comment out what you want to know more about ( exluding server-side hacks ) I won't provide tools all you need is your brain to outsmart devs.

New version 12.0.1.3.4 released!

Not posting his info publicly.... can DM for info.

New version 11.6.1.4.12 released!

Just follow my tutorial

New version 11.5.1.5.1.x64 released! I added 'Search mode' for users that have problems running this script. This release also replace 'old cars unlocker' and 'single car unlocker' scripts.

stumble this on localization.lua lmao, say alot about their care to players that gives feedbacks i also working on promocode hacks, but this one is Paid, because i need to pay the host for hosting it, alternatively you can use the script, i'll update it to 3.1, with fixes, so until it done, stay tune

@NoFear I managed to find the ID's for the dice, which are 739FF0E960, 7551EB71F4 and 7551EEB114. After this 1.0.4. update it's not possible anymore to 'know' the dice by going offline in parallel system and do the same on the 'main' account. There is some kind of randomizer now. When going offline it's also not possible for me to alter the dice count. Maybe you can have another look how to alter the dice count, because I think all players are mainly looking for that feature. They don't really care (I think) about the rest of the game, the highest amount of dice will give you respect and jaw-breaking from your friends and family

https://www.mediafire.com/file/mepx82j23mrw33c/rr3_car_upgrader.v11.4.1.4.9.x64.bin.lua/file

New version 11.4.1.4.9.x64 released!

X32 True : ~A MOV R0, #0x1 ~A BX LR False : ~A MOV R0, #0x0 ~A BX LR Int : -------------------------------- -- 9999 ~A MOVW R0, #0x270F ~A BX LR -------------------------------- -- 99999999 ~A MOVW R0, #0xE0FF ~A MOVT R0, #0x05F5 ~A BX LR Float : --100 ~A MOVT R0, #0x42C8 ~A VMOV S15, R0 ~A VMOV.F32 S0, S15 ~A BX LR ------------------- --50 ~A MOVT R0, #0x4248 ~A VMOV S15, R0 ~A VMOV.F32 S0, S15 ~A BX LR ------------------- --10 ~A MOVT R0, #0x4120 ~A VMOV S15, R0 ~A VMOV.F32 S0, S15 ~A BX LR ------------------- --0.1 ~A MOVW R0, #0xCCCD ~A MOVT R0, #0x3DCC ~A VMOV S15, R0 ~A VMOV.F32 S0, S15 ~A BX LR ------------------- --0.01 ~A MOVW R0, #0xD70A ~A MOVT R0, #0x3C23 ~A VMOV S15, R0 ~A VMOV.F32 S0, S15 ~A BX LR ------------------- --999999999.999999999 ~A MOVW R0, #0x6B28 ~A MOVT R0, #0x4E6E ~A VMOV S15, R0 ~A VMOV.F32 S0, S15 ~A BX LR Double : --100 ~A MOV R0, #0x0 ~A MOVT R1, #0x4059 ~A VMOV D16, R1, R0 ~A VMOV.F64 D0, D16 ~A BX LR ------------------- --50 ~A MOV R0, #0x0 ~A MOVT R1, #0x4049 ~A VMOV D16, R1, R0 ~A VMOV.F64 D0, D16 ~A BX LR ------------------- --10 ~A MOV R0, #0x0 ~A MOVT R1, #0x4024 ~A VMOV D16, R1, R0 ~A VMOV.F64 D0, D16 ~A BX LR ------------------- --0.1 ~A MOVW R0, #0x999A ~A MOVT R0, #0x9999 ~A MOVW R1, #0x9999 ~A MOVT R1, #0x3FB9 ~A VMOV D16, R1, R0 ~A VMOV.F64 D0, D16 ~A BX LR ------------------- --0.01 ~A MOVW R0, #0x999A ~A MOVT R0, #0x9999 ~A MOVW R1, #0x9999 ~A MOVT R1, #0x3FB9 ~A VMOV D16, R1, R0 ~A VMOV.F64 D0, D16 ~A BX LR ------------------- --999999999.999999999 ~A MOV R0, #0x0 ~A MOVW R1, #0xCD65 ~A MOVT R1, #0x41CD ~A VMOV D16, R1, R0 ~A VMOV.F64 D0, D16 ~A BX LR X64 True : ~A8 MOV R0, #0x1 ~A8 RET False : ~A8 MOV R0, #0x0 ~A8 RET Int : -- 9999 ~A8 MOVK R0, #0x270F ~A8 RET --99999999 ~A8 MOVK W0, #0xE0FF, LSL #16 ~A8 MOVK W0, #0x05F5, LSL #32 ~A8 RET Float : --100 ~A8 MOVK W0, #0x0000, LSL #16 ~A8 MOVK W0, #0x42C8, LSL #32 ~A8 FMOV S15, W0 ~A8 VMOV.F32 S0, S15 ~A8 RET ----------------------------- --50 ~A8 MOVK W0, #0x0000, LSL #16 ~A8 MOVK W0, #0x4248, LSL #32 ~A8 FMOV S15, W0 ~A8 VMOV.F32 S0, S15 ~A8 RET ----------------------------- --10 ~A8 MOVK W0, #0x0000, LSL #16 ~A8 MOVK W0, #0x4120, LSL #32 ~A8 FMOV S15, W0 ~A8 VMOV.F32 S0, S15 ~A8 RET ----------------------------- --0.1 ~A8 MOVK W0, #0xCCCD, LSL #16 ~A8 MOVK W0, #0x3DCC, LSL #32 ~A8 FMOV S15, W0 ~A8 VMOV.F32 S0, S15 ~A8 RET ----------------------------- --0.01 ~A8 MOVK W0, #0xD70A, LSL #16 ~A8 MOVK W0, #0x3C23, LSL #32 ~A8 FMOV S15, W0 ~A8 VMOV.F32 S0, S15 ~A8 RET ----------------------------- --99999999.99999999 ~A8 MOVK W0, #0xBC20, LSL #16 ~A8 MOVK W0, #0x4CBE, LSL #32 ~A8 FMOV S15, W0 ~A8 VMOV.F32 S0, S15 ~A8 RET Double : --100 ~A8 MOVZ X0, #0x0 ~A8 MOVK X0, #0x0, LSL #16 ~A8 MOVK X0, #0x0, LSL #32 ~A8 MOVK X0, #0x4059, LSL #48 ~A8 FMOV D16, X0 ~A8 VMOV.F64 D0, D16 ~A8 RET ----------------------------- --50 ~A8 MOVZ X0, #0x0 ~A8 MOVK X0, #0x0, LSL #16 ~A8 MOVK X0, #0x0, LSL #32 ~A8 MOVK X0, #0x4049, LSL #48 ~A8 FMOV D16, X0 ~A8 VMOV.F64 D0, D16 ~A8 RET ----------------------------- --10 ~A8 MOVZ X0, #0x0 ~A8 MOVK X0, #0x0, LSL #16 ~A8 MOVK X0, #0x0, LSL #32 ~A8 MOVK X0, #0x4024, LSL #48 ~A8 FMOV D16, X0 ~A8 VMOV.F64 D0, D16 ~A8 RET ----------------------------- --0.1 ~A8 MOVZ X0, #0x999A ~A8 MOVK X0, #0x9999, LSL #16 ~A8 MOVK X0, #0x9999, LSL #32 ~A8 MOVK X0, #0x3FB9, LSL #48 ~A8 FMOV D16, X0 ~A8 VMOV.F64 D0, D16 ~A8 RET ----------------------------- --0.01 ~A8 MOVZ X0, #0x147B ~A8 MOVK X0, #0x47AE, LSL #16 ~A8 MOVK X0, #0x7AE1, LSL #32 ~A8 MOVK X0, #0x3F84, LSL #48 ~A8 FMOV D16, X0 ~A8 VMOV.F64 D0, D16 ~A8 RET ----------------------------- --99999999.99999999 ~A8 MOVZ X0, #0xFFFF ~A8 MOVK X0, #0xFFFF, LSL #16 ~A8 MOVK X0, #0xD783, LSL #32 ~A8 MOVK X0, #0x4197, LSL #48 ~A8 FMOV D16, X0 ~A8 VMOV.F64 D0, D16 ~A8 RET • You can find lua code to convert any value to ARM -> HERE ----> If you get an error comment it out

Slow start. Bummed SRDebugger was stripped.. Will check the game dump for something of use.

View File Real Racing 3 (12.1.2) - Race Type Changer REAL RACING 3 - RACE TYPE CHANGER Current version: 12.1.2.1.1 Working RR3 v.: 12.1.2 Description: Change race type: cup, endurance, head to head, etc... Instructions: Select a race, run the script and select current race type. Then choose new race type. Warning: There have been some big changes to the structure of the game. This is the first script that uses a new method for memory searching. So there may be some problems that will need to be resolved, be patient. Send me your feedback on the gameguardian.net website, thanks. Known issues: The script is not very stable or fast but this is the best I have managed to do at the moment. Video: Submitter MarioRossi93i Submitted 01/22/2024 Category LUA scripts  

Game: https://play.google.com/store/apps/details?id=com.unicostudio.gemdoku&hl=en_IN&gl=US I want to locate the level value in the com.unicostudio.gemdoku.v2.playerprefs.xml file so i can edit it with GG or CheatDroid. Normally i can cheat the level by overwriting the current com.unicostudio.gemdoku.v2.playerprefs.xml file with the one from older versions since the names and values where readable back then as shown in the screenshots. It was a quick work around but i am rather interested in finding out how the player level is really stored in the current xml file because i noticed quite some games have values like coins stored in a long string. On top of that the string will include more then just the coins, for example it can include some functions that are needed to have the coins appear properly. So if you don't edit the string correctly you will get a undesired result. So i started running some basic tests that i am familiar with. Like comparing the content in the .xml file when i was a level 5 with the content in the .xml file when i became lv6. Then replace the old string with the new string to see which string makes me go back to level 5. Eventually it came down to this string, the string when i was a level 5: <string name="1EBXq7XeVC545LnqsugT4jS%2FTXFJQZG%2BkJ1CodU1l%2BGkd5zLuX%2BoPk2Z1QWV9JkXAJmyRo9KdrM%3D">1EBXq7XeVC5e6TxnIVs%2FT%2BMZXc3zTi%2FMR5bkR5NzbftgLsNAbMjgO2EU4JrjCwSZusRXHZl1d4Li7vw0P3fcuvB36rs0RvYSfwduwbvRwLX%2Fi58tS5lkESmKdSQfxJFpIyTxQcSMn6qkwSNCDJhFDCf7Mp3mA9baBgWYX9q0oKTmi1l2NZ48vf1OXIehi0zKQpAMt6nTIMgQYxIhfxAOxVBrd0180%2FGzugECxwjNwcjfLy%2FaYaoiKA%3D%3D</string> Then when i whent to level 6 the string changed to this: <string name="1EBXq7XeVC545LnqsugT4jS%2FTXFJQZG%2BkJ1CodU1l%2BGkd5zLuX%2BoPk2Z1QWV9JkXAJmyRo9KdrM%3D">1EBXq7XeVC5e6TxnIVs%2FT%2BMZXc3zTi%2FMR5bkR5NzbftgLsNAbMjgO2EU4JrjCwSZusRXHZl1d4Li7vw0P3fcuvB36rs0RvYSe3e5rsbaG7LN%2FfLGOhZwig%2FMiGabQt1ZHSZBQ4B9j%2BAtDkZvUP2cKg9VEQkyvFwu7vRSk%2BtVVpC4EXD6C4IcgN8BjpNq%2FIuWKud5LzCmdIr9TlyHoYtMyuc%2FO%2BdfyyhyJhuGPpaK98AkejcbIKUeIKrfAcOjp%2F0gQSKbb6ZZdJo%3D</string> Only whent up one level in the game. Did not do any extra changes. So i believe every different between both strings should be related to the level. I dunno nothing about encoding or encryption but i did saw that "%2F" and "%3D" occurred a lot in both strings and the internet says that it is common in URL's although i doubt it's a URL did try to decode it as a URL and then it shows me the slashes in the string. Making it look like this (first string is level 5, second string level 6): -- decoded level 5 1EBXq7XeVC5e6TxnIVs/T+MZXc3zTi/MR5bkR5NzbftgLsNAbMjgO2EU4JrjCwSZusRXHZl1d4Li7vw0P3fcuvB36rs0RvYSfwduwbvRwLX/i58tS5lkESmKdSQfxJFpIyTxQcSMn6qkwSNCDJhFDCf7Mp3mA9baBgWYX9q0oKTmi1l2NZ48vf1OXIehi0zKQpAMt6nTIMgQYxIhfxAOxVBrd0180/GzugECxwjNwcjfLy/aYaoiKA== -- decoded level 6 1EBXq7XeVC5e6TxnIVs/T+MZXc3zTi/MR5bkR5NzbftgLsNAbMjgO2EU4JrjCwSZusRXHZl1d4Li7vw0P3fcuvB36rs0RvYSe3e5rsbaG7LN/fLGOhZwig/MiGabQt1ZHSZBQ4B9j+AtDkZvUP2cKg9VEQkyvFwu7vRSk+tVVpC4EXD6C4IcgN8BjpNq/IuWKud5LzCmdIr9TlyHoYtMyuc/O+dfyyhyJhuGPpaK98AkejcbIKUeIKrfAcOjp/0gQSKbb6ZZdJo= Then copy pasted MR5bkR5NzbftgLsNAbMjgO2EU4JrjCwSZusRXHZl1d4Li7vw0P3fcuvB36rs0RvYSfwduwbvRwLX into MR5bkR5NzbftgLsNAbMjgO2EU4JrjCwSZusRXHZl1d4Li7vw0P3fcuvB36rs0RvYSe3e5rsbaG7LN and then encoded it back which resulted the game to kind act weird. The font shows lv1 but then when trying to enter the map it shows lv500 with nothing on the background. This was not the intended result. Some help would be appreciated.

BAJADASAURUS = 662,471,111 BARRACUDASAURUS = -388,063,063 MONKEYDACTYL = 1,896,456,531

Use this script : TEST_UnlockEquipment.lua - to unlock and get 10pcs of equipments at Level 100 - script for 64bit(armv8) only Use this Equipment IDs : 17 F/ WOODEN STAFF 18 E/ METAL ORE STAFF 19 D/ STURDY STAFF 20 C/ MAGIC STAFF 21 B/ DIAMOND STAFF 22 F/ IRON STAFF 23 E/ WOODEN STAFF 24 C/ SPIKED STAFF 25 B/ SHINING STAFF 26 A/ LIGHT STAFF 27 E/ GREEN STAFF 28 D/ GRIEF STAFF 29 C/ LIGHTNING STAFF 30 B/ THUNDER STAFF 31 A/ FROSTY ROD 32 E/ RED STAFF 33 D/ ROYAL SCEPTER 34 C/ ANCIENT STAFF 35 A/ LEGENDARY STAFF 36 S/ MYSTIC STAFF 37 F/ WOODEN CLUB 38 E/ STURDY CLUB 39 D/ OAK CLUB 40 C/ ELDER CLUB 41 B/ HERO CLUB 42 E/ GNARLY GLUB 43 D/ LADLE 44 C/ CLUB 45 B/ IRON CLUB 46 A/ RED CLUB 47 D/ MACE 48 C/ CUDGEL 49 B/ MORNING STAF 50 A/ STEEL CLUB 51 S/ GOLDEN CLUB 52 F/ PRAYER CLUB 53 G/ HOLY CLUB 54 C/ LIGHT CLUB 55 A/ ANGELIC CLUB 56 S/ DIVINE CLUB 57 F/ BLUDGEON 58 E/ TOUGH CLUB 59 D/ SPIKE 60 C/ ARTISTIC CLUB 61 A/ EMERALD CLUB 62 F/ WOODEN STICK 63 E/ POKEY STICK 64 D/ SPIKED CLUB 65 C/ FOLK ART CLUB 66 B/ TREE BRANCH 67 F/ WOODEN SPEAR 68 E/ IRON SPEAR 69 D/ MASTER SPEAR 70 B/ TRIDENT 71 A/ LEGENDARY SPEAR 72 E/ FISHERMANS PIKE 73 C/ IRON PIKE 74 B/ RED SPEAR 75 A/ STEEL SPEAR 76 S/ FIRE SPEAR 77 E/ BRONZE SPEAR 78 C/ PALADINS SPEAR 79 B/ COMMANDERS SPEAR 80 A/ GOLDEN SPEAR 81 S/ BLACK SPEAR 82 F/ TINY MALLET 83 E/ MALLET 84 C/ IRON HAMMER 85 B/ BIG BAD HAMER 86 S/ FIRE HAMMER 87 E/ BASIC HAMMER 88 D/ LONG HAMMER 89 B/ SILVER HAMMER 90 A/ MASTERS HAMMER 91 S/ GOLDEN HAMMER 92 E/ SWORD 93 D/ STEEL SWORD 94 C/ MASTERS SWORD 95 B/ COMMANDERS SWORD 96 A/ ARTISINAL SWORD 97 F/ FRUIT KNIFE 98 E/ KITCHEN KNIFE 99 D/ SILVER KNIFE 100 B/ MASTERS KNIFE 101 A/ GOLDEN KNIFE 102 F/ TINY KNIFE 103 E/ SCALPEL 104 C/ SILVER SCALPEL 105 B/ LIGHTNING SCALPEL 106 A/ ICE SCALPEL 107 E/ PIRATE SWORD 108 D/ CUTLASS 109 C/ TORNADO SWORD 110 A/ TEARDROP SWORD 111 S/ FIRE SWORD 112 E/ INFANTRY SWORD 113 D/ SABRE 114 C/ SILVER SWORD 115 B/ DESTRUCTION SWORD 116 A/ ANCIENT SWORD 117 E/ ICE KNIFE 118 D/ ICE SWORD 119 C/ ICE GREATSWORD 120 B/ FROSTY SWORD 121 S/ BLIZZARD SWORD 122 E/ KUNAI 123 D/ NINJA STAR 124 C/ GIANT NINJA STAR 125 B/ FLAME NINJA STAR 126 A/ GIGA NINJA STAR 127 F/ SIMPLE KATANA 128 E/ SAMURAI SWORD 129 C/ SHOGUNS KATANA 130 B/ MASTERS KATANA 131 A/ LEGENDARY KATANA 132 F/ BRONZE SWORD 133 E/ COPPER SWORD 134 C/ TEMPERED SWORD 135 B/ LIGHTWEIGHT SWORD 136 A/ HONOR SWORD 137 E/ LONGISH SWORD 138 D/ BÀSTÃRD SWORD 139 C/ SAINTS SWORD 140 A/ SWORD OF RAGE 141 S/ LEGENDARY SWORD 142 D/ BLACK SWORD 143 C/ DARKNESS SWORD 144 B/ SWORD OF THE VOID 145 A/ ROYAL SWORD 146 S/ CONQUERORS SWORD 147 D/ NORMAL SWORD 148 C/ COURAGE SWORD 149 B/ HERO SWORD 150 A/ IMMORTAL SWORD 151 S/ YGGDRASIL SWORD 152 F/ NOVEL 153 D/ RESEARCH GUIDE 154 E/ MAGNIFYING GLASS 155 C/ ANCIENT TIME 156 B/ PAINTBRUSH 157 D/ PISTOL 158 C/ RIFLE 159 B/ MUSKET 160 A/ MIGHTY RIFLE 161 S/ GOLDEN GUN 162 D/ BOW 163 C/ INFANTRY BOW 164 B/ HUNTING BOW 165 A/ SWIFT BOW 166 S/ CHAMPIONS BOW 167 F/ ADZE 168 D/ LUMBERJACKS AXE 169 C/ STEEL AXE 170 B/ BATTLE AXE 171 S/ LEGENDARY AXE 172 A/ KAIRO SWORD 173 A/ KAIRO HAMMER 174 A/ KAIRO LANCE 175 A/ KAIRO BOW 176 A/ KAIRO GUN 177 F/ WOODEN SHIELD 178 F/ LEATHER SHIELD 179 E/ INFANTRY SHIELD 180 E/ BUCKLER 181 D/ IRON SHIELD 182 C/ NOBLE SHIELD 183 A/ HERO SHIELD 184 A/ CRYSTAL SHIELD 185 B/ SHELL SHIELD 186 S/ WAIRO SHIELD 187 B/ SCHOLARS SHIELD 188 A/ HOLY SHIELD 189 D/ FOLK ART SHIELD 190 D/ STURDY SHIELD 191 C/ NIGHTMARE SHIELD 192 B/ LEGENDARY SHIELD 193 B/ GREEN SHIELD 194 S/ MIRROR SHIELD 195 A/ GOLDEN SHIELD 196 S/ SHINING SHIELD 197 C/ DEMONIC SHIELD 198 B/ LEGENDARY SHIELD 199 C/ CONQUERORS SHIELD 200 S/ KAIRO SHIELD 201 F/ LOIN CLOTH 202 F/ LINEN GARMENT 203 F/ COMMON GARMENT 204 E/ YELLOW GARMENT 205 E/ DURABLE GARMENT 206 D/ STYLISH GARMENT 207 D/ THICK GARMENT 208 D/ CHAIN MAIL 209 C/ SKIRT 210 B/ DRESS 211 D/ PAJAMAS 212 C/ FUR COAT 213 C/ COAT 214 C/ ROBE 215 B/ FINE ROBE 216 C/ MENS KIMONO 217 D/ CAPE 218 C/ DURABLE CAPE 219 B/ PURPLE CAPE 220 A/ ROYAL ROBE 221 E/ LEATHER ARMOR 222 D/ IRON CHEST GUARD 223 C/ LEATHER ARMOR 224 C/ LIGHT MAIL 225 B/ BRONZE ARMOR 226 B/ SILVER ARMOR 227 A/ VERDANT ARMOR 228 A/ HEAVY ARMOR 229 S/ GOLDEN ARMOR 230 S/ BLACK CHAINMAIL 231 F/ BANDANA 232 F/ ALICE BAND 233 F/ HEADBAND 234 F/ TURBAN 235 E/ HAT 236 E/ HELMET 237 E/ HAT 238 D/ BANDANA 239 D/ NINJA HEADBAND 240 D/ FOREHEAD GUARD 241 F/ CHEF HAT 242 F/ TOP HA 243 F/ HAT 244 F/ HOLY HAT 245 E/ ANGELS HALO 246 E/ PIRATE HAT 247 E/ DIRECTORS BERET 248 D/ WINGED BANDANA 249 D/ WINGED HAT 250 D/ WINGED HELM 251 D/ MAGIC HAT 252 C/ MAGES HAT 253 B/ WIZARDS HAT 254 A/ LEGENDARY HAT 255 B/ MYSTIC HAT 256 C/ MAIL COIL 257 B/ SHAMPOO HAT 258 A/ KAIRO HAT 259 S/ ROYAL CROWN 260 A/ TIARA 261 D/ LOOKOUT HAT 262 C/ GUARD HELMET 263 C/ BRONZE HEADPIECE 264 C/ HELMET 265 B/ IRON MASK 266 B/ IRON HEADPIECE 267 A/ BLACK HEADPIECE 268 S/ GOLDEN HEADPIECE 269 A/ DRAGON HEADPICE 270 A/ ROBOT HELMET 271 E/ LOCKET 272 D/ NECKLACE 273 C/ AMULET 274 B/ BLUE PENDANT 275 A/ RED PENDANT 276 S/ GOLDEN PENDANT 277 C/ MAGIC PENDANT 278 B/ GOLDEN BRACELET 279 D/ LEATHER BAND 280 C/ WRIST BAND 281 S/ GOLD MEDAL 282 D/ SCARF 283 B/ COLLAR 284 A/ GOLDEN COLLAR 285 D/ RING 286 C/ PEARL RING 287 B/ SILVER RING 288 A/ LIGHT RING 289 S/ GOLDEN RING 290 C/ GLOVES 291 B/ LEATHER GLOVES 292 A/ SILK GLOVES 293 B/ SILVER EARRINGS 294 A/ GOLDEN EARRINGS 295 S/ ROYAL EARRINGS 296 E/ LEATHER SHOES 297 F/ WOODEN SANDALS 298 D/ LOAFERS 299 A/ SILVER BOOTS 300 B/ BOOTS 301 S/ WINGED BOOTS 302 C/ CANDLE 303 B/ CHARM 304 A/ GOLDEN BELL 305 B/ RED RIBBON 306 A/ RIBBON 307 C/ WOODEN CARVING 308 C/ CLOTH BAG 309 B/ GOLD BAG 310 S/ SALLY PRIN FIGURE 311 S/ SANTA STAFF 312 S/ SANTA SHIELD - IDs are from previous work by other people in this thread. i take no credits for it.

View File RR3 Unlocks hidden vinyl packs Unlocks follow packs: St.Patrick's day - 12 vinyls Christmas - 14 vinyls Halloween - 24 vinyls Submitter Count_Nosferatu Submitted 08/19/2023 Category LUA scripts  

for anyone in need JWTG_ID.txt

New version 11.5.1.4.10.x64 released!

if people that knowns somethings about something shares, it's like opening a pandora box at first i thought i can just EOL revolted on v3 and move on, but after watching a series of video by some internet security and such, the dude name in youtube was LiveOverflow, i thought myself, what if i can tamper the connection, so i tried to bruteforce the encryption first, but then i realize this is not a normal data transfer, so i look up the source and as expected it's encrypted, and since then ive been snooping the request and such, but like always, just if the community just like Unknowncheats, this game will be dead eons ago. anyway, i found a modifier that modify the search quantity accidentally when i trying to find alternative for leveling let's say you search a pharmacy, you'll get 1-4 amount of certain meds, and since i found this modifier, you know can get 10K+ i also found alot of multiplayer settings, unprotected, just as it, Gift Limit, Chat cooldown, banned items, opening gift cooldown, i kinda want to scrap the idea to try replay attacks on websocket connection. cuz like i dont find anything special from it, i'll try to unban myself without slash command by mod, if i do, i wouldnt be surprised i think i should make YT tutorials for day r hacking lmao imma start with caps, cuz all i see on yt is "this hacks doesn't work after 766, devs patched it"

New version 11.4.1.4.9.x64 released!

Quick Notes: Low Registers (R0 to R7): Accessible by all instructions using general-purpose registers. High Registers (R8 to R12): Accessible by 32-bit instructions specifying a general-purpose register, not all 16-bit instructions. Stack Pointer (R13): Used as the Stack Pointer (SP). Autoaligned to a word, four-byte boundary, ignoring writes to bits [1:0]. Link Register (R14): Subroutine Link Register (LR). Receives return address from PC during Branch and Link (BL) or Branch and Link with Exchange (BLX). Also used for exception return. Treat as a general-purpose register. Program Counter (R15): PC. FPU (Floating Point Unit): Supports single-precision operations - add, subtract, multiply, divide, multiply and accumulate, and square root. Also handles conversions between fixed-point and floating-point formats, and floating-point constant instructions. FPU Registers: Sixteen 64-bit doubleword registers: D0-D15. Thirty-two 32-bit single-word registers: S0-S31. ->Source <- --------------------------------------------------------------------------------------------------------------------------------- In Arm Patching we are using only Low Registers and the FPU. True and false Editing. ~A MOV R0, #1 MOV means Move , by this instruction we are telling the proccessor to move the value 1 to register R0 similar when you assign a variable name : R0 = 1 in most programing languages the true statment always = 1 and the false statment = 0 so #1 = true and #0 = false ~A BX LR BX Means branch exit LR or in another way return the value we stored to the caller. Int Editing : we can use MOV R0, # aswell for the int value but you need to know the integral data types. • byte : Signed: From −128 to 127 ­ ­ ­ ­ ­ ­ ­ ­ ­: Unsigned: From 0 to 255 we can use MOV here if the int value we want is between -128 and 255 so the instruction will be : ~A MOV R0, #-128 or #255 at max • short : Signed: From −32,768 to 32,767 : Unsigned: From 0 to 65,535 in this case we use MOVW the W stands for Word so same as above the instruction will be : ~A MOVW R0, #−32,768 or #65,535 at max NOTE : • Don't forget to return (~A BX LR) • We can Use MVN which mean Move Negative so the Max Negative Value will be #255 for Byte and MVNW for Short #65,535 (Don't add "-" since we already telling the proccessor we are dealing with negative number) • #value will be converted automatically to hex value in the Register means #8 will be 0x00000008 and so on • Int 32 : Signed: From −2,147,483,648 to 2,147,483,647 : Unsigned: From 0 to 4,294,967,295 the typical DWORD in GG : here we move to the advanced Part of this guide: as I said in the Note above the values are converted in the register automatically to hex so the max value in short in hex will be 0x0000FFFF so we have 4 zero's we can't change in the int 32, in this case we use one more instructon MOVT T stands for Top example : MOVW R0, #22136 -> R0 will be : 0X00005678 MOVT R0 , #4660 -> R0 will be : 0x12345678 So in case of INT32 we need 2 things • Convert the value we want to change to hex value • 3 instruction in total the Same concept here work for QWORD aswell (64 bit) 0x0000000000000001 Note : MVN R0, #2 will change to 0xFFFFFFF2 in hex MOV R0, #2 or MOV R0, #0x2 are the same Float and Double: • Float and Double are IEEE 754 Floating-Point: We need the FPU here and things will get a little bit complicated, • we need 2 or 3 registers in this case R0 , R1 and S0(for float) or D0(for double) Suppose the hex value of this float 12.6 is : 0x4149999A same as the int 32 : ~A MOVW R0, #0x999A (R0 = 0x0000999A) ~A MOVT R0, #0x4149 (R0 now = 0x4149999A) now R0 is set but if we return the value (~A BX LR) the result will be : 1095342490 and we don't want that value we want 12.6 as float (This Doesn't Work Because we didn't tell the proccessor that is a float number) the right way is to use FPU VMOV S15, R0 ( VMOV is the instruction MOV in the FPU : by that instruction we mean move the register value of R0 to the FPU register R15 ) VMOV.F32 S0, S15 (here we are telling the FPU we are dealing with Float number (F32) and move the value from S15 to S0 ) for double we use the same concept except we use F64 instead and register D16 and D0 Float : so the final code will be : ~A MOVW R0, #0x999A (R0 = 0x0000999A) ~A MOVT R0, #0x4149 (R0 = 0x4149999A) ~A VMOV S15, R0 ~A VMOV.F32 S0, S15 ~A BX LR ----------------- Double : For double the hex value of 12.6 is : 0x4029333333333333 (Same Concept for Big Float Number) • Here we use R0, R1 , D0 and D16 • divide the hex value 0x4029333333333333 into 2 part 0x40293333 and 0x33333333 one goes for R0 and the other one goes for R1 Be carful of the placement of the hex value we start from the last 4 to the 1st 4 means we start with 0x3333 -> 0x4029 Use same concept of MOVW and MOVT to get the result. Result: ~A MOVW R0, #0x3333 (R0 = 0x00003333) ~A MOVT R0, #0x3333 (R0 = 0x33333333) ~A MOVW R1, # 0x3333 (R1 = 0x00003333) ~A MOVT R1, #0x4029 (R1 = 0x40293333) ~A VMOV D16, R0, R1 (Move value Of R0 and R1 to register D16 Be Careful here R0 last 8 hex 1st then R1 the top 8 hex) ~A VMOV.F64 D0, D16 (here we use F64 and D0 , and D16 instead of F32 , S0 and S15 because the hex value is 64 bit) ~A BX LR ------ This is How you arm patch bool / int / float / double NOTE : When it comes to function args and returns the only register that give return or args are R0,R1,R2,R3 (and SP) this is why we use R0 and VMOV S15/D16 to S0/D0 ARMv8 : In ARMv8, LSL stands for "Logical Shift Left". It is an instruction used to shift the bits in a register to the left by a specified number of bits, and the bits that are shifted off the left-hand end are discarded. LSL can be used with immediate values or with a register value. The immediate value specifies the number of bits to shift, which can be between 0 and 63. When using a register value, the bottom byte of the register specifies the number of bits to shift Example : Level 1 ) LSL X1, X2, #3 --> Shift the contents of X2 left by 3 bits and store the result in X1 -> In this example, X2 is being multiplied by 8 (since 8 is 2 to the power of 3), and the result is stored in X1. Level 2) MOV and LSL example: MOV X1, #0x10 -->Move the value 0x10 into register X1 LSL X1, X1, #3 --> Shift the contents of X1 left by 3 bits (multiply by 8 ) Level 3) Float Value : 3.14159 / Hex : 0x40490FD0 --Load the value 0x0FD00000 into bits 16-31 of W0 • MOVK W0, #0x0FD0, LSL #16 --> W0 = 0x00000FD0 -- Load the value 0x40490000 into bits 32-47 of W0 • MOVK W0, #0x4049, LSL #32 -> W0 = 0x40490FD0 -- Move the value of W0 into single-precision floating-point register S0 • FMOV S0, W0 --> S0 = 0x40490FD0 (interpreted as a floating-point value) Note : 4 bytes hex (32) value we use register W and for float we use S Level 4 ) Double value : 3.14159 / Hex : 0x400921F9F01B866E MOVK X0, #0xF01B866E, LSL #16 -->X0 = 0x00000000F01B866E MOVK X0, #0x400921F9, LSL #48 -->X0 = 0x400921F9F01B866E FMOV D0, X0 Note: 8 bytes hex (64) value we use register X and for Double we use D NOTE: SAME CONCEPT IN AARCH32 WITH (INT, BOOL, FLOAT, AND DOUBLE) LSL and MOV(Z/K) is the diffrences. PART II (LDR / STR): [STRING] ( NON UNITY GAMES ) Little-endian / Big-endians : LDR and STR are instructions used in ARMv7 and ARMv8 architectures to load and store data from memory. LDR stands for "Load Register" and is used to load a value from memory into a register. The syntax for LDR in ARMv7 and ARMv8 is LDR <Register>, [<Address>] STR stands for "Store Register" and is used to store a value from a register into memory. The syntax for STR in ARMv7 and ARMv8 is STR <Register>, [<Address>] where <Register> is the name of the register to load the value into, and <Address> is the memory address from which to load the value. In both cases, the square brackets around <Address> indicate that the value inside the brackets is a memory address, rather than a register. To load the string 'GG TESTING' into a register, you can use the LDR instruction. Assume the pointer to 'G' is 0x00000004 we can use this address as the base address for the LDR instruction. The instruction for loading the first four characters of the string into a 32-bit register (e.g., R1/X1) would be: • LDR R1/X1, [0x00000004] -- R1/X1 = 'GG T' This instruction loads the 32-bit value at memory address 0x00000004 into R1/X1. Note: Use the Move instructions above (PART I) to assign the value (address) to a register BEFOR USING LDR --> LDR R1/X1, [R0] -- R0 = 0x123456789 ( use MOV to assign the correct address to R0 or X0) To load the entire string into a register, you can use the LDR instruction with a register offset. Assuming the string is stored in consecutive memory locations, we can use the following instruction to load the entire string into a register (e.g., R1/X1) LDR R1/X1, [0x00000004], #10 This instruction loads the 32-bit value at memory address 0x00000004 into R1 and increments the base address by 10 (the length of the string). As a result, the entire string 'GG TESTING' will be loaded into R1. ADVANCED : If 'GG TESTING' is a half-word (i.e., each character is 2 bytes or 16 bits) and the pointer to 'G' is located at memory address 0x0000004 + 0x8, then the instructions for loading the string into a register would be different Dummy memory: 0x0000004 (<-- pointer )= 123 0x0000008 = 21 0x000000C = 9999999 0x0000010 = 'GG' 0x0000014 = ' T' -- with space at the start. 0x0000018 = 'ES' etc.. --> between every byte value ( character ) there is 0 [ example in memory 0x00000010 = 71 (G) <-- byte 0x00000011 = 0 <-- byte 0x00000012 = 71 (G) <-- byte 0x00000013 = 0 <-- byte 0x00000014 = 32 (space) <- byte ] To load the half-word 'GG' into a 32-bit register (e.g., R0/X0), we can use the LDRH instruction as follows: LDRH R0, [0x00000004, 0x8] This instruction loads the 16-bit value at memory address 0x00000010 into the lower 16 bits of R0/X0. Since we want to load the first two characters of the string, we add an offset of 0x8 to the base address. Read more about LDR To load the entire string into a register, we can use the LDRH instruction with a register offset as follows: LDRH R0, [0x00000004, 0x8], #0xC This instruction loads the 16-bit value at memory address 0x00000010 into the lower 16 bits of R1, and increments the base address by 0xC (or 12 bytes) to load the remaining characters of the string. The 'GG TESTING' string has a length of 10 characters, which corresponds to 20 bytes (11 characters x 2 bytes per character), so we need to load 12 bytes in addition to the first 2 bytes to load the entire string. AARCH64 : LDRH --> LDURH (Load Unsigned Halfword with a 64-bit offset) or LDSRH (signed) LDURH W0, [X1, #16] ; Load a halfword from the memory address X1 + 16 into W0 This loads a 16-bit unsigned halfword from the memory address X1 + 16 into the 32-bit register W0. Note that the offset value is added to the base register X1 to form the memory address. Also, because LDURH is an unsigned load instruction, the loaded halfword is zero-extended to 32 bits. NOTE: the LDURH instruction is specific to AArch64 architecture and is not available in AArch32 architecture. STR: STR is used to store the contents of a register into a memory location that is addressed using a base register and an optional offset. The contents of the register are written to the memory location, overwriting any previous data that was stored at that location. -->STR Rd, [Rn {, #offset}] where Rd is the source register whose contents will be stored in memory, Rn is the base register that points to the memory location where the data will be stored, and offset is an optional 32-bit offset that is added to the base register to form the memory address. Example of using the STR instruction to store the contents of R0 register into a memory location: --> STR R0/X0, [R1/X1, #4] ; Store the contents of R0/X1 into the memory location R1/X1 + 4. NOTE : STR Wd, [Xn, #offset], imm | the STR instruction with the imm option is only available in AArch64. |--> Wd/Xd, [Xn, #offset] The imm option allows you to add an immediate value to the offset to form the memory address. The immediate value is sign-extended to 64 bits, shifted left by the scale factor (which is determined by the size of the data being transferred), and then added to the offset. -> STR W0, [X1, #0x100], #0x20 -- This stores the contents of register W0 into the memory location pointed to by register X1 plus 0x100 plus 0x20, overwriting any previous data stored at that location. In AArch32, there is no imm option for the STR instruction. However, you can achieve a similar effect by adding the immediate value to the offset before using it in the instruction. Here's an example: ADD R2, R1, #0x120 --> R2 = R1 + 0x120 STR R0, [R2] --> Store R0 at address R2 Here, the ADD instruction adds the immediate value 0x20 to the base register R1, storing the result in R2. The STR instruction then stores the contents of register R0 into the memory location pointed to by register R2. Note: that the immediate value is added to the offset before using it in the instruction, rather than being added as a separate operand like the imm option in AArch64. --->FOR Using LDR / STR on values just LDR/STR R0/X0, [DESTINATION ADDRESS] Note : Unity games use pointers for the string ----------------------------------------------> Converting Float and Double to Hex <--------------------------------- This is mainly IEEE Standard for Floating-Point Arithmetic. (you can skip this part by using online converter) > You need : • Advanced Lua scripting Knowladge. • Math Knowladge. • Binary 32 and 64 Knowladge. --------------Please read--------------

I have been lurking as a Guest on this thread, but I have signed up here to respond to your findings - This is absolute garbage of a game, and it is highly addicting if you have a group of friends that made it a bit competitive. Anyway, the trick you found is helpful, and thank you for sharing it with us.

basically it did worked but so did for the wilds one. meaning if you activate Attack the enemy also get high Attack too. the script search for all stats point including a value for all which if change will edit the stat of all the coromons in game. manually filter the values is needed to edit the coromons in your squad only. others stats value are nearby. search one stat then goto and scroll up or down to find the others.