Jump to content

Leaderboard

Popular Content

Showing content with the highest reputation since 03/28/2023 in Posts

  1. GameGuardian work without root So, as for work without root. This is not magic. Technical limitations were, and have remained. So it will not work anywhere and always. Actually it looks like this: 1. You put an application of virtual space (Parallel Space, VirtualXposed, Parallel Space Lite, GO multiple, 2Face and many others). 2. In it you add the game and installed GameGuardian. 3. From the virtual space application, you launch the game and GameGuardian. Actually everything. GameGuardian can be used to hack the game. Everything is simple and transparent. It was a good part of the news. Now about the bad: 1. The game has zero progress. You can not transfer the progress from the existing installation of the game, if the game itself does not provide it (through the cloud or somehow). 2. Not all games work through virtual spaces. 3. There may be another account in the game. 4. Not all functions will be available in GameGuardian. 5. On some firmware it does not work at all. If you cannot choose a proсess in GameGuardian, or get an error 105/106, then on your firmware, GG, without root, will not work. Try optimized versions of virtual spaces or another firmware or other device or get root. 6. In some virtual spaces GameGuardian does not work. What can be done in case of problems: 1. Try different virtual spaces if the problem is in them. Best option: Parallel Space. 2. Try changing the firmware. 3. Get a root and do not fool yourself. Once again: it will not work at all and always. It is possible that it will work for you and will not. Virtual spaces to run GameGuardian without root (#ct7bob3) Proper install without root - GameGuardian (#abausujp) Help: https://gameguardian.net/help/help.html#work_without_root Video-examples: Balls Bounce Free - hack balls - without root - GameGuardian, Parallel Space Bejeweled Stars: Free Match 3 - hack without root - group search - GameGuardian, GO Multiple Hack Tap Counter without root via GO Multiple on Android 7.1.1 - GameGuardian Hack Tap Counter without root via GO Multiple - GameGuardian Work without root via Parallel Space - GameGuardian Work without root via 2Face - GameGuardian Work without root via Mutiple Accounts - GameGuardian Work without root via GO Multiple - GameGuardian No root via VirtualXposed - GameGuardian (#b6l7k1qu) No root via VirtualXposed (without error 105) - GameGuardian (#bpb5835m) No root via optimized Parallel Space Lite - GameGuardian (#47glijbj) No root [from scratch] (boring and long video) - GameGuardian (#9rf9317c) No root via Dr. Clone - GameGuardian (#aft8whcy)
    15 points
  2. Hi @chrislin2k, Currently Game Guardian haven't been updated for quite some time. There's 3 thing that you can do: - Use Virtual Machine: VPhoneGaGa, VMos Pro, x8SandBox, F1 VM - Change Game Guardian SDK version to 33 using: APK Editor - Force Install Game Guardian using ADB: adb install --bypass-low-target-sdk-block gameguardian.apk
    9 points
  3. So I believe this game already has all your dice rolls calculated for your account. Server already knows where you'll land on your next roll. I believe minigames, outcomes are already determined before you even land on them (pre determined like all your dice rolls). Wouldn't it be nice to know how much your next roll would've won, then you would've done multiplier to maximize....... Well, that's just what this is going to be about. To see your future rolls/minigames, you'll have game open and switch to offline mode. Using a root file explorer navigate to here: /data/data/com.scopely.monopolygo/files/ Each turn you take a file is generated, something like this: 48d4483b70674c02951ddfd3a289f5d7.ca When you reconnect, it'll send these and get your account synced. If you get prompted no connection, you can click back to remove message and tap roll really quick. So you can roll indefinitely and write down/log all your rolls. Even if you stay on one board logging it all. When you switch to a new board, your dice roll continues. Not like a new board, new roll pattern. When you land on a spot that gives a good size reward. You can delete those .ca files, close, restart game online and use max multiplier to really bonus up those wins. Bank Heist, don't think you had a chance of picking the right combination.... No matter where you selected, what flips over, will always be same when you play it again. So if I flipped coin, ring, cash, cash, ring, cash. When I go to play again, it's going to be that exact order. See attached video. I'm honestly really disappointed in my findings with this developer. It feels like a scam of a game and you're not really "playing". It's basically scripted and if you do x1, x5, x10 at ideal times, that's about the only user "input" that seems to have a chance on the outcome. mobizen_20230426_211255.mp4
    9 points
  4. 7 points
  5. So what I'm finding, I think should be noted and possibly call out the developer on the matter. I'll probably share what I know and how it can benefit within a couple days or so... I'm not really impressed though with the developer. It feels like a scam of a game, you'll all see after I do more tests.
    7 points
  6. New version 12.1.2.5.0 released! read change logs!
    6 points
  7. No luck... Definitely have put some time into figuring out dice. And not making any progress. Still trying though.
    6 points
  8. https://www.mediafire.com/file/6qowx7yuctayo3t/rr3_race_mode.v11.4.1.4.9.x64.bin.lua/file
    6 points
  9. Working on it.... Their is some stuff in the dump, that if server didn't kick back an error, would be perfect.
    6 points
  10. Armv8 C80E42B8r;081540FDr::3809 Edit 28008052r;E803679Er And if you want to set so you can claim all without playing (set number of keys collected). Offset (Version 6.9.5) 3FBCA54 Edit 00FA8052r
    5 points
  11. 5 points
  12. 5 points
  13. New version 12.0.1.4.14 released!
    5 points
  14. This post cannot be displayed because it is in a forum which requires at least 1 post to view.
  15. New version 11.5.2.4.11 released!
    5 points
  16. New version 11.5.1.4.1.x64 released! Added 'Search mode' Changed menu
    5 points
  17. Sorry for the delay on this y'all, I was away for a bit. The issue was affecting new uploads because of security changes we recently made. Should be resolved now.
    5 points
  18. Name of Game: MONOPOLY GO! Play Store Link: https://play.google.com/store/apps/details?id=com.scopely.monopolygo&hl=en&gl=US What cheat? Health, xp, gold...: Dice, money
    4 points
  19. New version 12.2.2.5.1 released!
    4 points
  20. My grandfather used to say: "Everything is new, this is long forgotten old."
    4 points
  21. New version 12.1.2.6.1 released! see changelogs
    4 points
  22. Disclaimer: This guide is for educational purposes only. The techniques explored here are intended for understanding the technical aspects of Android games. Users are advised to use this knowledge responsibly and within legal and ethical boundaries. I disclaim any liability for misuse or unauthorized activities. Use this information at your own risk. As you explore with me, remember it's all about learning, not mischief. If you decide to try out any of these tricks, make sure it's within the rules and plays nice with the devs. I'm not taking responsibility for any shenanigans, so be cool, and enjoy the learning ride. Cheers! Goals : • Identify server-side data from local data. • How to tamper server-side data . • bypass SSL encryption. Requirement : • You should be familiar with requests ( http ) . • You should have some level of knowledge about reverse-engeneering / Exploits / etc. Tools : • GameGuardian. • Frida. • IDA (Pro). • BurbSuite / any other proxy interceptor. • LUA Decryption and Encryption for cocos2dlua. Difficulty : 8/10 ----- Let's Dive IN -----First step is to collect information about the game start playing the game normally to get some information about it, it's concept and what data they have like items , coins , gems , vip , battlepass, etc and what they call it in game. Open GameGuardian or root explorer to know what engine the game use and it's libs, like libIl2cpp.so for Unity , Cocos2d for coco's 2d games , or a custom lib built on top of other games engines like libLotaApp. BurbSuite Start Intercepting traffic. Set Up Your Environment Install Burp Suite: Download and install Burp Suite from the official website. Configure Your Android Device: Connect your Android device to the same network as your computer. Go to Wi-Fi settings, find your connected network, and set the proxy to your computer's IP address and the port Burp Suite is running on (default is 8080). Step 2: Configure Burp Suite Start Burp Suite: Open Burp Suite and go to the "Proxy" tab. Configure Proxy Settings: Under the "Options" tab, go to "Proxy" settings. Ensure the proxy listener is running on the IP address and port you specified in your Android device's Wi-Fi settings. Install Burp's CA Certificate: In Burp Suite, go to "Proxy" > "Options" > "Import / export CA certificate." Click "Save CA Certificate" to save the certificate. Transfer the certificate to your Android device and install it. when Exporting the Certificate You should put the Extention of it .ctr Step 3: Configure Android Device Install and Configure Proxy on Android: Ensure the proxy listener is running on the IP address and port you specified in your Android device's Wi-Fi settings. For APN edit the Access point name : Install the Exported Certificate from burb to your Android phone Step 4: Start Capturing Traffic In the "Target" tab, you should see the target host(s) that your Android device has communicated with. Browse on Android Device: Open the browser on your Android device and start browsing. Burp Suite will capture the traffic, In the "Target" tab, you should see the target host(s) that your Android device has communicated with. Inspect and Manipulate Traffic: In the "Proxy" tab, you can intercept requests and responses, inspect them, and even manipulate them before forwarding. Use Other Burp Suite Tools: Explore other tools in Burp Suite, such as "Repeater" and "Intruder," to perform further analysis and testing. Hierarchy: The Site Map is organized in a hierarchical structure that represents the different hosts and paths your client has communicated with. Hosts and Paths: Hosts represent the web servers or domains that your client has interacted with. Paths represent specific URLs or routes within those hosts. HTTP Methods: Each entry in the Site Map includes information about the HTTP methods used (GET, POST, etc.). Status Codes: The status codes of the responses (e.g., 200 OK, 404 Not Found) are displayed, providing insights into the server's responses. Request and Response Details: Clicking on an entry in the Site Map reveals detailed information about the request and response for that specific interaction. This includes headers, parameters, and content. Filtering and Searching: You can filter and search for specific requests or hosts, making it easier to focus on relevant parts of the traffic. Context Menu: Right-clicking on an entry provides a context menu with various options, such as sending the request to other Burp Suite tools for further analysis. Interactivity: The Site Map is an interactive tool that allows you to manipulate and analyze the captured traffic in real-time. Use Cases: Analysis and Debugging: Identify patterns and anomalies in your web traffic for analysis and debugging purposes. Security Testing: Spot potential security issues, such as vulnerabilities or unusual behaviors. Mapping Application Flow: Understand how different paths in your application are accessed and interacted with. select all URLs and right click -> delete selected items ( we don't need them ) launch the app and watch what the app send when it execute I launched "Mythic Su*moner" and this traffic get captured But Most games use SSL pinning and they don't show the full trafic even when intercepting with them . in this case we need Frida to UnSSL it. ( u can use it to bypass root detection aswell ). SSL pinning, also known as certificate pinning or public key pinning, is a security mechanism employed in applications to enhance the security of SSL/TLS connections. It involves associating a specific SSL certificate or public key with a particular domain, and the application will only accept connections with that specific certificate or key. Normal SSL/TLS Connection: In a standard SSL/TLS connection, a client (e.g., a mobile app) connects to a server, and the server presents its digital certificate to the client during the handshake process. SSL Pinning Process: With SSL pinning, the client embeds a specific SSL certificate or public key within the application. When establishing a connection to the server, the client checks whether the server's presented certificate matches the embedded certificate or public key. Verification and Trust: If the presented certificate matches the pinned certificate or key, the connection is considered trusted, and the communication proceeds. If there's a mismatch or the server presents a different certificate, the connection is rejected, preventing potential man-in-the-middle attacks. Using Brbsuite To listen to the game traffic is man-in-the-middle attack. that's why Most of the trafic is rejected in the 1st capture FRIDA Connect your phone with ur pc via USB & and inject an Agent into the process to UNSSL Pinning : when You UNSSL the game you get More Trafic : With this traffic UNSSLed you can play with it, inspect it and modify it with the repeater ( this is how you hack the server-side ) this method called Tampering data. How to Identify Server Data and Local Data. Select the inapps.appflyer.com and watch it when you play every changement in data ( server side ) get registered by this url ( most cases ) it will send a gzip to server and save it there . any local data will be saved in your machine ( android device ) or memory and the inapps.appflyer.com won't send a request. Some games use SOCKET to connect the game and the server and keeps the connection open until the game get terminated or the server get shut down, with burb you can Intercept sockets aswell. TIP : while you intercepting traffic from burb open the lib with IDA pro to dissassemble it. IDA make sure IDA fully dissassemble the lib by showing idle on the buttom go to the functions menu hit ctrl + F to start searching for keywords I mentioned at the beginning ( gold , items name , coins , player stats etc ) when I search for the keywords no functions / methods found that mean the logic and the data proccess isn't in the lib nor in the traffic ( most of them ) that means the only way to store the logic is in the files in this example game. if you found functions your starting point start with frida, you can use Frida to hook it and track the pointers and afterword GG to create a script. Decrypt LUAC take the apk and unzip it ( open with rar / 7zip ) you'll end up with the game files and Done the logic is found in the game files , the game use lua to run with C and cocos2d. but the game won't leave the game logic and codes open and public the must use some sort of encryption to it , for that they use LUAC is the Lua compiler responsible for taking Lua source code and transforming it into Lua bytecode encrypted. try another file : notice : i0lzCcmB1Cjxk6DpvlmdPINybrXXeBA1 each file have this signature at the start ofthe it IDA & LUA Decryption and Encryption for cocos2dlua. copy the signature and search ida for it but this time in the string if found you should find the key aswell : I use IDA & LUA Decryption and Encryption for cocos2dlua to decrypt the files. after it's done every file will be unencrypted and easy to read : and with that data you can create anything you want / mod / script etc Why not just frida? to use frida you need a pc ( termux users isn't included because you just need a pc to use frida -_-) agents ( frida scripts ) isn't portable you always need your pc to use the script powerd with usb I mean too much pain that's why in my opinion GameGuardian is the best choice you can run the script anywhere anytime + lua much easier than js. not all libs work with libc and not all of them contain usefull resources like the example above. ---- tips : the data should be stored in -server -local machine ( your device ) the game files "apk" ( your device aswell ) look at these 3 places to find the game resource. game logic either in the files or in the lib ( like il2cpp ) android games can't afford Hosted Hypervisor for the logic processing. I can update this topic, comment out what you want to know more about ( exluding server-side hacks ) I won't provide tools all you need is your brain to outsmart devs.
    4 points
  23. 4 points
  24. Not posting his info publicly.... can DM for info.
    4 points
  25. View File RR3 v12.0.1 Reset bonus price (VP) Reset bonus price (VP) in all rounds, both architectures And open all expired rounds. This script uses pointer chains, so it may not work with another game version. Tested on NOX 7.1.2 (32bit) and tablet with Android 10 (x64) and VirtualXposed. reset-vp.mp4 Submitter Count_Nosferatu Submitted 04/29/2023 Category LUA scripts  
    4 points
  26. New version 11.6.1.4.12 released!
    4 points
  27. New version 11.5.1.5.1.x64 released! I added 'Search mode' for users that have problems running this script. This release also replace 'old cars unlocker' and 'single car unlocker' scripts.
    4 points
  28. stumble this on localization.lua lmao, say alot about their care to players that gives feedbacks i also working on promocode hacks, but this one is Paid, because i need to pay the host for hosting it, alternatively you can use the script, i'll update it to 3.1, with fixes, so until it done, stay tune
    4 points
  29. @NoFear I managed to find the ID's for the dice, which are 739FF0E960, 7551EB71F4 and 7551EEB114. After this 1.0.4. update it's not possible anymore to 'know' the dice by going offline in parallel system and do the same on the 'main' account. There is some kind of randomizer now. When going offline it's also not possible for me to alter the dice count. Maybe you can have another look how to alter the dice count, because I think all players are mainly looking for that feature. They don't really care (I think) about the rest of the game, the highest amount of dice will give you respect and jaw-breaking from your friends and family
    4 points
  30. https://www.mediafire.com/file/mepx82j23mrw33c/rr3_car_upgrader.v11.4.1.4.9.x64.bin.lua/file
    4 points
  31. New version 11.4.1.4.9.x64 released!
    4 points
  32. X32 True : ~A MOV R0, #0x1 ~A BX LR False : ~A MOV R0, #0x0 ~A BX LR Int : -------------------------------- -- 9999 ~A MOVW R0, #0x270F ~A BX LR -------------------------------- -- 99999999 ~A MOVW R0, #0xE0FF ~A MOVT R0, #0x05F5 ~A BX LR Float : --100 ~A MOVT R0, #0x42C8 ~A VMOV S15, R0 ~A VMOV.F32 S0, S15 ~A BX LR ------------------- --50 ~A MOVT R0, #0x4248 ~A VMOV S15, R0 ~A VMOV.F32 S0, S15 ~A BX LR ------------------- --10 ~A MOVT R0, #0x4120 ~A VMOV S15, R0 ~A VMOV.F32 S0, S15 ~A BX LR ------------------- --0.1 ~A MOVW R0, #0xCCCD ~A MOVT R0, #0x3DCC ~A VMOV S15, R0 ~A VMOV.F32 S0, S15 ~A BX LR ------------------- --0.01 ~A MOVW R0, #0xD70A ~A MOVT R0, #0x3C23 ~A VMOV S15, R0 ~A VMOV.F32 S0, S15 ~A BX LR ------------------- --999999999.999999999 ~A MOVW R0, #0x6B28 ~A MOVT R0, #0x4E6E ~A VMOV S15, R0 ~A VMOV.F32 S0, S15 ~A BX LR Double : --100 ~A MOV R0, #0x0 ~A MOVT R1, #0x4059 ~A VMOV D16, R1, R0 ~A VMOV.F64 D0, D16 ~A BX LR ------------------- --50 ~A MOV R0, #0x0 ~A MOVT R1, #0x4049 ~A VMOV D16, R1, R0 ~A VMOV.F64 D0, D16 ~A BX LR ------------------- --10 ~A MOV R0, #0x0 ~A MOVT R1, #0x4024 ~A VMOV D16, R1, R0 ~A VMOV.F64 D0, D16 ~A BX LR ------------------- --0.1 ~A MOVW R0, #0x999A ~A MOVT R0, #0x9999 ~A MOVW R1, #0x9999 ~A MOVT R1, #0x3FB9 ~A VMOV D16, R1, R0 ~A VMOV.F64 D0, D16 ~A BX LR ------------------- --0.01 ~A MOVW R0, #0x999A ~A MOVT R0, #0x9999 ~A MOVW R1, #0x9999 ~A MOVT R1, #0x3FB9 ~A VMOV D16, R1, R0 ~A VMOV.F64 D0, D16 ~A BX LR ------------------- --999999999.999999999 ~A MOV R0, #0x0 ~A MOVW R1, #0xCD65 ~A MOVT R1, #0x41CD ~A VMOV D16, R1, R0 ~A VMOV.F64 D0, D16 ~A BX LR X64 True : ~A8 MOV R0, #0x1 ~A8 RET False : ~A8 MOV R0, #0x0 ~A8 RET Int : -- 9999 ~A8 MOVK R0, #0x270F ~A8 RET --99999999 ~A8 MOVK W0, #0xE0FF, LSL #16 ~A8 MOVK W0, #0x05F5, LSL #32 ~A8 RET Float : --100 ~A8 MOVK W0, #0x0000, LSL #16 ~A8 MOVK W0, #0x42C8, LSL #32 ~A8 FMOV S15, W0 ~A8 VMOV.F32 S0, S15 ~A8 RET ----------------------------- --50 ~A8 MOVK W0, #0x0000, LSL #16 ~A8 MOVK W0, #0x4248, LSL #32 ~A8 FMOV S15, W0 ~A8 VMOV.F32 S0, S15 ~A8 RET ----------------------------- --10 ~A8 MOVK W0, #0x0000, LSL #16 ~A8 MOVK W0, #0x4120, LSL #32 ~A8 FMOV S15, W0 ~A8 VMOV.F32 S0, S15 ~A8 RET ----------------------------- --0.1 ~A8 MOVK W0, #0xCCCD, LSL #16 ~A8 MOVK W0, #0x3DCC, LSL #32 ~A8 FMOV S15, W0 ~A8 VMOV.F32 S0, S15 ~A8 RET ----------------------------- --0.01 ~A8 MOVK W0, #0xD70A, LSL #16 ~A8 MOVK W0, #0x3C23, LSL #32 ~A8 FMOV S15, W0 ~A8 VMOV.F32 S0, S15 ~A8 RET ----------------------------- --99999999.99999999 ~A8 MOVK W0, #0xBC20, LSL #16 ~A8 MOVK W0, #0x4CBE, LSL #32 ~A8 FMOV S15, W0 ~A8 VMOV.F32 S0, S15 ~A8 RET Double : --100 ~A8 MOVZ X0, #0x0 ~A8 MOVK X0, #0x0, LSL #16 ~A8 MOVK X0, #0x0, LSL #32 ~A8 MOVK X0, #0x4059, LSL #48 ~A8 FMOV D16, X0 ~A8 VMOV.F64 D0, D16 ~A8 RET ----------------------------- --50 ~A8 MOVZ X0, #0x0 ~A8 MOVK X0, #0x0, LSL #16 ~A8 MOVK X0, #0x0, LSL #32 ~A8 MOVK X0, #0x4049, LSL #48 ~A8 FMOV D16, X0 ~A8 VMOV.F64 D0, D16 ~A8 RET ----------------------------- --10 ~A8 MOVZ X0, #0x0 ~A8 MOVK X0, #0x0, LSL #16 ~A8 MOVK X0, #0x0, LSL #32 ~A8 MOVK X0, #0x4024, LSL #48 ~A8 FMOV D16, X0 ~A8 VMOV.F64 D0, D16 ~A8 RET ----------------------------- --0.1 ~A8 MOVZ X0, #0x999A ~A8 MOVK X0, #0x9999, LSL #16 ~A8 MOVK X0, #0x9999, LSL #32 ~A8 MOVK X0, #0x3FB9, LSL #48 ~A8 FMOV D16, X0 ~A8 VMOV.F64 D0, D16 ~A8 RET ----------------------------- --0.01 ~A8 MOVZ X0, #0x147B ~A8 MOVK X0, #0x47AE, LSL #16 ~A8 MOVK X0, #0x7AE1, LSL #32 ~A8 MOVK X0, #0x3F84, LSL #48 ~A8 FMOV D16, X0 ~A8 VMOV.F64 D0, D16 ~A8 RET ----------------------------- --99999999.99999999 ~A8 MOVZ X0, #0xFFFF ~A8 MOVK X0, #0xFFFF, LSL #16 ~A8 MOVK X0, #0xD783, LSL #32 ~A8 MOVK X0, #0x4197, LSL #48 ~A8 FMOV D16, X0 ~A8 VMOV.F64 D0, D16 ~A8 RET • You can find lua code to convert any value to ARM -> HERE ----> If you get an error comment it out
    4 points
  33. Slow start. Bummed SRDebugger was stripped.. Will check the game dump for something of use.
    4 points
  34. Yes, it is il2cpp. I was struggling to use BadCase Toolbox as its a split apk. I managed to get the dump.cs eventually but still wasn't able to find anything. Will look forward to any updates from you.
    4 points
  35. il2cpp I'm guessing? If I get some time. Might check it out.
    4 points
  36. Wow, I'd only recently pre-registered for this game and here you guys are hacking it already
    4 points
  37. OpCodes changed slightly. But still works.
    3 points
  38. https://www.bilibili.tv/en/video/2003180753 Just follow how this guy do it. Don't mind the thai words his writing those are instructions. Warning: don't hack or change the value of elements soul and anything on special inventory you'll get banned. If you just do what the video had shown you will not get banned. I've been playing for weeks now.
    3 points
  39. Starting from version 8.28.0 GG have support of LUA scripts. It can be loaded and run. https://www.lua.org/manual/5.2/manual.html Scripting Documentation: https://gameguardian.net/help/
    3 points
  40. What you said it's correct. They changed the way stats are managed in the game so now the numbers that you see in the menu are not the real values. Until we find the offset for any stat this method won't be usable anymore in future updates(probably forced by Monday/Tuesday like Pokemon go). I recommend to play like you never did using this method during the weekend event because it won't exist after that. I will post if I find anything related to this game
    3 points
  41. 3 points
  42. if people that knowns somethings about something shares, it's like opening a pandora box at first i thought i can just EOL revolted on v3 and move on, but after watching a series of video by some internet security and such, the dude name in youtube was LiveOverflow, i thought myself, what if i can tamper the connection, so i tried to bruteforce the encryption first, but then i realize this is not a normal data transfer, so i look up the source and as expected it's encrypted, and since then ive been snooping the request and such, but like always, just if the community just like Unknowncheats, this game will be dead eons ago. anyway, i found a modifier that modify the search quantity accidentally when i trying to find alternative for leveling let's say you search a pharmacy, you'll get 1-4 amount of certain meds, and since i found this modifier, you know can get 10K+ i also found alot of multiplayer settings, unprotected, just as it, Gift Limit, Chat cooldown, banned items, opening gift cooldown, i kinda want to scrap the idea to try replay attacks on websocket connection. cuz like i dont find anything special from it, i'll try to unban myself without slash command by mod, if i do, i wouldnt be surprised i think i should make YT tutorials for day r hacking lmao imma start with caps, cuz all i see on yt is "this hacks doesn't work after 766, devs patched it"
    3 points
  43. There's also some way to get the packs they're offering. Someone told me about that there's a friend that is able to buy all packs for $ 0 (also stickers)
    3 points
  44. Quick Notes: Low Registers (R0 to R7): Accessible by all instructions using general-purpose registers. High Registers (R8 to R12): Accessible by 32-bit instructions specifying a general-purpose register, not all 16-bit instructions. Stack Pointer (R13): Used as the Stack Pointer (SP). Autoaligned to a word, four-byte boundary, ignoring writes to bits [1:0]. Link Register (R14): Subroutine Link Register (LR). Receives return address from PC during Branch and Link (BL) or Branch and Link with Exchange (BLX). Also used for exception return. Treat as a general-purpose register. Program Counter (R15): PC. FPU (Floating Point Unit): Supports single-precision operations - add, subtract, multiply, divide, multiply and accumulate, and square root. Also handles conversions between fixed-point and floating-point formats, and floating-point constant instructions. FPU Registers: Sixteen 64-bit doubleword registers: D0-D15. Thirty-two 32-bit single-word registers: S0-S31. ->Source <- --------------------------------------------------------------------------------------------------------------------------------- In Arm Patching we are using only Low Registers and the FPU. True and false Editing. ~A MOV R0, #1 MOV means Move , by this instruction we are telling the proccessor to move the value 1 to register R0 similar when you assign a variable name : R0 = 1 in most programing languages the true statment always = 1 and the false statment = 0 so #1 = true and #0 = false ~A BX LR BX Means branch exit LR or in another way return the value we stored to the caller. Int Editing : we can use MOV R0, # aswell for the int value but you need to know the integral data types. • byte : Signed: From −128 to 127 ­ ­ ­ ­ ­ ­ ­ ­ ­: Unsigned: From 0 to 255 we can use MOV here if the int value we want is between -128 and 255 so the instruction will be : ~A MOV R0, #-128 or #255 at max • short : Signed: From −32,768 to 32,767 : Unsigned: From 0 to 65,535 in this case we use MOVW the W stands for Word so same as above the instruction will be : ~A MOVW R0, #−32,768 or #65,535 at max NOTE : • Don't forget to return (~A BX LR) • We can Use MVN which mean Move Negative so the Max Negative Value will be #255 for Byte and MVNW for Short #65,535 (Don't add "-" since we already telling the proccessor we are dealing with negative number) • #value will be converted automatically to hex value in the Register means #8 will be 0x00000008 and so on • Int 32 : Signed: From −2,147,483,648 to 2,147,483,647 : Unsigned: From 0 to 4,294,967,295 the typical DWORD in GG : here we move to the advanced Part of this guide: as I said in the Note above the values are converted in the register automatically to hex so the max value in short in hex will be 0x0000FFFF so we have 4 zero's we can't change in the int 32, in this case we use one more instructon MOVT T stands for Top example : MOVW R0, #22136 -> R0 will be : 0X00005678 MOVT R0 , #4660 -> R0 will be : 0x12345678 So in case of INT32 we need 2 things • Convert the value we want to change to hex value • 3 instruction in total the Same concept here work for QWORD aswell (64 bit) 0x0000000000000001 Note : MVN R0, #2 will change to 0xFFFFFFF2 in hex MOV R0, #2 or MOV R0, #0x2 are the same Float and Double: • Float and Double are IEEE 754 Floating-Point: We need the FPU here and things will get a little bit complicated, • we need 2 or 3 registers in this case R0 , R1 and S0(for float) or D0(for double) Suppose the hex value of this float 12.6 is : 0x4149999A same as the int 32 : ~A MOVW R0, #0x999A (R0 = 0x0000999A) ~A MOVT R0, #0x4149 (R0 now = 0x4149999A) now R0 is set but if we return the value (~A BX LR) the result will be : 1095342490 and we don't want that value we want 12.6 as float (This Doesn't Work Because we didn't tell the proccessor that is a float number) the right way is to use FPU VMOV S15, R0 ( VMOV is the instruction MOV in the FPU : by that instruction we mean move the register value of R0 to the FPU register R15 ) VMOV.F32 S0, S15 (here we are telling the FPU we are dealing with Float number (F32) and move the value from S15 to S0 ) for double we use the same concept except we use F64 instead and register D16 and D0 Float : so the final code will be : ~A MOVW R0, #0x999A (R0 = 0x0000999A) ~A MOVT R0, #0x4149 (R0 = 0x4149999A) ~A VMOV S15, R0 ~A VMOV.F32 S0, S15 ~A BX LR ----------------- Double : For double the hex value of 12.6 is : 0x4029333333333333 (Same Concept for Big Float Number) • Here we use R0, R1 , D0 and D16 • divide the hex value 0x4029333333333333 into 2 part 0x40293333 and 0x33333333 one goes for R0 and the other one goes for R1 Be carful of the placement of the hex value we start from the last 4 to the 1st 4 means we start with 0x3333 -> 0x4029 Use same concept of MOVW and MOVT to get the result. Result: ~A MOVW R0, #0x3333 (R0 = 0x00003333) ~A MOVT R0, #0x3333 (R0 = 0x33333333) ~A MOVW R1, # 0x3333 (R1 = 0x00003333) ~A MOVT R1, #0x4029 (R1 = 0x40293333) ~A VMOV D16, R0, R1 (Move value Of R0 and R1 to register D16 Be Careful here R0 last 8 hex 1st then R1 the top 8 hex) ~A VMOV.F64 D0, D16 (here we use F64 and D0 , and D16 instead of F32 , S0 and S15 because the hex value is 64 bit) ~A BX LR ------ This is How you arm patch bool / int / float / double NOTE : When it comes to function args and returns the only register that give return or args are R0,R1,R2,R3 (and SP) this is why we use R0 and VMOV S15/D16 to S0/D0 ARMv8 : In ARMv8, LSL stands for "Logical Shift Left". It is an instruction used to shift the bits in a register to the left by a specified number of bits, and the bits that are shifted off the left-hand end are discarded. LSL can be used with immediate values or with a register value. The immediate value specifies the number of bits to shift, which can be between 0 and 63. When using a register value, the bottom byte of the register specifies the number of bits to shift Example : Level 1 ) LSL X1, X2, #3 --> Shift the contents of X2 left by 3 bits and store the result in X1 -> In this example, X2 is being multiplied by 8 (since 8 is 2 to the power of 3), and the result is stored in X1. Level 2) MOV and LSL example: MOV X1, #0x10 -->Move the value 0x10 into register X1 LSL X1, X1, #3 --> Shift the contents of X1 left by 3 bits (multiply by 8 ) Level 3) Float Value : 3.14159 / Hex : 0x40490FD0 --Load the value 0x0FD00000 into bits 16-31 of W0 • MOVK W0, #0x0FD0, LSL #16 --> W0 = 0x00000FD0 -- Load the value 0x40490000 into bits 32-47 of W0 • MOVK W0, #0x4049, LSL #32 -> W0 = 0x40490FD0 -- Move the value of W0 into single-precision floating-point register S0 • FMOV S0, W0 --> S0 = 0x40490FD0 (interpreted as a floating-point value) Note : 4 bytes hex (32) value we use register W and for float we use S Level 4 ) Double value : 3.14159 / Hex : 0x400921F9F01B866E MOVK X0, #0xF01B866E, LSL #16 -->X0 = 0x00000000F01B866E MOVK X0, #0x400921F9, LSL #48 -->X0 = 0x400921F9F01B866E FMOV D0, X0 Note: 8 bytes hex (64) value we use register X and for Double we use D NOTE: SAME CONCEPT IN AARCH32 WITH (INT, BOOL, FLOAT, AND DOUBLE) LSL and MOV(Z/K) is the diffrences. PART II (LDR / STR): [STRING] ( NON UNITY GAMES ) Little-endian / Big-endians : LDR and STR are instructions used in ARMv7 and ARMv8 architectures to load and store data from memory. LDR stands for "Load Register" and is used to load a value from memory into a register. The syntax for LDR in ARMv7 and ARMv8 is LDR <Register>, [<Address>] STR stands for "Store Register" and is used to store a value from a register into memory. The syntax for STR in ARMv7 and ARMv8 is STR <Register>, [<Address>] where <Register> is the name of the register to load the value into, and <Address> is the memory address from which to load the value. In both cases, the square brackets around <Address> indicate that the value inside the brackets is a memory address, rather than a register. To load the string 'GG TESTING' into a register, you can use the LDR instruction. Assume the pointer to 'G' is 0x00000004 we can use this address as the base address for the LDR instruction. The instruction for loading the first four characters of the string into a 32-bit register (e.g., R1/X1) would be: • LDR R1/X1, [0x00000004] -- R1/X1 = 'GG T' This instruction loads the 32-bit value at memory address 0x00000004 into R1/X1. Note: Use the Move instructions above (PART I) to assign the value (address) to a register BEFOR USING LDR --> LDR R1/X1, [R0] -- R0 = 0x123456789 ( use MOV to assign the correct address to R0 or X0) To load the entire string into a register, you can use the LDR instruction with a register offset. Assuming the string is stored in consecutive memory locations, we can use the following instruction to load the entire string into a register (e.g., R1/X1) LDR R1/X1, [0x00000004], #10 This instruction loads the 32-bit value at memory address 0x00000004 into R1 and increments the base address by 10 (the length of the string). As a result, the entire string 'GG TESTING' will be loaded into R1. ADVANCED : If 'GG TESTING' is a half-word (i.e., each character is 2 bytes or 16 bits) and the pointer to 'G' is located at memory address 0x0000004 + 0x8, then the instructions for loading the string into a register would be different Dummy memory: 0x0000004 (<-- pointer )= 123 0x0000008 = 21 0x000000C = 9999999 0x0000010 = 'GG' 0x0000014 = ' T' -- with space at the start. 0x0000018 = 'ES' etc.. --> between every byte value ( character ) there is 0 [ example in memory 0x00000010 = 71 (G) <-- byte 0x00000011 = 0 <-- byte 0x00000012 = 71 (G) <-- byte 0x00000013 = 0 <-- byte 0x00000014 = 32 (space) <- byte ] To load the half-word 'GG' into a 32-bit register (e.g., R0/X0), we can use the LDRH instruction as follows: LDRH R0, [0x00000004, 0x8] This instruction loads the 16-bit value at memory address 0x00000010 into the lower 16 bits of R0/X0. Since we want to load the first two characters of the string, we add an offset of 0x8 to the base address. Read more about LDR To load the entire string into a register, we can use the LDRH instruction with a register offset as follows: LDRH R0, [0x00000004, 0x8], #0xC This instruction loads the 16-bit value at memory address 0x00000010 into the lower 16 bits of R1, and increments the base address by 0xC (or 12 bytes) to load the remaining characters of the string. The 'GG TESTING' string has a length of 10 characters, which corresponds to 20 bytes (11 characters x 2 bytes per character), so we need to load 12 bytes in addition to the first 2 bytes to load the entire string. AARCH64 : LDRH --> LDURH (Load Unsigned Halfword with a 64-bit offset) or LDSRH (signed) LDURH W0, [X1, #16] ; Load a halfword from the memory address X1 + 16 into W0 This loads a 16-bit unsigned halfword from the memory address X1 + 16 into the 32-bit register W0. Note that the offset value is added to the base register X1 to form the memory address. Also, because LDURH is an unsigned load instruction, the loaded halfword is zero-extended to 32 bits. NOTE: the LDURH instruction is specific to AArch64 architecture and is not available in AArch32 architecture. STR: STR is used to store the contents of a register into a memory location that is addressed using a base register and an optional offset. The contents of the register are written to the memory location, overwriting any previous data that was stored at that location. -->STR Rd, [Rn {, #offset}] where Rd is the source register whose contents will be stored in memory, Rn is the base register that points to the memory location where the data will be stored, and offset is an optional 32-bit offset that is added to the base register to form the memory address. Example of using the STR instruction to store the contents of R0 register into a memory location: --> STR R0/X0, [R1/X1, #4] ; Store the contents of R0/X1 into the memory location R1/X1 + 4. NOTE : STR Wd, [Xn, #offset], imm | the STR instruction with the imm option is only available in AArch64. |--> Wd/Xd, [Xn, #offset] The imm option allows you to add an immediate value to the offset to form the memory address. The immediate value is sign-extended to 64 bits, shifted left by the scale factor (which is determined by the size of the data being transferred), and then added to the offset. -> STR W0, [X1, #0x100], #0x20 -- This stores the contents of register W0 into the memory location pointed to by register X1 plus 0x100 plus 0x20, overwriting any previous data stored at that location. In AArch32, there is no imm option for the STR instruction. However, you can achieve a similar effect by adding the immediate value to the offset before using it in the instruction. Here's an example: ADD R2, R1, #0x120 --> R2 = R1 + 0x120 STR R0, [R2] --> Store R0 at address R2 Here, the ADD instruction adds the immediate value 0x20 to the base register R1, storing the result in R2. The STR instruction then stores the contents of register R0 into the memory location pointed to by register R2. Note: that the immediate value is added to the offset before using it in the instruction, rather than being added as a separate operand like the imm option in AArch64. --->FOR Using LDR / STR on values just LDR/STR R0/X0, [DESTINATION ADDRESS] Note : Unity games use pointers for the string ----------------------------------------------> Converting Float and Double to Hex <--------------------------------- This is mainly IEEE Standard for Floating-Point Arithmetic. (you can skip this part by using online converter) > You need : • Advanced Lua scripting Knowladge. • Math Knowladge. • Binary 32 and 64 Knowladge. --------------Please read--------------
    3 points
  45. I have been lurking as a Guest on this thread, but I have signed up here to respond to your findings - This is absolute garbage of a game, and it is highly addicting if you have a group of friends that made it a bit competitive. Anyway, the trick you found is helpful, and thank you for sharing it with us.
    3 points
  46. basically it did worked but so did for the wilds one. meaning if you activate Attack the enemy also get high Attack too. the script search for all stats point including a value for all which if change will edit the stat of all the coromons in game. manually filter the values is needed to edit the coromons in your squad only. others stats value are nearby. search one stat then goto and scroll up or down to find the others.
    3 points
  47. This post cannot be displayed because it is in a forum which requires at least 1 post to view.
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.