Leaderboard

View File GameGuardian Overview: Play games your way! “GameGuardian” is a game cheat / hack / alteration tool. With it, you can modify money, HP, SP, and much more. You can enjoy the fun part of a game without suffering from its unseasonable design. Requires Android: 2.3.3+ GameGuardian Features Summary Runs on ARM, x64 and x86 devices, including x86 emulators (LDPlayer, Droid4X, MOMO, KOPlayer, Andy, Memu, Leapdroid, AMIDuOS, Windroye, RemixOS, PhoenixOS, AVD, Genymotion, Nox, BlueStacks etc.) Supports Android 2.3.3+ (Gingerbread) through Lollipop (5+), Marshmallow (6+), Nougat (7+), Oreo (8+), Pie (9+), 10+. Support work without root via different virtual spaces. Support different emulators like PPSSPP, ePSXe, GameBoy etc. Game deceleration and acceleration (speedhack) for ARM and x86 devices, including x86 emulators. Also supports both 32-bit and 64-bit applications on 64-bit devices using speedhack. Search feature: encrypted values. Search of unknown values when specifying the difference between values. Search addresses by mask. Explicit and "fuzzy" numeric searches. Text (String, Hex, AoB) search. Supports: Double, Float, Qword, Dword, XOR, Word, Byte, or Auto data-type searches. Lua scripting support. Modify all search results at once. Filtering of search results (address greater than and less than, value greater than and less than). Search in the background feature. 'The fill' feature. Time jump feature. Dump memory. Copy memory. Customizable UI. App locale for over 50 languages. And, much, much more. Notes: ** ROOT or VIRTUAL ENVIRONMENT ONLY ** This tool only works on rooted devices or in virtual environment (without root in limited mode)! GG can work in limited mode without root, through a virtual environment. For example, through Parallel Space, VirtualXposed, Parallel Space Lite, GO multiple, 2Face and many others. Read the help for more details. You can find more information about rooting your device at XDA Developers. Want to help us improve, or add a translation? Then please visit thread "If you want to add a new translation or improve an existing". If you are having issues with the app, please visit thread "Gathering information about GG errors". Want to donate and help keep the project going? That's awesome! You can donate any amount (anything helps) here: Donate Need help with how to use this application? Please visit "Video tutorials" and forum "Guides". Credit: @d2dyno - Owner, lead designer, project management. @Enyby - Lead coder, project management. @Trasd - Technical consultant, project management. @Aqua - Creator (retired). Submitter Enyby Submitted 05/19/2012 Category Official Downloads  

Quick Notes: Low Registers (R0 to R7): Accessible by all instructions using general-purpose registers. High Registers (R8 to R12): Accessible by 32-bit instructions specifying a general-purpose register, not all 16-bit instructions. Stack Pointer (R13): Used as the Stack Pointer (SP). Autoaligned to a word, four-byte boundary, ignoring writes to bits [1:0]. Link Register (R14): Subroutine Link Register (LR). Receives return address from PC during Branch and Link (BL) or Branch and Link with Exchange (BLX). Also used for exception return. Treat as a general-purpose register. Program Counter (R15): PC. FPU (Floating Point Unit): Supports single-precision operations - add, subtract, multiply, divide, multiply and accumulate, and square root. Also handles conversions between fixed-point and floating-point formats, and floating-point constant instructions. FPU Registers: Sixteen 64-bit doubleword registers: D0-D15. Thirty-two 32-bit single-word registers: S0-S31. ->Source <- --------------------------------------------------------------------------------------------------------------------------------- In Arm Patching we are using only Low Registers and the FPU. True and false Editing. ~A MOV R0, #1 MOV means Move , by this instruction we are telling the proccessor to move the value 1 to register R0 similar when you assign a variable name : R0 = 1 in most programing languages the true statment always = 1 and the false statment = 0 so #1 = true and #0 = false ~A BX LR BX Means branch exit LR or in another way return the value we stored to the caller. Int Editing : we can use MOV R0, # aswell for the int value but you need to know the integral data types. • byte : Signed: From −128 to 127 ­ ­ ­ ­ ­ ­ ­ ­ ­: Unsigned: From 0 to 255 we can use MOV here if the int value we want is between -128 and 255 so the instruction will be : ~A MOV R0, #-128 or #255 at max • short : Signed: From −32,768 to 32,767 : Unsigned: From 0 to 65,535 in this case we use MOVW the W stands for Word so same as above the instruction will be : ~A MOVW R0, #−32,768 or #65,535 at max NOTE : • Don't forget to return (~A BX LR) • We can Use MVN which mean Move Negative so the Max Negative Value will be #255 for Byte and MVNW for Short #65,535 (Don't add "-" since we already telling the proccessor we are dealing with negative number) • #value will be converted automatically to hex value in the Register means #8 will be 0x00000008 and so on • Int 32 : Signed: From −2,147,483,648 to 2,147,483,647 : Unsigned: From 0 to 4,294,967,295 the typical DWORD in GG : here we move to the advanced Part of this guide: as I said in the Note above the values are converted in the register automatically to hex so the max value in short in hex will be 0x0000FFFF so we have 4 zero's we can't change in the int 32, in this case we use one more instructon MOVT T stands for Top example : MOVW R0, #22136 -> R0 will be : 0X00005678 MOVT R0 , #4660 -> R0 will be : 0x12345678 So in case of INT32 we need 2 things • Convert the value we want to change to hex value • 3 instruction in total the Same concept here work for QWORD aswell (64 bit) 0x0000000000000001 Note : MVN R0, #2 will change to 0xFFFFFFF2 in hex MOV R0, #2 or MOV R0, #0x2 are the same Float and Double: • Float and Double are IEEE 754 Floating-Point: We need the FPU here and things will get a little bit complicated, • we need 2 or 3 registers in this case R0 , R1 and S0(for float) or D0(for double) Suppose the hex value of this float 12.6 is : 0x4149999A same as the int 32 : ~A MOVW R0, #0x999A (R0 = 0x0000999A) ~A MOVT R0, #0x4149 (R0 now = 0x4149999A) now R0 is set but if we return the value (~A BX LR) the result will be : 1095342490 and we don't want that value we want 12.6 as float (This Doesn't Work Because we didn't tell the proccessor that is a float number) the right way is to use FPU VMOV S15, R0 ( VMOV is the instruction MOV in the FPU : by that instruction we mean move the register value of R0 to the FPU register R15 ) VMOV.F32 S0, S15 (here we are telling the FPU we are dealing with Float number (F32) and move the value from S15 to S0 ) for double we use the same concept except we use F64 instead and register D16 and D0 Float : so the final code will be : ~A MOVW R0, #0x999A (R0 = 0x0000999A) ~A MOVT R0, #0x4149 (R0 = 0x4149999A) ~A VMOV S15, R0 ~A VMOV.F32 S0, S15 ~A BX LR ----------------- Double : For double the hex value of 12.6 is : 0x4029333333333333 (Same Concept for Big Float Number) • Here we use R0, R1 , D0 and D16 • divide the hex value 0x4029333333333333 into 2 part 0x40293333 and 0x33333333 one goes for R0 and the other one goes for R1 Be carful of the placement of the hex value we start from the last 4 to the 1st 4 means we start with 0x3333 -> 0x4029 Use same concept of MOVW and MOVT to get the result. Result: ~A MOVW R0, #0x3333 (R0 = 0x00003333) ~A MOVT R0, #0x3333 (R0 = 0x33333333) ~A MOVW R1, # 0x3333 (R1 = 0x00003333) ~A MOVT R1, #0x4029 (R1 = 0x40293333) ~A VMOV D16, R0, R1 (Move value Of R0 and R1 to register D16 Be Careful here R0 last 8 hex 1st then R1 the top 8 hex) ~A VMOV.F64 D0, D16 (here we use F64 and D0 , and D16 instead of F32 , S0 and S15 because the hex value is 64 bit) ~A BX LR ------ This is How you arm patch bool / int / float / double NOTE : When it comes to function args and returns the only register that give return or args are R0,R1,R2,R3 (and SP) this is why we use R0 and VMOV S15/D16 to S0/D0 ARMv8 : In ARMv8, LSL stands for "Logical Shift Left". It is an instruction used to shift the bits in a register to the left by a specified number of bits, and the bits that are shifted off the left-hand end are discarded. LSL can be used with immediate values or with a register value. The immediate value specifies the number of bits to shift, which can be between 0 and 63. When using a register value, the bottom byte of the register specifies the number of bits to shift Example : Level 1 ) LSL X1, X2, #3 --> Shift the contents of X2 left by 3 bits and store the result in X1 -> In this example, X2 is being multiplied by 8 (since 8 is 2 to the power of 3), and the result is stored in X1. Level 2) MOV and LSL example: MOV X1, #0x10 -->Move the value 0x10 into register X1 LSL X1, X1, #3 --> Shift the contents of X1 left by 3 bits (multiply by 8 ) Level 3) Float Value : 3.14159 / Hex : 0x40490FD0 --Load the value 0x0FD00000 into bits 16-31 of W0 • MOVK W0, #0x0FD0, LSL #16 --> W0 = 0x00000FD0 -- Load the value 0x40490000 into bits 32-47 of W0 • MOVK W0, #0x4049, LSL #32 -> W0 = 0x40490FD0 -- Move the value of W0 into single-precision floating-point register S0 • FMOV S0, W0 --> S0 = 0x40490FD0 (interpreted as a floating-point value) Note : 4 bytes hex (32) value we use register W and for float we use S Level 4 ) Double value : 3.14159 / Hex : 0x400921F9F01B866E MOVK X0, #0xF01B866E, LSL #16 -->X0 = 0x00000000F01B866E MOVK X0, #0x400921F9, LSL #48 -->X0 = 0x400921F9F01B866E FMOV D0, X0 Note: 8 bytes hex (64) value we use register X and for Double we use D NOTE: SAME CONCEPT IN AARCH32 WITH (INT, BOOL, FLOAT, AND DOUBLE) LSL and MOV(Z/K) is the diffrences. PART II (LDR / STR): [STRING] ( NON UNITY GAMES ) Little-endian / Big-endians : LDR and STR are instructions used in ARMv7 and ARMv8 architectures to load and store data from memory. LDR stands for "Load Register" and is used to load a value from memory into a register. The syntax for LDR in ARMv7 and ARMv8 is LDR <Register>, [<Address>] STR stands for "Store Register" and is used to store a value from a register into memory. The syntax for STR in ARMv7 and ARMv8 is STR <Register>, [<Address>] where <Register> is the name of the register to load the value into, and <Address> is the memory address from which to load the value. In both cases, the square brackets around <Address> indicate that the value inside the brackets is a memory address, rather than a register. To load the string 'GG TESTING' into a register, you can use the LDR instruction. Assume the pointer to 'G' is 0x00000004 we can use this address as the base address for the LDR instruction. The instruction for loading the first four characters of the string into a 32-bit register (e.g., R1/X1) would be: • LDR R1/X1, [0x00000004] -- R1/X1 = 'GG T' This instruction loads the 32-bit value at memory address 0x00000004 into R1/X1. Note: Use the Move instructions above (PART I) to assign the value (address) to a register BEFOR USING LDR --> LDR R1/X1, [R0] -- R0 = 0x123456789 ( use MOV to assign the correct address to R0 or X0) To load the entire string into a register, you can use the LDR instruction with a register offset. Assuming the string is stored in consecutive memory locations, we can use the following instruction to load the entire string into a register (e.g., R1/X1) LDR R1/X1, [0x00000004], #10 This instruction loads the 32-bit value at memory address 0x00000004 into R1 and increments the base address by 10 (the length of the string). As a result, the entire string 'GG TESTING' will be loaded into R1. ADVANCED : If 'GG TESTING' is a half-word (i.e., each character is 2 bytes or 16 bits) and the pointer to 'G' is located at memory address 0x0000004 + 0x8, then the instructions for loading the string into a register would be different Dummy memory: 0x0000004 (<-- pointer )= 123 0x0000008 = 21 0x000000C = 9999999 0x0000010 = 'GG' 0x0000014 = ' T' -- with space at the start. 0x0000018 = 'ES' etc.. --> between every byte value ( character ) there is 0 [ example in memory 0x00000010 = 71 (G) <-- byte 0x00000011 = 0 <-- byte 0x00000012 = 71 (G) <-- byte 0x00000013 = 0 <-- byte 0x00000014 = 32 (space) <- byte ] To load the half-word 'GG' into a 32-bit register (e.g., R0/X0), we can use the LDRH instruction as follows: LDRH R0, [0x00000004, 0x8] This instruction loads the 16-bit value at memory address 0x00000010 into the lower 16 bits of R0/X0. Since we want to load the first two characters of the string, we add an offset of 0x8 to the base address. Read more about LDR To load the entire string into a register, we can use the LDRH instruction with a register offset as follows: LDRH R0, [0x00000004, 0x8], #0xC This instruction loads the 16-bit value at memory address 0x00000010 into the lower 16 bits of R1, and increments the base address by 0xC (or 12 bytes) to load the remaining characters of the string. The 'GG TESTING' string has a length of 10 characters, which corresponds to 20 bytes (11 characters x 2 bytes per character), so we need to load 12 bytes in addition to the first 2 bytes to load the entire string. AARCH64 : LDRH --> LDURH (Load Unsigned Halfword with a 64-bit offset) or LDSRH (signed) LDURH W0, [X1, #16] ; Load a halfword from the memory address X1 + 16 into W0 This loads a 16-bit unsigned halfword from the memory address X1 + 16 into the 32-bit register W0. Note that the offset value is added to the base register X1 to form the memory address. Also, because LDURH is an unsigned load instruction, the loaded halfword is zero-extended to 32 bits. NOTE: the LDURH instruction is specific to AArch64 architecture and is not available in AArch32 architecture. STR: STR is used to store the contents of a register into a memory location that is addressed using a base register and an optional offset. The contents of the register are written to the memory location, overwriting any previous data that was stored at that location. -->STR Rd, [Rn {, #offset}] where Rd is the source register whose contents will be stored in memory, Rn is the base register that points to the memory location where the data will be stored, and offset is an optional 32-bit offset that is added to the base register to form the memory address. Example of using the STR instruction to store the contents of R0 register into a memory location: --> STR R0/X0, [R1/X1, #4] ; Store the contents of R0/X1 into the memory location R1/X1 + 4. NOTE : STR Wd, [Xn, #offset], imm | the STR instruction with the imm option is only available in AArch64. |--> Wd/Xd, [Xn, #offset] The imm option allows you to add an immediate value to the offset to form the memory address. The immediate value is sign-extended to 64 bits, shifted left by the scale factor (which is determined by the size of the data being transferred), and then added to the offset. -> STR W0, [X1, #0x100], #0x20 -- This stores the contents of register W0 into the memory location pointed to by register X1 plus 0x100 plus 0x20, overwriting any previous data stored at that location. In AArch32, there is no imm option for the STR instruction. However, you can achieve a similar effect by adding the immediate value to the offset before using it in the instruction. Here's an example: ADD R2, R1, #0x120 --> R2 = R1 + 0x120 STR R0, [R2] --> Store R0 at address R2 Here, the ADD instruction adds the immediate value 0x20 to the base register R1, storing the result in R2. The STR instruction then stores the contents of register R0 into the memory location pointed to by register R2. Note: that the immediate value is added to the offset before using it in the instruction, rather than being added as a separate operand like the imm option in AArch64. --->FOR Using LDR / STR on values just LDR/STR R0/X0, [DESTINATION ADDRESS] Note : Unity games use pointers for the string ----------------------------------------------> Converting Float and Double to Hex <--------------------------------- This is mainly IEEE Standard for Floating-Point Arithmetic. (you can skip this part by using online converter) > You need : • Advanced Lua scripting Knowladge. • Math Knowladge. • Binary 32 and 64 Knowladge. --------------Please read--------------

I have tried everything and have ran out of charges to try this on. I can change the coins and gems super easily but the emoji charges are not working the same at all. Same with player level, not working. The game does have a "playerblob.json" file which is where everything is stored but there is some sort of encoding/encryption on it preventing the human eye from being able to read it (a form of scrambling the data) and I cannot for the life of me figure it out. Ultimately figuring this method out would be the easiest to manage but I haven't seen anyone successfully decode it yet. Maybe there's a smart person out there that can.

great, thank you

Oke, thanks for info. Will take a look.

Hi there, I am trying to manipulate memory value (related to health) at runtime based on an identified offset address. I can currently access the memory address that holds the health value by manually searching the exact health value of double type, but this address changes when I close and open the application. I would eventually like to persistently modify the health value after closing and opening the application, without having to manually search for the address. I am unsure what to do next in order to modify the health value using libil2cpp offsets. These are the following steps I've done so far: Used a rooted 64-bit Android emulator (Nox Player) with arm64-v8a instruction set. Retrieved the latest .apk file directly from the Android emulator's root /data directory using "adb pull". Dumped the "libil2cpp.so" file from the game's .apk using il2cppdumper. Used the dumped output from above to identify interesting function names "public double get_hp()" that contains offset addresses such as "Offset: 0x18D0258". On GameGuardian I've used "goto", then selected "Xa" and chose "libil2cpp.so". On GameGuardian I've used "Offset calculator" where the base address is from above and the offset is "18D0258" from step 4. I am presented with a couple of interesting ARM64 instructions: LDR D0, [X0, #0x28]; RET; My understanding is that X0 (general-purpose register, like a variable) holds a memory address and 0x28 offset is added to the X0 register and the result of X0 + 0x28 becomes the accessed memory address, where the value inside it is loaded into the D0 register. Knowing that this is related to public double get_hp() what minimal changes do I need to make so that I can return a specific value to change the health or make it so that the health does not change at all? Thanks!

Using "offset calculator" I go to the address (base addr + offset addr). should give you "PUSH" instruction (-- this will indicate the start of the function ) -- "POP" instruction indicate the end of the function. overwrite the original code won't crush the game if you do it right with the correct instructions. --return 100 as double value instructions are : ~A8 MOVZ X0, #0x5900 -- overwrite push instrunction ( dummy address : 0x0000 ) ~A8 MOVK X0, #0x4000, LSL #16 -- the instruction below push ( dummy address : 0x0004 ) ~A8 MOVK X0, #0x0000, LSL #32 -- etc ( dummy address : 0x0008 ) ~A8 MOVK X0, #0x0000, LSL #48 -- ( dummy address : 0x000C ) ~A8 FMOV D0, X0 ~A8 RET -- 6 (4 bytes address edits ) in total ( look dummy address ) -- the CPU will assume the function body is like after the edit : -- double currentHP () { -- return 100 -- } after you edit these 6 addresses the left over address until POP instructions became code cave you can inject a code in it without using gg.allocatePage() ( some game detect new alloc memory and it force close the game ) note : register X will hold 64 bit values , W will hold 32 bit values

GameGuardian work without root Parallel Space－Multi Accounts Best choice (no error 105)! Requires Android: Android 4.0.3 (IceCreamSandwich MR1) or later. There is support for x86. Optimized version (no error 105): Download APK VirtualXposed Requires Android: Android 5.0 (Lollipop) or later. There is support for x86. Optimized version (no error 105): Download APK DualSpace Requires Android: Android 4.0.3 (Ice Cream Sandwich MR1) or later. Optimized version (no error 105): Download APK Parallel Space Lite－Dual App Requires Android: Android 4.0.3 (IceCreamSandwich MR1) or later. There is support for x86. Optimized version (no error 105): Download APK Parallel Space Pro－App Cloner Requires Android: Android 4.0.3 (IceCreamSandwich MR1) or later. There is support for x86. Optimized version (no error 105): Download APK DualSpace Blue Requires Android: Android 4.0.3 (Ice Cream Sandwich MR1) or later. Optimized version (no error 105): Download APK DualSpace Lite Requires Android: Android 4.0.3 (Ice Cream Sandwich MR1) or later. Optimized version (no error 105): Download APK ES Parallel Accounts Requires Android: Android 4.4 (KitKat) or later. Optimized version (no error 105): Download APK GO Multiple Requires Android: Android 4.0 (IceCreamSandwich) or later. There is support for x86. Optimized version (no error 105): Download APK Dr. Clone Requires Android: Android 4.4 (KitKat) or later. There is support for x86. Optimized version (no error 105): Download APK Virtual Space Requires Android: Android 4.0.3 (Ice Cream Sandwich MR1) or later. There is support for x86. Optimized version (no error 105): Download APK NoxApp+ Requires Android: Android 4.0.3 (Ice Cream Sandwich MR1) or later. There is support for x86. Optimized version (no error 105): Download APK Octopus Requires Android: Android 4.4 (KitKat) or later. Optimized version (no error 105): Download APK AppBox Requires Android: Android 4.0.3 (Ice Cream Sandwich MR1) or later. There is support for x86. Optimized version (no error 105): Download APK Multiple Space Requires Android: Android 4.1 (Jelly Bean) or later. Optimized version (no error 105): Download APK clonneapp Requires Android: Android 4.0.3 (Ice Cream Sandwich MR1) or later. There is support for x86. Optimized version (no error 105): Download APK Parallel Accounts Requires Android: Android 4.2 (Jelly Bean MR1) or later. There is support for x86. Optimized version (no error 105): Download APK APP Cloner Requires Android: Android 4.1 (Jelly Bean) or later. Optimized version (no error 105): Download APK APP Hider Requires Android: Android 4.0.3 (Ice Cream Sandwich MR1) or later. There is support for x86. Optimized version (no error 105): Download APK Calculator+ Requires Android: Android 4.0.3 (Ice Cream Sandwich MR1) or later. There is support for x86. Optimized version (no error 105): Download APK Multi Requires Android: Android 4.0.3 (Ice Cream Sandwich MR1) or later. There is support for x86. Optimized version (no error 105): Download APK 2Face - Multi Accounts Requires Android: Android 4.2 (Jelly Bean MR1) or later. There is support for x86. Optimized version (no error 105): Download APK App Hider Lite Requires Android: Android 4.0 (Ice Cream Sandwich) or later. There is support for x86. Optimized version (no error 105): Download APK Dual App Requires Android: Android 4.0.3 (Ice Cream Sandwich MR1) or later. There is support for x86. Optimized version (no error 105): Download APK Phone (Dialer Vault) Requires Android: Android 4.0.3 (Ice Cream Sandwich MR1) or later. There is support for x86. Optimized version (no error 105): Download APK Notepad Requires Android: Android 4.0.3 (Ice Cream Sandwich MR1) or later. There is support for x86. Optimized version (no error 105): Download APK VMOS Requires Android: Android 5.0 (Lollipop) or later. Google Play APKPure Clone App Requires Android: Android 4.4 (KitKat) or later. Optimized version (no error 105): Download APK You can use other virtual spaces, but there may be a 105 error. These virtual spaces are used most often and for them there are optimized versions, so we recommend using them. Complete list of all optimized virtual spaces.

new icon for GameGuardian?