Jump to content


  • Content Count

  • Donations

  • Joined

  • Last visited

  • Days Won


Everything posted by Un_Known

  1. Because tencent Upgraded 3rd party app prevention system and enhanced detection of cheating behavior via Virtual App, emulators and modifiers.
  2. Introducing Some themes would be a great idea!
  3. Okk so continuing........ Now What's the possibility okk if VMLS is changed to VMLA then Fuel won't reduce instead it will increase! VMLA (Vector Multiply Accumulate) multiplies corresponding elements in two vectors, and accumulates the results into the elements of the destination vector. To edit it open this file in hex editor and navigate to address 0009ec84 and change Value 479B06EE to 079B06EE or directly search for pattern 479B06EE and replace it. NOP can also be used because it do nothing so that fuel will neither increase nor decrease. For NOP hex code is 00F020E3 Instruction set is Armv7
  4. Guide 1: Game version : 1.42.2 How to mod so that fuel Increase Instead of decreasing!! Steps: Load the libgame.so into IDA Note: Modding the ARMEABI-v7a is preferred! Use lib from this folder And delete other two Folders ARMEABI and ARM64-v8 Lets start! Find the offset of mechanism which decides the amount of fuel we have. I will explain it in another guide on how to find that! So Now I know that Offset is Libgame.so+0x9ec84 which means when you would load lib file in IDA, press G and enter 0009ec84 it would be the required address! VMLS.F64 D9 D6 D7 Ohh! This would be instruction at given address. What is it doing? so here prefix V stands vector ML for Multiplication and S for Subtraction. This instruction would be processed by floaing point coprocessor! Here F.64 means double precision and if it would be F.32 then it would means single precision. D9 D6 D7 are double precision registers for results and operand VMLS(Vector Multiply Subtract) multiplies corresponding elements in two vectors, subtracts the results from corresponding elements of the destination vector, and places the final results in the destination vector. Vector multiplication between content of D6 and D7 Then SUB the above results from D9 and then placing result of subtraction in D9. So this is the mechanism. We will alter this mechanisms in next guide to get unlimited fuel! Check out ARM reference guide for more information about these instructions.
  5. I will Post guides here About how to mod : Unlimited Coins Unlimited Diamonds Get Unlimited Fuel Unlock All Worlds Unlock All Vehicles Remove ads All vehicles Full upgraded! All guides would be posted here so stay tuned Prerequisites: I won't start from scratch Basic Knowledge About Using IDA Basics knowledge of ARM instruction set Apk signing and libgame.so extraction and putting modified libgame.so into apk. Hex editor! Some useful links: Orginal Apk Link: https://www.google.com/amp/s/m.apkpure.com/hill-climb-racing/com.fingersoft.hillclimb/amp Hxd Hex Editor: https://mh-nexus.de/en/hxd/
  6. A quick and easy guide on how to mod Hill Climb Racing (1.41.1) to get unlimited fuel mod (fuel will increase instead of decreasing) Working on version 1.41.1 Prerequisites: Hex Editor Apk or Zip Signer libgame.so Note: Generally 3 lib folders are found in this game but only edit libgame.so in Armeabi-v7a and delete other two folders. Steps: Extract the libgame.so file from apk Open it using hex editor search for hex pattern 479B06EE There would be two occurrences of this pattern Only edit the first one to 079B06EE save changes put libgame.so back to apk sign the Apk and install it. Enjoy and Explaination coming soon. It doesn't require a pc or laptop you can it it only using Your smartphone! com.myprog.hexedit_98.apk kellinwood.zipsigner2_31.apk
  7. Un_Known

    Base Address!!

    I got answers thnx everyone.
  8. Un_Known

    Base Address!!

    So i loaded lib in IDA it start from 00000000 and ends at 00378A98. Load segment 00000000-00064994 .plt segment 00064994-00065308 .text segment 00065308-002DCABC and so on. So here what should be my base address to which offset shouls be added! I think it should be 00000000 but want any further confirmation! @Enyby
  9. Un_Known

    Base Address!!

    I found a value in Game located at libgame.so + 0x8AE13. But when I would open lib in IDA what should be base address to which I have to add this offset to find that value? would it be 0000000 OR something else
  10. While lib files on android can be analysed statically very easily but dynamic lib debugging is also another option to get to know what is happening during runtime. When static analysis may take up alot of time dynamic analysis is always a better option! So how to debug libs? lib files are not independent they need a running process to be debugged. Let's Start: Perquisites: IDA PRO ADB Rooted Device USB cable Note: Enable usb debugging And don't select Filetransfer mode select PTP mode otherwise device won't be listed by ADB Google if you don't Know how to Connect to PC using ADB Now Load lib in IDA PRO first which is to be analysed. Now connect your device to PC over ADB Go to IDA PRO installation directory and from folder dbgsrv copy file android_server to adb folder And execute following commands: adb devices [To make sure device is connected ] adb push android_server /local/data/tmp adb shell su cd /data/local/tmp ll [To Get list of files incurrent directory] chmod 755 android_server ./android_server Minimizethe windows where android_server is running and open a new command prompt window and run following command: adb forward tcp:23946 tcp:23946 select the "Remote ARM Linux/Android debugger", go into "ProcessOptions" in the debugger menu, and set the hostname to localhost.And port : 23946 Now Run the apk on your device from which this lib was extracted! And In IDA go to: Debugger menu Choose attach to process and from list of processes select the process of your apk. Thnx Any correction and suggetion would be welcomed!
  11. I was dynamically analysing LIB file of a game using IDA pro's debugger when I got SIGTRAP exception. And control Flow stopped! How to work around such anti debugging techniques.
  12. You have to make a search first! It only work if values are available in search list!
  13. Feature not added so Feeling sad! No update since long Time !
  14. It's for understanding game logic and then modding the game!
  15. Sorry bit of confusion was there correction LDR r2,[r1],r0,lsl#3 = 802191E6 LDR R0,[R1],R2,LSL#3 = 820191E6 just want to know what is happening in this particular example
  16. If above Answer is confusing this might be better explanation: In ARM State: PC (Program counter , R15). stores the address of the current instruction plus 8 (two ARM instructions) in ARM state. In Thumb State: For B, BL, CBNZ, and CBZ instructions, the value of the PC is the address of the current instruction plus 4 bytes. For all other instructions that use labels, the value of the PC is the address of the current instruction plus 4 bytes, with bit[1] of the result cleared to 0 to make it word-aligned.
  17. No! I think take a look. The instruction i shared was v7 ARM and it's legitimate one but i want to understand this particular example only because i know the concept of post indexing addressing but this particaular example is giving me hard time! I read guide and references but couldn't find clue to it! This is bit difficult than others hope somebody would help!
  18. No.Instruction is absolutely correct ! Here ARM v7 Hex for this instruction is : 820191E6 and equivalent ARM v7 Thumb instruction for this is : LSLS R2, R0, #6 B #0xFFFFFD28 @NoFear
  19. So finally I Got answer to this thnx to @saiaapiz . Posting Answer here because it can help many! The Program Counter is automatically incremented by the size of the instruction executed. This size is always 4 bytes in ARM state and 2 bytes in THUMB mode. When a branch instruction is being executed, the PC holds the destination address. During execution, PC stores the address of the current instruction plus 8 (two ARM instructions) in ARM state, and the current instruction plus 4 (two Thumb instructions) in Thumb(v1) state. This is different from x86 where PC always points to the next instruction to be executed.
  20. Can somebody explain following post indexing example from ARM instruction set LDR r0, [r1] ,r2, lsl#3
  21. which game software ? plz elaborate and clarify your question for good understanding.
  • Create New...