[Help me With Instruction logic]

It's for understanding game logic and then modding the game!

 

[Help me With Instruction logic]

9 hours ago, Un_Known said:

So finally I Got answer to this thnx to @saiaapiz .

Posting Answer here because it can help many!

The Program Counter is automatically incremented by the size of the instruction executed. This size is always 4 bytes in ARM state and 2 bytes in THUMB mode. When a branch instruction is being executed, the PC holds the destination address. During execution, PC stores the address of the current instruction plus 8 (two ARM instructions) in ARM state, and the current instruction plus 4 (two Thumb instructions) in Thumb(v1) state. This is different from x86 where PC always points to the next instruction to be executed. 

If above Answer is confusing this might be better explanation:

In ARM State:

PC (Program counter , R15). stores the address of the current instruction plus 8 (two ARM instructions) in ARM state.

In Thumb State:

For B, BL, CBNZ, and CBZ instructions, the value of the PC is the address of the current instruction plus 4 bytes.

For all other instructions that use labels, the value of the PC is the address of the current instruction plus 4 bytes, with bit[1] of the result cleared to 0 to make it word-aligned.

[Help me With Instruction logic]

On 6/27/2019 at 2:30 AM, Un_Known said:

Why pc is pointing to 0x8 shouldn't it be pointing to  0x4 from current address! 

As next  instruction would always be at 0x4 from current address

as instructions are of 32 bits (exclude thumb instruction set here )@saiaapiz

So finally I Got answer to this thnx to @saiaapiz .

Posting Answer here because it can help many!

The Program Counter is automatically incremented by the size of the instruction executed. This size is always 4 bytes in ARM state and 2 bytes in THUMB mode. When a branch instruction is being executed, the PC holds the destination address. During execution, PC stores the address of the current instruction plus 8 (two ARM instructions) in ARM state, and the current instruction plus 4 (two Thumb instructions) in Thumb(v1) state. This is different from x86 where PC always points to the next instruction to be executed. 

[Help me With Instruction logic]

3 hours ago, saiaapiz said:

Let me explain this real quick.

How they load offset, and calculate address ?

Explanation: 
* PC = (Current Instruction Address + 0x8)

00000000         LDR     R0, [PC, 0x1C]; Its calculated like this, R0 = (PC:00000008 + 0x1C = 00000024). Read val at 00000024 which is 0x14, then put into R0.
00000004         ADD     R0, PC, R0 ; Again, R0 = (PC:0000000C + 0x14 (Offset) = 00000020)
00000008         MOV     R1, #0x1234; Move 0x1234 into R1
0000000C         STR     R1, [R0]; Store R1:0x1234 value into R0:00000020 address.
00000010         BX      LR; Jump into LR (LR is register that store address of this function caller.)
00000014         ALIGN 0x10
00000020 MyValue DCD 0x0
00000024 Offset  DCD 0x14

You can find lot of information here, The ARM instruction set

Why pc is pointing to 0x8 shouldn't it be pointing to  0x4 from current address! 

As next  instruction would always be at 0x4 from current address

as instructions are of 32 bits (exclude thumb instruction set here )@saiaapiz

[Help me With Instruction logic]

50 minutes ago, saiaapiz said:

Let me explain this real quick.

How they load offset, and calculate address ?

Explanation: 
* PC = (Current Instruction Address + 0x8)

00000000         LDR     R0, [PC, 0x1C]; Its calculated like this, R0 = (PC:00000008 + 0x1C = 00000024). Read val at 00000024 which is 0x14, then put into R0.
00000004         ADD     R0, PC, R0 ; Again, R0 = (PC:0000000C + 0x14 (Offset) = 00000020)
00000008         MOV     R1, #0x1234; Move 0x1234 into R1
0000000C         STR     R1, [R0]; Store R1:0x1234 value into R0:00000020 address.
00000010         BX      LR; Jump into LR (LR is register that store address of this function caller.)
00000014         ALIGN 0x10
00000020 MyValue DCD 0x0
00000024 Offset  DCD 0x14

You can find lot of information here, The ARM instruction set

Thnx buddy for putting a lot of effort just to helpme!

[Help me With Instruction logic]

Above question can be ignored Updated:

I think it is offset is loaded into R1 after subtraction between ahighscore and 0x19D8B4 and their addresses being subtracted!

so Here ahighscore has address =>00319CEC

so 00319CEC - 0x19D8B4 =17C438

So R1, = 17C438 would it be an offset?

Am.i correct or Wrong?

@saiaapiz @Enyby

[Help me With Instruction logic]

1 hour ago, saiaapiz said:

Yes, you're correct.

This push offset into register, then add it with PC. So PC + Offset lead to dword_36BD38 which is targeted address.

R3 is address of dword_36BD38

What is happening here can u explain? I have highlighted offset pushed to R1 with cursor?

what type of sign is between ahighscore and offset is it just a dash ? What is purpose of ahighscore here? 

Any reference guide for arm instruction set ?

[Help me With Instruction logic]

1 minute ago, saiaapiz said:

Yes, you're correct.

This push offset into register, then add it with PC. So PC + Offset lead to dword_36BD38 which is targeted address.

R3 is address of dword_36BD38

ohh thnx buddy once again sorry for disturbing you

[Help me With Instruction logic]

It generally means that value of coins would be highest (because 2147483647 is largest dword) only when value in R0 is less than 0

Okk if  I change MOVLT to MOV

and STRLT to STR

then value will always be 2147483647 because it will bypass condition check 

is it correct

 

and plz elaborate this part =(dword_36BD38 - 0x19D86C)

couldn't understand this That 

What would be value in R3 register

@saiaapiz

 

[Help me With Instruction logic]

I have learnt a lot after joining GG forum. 

Thnx to @saiaapiz @Enyby

 

[Help me With Instruction logic]

Can anybody explain logic here 

It's ARM instruction set:

Here dword_36BD38 is uninitialized variable in .bss section

LDR       R3, =(dword_36BD38 - 0x19D86C) 

ADD      R3, PC, R3  ; dword_36BD38

CMP      R0, #0

STR       R0, [R3]

MOVLT   R2, #0x7FFFFFFF

STRLT     R2, [R3]

I have a little idea what's happening here but couldn't understand whole logic!

[Chainer]

Any update about this script @Enyby plz reply

[Chainer]

1 hour ago, Un_Known said:

@Enyby What's your view on this I mean adding ability to maually select chains.. which should be saved to script!

Would you like to include it in next update??

 

@Enyby hoping that you would listen to above suggestion and respond

[Libgame.so]

On 6/20/2019 at 11:36 PM, Enyby said:

Memory page is 4096 bytes. or 1000 in hex.

In general, you do not need to understand what and why. Enough to round up.
I do not have time for long and extensive explanations.

Thnx @Enyby

I Got the concept which you were trying to explain to me.

God Bless u!

[Chainer]

6 hours ago, Un_Known said:

Hello @Enyby for now i have a suggestion for chainer .lua script

and i think it would help to determine correct offsets.

what you should improve is to add ability to manually select the chains and save to script.

instead of saving all the chains to script.

Option to manually select chains.

And If you want an explaination on why that would be helpful tell me.

But adding option to select chains will Help us a lot.Thnx

@Enyby What's your view on this I mean adding ability to maually select chains.. which should be saved to script!

Would you like to include it in next update??

 

[Script Hill Climb Racing]

51 minutes ago, Zig said:

I found the value at fuel (Memory Xa: Code app) 

I found it in CA .

Check this script it will provide fuel value in CA.which u can modify to what u want.

com.fingersoft.hillclimb10.lua 

Use it when you start driving other wise won't work.

[Script Hill Climb Racing]

I need ur  help !

How did u found offset of fuel.

reply @Zig

or share what is offset to fuel thnx

[Chainer]

Hello @Enyby for now i have a suggestion for chainer .lua script

and i think it would help to determine correct offsets.

what you should improve is to add ability to manually select the chains and save to script.

instead of saving all the chains to script.

Option to manually select chains.

And If you want an explaination on why that would be helpful tell me.

But adding option to select chains will Help us a lot.Thnx

[Libgame.so]

32 minutes ago, Un_Known said:

Okk I got this concept very well but can't Kill my Curiosity and Enthusiasm and asking you another question that!

003A4BA8 is the address to be rounded off and and as you said we have to round off to thousand (last 3 digits 0)

and here 4 is rounded up to 5 because i think B which equals 11 in hex is a large no but if instead of B there would be a small number such as 3

and address should be like 003A43A8 in this case would it be rounded down means 4 would be reduced to 3 and  rounded off address should be like 003A3000. Is it correct ?

why we have to round off why is it required!

longlive well wishes @Enyby

 

I think I must be wrong with the above concept.

If that is so plz pardon me and instead i understood Rounding off but couldn't understand that what Full page or rounding to full page means or what are you trying to say can you help me with that @Enyby

[Libgame.so]

19 minutes ago, Enyby said:

Try read my messages.

You need round up .bss start address to full page. 3 last numbers must be zero.

[added 1 minute later]

00p to 003A5000. So you need add 5170 to it. In hex math of course.

Okk I got this concept very well but can't Kill my Curiosity and Enthusiasm and asking you another question that!

003A4BA8 is the address to be rounded off and and as you said we have to round off to thousand (last 3 digits 0)

and here 4 is rounded up to 5 because i think B which equals 11 in hex is a large no but if instead of B there would be a small number such as 3

and address should be like 003A43A8 in this case would it be rounded down means 4 would be reduced to 3 and  rounded off address should be like 003A3000. Is it correct ?

why we have to round off why is it required!

longlive well wishes @Enyby

 

[Libgame.so]

3 hours ago, Enyby said:

It can be any. 6.5 or 6.8 maybe even 5.0, maybe more new. Does not matter.

@Enyby I have shared two pics one depicting  from where my .bss section another depicting where it(.bss section) ends.

As i know that 5170 is the value or offset to be added to some address but bit confused about the address to which i have to add 5170, means how to figure out that address. Help_me Thanx

[Libgame.so]

36 minutes ago, Enyby said:

Round up to full page: 003D5000.

003D5000 + 5170 = 003DA170

Goto (key G):

We here:

We can press X and go on.

Thnx again for ur keen support

[Libgame.so]

6 minutes ago, Enyby said:

Round up to full page: 003D5000.

003D5000 + 5170 = 003DA170

Goto (key G):

We here:

We can press X and go on.

which version of ida do you use?  

[Libgame.so]

 

If know that this is static address of coins?

And I reverse libgame.so what address should i be looking for  during static analysis of LIbgame.so to find coins ?

@Enyby @NoFear

[Pubg VIP Decrypted Script! ℅Gain Knowledge℅]

View File

Pubg VIP Decrypted Script! ℅Gain Knowledge℅

---

Gain knowledge about hacks from script.

Enjoy learning!  would add beta features such as no bluezone damage and no Assault rifle damage but they are not mature yet.

Tell me if you still want them

Never Stop learning  

8x and 15x codes.

Hulk jump 

No Recoil lobby .

Underground scope .

Speed flash; Speed no lag etc

VVIP antenna and much more!!!.

 

---

• Submitter
  Un_Known
• Submitted
  06/19/2019
• Category
  PUBG