NoFear

Monday at 02:52 AM

3 hours ago, HorridModz said:
@EnybyHello, I am reporting a behavior that appears to be a bug in gameguardian.

It seems that the "Copy as group search", when used with "UTF-8" and "UTF-16", assumes that the values are consecutive, i.e. one byte apart. However, this is not always the case, causing group searches to sometimes fail.

This is best illustrated by examples: Let's search the string "abc" in UTF-8 and save the first 3 results, but leave out the second one:
gg.clearResults()
gg.setRanges(gg.REGION_ANONYMOUS)
gg.searchNumber(":abc", gg.TYPE_BYTE)
gg.addListItems(gg.getResults(1)) -- first result - "a"
gg.addListItems(gg.getResults(1, 2)) --third result - "c"
Now, we have two results: 97 byte, representing the character "a", and 99, representing the character "c". These results are a byte apart - so they do not directly form the string "ac" and would not be searchable as ":ac"; rather, they would be searchable by a group search that accounts for the byte in between: 97B;0~~0B;99B::3. However, the Copy as Group Search function, when I select UTF-8, gives ":ac". This is not the right group search and seems to be a bug.

In order to show why this is wrong, here is the situation where I discovered the bug. I had a script that writes a string to memory, like this:
function Write_String(mystring)
    --[[ Allocate memory in Anonymous region and write string to allocated memory ]]--
    address = gg.allocatePage(gg.PROT_READ | gg.PROT_WRITE, gg.REGION_ANONYMOUS)
    values = {}
    for i = 0, #mystring do
        values[#values + 1] = {address = address + i, value = ":" .. mystring:sub(i, i), flags = gg.TYPE_BYTE}
    end
    gg.loadResults(values) -- must load results before we can edit with setvalues
    gg.setValues(values)
end

Write_String("Here is my special string!")
If I run this script, I get the string written in consecutive byte values. I use Copy as Group Search for UTF-8, and it gives me the correct search: ":Here is my special string!".

But now let's revert what we just did by refreshing the game, change the address spacing to every 2 bytes, so the string is no longer consecutive, and copy it as a group search again:
function Write_String(mystring)
    --[[ Allocate memory in Anonymous region and write string to allocated memory ]]--
    address = gg.allocatePage(gg.PROT_READ | gg.PROT_WRITE, gg.REGION_ANONYMOUS)
    values = {}
    for i = 0, #mystring do
        values[#values + 1] = {address = address + i*2, value = ":" .. mystring:sub(i, i), flags = gg.TYPE_BYTE}
    end
    gg.loadResults(values) -- must load results before we can edit with setvalues
    gg.setValues(values)
end

Write_String("Here is my special string!")
We copy it as group search again, and get the exact same thing: ":Here is my special string!". However, now that the addresses are 2 bytes apart, this is wrong and will not work. If we try to search it, nothing comes up.

So, this is definitely not working right. I'm pretty sure that it's a bug. My suggestion for fixing this would simply be displaying an error message if the addresses were not consecutive, like this: "UTF-8 [or UTF-16] group search only works for consecutive addresses. Please use a different type of group search."

If there's any other information anyone would like, feel free to ask.

I believe the utf-8 and utf-16 is assumed consecutive characters, so will always be treated that way. Not really a bug. Can't search utf with "wildcard"/missing character. Byte search would be best approach.

April 17

4 hours ago, zwz said:

About hybridclr, I think it can be dumped completely, the field offsets are correct, but the method addresses are wrong, you can try to change the fields, and for hybridclr, you can dm me if you are interested.

I think I'm all set. Unless you think this info can help allow to mod the game. Would have friend mod the ios version.

April 10

4 hours ago, MonkeySAN said:

yup.

nothing happen when changing the gems directly while/after the offsets are modified.

but it need to remain modified after restart.

otherwise it trigger the ban.

Kinda figured. Curious if gems set back to 0 when done, if restart would still get banned...

April 10

Which game (playstore link)?

Can give better directions.

April 10

22 minutes ago, MAARS said:

Interesting, this technique could be also useful with my other project, which tool you use to monitor memory access ?

Gdb, rwatch on value. If editing value with GG triggers a ban or local error, just rwatch value to see everything reading it. Sometimes you'll get many results, just have to go through and find the one that triggers ban. Ideally, it'd be a branch to one anti cheat function. Then you could xref that function, NOP all the branches to it, or RET the function.

April 10

3 hours ago, imperialx said:

All was good but i tried unlocking legendary hero with 20 epic heros and boom instant ban

Offset was for gems. But I think eventually ban will occur unless the anti ban (for each item) needs to remain modified.

April 10

Without checking dump or going into ida, just simple debug to find what's reading gems.

Armv8

Offset: 11A6C34

Edit to

B [PC,#0x80]

This will skip the area that would trigger ban.

Then this

Offset: 113DD74

Mov w22 (large value).

This is what writes value after it does a check. So you can force it to write something excessive after it checks value (I don't think you have limit since the check will never branch to ban, see attached image).

You could apply this same concept to any value, just set read watch to see what is checking it, then bypass the ban. Could check dump or something to see what the offset is part of or maybe what it branches to.

April 2

12 hours ago, eliottalderson said:

Hello @NoFear
I know this is a bit late but is there any chance I can get the link to the discord server?

I don't have one for this

March 26

4 hours ago, 8ernity said:

I feel like it's impossible to see the functions in the game i'm tring to mod.
Any tips ? the screen of app goes black when i'm rwatch an address (which i guess is OK) then i only see "??" @NoFear
Tried IDA, now GG + gdb but no luck so far

The blue is an address location. Need to calculate the offset from start of lib to that address. That will be your offset that you would go-to in ida if using ida.

But the lib hit on your screen shot is system and not game lib... Can't debug on emulator if that's what you're attempting...

March 26

9 minutes ago, Fencey said:

Actually @NoFear can you teach us what software we need to use to find these values? So we can find them ourselves in the future

I used GG...

One could use ida or ghidra. But GG worked fine for finding it this time.

March 25

1 hour ago, 8ernity said:

How do you install GDB in termux ?

pkg install gdb

March 25

Armv8

C80E42B8r;081540FDr::3809

Edit

28008052r;E803679Er

And if you want to set so you can claim all without playing (set number of keys collected).

Offset (Version 6.9.5)

3FBCA54

Edit

00FA8052r

March 21

OpCodes changed slightly.

But still works.

March 20

20 hours ago, kotako said:

I trying change -

Android ID, ip address, IMEI, boot id, phone number, MAC-ADRESS, Serial info , Device ID, ID, reinstalling game/virtual machine clear all google services, well and offsets. And maybe something similar. but already forgot

This doesn't mean it was done correctly. I know in Android Faker, can do all those toggles and randomize. But if correct apps/services aren't selected, it won't matter what you change.

March 19

2 hours ago, kotako said:

As I said at the beginning, I used a virtual space with built-in android fakers, where I could select all the parameters for the phone. And it didnt work, but i get idea that the game can see a real IP through VPN, because even VPN does not change everything about a person. There is always the "original IP" and the game requests a "request for confidential information" every time when u enter the game. I think it would be better if you check it out for yourself, I'm just not a master at explaining something.

0x1E7AAC4 its offset for hack

diamonds, use it and buy any item in the store and try relogin game, then u get max. type ban.

Well, of course it's just a request, I won't force it, if you don't want to, then don't need

Then I can't help you. I had recommendation on tools that would work. It's your choice.

Good luck

March 18

4 hours ago, kotako said:

Well, in my opinion, I did everything right, but nothing works. + i tired use offset for delete check unique identifiers, but then i cant logging to online.

Well, thx for help

When module activated, what did you select for apps to apply it to?

March 18

12 minutes ago, kotako said:

I remember have virtual with "android faker" there will be fake boot id, imei and all other, but too didnt help

If not done correctly, it won't help.

March 18

If familiar with xposed framework, can try lsposed with either Android Faker or Geergit module.

March 17

4 hours ago, sammax71 said:

Now you'll get a million more pm's

Inbox full

March 16

2 hours ago, afmatt said:

Thanks for responding, figured that they had patched it - mainly was asking cause if there was a discord server talking about modding the game I'd be very interested in joining

It's not patched... He's just not selling anymore.

March 13

5 minutes ago, DoDevil said:

@NoFearso far i can find both diamond, gold and energy but i don't get how to add them or edit them, can you guide me? or just trick about encrypt

every time i edited game always freeze

btw i can copy cat QWORD of gem value to Coin or Energy and game not freeze

Yes. They are all pointers... You need to follow the pointer to see the "value".

March 12

1 hour ago, DoDevil said:

well, i don't know how to edit but if i freeze values it's work well

That's a pointer. You're on the right track... Follow it.

March 12

5 minutes ago, DoDevil said:

dump file

dump - Copy.zip 1.69 MB · 0 downloads

Fairly certain dump is incomplete and of no use...

Hybridclr

https://github.com/AkiKurisu/HybridCLR_IL2CPP_Modding

But even with that, I don't think you'll have much luck either.

March 12

6 minutes ago, DoDevil said:

i saw your post on iosgod and then try with GG but no clues

i will try again with unknown search on directly values

You have VIP at iosgods? It's exactly the same method.

March 12

It is possible with GG if that helps you any...

Sign In

Profiles

Forums

Downloads

Gallery

Posts posted by NoFear

Important Information