NoFear

Posts posted by NoFear

  1. I think iosgods has an lldb debugging guide for iOS.

    It's not too different from Android. lldb only supports x64 on Android, so you may want to do the equivalent with gdb.

    3 minutes ago, CmP said:

    It's xor-encryption with the key "1 545 691 265" (equal to value with 0 coins).

    1 545 691 265 xor 37 = 1 545 691 300

    1 545 691 265 xor 487 = 1 545 691 494

    Therefore, to get encrypted value Y that corresponds to real value X, you need to use the following formula:

    Y = 1 545 691 265 xor X

    This will work, if the key is constant. If it is not, you will first need to find it out to be able to calculate encrypted values.

    Heh, didn't even think to try that first 😛

    Edit:

    For more complex encryption, debugging could help.
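An added example (not CmP's or NoFear's code) that works the formula above in Lua 5.3 syntax (`~` is XOR; a 5.3 interpreter is assumed): it recovers the key from observed (real, encrypted) pairs, checks that every pair yields the same key, which is the condition CmP's formula depends on, and then produces the encrypted DWORD to search for or write. The first two pairs are the ones quoted; the third is constructed from the statement that the key equals the stored value at 0 coins.

```lua
-- Added example (not CmP's or NoFear's code). With a fixed XOR key,
-- enc = key ~ real, so key = real ~ enc for any (real, enc) pair.
-- Pairs 1 and 2 are from the post above; pair 3 is constructed.
local observed = {
  {real = 37,  enc = 1545691300},
  {real = 487, enc = 1545691494},
  {real = 0,   enc = 1545691265},
}

-- GG shows DWORDs as signed 32-bit; normalise to unsigned for the bit maths
-- and back to signed for anything that goes into searchNumber/setValues.
local function u32(v) return v & 0xFFFFFFFF end
local function dword(v)
  v = u32(v)
  if v >= 0x80000000 then v = v - 0x100000000 end
  return v
end

-- Recover the key from every pair and require them all to agree.
-- Returns the key, or nil and the first pair whose key differs.
local function recoverKey(samples)
  local key
  for _, s in ipairs(samples) do
    local k = u32(s.real) ~ u32(s.enc)
    if key == nil then
      key = k
    elseif k ~= key then
      return nil, s       -- not a constant XOR: find the key by debugging instead
    end
  end
  return key
end

local function encode(key, real) return dword(key ~ u32(real)) end   -- value to search for / write
local function decode(key, enc)  return dword(key ~ u32(enc)) end    -- what a stored DWORD means

local key, bad = recoverKey(observed)
if key == nil then
  print(("key changes between samples (real=%d enc=%d)"):format(bad.real, bad.enc))
else
  print("key = " .. key)
  print("to set 1000000 coins, write: " .. encode(key, 1000000))
  print("stored 1545691494 is really: " .. decode(key, 1545691494))
end
```

If `recoverKey` returns nil, the value is not a plain XOR with a fixed key (for example the key is derived from something that changes per run), and that is the case where the watchpoint approach in the next post is needed.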

  2. Maybe with gdb. Set a write watchpoint on the value; then you'll get an offset related to the encryption. Assuming the game is a lib file and not a DLL.

  3. 3 hours ago, NotATypicalHacker said:

    This developer gave me an extreme headache because the security of the game was god d*** high; even when I edit the right things, it gets banned so soon. Hope they figure out how to mod it at least.

    Do you know how to hack the XP or Level, NoFear?

    Yes, I do.

    3 hours ago, NotATypicalHacker said:

    What is the limit for the medkit, food and water values so it will not get banned? Is it more than 10k or less? I only do 1k max in case my alt gets banned.

    Or maybe the Stats Points value.

    As for limits: not sure of the exact limits. Most things seem safe. Hard currency is the one with a limit.

    Editing values is very complex...

  4. 50 minutes ago, NotATypicalHacker said:

    I wonder how iOSGods manages to make a damage hack?

    The hack pretty much works on med kit, food and water, but with a wrong edit the game force closes and you get banned.

    Anyway, how to do a Level or XP hack?

    I talked with the modder about it.

    Seems the game is very different on iOS in its protections.

    He was looking at the American version too.

    If you edit things correctly and within limits, it seems safe.

    Even if you edit perfectly and do something too high, you'll just get a delayed ban instead.

  5. 3 minutes ago, saiaapiz said:

    No watchpoint support.
    Backtrace? I can only find LR (the address of the current function's caller).

    I've created shellcode that saves R0-R12 and LR onto the stack, then copies the stack address into my allocated region so I can read it with a script.

    
    ROM:00000000                 STMFD           SP!, {R0-R12,LR}
    ROM:00000004                 LDR             R0, =0xBBBBBBBB
    ROM:00000008                 STR             SP, [R0]
    ROM:0000000C
    ROM:0000000C isLocked                                ; CODE XREF: ROM:00000014j
    ROM:0000000C                 LDR             R0, =0
    ROM:00000010                 CMP             R0, #1
    ROM:00000014                 BNE             isLocked
    ROM:00000018                 LDMFD           SP!, {R0-R12,LR}
    ROM:0000001C                 LDR             PC, =0xAAAAAAAA
    ROM:0000001C ; ---------------------------------------------------------------------------
    ROM:00000020 _returnaddress  DCD 0xAAAAAAAA          ; DATA XREF: ROM:0000001Cr
    ROM:00000024 _stackaddress   DCD 0xBBBBBBBB          ; DATA XREF: ROM:00000004r
    ROM:00000028 _spinlockctl    DCD 0                   ; DATA XREF: ROM:isLockedr

     

    Ok. I'll stick with gdb for sure. Thank you.
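An added example (not saiaapiz's code) of the script side of that shellcode: `STMFD SP!, {R0-R12,LR}` leaves R0 at the new SP, R1 at SP+4, and so on up to LR at SP+52, and the shellcode stores that SP into the slot at the `0xBBBBBBBB` placeholder. The script reads the slot, fetches the 14 DWORDs with `gg.getValues`, names them, and then writes 1 into `_spinlockctl` (at shellcode base + 0x28 in the listing) so the spin loop exits and the hooked code resumes. `STACK_ADDR_SLOT` and `SHELLCODE_BASE` stand in for the addresses the script chose when it allocated and wrote the code; both are assumptions, not values from the post.

```lua
-- Added example (not saiaapiz's code). Assumed addresses: STACK_ADDR_SLOT is
-- what replaced the 0xBBBBBBBB placeholder, SHELLCODE_BASE is where the
-- shellcode listing was written; _spinlockctl sits at base + 0x28 in it.
local STACK_ADDR_SLOT = 0xBBBBBBBB
local SHELLCODE_BASE  = 0xAAAA0000
local SPINLOCK_SLOT   = SHELLCODE_BASE + 0x28
local REGS = {"R0","R1","R2","R3","R4","R5","R6","R7","R8","R9","R10","R11","R12","LR"}

-- Build the table gg.getValues expects: one DWORD entry per saved register,
-- in the order STMFD stored them (lowest register at the lowest address).
local function frameRequest(sp)
  local req = {}
  for i = 1, #REGS do
    req[i] = {address = sp + 4 * (i - 1), flags = gg.TYPE_DWORD}
  end
  return req
end

-- Turn the filled-in table back into name -> value.
local function nameRegisters(vals)
  local regs = {}
  for i, v in ipairs(vals) do regs[REGS[i]] = v.value end
  return regs
end

-- Read the frame, print it, then release the spinlock so the hooked code resumes.
local function dumpRegisters()
  local slot = gg.getValues({{address = STACK_ADDR_SLOT, flags = gg.TYPE_DWORD}})[1]
  local sp = slot.value & 0xFFFFFFFF          -- GG shows DWORDs signed; treat as an address
  if sp == 0 then return nil, "hook not hit yet" end
  local regs = nameRegisters(gg.getValues(frameRequest(sp)))
  for _, name in ipairs(REGS) do
    print(("%-3s = 0x%08X"):format(name, regs[name] & 0xFFFFFFFF))
  end
  -- LR is the return address into the caller; bit 0 set means the caller is Thumb code.
  local ret = regs.LR & 0xFFFFFFFF
  print(("caller return address 0x%08X (%s)"):format(ret & ~1, (ret & 1) == 1 and "Thumb" or "ARM"))
  gg.setValues({{address = SPINLOCK_SLOT, flags = gg.TYPE_DWORD, value = 1}})  -- let the loop exit
  return regs
end

dumpRegisters()
```

Subtracting the lib's load address from the reported return address gives the offset of the call site inside the lib file, which is what you need to find the caller in a disassembler. Registers R0-R3 at that point are the hooked function's arguments if the hook sits at its entry.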

  6. 5 minutes ago, saiaapiz said:

    Yes, it looks like when you set up a breakpoint with gdb, where you can view/change registers in real time.

    In short, can you add an API for PTRACE_SETREGS and PTRACE_GETREGS into GG, so we can view registers at any address?

    Watchpoint? (Not breakpoint.)

    And does it do backtrace too?

    Just find it interesting that GG is implementing debugging features when Enyby was/is firmly against it for the last couple of years.

  7. 1 hour ago, Linkrag said:

    I can only find health, by using auto, because it's a float with random digits after the value. So just insert the original health, take damage and refine. But I can't find anything else from the stats.

    Fairly certain that's not the right value. On the right track.

  8. 1 hour ago, saiaapiz said:

    I wish Enyby would add this feature into GG, so I can avoid compatibility issues with shellcode.

    We can get dynamic pointers by viewing registers, and make cheating more advanced.

    Is this using that chainer script?

    I haven't tried using it yet. Does it give offsets in the lib file for modifying registers?

  9. 21 minutes ago, Enyby said:

    All of that is a hard task and needs a lot of work for each game. LP works on a general basis with many games.

    It is a lot of work.

    But where LP fails, this could succeed. 

  10. 4 hours ago, Enyby said:

    The reverse is also true.
    Purchases within applications are not things that can be done through a memory editor.
    There, a request is sent to the market in one part of the code, and another part of the code receives the response from the market. These are not things that can be easily changed through a memory editor.
    In any case, if we are talking about a fake request, and not its modification.

    I remap pointers, or can change the purchase type from in-app to currency.

    Pointers I remap change the item(s) that you buy with gold/gems.

  11. 26 minutes ago, DuDono said:

    I can't buy candies, and the candies are used to buy some special plants (mints).

    Candy not obtainable any other way, then?

    Seems the person in the pictures above edited and was fine.

  12. 4 minutes ago, Enyby said:

    This is the basic idea. It can be developed further, but the main point is this.

    And logging cannot help bypass such protection. It is fundamentally impossible.

    Even in the simplest version, such protection is enough to stop most fans from copying pieces of code from the logs.

    Just too bad GG can't implement some type of protection against the ability to see searches/edits...

    Guess, as always, it takes a few to ruin it for all.

  13. 1 hour ago, Enyby said:

    Search in a complicated way, not a simple one. Since the code can be hidden and it is much more difficult to get to it: look for several things, read offsets from them, and then edit through setValues. Also use getValues. This will not allow the tracking logic to repeat it. For example, I do three searches, then from one of the results I take an offset of 100, read the value from it, and so on. In the log it will be a jumble.

    Ahhhh. Gotcha.

    Basically have multiple searches; only one search is the legit search.

    As it is, in the scripts I have badcase do, we rarely or never search the real value. And the real value is nowhere near it either.

  14. On 3/6/2019 at 8:45 PM, Enyby said:

    Here is an example of the simplest code:

    
    gg.clearResults()
    gg.searchNumber('111', gg.TYPE_DWORD)
    gg.getResults(10)
    gg.editAll('222', gg.TYPE_DWORD)
    gg.clearResults()
    gg.searchNumber('333', gg.TYPE_DWORD)
    gg.getResults(10)
    gg.editAll('444', gg.TYPE_DWORD)
    gg.clearResults()
    gg.searchNumber('555', gg.TYPE_DWORD)
    gg.getResults(10)
    gg.editAll('666', gg.TYPE_DWORD)
    gg.clearResults()

    It is easy to steal it by logging:

    
    gg.clearResults()
    gg.searchNumber("111", gg.TYPE_DWORD)
    gg.getResults(10)
    gg.editAll("222", gg.TYPE_DWORD)
    gg.clearResults()
    gg.searchNumber("333", gg.TYPE_DWORD)
    gg.getResults(10)
    gg.editAll("444", gg.TYPE_DWORD)
    gg.clearResults()
    gg.searchNumber("555", gg.TYPE_DWORD)
    gg.getResults(10)
    gg.editAll("666", gg.TYPE_DWORD)
    gg.clearResults()

    And now I wrote the same script like this:

    
    gg.clearResults()
    gg.searchNumber('111', gg.TYPE_DWORD)
    t1 = gg.getResults(10)
    gg.clearResults()
    gg.searchNumber('333', gg.TYPE_DWORD)
    t2 = gg.getResults(10)
    gg.clearResults()
    gg.searchNumber('555', gg.TYPE_DWORD)
    t3 = gg.getResults(10)
    for i,v in ipairs(t1) do v.value = '222' end
    for i,v in ipairs(t2) do v.value = '444' end
    for i,v in ipairs(t3) do v.value = '666' end
    gg.setValues(t1)
    gg.setValues(t2)
    gg.setValues(t3)
    gg.clearResults()

    Here is the log of its execution:

    
    gg.clearResults()
    gg.searchNumber("111", gg.TYPE_DWORD)
    gg.getResults(10)
    gg.clearResults()
    gg.searchNumber("333", gg.TYPE_DWORD)
    gg.getResults(10)
    gg.clearResults()
    gg.searchNumber("555", gg.TYPE_DWORD)
    gg.getResults(10)
    gg.clearResults()
    gg.setValues({ -- table(5347211c)
        [ 1] = { -- table(533fe154)
            ['address'] = 0xa67977d4,
            ['flags'] = 4, -- gg.TYPE_DWORD
            ['value'] = 666,
        },
        [ 2] = { -- table(533f8d04)
            ['address'] = 0xa6799900,
            ['flags'] = 4, -- gg.TYPE_DWORD
            ['value'] = 666,
        },
        [ 3] = { -- table(533f48bc)
            ['address'] = 0xa679aec8,
            ['flags'] = 4, -- gg.TYPE_DWORD
            ['value'] = 666,
        },
        [ 4] = { -- table(533f41f4)
            ['address'] = 0xa679c8b8,
            ['flags'] = 4, -- gg.TYPE_DWORD
            ['value'] = 666,
        },
        [ 5] = { -- table(533f1c04)
            ['address'] = 0xa67a252c,
            ['flags'] = 4, -- gg.TYPE_DWORD
            ['value'] = 666,
        },
        [ 6] = { -- table(533eea74)
            ['address'] = 0xa67a4278,
            ['flags'] = 4, -- gg.TYPE_DWORD
            ['value'] = 666,
        },
        [ 7] = { -- table(533ee8b0)
            ['address'] = 0xa67bf908,
            ['flags'] = 4, -- gg.TYPE_DWORD
            ['value'] = 666,
        },
        [ 8] = { -- table(533ecf4c)
            ['address'] = 0xa67e2fdc,
            ['flags'] = 4, -- gg.TYPE_DWORD
            ['value'] = 666,
        },
        [ 9] = { -- table(533e0e24)
            ['address'] = 0xa6804924,
            ['flags'] = 4, -- gg.TYPE_DWORD
            ['value'] = 666,
        },
        [10] = { -- table(533e01c0)
            ['address'] = 0xa680e8f4,
            ['flags'] = 4, -- gg.TYPE_DWORD
            ['value'] = 666,
        },
    })
    gg.setValues({ -- table(534751bc)
    })
    gg.setValues({ -- table(534b5408)
    })

    Did it help you to understand what the script is doing?
    And after all, I could have made only one setValues call, having united the three tables.

    Also, this log cannot be run and used as a script, unlike the first option.

    So instead of complaining that everything is bad, write scripts so that they cannot be stolen through logging. And no checks will be needed.

    Appears it only disguises the edit, not the search.

    Half the battle with GG is what to find, not how to edit. If the value is encrypted and unique and your search gives it away, editing can easily be figured out without logging.
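An added example (not Enyby's or NoFear's script) that goes one step past the `setValues` rewrite above and implements what the earlier post describes: search for something that is not the target, step from each hit by a fixed offset, read those addresses with `gg.getValues`, keep only the ones that look right, and write with `gg.setValues`, with decoy searches mixed in at random order. `ANCHOR`, `OFFSET`, `PLAUSIBLE`, `NEW_VALUE` and `DECOYS` are placeholders for what you work out by hand for a given game; none of them come from this page, and a Lua 5.3 GG runtime is assumed.

```lua
-- Added example (not Enyby's or NoFear's script). All constants are placeholders.
local ANCHOR    = '8675309'      -- a value that sits near the real target, not the target itself
local OFFSET    = 0x100          -- hypothetical distance from an anchor hit to the real value
local PLAUSIBLE = {min = 0, max = 99999}  -- sanity range a real (decoded) target should fall in
local NEW_VALUE = 5000
local DECOYS    = {'111', '333', '555'}   -- searches done only to clutter the log

-- One search, results handed back to the caller and the result list cleared again.
local function search(text)
  gg.clearResults()
  gg.searchNumber(text, gg.TYPE_DWORD)
  local r = gg.getResults(100)
  gg.clearResults()
  return r
end

-- Read the candidates at anchor + OFFSET and keep only the plausible ones.
-- The offset and this filter never appear in the log, only the resulting addresses do.
local function findTargets()
  local hits = search(ANCHOR)
  if #hits == 0 then return {} end
  local req = {}
  for i, h in ipairs(hits) do
    req[i] = {address = h.address + OFFSET, flags = gg.TYPE_DWORD}
  end
  local targets = {}
  for _, v in ipairs(gg.getValues(req)) do
    if v.value >= PLAUSIBLE.min and v.value <= PLAUSIBLE.max then
      targets[#targets + 1] = v
    end
  end
  return targets
end

local function edit(targets, newValue)
  for _, t in ipairs(targets) do t.value = newValue end
  gg.setValues(targets)
end

-- Real work interleaved with decoys, in a different order each run.
math.randomseed(os.time())
local targets = {}
local steps = {}
for _, d in ipairs(DECOYS) do steps[#steps + 1] = function() search(d) end end
steps[#steps + 1] = function() targets = findTargets() end
for i = #steps, 2, -1 do
  local j = math.random(i)
  steps[i], steps[j] = steps[j], steps[i]
end
for _, step in ipairs(steps) do step() end

if #targets == 0 then
  gg.alert('Anchor not found or nothing plausible at the offset; the game may have changed.')
else
  edit(targets, NEW_VALUE)
end
```

What the log records is four searches it cannot tell apart and a `setValues` with addresses that differ every run, so it cannot be replayed as a script. The limitation NoFear raises still holds: if `ANCHOR` were the real (unique, encrypted) value itself, the log would give the find away regardless of how the edit is done, which is why the anchor has to be something else.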

  15. 1 hour ago, Enyby said:

    You can say thank you to ssu (DoS site), TisNquyen (malicious scripts) and others, whose actions led to the addition of powerful logging.

    But, as I have written repeatedly, you can write scripts so that logging does not help steal the scripts. This is just a matter of desire and qualification.

    Maybe give a hint as to the direction to go in writing such protected scripts?

    You imply it's possible, but I feel no one knows how except yourself.
