
MC874

Contributor
  • Posts: 539
  • Joined
  • Last visited
  • Days Won: 19

Everything posted by MC874

  1. MC874

    custom lib

    Hi! It's possible. Haven't you tried this list of tools?
    - Memory-Dumper
    - MemDumper
    - MemDumper APK
    Try the APK one first; it should work across libs. To run the others, you need Termux. Make sure to run the commands with elevated root permissions:
  2. I would say: Yes and No. Most wallhacks involve the GLES lib (OpenGL); it acts as shaders. On lib dumps, you can search for "vertex", "renderer", "buffer", "shader", "alpha" in the Player properties. Or you can play around with floats, since vertices are mostly stored as floats. EDIT1: Maybe you can refer to this topic: Wallhack for Most Games
  3. Hi! I don't think a wallhack is simply defined by an offset. In fact, it modifies the device's OpenGL, kind of like shaders. That's why it depends on the device processor (Snapdragon, Mediatek, etc.). It is different from ESP, which hooks the player class and is then drawn on an overlay. Making ESP is possible from a dumped lib, while a wallhack is not (correct me if I'm wrong).
  4. Hi! Pseudo-code views don't convert offsets into literal bytes; they show a function name. Usually it is named sub_5678, unk_5678, etc. You can simply click on that function and take note of the address. Sometimes it also includes encrypted strings, so you need to XOR those. To view it very clearly, you need to dump the SDK instead of using disassemblers. Sorry that I can't give a visual example, I don't have much time for that. Typed this on my mobile phone xD
  5. Hi! IDA by default only disassembles bytecode into a set of instructions; this is harder for starters because they also need to learn assembly language. For easier reading, you can use the Pseudo-code plugin in IDA.
    - If you're using a cracked IDA Pro version, you need to find an IDA that has the Hex-Rays feature to be able to use Pseudo-code.
    - Use CTRL+Enter to open a new Pseudo-code window in IDA.
    - You can search for IDA 7.0/7.2 (I forgot) that has the Hex-Rays feature.
    Alternatively, you can use Ghidra. It's a similar app to IDA and it's free. I think they also have a decompiler that is able to create pseudo-code from a plain library (I haven't tested it yet, so IDK). Or you can learn assembly itself; usually a concatenation of MOV, JMP, BL instructions would lead to an offset. Anyway, here are some references related to assembly:
    - Hex-Patching
    - Libil2cpp.so Editing
  6. MC874

    Vphone gaga - Vmos

    - Probably some admin can rename 'View' to the content's name? @Collen Or is it hardcoded by default?
    - The second link is not accessible for guests; it can only be accessed by the owner. Need to update it ASAP (see the attachment in your DM)
  7. MC874

    Vphone gaga - Vmos

    Hi! There are 2 issues with your post:
    - The files are named 'View'; please name them accordingly (I can't tell the difference between VPhoneGaGa and VMos)
    - The VMos Pro links are dead; please update the Google Drive link or upload it to Mediafire or ZippyShare
  8. That's unfortunate; what version have you tried? For me, it's working well using the modded VPhoneGaGa from here: Modded VPhoneGaGa. Also, note that VPhoneGaGa uses a 64-bit architecture, so you need an Arm64/x64 phone to make it work well. But I think there's a 32-bit version as well, here: 32-Bit VPhoneGaGa. I haven't tried it though, I don't have an x86 device with me. If this still crashes, perhaps it depends on the device itself.
  9. Hi! You need to restart your VPhoneGaGa after installing Magisk. Also don't forget to disable the SuperSU option, so it doesn't conflict with MagiskSU.
  10. Hi! What you mean is to "dump all the lib files other than libil2cpp", is that correct? You can try MemDumper; it will dump any lib file from memory. Just specify your target lib using:

        ./memdumper -p [Your.Game.Pkg] -l -r -n YourTargetLib.so -o /storage/emulated/0/dump
        ./memdumper -i [123YourgamePID] -l -r -n YourTargetLib.so -o /storage/emulated/0/dump

        # Automate: dump the target lib from every process of the game package
        for i in $(pidof your.game.pkg); do
            ./memdumper -i "$i" -l -r -n YourTargetLib.so -o /storage/emulated/0/dump
        done
  11. MC874

    offset from lib

    Hi! Could it be the script is confused by the one-liner? You might want to try this:

        -- set one value at an absolute address with the given GG type flags
        function setprops(address, flags, value)
          local tt = {}
          tt[1] = {}
          tt[1].address = address
          tt[1].flags = flags
          tt[1].value = value
          gg.setValues(tt)
        end

        so = gg.getRangesList('libil2cpp.so')[1].start
        py = 0x10BBCDC
        setprops(so + py, 4, 1384440288)

    - Fixed indentation
    - Changed function name
  12. MC874

    Android 12?

    I'm not sure, I don't have an Android 12 device. I'm just deriving from the previous post; some people commented that the old version works, you might try it yourself:
  13. MC874

    Android 12?

    Hi! You can see the version history on APKCombo. You can check it here:
    - PARALLEL SPACE APK - 4.0.9165
    - PARALLEL SPACE - 64BIT SUPPORT APK - 1.0.3075
  14. MC874

    Reset all changes

    Your script is working fine, but the problem is in the search value. The script is unable to find a result at index 1 according to this: Are you really sure you got the correct one? Values can be dynamic or based on the game session.
  15. MC874

    Reset all changes

    Hi! The problem is .value1 while it should be just .value; it's a hardcoded function, not a variable. Change it to this:

        your_values2[1].value = 5000
        your_values2[6].value = 5000
        your_values2[9].value = 5000
  16. MC874

    dump lib

    Hi! There have been some attempts at this, but I haven't tried it myself. Maybe look up a runtime libil2cpp dumper such as this: Auto Il2cppDumper, or use the Magisk Zygisk dumper: Zygisk Il2CppDumper. They are relatively new; they might work with the latest one. It might only work on low-level games, so the idea of dumping the lib without metadata in most games is hard/impossible.
  17. Hi! It looks like the game has some kind of protection? Did this happen instantly or when you were changing some values? I assume it somehow detects hooker apps; here's what you can do:
    1) If you're on an emulator, why not use Cheat Engine? This will avoid the game's app/hook detection. (Recommended)
    2) If the game uses some package blacklisting, you might try SudoHide, but make sure to have the LSPosed / XPosed framework installed.
    In summary, this could happen because of several things:
    1) The game has emulator detection and forbids you from playing the game in emulation
    2) The game detects the Game Guardian installation
    3) The game has hooker detection, meaning it will trigger that screen when you attach GG to the game
    4) The game has memory detection; it will show the screen when you're changing some values.
    You can add more description to your post if it's related to any one of these.
  18. Hi! There are several ways that indicate this:
    1) Check if the game communicates with the game server often, even when not scrolling through the in-game marketplace/items. You can use PCAPDroid or HTTPCanary to check your game's connections.
    2) The game uses an online account / GPlay account, etc.
    3) When you're changing some values, the game reverts them by sending some connection; check it in PCAP. For websocket connections, find the game connection that is still "Open".
    This could be the case but doesn't always indicate the values being stored on the server. Here's why:
    1) It's not a real value, meaning that it is only visual and is updated based on real values. You should find the right one by finding what address is changing the visual; it may lead to the real one.
    2) The game has memory change detection; it means you need to disable the address that accesses your values to make them stay unchanged. See common hex patching here: Hex Patching
    3) The game is client-sided but the server forces previously saved values; you can simply block the connection that causes this in PCAP.
    Actually, server-sided games can still be hacked, but they need a different workaround instead of directly changing the values:
    1) If you want to increase the game money to buy some item, you can just hack the item instead. Change the price to 0 or a Free state; each game may differ, it can depend purely on currency or game state. For example: "free": false is a state of an item that isn't free, or you can change the price itself ("currency": 1234), something like that.
    2) You can do a connection swap; using network engineering with Postman, you can try to get a free item. When you click on claim, change the Item ID in the game connection to a paid item; you will get the paid item for free by manipulating this.
    3) If the game is related to Google Play accounts, you might check this post: Hacking Rare Currencies
  19. Hi! Instead of waiting for updates, you can try the alternative: LSPosed. It's the XPosed framework but using Magisk, and it's updated regularly. I think it should work with Android 12 with ease, but the advantage is: you need to replace your SuperSU and migrate to MagiskSU; it's recommended that you do it on a virtual Android: VPhoneGaGa. There are many tutorials available online, but if you're confused, you can always ask me for an installation tutorial.
  20. Hi! I'm trying to answer as simply as possible; hopefully it's also easy to understand.
    Starting off with the first one: memory range is 'how long the memory is'. First of all, memory consists of many addresses. In that memory, there's app data that is currently processed/used by the app. To understand memory range, let's take a real-life example: there's a library, and it has many racks of books.
    - Cooking books are served in the last 8-9 racks
    - Utensils are in the first 1-3 rows, and
    - Novels are upstairs.
    From this, you can get the idea of how memory works:
    - Racks 8-9 are the location range of cooking books
    - Utensils are stored in the row 1-3 range, and
    - Novels are upstairs (it's related to offset; we're going to talk about it next)
    A lib is a library; it contains saved data that the app will use to run. There's a memory range with various data related to players, weapons, etc. It's the same as the book library we talked about earlier; it contains many racks of books for people to read. There's a range of places for cooking books, novels, etc.
    It's the name of the Unity games library. Unity is a game engine that people use to make games. So, if a game is made with Unity, it has a high chance of being similar to another Unity game. Each game engine has its own unique library name and data structure; in Unreal Engine 4, the lib naming is LibUE4.so. You shouldn't worry about this, it's just a naming, the same as a product brand.
    So.. Offsets.. It's a displacement or an instructional form to get to your destination. In memory, there are addresses. It's the same as a regular address in real life. Taking the example from earlier: Rack 8 and Rack 9 are the address for cooking books; Rows 1, 2, and 3 are the address for utensils. The difference is: a memory address is written like this: 01234567, in hex form. For clarity, hex can also be written like this:
    - 01 23 45 67
    - 0x01234567
    - 0x01 0x23 0x45 0x67
    Alright, let's dive into offsets. An offset is how to get to your address, in instructional form. Again, we're going to use the same example: let's say you're in a library and you want to read a cooking book. So the offset to the cooking book is:
    - From the entrance, walk straight to the end
    - Turn right into rack 8
    Now, in memory: again, let's say that you want to get to address 12345678; the offsets would be:
    - From base/first address 00 00 00 00
    - Add 12 34 56 78 (00000000 + 12345678 = 12345678)
    Let's do another example: if you're at address 00 A0 and want to reach 01 50, you can do (00 A0 + 00 B0 = 01 50). If you're confused with hexing, you can experiment with: Hex Calculator
  21. @HorridModz provides a nice detailed explanation. Hex patching is rather easy, as it's only a form of data that is simply overwritten / added; the important thing is to understand the assembly itself. Probably I'll provide a little more coverage on the topic.

    [ Usage ]
    - Replacement: You can only replace hex at a fixed length. The hex length depends on the data type that you're dealing with; it could be a set / subset instruction. In general it can take 2-4 bytes; make sure to read the instruction as a string, not in hex form. More simple coverage in the next section.
    - Addition: This is used when doing references such as memory allocation. To manually add a custom instruction, you need to write it in an empty/unread memory region (the indication is: it's filled with 00) and then reference the game function to your allocated memory. It's the general idea; you shouldn't worry about it, most tools already provide this feature.
    Why no subtraction? You can't remove a function even after proper patching and 'disabling' any reference to that function, directly or in memory. It leads to data corruption/crashing, so it's uncommon. You can use this to cut fake data (such as a malware app that is filled with 00 to make a large size) because "they" only add additional hex at the end. There are more reasons for this.

    [ Data Types ]
    - Function/instructional data takes 4 length:
        mov r0, r0   # 00 00 A0 E1
        bx lr        # 1E FF 2F E1
    - Inner function/subset instruction takes 2-4 length. It's called Thumb and can be found on 32-bit architectures.
        mov r0, r0   # 00 46
        bx lr        # 70 47

    [ Patching ]
    - Lazy Patch: You can 'remove' an instruction without removal, simply fill it with 00. This of course wouldn't work if the app has high security, but the benefit is: you don't need to understand assembly.
    - Proper Patch: You can just memorize these common patches and apply them anywhere; it's simple and not time consuming. Well, for more instruction patches, you need to learn assembly. Learning return values and jump instruction (BL/JMP) patches would mostly help.

    [Patch 1]
    Instruction: mov r0, r0
    Arm Encoded: 00 00 A0 E1
    Thumb Encoded: 00 46

    [Patch 2]: Usually a boolean/takes a value
    Instruction: mov r0, #0
    Arm Encoded: 00 00 A0 E3
    Thumb Encoded: 4F F0 00 00

    [End Patch]: Indicates closing, put after patches
    Instruction: bx lr
    Arm Encoded: 1E FF 2F E1
    Thumb Encoded: 70 47

    [ Misc ]
    - 00 is equal to 1 hex
    - Hex can be presented as 00 or 0x00
    - Thumb can be found on 32-bit architectures (x86, Armeabi / Armv7 / Arm32)
    - Thumb can also take 4 length, the same length as Arm encoded
    - To differentiate Thumb and Arm encoding: 1) Copy the instruction hex, 2) Compare hex and instruction, including the offset before and after
  22. MC874

    Android version

    The continuation of this: yes, it can be done through a DNS server, but alternatively, you can just use AdGuard DNS. It has an inbuilt ad-list and can even import one; this avoids setting up the wordlist manually. Although the queries are limited to 300K requests, you should use the DNS list from SimpleDNSCrypt. To use both DNS, just simply put the address into the DNS setting. Alternatively, you can use MyAndroidToolsPro and disable AdMob services from the app, although you need root for this.
  23. Yeah, that's the tricky part; that's why I suggest step #2, using Ghidra and breakpoints.
    - The purpose of this is to make things easier to read, as Ghidra will show the current task the process is doing. Also you can set a breakpoint to pause the task momentarily; although you can do it with CE, you need to find the right address first, unlike Ghidra.
    - Sandboxing the game allows only the game to be running; if you have an Android emulator, you probably have background system apps/services running, and that's the challenge when attaching a debugger to an Android emulator. Although you can just do it remotely, that's really slow, or use an Android debugger app (if it exists, and I'm not sure if the features will equal current standards).
    That's a challenge for reversing the game; it's good to assume, but you have to find another way when it's not. Honestly, you can keep experimenting every day, note the progress, and eventually you will get somewhere. Good luck on your findings!
  24. Hi! There's a hide-root-detection app called HideSu, but it's old and most likely won't work anymore, especially for banking apps. SuperSU is semi-hardcoded since it patches some Android image file. So I recommend using VPhoneGaGa and using Magisk for rooting. So far, VPhoneGaGa is the one that can use Magisk properly. But why Magisk? You can use systemless root, meaning it's not deep-rooted into your Android and can easily be removed. Also, the current popular one is to use Shamiko for hiding Magisk root. If you need the XPosed framework, use Magisk LSPosed instead: LSPosed
  25. Hi! Hex isn't really a language but rather a data representation. Hex can form almost everything, almost the same as other data types like dword, etc. You can even convert plain text into hex or others. Coming to the question:
        mov   /// Moves a signed int/value into the target register/operand
        r0    /// Register location
        #1    /// Moves the signed value 1 into the register
    #1 is equal to True, which means the game/projectiles will always register any shot as a headshot. In some games, the #1 value inherits a range of values that the game already sets. For example, if the game has an auto-update-enabled predefine as follows:
        1   # Auto Update enabled
        2   # Connection Error
        3   # Update Received
        4   # No Updates
        mov r0, #[1-4]   /// Choose the corresponding one, and it will be that
    Mostly it would be 0-1 (False/True), where 0 will be nothing or false; the game will ignore it and continue with the next instruction.
    As for "bx lr", it's a common way to indicate "the end of function". This tells the game: "Hey, it's the end, jump to the default or next function". If it's a lazy patching, this will neglect any instruction after "bx lr" in that same function. This can lead to memory detection, although it's mostly fine.
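The encodings listed in post 21 and the `mov r0, #imm` / `bx lr` discussion in post 25 can be checked rather than memorized. The following is an added example, not code from MC874's posts or from any tool mentioned on this page: it rebuilds the ARM (A32) and Thumb encodings from their bit fields, confirms they produce the byte sequences the posts quote, and then, taking a defender's view of the same material, scans a constructed code buffer for the "proper patch" stub (a `mov` immediately followed by `bx lr`) and for zero-filled regions (the "lazy patch"), reporting each find as base + offset. The sample buffer, the base address 0x7A000000, and all function names are constructed for this example.

```python
# Added example (not from MC874's posts): rebuilds the ARM/Thumb encodings the
# posts list from their bit fields, then scans a constructed code buffer for
# those patch stubs and for zero-filled ("lazy patch") regions, reporting
# base+offset addresses. Sample bytes and the base address are constructed.
import struct

ARM_BX_LR = 0xE12FFF1E     # bx lr (A32), listed in the post as 1E FF 2F E1
THUMB_BX_LR = 0x4770       # bx lr (T1), listed as 70 47


def arm_mov_reg(rd, rm):
    """A32 MOV Rd, Rm: cond=AL, data-processing opcode MOV (1101), S=0, Rn=0, Rm unshifted."""
    return 0xE1A00000 | (rd << 12) | rm


def arm_mov_imm(rd, imm8):
    """A32 MOV Rd, #imm8 with rotation 0 (the I=1 immediate form)."""
    return 0xE3A00000 | (rd << 12) | (imm8 & 0xFF)


def thumb_mov_reg(rd, rm):
    """T1 MOV Rd, Rm: 0100 0110 D Rm Rd (D is bit 3 of Rd)."""
    return 0x4600 | (((rd >> 3) & 1) << 7) | (rm << 3) | (rd & 7)


def thumb_mov_w_imm(rd, imm8):
    """T2 MOV.W Rd, #imm8: halfwords F04F, 0xxx for an unrotated 8-bit immediate."""
    return (0xF04F << 16) | (rd << 8) | (imm8 & 0xFF)


def arm_bytes(word):
    """A32 words are stored little-endian, so E1A00000 appears in a dump as 00 00 A0 E1."""
    return struct.pack("<I", word)


def thumb_bytes(enc):
    """Thumb stores each halfword little-endian; 32-bit encodings store the first halfword first."""
    if enc > 0xFFFF:
        return struct.pack("<HH", enc >> 16, enc & 0xFFFF)
    return struct.pack("<H", enc)


def as_hex(b):
    """Format like the posts do: space-separated upper-case byte pairs."""
    return b.hex(" ").upper()


# The "proper patch" stubs from the post, as raw bytes.
STUBS = {
    "arm:mov r0,r0": arm_bytes(arm_mov_reg(0, 0)),
    "arm:mov r0,#0": arm_bytes(arm_mov_imm(0, 0)),
    "arm:bx lr": arm_bytes(ARM_BX_LR),
    "thumb:mov r0,r0": thumb_bytes(thumb_mov_reg(0, 0)),
    "thumb:mov.w r0,#0": thumb_bytes(thumb_mov_w_imm(0, 0)),
    "thumb:bx lr": thumb_bytes(THUMB_BX_LR),
}

# (mode, mov stubs to look for, the return stub that must follow, scan step)
SCAN_MODES = (
    ("arm", ("arm:mov r0,r0", "arm:mov r0,#0"), "arm:bx lr", 4),
    ("thumb", ("thumb:mov r0,r0", "thumb:mov.w r0,#0"), "thumb:bx lr", 2),
)


def find_patch_stubs(code, base=0):
    """Return (address, description) wherever a mov stub is immediately followed
    by bx lr, i.e. a function body replaced by a [Patch] + [End Patch] pair.
    Addresses are base + offset, the convention the offset post describes."""
    hits = []
    for _mode, mov_keys, ret_key, step in SCAN_MODES:
        ret = STUBS[ret_key]
        for off in range(0, len(code), step):
            for key in mov_keys:
                mov = STUBS[key]
                end = off + len(mov)
                if code[off:end] == mov and code[end:end + len(ret)] == ret:
                    hits.append((base + off, f"{key} ; {ret_key}"))
    return hits


def find_zero_runs(code, base=0, min_len=8):
    """Return (address, length) for runs of 00 bytes at least min_len long: the
    "lazy patch" pattern, or unused space an integrity check should account for."""
    runs, start = [], None
    for i, b in enumerate(code):
        if b == 0:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((base + start, i - start))
            start = None
    if start is not None and len(code) - start >= min_len:
        runs.append((base + start, len(code) - start))
    return runs


# Constructed sample buffer (not a real library): an ARM stub at 0x00, a few
# untouched bytes at 0x08, a Thumb stub at 0x10, two filler bytes, then a
# 16-byte zero-filled region at 0x18.
SAMPLE_BASE = 0x7A000000  # hypothetical lib base address
SAMPLE = (
    arm_bytes(arm_mov_imm(0, 0)) + arm_bytes(ARM_BX_LR)
    + bytes.fromhex("10402DE9 1080BDE8")
    + thumb_bytes(thumb_mov_w_imm(0, 0)) + thumb_bytes(THUMB_BX_LR)
    + bytes.fromhex("FFFF")
    + bytes(16)
)

if __name__ == "__main__":
    for name, raw in STUBS.items():
        print(f"{name:20} {as_hex(raw)}")
    print("mov r0, #1 (ARM):    ", as_hex(arm_bytes(arm_mov_imm(0, 1))))
    for addr, what in find_patch_stubs(SAMPLE, SAMPLE_BASE):
        print(f"stub at 0x{addr:08X}: {what}")
    for addr, n in find_zero_runs(SAMPLE, SAMPLE_BASE):
        print(f"{n} zero bytes at 0x{addr:08X}")
```

Running it prints the six byte sequences from post 21, the `01 00 A0 E3` encoding of post 25's `mov r0, #1`, and then flags the two stubbed "functions" and the zero-filled region in the constructed buffer. The scan steps 4 bytes for ARM and 2 for Thumb because that is the instruction alignment in each mode; a real integrity check would compare these findings against a known-good copy of the library rather than treating every match as tampering, since a genuine function can legitimately end in `bx lr`.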