Everything posted by MC874
-
Hi @DARK_DEMON_SCRIPTER, I'm sorry if that sounds rude to you. I don't have any intention to do that. I was gonna say, it is not possible. Well, you can try to use GG as an IDA replacement. You can try to freeze the game and jump into the Memory Range where the Libs are allocated. With this, you can still see the Instructions, copy the Hex and find it in the Libs using Hex Editors. About the CRC things, you can install the CLI version through Termux.
-
Hi @DARK_DEMON_SCRIPTER, you can instead place the lib inside the APK, so Non-Root users can still use it. I'm confused, all values are inside the game files (except Online Games), so you can't modify the Values WITHOUT modifying the Game Files. You need to tell us specifically about:
- The game's Name
- What you are trying to Achieve (including the Value that you're trying to Change).
- Does the game have some kind of Protection?
- Is it an Online Game?
My previous answer is considered Hex Patching, where you modify the Instruction inside the Libs file or OBB. This way, you can still change the value without the help of Memory Editors. Another alternative way is to Create your own Mod Menu that is bundled inside the Game. This is some intermediate level of Modding, since you need to prepare everything from scratch and Hook a Service into the game (if the game APK doesn't have any Protection at all).
How to make a Mod Menu
The above tutorial is mostly for Unity related games; if the game implements some APK Protection (Signatures, etc.), you need to Create the Mod Menu as a separate APK. You can also evade the Anti-Cheat (Hooking Detection) by using some Custom Drivers for it.
-
Hi @DARK_DEMON_SCRIPTER, if "edit that value inside the game without gg" means editing it directly in the Game Assets, then it is possible but it depends on the game itself.
Findings
- You can first find where the value resides: it could be a class name, function name, identifier or nearby debug symbol.
- Now check the value's Memory Range and see what files are associated with it through /proc/[pid]/maps or the GG Memory List. Or, if it's allocated, you can try to check it one by one inside the Game Main files. For example, the Main Game library is often specified inside AndroidManifest.xml
- You can check both the Game Main Lib and OBB (if it exists). Games like PUBGM do share Player properties in both the OBB and LibUE4.
- Each option has its own difficulties. Libs are often Encrypted or Obfuscated, and the only way is to understand the Structure by manually inspecting it. Or the OBB is often protected by Hashing. For example: PUBGM protects its OBB using some MD5 Key. I don't know how they do it though.
- Taking advantage of libs (as they are easier to work with than the OBB), you can do some Arm adjustment inside while still keeping the Libs' length.
- Now compare both CRC32s, from the Original Libs and the Edited one. Copy the CRC32 value from the Original lib, use CRC Manipulator and apply it to your Edited libs.
- Now move the New Libs into the Game Libs directory at: /data/app/com.game.name/libs/[architecture]/
You're basically done in general. Repeat the same CRC steps if you're trying to adjust the value.
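The procedure in the post above (map the address to a file, patch the lib without changing its length, then make the CRC32 match the original), as an added worked example. This is not the poster's code or the CRC Manipulator tool; the maps lines and the stand-in "library" bytes are constructed, and the 4 slack bytes that absorb the CRC correction are assumed to sit in padding the game never reads or executes, which on a real lib you must verify yourself.

```python
"""Added example, not from the post: resolve a runtime address to a file
offset via /proc/[pid]/maps, apply a same-length patch, then force the
patched file's CRC32 back to the original value. All inputs below are
constructed sample data."""
import zlib

# ---- Step 1: which file backs this address, and at what file offset? ----
def parse_maps(text):
    """Yield (start, end, perms, file_offset, path) for each maps line."""
    for line in text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 5:
            continue
        start, end = (int(x, 16) for x in parts[0].split("-"))
        path = parts[5] if len(parts) == 6 else ""
        yield start, end, parts[1], int(parts[2], 16), path

def address_to_file_offset(maps_text, addr):
    """Return (path, file_offset) of the file-backed mapping containing addr."""
    for start, end, _perms, off, path in parse_maps(maps_text):
        if start <= addr < end and path.startswith("/"):
            return path, off + (addr - start)
    return None

# ---- Steps 2-3: same-length patch, then CRC32 forcing ----
POLY = 0xEDB88320                      # reflected CRC-32 as used by zlib
TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)
# The top byte of every table entry is distinct, which lets us run the CRC backwards.
TOP_TO_INDEX = {t >> 24: i for i, t in enumerate(TABLE)}
assert len(TOP_TO_INDEX) == 256

def register_after(prefix):
    """Internal CRC register after feeding prefix (zlib finalizes with ^0xFFFFFFFF)."""
    return zlib.crc32(prefix) ^ 0xFFFFFFFF

def register_before(reg_after, tail):
    """Invert reg' = (reg >> 8) ^ TABLE[(reg ^ b) & 0xFF] over tail, last byte first."""
    reg = reg_after
    for b in reversed(tail):
        idx = TOP_TO_INDEX[reg >> 24]        # only this entry can produce reg's top byte
        reg = ((reg ^ TABLE[idx]) << 8) | (idx ^ b)
    return reg

def force_crc32(data, target_crc, slack):
    """Rewrite data[slack:slack+4] so that zlib.crc32(result) == target_crc.

    Feeding 4 bytes x from register a gives the same register as feeding four
    zero bytes from register a ^ x, so x = a ^ inverse_of_four_zero_steps(b)."""
    if slack < 0 or slack + 4 > len(data):
        raise ValueError("slack bytes must lie inside the data")
    a = register_after(data[:slack])                          # state entering the slack
    b = register_before(target_crc ^ 0xFFFFFFFF, data[slack + 4:])  # state needed after it
    x = a ^ register_before(b, b"\x00" * 4)
    return data[:slack] + x.to_bytes(4, "little") + data[slack + 4:]

# ---- Constructed inputs ----
MAPS = """\
7a3c000000-7a3c001000 r--p 00000000 fd:00 1234  /data/app/com.game.name/lib/arm/libgame.so
7a3c001000-7a3c002000 r-xp 00001000 fd:00 1234  /data/app/com.game.name/lib/arm/libgame.so
7a3c002000-7a3c003000 rw-p 00000000 00:00 0     [anon:.bss]
"""
# Stand-in "library": three A32 words followed by zero padding assumed to be unused.
ORIGINAL_LIB = bytes.fromhex("04001FE5" "0000A0E1" "1EFF2FE1") + b"\x00" * 16
ORIGINAL_CRC = zlib.crc32(ORIGINAL_LIB)
PATCH_OFFSET, SLACK_OFFSET = 4, 20

def forge_patch():
    """Replace 'mov r0, r0' with 'mov r0, #1' (same 4 bytes) and fix the CRC."""
    patched = bytearray(ORIGINAL_LIB)
    patched[PATCH_OFFSET:PATCH_OFFSET + 4] = bytes.fromhex("0100A0E3")
    return force_crc32(bytes(patched), ORIGINAL_CRC, SLACK_OFFSET)

if __name__ == "__main__":
    print(address_to_file_offset(MAPS, 0x7A3C001004))
    forged = forge_patch()
    print(hex(ORIGINAL_CRC), hex(zlib.crc32(forged)), forged.hex())
```

The file offset returned for an address is the mapping's file offset plus the distance into the mapping, which is the number to jump to in the hex editor. The CRC step only defeats a plain CRC32 check; it does nothing against the MD5 hashing the thread also mentions.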
-
Hi @Ginge, what kind of error? It requires more context and information to solve the problem. Attach some screenshots or Logs produced by the Error.
-
Hi @ali60, it is likely to be Parallel Space's fault, not Game Guardian's. I suggest using a Virtual Machine as others have recommended above:
- VPhoneGaGa
- F1 VM
- VMos Pro
-
That's why you need to Calculate it or Push the Address into the Register first, which depends on your approach. Something hard to predict doesn't make it wrong. Personally I prefer using PC instead:
- You can judge the PC pattern by it being 8 bytes ahead of the initial address.
- PC holds the next instruction, otherwise an unknown address (mentioned in the offset) will raise errors. I don't know if Android or GG has some kind of prevention for this, I mainly use Emulators.
- It avoids re-moving addresses to registers, which is unnecessary in my opinion; just access them directly, which the debugger will happily tell you.
EDIT: If you thought 0xsomething is an Address, then it is a misunderstanding; I definitely said it was an offset in the end.
-
Hi @Alessa-, (LDR register, =addr) is Pseudo-code that:
1) Is not widely supported, since it requires more translation.
2) Pseudo-code is intended for readability. Being Pseudo, you can even put labels on it (LDR R0, =Function._Name)
3) A reminder: Arm Patching must follow length. If exceeded, you can replace the next instruction and it will still be considered your patched Instruction.
Your code above will roughly be translated as below, where #0xsomething is the offset and PC is a relative register that holds the next instruction.
LDR R0, [pc, #0xsomething] -- If somewhere around PC and loads into R0
LDR R0, [pc] -- If at the Start of PC and loads into R0
Your code above is 16 bits long, thus that's why it's translated into relative addresses using PC. ARM can only handle 8 bits:
LDR R0, =1C5AF30
04 00 1F E5 30 AF C5 01
Thus it needs to be split by either pushing the content into the register or manually calculating the offset (pc, #calculate._here): https://azeria-labs.com/memory-instructions-load-and-store-part-4/
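The PC-relative translation discussed in the two posts above (PC reading 8 bytes ahead, and `LDR R0, =1C5AF30` becoming `04 00 1F E5` followed by the literal word), as an added worked example rather than the posters' code. The A32 LDR (literal) encoding carries a 12-bit magnitude plus an add/subtract bit, so the function rejects literals farther than 4095 bytes from PC; the addresses used in the demo are assumptions chosen for illustration.

```python
"""Added example, not from the posts: encode and decode the A32 LDR (literal)
form that `LDR Rt, =value` assembles to. In ARM state PC reads as the
instruction address + 8; the literal must lie within 4095 bytes of that."""
import struct

LDR_LITERAL_MASK = 0x0F7F0000   # bits 27-24 = 0101, bits 22-20 = 001, Rn = 1111 (PC)
LDR_LITERAL_BITS = 0x051F0000
U_BIT = 1 << 23                 # 1: PC + imm12, 0: PC - imm12

def encode_ldr_pc_literal(rt, instr_addr, literal_addr, cond=0xE):
    """LDR<cond> Rt, [PC, #+/-imm12] loading the word at literal_addr (0xE = AL)."""
    if literal_addr % 4:
        raise ValueError("literal word must be 4-byte aligned")
    offset = literal_addr - (instr_addr + 8)
    if not -4095 <= offset <= 4095:
        raise ValueError("literal out of range of a 12-bit PC-relative offset")
    word = (cond << 28) | LDR_LITERAL_BITS | (rt << 12) | abs(offset)
    if offset >= 0:
        word |= U_BIT
    return struct.pack("<I", word)

def decode_ldr_pc_literal(code, instr_addr):
    """Return (rt, literal_addr) for the 4-byte A32 LDR (literal) at instr_addr."""
    (word,) = struct.unpack("<I", code)
    if word & LDR_LITERAL_MASK != LDR_LITERAL_BITS:
        raise ValueError("not an A32 LDR (literal)")
    imm = word & 0xFFF
    offset = imm if word & U_BIT else -imm
    return (word >> 12) & 0xF, instr_addr + 8 + offset

def emit_ldr_equals(rt, value, instr_addr):
    """`LDR Rt, =value` expanded as in the post: the load, then the literal word
    right after it (so the patch occupies two instruction slots, not one)."""
    return encode_ldr_pc_literal(rt, instr_addr, instr_addr + 4) + struct.pack("<I", value)

if __name__ == "__main__":
    # Assumed placement: instruction at 0x1000, literal at 0x1004 -> PC - 4.
    print(emit_ldr_equals(0, 0x1C5AF30, 0x1000).hex(" "))   # 04 00 1f e5 30 af c5 01
    print(decode_ldr_pc_literal(bytes.fromhex("04001FE5"), 0x1000))
```

Because the literal word sits where the next instruction was, the instruction that originally followed is lost and must either be dead code or be re-emitted after the literal, which is the "follow length" rule from the post in concrete form.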
-
Of course, it depends on what you're trying to achieve though. Changing game currency would be hard or impossible since it's mostly saved on the Server, thus it cannot be changed using CheatEngine. However, doing a SpeedHack is possible, even in Online Games such as PUBGM. Anyway, since the game is crashing, is there any Pop-Up or some Notice before the game exits? You can try to Hide Game Guardian using the following:
- HideMyAppList. It requires Magisk and LSPosed
- Try to also adjust the 'Hide Game Guardian from the Game' setting to level 2-3 or All, 'Prevent Unload' to 3, 'Data in the Ram' to No.
- Disable some GET Permissions from the App using XPrivacyLua
-
Hi @Kirill_000, then it is highly related to the Anti-Cheat. If you're using an Emulator, you can avoid this by simply using CheatEngine. The game can't detect something outside Android itself, but beware of Memory Detection though. Dealing with Anti-Cheat is a rather Hard and Time Consuming process. Mention your game's name, so others can try it out.
-
Either the value results contain an incorrect address or there's some Anti-Cheat going on. Does this issue also exist when you increment it manually? (not using loops).
-
You either need some interval inside the loop's increment or make the game access the value each time it's incremented using a mov instruction.
-
Your terminology is correct, just use what you think is good or just try it.
- In general this shouldn't be a problem. Usually the game is just doing a simple check by comparing current_HP with max_Health or some value limitation that will cause a crash, restarting the match or bans. Overwriting 1 Instruction with multiple is allowed, but this could lead to a problem if your game also checks for Function Sizes or Memory Pages.
- Now, you can also allocate Memory for your modified function and make the game access that. This gives you more advantage to revert the values to the original or to avoid #1 detection. This also comes with a caveat: the game can also detect this if the accessed code is not in the same Memory Range the game allocated.
- If you're planning to overwrite the Instruction directly in the Lib Files, then it would surely make the game crash since the hash size doesn't match. Nowadays, games use MD5 hashing to prevent this.
To be honest, it doesn't really matter. If the game has some kind of protection, then we should just 'Disable' it instead of tirelessly hiding cheats. I assume you only want Increased Health and not Godmode?
-
Hi @chateau, the instruction will Load values from [X0, #0x28] into the D0 register:
- LDR or LoaD Register will load a value from memory into the Register.
- D0 here is indeed a Double Floating Point Register
- Meanwhile, X0 is a register where the Address exists, with 0x28 as the Offset or Displacement. (X0: 0000) + (Offset: 0x28) = 0028, for example.
[ Patches ]
You can try to force it by sending custom Values. For high precision you can read ARM Patching
# Basic: Double 1
fmov d0, #1.00000000
# Low Precision: Double 12.5
fmov d0, #12.50000000
# Mid Precision: Double 101
mov w0, #0x40590000 // Double 101 in Hex form
fmov d0, w0 // Push Double in w0 to d0
[ Scenario ]
HP really depends on the Mechanism the game uses. Here are some variations:
1) In some RPG games, the Character has its own HP Scope, and then get_HP will catch changes in-game and save them in either Save files or Configs. get_HP in this type of game will not affect the whole entity, so you can apply the above patches.
2) It's common, especially in Online Games, that get_HP basically handles the whole Entity list. All Entities will have HP values derived from get_HP. Although it affects All Entities, in P2P Games modifying get_HP directly won't affect other players or NPCs where the Server is hosted by another Player. Minecraft Realms for Example (Though it is now patched on BDS)
[ Conclusion ]
- Player Health is always either tricky to find or impossible, as it depends on How the game really implements it.
- Changing get_HP is generally bad practice. You should instead look up an Entity List and adjust its attributes accordingly. I forgot the game's name, but it has an Entity naming pattern like player-0-[random_identifier] for a player or bot-1-[random_identifier] for a bot; also kinda the same in Minecraft: minecraft:player-0-[UUID] for the Player Identifier. The point is: you should look up the 'identifier' instead of get_HP
- Also See: General Games Implementation
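The AArch64 side of the patch described above, as an added worked example (not the poster's snippet): it decodes the field layout of `LDR D0, [X0, #0x28]`, computes the IEEE-754 bit image of the double you want, and builds the MOVZ/MOVK chain into a general register followed by `FMOV Dt, Xn`. The register numbers and the value 101.0 are taken from the post; the helper names are mine.

```python
"""Added example, not from the post: the AArch64 encodings behind replacing
`LDR D0, [X0, #0x28]` with a constant. FMOV's immediate form only covers a
small set of values, so arbitrary doubles go through a general register."""
import struct

def decode_ldr_d(word):
    """LDR (immediate, SIMD&FP), 64-bit unsigned offset: returns (dt, xn, byte_offset)."""
    if word & 0xFFC00000 != 0xFD400000:
        raise ValueError("not a 64-bit unsigned-offset LDR Dt, [Xn, #imm]")
    imm12 = (word >> 10) & 0xFFF
    return word & 0x1F, (word >> 5) & 0x1F, imm12 * 8   # imm12 is scaled by 8 for D regs

def double_to_bits(value):
    """IEEE-754 binary64 image of value as an int (e.g. 101.0 -> 0x4059400000000000)."""
    return struct.unpack("<Q", struct.pack("<d", value))[0]

def movz_movk_fmov_d(dt, xn, value):
    """Instruction words for: MOVZ/MOVK Xn <- bits(value); FMOV Dt, Xn.
    Zero halfwords are skipped, so the sequence is 2 to 5 instructions long."""
    bits = double_to_bits(value)
    words = []
    for hw in range(4):                                 # halfword 0 (low) .. 3 (high)
        imm16 = (bits >> (16 * hw)) & 0xFFFF
        if imm16 == 0:
            continue
        opc = 0xD2800000 if not words else 0xF2800000   # MOVZ first, MOVK afterwards
        words.append(opc | (hw << 21) | (imm16 << 5) | xn)
    if not words:
        words.append(0xD2800000 | xn)                   # MOVZ Xn, #0 for value 0.0
    words.append(0x9E670000 | (xn << 5) | dt)           # FMOV Dt, Xn (64-bit general form)
    return words

def assemble(words):
    """Little-endian bytes for a list of 32-bit instruction words."""
    return b"".join(struct.pack("<I", w) for w in words)

if __name__ == "__main__":
    print(decode_ldr_d(0xFD401400))                     # (0, 0, 40): ldr d0, [x0, #0x28]
    seq = movz_movk_fmov_d(0, 0, 101.0)
    print([hex(w) for w in seq], len(assemble(seq)), "bytes")
```

The replacement for 101.0 is three instructions (12 bytes) where the original LDR was 4, so two following instructions are overwritten; that is the length rule from the patching posts, and X0 is clobbered too, which matters if the function still needs it afterwards.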
-
Hi @nok1a, I think you should do Reverse Engineering since it is a Unity based Game. I have taken a glance at the Game Library:
- There's a get_cookie and set_cookie function inside libil2cpp.so but it is assigned to Unity graphics. I don't know if it's just the naming, but you should dump it instead to get a better look.
- Since it's tied to Unity Graphics, I'm thinking that the get_cookie I looked at is for applying the Config. It is more likely that the Token is handled, parsed, and generated Server Side. Thus, the Client only uses the Token instead of doing anything to the Token. I might be wrong, since I don't have dump.cs.
There's no direct mention of setCookie inside the lib, so you might as well take a look at libjs as well because the Response roughly involves JSON format.
configs ruYshared/as/ru/contextConfig.amf?ux=1676491510enYshared/as/en/contextConfig.amf?ux=1676491508
{
  "configs": {
    "ru": "shared/as/ru/contextConfig.amf?ux=1676491510",
    "en": "shared/as/en/contextConfig.amf?ux=1676491508"
  }
}
-
Hi @nok1a, I'm not yet touching the Game since I don't really have the time for it, but I have been experimenting with the API above and I will give my thoughts on it.
[ Response ]
Your Initial API responds differently each time you make a Request. The response contains some interesting things that I will talk about in this section. As you can see, it's generating a new setCookie token. Even though it's generating a new one, the initial Token that made the Request is still Valid. This leads me to assume that this is a Token Dispenser. The response also contains some key, which likely proves that this is a Token Dispenser. I don't know which one is used by the game, the key or the newly generated cookies.
A User-Info? Hmm, interesting. Judging from the Response, it is likely that you can somehow increase the Level just by sending data to the API. I assume that this request's Response will later be used by the game to Access other API Links, Download Configs, etc.
This is the response when you're doing a request to gobmobile.akamaized.net/shared/as/en/contextConfig.amf?ux=1676491508 that was mentioned in the first Response. It is a config with .amf extension. Oh wait, I remember something. The request with your JWT token also mentions saving the response as an .amf config. Perhaps that can be used as a Payload to access something, as binary of course. Perhaps you need to find a request that contains a Payload/Body through Fiddler.
[ Thoughts ]
With that being said, I assume:
- It is a Token Dispenser that will generate a new Token to temporarily access something. You might want to investigate this further by taking the generated Token and finding whether it's being used elsewhere.
- The Token might not be a JWT but only a base64 encoded payload with some 'check algorithm' as you said earlier, since the generated token has the same length as the first one.
- I also find it weird that the User Cookie has a 1 character length difference between the generated version and the original one.
[ Conclusion ]
I hope this provides an answer to this thread.
- The Config Links can be accessed directly without the need for Parameters / Authorization.
- setCookie[account] and setCookie[user] both inherit from each other.
- 'check algorithm' and base64 Payload both inherit from each other (in One setCookie)
- Making another request will make the Previously generated token Invalid, a one time use or session based Token.
-
Hi @nok1a, I would want to know what app you obtained this JWT from? Until then, we can only talk about it from the surface area.
[ Answers ]
The thing is: it resembles encrypted data. My thought about your JWT Tokens: I am highly sure it is a payload, not the headers. Headers are usually unencrypted and mention the encryption algorithm that the JWT uses. See RFC 7516 Section 3.3: Example JWE
Your JWT Token doesn't have JWT Tags which mention "enc" for encryption or "alg" for the algorithm used, according to the same RFC (Or can the Headers also be customized?) A normal JWT token surely supports Payload Encryption, but the game can also do another client-side encryption to 'HIDE' the JWT Token, like I mentioned in the Previous Examples.
The requirement is at least one dot only according to RFC 7519 Section 7.2: Validating JWT. It's true, both the JWS and Main JWT RFC papers seem to strictly use the format of Header.Payload.Signature as mentioned in RFC 7515 Section 3.3: Example JWS. Although, there's no mention of such a concatenation format in JWE.
Are you getting this JWT from Memory, a Packet Request or LocalCache files? To me, this seems roughly taken from Memory or a Response Packet; this partially explains the missing signature. From your initial JWT Tokens, there's no sign of a Signature. As expected, the server replied with such. I am also left confused, I'm in the same boat as you. The problem with your token is:
- There's no mention about the encryption and algorithm being used; it would portray the signature being used in the JWT.
- It doesn't have a signature / authentication. All types of JWT put their auth/sig at the end, but this token has None.
Most likely, then, it would be just a regular Authentication that is similar to JWT (Uses [.] for parsing). The indication is, it usually has a Query Parameter in its URL (?access_token=blah)
[ Main Section ]
Taken from RFC 7518 Section 8.5: Unsecured JWS, this perhaps explains why the headers and signature are missing: the JWT Token is considered Unsecure since both are incorrect. However, this doesn't explain the 'Wrong Signature Error'. We can assume several things:
- This is the correct JWT Token, since it follows the one dot requirement. Let's assume that this is used for POST Method bearers. Perhaps the server replying 'Wrong Signature Error' can come from the missing Request Payload (Not JWT Payload). Usually, it's sent in Raw, JSON, or XML format.
- The JWT Signature is probably added Automatically when the Requests are sent by the App; this leaves only chunks of the JWT saved, if the tokens are taken from LocalCache.
- The Server does NOT support other types of Request Method other than POST.
- The Server is reserved for a Proxy. This is usually used in Online types of App, which can result in '400 vip_default_vip' or '400 Bad Request'. You need to put the Absolute URL as the Request Path.
GET http://blah.com HTTP/1.1\r\nAuthorization: ey...
[ Notes ]
So far it's still Unclear where the Exact Problem is, we can only assume based on your mentioned JWT Tokens. Perhaps the Token itself is Invalid from the beginning.
- Attach the Request that you send to the server (Payload, Headers, URI, and some Dummy JWT)
- Attach the Server Response, including (Response Status Code, Response Header, and Response Content)
- Mention the App's Name or the Link to it.
-
Hi @nok1a, as per the above, the JWT mentioned is not a valid one. The JWT Header should be in JSON Format. In your string, the JWT Header is incorrect, which can be assumed to be a payload or the footer of a JWT. Not to mention that the mentioned JWT doesn't have the footer. Both Payload and Header usually use the same JSON object which is formatted as: ( ey (.) ey (.) AvBnCD ). Let's talk about it more:
[ Main Section ]
1) If you switch the header position into the Payload section, you'll get a glimpse of an escaped Unicode character (\u001a) wrapped in double-quotes. This may indicate something:
2) The scrambled result may come from a Memory Artifact, where the Data is partially flushed from memory but remains there as a glimpse. Usually, Memory keeps this Data multiple times at many addresses; perhaps you need to find the ones that follow the JWT format.
3) The game can also Encrypt the JWT Format, partially or the entire token. This usually involves XORing your Game Account and Session.
[ Notes ]
Examples are taken from a real scenario by comparing both situations with their preceding case.
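The structural test the three JWT posts above apply by hand (does the first segment decode to a JSON header, does it carry "alg" or "enc", how many dot-separated parts are there, is the signature missing), as an added worked example. It is not code from the thread and it does not verify signatures; the sample tokens are constructed here and have nothing to do with the game being discussed.

```python
"""Added example, not from the posts: classify a token string against the JWT
compact serializations (RFC 7515 JWS header.payload.signature, RFC 7516 JWE
with five parts, RFC 7518 alg "none") by decoding each base64url segment."""
import base64
import json

def b64url_decode(segment):
    """base64url with the padding JWTs strip re-added."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_json_segment(segment):
    """Parsed JSON object for the segment, or None if it is not one."""
    try:
        obj = json.loads(b64url_decode(segment))
    except (ValueError, UnicodeDecodeError):   # bad base64, bad UTF-8, or not JSON
        return None
    return obj if isinstance(obj, dict) else None

def inspect_jwt(token):
    """Report part count, decoded header/payload and what kind of token it is."""
    parts = token.split(".")
    header = decode_json_segment(parts[0])
    info = {"parts": len(parts), "header": header, "kind": "not-a-jwt"}
    if header is None:
        info["note"] = "first segment is not a JSON header: payload fragment or non-JWT token"
    elif len(parts) == 5 and "enc" in header:
        info["kind"] = "jwe"                            # RFC 7516 compact serialization
    elif len(parts) == 3:
        info["payload"] = decode_json_segment(parts[1])
        info["signature_bytes"] = len(b64url_decode(parts[2]))
        unsecured = header.get("alg") == "none" and parts[2] == ""
        info["kind"] = "unsecured-jws" if unsecured else "jws"
    else:
        info["note"] = "JSON header but unexpected number of parts"
    return info

def _compact_json(obj):
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")

def make_unsecured_jwt(claims):
    """alg=none token: header.payload. with an empty signature (RFC 7515 A.5)."""
    header = b64url_encode(_compact_json({"alg": "none", "typ": "JWT"}))
    return header + "." + b64url_encode(_compact_json(claims)) + "."

# Constructed samples (not real tokens)
SAMPLE_UNSECURED = make_unsecured_jwt({"sub": "player-0-0000", "lvl": 3})
SAMPLE_SIGNED = ".".join([b64url_encode(b'{"alg":"HS256","typ":"JWT"}'),
                          b64url_encode(b'{"sub":"x"}'), b64url_encode(b"\x01" * 32)])
SAMPLE_OPAQUE = b64url_encode(b"\x1asession-a7f3") + "." + b64url_encode(b"account-91")
SAMPLE_JWE = ".".join([b64url_encode(b'{"alg":"dir","enc":"A128GCM"}'), "",
                       b64url_encode(b"\x02" * 12), b64url_encode(b"\x03" * 8),
                       b64url_encode(b"\x04" * 16)])

if __name__ == "__main__":
    for name, tok in [("unsecured", SAMPLE_UNSECURED), ("signed", SAMPLE_SIGNED),
                      ("opaque", SAMPLE_OPAQUE), ("jwe", SAMPLE_JWE)]:
        print(name, inspect_jwt(tok)["kind"])
```

A token whose first segment is not a JSON object, like SAMPLE_OPAQUE, is what the posts describe: it may start with "ey" by coincidence and use dots, yet it is not a JWT, so a server's 'Wrong Signature' reply says nothing about JWT signing. A real check would additionally verify the signature with the expected key and reject alg "none" outright.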
-
Hi @ByTwiiixy, there are so many reasons that can cause this. Perhaps giving more additional information would help:
- Make sure to attach the logs, both from Game Guardian when running the script and from the Game Crash through logcat.
- If possible, also attach the mentioned script here. Make sure it is readable or mention the password if it's protected.
- Mention your NFS version; perhaps the script is already outdated and causes improper changes that lead to the Game Crashing.
-
Hi @angeloA2512M, considering it's an old thread, please provide more context on what actually failed to download? Is it the VX or GPlay? In the meantime, I can only offer you some alternatives that have Google Play Services working properly, which use a Virtual Machine:
- VPhoneGaGa
- X8Sandbox
-
Aha, I love it.
-
Speedhack diagnostics: Lib6.so not found in some games?
MC874 replied to bluechipps's question in Help
Hi @bluechipps, I'm not an expert in this debugging field and also I don't have the problem in hand:
- Based on 'Breakpoint', we can't really be sure if that's the exact problem but it can be one trivia. GG sets a breakpoint into the Kernel, specifically the time() function, to do a Client-sided Speed-Hack. Although it's related, we need to dive further into the function side of the game or the kernel itself.
- Also judging from WIF's, it returns a True value. It means the sys call / process that was called is stopped. As you can see from WIFSTOPPED(1).
- It reminds me that SpeedHack is intended for the 32-bit architecture (Although many x64 games can also use it). Probably try the Armeabi version of the game.
- I'm afraid you're running the latest version of Android as it can be more problematic. Newer Android 11-13 introduces new Phantom processes, which limit Access to Higher Permissions. The behavior is: it will likely stop the process if it exceeds a high memory limit, Apps can't see the process side of other Apps, etc. It's been painful.
I can be wrong about my points. I think it is also safe to say: don't use newer Android versions for Kernel / High Permission related activity. About returning the phone, I can't really say if it's the Phone's fault but I've been biased towards the Xiaomi/Infinix community for something related to Rooting. The community has been really great by being really active and also still providing Android 10.
Hi @bluechipps, I can't really dive into the Issue since it's a Paid Game. Are you sure it's a Split Apk?
- Split APKs reserve their own Library inside split_config.[architecture].apk. So it's not inside the base.apk or the Application. Also, because of this, the main Library is nowhere to be found inside the Lib folder but is instead accessed via Services/Symlink. So, extracting the libs from split_config.[architecture].apk into the libs folder accessed here: /data/app/com.archison.randomadventureroguelike2/lib/[architecture] or its symlink to that in /data/data/com.archison.randomadventureroguelike2/lib would make it accessible for GG or other applications (hookers). Not to mention that /data/user/ is also a symlink to /data/data/. So, it would explain why it's also looking up lib6.so inside /data/user/0/com.zgifjxcwdghpyjtpjd
- The fix for this issue is to combine all the Split APKs into a single APK using APKToolM. However this doesn't work if each split_apk has its own signature.
Sure, I'll tell you if I found anything useful.
-
Hi @MANDO01, I think that just confirms it. F1 VM has a buggy Daemon that is causing this; MyAndroidToolsPro also requires the Daemon to see the LogCat.
- Basically, the app isn't able to deploy its services. Have you tried another Virtual Machine or checked for new updates for F1 VM?
- You can always check if the Services are deployed when you see multiple PIDs in the running processes:
su -c pidof com.myandroidtools.pro
# Should show: 1084, 8089 (or more PIDs)
- Alternatively, you can use Termux again to see the LogCat:
su -c 'logcat > /sdcard/log.txt'
In the end, I'm really sure it was F1 VM's Fault. If the Daemon is buggy, then it would affect any App, not just GG. Termux and MyAndroidToolsPro can fail because of this.
-
Hi @MANDO01, Daemon Failed means it can't instantiate a background process/service because of Occupied Permission/Access. The cause is something that is accessing a Root Directory or accessing the Local Network (something that requires a High Level of Permission). The only way is to restart your device. There's no effective solution to this since the causes may vary. If you're annoyed, you can always try several things as your first step:
- You can determine the reason behind Failing Daemons by monitoring your app activity using logcat: MyAndroidTools Pro has a nice logcat feature, or even modify system app properties. Don't forget to also analyse malicious / unnecessary apps that are accessing Libnetd; a simple Packet Capturer can give you a better result: PCAPdroid
- I don't know if F1 VM has a Dual User Space like Xiaomi does, as it can cause the same issue related to the Daemon. Probably, creating multiple Instances of F1 VM can also be the reason.
- You might want to disable any existing Firewall Client through Termux:
export ANDROID_NO_USE_FWMARK_CLIENT=1
However, it could also be because of GG being buggy on F1 VM (or the opposite), as you said: "sometimes it works fine and sometimes i get this error".