
MC874
Contributor
Posts: 547
Days Won: 19

Everything posted by MC874

  1. MC874 in "ARM LDR":

    That's why you need to calculate it or push the address into the register first, which depends on your approach. Something being hard to predict doesn't make it wrong. Personally I prefer using PC instead:
    - You can judge the PC pattern by it being 8 bytes ahead of the initial address.
    - PC holds the next instruction; otherwise an unknown address (mentioned in the offset) will raise errors. I don't know if Android or GG has some kind of prevention for this, I mainly use emulators.
    - It avoids re-moving the address into registers, which is unnecessary in my opinion; just access them straight, which the debugger will happily tell you.
    EDIT: If you thought 0xsomething was an address, then it is a misunderstanding; I definitely said it was an offset in the end.
  2. MC874 in "ARM LDR":

    Hi @Alessa-, (LDR register, =addr) is pseudo-code that:
    1) Is not widely supported, since it requires more translation.
    2) Pseudo-code is intended for readability. Being pseudo, you can even put labels on it (LDR R0, =Function._Name).
    3) A reminder: ARM patching must follow length. If exceeded, you will replace the next instruction and it will still be considered your patched instruction.
    Your code above will roughly translate as below, where #0xsomething is an offset and PC is a relative register that holds the next instruction.
    LDR R0, [pc, #0xsomething]  -- if somewhere around PC, loads into R0
    LDR R0, [pc]                -- if at the start of PC, loads into R0
    Your code above is 16 bits long, thus it's translated into relative addresses using PC. ARM can only handle 8 bits:
    LDR R0, =1C5AF30
    04 00 1F E5 30 AF C5 01
    Thus it needs to be split, by either pushing the content into the register or manually calculating the offset (pc, #calculate._here): https://azeria-labs.com/memory-instructions-load-and-store-part-4/
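The expansion that the two posts above describe, as an added example (this is the editor's code, not the poster's or any assembler's): it computes ARM-mode PC-relative offsets from instruction address + 8, checks whether a constant fits the 8-bit rotated immediate of a MOV, and otherwise emits the same `LDR R0, [PC, #-4]` plus literal layout shown in the post. All addresses are constructed.

```python
"""Added example (not from the thread): how an assembler expands the
`LDR Rd, =imm` pseudo-instruction in ARM (A32) mode, and why the offset in
`LDR Rd, [PC, #off]` is measured from the instruction's address + 8.

Standard library only. The addresses used below are constructed.
"""
import struct

MASK32 = 0xFFFFFFFF


def arm_rotated_imm(value):
    """Return (rot, imm8) if `value` fits ARM's data-processing immediate
    (imm = ROR(imm8, 2*rot)), otherwise None. This is the '8-bit' limit
    that forces larger constants into a literal pool."""
    value &= MASK32
    for rot in range(16):
        rotl = 2 * rot
        v = ((value << rotl) | (value >> (32 - rotl))) & MASK32
        if v < 256:
            return rot, v
    return None


def encode_mov_imm(rd, value):
    """MOV Rd, #imm (condition AL) as little-endian bytes, or None when the
    constant is not encodable and must be loaded from memory instead."""
    fit = arm_rotated_imm(value)
    if fit is None:
        return None
    rot, imm8 = fit
    return struct.pack("<I", 0xE3A00000 | (rd << 12) | (rot << 8) | imm8)


def encode_ldr_literal(instr_addr, literal_addr, rt):
    """LDR Rt, [PC, #+/-imm12] as little-endian bytes.

    In ARM mode a load that names PC reads the address of the current
    instruction plus 8 (the two-instruction pipeline lead the thread talks
    about), so the offset actually encoded is literal - (instr + 8).
    """
    offset = literal_addr - (instr_addr + 8)
    if offset % 4:
        raise ValueError("literal must be word aligned")
    if abs(offset) > 0xFFF:
        raise ValueError("literal out of range (+/-4095 bytes from PC)")
    u_bit = 1 if offset >= 0 else 0          # bit 23 selects add/subtract
    word = 0xE51F0000 | (u_bit << 23) | (rt << 12) | abs(offset)
    return struct.pack("<I", word)


def expand_ldr_pseudo(instr_addr, rt, value):
    """`LDR Rt, =value` with the literal stored in the word right after the
    instruction (the layout of an inline patch). Returns 8 bytes: the LDR,
    whose encoded offset is -4 (PC-4 == instr+4), then the 32-bit literal."""
    ldr = encode_ldr_literal(instr_addr, instr_addr + 4, rt)
    return ldr + struct.pack("<I", value & MASK32)


def literal_address(instr_addr, word):
    """For an encoded `LDR Rt, [PC, #imm]` word, the address it reads from,
    i.e. what a debugger shows when you step over it."""
    if word & 0x0F7F0000 != 0x051F0000:
        raise ValueError("not a PC-relative word LDR with offset addressing")
    sign = 1 if (word >> 23) & 1 else -1
    return instr_addr + 8 + sign * (word & 0xFFF)


def materialize(instr_addr, rd, value):
    """Pick the shortest way to get `value` into Rd at `instr_addr`:
    a single MOV when it fits the rotated immediate, else LDR + literal."""
    mov = encode_mov_imm(rd, value)
    if mov is not None:
        return "MOV", mov
    return "LDR literal", expand_ldr_pseudo(instr_addr, rd, value)


if __name__ == "__main__":
    for val in (0x1000, 0x1C5AF30):
        kind, code = materialize(0x1000, 0, val)
        print(f"{val:#010x}: {kind:11} {code.hex(' ')}")
```

Running it prints `MOV` bytes `01 0a a0 e3` for 0x1000 and the post's `04 00 1f e5 30 af c5 01` for 0x1C5AF30, which only the literal-pool form can express. When patching in place, remember that the LDR + literal occupies two words, so the following original instruction is overwritten, which is the length caveat in point 3.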
  3. MC874 in "Change Price":

    Of course, it depends on what you're trying to achieve though. Changing game currency would be hard or impossible since it's mostly saved on the server, thus it cannot be changed using CheatEngine. However, doing a SpeedHack is possible, even in online games such as PUBGM. Anyway, since the game is crashing, is there any pop-up or notice before the game exits? You can try to hide Game Guardian using the following:
    - HideMyAppList. It requires Magisk and LSPosed.
    - Also try adjusting the 'Hide Game Guardian from the Game' setting to level 2-3 or All, 'Prevent Unload' to 3, 'Data in the Ram' to No.
    - Disable some GET permissions of the app using XPrivacyLua.
  4. MC874 in "Change Price":

    Hi @Kirill_000, then it is highly related to anti-cheat. If you're using an emulator, you can avoid this by simply using CheatEngine. The game can't detect something outside Android itself, but beware of memory detection though. Dealing with anti-cheat is a rather hard and time-consuming process. Mention your game's name so others can try it out.
  5. MC874 in "Change Price":

    Either the value results contain an incorrect address or there's some anti-cheat going on. Does this issue also exist when you increment it manually (not using loops)?
  6. MC874 in "Change Price":

    You either need some intervals inside the loop increments or make the game access the value each time it's incremented using a mov instruction.
  7. MC874:

    Your terminology is correct, just use what you think is good or just try it.
    - In general this shouldn't be a problem. Usually the game just does a simple check by comparing current_HP with max_Health or some value limitation that will cause a crash, match restart or bans. Overwriting 1 instruction with multiple is allowed, but this could lead to a problem if your game also checks function sizes or memory pages.
    - Now, you can also allocate memory for your modified function and make the game access that. This gives you more advantage to revert the values to the original or to avoid #1 detection. This also comes with a caveat: the game can also detect this if the accessed code is not in the same memory range the game allocated.
    - If you're planning to overwrite the instruction directly in the lib files, then it would surely make the game crash since the hash size doesn't match. Nowadays, games use MD5 hashing to prevent this.
    To be honest, it doesn't really matter. If the game has some kind of protection, then we should just 'disable' it instead of tirelessly hiding cheats. I assume you only want increased health and not Godmode?
  8. MC874:

    Hi @chateau, the instruction will load the value at [X0, #0x28] into the D0 register:
    - LDR or LoaD Register will load a value from memory into the register.
    - D0 here is indeed a double floating-point register.
    - Meanwhile, X0 is the register where the address exists, with 0x28 as an offset or displacement. (X0: 0000) + (Offset: 0x28) = 0028, for example.
    [ Patches ]
    You can try to force it by sending custom values. For high precision you can read ARM Patching.
    # Basic: Double 1
    fmov d0, #1.00000000
    # Low Precision: Double 12.5
    fmov d0, #12.50000000
    # Mid Precision: Double 101 (too large for an fmov immediate; its IEEE-754 pattern is 0x4059400000000000)
    movz x0, #0x4059, lsl #48   // top 16 bits of the double
    movk x0, #0x4000, lsl #32   // next 16 bits; the low 32 bits are zero
    fmov d0, x0                 // move the 64-bit pattern in x0 into d0
    [ Scenario ]
    HP really depends on the mechanism the game uses. Here are some variations:
    1) In some RPG games, the character has its own HP scope, where get_HP will catch changes in-game and save them in either save files or configs. get_HP in this type of game will not affect the whole entity, so you can apply the above patches.
    2) It's common, especially in online games, that get_HP basically handles the whole entity list. All entities will have HP values derived from get_HP. Although it affects all entities, in P2P games modifying get_HP directly won't affect other players or NPCs where the server is hosted by another player. Minecraft Realms for example (though it is now patched on BDS).
    [ Conclusion ]
    - Player health is always either tricky to find or impossible, as it depends on how the game really implements it.
    - Changing get_HP is generally bad practice. You should instead look up an entity list and adjust its attributes accordingly. I forgot the game's name, but it has an entity naming pattern like player-0-[random_identifier] for a player or bot-1-[random_identifier] for a bot; it's also kind of the same in Minecraft: minecraft:player-0-[UUID] for the player identifier. The point is: you should look up the 'identifier' instead of get_HP.
    - Also see: General Games Implementation
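Why the three "precision" tiers in the post differ, as an added example (editor's code, not the poster's): AArch64 `FMOV Dd, #imm` only has an 8-bit immediate, so 1.0 and 12.5 are encodable but 101.0 is not and has to be built in an X register first. The helpers compute exactly which doubles fit, the IEEE-754 bit pattern for those that don't, and the MOVZ/MOVK + `FMOV Dd, Xn` sequence. Opcode layouts are the architecture's; the function names and sample values are this example's own.

```python
"""Added example (not from the post): which doubles the AArch64
`FMOV Dd, #imm` instruction can take, and how to load one that does not fit.

FMOV (scalar, immediate) has only an 8-bit immediate: it encodes values of
the form +/-(1 + n/16) * 2^e with n in 0..15 and e in -3..4 (VFPExpandImm in
the ARM ARM). Any other double has to be built in an X register with
MOVZ/MOVK and moved across with `FMOV Dd, Xn`. Opcode constants are from
the architecture; the helpers and sample values are this example's own.
"""
import struct


def vfp_expand_imm(imm8):
    """Decode an 8-bit FMOV immediate into the double it stands for."""
    sign = (imm8 >> 7) & 1
    exp = (1 if ((imm8 >> 6) & 1) == 0 else -3) + ((imm8 >> 4) & 3)
    frac = 1.0 + (imm8 & 0xF) / 16.0
    return (-1.0) ** sign * frac * 2.0 ** exp


def fmov_imm8(value):
    """imm8 encoding of `value`, or None if FMOV cannot express it."""
    for imm8 in range(256):
        if vfp_expand_imm(imm8) == value:
            return imm8
    return None


def double_bits(value):
    """IEEE-754 binary64 bit pattern of `value` as an integer."""
    return struct.unpack("<Q", struct.pack("<d", value))[0]


def encode_fmov_d_imm(rd, value):
    """FMOV Dd, #value as little-endian bytes, or None if out of range."""
    imm8 = fmov_imm8(value)
    if imm8 is None:
        return None
    return struct.pack("<I", 0x1E601000 | (imm8 << 13) | rd)


def encode_mov_x_imm64(rd, value):
    """MOVZ then MOVK for each non-zero 16-bit chunk, building `value` in Xd
    (a zero value becomes a single MOVZ Xd, #0)."""
    chunks = [(hw, (value >> (16 * hw)) & 0xFFFF) for hw in range(4)]
    nonzero = [(hw, c) for hw, c in chunks if c] or [(0, 0)]
    words = []
    for i, (hw, chunk) in enumerate(nonzero):
        opcode = 0xD2800000 if i == 0 else 0xF2800000   # MOVZ, then MOVK
        words.append(opcode | (hw << 21) | (chunk << 5) | rd)
    return b"".join(struct.pack("<I", w) for w in words)


def encode_fmov_d_from_x(rd, rn):
    """FMOV Dd, Xn: copy a 64-bit general-register bit pattern into Dd."""
    return struct.pack("<I", 0x9E670000 | (rn << 5) | rd)


def load_double(rd, value, scratch_x=0):
    """Shortest sequence that puts `value` in D<rd>: one FMOV immediate when
    encodable, else MOVZ/MOVK into X<scratch_x> and FMOV D<rd>, X<scratch_x>.
    Returns (assembly text, bytes)."""
    direct = encode_fmov_d_imm(rd, value)
    if direct is not None:
        return f"fmov d{rd}, #{value}", direct
    bits = double_bits(value)
    asm = f"movz/movk x{scratch_x}, #0x{bits:016x}; fmov d{rd}, x{scratch_x}"
    return asm, encode_mov_x_imm64(scratch_x, bits) + encode_fmov_d_from_x(rd, scratch_x)


if __name__ == "__main__":
    for v in (1.0, 12.5, 101.0):
        asm, code = load_double(0, v)
        print(f"{v:>6}: {asm:58} {code.hex(' ')}")
```

Note the length difference: 1.0 and 12.5 are one 4-byte instruction each, while 101.0 becomes three instructions (12 bytes), so an in-place patch of a single `ldr d0, [x0, #0x28]` with the 101.0 sequence overwrites the two instructions that follow it.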
  9. MC874:

    Hi @nok1a, I think you should do reverse engineering since it is a Unity-based game. I have taken a glance at the game library:
    - There's a get_cookie and set_cookie function inside libil2cpp.so, but it is assigned to Unity graphics. I don't know if it's just the naming, but you should dump it instead to get a better look.
    - Since it's tied to Unity graphics, I'm thinking that the get_cookie I looked at is for applying the config. It is more likely that the token is handled, parsed, and generated server-side. Thus, the client only uses the token instead of doing anything to it. I might be wrong, since I don't have dump.cs.
    There's no direct mention of setCookie inside the lib, so you might as well take a look at libjs as well, because the response roughly involves JSON format.
    configs ruYshared/as/ru/contextConfig.amf?ux=1676491510enYshared/as/en/contextConfig.amf?ux=1676491508
    {
      "configs": {
        "ru": "shared/as/ru/contextConfig.amf?ux=1676491510",
        "en": "shared/as/en/contextConfig.amf?ux=1676491508"
      }
    }
  10. MC874:

    Hi @nok1a, I'm not yet touching the game since I don't really have the time for it, but I have been experimenting with the API above and I will give my thoughts on it.
    [ Response ]
    Your initial API responds differently each time you make a request. The response contains some interesting things that I will talk about in this section. As you can see, it's generating a new setCookie token. Even though it's generating a new one, the initial token that made the request is still valid. This leads me to assume that this is a token dispenser. The response also contains some key, which likely proves that this is a token dispenser. I don't know which one is used by the game, the key or the newly generated cookies. A User-Info? Hmm, interesting. Judging from the response, it is likely that you can somehow increase the level just by sending data to the API. I assume that this request's response will later be used by the game to access other API links, download configs, etc.
    This is the response when you make a request to gobmobile.akamaized.net/shared/as/en/contextConfig.amf?ux=1676491508, which was mentioned in the first response. It is a config with the .amf extension. Oh wait, I remember something. The request with your JWT token also mentions saving the response as an .amf config. Perhaps that can be used as a payload to access something, as binary of course. Perhaps you need to find a request that contains a payload/body through Fiddler.
    [ Thoughts ]
    With that being said, I assume:
    - It is a token dispenser that will generate a new token to temporarily access something. You might want to investigate this further by taking the generated token and finding out if it's being used elsewhere.
    - The token might not be a JWT but only a base64-encoded payload with some 'check algorithm', as you said earlier, since the generated token has the same length as the first one.
    - I also find it weird that the user cookie has a 1-character length difference between the generated version and the original one.
    [ Conclusion ]
    I hope this provides an answer to this thread.
    - The config links can be accessed directly without the need for a parameter / authorization.
    - setCookie[account] and setCookie[user] both inherit from each other.
    - 'check algorithm' and the base64 payload both inherit from each other (in one setCookie).
    - Making another request will cause the previously generated token to be invalid: a one-time-use or session-based token.
  11. MC874:

    Hi @nok1a, I would want to know which app you obtained this JWT from. Hence, we can only talk about it from the surface.
    [ Answers ]
    The thing is: it resembles encrypted data. My thoughts about your JWT tokens: I'm highly sure it is a payload, not the headers. Headers are usually unencrypted and mention the encryption algorithm that the JWT uses. See RFC 7516 Section 3.3: Example JWE. Your JWT token doesn't have the JWT tags which mention "enc" for encryption or "alg" for the algorithm used, according to the same RFC (or can the headers also be customized?). A normal JWT token surely supports payload encryption, but the game can also do another client-side encryption to 'hide' the JWT token, like I mentioned in the previous examples. The requirement is at least one dot, according to RFC 7519 Section 7.2: Validating a JWT. It's true, both the JWS and main JWT RFC papers seem to strictly use the format Header.Payload.Signature, as mentioned in RFC 7515 Section 3.3: Example JWS. Although there's no mention of such a concatenation format in JWE.
    Are you getting this JWT from memory, a packet request or local cache files? To me, this seems roughly taken from memory or a response packet; this partially explains the missing signature. From your initial JWT tokens, there's no sign of a signature. As expected, the server replied with such. I'm also left confused; I'm in the same boat as you. The problem with your token is:
    - There's no mention of the encryption and algorithm being used, which would portray the signature used in the JWT.
    - It doesn't have a signature / authentication. All types of JWT put their auth/sig at the end, but this token has none.
    Most likely, then, it would just be a regular authentication similar to JWT (using [.] for parsing). The indication is that it usually has a query parameter in its URL (?access_token=blah).
    [ Main Section ]
    Taken from RFC 7518 Section 8.5: Unsecured JWS, this perhaps explains why the headers and signature are missing: the JWT token is considered unsecured since both are incorrect. However, this doesn't explain the 'Wrong Signature Error'. We can assume several things:
    - This is the correct JWT token, since it follows the one-dot requirement. Let's assume that this is used as a POST method bearer. Perhaps the server's 'Wrong Signature Error' reply comes from the missing request payload (not the JWT payload). Usually, it's sent in raw, JSON, or XML format.
    - The JWT signature is probably added automatically when the request is sent by the app, leaving only chunks of the JWT saved, if the tokens are taken from the local cache.
    - The server does NOT support request methods other than POST.
    - The server is reserved for a proxy. This is usually used in online apps, which can result in '400 vip_default_vip' or '400 Bad Request'. You need to put an absolute URL as the request path: GET http://blah.com HTTP/1.1\r\nAuthorization: ey...
    [ Notes ]
    So far it's still unclear where the exact problem is; we can only assume based on your mentioned JWT tokens. Perhaps the token itself is invalid from the beginning.
    - Attach the request that you send to the server (payload, headers, URI, and some dummy JWT).
    - Attach the server response, including the response status code, response headers, and response content.
    - Mention the app's name or a link to it.
  12. MC874:

    Hi @nok1a, as presented above, the JWT mentioned is not a valid one. The JWT header should be in JSON format. In your string, the JWT header is incorrect, from which it can be assumed it is a payload or the footer of the JWT. Not to mention that the mentioned JWT doesn't have the footer. Both payload and header usually use the same JSON object, formatted as: ( ey (.) ey (.) AvBnCD ). Let's talk about it more:
    [ Main Section ]
    1) If you switch the header position into the payload section, you'll get a glimpse of an escaped Unicode character (\u001a) wrapped in double quotes. This may indicate something:
    2) The scrambled result may come from a memory artifact, where the data is partially flushed from memory but remains there as a glimpse. Usually, memory holds this data multiple times at many addresses; perhaps you need to find the ones that follow the JWT format.
    3) The game can also encrypt the JWT, partially or the entire token, which usually involves XORing with your game account and session.
    [ Notes ]
    Examples are taken from a real scenario by comparing both situations with their precedent case.
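The structural rules that posts 10 to 12 above argue over (at least one dot, a JSON header carrying "alg", three segments for a JWS and five for a JWE, an empty third segment only for "alg":"none"), as an added example that is editor's code and not anything from the thread or the game. The HMAC key and every sample token are constructed here; the `inspect_token` and `verify_hs256` names are this example's own.

```python
"""Added example (not from the posts): a structural inspector for JWT-shaped
tokens that applies the checks the thread argues over, standard library only.
The HMAC key and all sample tokens are constructed here for the demo.

- RFC 7519 7.2: at least one '.', base64url segments without padding, and
  a first segment that decodes to a JSON header.
- RFC 7515 (JWS): header.payload.signature; an Unsecured JWS has "alg":"none"
  and an empty signature segment.
- RFC 7516 (JWE): five segments, and the header carries both "alg" and "enc".
"""
import base64
import hashlib
import hmac
import json


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(seg):
    """base64url decode, restoring the '=' padding that JWTs strip."""
    data = seg.encode("ascii")
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _json_object(seg):
    """Decode a segment as a JSON object; None if it is not one."""
    try:
        obj = json.loads(b64url_decode(seg))
    except (ValueError, UnicodeError):   # bad base64, bad UTF-8 or bad JSON
        return None
    return obj if isinstance(obj, dict) else None


def inspect_token(token):
    """Classify `token` as 'JWS', 'unsecured-JWS', 'JWE' or 'not-a-jwt' and
    return the decoded header, the claims (JWS only) and the problems found."""
    info = {"kind": "not-a-jwt", "header": None, "claims": None, "problems": []}
    parts = token.split(".")
    if len(parts) < 2:
        info["problems"].append("no '.' separator (RFC 7519 7.2, step 1)")
        return info
    header = _json_object(parts[0])
    if header is None or "alg" not in header:
        info["problems"].append("first segment is not a JSON header with 'alg'")
        return info
    info["header"] = header
    if len(parts) == 5 and "enc" in header:
        info["kind"] = "JWE"      # header.encrypted_key.iv.ciphertext.tag
        return info
    if len(parts) != 3:
        info["problems"].append(f"{len(parts)} segments: JWS needs 3, JWE needs 5")
        return info
    claims = _json_object(parts[1])
    if claims is None:
        info["problems"].append("payload is not a JSON claims set")
        return info
    info["claims"] = claims
    if header["alg"] == "none":
        info["kind"] = "unsecured-JWS"
        if parts[2]:
            info["problems"].append("alg=none but the signature segment is not empty")
    else:
        info["kind"] = "JWS"
        if not parts[2]:
            info["problems"].append("signature segment is missing")
    return info


def sign_hs256(claims, key):
    """Build a compact HS256 JWS (constructed helper for the demo)."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


def verify_hs256(token, key):
    """True only for a 3-segment token whose header says HS256 and whose MAC
    matches; alg=none, a missing signature and a tampered payload all fail.
    The algorithm is pinned by the verifier, never taken from the token."""
    info = inspect_token(token)
    if info["kind"] != "JWS" or info["header"].get("alg") != "HS256":
        return False
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    try:
        return hmac.compare_digest(expected, b64url_decode(sig))
    except (ValueError, UnicodeError):
        return False


# Constructed samples (key and claims are made up for this example).
KEY = b"constructed-demo-key"
GOOD = sign_hs256({"sub": "player-0", "lvl": 3}, KEY)
_h, _p, _s = GOOD.split(".")
TAMPERED = ".".join([_h, b64url_encode(b'{"sub":"player-0","lvl":99}'), _s])
NONE_TOKEN = ".".join([b64url_encode(b'{"alg":"none"}'), _p, ""])
JWE_SHAPED = ".".join([b64url_encode(b'{"alg":"dir","enc":"A256GCM"}'), "",
                       b64url_encode(b"iv"), b64url_encode(b"ct"), b64url_encode(b"tag")])
ONE_DOT = "ey" + "x" * 14 + ".AvBnCD"   # JWT-looking but its 'header' is not JSON

if __name__ == "__main__":
    for name, tok in (("good", GOOD), ("tampered", TAMPERED), ("none", NONE_TOKEN),
                      ("jwe", JWE_SHAPED), ("one-dot", ONE_DOT)):
        info = inspect_token(tok)
        print(f"{name:9} {info['kind']:14} verify={verify_hs256(tok, KEY)} {info['problems']}")
```

The "one dot" string from the thread classifies as `not-a-jwt` because its first segment never decodes to a JSON object, so the one-period rule on its own proves nothing; and a token with "alg":"none" is structurally a valid Unsecured JWS yet must still be rejected by any verifier that expects HS256.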
  13. MC874 in "Crash game script":

    Hi @ByTwiiixy, there are so many reasons that can cause this. Perhaps giving more additional information would help:
    - Make sure to attach the logs of both Game Guardian when running the script and the game crash through logcat.
    - If possible, also attach the mentioned script here. Make sure it is readable or mention the password if it's protected.
    - Mention your NFS version; perhaps the script is already outdated and causes improper changes that lead to the game crashing.
  14. MC874:

    Hi @angeloA2512M, considering it's an old thread, please provide more context on what actually failed to download. Is it the VX or GPlay? In the meantime, I can only offer you some alternatives that have Google Play Services working properly, which use a virtual machine:
    - VPhoneGaGa
    - X8Sandbox
  15. Aha, I love it.
  16. MC874:

    Hi @bluechipps, I'm not an expert in this debugging field and also I don't have the problem in hand:
    - Based on 'Breakpoint', we can't really be sure if that's the exact problem, but it can be one trivia. GG sets a breakpoint in the kernel, specifically the time() function, to do a client-side SpeedHack. Although it's related, we need to dive further into the function side of the game or the kernel itself.
    - Also, judging from the WIF's, it returns a true value. It means the syscall / process that was called is stopped, as you can see from WIFSTOPPED(1).
    - It reminds me that SpeedHack is intended for the 32-bit architecture (although many x64 games can also use it). Probably try the armeabi version of the game.
    - I'm afraid you're running the latest version of Android, as it can be more problematic. Newer Android 11-13 introduces new phantom processes, which limits access to higher permissions. The behavior is: it will likely stop the process if it exceeds a high memory limit, apps can't see the process side of other apps, etc. It's been painful.
    I can be wrong about my points. I think it's also safe to say: don't use a newer Android version for kernel / high-permission related activity. About returning the phone, I can't really say if it's the phone's fault, but I've been biased towards the Xiaomi/Infinix community for something related to rooting. The community has been really great by being really active and also still providing Android 10.
  17. MC874:

    Hi @bluechipps, I can't really dive into the issue since it's a paid game. Are you sure it's a split APK?
    - Split APKs reserve their own library inside split_config.[architecture].apk. So it's not inside the base.apk or the application. Also, because of this, the main library is nowhere to be found inside the lib folder but is instead accessed via services/symlink. So, extracting the libs from split_config.[architecture].apk into the libs folder accessed here: /data/app/com.archison.randomadventureroguelike2/lib/[architecture] (or its symlink in /data/data/com.archison.randomadventureroguelike2/lib) would make them accessible for GG or other applications (hookers). Not to mention that /data/user/ is also a symlink to /data/data/. So, it would explain why it's also looking up lib6.so inside /data/user/0/com.zgifjxcwdghpyjtpjd.
    - The fix for this issue is to combine all the split APKs into a single APK using APKToolM. However, this doesn't work if each split APK has its own signature.
  18. MC874 in "Failed to load daemon":

    Sure, I'll tell you if I find anything useful.
  19. MC874 in "Failed to load daemon":

    Hi @MANDO01, I think that just confirms it. F1 VM has a buggy daemon that is causing this; MyAndroidToolsPro also requires the daemon to see the logcat.
    - Basically, the app isn't able to deploy its services. Have you tried another virtual machine or checked for new updates for F1 VM?
    - You can always check if the service is deployed when you see multiple PIDs in the running processes:
    su -c pidof com.myandroidtools.pro
    # Should show: 1084, 8089 (or more PIDs)
    - Alternatively, you can use Termux again to see the logcat:
    su -c 'logcat > /sdcard/log.txt'
    In the end, I'm really sure it was F1 VM's fault. If the daemon is buggy, then it would affect any app, not just GG. Termux and MyAndroidToolsPro can fail because of this.
  20. MC874 in "Failed to load daemon":

    Hi @MANDO01, Daemon Failed means it can't instantiate a background process/service because of occupied permission/access. The cause is something that is accessing a root directory or accessing the local network (something that requires a high level of permission). The only way is to restart your device. There's no effective solution to this since the causes may vary. If you're annoyed, you can always try several things as your first step:
    - You can determine the reason behind failing daemons by monitoring your app activity using logcat: MyAndroidTools Pro has a nice logcat feature, or even modify system app properties. Don't forget to also analyse malicious / unnecessary apps that access libnetd; a simple packet capturer can give you a better result: PCAPdroid.
    - I don't know if F1 VM has a dual user space like Xiaomi does, as it can cause the same issue related to the daemon. Probably creating multiple instances of F1 VM can also be the reason.
    - You might want to disable any existing firewall client through Termux:
    export ANDROID_NO_USE_FWMARK_CLIENT=1
    However, it could also be because of GG being buggy on F1 VM (or the opposite), as you said: "sometimes it works fine and sometimes I get this error".
  21. MC874:

    Hi @Marks01. I have been able to temporarily disable the detection, but it will be triggered again if you press any button. So that's progress. In the meantime, here are some alternatives:
    - Technically, you can run Game Guardian both inside a virtual machine and on your phone, like suggested above.
    - Since you are using LDPlayer, why bother using Game Guardian? On Windows you have many options; you can use Cheat Engine (Game Guardian alternative), HxD (simple) or Ghidra (advanced).
    - You can temporarily disable the detection in-game using the following (attach Game Guardian first, then run the commands below once inside the game, before LIAPP appears):
    cd /d "%~dp0"
    adb shell su -c "for i in $(pidof com.hidea.cat); do mount -o bind /proc/2/maps /proc/$i/maps; done"
    It acts as memory flushing, so the earlier Game Guardian trace will be removed, but not on the next check. Currently, I'm still finding a permanent way, if you're interested. Otherwise I'll stop if you've decided to use Cheat Engine.
    [ Visual Demo ]
    Temporarily Hide PTrace (Memory Flush):
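What the bind-mount trick in the post changes from the scanner's point of view, as an added example (editor's code, not the poster's and not any anti-cheat's real logic): a small /proc/<pid>/maps parser with the kind of checks an in-game scanner might run. After `mount -o bind /proc/2/maps` the game reads the empty maps of the kthreadd kernel thread, so an earlier trace disappears, but a scanner that also expects to find its own library mapped will flag the empty view on its next check. The maps snapshots and the suspicious path markers are constructed.

```python
"""Added example (not from the post): what an in-game scanner sees in
/proc/<pid>/maps and why bind-mounting /proc/2/maps over it hides a trace
only until the next check. The maps text and the suspicious markers are
constructed for the demonstration; a real scanner's heuristics will differ.
"""
import re

LINE_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)
# Constructed: substrings a scanner might associate with an injected tool.
SUSPECT_PATH = re.compile(r"gameguardian|libgg\.so", re.IGNORECASE)


def parse_maps(text):
    """Parse /proc/<pid>/maps lines into dicts (unparseable lines skipped)."""
    regions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            regions.append({"start": int(d["start"], 16), "end": int(d["end"], 16),
                            "perms": d["perms"], "path": d["path"].strip()})
    return regions


def scan_maps(text, own_lib="libil2cpp.so"):
    """Return the findings a scanner could raise for this maps content.

    An empty maps (what /proc/2/maps, the kthreadd kernel thread, looks like)
    or one that lacks the game's own library is itself a giveaway, which is
    why the bind-mount only buys time until the next check.
    """
    regions = parse_maps(text)
    findings = []
    if not regions:
        findings.append("maps is empty: kernel-thread view, maps may be bind-mounted")
        return findings
    if not any(r["path"].endswith(own_lib) for r in regions):
        findings.append(f"{own_lib} not mapped: maps does not describe this process")
    for r in regions:
        if SUSPECT_PATH.search(r["path"]):
            findings.append(f"injected library: {r['path']}")
        if "w" in r["perms"] and "x" in r["perms"]:
            findings.append(f"rwx region {r['start']:x}-{r['end']:x} {r['path'] or '(anon)'}")
    return findings


# Constructed maps snapshots (package and library paths are made up).
CLEAN = """\
12c00000-12d00000 rw-p 00000000 00:00 0          [anon:dalvik-main space]
7a1c000000-7a1f000000 r-xp 00000000 fe:01 1234   /data/app/com.hidea.cat-1/lib/arm64/libil2cpp.so
7fd0000000-7fd0021000 rw-p 00000000 00:00 0      [stack]
"""
WITH_GG = CLEAN + """\
7b00000000-7b00010000 rwxp 00000000 00:00 0      /data/data/com.example.gameguardian/lib/libgg.so
"""
AFTER_BIND_MOUNT = ""   # /proc/2/maps has no user-space mappings

if __name__ == "__main__":
    for name, snap in (("clean", CLEAN), ("with GG", WITH_GG), ("bind-mounted", AFTER_BIND_MOUNT)):
        print(f"{name:13} -> {scan_maps(snap) or 'no findings'}")
```

The third snapshot is the state the `adb shell` loop above produces: the earlier "injected library" and "rwx region" findings are gone, but the scan now reports an empty maps, which is the "not on the next check" caveat in the post.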
  22. MC874:

    Hi @Marks01, the purpose of the video is to use HideMyAppList to hide GG from the game as an alternative to SudoHide, and it works. The idea of installing Magisk is just for that. I can't help you more than this unless you give me a screen recording of your problem. I'm really sorry, I have no idea what the problem is here. You can use OBS to record your screen. In reply to your previous question, it's because LSPosed and Shamiko require a newer SDK. You're using LDPlayer 4 with Android 7-5, which has a lower SDK (26-24). You need at least Android 9 or newer to be able to install them. I'm using LDPlayer 9.0.11.0 x64. I suggest you install Windows 10 x64 to install LDPlayer 64-bit. You might want to follow my setup; although it's not needed, it must be something else that causes this problem. Again, I request you do a screen recording, so I can inspect the possible causes.
  23. MC874:

    Hi @Marks01, are you sure you're doing the exact same steps as I did in the video? The reason it needs to be disabled is: MagiskSU will conflict with SuperSU (see 'Install Magisk on Emulator' video at 01:34). Please clarify the following:
    - The reason the Modules tab is greyed out: Magisk isn't installed properly (redo the steps from 'Install Magisk on Emulator' video at 00:10 - 00:41).
    - From the first installation, make sure you still have root ENABLED when opening the Magisk app (see 'Install Magisk on Emulator' video at 01:13).
    - DON'T USE 'Hide Magisk App' or the Magisk app will lose its root privileges. The reason for this is: Magisk root is handled by the Magisk app. Pay attention when installing the Magisk app.
    The indications that MagiskSU is successfully installed are mentioned in this time list:
    - The Magisk terminal says 'Done' and the installation ends (see 'Install Magisk on Emulator' video at 0:38).
    - The Magisk app will ask for root and it says 'Abnormal State' (see 'Install Magisk on Emulator' video at 01:13 and 01:34).
    The above timestamps are a VITAL part of the Magisk installation. I can't really tell if you're doing something wrong; perhaps a screen recording would help.
  24. MC874:

    Hi @Marks01, I've conducted an experiment and it seems to hide GG completely. Here's what you need to do:
    [ Resources ]
    - Magisk or Magisk Terminal for Android Emulator.
    - Shamiko Magisk module
    - LSPosed Framework (use the Zygisk variant)
    - HideMyApplist as a SudoHide alternative.
    [ Practice ]
    - First install Magisk [the demonstration below is performed on the LDPlayer emulator using Magisk Terminal].
    - Install the Shamiko & LSPosed modules in the Magisk app.
    - Navigate to /data/adb/manager.apk and install it.
    - Install Game Guardian (if you haven't) and set up: 1) Hide Guardian from the Game: check all of them or experiment yourself, 2) PTrace Protection: set to Freeze.
    - Now reboot your device.
    - Inside the LSPosed app, enable the HideMyApplist module and then delete the LSPosed app after doing so.
    - Reboot again.
    - In HideMyApplist, select Template > Blacklist > Invisible > (select GG and any app that you want to hide).
    - Go back and select Applied > Hidea Game (or any LIAPP game).
    - Go back again and add a name for your template.
    - Just go back to the main menu (it will automatically save the template).
    - Done. Go ahead and enjoy the game.
    [ Note ]
    - If this helps, consider marking this post as a solution. If not, you can mention me @MC_ on this thread.
    - If SpeedHack doesn't work, it's because of 'Hide Guardian from the Game'. You can experiment yourself by unchecking some levels (1-4) and see if it works.
    - Make sure to keep following the reboot steps; they are intended to apply the changes.
    [ Visual Demo ]
    Magisk on LDPlayer: LIAPP Alert Bypass (Hide Mode)
  25. MC874:

    Hi! Certainly you can install VirtualXposed on LDPlayer. Here's what you can do:
    - Use the specific version VirtualXposed 3.1.5: VirtualXposed LDPlayer
    - Alternatively, you can instead install Magisk on LDPlayer using Magisk.Terminal.Emulator.apk and use LSPosed.