Everything posted by MC874
-
Your script is working fine, but the problem is the search value. The script is unable to find a result at index 1 according to this: Are you really sure you got the correct one? Values can be dynamic or based on the game session.
-
Hi! The problem is .value1, while it should be just .value; it's a hardcoded function, not a variable. Change it to this:
your_values2[1].value = 5000
your_values2[6].value = 5000
your_values2[9].value = 5000
-
Hi! There have been some attempts at this, but I haven't tried them myself. Maybe look up a runtime libil2cpp dumper such as this: Auto Il2cppDumper, or use a Magisk Zygisk dumper: Zygisk Il2CppDumper. They are relatively new and might work with the latest one. It might only work on low-level games, so the idea of dumping the lib without metadata in most games is hard/impossible.
-
How can I be sure that the value is stored on server side?
MC874 replied to Iqbroly's topic in General Discussion
Hi! There are several ways to indicate this:
1) Check if the game communicates with the game server often, even when you're not scrolling through the in-game marketplace/items. You can use PCAPDroid or HTTPCanary to check your game's connections.
2) The game uses an online account / GPlay account, etc.
3) When you're changing some values, the game reverts them by sending some connection; check it in PCAP. For websocket connections, find the game connection that is still "Open".
This could be the case, but it does not always indicate that the values are stored on the server. Here's why:
1) It's not a real value, meaning that it's only visual and is updated based on the real values. You should find the right one by finding what address changes the visual; it may lead to the real one.
2) The game has memory-change detection, which means you need to disable the address that accesses your values to make them stay unchanged. See common hex patching here: Hex Patching
3) The game is client-sided, but the server forces the previously saved values; you can simply block the connection that causes this in PCAP.
Actually, server-sided games can still be hacked, but they need a different workaround instead of directly changing the values:
1) If you want to increase the game money to buy some item, you can just hack the item instead. Change the price to 0 or a Free state; each game may differ, it can depend purely on currency or game state. For example: "free": false is the state of an item that isn't free, or you can change the price itself ("currency": 1234), something like that.
2) You can do a connection swap; using network engineering with Postman, you can try to get a free item. When you click on claim, change the Item ID in the game connection to a paid item; you will get the paid item for free by manipulating this.
3) If the game is related to Google Play accounts, you might check this post: Hacking Rare Currencies
-
Hi! Instead of waiting for updates, you can try the alternative: LSPosed. It's the Xposed Framework but using Magisk, and it's updated regularly. I think it should work with Android 12 with ease, but the thing is: you need to replace your SuperSU and migrate to MagiskSU. It's recommended that you do it on a virtual Android: VPhoneGaGa. There are many tutorials available online, but if you're confused, you can always ask me for an installation tutorial.
-
Hi! I'm trying to answer as simply as possible; hopefully it's also easy to understand.

Starting with the first one: memory range is 'how long the memory is'. First of all, memory consists of many addresses. In that memory there's app data that is currently processed/used by the app. To understand memory range, let's take a real-life example: there's a library, and it has many racks of books.
- Cooking books are on the last racks, 8-9
- Utensils are in the first 1-3 rows, and
- Novels are upstairs.
From this you can get the idea of how memory works:
- Racks 8-9 are the location range of cooking books
- Utensils are stored in the row 1-3 range, and
- Novels are upstairs (this is related to offsets; we're going to talk about that next).

Libs is a library; it contains saved data that the app will use to run. There's a memory range with various data related to players, weapons, etc. It's the same as the book library we talked about earlier: it contains many racks of books for people to read, and there's a range of places for cooking books, novels, etc. It's the name of the Unity games library. Unity is a game engine that people use to make games. So, if a game is made with Unity, there's a good chance it's similar to another Unity game. Each game engine has its own unique library name and data structure; in Unreal Engine 4, the lib name is libUE4.so. You shouldn't worry about this; it's just a name, the same as a product brand.

So.. offsets.. An offset is a displacement, or an instructional form of how to get to your destination. In memory there are addresses. It's the same as a regular address in real life. Taking the example from earlier: rack 8 and rack 9 are the address for cooking books; rows 1, 2, and 3 are the address for utensils. The difference is that a memory address is written like this: 01234567, in hex form. For clarity, hex can also be written like this:
- 01 23 45 67
- 0x01234567
- 0x01 0x23 0x45 0x67

Alright, let's dive into offsets. An offset is how to get to your address, in instructional form. Again, we're going to use the same example. Let's say you're in a library and you want to read a cooking book. So the offset to the cooking book is:
- From the entrance, walk straight to the end
- Turn right into rack 8
Now, in memory: again, let's say that you want to get to address 12345678. The offsets would be:
- From the base/first address 00 00 00 00
- Add 12 34 56 78 (00000000 + 12345678 = 12345678)
Let's do another example: if you're at address 00 A0 and want to reach 01 50, you can do (00 A0 + 00 B0 = 01 50). If you're confused with hex, you can experiment with: Hex Calculator
-
@HorridModz provides a nice, detailed explanation. Hex patching is rather easy, as it's only a form of data that is simply overwritten / added; the important thing is to understand the assembly itself. I'll probably provide a little more coverage of the topic.

[ Usage ]
- Replacement: You can only replace hex at a fixed length. The hex length depends on the data types that you're dealing with; it could be a set / subset instruction. In general it can take 2-4 bytes; make sure to read the instruction as a string, not in hex form. Simpler coverage in the next section.
- Addition: This is used when doing references such as memory allocation. To manually add a custom instruction, you need to write it in an empty/unread memory region (the indication is that it's filled with 00) and then reference the game function to your allocated memory. That's the general idea; you shouldn't worry about it, most tools already provide this feature.
Why no subtraction? You can't remove a function, even after proper patching and 'disabling' any reference to that function, directly or in memory. It leads to data corruption/crashing, so it's uncommon. You can use this to cut fake data (such as a malware app that is filled with 00 to make a large size) because "they" only add additional hex at the end. There's more to this.

[ Data Types ]
- Function/instructional data takes 4 bytes:
mov r0, r0 #00 00 A0 E1
bx lr #1E FF 2F E1
- Inner function/subset instructions take 2-4 bytes. This is called Thumb and can be found on 32-bit architectures:
mov r0, r0 #00 46
bx lr #70 47

[ Patching ]
- Lazy patch: You can 'remove' an instruction without removal; simply fill it with 00. This of course wouldn't work if the app has high security, but the benefit is that you don't need to understand assembly.
- Proper patch: You can just memorize these common patches and apply them anywhere; it's simple and not time consuming. Well, for more instruction patches you need to learn assembly. Learning return values and jump instruction (BL/JMP) patches would mostly help.

[Patch 1]
Instruction: mov r0, r0
Arm encoded: 00 00 A0 E1
Thumb encoded: 00 46
[Patch 2]: Usually a boolean / takes a value
Instruction: mov r0, #0
Arm encoded: 00 00 A0 E3
Thumb encoded: 4F F0 00 00
[End Patch]: Indicates closing; put after patches
Instruction: bx lr
Arm encoded: 1E FF 2F E1
Thumb encoded: 70 47

[ Misc ]
- 00 is equal to 1 hex
- Hex can be presented as 00 or 0x00
- Thumb can be found on 32-bit architectures (x86, Armeabi / Armv7 / Arm32)
- Thumb can also take 4 bytes, the same length as Arm encoding
- To differentiate Thumb and Arm encoding: 1) Copy the instruction hex, 2) Compare hex and instruction, including the offsets before and after
-
The continuation of this: yes, it can be done through a DNS server, but alternatively you can just use AdGuard DNS. It has an inbuilt ad list and can even import one, which avoids setting up a wordlist manually. Although the queries are limited to 300K requests, so you should use a DNS list from SimpleDNSCrypt. To use both DNS, just simply put the address into the DNS setting. Alternatively, you can use MyAndroidToolsPro and disable AdMob services from the app, although you need root for this.
-
Yeah, that's the tricky part; that's why I suggested step #2, using Ghidra and using breakpoints.
- The purpose of this is to make things easier to read, as Ghidra will show the current task that the process is doing. Also you can set a breakpoint to pause the task momentarily; although you can do it with CE, you need to find the right address first, unlike with Ghidra.
- Sandboxing the game allows only the game to be running; if you have an Android emulator, you probably have background system apps/services running, and that's the challenge when attaching a debugger to an Android emulator. Although you can just do it remotely, that's really slow, or use an Android debugger app (if it exists, and I'm not sure if the features will equal current standards).
That's a challenge for reversing the game; it's good to assume, but you have to find another way when it's not. Honestly, you can keep experimenting every day, take notes on the progress, and eventually you will get somewhere. Good luck on your findings!
-
Hi! There's a hide-root-detection app called HideSu, but it's old and most likely won't work anymore, especially for banking apps. SuperSU is semi-hardcoded since it patches some Android image file. So I recommend using VPhoneGaGa and using Magisk for rooting. So far, VPhoneGaGa is the one that can use Magisk properly. But why Magisk? You can use systemless root, meaning it's not deep-rooted into your Android and can easily be removed. Also, the current popular one is to use Shamiko for hiding Magisk root. If you need the Xposed Framework, use Magisk LSPosed instead: LSPosed
-
Hi! Hex isn't really a language but rather a data representation. Hex can form almost everything, almost the same as other data types like dword, etc. You can even convert plain text into hex or others. Coming to the question:
mov /// Moves a signed int/value into the target register/operand
r0 /// Register location
#1 /// Moves the signed value 1 into the register
#1 equals True, which means the game/projectiles will always register any shot as a headshot. In some games, the #1 value is inherited from a range of values that the game already sets. For example, if the game has auto-update enabled, predefined as follows:
1 #Auto Update enabled
2 #Connection Error
3 #Update Received
4 #No Updates
mov r0, #[1-4] /// Choose the corresponding one, and it will be that
Mostly it would be 0-1 (False/True), where 0 will be nothing or false; the game will ignore it and continue with the next instruction. As for "bx lr", it's a common way to indicate "the end of the function". This tells the game, "Hey, it's the end; jump to the default or next function". If it's a lazy patch, this will neglect any instruction after "bx lr" in that same function. This can lead to memory detection, although it's mostly fine.
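The encodings quoted in the hex-patching post above and in this reply about mov r0, #1 can be checked mechanically. The following is an added example, not code from MC874 or from GameGuardian: it decodes exactly those ARM/Thumb encodings from little-endian bytes and scans a constructed byte blob for a function that has been stubbed to 'mov r0, #imm; bx lr', which is the check an anti-tamper or forensic integrity scanner would run over a loaded library.

```python
# Added example (not from the posts or GameGuardian): decode the ARM/Thumb
# encodings quoted above and flag functions stubbed to "mov r0, #imm; bx lr".
from typing import List, Optional, Tuple


def _reg(n: int) -> str:
    return "lr" if n == 14 else f"r{n}"


def decode_arm(word: bytes) -> Optional[str]:
    """Decode one 32-bit A32 instruction stored little-endian (only the forms quoted above)."""
    if len(word) != 4:
        return None
    w = int.from_bytes(word, "little")
    if w >> 28 != 0xE:                        # condition AL; the posts only use unconditional forms
        return None
    if w & 0x0FFFFFF0 == 0x012FFF10:          # BX Rm           1E FF 2F E1 -> bx lr
        return f"bx {_reg(w & 0xF)}"
    if w & 0x0FFF0000 == 0x03A00000:          # MOV Rd, #imm    00 00 A0 E3 -> mov r0, #0
        rd, rot, imm8 = (w >> 12) & 0xF, ((w >> 8) & 0xF) * 2, w & 0xFF
        imm = ((imm8 >> rot) | (imm8 << (32 - rot))) & 0xFFFFFFFF if rot else imm8
        return f"mov r{rd}, #{imm}"
    if w & 0x0FFF0FF0 == 0x01A00000:          # MOV Rd, Rm      00 00 A0 E1 -> mov r0, r0
        return f"mov r{(w >> 12) & 0xF}, r{w & 0xF}"
    return None


def decode_thumb(code: bytes) -> Optional[str]:
    """Decode one Thumb instruction (16-bit, or the 32-bit mov.w form) stored little-endian."""
    if len(code) < 2:
        return None
    hw = int.from_bytes(code[:2], "little")
    if hw & 0xFF87 == 0x4700:                 # BX Rm           70 47 -> bx lr
        return f"bx {_reg((hw >> 3) & 0xF)}"
    if hw & 0xFF00 == 0x4600:                 # MOV Rd, Rm      00 46 -> mov r0, r0
        return f"mov r{((hw >> 7) & 1) << 3 | (hw & 7)}, r{(hw >> 3) & 0xF}"
    if hw & 0xFBEF == 0xF04F and len(code) >= 4:   # MOV.W Rd, #imm   4F F0 00 00 -> mov r0, #0
        hw2 = int.from_bytes(code[2:4], "little")
        i, imm3 = (hw >> 10) & 1, (hw2 >> 12) & 7
        rd, imm8 = (hw2 >> 8) & 0xF, hw2 & 0xFF
        if i == 0 and imm3 == 0:              # plain 0..255; other i:imm3 values use the modified-immediate expansion
            return f"mov r{rd}, #{imm8}"
        return f"mov r{rd}, #<modified-immediate>"
    return None


def find_stubbed_functions(blob: bytes) -> List[Tuple[int, str, str]]:
    """Report every 'mov r0, #imm' directly followed by 'bx lr', in both instruction sets."""
    # The arm/thumb mode is a guess from the bytes alone; as the post says, confirm it
    # against the surrounding code before treating a hit as a real patch.
    hits = []
    for off in range(0, len(blob) - 7, 4):
        a, b = decode_arm(blob[off:off + 4]), decode_arm(blob[off + 4:off + 8])
        if a and a.startswith("mov r0, #") and b == "bx lr":
            hits.append((off, "arm", f"{a}; {b}"))
    for off in range(0, len(blob) - 5, 2):
        a, b = decode_thumb(blob[off:off + 4]), decode_thumb(blob[off + 4:off + 6])
        if a and a.startswith("mov r0, #") and b == "bx lr":
            hits.append((off, "thumb", f"{a}; {b}"))
    return hits


# Constructed sample: a push, a nop-style mov, an ARM stub, then a Thumb stub.
SAMPLE = bytes.fromhex("04B02DE5" "0000A0E1" "0000A0E3" "1EFF2FE1" "4FF00000" "7047")

if __name__ == "__main__":
    for off, mode, text in find_stubbed_functions(SAMPLE):
        print(f"offset 0x{off:04X} ({mode}): {text}")
```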
-
Yep, this is a good alternative, although I'm not really familiar with procmon; this can also be done with Ghidra at the previous step #2. But taking the PC version of the game is better than trying to sandbox the game. Is there a chance of the metadata differing between PC and Android?
-
Hi! From the previous behaviour that "the dumped metadata is identical to the obfuscated/encrypted one", I assume that it is because the metadata is still in the loading stage.
1) Since the metadata gets flushed from memory so quickly, here we're going to suffer from trial and error to make sure we get the right timing. I highly recommend doing it on PC with an Android emulator, because milliseconds really matter here. On PC, you need to prepare Cheat Engine and some script to auto-suspend/freeze the emulator. Prepare everything; as soon as you launch the game, run the script (I highly suggest using a custom hotkey to execute the script) and search for the metadata header in Cheat Engine. If it's not found, unfreeze and freeze again and rescan in CE; do this until you get some interesting bytes. You can try to use PsSuspend and make a script to automate that.
2) You might need the game sandboxed; although you can try it using an emulator, that has the whole of Android emulated, which is too big for us to debug. The reason for this is that we can use Ghidra and attach it directly to the game. This will make things easier to read.
3) If you're sure that the decryption happens in the HProtect Java class, you can probably try some external hooking. Frida seems the right choice, but I'm not sure if it's able to read what the function is currently doing, since it just reads the class? I'm not an expert, so I don't know the full capabilities of Frida. You can try to create custom hooks from scratch and make them access the data that's currently handled by HProtect. This is still a big effort just to look for metadata; not recommended, since it's a waste of time.
From Platonic, it's more likely that the metadata will exist in bare form when doing step #1, since there are multiple metadata co-existing? At this point, the only option is to reverse engineer the game, since none of the current tools are able to do the job.
-
username User Name gameguardian.net HELP PLS
MC874 replied to Jnhacksnmods's topic in General Discussion
I'm not really sure, but it does exist at my rank 6, or probably it was 'titles' dependent.
-
You guys reached the same idea, just with a slight difference:
1) Phone manufacturers intend to keep the speed balanced, and it can only throttle up to the maximum speed and decrease once a high temperature is reached. Overclocking the OEM speed can only reach the intended maximum speed, and it will stay there (clocking) even at high temperatures, but BDProchot would be triggered. For example, with a 1.8GHz ~ 2.4GHz speed, by this concept you're only overclocking the 1.8GHz balanced/manufacturer speed up to the maximum 2.4GHz.
2) Meanwhile, another overclocking concept is setting beyond the max speed. For example, a 1.8GHz ~ 2.4GHz speed would be 2.5GHz or more by this concept, but this can't be reached on Android.
BDProchot is a rig whereby other hardware tells the CPU to slow down in order to lower the temperature. This is the reason you can't do overclocking #2 on Android: because you can't disable BDProchot on Android. Unless.. somehow with modified microcode in the chip.
-
It's really hard to debug if it's OS specific; fortunately there's someone who happens to have the same OS. Judging by the app behavior, I will try to give some alternative suggestions besides root-related ones.
1) 'Not running in background': Make sure that you have enabled the 'Drawing Apps' permission to get the Game Guardian overlay to work. Also try to disable battery optimization for Game Guardian from your Android settings: Settings -> Battery -> Battery Usage -> Apps -> Game Guardian -> Run in Background. Every OS is different, but you can find it around the Battery and Apps settings.
2) 'Sometimes it freezes, cannot hit, sometimes it stops and must restart': Check your RAM usage; it's basic, but it happens to be a common issue. Some Android OSes intend to do this when reaching a certain amount of RAM usage, processes or heat. The only thing is to go to your Developer Options and disable the Background Processes option, set it to 'System Managed'. Other possible fixes are to set GG's priority to the topmost priority -1 (the default is 0) and also to check your Android architecture: is it matched with your current GG or not?
-
I'm afraid that you need to switch to X8 Sandbox with the Android 11 launcher.
-
Several problems with this if you keep "randomizing" gg.getValue/searchNumber:
1) In theory it should be working, but when you keep "randomizing" gg.getValue, eventually the attacker still gets the correct values. An attacker can extract all the gg.getValue calls from the logs and make a script on top of that; this is somewhat an alternative for harder reads, not something that makes the script entirely unloggable.
2) Is this going to be a memory hog?
With the currently available options, it's still enough to protect your script. However, I'm still curious whether GG actually offers some flag if the logs are running? Despite all of that, we're only struggling with GG's internal logs; it doesn't really prevent 3rd-party tools like memdumper.
-
It would be useful if you shared the method here, as the author can patch the script to avoid that. GG Lua encryption is mostly based on the client side and GG itself. It's good practice, if you don't trust the client-sided process, to combine good encryption with several ways to make it harder to read:
1) Migrate your script to an online server (Pastebin, etc.)
2) Split your script into several mini-scripts: Import Extra GG Code
3) Obfuscate your Lua / encrypt Lua to make it harder to poke at.
It would be good if you wrote your own cheats manually (not GG based), as you can implement more things without restriction.
-
First of all, what kind of source are you going to apply encryption to, Lua files? If you're willing to use some advanced way, you can use JWT or SHA hashing, but for Lua files I think you should also obfuscate your script and then encrypt it. Yes, most Lua encryption is decryptable, so you need to at least make it harder to read. For example, you can call another Lua file from the first Lua, etc.
-
It's true; I'm just suggesting what arch most devices use.
-
Probably he just mentioned debug symbols, which can be the same on each update. Just search some string near or in that area of the target; it can pinpoint you to that target. On the other hand, the game may have different offsets depending on library architecture, which can differ per device. I only recommend doing it on the Armeabi (armv7), x86, or arm64 arch if you're going to make public hacks.
-
Gameloop is indeed bloated with external AC for debug and overlay detection, but there's a workaround for it by using a modded Gameloop, which already includes some DLL patching. It's fast but not recommended for compatibility; that's the only main problem.
-
Hi! It may be a little difficult to do on/off via the firewall, so I suggest using a shell (.sh) script instead, as it will give you more control. Inside the script use the iptables package; here's an example of port blocking with iptables (keep only one of the two sections in your script, otherwise it blocks and then immediately unblocks):

#!/system/bin/sh
# Block / unblock TCP (protocol 6) ports 80 and 443 on IPv4 and IPv6; needs root.
iptables=/system/bin/iptables
ip6tables=/system/bin/ip6tables

#Enable Port Block
for t in $iptables $ip6tables; do
$t -A INPUT -p 6 --dport 443 -j DROP
$t -A OUTPUT -p 6 --dport 443 -j DROP
$t -A INPUT -p 6 --dport 80 -j DROP
$t -A OUTPUT -p 6 --dport 80 -j DROP
done

#Disable Port Block: delete the DROP rules added above
# (appending ACCEPT rules after them would not undo the block, the DROP rules match first)
for t in $iptables $ip6tables; do
$t -D INPUT -p 6 --dport 443 -j DROP
$t -D OUTPUT -p 6 --dport 443 -j DROP
$t -D INPUT -p 6 --dport 80 -j DROP
$t -D OUTPUT -p 6 --dport 80 -j DROP
done

I have provided you some basic shell script for port blocking using iptables. Usually it's already preinstalled in your Android, but if it's not, you can search for an iptables installer APK online. It does require root, however. In the end, it's just personal preference whether it's simple or not. You disable the wrong services; leave the important services enabled. As always, you need to suffer trial and error; if it's crashing your game, just revert the changes. Also, you can try to disable the game databases in there. I'll probably leave some of my CriticalOps data here next. I see that you're using Termux; probably try doing it using 'sh', or use Android Terminal Emulator even though it doesn't have any c/p feature, so you need to write them manually. I think just putting it as an sh script would be easier, since you just execute it in Termux like this: sh ./your-sh-script
-Good Luck!
-
Hi! Virtual Exposed is a kind of app that only emulates apps along with their storage on top of your Android, so it's kind of buggy/unstable. I recommend using VMOS Pro, as it emulates Android inside your Android, so it should be more stable. I myself haven't even tried using online login on Virtual Exposed, as I'm using direct browser login instead of apps. Probably try a similar alternative like F1 VM.
-Good Luck!