MC874

@HorridModz Provides a Nice detailed explanation. Hex patching is rather easy as it's only a form of data that simply overwrited / added, the important thing is: to understand the assembly itself. Probably I'll provide a little more coverage about the topic. [ Usage ] - Replacement: You can only replace hex at fixed length. The hex length is depends on Data types that you're dealing with, it could be a Set / Subset Instruction. In general it can take 2-4 bytes, make sure to read the instruction as a string not in hex form. More simple coverage on the next section. - Addition: This used when doing references such as memory allocation. To manually add a custom instruction; you need to write it in empty/unread memory region (the indication is: it's filled with 00) and then reference the game function to your allocated memory. It's the general idea, you shouldn't be worry about it; most tools already provide this feature. Why no substraction? You can't remove a function even after proper patching and 'disabling' any reference to that function, directly or memorily. It leads to data corrupt/crashing; so it's uncommon. You can use this to cut fake data (such as malware app that filled with 00 to make a large size) because "they" only add additional hex at the end. There's more reason to this. [ Data Types ] - Function/Instructional data takes 4 length; mov r0, r0 #00 00 A0 E1 bx lr #1E FF 2F E1 - Inner Function/Subset Instruction takes 2-4 length. It's called as thumb and can be found on 32-bit architecture. mov r0, r0 #00 46 bx lr #70 47 [ Patching ] - Lazy Patch: You can 'remove' instruction without removal, simply fills with 00. This off course wouldn't work if the app have high security but the benefit is: You don't need to understand Assembly. - Proper Patch: You can just memorize this common patch and applies it anywhere; it's simple and not a time consuming. Well, for more instruction patches; you need to learn assembly. Learn returning values and Jump instruction (BL/JMP) patches would mostly help. [Patch 1] Instruction: mov r0, r0 Arm Encoded: 00 00 A0 E1 Thumb Encoded: 00 46 [Patch 2]: Usually a boolean/takes value Instruction: mov r0, #0 Arm Encoded: 00 00 A0 E3 Thumb Encoded: 4F F0 00 00 [End Patch]: Indicate closing, put after patches Instruction: bx lr Arm Encoded: 1E FF 2F E1 Thumb Encoded: 70 47 [ Misc ] - 00 is equal to 1 Hex - Hex can present in 00 or 0x00 - Thumb can be found on 32-Bit Architecture (x86, Armeabi / Armv7 / Arm32 ) - Thumb can also takes 4 length; the same length as Arm encoded - To differentiate Thumb and Arm encoding; 1) Copy the instruction hex, 2) Compare hex and instruction, including after and before offset

The continuation of this; yes, it can be done through DNS Server but alternatively, you can just use AdGuard DNS: It has inbuilt ad-list and even can import one, this can avoid to setup wordlist manually, Altho; the queries are limited to 300K Requests, should've use DNS List from SimpleDNSCrypt. To use Both DNS, just simply put the address into DNS setting. Alternatively, you can use MyAndroidToolsPro and disable Ad-mob services from the app, altho; you need root for this.

Yeah that's the tricky part; that's why i suggest step #2 using Ghidra and using breakpoint. - The purpose of this is to make read things easily as Ghidra will offer current task that process are doing. Also you can set breakpoint to pause the task momentarily, although you can do it with CE but you need to find the right address first; unlike Ghidra. - Sandboxing the game allows it to only the game that's running; if you have Android Emulator, you probably got background system apps/service that running and that's the challange when attaching a debugger to an Android Emulator. Although you can just do it remotely that really slow or using an Android Debugger app (If it's exist and I'm not sure if the features will equal to current standards) That's a challange for Reversing the game; it's good to assume but you had to find another when it's not. Honestly, you can keep experimenting everyday; notes on the progress; and eventually you will get somewhere. Good Luck on your findings!

Hi! there's an Hide root detection app called HideSu but it's old and most likely won't work anymore; especially for banking apps. SuperSu is semi-hardcoded since it's patching some Android image file. So I recommends to use VPhoneGaGa and use Magisk for rooting. So far, VPhoneGaga is the one that can use Magisk properly, but why Magisk? You can use root systemless meaning; it's not deep-rooted into your Android and can easily to be removed. Also, the current popular one is to use Shamiko for hiding Magisk root. If you need XPosed Framework, use Magisk LSPosed instead: LSPosed

Hi! Hex isn't really a language but rather a data representation. Hex can forms almost everything, almost the same to other data-types like dword or etc. You can even convert a plain-text into a hex or others. Comes to the question; mov /// Moves signed int/value into target register/operand r0 /// Register location #1 /// Moves signed value 1 into the register #1 is equals to True which the game/projectiles will always register any shots as an Headshot. Some games, #1 value is inherit range of value that the game already sets. For example; if the game has an auto-update enabled predefine as follow: 1 #Auto Update enabled 2 #Connection Error 3 #Update Received 4 #No Updates mov r0, #[1-4] /// Choose the corresponding, and it will be that Mostly it would be 0-1 (False/True) that 0 will be nothing or false, the game will ignore and continue with next instruction. As for "bx lr"; it's a common way to indicate "The End of Function". This tells the game that;" Hey it's the end, Jump to default or next function". If it's a lazy patching, this will neglect any instruction after "bx lr" in that same function. This can leads to Memory Detection, although it's mostly fine.

Yep this is good alternative, although I don't really familiar with procmon; this is can also be done with Ghidra at previous step #2. But taking PC version of the game is more better than trying to sandbox the game. Is there a chance of Metadata being differs between PC and Android?

Hi! From previous behaviour that "Dumped Metadata is identical to Obfuscated/Encrypted one", I assume that; it is because of Metadata is still on loading stage. 1) Since Metadata is got flushed from memory so quickly, here we going to suffer from trial and error to make sure we got the right timing. Highly recommend to do it on PC with some Android Emulator because of milisecond is really important. On PC, you need to prepare Cheat Engine and some script for Auto Suspend/Freeze emulator. Prepare everything, by the time you launch the game; run the script (Highly suggest to use Custom Hotkey to execute the script) and search the Metadata Header on Cheat Engine. If not found, do Unfreeze-Freeze and scan again on CE, do this until you got some interesting bytes. You can try to use PsSuspend and make a script to automate that. 2) You might need the game sandboxed, although you can try it using emulator but it has whole Android emulated, too big for us to debug it. The reason for this is; we can use Ghidra and attach it directly into the game. This will make read things more easily. 3) If you're sure that the Decryption thing is happen on HProtect Java Class, probably you can try some external hooking. Frida seems the right choice but I'm not sure if it's able to read what the function are currently doing, since it's just read class? I'm not an expert, so I didn't know the full ability of Frida. You can try to create custom hooks from scratch and make it access the data that's currently handled by HProtect. This yet a big effort to just looking for Metadata, not recommend since it's wasting of time. From Platonic, it's more likely that Metadata will exist in bare form for doing step #1, since there's multiple Metadata co-exist? At this point, the only option is to Reverse Engineering the game; since every current tools aren't able to do the job.

I'm not really sure but it does exist on my 6 rank or probably it was 'titles' dependant.

You guys reach the same idea, just a slight difference: 1) Phone manufacturers intend to keep the speed balance and it can only throttle into maximum speed and decrease once high temp is reached. Overclocking OEM speed can only reach intended Maximum speed and it will stay (Clocking) even in high temp but there would be BDProchot triggered. For example; 1.8Ghz ~ 2.4Ghz speed by this concept; only overclocking 1.8Ghz balance/manufacture speed into maximum 2.4Ghz 2) Meanwhile, another Overclocking concept is by setting beyond max speed. For example; 1.8Ghz ~ 2.4Ghz speed would be: 2.5Ghz+ more by this concept but this can't be reached in Android BDProchot is a rig that: other hardware will tell the CPU to slows-down in order to lowering the temp. This is the reason you can't do Overclocking#2 in Android, because you can't disable BDProchot in Android. Unless.. somehow with modified microcode into the chip.

It's really hard to debug if it's OS specific, fortunately there's someone that happen have the same OS. Judging by the APP Behavior, i will try to give some alternative suggestion beside of Root related. 1) 'Not running in background': Make sure that you have enabled 'Drawing Apps' permission to get Game Guardian Overlay to work. Also try to disable battery optimization for Game Guardian from your Android Settings; Settings -> Battery -> Battery Usage -> Apps -> Game Guardian -> Run in Background. Every OS is different but you can find it around Battery and Apps settings. 2) 'Sometime it Freeze, Cannot Hit, Sometime it Stop and must Restart'; Check your RAM Usage, it's basic but it happens to be a common issue. Some Android OS intend to do this when reaching certain amount of RAM Usage or Processes or Heat. The only thing is go to your Developer Option and disable Background Processes option, set it to 'System Managed'. Other possible fixes is to set GG priority into TopMost priority -1, the Default is 0 & also check your Android Architecture, is it matched with your current GG or not.

I'm afraid that you need to switch to X8 Sandbox with Android 11 launcher.

Several problem to this if you keep "randomizing" gg.getValue/searchNumber: 1) In theory it should be working but when you keep "Randomizing" gg.getValue, eventually the attacker still got the correct values. An Attacker can extract all the gg.getValue from the logs and make a script on top of that, this somewhat an alternative for harder reads, not an entirely make the script unlogable. 2) Will this going to be a memory-hog? With current available options, it's still enough to protect your script. However, i'm still curious if GG has actually offers some flag if the logs are running? Despite all of that, we're only struggling with GG internal logs, not really prevent from 3rd-party like memdumper.

It would be usefull if you share the method here, as the Author can patch the script to avoid that. GG Lua Encryption mostly based on Client side and GG itself. It's a good practice if you're not trust the Client-Sided process, you might combine Good Encryption with several ways to make it more harder to read: 1) Migrate your script into Online Reserver (Pastebin, etc) 2) Splits your Script into several mini-script: Import Extra GG Code 3) Obfuscate your LUA / Encrypt LUA to make it more harder to poke. It would be good if you have write your own Cheats manually (not GG based), as you can implement more things without restriction.

First of all, what kind source that you're going to apply encryption, lua files?. If you're willing to use some Advanced way, you can use JWT or SHA hashing but for LUA Files; i think you should also obfuscate your script and then encrypting it. Yes, most of LUA encryption are decryptable so you need to atleast make it more harder to read. For example; you can calling another LUA Files from the first Lua, etc.

It's true, just suggesting what arch most device use.

Probably he just mentioned about debug symbols wich can be the same on each update. Just search some string near or on that area of target, it can pinpoint you to that target. On the other hand, game may have different offsets depending on library architecture wich can differs each device. I only recommend doing it only on Armeabi (armv7), x86, or arm64 arch if you're going to make public hacks.

Gameloop is indeed bloated with External AC for Debug and Overlay detection, but there's a workaround for it by using Modded Gameloop wich already include some dll patching. It's fast but not recommended for compability; that's only the main problem.

Hi! It maybe a little difficult to do on/of firewall, so i suggest to use shell (.sh) script instead as it will give you more control. Inside the script use IPtable packages, here's some example of port blocking inside iptables: #Enable Port Block iptables=/system/bin/iptables ip6tables=/system/bin/ip6tables iptables -A INPUT -p 6 --dport 443 -j DROP iptables -A OUTPUT -p 6 --dport 443 -j DROP iptables -A INPUT -p 6 --dport 80 -j DROP iptables -A OUTPUT -p 6 --dport 80 -j DROP #Disable Port Block iptables=/system/bin/iptables ip6tables=/system/bin/ip6tables iptables -A INPUT -p 6 --dport 443 -j ACCEPT iptables -A OUTPUT -p 6 --dport 443 -j ACCEPT iptables -A INPUT -p 6 --dport 80 -j ACCEPT iptables -A OUTPUT -p 6 --dport 80 -j ACCEPT I have provide you some basic shell script for port blocking using IPTables. Usually its already preinstalled inside your Android, but if its not; you can search iptable installer apk online. It does require root however. In the end, its just personal preferences wether its simple or not. You disable the wrong services, leave the important services enabled. As always, you need to suffer trial and error, if its crashing your game, just revert the changes. Also, you can to try to disable the game databases in there. I'll probably leave some of my CriticalOps data in here next. I see that you're using termux, probably try doing it using 'sh' or use Android Terminal Emulator even tho its doesnt have any c/p feature, so you need to write them manually. I think just put it as sh script would be more easy, since you just execute it on termux like this : sh ./your-sh-script -Good Luck!

Hi! Virtual Exposed are kind of apps that only emulate apps along with its storage on top of your Android, so its kinda buggy/unstable. I recommend to use VMos Pro as its emulate Android inside your Android, so its should be more stable. Myself didnt even try yet to use online login on virtual exposed as im using direct browser login instead of apps. Probably try to use similar alternative like F1 VM. -Good Luck!

Hi! Sorry for the late response, usually i can only contribute thread per day because i'm busy with my project. Anyway, i kinda can't quote some of your question because i'm on mobile device, so i will answer a few here xD. Any files has its own permission assigned, its consist of user, group, system. As its name, it's permit the allowed party to do such thing with the files (Read, Write, Modify). To access the file permission, just hold the file until the file option comes. You might find something like 'attributes' or 'permission'. I recommend to use MiXplore or ES File Explorer to see that kind of option because the stock file manager usually doesn't have it. An alternative way to this is to delete unnecessary game files and replace them using blank file with the same name. You might ask 'wich file?'; thus you can do this on database, app_cache, files folder, etc. You might do it your-self, just try the file one by one, if it affect the game (Make the game crash), revert the file to original one and leave untouched Yes, you can try the shell code i gave you above. The memory manipulation will work as memory bypass, so you can use memory hacks without being detected. I might unclear to explain this, just run the code using Android Terminal Emulator or ADB. You might wonder what game PID is, basically the game has its own process ID when its running. To find the game PID, use this code: pidof com.criticalforceentertainment.criticalops It will show some kind of number, make sure to copy it. Now put the pid into '[pid]' field that i've been mention in the code. You might find this difficult, you can just try this one-liner: if $a in "pidof com.criticalforceentertainment.criticalops"; do mount -o bind /proc/2/maps /proc/$a/maps; end -Good Luck!

Hi! The reason its says deleted is because its already unloaded from the memory, so to dump the memory maps, you need certain timing to properly dump the metadata. I recommend to freeze the app at launch or first game loading screen then do the dumping process [Method 1] >I recommend doing it on an Android Emulator as its give you an easy practice >Freeze the game on launch or 5-15 seconds after the game launch. Now freeze the game with GG >Make sure you freeze the game completely, you can check if there's the game services/activity running. If there's some of it running in the background, do the deep-freeze / terminate the game activity/service (Not Main Activity) with 'pm' shell command >After the game freeze completely, now do the dumping, it may take a while. >Now check if the metadata.dat has been properly tampered, if not, you may need to freeze the game with different interval. It can be more faster or wait a little bit more. This might tricky, so i recommend method number 2 [Method 2] >This way, you definitely required to use Android Emulator (LDPlayer, Nox) >Write 2 bat script, one for freezing the Android Emulator, and the second is for freeze-unfreeze-freeze the Emulator with 1ms delay >Launch the game and then freeze it immediately >Pull some memory debugger like Cheat Engine or HxD >Now scan for "metadata" string or the metadata.dat header if you already know some bytes of the metadata file >If the bytes/string doesnt exist, now launch the second script and scan the memory again. Do this until you can find the full metadata file -Good Luck!

Hi! Using an FTP Server requires internet access, this is might not good for easy access. Maybe try some Json Web Token (JWT) so you can encrypt-decrypt script offline with ease. -Yuuki

Hi! Does this also script also prevent the script being mapped in memory? I mean to prevent memory fisher from being able to get the script value. -Thanks

Hi! Just stumble accross your post, and seems no one already answer this. Anyway, since the host is patched or they changing the Server Name, i recommend to use port blocking. Try to block 443 and 80 port while in game and remove the blocker after the match is finish. You can do this using No Root Firewall or using IPTables (Requires root) [For Advanced User]: You can start by disabling unnecessary files using permission 0 and disable the game services using MyAndroidTools Pro. As for memory manipulation, you can try to nullified the game memory maps inside proc using bind. >mount -o bind /proc/2/maps /proc/[Game PID]/maps >mount --bind /proc/2/maps /proc/[Game PID]/maps -Good Luck!

Hi! Unfortunately that the detailed tutorial about esp is kinda limited. Usually people put paid tutoring for this but i think its not worth it. But yeah, what you can do probably is just messing around with the template. I mean, changing the base address and add the offset (May also changing the driver / target app) and see if its working. Sadly that UDP Stream tutorial is also limited or almost hard to find. I can only tell you the main idea and a little bit of implementation behind the UDP Stream trick. In the end, you need to do it yourself as self learning. Yeah, its sucks when nobody teaches you directly. Happen to me all the time xD Anyway Goodluck!