nok1a

It was a mistake in the script, try this function class_Pointer() local range = gg.getRangesList("global-metadata.dat") -- get dll pointer UserProfile gg.setRanges(gg.REGION_OTHER) gg.searchNumber("h00 55 73 65 72 50 72 6F 66 69 6C 65 2E 49 6E 66 72 61 73 74 72 75 63 74 75 72 65 2E 64 6C 6C 00", gg.TYPE_BYTE, nil, nil, range[1].start, range[1]["end"]) -- UserProfile.Infrastructure.dll local char_UserProfile = gg.getResults(2) gg.setRanges(gg.REGION_ANONYMOUS) gg.clearResults() gg.searchNumber(char_UserProfile[2].address, gg.TYPE_QWORD) local pointerCheck = gg.getResults(1) gg.clearResults() -- get class pointer JourneyProgress gg.setRanges(gg.REGION_OTHER) gg.searchNumber("h00 4A 6F 75 72 6E 65 79 50 72 6F 67 72 65 73 73 00", gg.TYPE_BYTE, nil, nil, range[1].start, range[1]["end"]) -- JourneyProgress local char_Journey = gg.getResults(2) gg.clearResults() gg.setRanges(gg.REGION_ANONYMOUS) gg.searchNumber(char_Journey[2].address, gg.TYPE_QWORD) local t = gg.getResults(gg.getResultsCount()) for i, v in ipairs(t) do v.address = v.address - 0x10 end t = gg.getValues(t) local class_Pointer_JourneyProcess = {} for i, v in ipairs(t) do if v.value == pointerCheck[1].address then class_Pointer_JourneyProcess[#class_Pointer_JourneyProcess + 1] = v.address end end gg.clearResults() return class_Pointer_JourneyProcess end local class_Pointer_JourneyProcess = class_Pointer() function field_numberOfCompletedJourney(input) local Level = input gg.searchNumber(class_Pointer_JourneyProcess[1], gg.TYPE_QWORD) local t = gg.getResults(gg.getResultsCount()) for i, v in ipairs(t) do v.address = v.address + 0x18 v.flags = gg.TYPE_DWORD end t = gg.getValues(t) local numberOfCompletedJourney = {} for i, v in ipairs(t) do if v.value == (tonumber(Level[1]) - 1) then numberOfCompletedJourney[#numberOfCompletedJourney + 1] = t[i] end end if #numberOfCompletedJourney == 0 then gg.toast("Level not found, did you input correct level?") gg.sleep(100) else local LevelSet = gg.prompt( {'Input desired Level to edit to'}, {[1]=''}, {[1]='number'} ) for i, v in ipairs(numberOfCompletedJourney) do v.value = tonumber(LevelSet[1]) - 1 end gg.setValues(numberOfCompletedJourney) gg.toast("Level set, go in game and back to lobby for apply the change visually") end gg.clearResults() end function start() local Level = gg.prompt( {'Input your current Level'}, {[1]=''}, {[1]='number'} ) if Level == nil then gg.toast("No input") else local nonNumb = 0 for i in string.gmatch(Level[1], "%U") do local char = string.byte(i) if char < 0x30 or char > 0x39 then nonNumb = nonNumb + 1 end if nonNumb ~= 0 then gg.toast("This is not a number") else field_numberOfCompletedJourney(Level) break end end end end while (true) do if gg.isVisible() then gg.setVisible(false) start() end gg.sleep(100) end

Copy the code and place it in a file, the file should have the extension .lua, then execute with GG

Level is protected, Are you using 32 or 64 bit of the game?

Can you show screenshots of those pure zeros?

If your using 64 Bit download this script, should work: function class_Pointer() local range = gg.getRangesList("global-metadata.dat") -- get dll pointer UserProfile gg.setRanges(gg.REGION_OTHER) gg.searchNumber("h00 55 73 65 72 50 72 6F 66 69 6C 65 2E 49 6E 66 72 61 73 74 72 75 63 74 75 72 65 2E 64 6C 6C 00", gg.TYPE_BYTE, nil, nil, range[1].start, range[1]["end"]) -- UserProfile.Infrastructure.dll local char_UserProfile = gg.getResults(2) gg.setRanges(gg.REGION_ANONYMOUS) gg.clearResults() gg.searchNumber(char_UserProfile[2].address, gg.TYPE_QWORD) local pointerCheck = gg.getResults(1) gg.clearResults() -- get class pointer JourneyProgress gg.setRanges(gg.REGION_OTHER) gg.searchNumber("h00 4A 6F 75 72 6E 65 79 50 72 6F 67 72 65 73 73 00", gg.TYPE_BYTE, nil, nil, range[1].start, range[1]["end"]) -- JourneyProgress local char_Journey = gg.getResults(2) gg.clearResults() gg.setRanges(gg.REGION_ANONYMOUS) gg.searchNumber(char_Journey[2].address, gg.TYPE_QWORD) local t = gg.getResults(gg.getResultsCount()) for i, v in ipairs(t) do v.address = v.address - 0x10 end t = gg.getValues(t) local class_Pointer_JourneyProcess = {} for i, v in ipairs(t) do if v.value == pointerCheck[1].address then class_Pointer_JourneyProcess[i] = v.address end end gg.clearResults() return class_Pointer_JourneyProcess end local class_Pointer_JourneyProcess = class_Pointer() function field_numberOfCompletedJourney(input) local Level = input gg.searchNumber(class_Pointer_JourneyProcess[1], gg.TYPE_QWORD) local t = gg.getResults(gg.getResultsCount()) for i, v in ipairs(t) do v.address = v.address + 0x18 v.flags = gg.TYPE_DWORD end t = gg.getValues(t) local numberOfCompletedJourney = {} for i, v in ipairs(t) do if v.value == (tonumber(Level[1]) - 1) then numberOfCompletedJourney[#numberOfCompletedJourney + 1] = t[i] end end if #numberOfCompletedJourney == 0 then gg.toast("Level not found, did you input correct level?") gg.sleep(100) else local LevelSet = gg.prompt( {'Input desired Level to edit to'}, {[1]=''}, {[1]='number'} ) for i, v in ipairs(numberOfCompletedJourney) do v.value = tonumber(LevelSet[1]) - 1 end gg.setValues(numberOfCompletedJourney) gg.toast("Level set, go in game and back to lobby for apply the change visually") end gg.clearResults() end function start() local Level = gg.prompt( {'Input your current Level'}, {[1]=''}, {[1]='number'} ) if Level == nil then gg.toast("No input") else local nonNumb = 0 for i in string.gmatch(Level[1], "%U") do local char = string.byte(i) if char < 0x30 or char > 0x39 then nonNumb = nonNumb + 1 end if nonNumb ~= 0 then gg.toast("This is not a number") else field_numberOfCompletedJourney(Level) break end end end end while (true) do if gg.isVisible() then gg.setVisible(false) start() end gg.sleep(100) end

Yeah, not sure why there is an error. Tried it manually and then it works. Do you have 64 or 32bit?

I would prefer if you send me video on how you did it.

My phone is not rooted, it's just crashing

Ok, i can't run the game. It insta crashes. Did you take a look at these tutorials in case the game applied some protection methods on the lib or metadata. Also watch the tutorials: Trying to correctly dump Imaginary Fest (#1vi9kopg) Also when sharing game. Better to give direct apk link or play store link. I won't install that QooApp.

I believe it's server sided but could be wrong. I dunno if possible. But in the late future perhaps will have a look. Can't promise.

Oke, but your not using gameguardian to dump the lib and metadata at runtime. I can't open the game on my emulator. Dump at runtime. You can use the script: libil2cpp.so and metadata.dat dumping script (#rpaaz4p)

I don't understand the question. I don't know anything about IDA but you need the codeRegistration and metaRegistration, why? Your using Il2CppDumper.GUI.2.1.0 ? What you mean with offsets being 0 ?

Are you sure it starts in Xa and not in Cd ? I never saw the start of the library being anything else then starting with the magical bytes of ELF. PRess that arrow to see the path names and double check which range your lib start.

The class and field should be the same. Is it not working anymore?

That's odd if it worked for you before, do you get any results if you manually search libRealRacing3.so in UTF8 in region code app ?

Script pointerTest.lua

That's not my script. You changed the search string and added your own string in it. It's also not how you implement it in the chainer and removed the function to i guess? Also i did not read the full chainer script which was very big mistake of me, so i did not knew you needed to load results in order for it to work. I do now. So will implement the function in the chainer script.

Personally with my current knowledge on the topic i just think that finding some unique values in the executable is enough. Search unique value. Then call gg.getRangesList(). All ranges will be displayed with there start and end address. In my case i know that the UTF8 string "libRealRacing3.so" resides in the Xa region of the executable. So i just search it and then get the first address of that char. So i know that's the right executable. But since lack of infomration on what your script does i adjusted my function getLib() for it to work with getRanges() by calling gg.getRangeList() to obtain the start address of the executable in which the string i just searched is located. Since the getRanges() function expects a table from gg.getRangeList(). Then knowing that the executable is divided in to 4 segments but the chainer only will take the first segment that includes the "w" permission i just increment the table i took from gg.getRangeList() by 3 since the third segment is the one the chainer use since it has the "w" permission. I test on 2 emulators that are 32 bit and on the 64 bit as well. Both worked. And as you can see in the post of Game lib (#c64p69nw) It worked for Count_Nosferatu after executing the script as expected.

To be honest i don't think it can work using size calculation. You will get all the BSS parts. But the size could differ. Did some tests: 32 bit 64 bit And then you have your size which is 32000

I only edited part of the chainer script since i dunno which part are used in the script. But i guess the issue is with the getRanges() function since you have to input the path name to get right executable.

Yes, for the chainer it is.

Not sure which part of the chainer script that has been included in the script, but i modified the getRanges() function little bit. function getLib() gg.setRanges(gg.REGION_CODE_APP) gg.searchNumber(":libRealRacing3.so", gg.TYPE_BYTE) local a = gg.getResults(1) gg.clearResults() local t = gg.getRangesList() local startAddress = {} for i, v in ipairs(t) do if ((a[1].address > v["start"]) and (a[1].address < v["end"])) then startAddress = {t[i], t[i+1], t[i+2]} end end return startAddress end function getRanges() local archs = {[0x3] = 'x86', [0x28] = 'ARM', [0x3E] = 'x86-64', [0xB7] = 'AArch64'} local ranges = {} local t = getLib() local arch = 'unknown' for i, v in ipairs(t) do if v.type:sub(2, 2) == '-' then local t = gg.getValues({{address = v.start, flags = gg.TYPE_DWORD}, {address = v.start + 0x12, flags = gg.TYPE_WORD}}) if t[1].value == 0x464C457F then arch = archs[t[2].value] if arch == nil then arch = 'unknown' end end end if v.type:sub(2, 2) == 'w' then v.arch = arch table.insert(ranges, v) end end return ranges end local ranges = getRanges() print(ranges) Hope it works.

Actually...i am not sure if you even need strings a pointers. The size of the executable is the same for everyone that has exact same game version. So what you could do is use gg.getRangeList() and check if the END address minus START address is equal to the size of your executable(only the Xa part of the executable) because the chance that there are 2 executables of the same size is really low. If size is same then that's your correct executable. Edit: This doesn't work

Yeah, i had this issue as well and had to tackle it somehow using strings and pointers so that script works for all. Also, i downloaded your game and it's not a issue of split apk. But it uses the executables that are located at base.apk. So the issue is the same. No executable name What's the name of the executable you working with?

Oke, try moving all the files that you find in the lib of installation apk to /data/app/com.game/.../ and see if works.