HorridModz

@EnybyHello, I am reporting a behavior that appears to be a bug in gameguardian. It seems that the "Copy as group search", when used with "UTF-8" and "UTF-16", assumes that the values are consecutive, i.e. one byte apart. However, this is not always the case, causing group searches to sometimes fail. This is best illustrated by examples: Let's search the string "abc" in UTF-8 and save the first 3 results, but leave out the second one: gg.clearResults() gg.setRanges(gg.REGION_ANONYMOUS) gg.searchNumber(":abc", gg.TYPE_BYTE) gg.addListItems(gg.getResults(1)) -- first result - "a" gg.addListItems(gg.getResults(1, 2)) --third result - "c" Now, we have two results: 97 byte, representing the character "a", and 99, representing the character "c". These results are a byte apart - so they do not directly form the string "ac" and would not be searchable as ":ac"; rather, they would be searchable by a group search that accounts for the byte in between: 97B;0~~0B;99B::3. However, the Copy as Group Search function, when I select UTF-8, gives ":ac". This is not the right group search and seems to be a bug. In order to show why this is wrong, here is the situation where I discovered the bug. I had a script that writes a string to memory, like this: function Write_String(mystring) --[[ Allocate memory in Anonymous region and write string to allocated memory ]]-- address = gg.allocatePage(gg.PROT_READ | gg.PROT_WRITE, gg.REGION_ANONYMOUS) values = {} for i = 0, #mystring do values[#values + 1] = {address = address + i, value = ":" .. mystring:sub(i, i), flags = gg.TYPE_BYTE} end gg.loadResults(values) -- must load results before we can edit with setvalues gg.setValues(values) end Write_String("Here is my special string!") If I run this script, I get the string written in consecutive byte values. I use Copy as Group Search for UTF-8, and it gives me the correct search: ":Here is my special string!". But now let's revert what we just did by refreshing the game, change the address spacing to every 2 bytes, so the string is no longer consecutive, and copy it as a group search again: function Write_String(mystring) --[[ Allocate memory in Anonymous region and write string to allocated memory ]]-- address = gg.allocatePage(gg.PROT_READ | gg.PROT_WRITE, gg.REGION_ANONYMOUS) values = {} for i = 0, #mystring do values[#values + 1] = {address = address + i*2, value = ":" .. mystring:sub(i, i), flags = gg.TYPE_BYTE} end gg.loadResults(values) -- must load results before we can edit with setvalues gg.setValues(values) end Write_String("Here is my special string!") We copy it as group search again, and get the exact same thing: ":Here is my special string!". However, now that the addresses are 2 bytes apart, this is wrong and will not work. If we try to search it, nothing comes up. So, this is definitely not working right. I'm pretty sure that it's a bug. My suggestion for fixing this would simply be displaying an error message if the addresses were not consecutive, like this: "UTF-8 [or UTF-16] group search only works for consecutive addresses. Please use a different type of group search." If there's any other information anyone would like, feel free to ask.

I'm wondering if there's some way to do it by seeing the highest address in the game. Like if I can somehow find the base address of the game, then I do an address search for base address + 0x1AD27480 (450000000) - equivalent to 450 million, or 450 mb. Then if the search comes up with a result, game process size is at least 450 MB. Could that work?

Sorry, I no longer maintain that script. That sucks, looks like pixel gun 3d is detecting gameguardian. This is device-specific, it seems, and not an issue with my script. So I can't help you - sorry! Perhaps you can ask around and see if anyone else has managed to circumvent this detection.

Okay, that's what I figured. You're right about the block not being continuous; sorry. @CmPprovided actual code which solves that problem by trying to allocate continuously, but I have no idea how often that would work and the tendency of it to fail (I'm unaware of how the kernel decides where to allocate the memory). A solution to that might be to allocate the first block in an obscure region (maybe an unused memory region, like c++ heap, would work? This is a gray area for me, so I wouldn't really know.) where you are sure there's enough consecutive space. If I were you, I would first take CmP's code and play around with it, seeing if you encounter any issues.

Hi, I have a hex patch that must be run when the game's process size is before approximately 450 MB. After this point, the game has gotten to the point in its initialization where the function I am patching has already been called. So, if you patch it when the game's process size is over around 450 MB, it will not work. I'm trying to write a script to do this patch. I want the script to detect if the game's process size is below 450 MB, and if not, tell the user to restart the game. However, I couldn't find anything for this in gg.getTargetInfo() or any other functions. So, I'm stumped on how to do this. I've given up with gameguardian and, as a workaround I'm now just trying to locate some kind of value in memory or function in the game that can give me a hint on the process size or initialization progress. My best guess right now is to see how much the game has loaded by finding the function that reports the % loaded. Is there any way to do this natively in gameguardian? Or is there any easy workaround I can use? Thanks!

I don't believe that's directly possible, but you can allocate as many pages as you need and chain them together. To do this calculate how many pages you need by dividing by 4KB, and in a loop allocate a block and add the return address of the allocated block to a list. You can then combine all of your memory into a table of values by looping over the list and adding the 1000 values (taking the start address and adding 4 each time, 1000 times) to the table for each address. If you don't understand, I can code that for you - it's pretty simple to do. Though I wonder what you're writing to memory that takes so much space? An image or save code, or something?

Do you just mean multiplication? Or do you want to add the value N separate times, with a pause in between? For the latter, you could write a simple script, like this: N = 10 -- how many times add = 100 -- value to add on every time timebetween = 1000 -- how long to wait between times (milliseconds) values = gg.getResults(gg.getResultsCount()) for _ in N do for i in values do values[i].value = values[i].value + add end gg.sleep(timebetween) end

View File UPDATED PG3D 24.3.2+ + ACTUAL 32bit SUPPORT - Pixel Gun 3D ALL UPDATE Custom Lottery Rewards Hack (32bit and 64bit) Contact Me: User123456789#6424 / @horridmodz on discord Ahhh, it's finally here! Over a year and a half after posting the original, and many, many requests, it's back! I promised to get this done today, and here it is, just barely in time. Since it's been so long, I am posting this update as a new thread. I've been meaning to update this for a while; and I'm sorry for such a looong wait. But this should be the last time you have to wait - because, if my crazy WIP All Update Script Generator tool works as well as I hope, this will be made so resilient it's practically unpatchable! So, here we are. The script is the same as last time, but with some minor improvements - and 32bit support! Unfortunately, I couldn't get 32bit custom values to work, but I got the predetermined values working. I was finally able to figure out that the issues I've been having are actually not my fault, but a limitation with the way lua itself handles integers - to get technical, the 32bit edit values exceed lua's integer limit, but the 64bit ones do not. I tried to workaround this, but just couldn't do it. However, a big rework of the script that I have planned, which changes the way editing is done, will fix this problem. I finally updated this script because I have time over spring break. Shoutout to @dizzy252for sending a request to update the script that I coincidentally saw right before spring break started - if it hadn't been for him, I probably wouldn't have had the thought to do this! Alongside this script, I've in the process of developing a revolutionary tool that creates resilient all update scripts; all you have to do is input your offset or hex and it spits out the full script. If you're interested, here's a sneak peak: https://www.youtube.com/watch?v=sVwODQcSy4A Want to update the script yourself? I have created a lotto sets template! Disclaimer: This script is bannable! Getting too much currency within a certain time frame will flag your account as suspicious and you will be banned in the next ban wave. I recommend only getting at most a few thousand gems per day, or your account will have a high risk of being banned. Even if you do play it safe, you can still be banned. By the way, due to a rework of sets by the developers, sets no longer work. Only lottery rewards are modified. Warning: Using the custom value option and setting the reward values to over 45,000 will instantly ban you! This is not an ordinary lottery script. Here's what unique about it: -This script will work on all game updates (the lowest game version tested is 22.4.3, but downgrading is impossible anyway), even future updates -The script supports various values, and lets you enter a custom value (currently custom values do not work for 32bit) if it does not have what you want. Currently, only whole numbers (no decimal values like 1.5) in the range of 0 to 65536 are supported. -This script supports both 32bit and 64bit devices -This script has a small antiban feature that warns you when you try to edit the reward values over 45,000 Enjoy! Submitter HorridModz Submitted 04/02/2024 Category LUA scripts  

I don't understand. What does disposing memory have to do with the memory layout? Also, I have an idea for dynamically finding out the address, though I don't quite know how to do it myself. If you know the field offset, perhaps you could find a method that references the field by using a hex search or offset calculation, then navigate to the instruction that references the field? From that point, I believe that you could extract the offset from the assembly instruction - it would be relative to something, maybe an ldr or an instruction of the like - and then determine the field's address in memory. Just a suggestion; again, I don't have the experience to know if that would work. Have you tried poking around in the dump using dnspy to find anything peculiar, such as an anticheat?

Unrelated, but I'm trying to learn Frida myself. I know you have posted some youtube videos on the subject; is there any description you could give me or tutorial you could link to show me just how you did this? Props!