Posts posted by HorridModz
On 3/30/2025 at 5:39 AM, Sheaverjoan said:
Managed to modify the in-app currency through dword but it got reverted, help anyone??
This means that currency is server sided. The next step is to try modding currency "indirectly", editing stuff like rewards instead. Also look for gameplay mods - have you tried speedhack, for instance?
0 -
On 9/22/2025 at 10:55 AM, MC874 said:
Hi @HorridModz,
Thank you, I'm new to keystone, so reading your tool help me to understand it. Although the wordpress seems private.
Oops sorry, wrong link. Here you go.
Anyway, I found the keystone / capstone modes for x86 and x86_64.
So I'll go update the tool right now. Here is the new version! Took 5 hours xD.
For your needs, this should be a sufficient script, though:
```python
OFFSET = "0x970000"
LIB_PATH = r"C:\Users\zachy\Downloads\frida-gadget-17.3.2-android-x86.so"
ARCHITECTURE = "x86"  # OR: "x86_64"

from functools import cache
import itertools
import binascii
import keystone
import capstone


def remove_whitespace(s: str) -> str:
    return "".join(s.split())


def wraptext(s: str, size: int) -> list[str]:
    # Thanks to https://stackoverflow.com/questions/9475241/split-string-every-nth-character
    return [s[i:i + size] for i in range(0, len(s), size)]


def getbytes(hexstring: str) -> list[str]:
    """
    Splits a hex string into a list of bytes.
    Convenient function because it accounts for both whitespace-separated and un-separated hex strings.
    """
    hexstring = remove_whitespace(hexstring)
    assert len(hexstring) % 2 == 0, "Invalid hex string (odd length)"
    return wraptext(hexstring, 2)


@cache
def bytecount(hexstring: str) -> int:
    """
    Counts the number of bytes in a hex string.
    Very simple function, but improves readability.
    """
    return len(getbytes(hexstring))


@cache
def make_ks(architecture: str) -> keystone.Ks:
    if architecture == "32bit":
        return keystone.Ks(keystone.KS_ARCH_ARM, keystone.KS_MODE_ARM)
    elif architecture == "64bit":
        return keystone.Ks(keystone.KS_ARCH_ARM64, keystone.KS_MODE_LITTLE_ENDIAN)
    elif architecture == "x86":
        return keystone.Ks(keystone.KS_ARCH_X86, keystone.KS_MODE_32)
    elif architecture == "x86_64":
        return keystone.Ks(keystone.KS_ARCH_X86, keystone.KS_MODE_64)
    else:
        raise ValueError(f"Unrecognized architecture: {architecture}. Only '32bit', '64bit', 'x86', and 'x86_64' are "
                         f"valid strings")


@cache
def make_cs(architecture: str) -> capstone.Cs:
    if architecture == "32bit":
        cs = capstone.Cs(capstone.CS_ARCH_ARM, capstone.CS_MODE_ARM)
    elif architecture == "64bit":
        cs = capstone.Cs(capstone.CS_ARCH_ARM64, capstone.CS_MODE_LITTLE_ENDIAN)
    elif architecture == "x86":
        cs = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
    elif architecture == "x86_64":
        cs = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64)
    else:
        raise ValueError(f"Unrecognized architecture: {architecture}. Only '32bit', '64bit', 'x86', and 'x86_64' are "
                         f"valid strings")
    # Detail mode is needed for insn.group() in is_relative_instruction
    cs.detail = True
    return cs


def offset_to_hex(offset: str, libfile: str, hexbytes: int = 600, sep: str = " "):
    try:
        decimal_offset = int(offset, 16)
    except ValueError:
        raise ValueError(f"Invalid offset: {offset}. Please provide a hexadecimal value.")
    with open(libfile, "rb") as lib:
        # Read certain number of bytes from offset
        lib.seek(decimal_offset)
        hexstr = lib.read(hexbytes).hex().upper()
    if hexstr == "":
        raise Exception(f"Offset {offset} not found in file {libfile}")
    return sep.join(getbytes(hexstr))


@cache
def armtohex(armcode: str, architecture: str, sep: str = " ", upper: bool = True) -> str:
    ks = make_ks(architecture)
    # Convert string of code to list of instructions (split by newline)
    lines = armcode.split("\n")
    convertedhexlist = []
    for instruction in lines:
        # Skip empty lines as well as whitespace-only ones (an empty string is not .isspace())
        if not instruction.strip():
            continue
        try:
            convertedinstruction = ks.asm(instruction, as_bytes=True)[0]
            convertedhexlist.append(binascii.hexlify(convertedinstruction).decode())
        except Exception:
            raise Exception(f"Failed to assemble ARM opcode: {instruction} with {architecture} "
                            f"architecture. Is the ARM instruction valid? Is the architecture correct?") from None
    convertedhex = sep.join(convertedhexlist)
    if upper:
        convertedhex = convertedhex.upper()
    return convertedhex


@cache
def hextoarm(hexstr: str, architecture: str) -> list[str]:
    if hexstr == "" or hexstr.isspace():
        return []
    cs = make_cs(architecture)
    convertedinstructions = []
    for insn in cs.disasm(bytearray.fromhex(remove_whitespace(hexstr)), 0x0):
        op = f"{insn.mnemonic} {insn.op_str}".strip()
        convertedinstructions.append(op)
    if not convertedinstructions:
        raise Exception(f"Failed to disassemble hex: {hexstr} with {architecture} architecture."
                        f" Check that the hex instruction comes from the right lib file at the "
                        f"right offset, and the architecture is correct.")
    return convertedinstructions


def is_relative_instruction(instruction: str, architecture) -> bool:
    """
    Uses capstone and manual heuristics to check if an asm instruction is dynamic.
    Should work for any architecture!
    """
    cs = make_cs(architecture)
    # This is annoying. We need to assemble the instruction to hex, then disassemble it again to get capstone info.
    cs_insns = tuple(cs.disasm(bytearray.fromhex(remove_whitespace(armtohex(instruction, architecture))), 0x0))
    if len(cs_insns) != 1:
        raise Exception(f"Instruction {instruction} is not one instruction (it is {len(cs_insns)}) with architecture"
                        f" {architecture}")
    cs_insn = cs_insns[0]
    # noinspection IncorrectFormatting
    return bool(("0x" in instruction or "#" in instruction)
                or (cs_insn.group(capstone.CS_GRP_CALL)
                    or cs_insn.group(capstone.CS_GRP_JUMP)
                    or cs_insn.group(capstone.CS_GRP_BRANCH_RELATIVE)))


def generate_aob(hexinstructions: str, architecture: str) -> str:
    # Convert string of code to list of instructions
    wildcard_byte = "??"
    hexlist = []
    for instruction in hextoarm(hexinstructions, architecture):
        instruction_hex = armtohex(instruction, architecture)
        if instruction_hex == "":
            continue
        if is_relative_instruction(instruction, architecture):
            # Note: on x86 the re-assembled encoding may differ in length from the original bytes
            hexlist.append(" ".join([wildcard_byte] * bytecount(instruction_hex)))
        else:
            hexlist.append(instruction_hex)
    # We want our separator in between every byte, so we do this little maneuver.
    aob = "".join(hexlist)  # Unformatted
    return " ".join(getbytes(aob))


hexstring = offset_to_hex(OFFSET, LIB_PATH, hexbytes=600)  # hexbytes = amount of bytes for AOB
print(generate_aob(hexstring, ARCHITECTURE))
```
x86 turned out to be a huge pain because it has variable-length opcodes and it is harder to detect dynamic ones. But this should work - let me know if it suits you! If you need the dependencies, you can install the tool's requirements.txt.
0 -
20 hours ago, MC874 said:
Hi @HorridModz,
Yeah, I noticed that every instruction containing defined 0x is being replaced. Well it works in the end by limiting the address range.
Yes, of course! But if that's all you want, just copy the few lines of code. In fact, I blogged the creation of the tool and all of the code snippets I used:
```python
import itertools
import binascii
import keystone
import capstone


def remove_whitespace(s: str) -> str:
    return "".join(s.split())


def wraptext(s: str, size: int) -> list[str]:
    # Thanks to https://stackoverflow.com/questions/9475241/split-string-every-nth-character
    return [s[i:i + size] for i in range(0, len(s), size)]


def getbytes(hexstring: str) -> list[str]:
    """
    Splits a hex string into a list of bytes.
    Convenient function because it accounts for both whitespace-separated and un-separated hex strings.
    """
    hexstring = remove_whitespace(hexstring)
    assert len(hexstring) % 2 == 0, "Invalid hex string (odd length)"
    return wraptext(hexstring, 2)


def make_ks(architecture: str) -> keystone.Ks:
    if architecture == "32bit":
        return keystone.Ks(keystone.KS_ARCH_ARM, keystone.KS_MODE_ARM)
    elif architecture == "64bit":
        return keystone.Ks(keystone.KS_ARCH_ARM64, keystone.KS_MODE_LITTLE_ENDIAN)
    else:
        raise ValueError(f"Unrecognized architecture: {architecture}. Only '32bit' and '64bit' are valid strings")


def make_cs(architecture: str) -> capstone.Cs:
    if architecture == "32bit":
        return capstone.Cs(capstone.CS_ARCH_ARM, capstone.CS_MODE_ARM)
    elif architecture == "64bit":
        return capstone.Cs(capstone.CS_ARCH_ARM64, capstone.CS_MODE_LITTLE_ENDIAN)
    else:
        raise ValueError(f"Unrecognized architecture: {architecture}. Only '32bit' and '64bit' are valid strings")


def armtohex(instruction: str, architecture: str) -> str:
    ks = make_ks(architecture)
    convertedinstruction = ks.asm(instruction, as_bytes=True)[0]
    return binascii.hexlify(convertedinstruction).decode().upper()


def hextoarm(hexinstruction: str, architecture: str) -> list[str]:
    cs = make_cs(architecture)
    # disasm_lite yields (address, size, mnemonic, op_str); keep the mnemonic and operands
    return list(next(cs.disasm_lite(bytearray.fromhex(hexinstruction), 0x0))[2:])


def generateaobfromarm(armcode: str, architecture: str) -> str:
    # Convert string of code to list of instructions (split by newline and by ";")
    instructions = list(itertools.chain(*[split1.split(";") for split1 in armcode.split("\n")]))
    unknownhex = "??" * 4  # one ARM instruction is always 4 bytes
    hexlist = []
    for instruction in instructions:
        if instruction == "" or instruction.isspace():
            continue
        if "0x" in instruction or "#" in instruction:
            hexlist.append(unknownhex)
        else:
            hexlist.append(armtohex(instruction, architecture))
    # Hexlist is a list of 4 byte sequences, and we want our separator in between every byte, so we do this little
    # maneuver.
    aob = "".join(hexlist)  # Unformatted
    return " ".join(getbytes(aob))
```
1 -
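The two scripts above (the x86/x86_64 version and the earlier ARM-only snippet) both boil down to the same idea: disassemble a run of bytes, wildcard every instruction that embeds an address or immediate, and emit the rest verbatim as an AOB signature. The following is an added example, not code from HorridModz's tool or blog, that shows that idea end to end without needing keystone or capstone installed. The `Insn` dataclass, `is_relative`, `generate_aob`, `scan` and `is_unique` are names chosen here; the instruction records and the two "module" byte strings are constructed to mirror the fields the scripts read from capstone (mnemonic, op_str, bytes, group names), and in a real run they would come from `capstone.Cs.disasm()`. It also adds the check the thread implies but never performs: that the generated signature hits exactly once in the module, and still hits in a build where the call target, branch displacement and immediate have changed.

```python
"""
Added example, not code from HorridModz's tool: AOB (array-of-bytes) signature
generation and scanning in pure Python, so it runs without keystone or capstone.

The Insn records are CONSTRUCTED to mirror the capstone fields the thread's
scripts read (mnemonic, op_str, bytes, instruction groups); in a real run they
would come from capstone.Cs.disasm(). The wildcard length comes from the bytes
capstone already decoded rather than from re-assembling the text, which matters
on x86 where one mnemonic can have several encodings of different lengths.
"""
import re
from dataclasses import dataclass, field

WILDCARD = "??"
CONTROL_FLOW_GROUPS = frozenset({"call", "jump", "branch_relative"})  # assumed group names


@dataclass(frozen=True)
class Insn:
    """Constructed stand-in for one capstone instruction."""
    mnemonic: str
    op_str: str
    raw: bytes                                              # the encoded instruction bytes
    groups: frozenset = field(default_factory=frozenset)    # names of capstone groups


def is_relative(insn: Insn) -> bool:
    """The thread's heuristic: an immediate ('0x' / '#') or a call/jump/relative branch."""
    text = f"{insn.mnemonic} {insn.op_str}"
    return "0x" in text or "#" in text or bool(insn.groups & CONTROL_FLOW_GROUPS)


def generate_aob(insns) -> str:
    """Wildcard every byte of an address-dependent instruction, keep the rest verbatim."""
    parts = []
    for insn in insns:
        if is_relative(insn):
            parts.extend([WILDCARD] * len(insn.raw))      # length of the real encoding
        else:
            parts.extend(f"{b:02X}" for b in insn.raw)
    return " ".join(parts)


def aob_to_regex(aob: str) -> re.Pattern:
    """Compile '55 8B EC ?? ??' into a bytes regex; the lookahead lets matches overlap."""
    body = b"".join(
        b"." if tok == WILDCARD else re.escape(bytes([int(tok, 16)]))
        for tok in aob.split()
    )
    return re.compile(b"(?=" + body + b")", re.DOTALL)


def scan(buf: bytes, aob: str) -> list[int]:
    """Every offset in buf at which the signature matches."""
    return [m.start() for m in aob_to_regex(aob).finditer(buf)]


def is_unique(buf: bytes, aob: str) -> bool:
    """A signature is only useful for patching if it hits exactly once in the module."""
    return len(scan(buf, aob)) == 1


# Constructed 32-bit x86 disassembly of a small function (the encodings are the
# standard ones; the call/jump targets and the immediate are made up).
FUNC_A_INSNS = [
    Insn("push", "ebp", b"\x55"),
    Insn("mov", "ebp, esp", b"\x8b\xec"),
    Insn("mov", "eax, dword ptr [ebp + 8]", b"\x8b\x45\x08"),
    Insn("call", "0x401000", b"\xe8\x10\x00\x00\x00", frozenset({"call", "branch_relative"})),
    Insn("mov", "ecx, 0x1234", b"\xb9\x34\x12\x00\x00"),
    Insn("jne", "0x401050", b"\x75\xf0", frozenset({"jump", "branch_relative"})),
    Insn("pop", "ebp", b"\x5d"),
    Insn("ret", "", b"\xc3"),
]
FUNC_A = b"".join(insn.raw for insn in FUNC_A_INSNS)
# The same function as it might appear in another build: different call target,
# immediate and branch displacement, everything else identical (constructed).
FUNC_B = bytes.fromhex("55 8B EC 8B 45 08 E8 A0 FF FF FF B9 78 56 00 00 75 E2 5D C3")
STRAY = bytes.fromhex("8B 45 08 C3")  # an unrelated 'mov eax, [ebp+8]; ret' elsewhere
MODULE_V1 = b"\x90" * 8 + FUNC_A + b"\xCC" * 8 + STRAY    # constructed module image
MODULE_V2 = b"\x90" * 12 + FUNC_B + b"\xCC" * 8 + STRAY   # constructed later build

if __name__ == "__main__":
    sig = generate_aob(FUNC_A_INSNS)
    print("signature :", sig)
    print("hits in v1:", scan(MODULE_V1, sig), "unique:", is_unique(MODULE_V1, sig))
    print("hits in v2:", scan(MODULE_V2, sig), "unique:", is_unique(MODULE_V2, sig))
    print("too short :", scan(MODULE_V1, "8B 45 08"), "unique:", is_unique(MODULE_V1, "8B 45 08"))
```

Taking the wildcard width from `insn.raw` instead of re-assembling the text is the design choice that sidesteps the "variable-length opcodes" problem HorridModz mentions for x86: keystone may legitimately pick a shorter or longer encoding than the one in the binary, and a signature whose wildcard run is the wrong width will silently fail to match. The `is_unique` check is the other thing worth keeping: a short pattern such as `8B 45 08` hits twice in the constructed module, so it would be useless for locating one function.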
On 9/6/2025 at 8:43 PM, MC874 said:
@HorridModz,
Definitely, it's getting quite a hassle to manually reversing through IDA. It would help me (And probably others) to make the process faster.
I just noticed your comment about IDA. If your use case is simply to find offsets, this tool does much more than what you're looking for. In terms of the AOB generation, all it does is dumbly check if instructions contain `0x` or `#` (which is not a foolproof system and results in false positives).
IDA supports AOB searches, and surely there's better tools out there that you can use to generate AOBs. For instance, https://guidedhacking.com/threads/aob-signature-maker.8524/ seems promising.
I'm not trying to discourage you from using my tool, I just want to clarify that it's nothing magical.
1 -
On 9/6/2025 at 8:43 PM, MC874 said:
@HorridModz,
Definitely, it's getting quite a hassle to manually reversing through IDA. It would help me (And probably others) to make the process faster.
Awesome, thanks for the motivation. School started, so I will probably put this off for a while.
In the meantime, if you'd like to make the changes yourself, DM me and I can walk you through it. The code is hardcoded for arm64 and arm; that would be a trivial edit - though I don't know whether auto-detection of architecture would be supported (not that this feature matters much).
0 -
3 hours ago, FTRMN said:
Every time you do your job and leave, I don't help you without saying thank you, brother, mind your own business...
Yes, this thread is turning into a back-and-forth between you guys rather than a question-and-answer. @Ali7021, these forums are for asking for help for things you can't figure out and getting an answer. If you would like a greater degree of help, perhaps the "Requests" section is better suited. Otherwise, each new question would probably be better off as a new topic if it addresses something entirely different.
1 -
On 9/1/2025 at 7:25 PM, PROHex said:
I can assist you with that if you want, just shoot me a pm
That sounds fantastic! I will PM you.
0 -
On 9/1/2025 at 8:17 PM, PROHex said:
It is about the forums login which is misconfigured for google login
Ah, I see. Still stand by my suggestion though... this is in no way an "unintended effect", and you're more likely to get help somewhere else.
0 -
On 8/31/2025 at 5:31 AM, Ali7021 said:
Repeatedly freezing will not fix this. Is the value actually staying the same? If the value is frozen, this tells Gameguardian to constantly set this value back to what you edited it to. It does not stop the game from changing the value, which can cause back-and-forth fighting if both are trying to set the value. You can try to go into Gameguardian's settings and set the freeze interval to 0 (this will make Gameguardian change the frozen value every 0 milliseconds, or as frequently as possible). This setting should be in the Settings for the Game section, if I am not mistaken.
It's also possible that the address changes, and the one you freeze stays the same but the game uses another value. Another possibility is that this is not the right value at all - perhaps it's a visual value but not the underlying one, or perhaps the real value is encrypted.
0 -
On 8/17/2025 at 10:58 AM, anhyunjin said:
Hello.
I found a fun mobile game after a long time. I tried hacking it, but LDPlayer and Nox detected rooting and the app wouldn't launch. I remembered my S8+, which I had rooted a few years ago, so I tried running the app, but it still detected rooting and wouldn't launch. I deleted the Magisk app, but it's the same.
It's been about three years since I stopped hacking games, so my memory is hazy...
Please help me avoid rooting detection. The game name is Coop TD. I'm buying items from hackers on YouTube using PayPal. I want to hack something myself.
Try using the MagiskHide module and HideMyApplist. There are tons of guides online.
0 -
On 8/25/2025 at 9:57 AM, PizaDeliveryGuy said:
Is this still possible in 2025?
Unfortunately, i can not seem to contact you through here.
I don't get why you can't just try to hide from nmcore. I have no idea, but I'd give the typical Hide Gameguardian from the Game settings / Magisk Hide / HideMyApplist a try.
0 -
On 8/23/2025 at 10:27 PM, KINGVINAYYY said:
Launch Android app bro
Working on it. For compatibility purposes, I'm making it as a GUI rather than a CLI. It is almost done but is a lot of work.
If you really want to, you can download the repository and run it yourself (see usage instructions in the Github repository) - simply install python and run the cli.py file in termux.
1 -
12 hours ago, NebulaTheOC said:
No I install it but it says: Not compatible with your phone. When I do it multiple times it doesn't work. My android version is a 13.
138.0.7204.232 (Official Build) (64-bit)
Revision a8a714b78b2eb7efa2837bf7b5e4065fee65f3a7-refs/branch-heads/7204@{#2982}
Platform 16295.74.0 (Official Build) stable-channel jacuzzi
Firmware Version Google_Kappa.12573.472.0
Customization ID kappa
ARC 13892728 SDK Version: 33
JavaScript V8 13.8.258.31
This issue isn't just for Chromebooks; it is a general issue with Android apps. There are several reasons for this; the forums have many threads on it such as this one:
app not installed as app isn't compatible with your phone (#azg6l3h)
In addition to gameguardian-specific research, you can try researching the general issue ("android app not installed as it is not compatible with your phone") - a Google search will yield lots of suggestions and troubleshooting ideas.
0 -
On 2/23/2025 at 5:58 PM, nickc137 said:
I was trying to understand how I can find the hitbox of chests, I managed to make an X-Ray of the chest, this "antenna" and this "esp", but I don't know how I can directly find the hitbox...I tested several similar codes, but I failed and my game crashed. And this happened many, many times, I'm very sad about it. If anyone can help, I'll pass on the values to find the xray.
I'm pretty sure Mr. Dragon Star has a guide on Youtube. There are also several scripts.
0 -
On 8/21/2025 at 11:50 AM, NebulaTheOC said:
I also need help I have a HP Chromebook jacuzzi and I want to use Game Guardian but it's not working. My Chromebook android is android 13 so why isn't it working? It's fully up to date. I'm also on developer mode it's easy press search + esc + power button at the same time and then when it says ChromeOS on press Ctrl +D and when it says its off press Ctrl D again I think.
What is the problem, exactly? Do you have Gameguardian installed? Is it giving you an error message?
0 -
On 8/3/2025 at 9:25 PM, MC874 said:
Hi @HorridModz, this is impressive. Does this work outside IL2CPP? Also with x86 / x64 architecture? (Not Arm)
Out of curiosity, would you use it if I implemented this? If I had motivation to I would; otherwise I'll just file a Github issue and kick the can down the road.
0 -
9 hours ago, Sasuke_Uchiha07 said:
I get this kind of box after i win, and the description just shows which items you may get after opening the boxes, i tried modifying the number of boxes but of course it is server sided , so only the modified value is being displayed, do you know how can i search for the reward after i open the chest , as you suggested ?
public class KKRoadMuseumRewardItem : MonoBehaviour // TypeDefIndex: 6559
{
// Fields
public UILabel nameLabel; // 0x18
public UILabel needRankLabel; // 0x20
public UILabel rewardTitleLabel; // 0x28
public UIGrid rewardGrid; // 0x30
@@@@@@@@@@@@@@@@@@@@@@@@@@@
// Namespace:
public class KKPVPRewardWindow : MonoBehaviour // TypeDefIndex: 6552
{
// Fields
public GameObject closeBtn; // 0x18
public UIGrid rewardGtid; // 0x20
public GameObject roadMuseumItem; // 0x28
public UIGrid itemGrid; // 0x30
public UIPanel itemPanel; // 0x38
public Transform itemTrans; // 0x40
private int m_CurrentShowId; // 0x48
private List<KKRoadMuseumRewardItem> rewardItemList; // 0x50
i have also found classes and methods related to reward chest/ rewardItem.
If the number of chests is server sided, their contents likely are too. As I said before, you can try pausing the game + editing the value between when you find out your reward and when you claim it. Another approach is to search the reward after claiming it and edit + freeze it in the hopes that it will show up next time; again there is no guarantee that this will work. Chests may be a dead end for you.
1 -
On 8/19/2025 at 8:57 AM, Sasuke_Uchiha07 said:
understood it. still i have one question, there is a chest reward which you can get once you defeat your opponent and it randomly gives one item after the battle , you can't see it in the youtube video link i posted above. Is there a way i can find the address of this chest item and change it to desired item? Let's say the chest randomly gives you 100 coins but we manipulate it so that we get 100 crystals instead of coins.
Can you see the rewards before opening the chest? If not, maybe you can try pausing the game while opening the chest. But if the game generates the chest reward at the same time that you open / claim it, editing it may not be possible without hex patching the function itself. One more idea is to try searching for the chest rewards *after* you open it and editing + freezing the values so you get modified rewards next time.
0 -
On 8/16/2025 at 1:39 PM, Sasuke_Uchiha07 said:
i tried spending some coins to call the method but the system knows my real gold value. and I am using Virtual Master to use game guardian , i downloaded your script but i can't find it in virtual master's space, hence i can't use the script.
However i found this video some days ago and i think there are some data which is stored on client side. I do have dump file but don't know how to differentiate which data is server sided and which one is client sided. Do you know any ways to find it?
Besides analyzing the code, there is no real way to know what is server sided and what is client sided. The best way is to try stuff, and if something doesn't work you move on. Unfortunately, modding is often a game of guessing and checking rather than getting what you want on the first try.
I am unfamiliar with Virtual Master, but for most Virtual spaces any files will not show up in them. Either download it inside of Virtual Master (go to this post in a web browser, inside of that space) or you can see if there is an option to transfer files.
0 -
On 6/22/2025 at 7:55 PM, bingobong said:
I'm really sorry if this is the wrong topic for this
Access blocked: This app’s request is invalid
You can’t sign in because this app sent an invalid request. You can try again later, or contact the developer about this issue. Learn more about this error
If you are a developer of this app, see error details.
Error 400: redirect_uri_mismatch
Tried on several devices, same thing
This should probably go in Help.
But anyway - what's the app, and what did you change?
0 -
On 7/3/2025 at 8:32 AM, nazuki said:
Hello.
I have a question about playing games with TaskWall providers like Torox, BitLabs, etc.
Is it possible to hack the game for gold and pump levels that TaskWall would count the result?
I put Parallel Space, GG and hack succeeded - but the results of the hack are displayed only in Parallel Space. If I go into the game from a shortcut on the desktop, there are no results at all.
What is the point if there are no results?
I will wait for an answer. Thank you.
I am confused by what exactly you did - it sounds like you used parallel space on your phone and opened the game with the taskwall on a computer? If this is what you did, it will not work. I don't know exactly how these taskwalls work (you can definitely research it if you wish), but I believe they have several restrictions. One of these is that you must download and play the game on the *same device* as the one you initially start the offer on.
0 -
Also, another method is to directly edit those fields you mentioned. Editing fields is doable, but a bit of a pain. Here is a script for doing so:
0 -
6 hours ago, Sasuke_Uchiha07 said:
Perhaps the game has yet to call the method. Try updating your coins (gaining or spending some).
0 -
On 8/13/2025 at 1:45 AM, CmP said:
GG supports x86 and x86_64 architectures since very long time ago. From the description on download page:
GG's disassembler and assembler aren't required functionality, so no wonder that they are only implemented for most common use cases.
Other than that, GG works just fine on x86 Android devices/emulators and nothing prevents one from doing whatever can be done on devices with ARM architecture. For example of modifying something in game code for x86 see:
https://gameguardian.net/forum/topic/33131-hotelstory-not-complying/#findComment-121354
Thank you for the info! This is very interesting.
0

SPEEDHACK IN MOBILE LEGENDS BANG BANG
in Help
Posted
Is this game server sided? That may be why you experience weird results.