
XEKEX
Contributor
Posts: 250
Days Won: 13

Everything posted by XEKEX

  1. @Rxhacker No, you can't create a thread using GG; the only solution is trampoline hooks. Explanation: all games and apps are compiled, and there is a linkage between their functions (methods) and calls. Read more: it's either you jmp or pointer-replace. If addCoins(int coins) is an actual method within the lib, you can alloc mem with GG, set up R1 (R1, not R0, because R0 is the caller address / class field), then call the original addCoins using BL (or other branch instructions), and finally swap the field pointer to the new alloc mem. This method is helpful if you have a global method like dmg or range (changing it causes the enemy to have the same hack as you).
  2. Void methods are basically:
    for k, v in pairs(Dictionary[some index]) do
      -- logic here
    end
  3. XEKEX

    pointer search bug

    local results = gg.getResults(gg.getResultsCount())
    gg.setRanges(gg.REGION_ANONYMOUS)
    gg.searchPointer(0)
    local results_pointers = gg.getResults(gg.getResultsCount()) -- this will have all the pointers of all the searched values.
    --[[ Note: gg.searchPointer()
    mixed searchPointer ( int maxOffset, long memoryFrom = 0, long memoryTo = -1, long limit = 0 )
    Searches for values that may be pointers to elements of the current search result.
    Parameters
      maxOffset   Maximum offset for pointers. Valid values: 0 - 65535.
      memoryFrom  Start memory address for the search.
      memoryTo    End memory address for the search.
      limit       Stop the search after finding the specified number of results. 0 means to search all results.
    Returns: true or string with error.
    Examples:
    gg.searchNumber('10', gg.TYPE_DWORD, false, gg.SIGN_EQUAL, 0, -1, 5) -- search some values
    gg.searchPointer(512) -- search for possible pointers to values found before
    gg.searchNumber('10', gg.TYPE_DWORD) -- search some values
    gg.loadResults(gg.getResults(5))
    gg.searchPointer(512) -- search for possible pointers to values loaded before
    local t = {}
    t[1] = {}
    t[1].address = 0x18004030 -- some desired address
    t[1].flags = gg.TYPE_DWORD
    t[2] = {}
    t[2].address = 0x18004040 -- another desired address
    t[2].flags = gg.TYPE_BYTE
    gg.loadResults(t)
    gg.searchPointer(512) -- search for possible pointers to values loaded before
    ]]
  4. It must be sending data using sockets instead of normal HTTP requests. Try to search for a function that kicks players out (a pointer to it), then call it with its parameters or edit the parameters upon calling it.
  5. XEKEX

    how to use offsets

    An offset, in simple terms, is the distance between two addresses; instead of meters we use hex.
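    Worked example (added here; it is not code from posts 3 or 5 above and not GameGuardian's own implementation): a Python model of what gg.searchPointer(maxOffset) from post 3 does, together with the offset arithmetic from post 5, run over a 64-byte memory image constructed inline so it works without a device. It assumes 32-bit little-endian pointers and that a DWORD with value V counts as a pointer to a result at address R when R = V + off for some 0 <= off <= maxOffset; BASE and the image layout are made up.

```python
# Added example: a model of gg.searchPointer() and of offset arithmetic, run over a
# constructed memory image so it works without GameGuardian. Not the forum's code.
import struct

BASE = 0x7F000000   # assumed load address of the constructed image (made up)
WIDTH = 4           # 32-bit little-endian pointers, as in an x32 process


def offset(from_addr, to_addr):
    """An offset is just the distance between two addresses, in bytes."""
    return to_addr - from_addr


def read_dword(mem, base, addr):
    """Read the DWORD stored at `addr` inside the image loaded at `base`."""
    return struct.unpack_from("<I", mem, addr - base)[0]


def search_pointer(mem, base, result_addrs, max_offset):
    """Model of gg.searchPointer(max_offset) over the current results.

    Assumption: a DWORD with value V points at result address R when
    R = V + off for some 0 <= off <= max_offset (so V may be an object base
    and the result a field inside it). Returns [(candidate_addr, V, off)].
    """
    hits = []
    for i in range(0, len(mem) - WIDTH + 1, WIDTH):
        v = struct.unpack_from("<I", mem, i)[0]
        for r in result_addrs:
            off = r - v
            if 0 <= off <= max_offset:
                hits.append((base + i, v, off))
    return hits


def walk_chain(mem, base, start, offsets):
    """Follow a pointer chain: for each offset, addr = *(addr) + offset.
    This is how a static path (base -> pointer -> ... -> value) is replayed."""
    addr = start
    for off in offsets:
        addr = read_dword(mem, base, addr) + off
    return addr


def build_image():
    """Constructed 64-byte image (not a real dump); the comments give the layout."""
    img = bytearray(0x40)

    def put(off, value):
        struct.pack_into("<I", img, off, value)

    put(0x08, 100)          # the searched value (e.g. coins) at BASE+0x08
    put(0x10, BASE)         # object base: the value is its field at +0x08
    put(0x18, BASE + 0x10)  # pointer to that object-base pointer (2-level chain)
    put(0x20, BASE + 0x08)  # direct pointer to the value (offset 0)
    put(0x30, BASE + 0x0C)  # points past the value: never a hit
    return bytes(img)


if __name__ == "__main__":
    img = build_image()
    print(f"offset 421B1340 -> 421B1344 = {offset(0x421B1340, 0x421B1344):#x}")
    for max_off in (0, 8):
        print(f"searchPointer(maxOffset={max_off}):")
        for addr, value, off in search_pointer(img, BASE, [BASE + 0x08], max_off):
            print(f"  {addr:#010x} holds {value:#010x} (+{off:#x})")
    value_addr = walk_chain(img, BASE, BASE + 0x18, [0x00, 0x08])
    print(f"chain BASE+0x18 -> [+0] -> [+8] = {value_addr:#x}, value {read_dword(img, BASE, value_addr)}")
```

    With maxOffset 0 only the direct pointer at BASE+0x20 is reported; with maxOffset 8 the object base at BASE+0x10 is reported too, because the value is its field at +0x08. That is the same reason a field pointer search in GG needs a maxOffset at least as large as the field's offset.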
  6-9. This post cannot be displayed because it is in a forum which requires at least 1 post to view.
  10. Try these instructions (both are the same):
    ~A8 MOV W0, #0x3333, LSL #16
    ~A8 MOVK W0, #0x4083, LSL #32
    ~A8 FMOV S0, W0
    ~A8 RET
  11. Good luck , if you have any other questions feel free to ask.
  12. When dealing with the processor you need to be more strict; even upper and lower case naming can affect the instructions. You can learn more about ARM at https://developer.arm.com/documentation . It's a too complicated topic and not simple.
  13. I'm not a 64 user, I can't test it. However, the error you're encountering is likely due to the fact that the value 0xC28F3D75 cannot be directly used as a floating-point constant in the FMOV instruction. In AArch64 assembly, when using immediate values with FMOV, you typically need to represent the floating-point constant in a specific format: 0.06
    FMOV S0, #0.06 or FMOV S0, 0.06 (depending on the system)
    In the 1st case #0xC28F3D75 is a 32-bit value and your instruction set it to a 64-bit value with the register X. The third line (FMOV s0, w8) moves the value in register w8 into scalar floating-point register s0. This might be an issue depending on the context. If w8 contains a valid 32-bit integer, this conversion could be appropriate. However, if w8 contains a floating-point value, this operation might lead to unexpected results. You should use the W register instead to convert the register W8 to a valid 32-bit floating-point:
    MOV w8, #0xC28F
    MOVK w8, #0x3D75, LSL #16
    FMOV s0, w8
    ret
  14. You are using register X8 then sending register W8 to the FPU, and this is wrong. Try this instead:
    FMOV S0, #0xC28F3D75
    ret
    or try to change W8 to X8.
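    Worked example (added here, not code from posts 10, 13 or 14 above): a Python helper that builds the MOVZ/MOVK/FMOV/RET sequence loading a 32-bit float constant into S0, assembles it to machine words, shows which constants an FMOV #imm can actually take, and decodes the words back to check the value that lands in S0. The encodings are the standard ARMv8-A ones; the constants 0xC28F3D75 and 0x40833333 are the ones discussed in the thread. Two facts it relies on: FMOV Sd, #imm only encodes the 256 values of the form +/-(16+m)/16 * 2^e, and a W register only accepts LSL #0 or LSL #16 on MOV/MOVK (LSL #32 and #48 exist only for X registers), so the low 16 bits go in the MOV and the high 16 bits in the MOVK with LSL #16.

```python
# Added example: build the MOVZ/MOVK/FMOV/RET sequence that loads a 32-bit float
# constant into S0, and check it by decoding. Not the thread's code; encodings are
# the standard ARMv8-A ones, constants are the ones discussed in the thread.
import struct


def float_to_bits(x):
    """IEEE-754 single-precision bit pattern of x (e.g. 4.1 -> 0x40833333)."""
    return struct.unpack("<I", struct.pack("<f", x))[0]


def bits_to_float(b):
    return struct.unpack("<f", struct.pack("<I", b))[0]


def fmov_imm_encodable(x):
    """FMOV Sd, #imm only accepts +/-(16+m)/16 * 2^e with m in 0..15, e in -3..4
    (256 values such as 1.0, 2.5, 0.125). 0.06 or 0xC28F3D75 are not among them,
    so those have to go through an integer register."""
    return any(x == s * (16 + m) / 16 * 2.0 ** e
               for s in (1, -1) for e in range(-3, 5) for m in range(16))


def movz_w(rd, imm16, shift):
    """MOVZ Wd, #imm16, LSL #shift. A W register only has hw = 0 or 1 (LSL #0 / #16)."""
    assert shift in (0, 16) and 0 <= imm16 <= 0xFFFF
    return 0x52800000 | ((shift // 16) << 21) | (imm16 << 5) | rd


def movk_w(rd, imm16, shift):
    """MOVK Wd, #imm16, LSL #shift: keep the other bits, replace one 16-bit half."""
    assert shift in (0, 16) and 0 <= imm16 <= 0xFFFF
    return 0x72800000 | ((shift // 16) << 21) | (imm16 << 5) | rd


def fmov_s_from_w(sd, wn):
    """FMOV Sd, Wn: copy the 32-bit pattern unchanged into the FP register."""
    return 0x1E270000 | (wn << 5) | sd


RET = 0xD65F03C0


def load_float_sequence(value, wreg=0, sreg=0):
    """Return (asm_lines, machine_words): low half via MOV, high half via MOVK LSL #16."""
    bits = float_to_bits(value)
    lo, hi = bits & 0xFFFF, bits >> 16
    asm = [
        f"MOV W{wreg}, #0x{lo:04X}",
        f"MOVK W{wreg}, #0x{hi:04X}, LSL #16",
        f"FMOV S{sreg}, W{wreg}",
        "RET",
    ]
    words = [movz_w(wreg, lo, 0), movk_w(wreg, hi, 16), fmov_s_from_w(sreg, wreg), RET]
    return asm, words


def simulate(words):
    """Decode exactly the four instruction forms emitted above and return S0,
    so the sequence can be checked without a device."""
    w = [0] * 32
    s = [0.0] * 32
    for ins in words:
        if (ins & 0xFF800000) == 0x52800000:                 # MOVZ (32-bit)
            rd, imm, hw = ins & 0x1F, (ins >> 5) & 0xFFFF, (ins >> 21) & 1
            w[rd] = imm << (16 * hw)
        elif (ins & 0xFF800000) == 0x72800000:               # MOVK (32-bit)
            rd, imm, hw = ins & 0x1F, (ins >> 5) & 0xFFFF, (ins >> 21) & 1
            keep = ~(0xFFFF << (16 * hw)) & 0xFFFFFFFF
            w[rd] = (w[rd] & keep) | (imm << (16 * hw))
        elif (ins & 0xFFFFFC00) == 0x1E270000:               # FMOV Sd, Wn
            rd, rn = ins & 0x1F, (ins >> 5) & 0x1F
            s[rd] = bits_to_float(w[rn])
        elif ins == RET:
            break
        else:
            raise ValueError(f"unsupported encoding {ins:#010x}")
    return s[0]


if __name__ == "__main__":
    for bits in (0xC28F3D75, 0x40833333):
        asm, words = load_float_sequence(bits_to_float(bits))
        print(f"{bits:#010x} = {bits_to_float(bits)!r}, FMOV #imm ok: {fmov_imm_encodable(bits_to_float(bits))}")
        for line, word in zip(asm, words):
            print(f"  {word:08X}  {line}")
        print(f"  simulated S0 = {simulate(words)!r}")
```

    The four words can be written to the patched function as raw DWORDs; in GG the same lines go in as ~A8 instructions. Change wreg if W0 is needed as an argument register at that point.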
  15. Yes:
    • a script to manipulate your Android system files that creates a server on your phone and listens to it
    • an ELF shell that gets executed when you reboot your phone
    • a script to handle the download and the setup of the shell on your phone (creation of this kind of scripts is time consuming and not worth the try; I won't recommend it)
  16. Disclaimer: This guide is for educational purposes only. The techniques explored here are intended for understanding the technical aspects of Android games. Users are advised to use this knowledge responsibly and within legal and ethical boundaries. I disclaim any liability for misuse or unauthorized activities. Use this information at your own risk. As you explore with me, remember it's all about learning, not mischief. If you decide to try out any of these tricks, make sure it's within the rules and plays nice with the devs. I'm not taking responsibility for any shenanigans, so be cool, and enjoy the learning ride. Cheers!

    Goals:
      • Identify server-side data from local data.
      • How to tamper with server-side data.
      • Bypass SSL encryption.

    Requirements:
      • You should be familiar with requests (HTTP).
      • You should have some level of knowledge about reverse-engineering / exploits / etc.

    Tools:
      • GameGuardian.
      • Frida.
      • IDA (Pro).
      • Burp Suite / any other proxy interceptor.
      • LUA Decryption and Encryption for cocos2dlua.

    Difficulty: 8/10

    ----- Let's Dive In -----

    The first step is to collect information about the game. Start playing the game normally to get some information about it: its concept and what data it has, like items, coins, gems, VIP, battle pass, etc., and what they are called in game. Open GameGuardian or a root explorer to find out what engine the game uses and its libs, like libil2cpp.so for Unity, Cocos2d for Cocos2d games, or a custom lib built on top of other game engines like libLotaApp.

    Burp Suite: start intercepting traffic.

    Set Up Your Environment
    Install Burp Suite: download and install Burp Suite from the official website.
    Configure your Android device: connect your Android device to the same network as your computer. Go to Wi-Fi settings, find your connected network, and set the proxy to your computer's IP address and the port Burp Suite is running on (default is 8080).

    Step 2: Configure Burp Suite
    Start Burp Suite: open Burp Suite and go to the "Proxy" tab.
    Configure proxy settings: under the "Options" tab, go to "Proxy" settings. Ensure the proxy listener is running on the IP address and port you specified in your Android device's Wi-Fi settings.
    Install Burp's CA certificate: in Burp Suite, go to "Proxy" > "Options" > "Import / export CA certificate". Click "Save CA Certificate" to save the certificate. Transfer the certificate to your Android device and install it. When exporting the certificate you should give it the extension .ctr.

    Step 3: Configure Android Device
    Install and configure the proxy on Android: ensure the proxy listener is running on the IP address and port you specified in your Android device's Wi-Fi settings. For APN, edit the access point name. Install the certificate exported from Burp on your Android phone.

    Step 4: Start Capturing Traffic
    Browse on the Android device: open the browser on your Android device and start browsing. Burp Suite will capture the traffic; in the "Target" tab, you should see the target host(s) that your Android device has communicated with.
    Inspect and manipulate traffic: in the "Proxy" tab, you can intercept requests and responses, inspect them, and even manipulate them before forwarding.
    Use other Burp Suite tools: explore other tools in Burp Suite, such as "Repeater" and "Intruder", to perform further analysis and testing.

    The Site Map:
    Hierarchy: the Site Map is organized in a hierarchical structure that represents the different hosts and paths your client has communicated with.
    Hosts and paths: hosts represent the web servers or domains that your client has interacted with. Paths represent specific URLs or routes within those hosts.
    HTTP methods: each entry in the Site Map includes information about the HTTP methods used (GET, POST, etc.).
    Status codes: the status codes of the responses (e.g., 200 OK, 404 Not Found) are displayed, providing insights into the server's responses.
    Request and response details: clicking on an entry in the Site Map reveals detailed information about the request and response for that specific interaction. This includes headers, parameters, and content.
    Filtering and searching: you can filter and search for specific requests or hosts, making it easier to focus on relevant parts of the traffic.
    Context menu: right-clicking on an entry provides a context menu with various options, such as sending the request to other Burp Suite tools for further analysis.
    Interactivity: the Site Map is an interactive tool that allows you to manipulate and analyze the captured traffic in real time.
    Use cases:
      Analysis and debugging: identify patterns and anomalies in your web traffic for analysis and debugging purposes.
      Security testing: spot potential security issues, such as vulnerabilities or unusual behaviors.
      Mapping application flow: understand how different paths in your application are accessed and interacted with.

    Select all URLs and right-click -> delete selected items (we don't need them). Launch the app and watch what the app sends when it executes. I launched "Mythic Su*moner" and this traffic got captured. But most games use SSL pinning and they don't show the full traffic even when intercepting them. In this case we need Frida to unSSL it (you can use it to bypass root detection as well).

    SSL pinning, also known as certificate pinning or public key pinning, is a security mechanism employed in applications to enhance the security of SSL/TLS connections. It involves associating a specific SSL certificate or public key with a particular domain, and the application will only accept connections with that specific certificate or key.
    Normal SSL/TLS connection: in a standard SSL/TLS connection, a client (e.g., a mobile app) connects to a server, and the server presents its digital certificate to the client during the handshake process.
    SSL pinning process: with SSL pinning, the client embeds a specific SSL certificate or public key within the application. When establishing a connection to the server, the client checks whether the server's presented certificate matches the embedded certificate or public key.
    Verification and trust: if the presented certificate matches the pinned certificate or key, the connection is considered trusted, and the communication proceeds. If there's a mismatch or the server presents a different certificate, the connection is rejected, preventing potential man-in-the-middle attacks.
    Using Burp Suite to listen to the game traffic is a man-in-the-middle attack. That's why most of the traffic is rejected in the 1st capture.

    FRIDA
    Connect your phone to your PC via USB and inject an agent into the process to unSSL pinning. When you unSSL the game you get more traffic. With this traffic unSSLed you can play with it, inspect it and modify it with the Repeater (this is how you hack the server side). This method is called tampering data.

    How to identify server data and local data.
    Select inapps.appflyer.com and watch it when you play: every change in data (server side) gets registered by this URL (most cases); it will send a gzip to the server and save it there. Any local data will be saved on your machine (Android device) or in memory, and inapps.appflyer.com won't send a request. Some games use a SOCKET to connect the game and the server and keep the connection open until the game gets terminated or the server gets shut down; with Burp you can intercept sockets as well.
    TIP: while you are intercepting traffic with Burp, open the lib with IDA Pro to disassemble it.

    IDA
    Make sure IDA fully disassembles the lib by showing "idle" at the bottom. Go to the functions menu and hit Ctrl+F to start searching for the keywords I mentioned at the beginning (gold, item names, coins, player stats, etc.). When I search for the keywords no functions / methods are found; that means the logic and the data processing isn't in the lib nor in the traffic (most of them), which means the only way to store the logic is in the files in this example game. If you found functions, your starting point starts with Frida: you can use Frida to hook it and track the pointers, and afterwards GG to create a script.

    Decrypt LUAC
    Take the apk and unzip it (open with rar / 7zip); you'll end up with the game files. And done, the logic is found in the game files; the game uses Lua to run with C and cocos2d. But the game won't leave the game logic and code open and public; they must use some sort of encryption for it. For that they use luac, the Lua compiler responsible for taking Lua source code and transforming it into Lua bytecode, encrypted. Try another file; notice: i0lzCcmB1Cjxk6DpvlmdPINybrXXeBA1. Each file has this signature at the start of it.

    IDA & LUA Decryption and Encryption for cocos2dlua
    Copy the signature and search IDA for it, but this time in the strings. If found, you should find the key as well. I use IDA & LUA Decryption and Encryption for cocos2dlua to decrypt the files. After it's done every file will be unencrypted and easy to read, and with that data you can create anything you want / mod / script etc.

    Why not just Frida? To use Frida you need a PC (Termux users aren't included because you just need a PC to use Frida -_-). Agents (Frida scripts) aren't portable; you always need your PC to use the script, powered with USB. I mean too much pain; that's why in my opinion GameGuardian is the best choice: you can run the script anywhere, anytime, plus Lua is much easier than JS. Not all libs work with libc and not all of them contain useful resources like the example above.

    ---- Tips:
    The data should be stored in:
      - the server
      - the local machine (your device)
      - the game files "apk" (your device as well)
    Look at these 3 places to find the game resources. Game logic is either in the files or in the lib (like il2cpp). Android games can't afford a hosted hypervisor for the logic processing. I can update this topic; comment what you want to know more about (excluding server-side hacks). I won't provide tools; all you need is your brain to outsmart devs.
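    Worked example (added here; not code from post 16 above and not the "LUA Decryption and Encryption for cocos2dlua" tool it uses): a Python helper for the two mechanical steps in the "Decrypt LUAC" part, identifying script files by the signature prefix quoted in the post and listing the strings stored next to that signature in the native library, where the post says the key turns up. The library bytes and the script file here are constructed stand-ins, not real game data, and the helper assumes the key is a NUL-terminated string placed next to the signature in read-only data; if it is not, the candidates it returns still have to be checked in IDA.

```python
# Added example: find cocos2d-lua script files by the signature prefix the post
# mentions and list the strings stored next to that signature in the native library,
# which is where the post says the key turns up. The library bytes and the script
# are constructed stand-ins, not real game data.
import re

SIGNATURE = b"i0lzCcmB1Cjxk6DpvlmdPINybrXXeBA1"   # the signature quoted in the post


def strings(blob, min_len=4):
    """Yield (offset, run) for every run of >= min_len printable ASCII bytes,
    the same string table IDA's Strings window shows."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.start(), m.group()


def key_candidates(lib, signature=SIGNATURE, neighbours=1):
    """Strings stored within `neighbours` positions of the signature string.
    Assumption: the key is a NUL-terminated string placed next to the signature
    in read-only data; if it is not, these candidates still need checking in IDA."""
    table = list(strings(lib))
    out = []
    for i, (_, s) in enumerate(table):
        if s == signature:
            lo, hi = max(0, i - neighbours), min(len(table), i + neighbours + 1)
            out.extend(t for j, (_, t) in enumerate(table[lo:hi], lo) if j != i)
    return out


def is_encrypted_script(data, signature=SIGNATURE):
    """Every encrypted script starts with the signature; plain luac starts with ESC 'Lua'."""
    return data.startswith(signature)


def strip_signature(data, signature=SIGNATURE):
    """Return the body after the signature: the ciphertext handed to the decryptor."""
    if not is_encrypted_script(data, signature):
        raise ValueError("no signature: file is plain or uses another scheme")
    return data[len(signature):]


# Constructed stand-ins (not real game data).
FAKE_LIB = (b"\x00" * 8 + b"libcocos2dlua.so\x00" + b"\x7fELF\x00" + SIGNATURE + b"\x00"
            + b"example-key-1234\x00" + b"res/main.luac\x00" + b"\x00" * 8)
FAKE_SCRIPT = SIGNATURE + bytes(range(32))


if __name__ == "__main__":
    print("key candidates:", key_candidates(FAKE_LIB))
    for name, data in (("main.luac", FAKE_SCRIPT), ("plain.luac", b"\x1bLua\x53" + b"\x00" * 8)):
        if is_encrypted_script(data):
            print(f"{name}: encrypted, {len(strip_signature(data))} ciphertext bytes")
        else:
            print(f"{name}: not signed")
```

    On a real library, read the .so into `lib` and widen `neighbours` if the first candidates are obviously file names; a file that does not start with the signature is either plain bytecode or uses a different scheme and should not be fed to the decryptor.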
  17. Version 1.0.0

    312 downloads

    Attack, HP, Speed, Dodge, Crit, Armor and Resist Multiplier, ALL HEROES! ::DON'T CHANGE STATS DURING BATTLE, IT WILL CRASH YOUR GAME:: Tested: x32 & rooted device; if it doesn't work on your device, edit the script! OPEN SOURCE SCRIPT. Don't share it so they won't patch it; I won't update it either.
  18. View File: Mythic Summon Stats. Attack, HP, Speed, Dodge, Crit, Armor and Resist Multiplier, ALL HEROES! ::DON'T CHANGE STATS DURING BATTLE, IT WILL CRASH YOUR GAME:: OPEN SOURCE SCRIPT. Don't share it so they won't patch it; I won't update it either. Submitter: XEKEX. Submitted: 09/27/2023. Category: LUA scripts.
  19. or uninstall and reinstall both GG and the virtual
  20. I know how to kick players out, even the host (IN PC GAMES). What I use: I scan the requests using netshark + filter, then I DDoS the other player's IP; this will set a closed connection with the server and force them to disconnect from the game. I don't know if that's applicable to the game you mention, but I guess it's possible; I never tried it on mobile.
  21. Try to modify the value below the address you've changed:
    address: 421B1340
    address below it: 421B1344
    or
    address: 421B1340 <--- set this value to 0
    address below it: 421B1344 <--- set this value to 99
    and see the result; it should increment. If it doesn't, that's the highest score.
  22. ARM patch:
    If the PUSH starts with R0, don't change R0: R1 will hold the 1st arg, R2 will hold the 2nd arg, R3 will hold the 3rd arg.
    If the PUSH starts with R4, same as above: skip R5; R6 will hold the 1st argument, R7 will hold the 2nd argument, R8 will hold the 3rd argument.
    Since it's void, scroll down until you find the POP instruction, then scroll up and change the R1 R2 R3 instructions (best if the original is MOV). This might work (30%). Try to avoid void methods for ARM patching.
    2nd approach: since void acts on the fields of that class, pointer-search the fields related to movement or map and edit the values in the A region.
    3rd approach: allocate memory in the XA region, write your custom ARM code, then swap pointers with the original method address pointer.
  23. XEKEX

    Arm Patching

    What do you mean by fast? Also, is it 64 or 32?
  24. I might update it for cleaner code, maybe, but it's open source; anyone can use it / update it himself. I leave the source with comments as well.
  25. local valueRes = gg.getResults(gg.getResultsCount())
    local valueHex = {}
    for k, v in ipairs(valueRes) do
      -- each result is a pointer: queue a read of the address it points to,
      -- with the same value type as the result (getValues needs address + flags)
      valueHex[#valueHex + 1] = {address = v.value, flags = v.flags}
    end
    valueHex = gg.getValues(valueHex)
    gg.removeResults(valueRes)
    gg.loadResults(valueHex)