Everything posted by XEKEX
-
I guess you need to re-sign the APK
-
Specify your case so I can make a tutorial.
-
Request anti-tamper (SSL): you can use Frida to bypass SSL pinning and patch the APK; this lets you see the request contents and tamper with them (server-side hacking). Inner-code anti-tamper (anti-cheat): for il2cpp games you can search the dump file for the class responsible for data comparing etc. and disable it (or ARM-patch it); this will bypass the game's anti-cheat. For non-Unity games: you can use IDA to disassemble the lib, and from there you can do the same steps as with il2cpp (when it comes to ARM patching, using Frida or a similar debugger is recommended). Another approach is to use jadx & Frida to hook the Java (JM)
-
The ? region is memory out of bounds, meaning: for each app to be executed the processor allocates memory for the app; these addresses and values belong to another application, so editing them won't affect the game, but it does affect the other application. What causes this: it might be a GLIBC heap bug or a heap overflow.
-
You mean request tampering or inner-code tampering?
-
What @CmP said is the answer.
-
The il2cpp might be misconfigured by the dev, who put a linker for il2cpp in the system region.
-
This is why it's not good practice: ipairs, pairs and every built-in function in Lua that deals with tables starts the iteration by default at index 1 --> here is an example
-
Void functions don't have a return; it also acts like: for key, value in pairs() in Lua
-
You're right, forget that; a metatable doesn't work with number indexes.
-
In Lua the array always starts at index 1; however, you can force it to start at 0, like: table[0] = something, or table = {} for i = 0, 10 do table[i] = something end, or by using metamethods. Note: forcing it to start at index 0 isn't good practice.
-
After you destroy the script the user can redownload it and execute it again...
-
Note: the offset between the address 0xB179DE28 and 0x1AFFDACA4 should be a constant offset if you want to implement it in a script; otherwise, if the offset between the lib and the address 0x1AFFDACA4 is a constant offset, use lib_base_address + offset to get the address, then split it into two halves:
MOVW r0, 0xACA4
MOVT r0, 0xAFFD
LDR r0, [r0]
-
Try #56872 -- I don't know why it gives you an error, it should read it.
-
@Alessa- try to use this code:
~A MOVW R0, 0XDE28 -- we set the value of R0 to be the LDR address
~A MOVT R0, 0XB179
~A MOVW R1, 0XCE7C -- the offset between the two values is 0xFE83CE7C (0xAFFDACA4 - 0XB179DE28 = 0xFE83CE7C, or 0XB179DE28 + 0xFE83CE7C = 0xAFFDACA4)
~A MOVT R1, 0XFE83
~A LDR R0, [R0, R1] -- this will load the value at the address 0xAFFDACA4 (29883488) into R0 -> LDR R0, [0XB179DE28 + 0xFE83CE7C] (R0 = 29883488)
-
If the offset is less than 4KB (0x400) you can use LDR R0, [PC, offset]
-
@Alessa- example: in memory, the pointer 0x12345678 points to the address 0x87654321 -> this address holds the value 99999. Using LDR: LDR r0, [0x12345678]; this instruction will load the value pointed to by 0x12345678 into R0, meaning R0 = 99999
-
Working with PC is very dangerous for those who don't understand ARM instructions. LDR R0, [PC, 0x something] -- wrong, because the 2nd parameter in [ ] is the offset of the value; [PC, + offset] won't give the correct address, and since we don't know the next instruction's address this will give a random address. ARM can only handle 8 bits: this is true. LDR R0, =Function._Pointer / string literal (the BS region or Stringliteral.json will contain offsets [lib base address + offset = address]) / jump instructions (B, BL) / a value from memory (any)
-
Using the instructions movw and movt to load the address into register r0 and then using ldr to load the value from that address into the same register r0 will overwrite the address with the value stored at that address. This results in register r0 containing the value at address 0x12345678 rather than the address itself.
movw r0, 0x5678
movt r0, 0x1234
ldr r0, [r0] <- (LDR R1, [0x12345678]); the address should be a pointer
-
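The MOVW/MOVT/LDR replies above (the 0xB179DE28 / 0xAFFDACA4 offset, the [PC, offset] warning, and ldr overwriting r0) can be checked with the helper below. This is an added example written for this page, not code from XEKEX or the thread; the A1 encodings are the standard ARM ones with cond = AL, while the sample memory contents, the instruction address 0x1000 used for the PC-relative case and the function names are assumptions for illustration.

```javascript
// Added example, not code from the forum posts: helpers for the ARM32 (A32)
// MOVW/MOVT/LDR address arithmetic discussed in the replies. Addresses are 32-bit;
// the memory contents and instruction addresses below are constructed for illustration.

// Split a 32-bit address into the two 16-bit immediates for MOVW (low) and MOVT (high).
function splitMovwMovt(addr) {
  return { movw: addr & 0xFFFF, movt: (addr >>> 16) & 0xFFFF };
}

// Offset to add to `from` to reach `to`, wrapped modulo 2^32 so it also works when
// `to` < `from` (0xB179DE28 -> 0xAFFDACA4 gives 0xFE83CE7C, as in the reply).
function wrappedOffset(from, to) {
  return (to - from) >>> 0;
}

// A1 encodings (cond = AL). MOVW/MOVT carry imm4:imm12; LDR immediate has P=1, W=0 and
// U selects add/subtract; LDR register uses Rm as the offset.
function encodeMovw(rd, imm16) {
  return (0xE3000000 | ((imm16 >>> 12) << 16) | (rd << 12) | (imm16 & 0xFFF)) >>> 0;
}
function encodeMovt(rd, imm16) {
  return (0xE3400000 | ((imm16 >>> 12) << 16) | (rd << 12) | (imm16 & 0xFFF)) >>> 0;
}
function encodeLdrImm(rt, rn, imm12, add = true) {
  return ((add ? 0xE5900000 : 0xE5100000) | (rn << 16) | (rt << 12) | imm12) >>> 0;
}
function encodeLdrReg(rt, rn, rm) {
  return (0xE7900000 | (rn << 16) | (rt << 12) | rm) >>> 0;
}

// Direct form: MOVW/MOVT the target into R0, then LDR R0, [R0] (R0 ends up holding the value).
function loadDirect(target) {
  const t = splitMovwMovt(target);
  return [encodeMovw(0, t.movw), encodeMovt(0, t.movt), encodeLdrImm(0, 0, 0)];
}

// Two-register form: R0 = ldrAddr, R1 = wrapped offset, then LDR R0, [R0, R1].
function loadViaOffset(ldrAddr, target) {
  const a = splitMovwMovt(ldrAddr);
  const o = splitMovwMovt(wrappedOffset(ldrAddr, target));
  return [encodeMovw(0, a.movw), encodeMovt(0, a.movt),
          encodeMovw(1, o.movw), encodeMovt(1, o.movt),
          encodeLdrReg(0, 0, 1)];
}

// LDR Rt, [PC, #+/-imm12]: in ARM state PC reads as the instruction address + 8 and
// imm12 is 0..4095, so the literal must lie within +/-4095 bytes of that PC; else null.
function ldrLiteral(rt, instrAddr, target) {
  const pc = (instrAddr + 8) >>> 0;
  const delta = target - pc;
  if (Math.abs(delta) > 0xFFF) return null;
  return { pc, add: delta >= 0, imm12: Math.abs(delta),
           encoding: encodeLdrImm(rt, 15, Math.abs(delta), delta >= 0) };
}

// Minimal interpreter for exactly these encodings, to show what ends up in the registers.
// `memory` maps a word address to its 32-bit value; an unmapped read throws, which is what
// a wrong PC-relative offset does to a real process.
function run(words, memory, startAddr = 0) {
  const r = new Array(16).fill(0);
  words.forEach((w, idx) => {
    const rd = (w >>> 12) & 0xF;                       // Rd for MOVW/MOVT, Rt for LDR
    const rn = (w >>> 16) & 0xF;
    const imm16 = (((w >>> 16) & 0xF) << 12) | (w & 0xFFF);
    if ((w & 0x0FF00000) === 0x03000000) {             // MOVW: zero-extend into Rd
      r[rd] = imm16;
    } else if ((w & 0x0FF00000) === 0x03400000) {      // MOVT: set top half, keep bottom half
      r[rd] = ((imm16 << 16) | (r[rd] & 0xFFFF)) >>> 0;
    } else if ((w & 0x0D700000) === 0x05100000) {      // LDR, P=1 W=0; bit 25 picks Rm vs imm12
      const base = rn === 15 ? ((startAddr + idx * 4 + 8) >>> 0) : r[rn];
      const off = (w & 0x02000000) ? r[w & 0xF] : (w & 0xFFF);
      const addr = (((w >>> 23) & 1) ? base + off : base - off) >>> 0;
      if (!memory.has(addr)) throw new Error('unmapped read at 0x' + addr.toString(16));
      r[rd] = memory.get(addr);                        // the loaded value replaces the address in Rt
    } else {
      throw new Error('unsupported instruction 0x' + w.toString(16));
    }
  });
  return r;
}

// Constructed sample memory: the word at 0xAFFDACA4 holds 29883488, as in the reply.
const sampleMemory = new Map([[0xAFFDACA4, 29883488]]);

function demo() {
  return {
    viaOffset: run(loadViaOffset(0xB179DE28, 0xAFFDACA4), sampleMemory)[0],
    direct: run(loadDirect(0xAFFDACA4), sampleMemory)[0],
    pcRelative: ldrLiteral(0, 0x1000, 0x1FFF),
    tooFar: ldrLiteral(0, 0x1000, 0x2100),
  };
}
console.log(demo());
```

Both load sequences leave 29883488 in R0 and R1 holding 0xFE83CE7C, which is the point of the "ldr overwrites r0" reply: after the LDR, R0 no longer contains the address. The `ldrLiteral` check makes the [PC, offset] limit concrete: the reach is measured from the instruction address + 8, not from the instruction itself, and anything beyond 4095 bytes needs the MOVW/MOVT form instead.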
-
Last thing I forgot to mention: the company behind Grim Soul changed and the devs are patching its inner functions and methods etc.; the game became more dependent on LIBC -- and this opens the use of FRIDA, and hacking became easier (Frida will re-clone libil2cpp and perform a trampoline hook on every class, method etc.), editing libil2cpp dynamically in real time and requiring no knowledge of assembly language; all you need is a basic level of Node.js or Python. Here is a template I wrote for hooking il2cpp with FRIDA that works on Grim Soul:

```javascript
// Wait until libil2cpp.so is mapped, then hand its base address to the callback.
function awaitForCondition(callback) {
    var i = setInterval(function () {
        var addr = Module.findBaseAddress('libil2cpp.so');
        if (addr) {
            clearInterval(i);
            callback(addr); // pass the NativePointer itself; converting it to a Number truncates 64-bit addresses
        }
    }, 0);
}

// Hook one il2cpp method by its offset (the RVA / Offset column in dump.cs).
// Copy this call for multiple method hooks, or loop over a list of offsets.
function hookMethod(lib, offset) {
    Interceptor.attach(lib.add(offset), {
        onEnter: function (args) {
            // runs when the method is called; args[0] = R0, args[1] = R1, ... (the CPU registers)
            // console.log('args : ' + args[0]);
        },
        onLeave: function (retval) {
            // return value of the function
            // console.log('retval : ' + retval);
            retval.replace(ptr(0x0)); // replace the return value with the one you want
        }
    });
}

Java.perform(function () {
    // this will get the base address of il2cpp
    awaitForCondition(function (base) {
        var lib = base;
        console.log('lib = ', lib); // prints the start address of il2cpp in memory
        // hooks are installed here, after the base is known, not at the top level of the script
        hookMethod(lib, 0x1C665E0); // change 0x1C665E0 to the offset of the method you want hooked
    });
});
```

--> FRIDA --> Tutorial on how to use FRIDA on il2cpp games. You can call any function in il2cpp with it, with the parameters you want.
-
• it's a field pointer sweep
• in Grim Soul they use pointers in the field values
• "something"ScriptNode classes and entity are the main classes for almost every object in the game
• game functionality is based on tables similar to Lua
• every item, event, action etc. is just a string, similar to decision-tree games (in 3D)
• the stringliteral.json file will be helpful in creating a powerful script for Grim Soul
• (many traps are set for hackers, such as poker, sanct.., friend chest keys etc.)
• you can use pointer sweep in many cases; il2cpp patching is powerful (you can search for an ENUM and look up what methods / fields use that ENUM and patch them)
• you can patch the echeckwall method etc. using ENUM values to build upon anything, including outside your home
• pet rarity, gender, color are used by somethingScriptNode; you can patch it using ENUM
• the error handler in the game is based on ENUM also, 1, 2, 3, 4 etc.; same for Echeck wall, foundation etc.; the response should be the OK enum
• you can exploit error handling to unban or manipulate requests server-side (I guess)
• the igrim class will hold all the server-side data and encrypted data
• for hooking ENUM for an il2cpp patch you need to use the stringliteral.json file to get the offset of the string in the CB region
• patch: use LDR to load the string pointer into a register, then BLX to call a function that takes the string as a parameter *use with caution* (not recommended in Grim Soul since it depends heavily on strings; most of the time it crashes for me)
• gg alloc memory will crash the game (I don't know why)
-