XEKEX

nah u just need to dump the lib and the metadata and start hacking the game see the Guide section it will help you alot and use youtube if u stuck on how to hack libil2cpp game

Fixed

Quick Notes: Low Registers (R0 to R7): Accessible by all instructions using general-purpose registers. High Registers (R8 to R12): Accessible by 32-bit instructions specifying a general-purpose register, not all 16-bit instructions. Stack Pointer (R13): Used as the Stack Pointer (SP). Autoaligned to a word, four-byte boundary, ignoring writes to bits [1:0]. Link Register (R14): Subroutine Link Register (LR). Receives return address from PC during Branch and Link (BL) or Branch and Link with Exchange (BLX). Also used for exception return. Treat as a general-purpose register. Program Counter (R15): PC. FPU (Floating Point Unit): Supports single-precision operations - add, subtract, multiply, divide, multiply and accumulate, and square root. Also handles conversions between fixed-point and floating-point formats, and floating-point constant instructions. FPU Registers: Sixteen 64-bit doubleword registers: D0-D15. Thirty-two 32-bit single-word registers: S0-S31. ->Source <- --------------------------------------------------------------------------------------------------------------------------------- In Arm Patching we are using only Low Registers and the FPU. True and false Editing. ~A MOV R0, #1 MOV means Move , by this instruction we are telling the proccessor to move the value 1 to register R0 similar when you assign a variable name : R0 = 1 in most programing languages the true statment always = 1 and the false statment = 0 so #1 = true and #0 = false ~A BX LR BX Means branch exit LR or in another way return the value we stored to the caller. Int Editing : we can use MOV R0, # aswell for the int value but you need to know the integral data types. • byte : Signed: From −128 to 127 ­ ­ ­ ­ ­ ­ ­ ­ ­: Unsigned: From 0 to 255 we can use MOV here if the int value we want is between -128 and 255 so the instruction will be : ~A MOV R0, #-128 or #255 at max • short : Signed: From −32,768 to 32,767 : Unsigned: From 0 to 65,535 in this case we use MOVW the W stands for Word so same as above the instruction will be : ~A MOVW R0, #−32,768 or #65,535 at max NOTE : • Don't forget to return (~A BX LR) • We can Use MVN which mean Move Negative so the Max Negative Value will be #255 for Byte and MVNW for Short #65,535 (Don't add "-" since we already telling the proccessor we are dealing with negative number) • #value will be converted automatically to hex value in the Register means #8 will be 0x00000008 and so on • Int 32 : Signed: From −2,147,483,648 to 2,147,483,647 : Unsigned: From 0 to 4,294,967,295 the typical DWORD in GG : here we move to the advanced Part of this guide: as I said in the Note above the values are converted in the register automatically to hex so the max value in short in hex will be 0x0000FFFF so we have 4 zero's we can't change in the int 32, in this case we use one more instructon MOVT T stands for Top example : MOVW R0, #22136 -> R0 will be : 0X00005678 MOVT R0 , #4660 -> R0 will be : 0x12345678 So in case of INT32 we need 2 things • Convert the value we want to change to hex value • 3 instruction in total the Same concept here work for QWORD aswell (64 bit) 0x0000000000000001 Note : MVN R0, #2 will change to 0xFFFFFFF2 in hex MOV R0, #2 or MOV R0, #0x2 are the same Float and Double: • Float and Double are IEEE 754 Floating-Point: We need the FPU here and things will get a little bit complicated, • we need 2 or 3 registers in this case R0 , R1 and S0(for float) or D0(for double) Suppose the hex value of this float 12.6 is : 0x4149999A same as the int 32 : ~A MOVW R0, #0x999A (R0 = 0x0000999A) ~A MOVT R0, #0x4149 (R0 now = 0x4149999A) now R0 is set but if we return the value (~A BX LR) the result will be : 1095342490 and we don't want that value we want 12.6 as float (This Doesn't Work Because we didn't tell the proccessor that is a float number) the right way is to use FPU VMOV S15, R0 ( VMOV is the instruction MOV in the FPU : by that instruction we mean move the register value of R0 to the FPU register R15 ) VMOV.F32 S0, S15 (here we are telling the FPU we are dealing with Float number (F32) and move the value from S15 to S0 ) for double we use the same concept except we use F64 instead and register D16 and D0 Float : so the final code will be : ~A MOVW R0, #0x999A (R0 = 0x0000999A) ~A MOVT R0, #0x4149 (R0 = 0x4149999A) ~A VMOV S15, R0 ~A VMOV.F32 S0, S15 ~A BX LR ----------------- Double : For double the hex value of 12.6 is : 0x4029333333333333 (Same Concept for Big Float Number) • Here we use R0, R1 , D0 and D16 • divide the hex value 0x4029333333333333 into 2 part 0x40293333 and 0x33333333 one goes for R0 and the other one goes for R1 Be carful of the placement of the hex value we start from the last 4 to the 1st 4 means we start with 0x3333 -> 0x4029 Use same concept of MOVW and MOVT to get the result. Result: ~A MOVW R0, #0x3333 (R0 = 0x00003333) ~A MOVT R0, #0x3333 (R0 = 0x33333333) ~A MOVW R1, # 0x3333 (R1 = 0x00003333) ~A MOVT R1, #0x4029 (R1 = 0x40293333) ~A VMOV D16, R0, R1 (Move value Of R0 and R1 to register D16 Be Careful here R0 last 8 hex 1st then R1 the top 8 hex) ~A VMOV.F64 D0, D16 (here we use F64 and D0 , and D16 instead of F32 , S0 and S15 because the hex value is 64 bit) ~A BX LR ------ This is How you arm patch bool / int / float / double NOTE : When it comes to function args and returns the only register that give return or args are R0,R1,R2,R3 (and SP) this is why we use R0 and VMOV S15/D16 to S0/D0 ARMv8 : In ARMv8, LSL stands for "Logical Shift Left". It is an instruction used to shift the bits in a register to the left by a specified number of bits, and the bits that are shifted off the left-hand end are discarded. LSL can be used with immediate values or with a register value. The immediate value specifies the number of bits to shift, which can be between 0 and 63. When using a register value, the bottom byte of the register specifies the number of bits to shift Example : Level 1 ) LSL X1, X2, #3 --> Shift the contents of X2 left by 3 bits and store the result in X1 -> In this example, X2 is being multiplied by 8 (since 8 is 2 to the power of 3), and the result is stored in X1. Level 2) MOV and LSL example: MOV X1, #0x10 -->Move the value 0x10 into register X1 LSL X1, X1, #3 --> Shift the contents of X1 left by 3 bits (multiply by 8 ) Level 3) Float Value : 3.14159 / Hex : 0x40490FD0 --Load the value 0x0FD00000 into bits 16-31 of W0 • MOVK W0, #0x0FD0, LSL #16 --> W0 = 0x00000FD0 -- Load the value 0x40490000 into bits 32-47 of W0 • MOVK W0, #0x4049, LSL #32 -> W0 = 0x40490FD0 -- Move the value of W0 into single-precision floating-point register S0 • FMOV S0, W0 --> S0 = 0x40490FD0 (interpreted as a floating-point value) Note : 4 bytes hex (32) value we use register W and for float we use S Level 4 ) Double value : 3.14159 / Hex : 0x400921F9F01B866E MOVK X0, #0xF01B866E, LSL #16 -->X0 = 0x00000000F01B866E MOVK X0, #0x400921F9, LSL #48 -->X0 = 0x400921F9F01B866E FMOV D0, X0 Note: 8 bytes hex (64) value we use register X and for Double we use D NOTE: SAME CONCEPT IN AARCH32 WITH (INT, BOOL, FLOAT, AND DOUBLE) LSL and MOV(Z/K) is the diffrences. PART II (LDR / STR): [STRING] ( NON UNITY GAMES ) Little-endian / Big-endians : LDR and STR are instructions used in ARMv7 and ARMv8 architectures to load and store data from memory. LDR stands for "Load Register" and is used to load a value from memory into a register. The syntax for LDR in ARMv7 and ARMv8 is LDR <Register>, [<Address>] STR stands for "Store Register" and is used to store a value from a register into memory. The syntax for STR in ARMv7 and ARMv8 is STR <Register>, [<Address>] where <Register> is the name of the register to load the value into, and <Address> is the memory address from which to load the value. In both cases, the square brackets around <Address> indicate that the value inside the brackets is a memory address, rather than a register. To load the string 'GG TESTING' into a register, you can use the LDR instruction. Assume the pointer to 'G' is 0x00000004 we can use this address as the base address for the LDR instruction. The instruction for loading the first four characters of the string into a 32-bit register (e.g., R1/X1) would be: • LDR R1/X1, [0x00000004] -- R1/X1 = 'GG T' This instruction loads the 32-bit value at memory address 0x00000004 into R1/X1. Note: Use the Move instructions above (PART I) to assign the value (address) to a register BEFOR USING LDR --> LDR R1/X1, [R0] -- R0 = 0x123456789 ( use MOV to assign the correct address to R0 or X0) To load the entire string into a register, you can use the LDR instruction with a register offset. Assuming the string is stored in consecutive memory locations, we can use the following instruction to load the entire string into a register (e.g., R1/X1) LDR R1/X1, [0x00000004], #10 This instruction loads the 32-bit value at memory address 0x00000004 into R1 and increments the base address by 10 (the length of the string). As a result, the entire string 'GG TESTING' will be loaded into R1. ADVANCED : If 'GG TESTING' is a half-word (i.e., each character is 2 bytes or 16 bits) and the pointer to 'G' is located at memory address 0x0000004 + 0x8, then the instructions for loading the string into a register would be different Dummy memory: 0x0000004 (<-- pointer )= 123 0x0000008 = 21 0x000000C = 9999999 0x0000010 = 'GG' 0x0000014 = ' T' -- with space at the start. 0x0000018 = 'ES' etc.. --> between every byte value ( character ) there is 0 [ example in memory 0x00000010 = 71 (G) <-- byte 0x00000011 = 0 <-- byte 0x00000012 = 71 (G) <-- byte 0x00000013 = 0 <-- byte 0x00000014 = 32 (space) <- byte ] To load the half-word 'GG' into a 32-bit register (e.g., R0/X0), we can use the LDRH instruction as follows: LDRH R0, [0x00000004, 0x8] This instruction loads the 16-bit value at memory address 0x00000010 into the lower 16 bits of R0/X0. Since we want to load the first two characters of the string, we add an offset of 0x8 to the base address. Read more about LDR To load the entire string into a register, we can use the LDRH instruction with a register offset as follows: LDRH R0, [0x00000004, 0x8], #0xC This instruction loads the 16-bit value at memory address 0x00000010 into the lower 16 bits of R1, and increments the base address by 0xC (or 12 bytes) to load the remaining characters of the string. The 'GG TESTING' string has a length of 10 characters, which corresponds to 20 bytes (11 characters x 2 bytes per character), so we need to load 12 bytes in addition to the first 2 bytes to load the entire string. AARCH64 : LDRH --> LDURH (Load Unsigned Halfword with a 64-bit offset) or LDSRH (signed) LDURH W0, [X1, #16] ; Load a halfword from the memory address X1 + 16 into W0 This loads a 16-bit unsigned halfword from the memory address X1 + 16 into the 32-bit register W0. Note that the offset value is added to the base register X1 to form the memory address. Also, because LDURH is an unsigned load instruction, the loaded halfword is zero-extended to 32 bits. NOTE: the LDURH instruction is specific to AArch64 architecture and is not available in AArch32 architecture. STR: STR is used to store the contents of a register into a memory location that is addressed using a base register and an optional offset. The contents of the register are written to the memory location, overwriting any previous data that was stored at that location. -->STR Rd, [Rn {, #offset}] where Rd is the source register whose contents will be stored in memory, Rn is the base register that points to the memory location where the data will be stored, and offset is an optional 32-bit offset that is added to the base register to form the memory address. Example of using the STR instruction to store the contents of R0 register into a memory location: --> STR R0/X0, [R1/X1, #4] ; Store the contents of R0/X1 into the memory location R1/X1 + 4. NOTE : STR Wd, [Xn, #offset], imm | the STR instruction with the imm option is only available in AArch64. |--> Wd/Xd, [Xn, #offset] The imm option allows you to add an immediate value to the offset to form the memory address. The immediate value is sign-extended to 64 bits, shifted left by the scale factor (which is determined by the size of the data being transferred), and then added to the offset. -> STR W0, [X1, #0x100], #0x20 -- This stores the contents of register W0 into the memory location pointed to by register X1 plus 0x100 plus 0x20, overwriting any previous data stored at that location. In AArch32, there is no imm option for the STR instruction. However, you can achieve a similar effect by adding the immediate value to the offset before using it in the instruction. Here's an example: ADD R2, R1, #0x120 --> R2 = R1 + 0x120 STR R0, [R2] --> Store R0 at address R2 Here, the ADD instruction adds the immediate value 0x20 to the base register R1, storing the result in R2. The STR instruction then stores the contents of register R0 into the memory location pointed to by register R2. Note: that the immediate value is added to the offset before using it in the instruction, rather than being added as a separate operand like the imm option in AArch64. --->FOR Using LDR / STR on values just LDR/STR R0/X0, [DESTINATION ADDRESS] Note : Unity games use pointers for the string ----------------------------------------------> Converting Float and Double to Hex <--------------------------------- This is mainly IEEE Standard for Floating-Point Arithmetic. (you can skip this part by using online converter) > You need : • Advanced Lua scripting Knowladge. • Math Knowladge. • Binary 32 and 64 Knowladge. --------------Please read--------------

open the apk as zip ull find folder called lib if u find libil2cpp then the game use unity engine if u find cocos2D then the game use lua and c if u find UEsomthing then the game use unreal engine some games write their own lib (rare case) the server side hacking is more higher in cocos2d bc they use libC aswell and you can exploit in many ways such as buffer over flow remote code execution and frida use ida or jadx to dump that lib and search for function that encrypt data and hook it with frida use burp suite aswell to intercept server data and decrypt it using frida most cases the game use firebase to transfer data server side + ngnix and the only solution to hack the server side is by brute force ssh and u need powrfull pc to perform that and linux machine using msf console or ghidra and nmap

View File Dump.CS to Lua Table This Script will change all the Dump.cs file into new file.lua contain a lua table • remove void function since they act on themself or on the class and no return values • filter all possible function / classes for hack usage • ENUM not included • seal / protected are filterd • filter system and all other dll functions • Work for PC and GG script Note : use the script on PC for faster results + the dump name MUST be "Dump.cs" --Script not Encoded feel free to learn Submitter XEKEX Submitted 01/23/2023 Category Tools  

I get it now , anyway your script is similar to elf binary you can research it it might help you

lua script runs from top to buttom it won't execute the condition befor the the val get increment also last value in dex won't meet the requirement for the condition this is why u need to put all conditions on top of the loop

to change 2 values u need to select 2 values u can add the 2ed address by adding new value to your table : arm_True= { ------------- we add new tabe that contain the arm instruction we want [1] = '~A MOV R0, #1', [2] = '~A BX LR', } -- in the table below (base_T) u can save only the address + offset of multiple functions (function a , b , c ,d .. ) base_T = {['address'] = gg.getRangesList('libil2cpp.so')[1].start + offset } -------- we add another table that contain the base address + offset for i = 1 ,#arm_True do ------------ I prefer use for loop this will make changes depending on the number of changes in arm table base_T[i].value = arm_True[i] base_T[i].address + 4 ------------- the 2ed address is always the prev one + 4 end -- if u use the loop above it will change all the functions a,b,c ,d .. to the arm instruction u want (true) without any other coding or searching for every 2ed address gg.setValues(base_T) ----- then we set the values --this method work for 2+ modification --u can also write base_T[1] = .. base_T[2] = .. manually instead -- u can add new index contain the original value in case u want to perform multiple changes base_T = gg.getValues(base) ---- and it's values

for i = 1, loop do if valStart >= range[3]["end"] then break ---->>>>>> make the if statment at the start so it won't add some unwanted addresses an cause crush later dex[#dex + 1] = {address = valStart, flags = gg.TYPE_QWORD} valStart = valStart + 0x250 end end

yes but it's time consuming

Lua Course Video --> link Pointers basic explain video --> link C# Beginners guide video link --> link GameGuardian Scripting reference --> link thats all u need to learn the basics also Google / youtube is ur best solution in case of learning how to create a script I don't recommend following some tutorials on youtube stick with GG doc read and try the more u write the more u learn that's all don't forget that this forum can give you more help in case u want a fast lua compiler use this one I prefer link also if u are intrested in arm use godbolt.org

View File Pure Lua library import this lib to your script : • setup ! XEK = nil load_lib = gg.makeRequest('https://raw.githubusercontent.com/chihaamin/XEKEX/main/xLIB.lua') if load_json_lib.code == 200 then -- check the status of the request XEK = load(load_json_lib.content,'bt')() end • Comment if you find a bug / error or if you have Idea for implementation. • All the file is documented and commented for beginners. ♥ Add "XEKEX was here" in your script if it was helful ------------------------------------------------------------------------------- IMPORT : JSON = XEK.import('https://raw.githubusercontent.com/rxi/json.lua/master/json.lua') -- this will import a lib into your script JSON.decode(response.content) Text2Dword : -- Text2Dword function Convert a text to dword value local DWORD = XEK.Text2Dword("berry") -- Print the result print(DWORD) --> Output: '6619234;7471218;121::9' Dword2Text : -- Dword2Text function Convert a Dword value to text local sampleValue = "6619234;7471218;121" local text = XEK.Dword2Text(sampleValue) -- Print the result print(text) --> Output: 'berry' hex : The 'hex' function takes two arguments: a value to convert to hexadecimal and a boolean 'hx' indicating whether to add '0x' or 'h' prefix to the output. --[[ If hx is true, the function returns the hexadecimal value with '0x' prefix. If hx is false, the function returns the hexadecimal value with 'h' suffix. If hx is not provided or not a boolean, the function returns the hexadecimal value without any prefix or suffix. The function uses string formatting to convert the value to hexadecimal. ]] --> Examples: --Convert decimal value to hexadecimal with '0x' prefix print(XEK.hex(255, true)) --> Output: 0xFF --Convert decimal value to hexadecimal with 'h' suffix print(XEK.hex(255, false)) --> Output: FFh --Convert decimal value to hexadecimal without any prefix or suffix print(XEK.hex(255)) --> Output: FF dump : --[[ dump function takes a table as input and returns a string representation of the table. If the input is not a table, it returns a string representation of the input. Parameters: tab (table): the table to be dumped Returns: (string): the string representation of the table ]] --> Example usage: local myTable = {name = "John", age = 30, hobbies = {"reading", "running"}} print(XEK.Dump(myTable)) -- Output: { ["name"] = "John", ["age"] = 30, ["hobbies"] = { [1] = "reading", [2] = "running", } } split : --split function splits a string into a table of substrings using a specified delimiter --The function takes two parameters: s, which is the string to be split, and delimiter, which is the character or string used to separate the substrings --> Example usage: local myString = "apple,banana,cherry,orange" local myTable = XEK.split(myString, ",") -- The above code will split the string "apple,banana,cherry,orange" into substrings using the comma as the delimiter and store the result in a table called myTable --The resulting table will contain the following values: myTable[1] = "apple" myTable[2] = "banana" myTable[3] = "cherry" myTable[4] = "orange" ARMIT fix : --# Example 1: Converting an Integer to Assembly Instructions local instructions = XEK.ARMIT(123456, "int", true) --The above function call will generate assembly instructions to move the value 123456 into a register in AArch64. --> Output: instructions = { [1] = '~A8 MOVK W0, #0xE240, LSL #16', [2] = '~A8 MOVK W0, #0x0001, LSL #32', [3] = '~A8 RET', } --# Example 2: Converting a Boolean to Assembly Instructions local instructions = XEK.ARMIT(true, "bool") --The above function call will generate assembly instructions to move the value 1 (true) into a register in AArch32. --> Output: instructions = { [1] = '~A MOV R0, #0x1', [2] = '~A BX LR', } --# Example 3: Converting a Float to Assembly Instructions local instructions = XEK.ARMIT(3.14159, "f", true) --The above function call will generate assembly instructions to move the value 3.14159 into a floating point register in AArch64. --> Output: instructions = { [1] = '~A8 MOVK W0, #0x0FD0, LSL #16', [2] = '~A8 MOVK W0, #0x4049, LSL #32', [3] = '~A8 FMOV S0, W0', [4] = '~A8 RET', } --# Example 4: Converting a Double to Assembly Instructions local instructions = XEK.ARMIT(123456789.987654321, "d") --The above function call will generate assembly instructions to move the value 123456789.987654321 into a double precision floating point register in AArch32. --> Output: instructions = { [1] = '~A MOVW R0, #0x5BA8', [2] = '~A MOVT R0, #0x57F3', [3] = '~A MOVW R1, #0x6F34', [4] = '~A MOVT R1, #0x419D', [5] = '~A VMOV D0, R1, R0', [6] = '~A BX LR', } readBytes | readWord | readDword | readFloat | readDouble : local words = XEK.readWord(addr, size, ';') <-| return a string local dwords = XEK.readDword(addr, size, '-') <-| return a string local floats = XEK.readFloat(addr, size, '|') <-| return a string local doubles = XEK.readDouble(addr, size, ':') <-| return a string -- OR local words = XEK.readWord(addr, size) <-| return a table local dwords = XEK.readDword(addr, size) <-| return a table local floats = XEK.readFloat(addr, size) <-| return a table local doubles = XEK.readDouble(addr, size) <-| return a table --<< these function purpose is to read values from memory for comparison >>-- getResults : --# Example usage of getResults function and its returned table local t = XEK.getResults(10) or t = XEK.getResults() <-|-- Get 10 results or all result | you can specified parameter same as GG print(t.data[1].address) <-|-- Print the address of the first result --# Example usage of focus function t:focus() <-|-- Save original values of results table print(t.original[1]) <-|-- Print the original value of the first result --# Example usage of update function t:update(999) <-|-- Set all values in result table to 999 --# Example usage of reset function t:reset() <-|-- Reset all values in result table to their original values --# Example usage of offset function t:offset(0x8) <-|-- Add 8 to the address of each result --# Example usage of append function local t2 = XEK.getResults(5) <-|-- Get 5 more results t:append(t2) <-|-- Append t2 results to t print(#t.data) <-|-- Print the total number of results in t --# Example usage of get function t:get() <-|-- Refresh the results table --# Example usage of clear function t:clear() <-|-- Destroy the results table and clear garbage MakeMenu : -- Create a new menu object local myMenu = XEK.MakeMenu().Menu:new({"Option 1", "Option 2", "Option 3"}) | this will add Menues -- Add a new action to the menu myMenu.actions:new(1, function() -- argument 1 is the index of menu ( option 1 function ) | index must be a number print("Option 1 was selected!") end) myMenu.actions:new(2, function() print("Option 2 was selected!") end) -- etc -- . -- . -- . -- Display the menu and wait for the user to make a selection myMenu:display() --whenever the user select a menu item it will trigger the functions inside myMenu.actions ( created with myMenu.actions:new(index, function) ) Submitter XEKEX Submitted 01/13/2023 Category Tools  

The x64 has been released

+ Learn Lua & some basic C++ / arm / pointers and You good to go

I know the Underline is illegal even if it's for game hacking

yeah Ive done it manytimes usally android games have a weak servers security means that u can exploit many server exploits like ssh, sql injection ,heartbleed, JWT etc it's not 100% success but u can try it Note : I'm not encouraging to do thoes kind of stuff it's illeagl and can cause jail so be careful unless u are experineced and have CISSP or CEH

You can use PUT / PATCH / DELETE aswell to add shell code to server-side if they use weak security You can Use fiddler(avrage) / Burp-suite (pro) / Charles proxy (easy)

Some games Uses Json /csv for items and in memory they use ID for every item ingame and from the ID it get it's information like status etc the ID might be an int value or pointer for unity games they usally use int value for ID or a string and for other libs like libcocos2d they use pointers in case U change the pointer and it's just visual then the data is server side in most cases it's both sides game and server and the server just check if it's the correct data depending on manythings like lvl / stages etc if the game isn't unity game use ida pro to debug that lib and search for encrypt function or md5 or whatever encryption they use after that use frida to hook that function and make sure that u use charls proxy or burpsuite as a listener and from thoes request the game made use that encrypt function as a new native function and copy it's data (encrypted in charls or burp ) to decrypt that data if you find somthing interresting edit it and use the encrypt function again to reencrypt it and post it to server-side this is how you hack non unity game server side in case of unity game they most likly use strings to the items as const if the dump file doesn't give thoes strings try to find a method or a class related to thoes string and write a custom script to dump them then from there u can hack the items easly