XEKEX

Contributor
  • Posts: 250
  • Days Won: 13

Everything posted by XEKEX

  1. XEKEX

    ARM LDR

    try #56872 -- idk why it gives you an error, it should read it
  2. XEKEX

    ARM LDR

    put the X in lower case
  3. XEKEX

    ARM LDR

    @Alessa- try to use this code:
    ~A MOVW R0, 0XDE28 -- we set the value of R0 to be the LDR address
    ~A MOVT R0, 0XB179
    ~A MOVW R1, 0XCE7C -- the offset between the two values is: 0xFE83CE7C ( 0xAFFDACA4 - 0XB179DE28 = 0xFE83CE7C or 0XB179DE28 + 0xFE83CE7C = 0xAFFDACA4 )
    ~A MOVT R1, 0XFE83
    ~A LDR R0, [R0, R1] -- this will load the value at address 0xAFFDACA4 ( 29883488 ) -> LDR R0, [0XB179DE28 + 0xFE83CE7C] into R0 ( R0 = 29883488 )
  4. XEKEX

    ARM LDR

    if the offset is less than 4kb (0x400) you can use LDR R0, [PC, offset]
  5. XEKEX

    ARM LDR

    @Alessa- example: in memory, the pointer 0x12345678 points to this address 0x87654321 -> this address holds the value 99999. Using LDR: LDR r0, [0x12345678] -- using this instruction will load the value pointed to by 0x12345678 into R0, meaning: R0 = 99999
  6. XEKEX

    ARM LDR

    working with PC is so dangerous for those who don't understand arm instructions. LDR R0, [PC, 0x something] -- wrong, because the 2nd parameter in [ ] is the offset of the value: [PC, + offset] won't give the correct address, and since we don't know the next instruction address this will give a random address. ARM can only handle 8-bits: this is true. LDR R0, =Function._Pointer / string literal ( BS region or Stringliteral.json will contain offsets [lib_base address + offset = address] ) / jump instruction ( B, BL ) / a value from memory ( any )
  7. XEKEX

    ARM LDR

    Using the instructions movw and movt to load the address into register r0 and then using ldr to load the value from the address into the same register r0 will overwrite the original value of the address with the value at that address. This will result in the register r0 containing the value at address 0x12345678, rather than the address itself.
    movw r0, 0x5678
    movt r0, 0x1234
    ldr r0, [r0] <- ( LDR R1, [0x12345678] ) the address should be a pointer
  8. you can install frida server on mobile using the frida application and use termux (it's complicated but still possible to run it with just your phone)
  9. Last thing I forgot to mention: the company of grim soul changed and the devs are patching its inner functions and methods etc., the game became more dependent on LIBC -- and this opens the usage of FRIDA, and hacking became easier ( frida will reclone libil2cpp and perform a trampoline hook on every class, method etc. ), editing libil2cpp dynamically in real-time and requiring no knowledge of assembly language; all you need is a basic level of node js code or python. Here is a template I wrote for hooking il2cpp with FRIDA that works on grim soul:
    var lib = Module.findBaseAddress('libil2cpp.so');
    function awaitForCondition(callback) {
      var i = setInterval(function () {
        var addr = Module.findBaseAddress('libil2cpp.so');
        if (addr) {
          clearInterval(i);
          callback(+addr);
        }
      }, 0);
    }
    Java.perform(function () { // this will get the base address of il2cpp
      awaitForCondition(function (base) {
        lib = ptr(base);
        if (lib != null) {
          console.log('lib = ', lib) // this will print the start address of il2cpp in memory
        }
      })
    })
    // copy and paste the code below for multiple method hooks or create a function that does this
    Interceptor.attach(lib.add(0x1C665E0), { // change the 0x1C665E0 to the offset of the method and the function is hooked ( RVA or Offset in dump.cs )
      onEnter: function (args) { // time = 0 when the method is called
        // console.log('args : ' + args[0]) args[0] = R0 (they are the registers in the CPU I guess)
      },
      onLeave: function (retval) { // return value of the function
        // console.log('retval : ' + retval)
        retval.replace(ptr(0x0)) // this will replace the return value with the one you want
      },
    })
    --> FRIDA --> Tuto on how to use FRIDA on il2cpp games
    you can call any function in the il2cpp with it, with the parameters you want.
  10. • it's a field pointer sweep
    • in grim soul they use pointers in the field values
    • "something"ScriptNode classes and entity are the main classes for almost every object in the game
    • game functionality is based on tables similar to lua
    • every item, event, action etc. is just a string, similar to Decision Tree Games ( in 3d )
    • the stringlinear.json file will be helpful in creating a powerful script for grim soul
    • ( many traps set for hackers such as poker, sanct.., friend chest keys etc. )
    • you can use pointer sweep in many cases; il2cpp patching is powerful ( you can search for an ENUM and look up what methods / fields use this ENUM and patch them )
    • you can patch the echeckwall method etc. using ENUM values to build upon anything, including outside your home
    • pet rarity, gender, color is used by somethingScriptNode; you can patch it using ENUM
    • the Error handler in the game is based on ENUM also, 1, 2, 3, 4 etc.; same for Echeck wall foundation etc., the response should be the OK enum
    • you can exploit error handling to unban or manipulate requests server-side ( I guess )
    • the igrim class will hold all the server-side data and encrypted data
    • hooking ENUM for il2cpp patch: you need to use the stringlinear.json file to get the offset of the string in the CB region
    • patch: use LDR to load the string pointer into a register then BLX to call a function that uses the string as parameter * use with caution * ( Not recommended in grim soul since it's heavily dependent on strings, most of the time it crashes for me )
    • gg alloc memory will crash the game ( idk why )
  11. Using "offset calculator" I go to the address (base addr + offset addr). It should give you a "PUSH" instruction (-- this indicates the start of the function ) -- a "POP" instruction indicates the end of the function. Overwriting the original code won't crash the game if you do it right with the correct instructions.
    -- return 100 as a double value; the instructions are:
    ~A8 MOVZ X0, #0x5900 -- overwrite push instruction ( dummy address: 0x0000 )
    ~A8 MOVK X0, #0x4000, LSL #16 -- the instruction below push ( dummy address: 0x0004 )
    ~A8 MOVK X0, #0x0000, LSL #32 -- etc. ( dummy address: 0x0008 )
    ~A8 MOVK X0, #0x0000, LSL #48 -- ( dummy address: 0x000C )
    ~A8 FMOV D0, X0
    ~A8 RET
    -- 6 ( 4-byte address edits ) in total ( look at the dummy addresses )
    -- the CPU will assume the function body is like this after the edit:
    -- double currentHP () {
    --   return 100
    -- }
    after you edit these 6 addresses, the leftover addresses up to the POP instruction become a code cave; you can inject code in it without using gg.allocatePage() ( some games detect newly allocated memory and force close the game )
    note: register X will hold 64-bit values, W will hold 32-bit values
  12. godbolt will assume that the code you write is an actual program: it stores the double value in memory and then calls ldr on it. In arm patching it's different. FMOV is an FPU mov instruction; we use movk and movz with lsl to modify X0 to the desired hex value, then send X0 to the fpu register.
    -- Load the lower 16 bits of the value into X0
    MOVZ X0, #0x0000
    -- Load the next 16 bits of the value into X0, left-shifted by 16 bits
    MOVK X0, #0x4000, LSL #16
    -- Load the next 16 bits of the value into X0, left-shifted by 32 bits
    MOVK X0, #0x0000, LSL #32
    -- Load the upper 16 bits of the value into X0, left-shifted by 48 bits
    MOVK X0, #0x0000, LSL #48
    -- X0 now holds: 0x4040000000000000
    -- Copy the value in X0 to D0
    FMOV D0, X0
    RET
    here is a better example of using lsl and movk:
    -- X0 = 0x1234567891234567
    -- Load the lower 16 bits of the value into X0 (0x0000000000004567)
    MOVZ X0, #0x4567
    -- Load the next 16 bits of the value into X0, left-shifted by 16 bits (0x0000000091234567)
    MOVK X0, #0x9123, LSL #16
    -- Load the next 16 bits of the value into X0, left-shifted by 32 bits (0x0000567891234567)
    MOVK X0, #0x5678, LSL #32
    -- Load the upper 16 bits of the value into X0, left-shifted by 48 bits (0x1234567891234567)
    MOVK X0, #0x1234, LSL #48
  13. LDR will load the register X0 + 0x28 into D0; adding [] makes the value X0 + offset a pointer, and D0 will hold the value which this pointer holds. *no edits happen* Editing the get_hp method arm code isn't good in most cases because usually this method is related to the enemy as well (creating a god mode will result in a god mode for npcs as well). What accesses the methods is the class field (the caller (field); X0 will hold the caller address in the original arm code). Look into the fields to see if there is an index to the player, even a string; search the class name instead of the method and do some logic in a function to trigger the edit of the player hp only (by matching the player index). The edit should be just the value, no arm patching. If the method get_hp is in a class specific to the player then you can edit the arm code with no problem.
  14. Only old accounts that abused this method still have the money; they already patched it. I have played this game since 2015 or something on facebook (with hack ofc) and my acc didn't get banned. In the last years it does get banned when I try it on mobile; I tried to hack it again, I did several attempts but all failed, so I assume that they calculate the amount of cash that you can obtain for free and how much you perform in in-app purchases; if it doesn't match, your acc will trigger a ban. This process is server side.
  15. This is correct for int. you can check GodBolt.org
  16. register W will hold 32-bit values and X will hold 64-bit values,
    local binary = string.pack("f", 4.0) -- this will convert the float 4 to binary form; "f" = float / "d" = double
    local hex = ""
    for i = 1, #binary do -- this loop will give us the hex value of the binary above
      hex = hex .. string.format("%02X", string.byte(string.reverse(binary), i))
    end
    --[[ the final arm code will be:
    ~A8 MOVK X0, #0x0000, LSL #16 -- LSL will shift our hex value
    ~A8 MOVK X0, #0x4080, LSL #32
    ~A8 FMOV S0, X0
    ~A8 RET ]]
    -- reply if the code works for you
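    As an added example (not the poster's code), a Python helper for the MOVZ/MOVK encoding walked through in posts 11, 12 and 16: it computes the IEEE-754 bit pattern of a double or float, splits a 64-bit constant into the four LSL halfwords, and replays the sequence to confirm the register value. The register name X0 is an assumption.

```python
"""MOVZ/MOVK immediates and IEEE-754 bit patterns (added example, not the poster's code; X0 assumed)."""
import struct


def double_bits(value: float) -> int:
    """binary64 bit pattern of a double, e.g. 100.0 -> 0x4059000000000000."""
    return struct.unpack(">Q", struct.pack(">d", value))[0]


def float_bits(value: float) -> int:
    """binary32 bit pattern of a float, e.g. 4.0 -> 0x40800000."""
    return struct.unpack(">I", struct.pack(">f", value))[0]


def movz_movk(value: int, reg: str = "X0", compact: bool = False) -> list[str]:
    """Split a 64-bit constant into MOVZ/MOVK instructions.
    MOVZ zeroes the register and sets one halfword; each MOVK replaces one
    halfword (LSL #0/16/32/48) and keeps the other three. compact=True skips
    halfwords that are already zero."""
    if not 0 <= value < 1 << 64:
        raise ValueError("value must fit in 64 bits")
    halves = [(value >> s) & 0xFFFF for s in (0, 16, 32, 48)]
    out = []
    for idx, (shift, imm) in enumerate(zip((0, 16, 32, 48), halves)):
        if compact and imm == 0 and (out or any(halves[idx + 1:])):
            continue  # this halfword is already zero
        op = "MOVK" if out else "MOVZ"
        lsl = f", LSL #{shift}" if shift else ""
        out.append(f"{op} {reg}, #0x{imm:04X}{lsl}")
    return out


def simulate(instrs: list[str]) -> int:
    """Replay a MOVZ/MOVK sequence on one register and return its final value."""
    reg = 0
    for ins in instrs:
        op, _, rest = ins.partition(" ")
        parts = [p.strip() for p in rest.split(",")]
        imm = int(parts[1].lstrip("#"), 16)
        shift = int(parts[2].split("#")[1]) if len(parts) == 3 else 0
        if op == "MOVZ":
            reg = imm << shift
        else:  # MOVK: clear the target halfword, then insert imm
            reg = (reg & ~(0xFFFF << shift)) | (imm << shift)
    return reg & (1 << 64) - 1


if __name__ == "__main__":
    print(f"100.0 -> 0x{double_bits(100.0):016X}", movz_movk(double_bits(100.0), compact=True))
```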
  17. Not sure, but some functions might give a ban, for example Poker, Sanctuary, Invite boxes. Try on an unlinked acc; if it gets banned then delete data and start again
  18. crafting points aren't an Item; I'll add it in the next update
  19. I recommend using a rooted device; sorry for the inconvenience but I'm just using a 32bit rooted device and I can't test the script on other devices
  20. XEKEX

    Puzzle and Survival

    nah, you just need to dump the lib and the metadata and start hacking the game. See the Guide section, it will help you a lot, and use youtube if you're stuck on how to hack a libil2cpp game
  21. XEKEX

    Dump.CS to Lua Table

    Yes, it filters the dump and gives you the parts of the dump that can be hackable. Please read the description of the script. You can also access the script and modify it; it's not encrypted.