Jump to content

kiynox

Contributor
 View Profile  See their activity

  • Posts

    472

  • Joined

  • Last visited

  • Days Won

    13

 Content Type 

Posts posted by kiynox

    LUA scripting

    in Guides

    Posted

    [ @Mohit1611 ]
    ---
    You should ask about this at: HELP section. Explain your problem and attach your script in there. So others can help you with this. It is not clear why you're mentioning "bypass execution list" here.
    ---

    0

    How do I dump non-unity games?

    in Help

    Posted

    [ @DanishBro ]
    ---
    LibNeon is not UE4 (Unreal Engine 4), it's usually named as "LibUE4.so". In UE4, you need to find GWorld & GNames, basically like a namespace which will hold in-game properties. Yes, you can technically dump UE4 using only Android (since IDA or Ghidra is Windows based), but you need to use Termux:

    ---
    It is prefered to use IDA Pro or Ghidra (You need some Computer with Linux OS or Windows) as it is more advanced, analyzing manually using Game Guardian Memory Viewer or Android Dissasembler is pain in the butt. Also, I'm not sure what "LibNeon" is, but you can try the same dumping steps and analyze it manually.
    ---

    0

    How to convert xapk or apks to apk

    in General Discussion

    Posted

    [ @XEKEX ]
    ---
    This is not the case with APKS since it is merging split apks into one, so the content will be bunch of apk. You can't just merge a bunch of apk into a single apk without signing it.
    ---
    The same with XAPK, the content would be Base.apk & the game OBB. You can just install them manually, base.apk using default android installer and save obb into OBB folder inside Internal Storage -> OBB (Make the folder if doesn't exist)
    ---

    0

    HWID Lock Script?

    in Help

    Posted

    [ @_insidious ]
    ---
    For the last couple of days, I found Universal pattern to find most ID on Google Play.

    • - Most UUID starts with "$" sign
    • - Hash starts with "AB-"
    • - Token starts with "CAMS"
    • - Long unique string often carries ":" on the front
    • - Cached memory usually starts with six "00", then the content comes after it.

    ---
    I've utilize most of that and come up with multiple pattern, save it as "tablet.lua" : 

    patterns =
{
	[1]= {
		[1]= {
			["pattern"] = "h 24",
			["init"] = 1,
			["ended"] = 37
		},
		["message"] = "Universal ID",
		["regex"] = "^[a-zA-Z0-9-]*$",
		["must"] = "",
		["flags"] = true
	},
	[2]= {
		[1]= {
			["pattern"] = "h 41 42 2D",
			["init"] = 0,
			["ended"] = 204
		},
		["message"] = "Universal Hash",
		["regex"] = "^[a-zA-Z0-9-_]*$",
		["must"] = "",
		["flags"] = true
	},
	[3]= {
		[1]= {
			["pattern"] = "h 43 41 4D 53",
			["init"] = 0,
			["ended"] = 208
		},
		["message"] = "Universal Header",
		["regex"] = "^(.*=)",
		["must"] = "^[a-zA-Z0-9-_=]*$",
		["flags"] = true
	},
	[4]= {
		[1]= {
			["pattern"] = "h 63 6F 6D 2E 67 6F 6F 67 6C 65 2E 61 6E 64 72 6F 69 64 2E 67 6D 73",
			["init"] = 29,
			["ended"] = 65
		},
		[2]= {
			["pattern"] = "h 67 6D 73",
			["init"] = 10,
			["ended"] = 46
		},
		["message"] = "GMS UUID",
		["regex"] = "^[a-zA-Z0-9-]*$",
		["must"] = "-",
		["flags"] = true
	},
	[5]= {
		[1]= {
			["pattern"] = "h 70 68 65 6E 6F 74 79 70 65 5F 73 65 72 76 65 72 5F 74 6F 6B 65 6E",
			["init"] = 38,
			["ended"] = 246
		},
		["message"] = "Phenotype Server Token",
		["regex"] = "^(.*=)",
		["must"] = "^[a-zA-Z0-9-_=]*$",
		["flags"] = false
	}
}

    ---
    Now you can call the pattern from "tablet.lua" (save it on the same Directory!) into our main script: 

    app = gg.getTargetInfo().packageName
dofile("./tablet.lua")
options = {}
results = {}

function is_unique(datas, parent, flags)
	unique = false
	gg.clearResults()
	gg.searchNumber(datas["pattern"], gg.TYPE_BYTE, false, gg.SIGN_EQUAL, 0, -1, 0)
	result_count = gg.getResultsCount()
	if result_count > 0 then
		bases = gg.getResults(result_count)
		for _ = 1, result_count do
			raw_init = const(bases[_].address, datas["init"])
			raw_end = const(bases[_].address, datas["ended"])
			deciph = hexdecode(raw_end:gsub(raw_init, ""))
			regex = deciph:match(parent["regex"])
			must = false
			if regex ~= nil then
				if regex:match(parent["must"]) then
					must = true
				end
			end
			if regex ~= nil and must ~= false then
				unique = regex
				table.insert(results[parent["message"]], regex)
				if flags == true then
					break
				end
			end
		end
	end
	return unique
end

function const(addr, buffer)
	construct = ""
	current = {}
	for _ = 1, buffer do
		current[_] = {address = (addr - 1) + _, flags = gg.TYPE_BYTE}
	end
	for k, v in ipairs(gg.getValues(current)) do
		construct = construct .. string.format("%02X", v.value & 0xFF)
    end
	return construct
end

function hexdecode(hex)
   return (hex:gsub("%x%x", function(digits) return string.char(tonumber(digits, 16)) end))
end

function looper(datas, flags)
	pattern = false
	results[datas["message"]] = {}
	for key, value in ipairs(datas) do
		if type(key) == "number" then
			for ___ = 1, 2 do
				pattern = is_unique(value, datas, flags)
				if pattern ~= false then
					break
				end
			end
		end
		if pattern ~= false then
			break
		end
	end
end

function printer()
	flags = false
	for k in pairs(results) do
		if flags == true then
			break
		end
		for v in pairs(results[k]) do
			print(results)
			choice = gg.alert(k .. ': ' .. results[k][v], 'OK', 'Exit')
			if choice == 2 then
				flags = true
				break
			end
		end
	end
end

for k, v in ipairs(patterns) do
	table.insert(options, v["message"])
end

while true do
	choice = gg.choice({"Exit", "Search", "Printer"}, nil, "Selections:")
	if choice == 2 then
		choice = gg.choice(options, nil, "Patterns:")
		looper(patterns[choice], patterns[choice]['flags'])
	elseif choice == 3 then
		printer()
	else
		os.exit()
	end
end

    ---
    Using Universal pattern can take a while (even long time), but it can captures all possible unique ID.

    0

    How to convert xapk or apks to apk

    in General Discussion

    Posted · Edited by Xaviesz

    [ @DARK_DEMON_SCRIPTER ]
    ---
    I also suffer from that "waiting times". I often recompiles APK to make a cracked one, and it rocks into 2 hours of compile times. Alternative option is to use Modded MT Manager or GM Manager (Modded MT), it has: decompiles, recompiles, merge apks into one. Unfortunately, I wasn't able to use it because of bugs (crash upon runtime), so there's a chance it might works on your device.
    ---
    You can get MT Manager or GM Manager through Telegram, there's alot of them.

    0

    How to determine why speedhack does not work

    in Guides

    Posted

    [ @Ishaan77 ]
    ---
    It is interesting to see that Android Daemon aren't able to hook system framework:

    Quote

    > android-daemon: elf_hook32 failed open: '[anon:libc_malloc]' 2 [No such file or directory]
    > android-daemon: VM_FAIL 2: -1 13706000, 4, 14, Bad address
    > android-daemon: elf_hook32 [/system/framework/arm/boot.oat] baseOffset: 709aa000 - 709aa000 709aa000 0
    > android-daemon: VM_FAIL 2: -1 74006000, 4, 14, Bad address

    There's a lot of "Bad Address" mentioned which the Game Guardian couldn't find the correct address.
    --- 

    android-daemon: SH loaded
android-daemon: c 30097 1 0xd3932020 385
android-daemon: Reader started 30679
breakpoint: status(57f) WIFSTOPPED(1) WIFEXITED(0) WIFSIGNALED(0) WTERMSIG(127) WEXITSTATUS(5), WCOREDUMP(0) WSTOPSIG(5)
elf_hook32 failed open: '[anon:libc_malloc]'
VM_FAIL 2: -1 13706000, 4, 14, Bad address

    It looks like the SpeedHack is working fine for a while but then it is abruptly exitted by a breakpoint and being led to "Bad Address" again. I don't exactly know what causing this behavior since there's no mention of anything, I guess the logs isn't verbosed enough to show the footprint.
    ---

    Quote

    android-daemon: system_ out: setenforce: SELinux is disabled

    It is interesting that SELinux is already on Permissive, is there any different when you try to change the SELinux state through Termux: 

    su
setenforce 1 --Enforcing/Enable
setenforce 0 --Permissive/Disable

    You can try to play with both value (1 and 0) and then set the Game Guardian to works with SELinux:
    Game Guardian -> "Fix It" button -> "Work with SELinux"
    ---
    I can only offer some suggestion on why this could happen:
    > The game somehow have patch this, either through detection, then relocate the actual speedhack to another address.
    > If the game is online multiplayer, the server may enforce the actual value to the game while relocate the address.
    > Unwanted behavior of Game Guardian or SELinux that prevent accessing system framework.
    ---
    I can only judge based on the logs that you've provide. Either try to stay in the older version or find individual speedhack, since Game Guardian Speedhack is accelerating the entire game. More like player speedhack, etc.

    0

    Help me with this command

    in Help

    Posted · Edited by Xaviesz
    reference

    [ @SamePerson ]
    ---     

    if gg.isVisible(true) then
HMM = 1 --Also change "HMM" variable to 1
gg.setVisible(false) --Hide Game Guardian UI
end

    The script will try to Hide Game Guardian UI if it's being showed on the screen. It is also changing variable "HMM" to 1 if the UI is being showed. I'm not sure what's variable "HMM" being used for as you don't show us the full script. Perhaps you need to find something like: 

    if HMM ==

    or any reference to variable "HMM" to really see what's going on.
    ---
    I suggest you to send the script to my Private Message. I'm more than happy to help. Here's some reference:

    0

    Help me with this command

    in Help

    Posted · Edited by Xaviesz

    [ @SamePerson ]
    ---
    Most language are ordered from up to down and left to right. This is common concept that you should declare something before it's called. It includes function and variable. Consider moving all the function block to upper script (including global variable). Perhaps you should attach your script here so others can fix the problem.
    ---
    If your script is for personal use only, you can send the script through Direct Message. We can't fix all the errors from your script only based a few screenshots.

    1

    How do i hack lumber inc

    in Requests

    Posted

    [ @Kakapulvur ]
    ---
    This topic is incomplete. Please provide the following information:

    • - Provide the game's link
    • - Provide kinds of hack that you want
    • - Provide some screenshot, video or steps that you've tried, so we can understand more about the problem.

    ---

    0

    Fresh beginners help

    in Help

    Posted

    [ @Stillo ]
    ---
    It is normal. Libil2cpp or LibUE4 is popular because there's a lot reference to that, it is a library where the game stores many in-game datas. If your game doesn't have this, you would likely to find the value manually, differs to Libil2cpp.so; where there's many tools that allows you to see the game datas from that library.
    ---

    0

    HWID Lock Script?

    in Help

    Posted

    [ @everyone ]
    ---
    I have fixed the pattern to be applicable on most devices, tested on Emulators and Virtual Machine: 

    print("GMS ID:", is_unique("h 3A 24", 2, 38, "^[a-zA-Z0-9-]*$"))

    ---

    0

    HWID Lock Script?

    in Help

    Posted

    [ @MAARS ]
    ---
    Oh right. Finding json generated content on memory based on @XEKEX suggestion, only found these at runtime: 

    {"backend":"dex","compilation-mode":"release","has-checksums":false,"min-api":15,"pg-map-id":"8207912","r8-mode":"full","sha-1":"d0a9eb1e5efb08c60145b38f7ff5028013d0bbc1","version":"8.2.5-dev"}

{"packageName":"com.pubg.newstate","productId":"google.global.preorder.permanent.evcar","purchaseTime":1622560953876,"purchaseState":0,"purchaseToken":"elhfcoiikbmbgocondejdmgf.AO-J1OxvkT-wu3mT46MmpzmK5wGgq19l4jktOmwuRtyieslSRth-3YUi5S2S3rZ6YYlyy3AWCjl523MiI2A0Hlr2UHwXHX_syA"}

    Which nothing really unique.
    ---
    I have explore more directories from Google Play Store, which there's only quite amount of thing, unless you're planning to bounds the account with Google Account, there's a lot of them. 

    print("GMS ID:", is_unique("h 6E 3A 24", 3, 39, "^[a-zA-Z0-9-]*$"))

--Result:
Script ended:
GMS ID: 	2b00f672-c6f5-45ce-b515-a7f2fcdbd6d2

Script ended:
GMS ID: 	9d24361c-5eca-40a2-8f92-382c005a5795

    ---
    Well, that's the concept, I think it should be enough for someone to figure it out themself.

    0

    HWID Lock Script?

    in Help

    Posted

    [ @expensivedebris ]
    ---
    Mine also already grabs UUID from "ADID-CACHED-VALUE" :

    Quote

    Script ended:
    Ads Unique ID:     e087a7cb-b04f-4e5d-a527-f665a3a1625

    ---
    The different with @MAARS, he's merging the result of "gg.getTargetInfo()" -> Convert it's character into bytes with some hash key "4294967296" -> and the result is custom unique ID, it is not UUID though. Meanwhile, I'm getting the info purely from Memory which isn't really reliable (but the value is consistent).
    ---
    I might look into this and search some static value.

    0

    HWID Lock Script?

    in Help

    Posted · Edited by Xaviesz

    [ @_insidious ]
    ---
    It means that the pattern being searched is already flushed out of memory, thus resulting in "false" result. There's several ways to avoid this:

    • - Freeze the game first while searching the value.
    • - Perform with multiple pattern search, meaning if one value is non-existent, the script will perform another search with different pattern.
    • - You can do "something" inside the app/game to make the value appear again on memory. For example: you can do comment / download some apps on the playstore to spawn "gsf id" on memory. GSF ID is unique and it is bound to the device, formerly known as Android ID.

    ---
    In this case, I recommend to find a static value, usually only exist in Read-Only region of memory. Off course you can also use the @MAARS suggestion that use Package Naming, but doing it with memory, you can do more beyond that. For example, you can bounds the script to only work with certain in-game account, etc.
    ---
    In this case, I definitely recommends you to do some multiple pattern search (instead of one), if you're going to use this way. Memory is unreliable.

    0

    HWID Lock Script?

    in Help

    Posted · Edited by Xaviesz

    [ @XEKEX ]
    ---
    I have mention this above, looks like the OP is having a difficulty in finding one. So I will add more to the suggestion: 

    {"
["
{[
{{
},
],

    You can find the json generated using the pattern above.
    ---
    Another problem, Memory is often flushed once in a while, as OP Mention here:

    Quote

    this time worked all perfect... but in my nox, in my phone juts false

    There's several way to avoid this which I will explain it later.

    0

    HWID Lock Script?

    in Help

    Posted · Edited by Xaviesz
    remove print

    [ @_insidious ]
    ---
    Then you can change it with another ID from both location I mentioned earlier (or app generated ID on memory): Concept. You can use the code above as templates, don't be lazy.
    ---
    Since I don't have multiple device, I can only test it on Emulator with multiple instances. Here's the working one, choose between Google Play & Google Play Services: 

    function is_unique(headers, init, ends, pattern)
	unique = false
	gg.searchNumber(headers, gg.TYPE_BYTE, false, gg.SIGN_EQUAL, 0, -1, 0)
	result_count = gg.getResultsCount()
	bases = gg.getResults(result_count)
	for _ = 1, result_count do
		raw_init = const(bases[_].address, init)
		raw_end = const(bases[_].address, ends)
		deciph = hexdecode(raw_end:gsub(raw_init, ""))
		if deciph:match(pattern) then
			unique = deciph
			break
		end
	end
	return unique
end

function const(addr, buffer)
	construct = ""
	current = {}
	for _ = 1, buffer do
		current[_] = {address = (addr - 1) + _, flags = gg.TYPE_BYTE}
	end
	for k, v in ipairs(gg.getValues(current)) do
		construct = construct .. string.format("%02X", v.value & 0xFF)
    end
	return construct
end

function hexdecode(hex)
   return (hex:gsub("%x%x", function(digits) return string.char(tonumber(digits, 16)) end))
end

app = gg.getTargetInfo().packageName

if app == "com.android.vending" then --Google Play Store
	--[shared_pref] finsky.xml
	print("Ads Unique ID:", is_unique("h 61 64 69 64 2D 63 61 63 68 65 64 2D 76 61 6C 75 65", 64, 99, "^[a-zA-Z0-9-]*$"))
elseif app == "com.google.android.gms" then --Google Play Services
	--[database] google_app_measurement.db
	print("Instance ID:", is_unique("h 63 6F 6D 2E 67 6F 6F 67 6C 65 2E 61 6E 64 72 6F 69 64 2E 70 6C 61 79 2E 67 61 6D 65 73", 29, 61, "^[a-z0-9]*$"))
end

    ---
    I'm expecting some effort on your part and not just "this don't work, meh". Atleast ask me what parts that you don't understand.

    0

    HWID Lock Script?

    in Help

    Posted

    [ @_insidious ]
    ---
    I don't know what you're expecting, this is not some kind of algorithm or anything that should be made-up from scratch. The concept is really simple:

    • Initialization: script get the unique from memory -> reserve it to the server / pastebin / dispenser (server with dynamic address / ip) -> create some cache file to indicate the script is already initialized (avoid duplicate initialization)
    • Verification: script scrapping to the server -> parse the key from the server (per line) -> if the key exist, user can access the menu.

    ---
    Even though the user can intercept request that game guardian have made (to see the server address), the user can't do anything since the password is using unique id. In theory, you can also save it within the script (bundled inside), but I prefer to store it somewhere on the server or atleast pastebin. For initialization, you can get the unique ID from memory using this script: 

    function const(addr, buffer)
	construct = ""
	current = {}
	for _ = 1, buffer do
		current[_] = {address = (addr - 1) + _, flags = gg.TYPE_BYTE}
	end
	for k, v in ipairs(gg.getValues(current)) do
		construct = construct .. string.format("%02X", v.value & 0xFF)
    end
	return construct
end

function hexdecode(hex)
   return (hex:gsub("%x%x", function(digits) return string.char(tonumber(digits, 16)) end))
end

gg.searchNumber("h 67 63 6D 2D 72 65 67 69 73 74 72 61 74 69 6F 6E 2D 69 64 2D 6F 6E 2D 73 65 72 76 65 72", gg.TYPE_BYTE, false, gg.SIGN_EQUAL, 0, -1, 0)
result_count = gg.getResultsCount()
base_addr = gg.getResults(result_count)
for _ = 1, result_count do
	raw_init = const(base_addr[_].address, 47)
	raw_end = const(base_addr[_].address, 138)
	deciph = hexdecode(raw_end:gsub(raw_init, ""))
	if string.match(deciph, "^[a-zA-Z0-9-]*$") then
		break
	end
end

    ---
    If you're interested in some explanation, ask me.

    0

    HWID Lock Script?

    in Help

    Posted · Edited by Xaviesz

    [ @_insidious ]
    ---
    Are you refering to uuid that mentioned by @MAARS ? or using the way I did?
    ---
    As answers, perhaps you can start with Google Play Store itself. Since Google acquires Android, so Playstore will exist in most devices (excluding Custom ROM). Then, you can take some Token values or any values in general from /data/data/com.android.vending. For example: com.google.android.gcm.xml 

    <?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <int name="appVersion" value="83621110" />
    <string name="regId">ffY2DJdZRw-cpaNyeWAwWj:APA91bHN7PMqL3vWendxHZ4eAH9Eq1j9hKzO47WA-qvhqYfj6m5LKCD9BLDELJ1gUg96GhmpsCaqRvAGhRvCVgxBBZNNyP1sleUcvco1WwQvvnMf-BD6lYzb-cFNoHYTRmc2YSVXmxNo</string>
</map>

    You can then later check if the "regId" is exist, by scanning it on memory.
    ---

    0
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

  I accept