kiynox
Contributor
Posts: 484
Days Won: 15

Everything posted by kiynox

  1. [ @DanishBro ] --- LibNeon is not UE4 (Unreal Engine 4); that is usually named "LibUE4.so". In UE4, you need to find GWorld & GNames, basically like a namespace which will hold in-game properties. Yes, you can technically dump UE4 using only Android (since IDA or Ghidra is Windows based), but you need to use Termux:
     - MemDumper: to dump UE4 / any lib.
     - UE4 Tutorial: Finding Offsets & Dumping Lib
     --- It is preferred to use IDA Pro or Ghidra (you need some computer with Linux OS or Windows) as it is more advanced; analyzing manually using Game Guardian Memory Viewer or Android Disassembler is a pain in the butt. Also, I'm not sure what "LibNeon" is, but you can try the same dumping steps and analyze it manually. ---
  2. [ @XEKEX ] --- This is not the case with APKS, since it is merging split APKs into one, so the content will be a bunch of APKs. You can't just merge a bunch of APKs into a single APK without signing it. --- The same with XAPK: the content would be Base.apk & the game OBB. You can just install them manually, base.apk using the default Android installer, and save the OBB into the OBB folder inside Internal Storage -> OBB (make the folder if it doesn't exist). ---
  3. kiynox, in "GameGuardian":
     [ @Mochaidj ] --- Parallel Space is considered deprecated by now; I suggest using a Virtual Machine instead:
     - VPhoneGaGa
     - F1 VM
     - x8Sandbox
     - VMOS Pro
     --- If you insist on using Virtual Spaces, you might try this instead of Parallel Space:
     - GSpace
     ---
  4. [ @Bruh666 ] --- It is great to see that you're still going on with this, dedicated stuff. Is there any chance to set up some GitHub for preservation? ---
  5. kiynox, in "HWID Lock Script?":
     [ @_insidious ] --- For the last couple of days, I have found a universal pattern to find most IDs on Google Play.
     - Most UUIDs start with a "$" sign
     - Hashes start with "AB-"
     - Tokens start with "CAMS"
     - Long unique strings often carry ":" at the front
     - Cached memory usually starts with six "00", then the content comes after it.
     --- I've utilized most of that and come up with multiple patterns; save them as "tablet.lua":

     patterns = {
         [1] = {
             [1] = { ["pattern"] = "h 24", ["init"] = 1, ["ended"] = 37 },
             ["message"] = "Universal ID",
             ["regex"] = "^[a-zA-Z0-9-]*$",
             ["must"] = "",
             ["flags"] = true
         },
         [2] = {
             [1] = { ["pattern"] = "h 41 42 2D", ["init"] = 0, ["ended"] = 204 },
             ["message"] = "Universal Hash",
             ["regex"] = "^[a-zA-Z0-9-_]*$",
             ["must"] = "",
             ["flags"] = true
         },
         [3] = {
             [1] = { ["pattern"] = "h 43 41 4D 53", ["init"] = 0, ["ended"] = 208 },
             ["message"] = "Universal Header",
             ["regex"] = "^(.*=)",
             ["must"] = "^[a-zA-Z0-9-_=]*$",
             ["flags"] = true
         },
         [4] = {
             [1] = { ["pattern"] = "h 63 6F 6D 2E 67 6F 6F 67 6C 65 2E 61 6E 64 72 6F 69 64 2E 67 6D 73", ["init"] = 29, ["ended"] = 65 },
             [2] = { ["pattern"] = "h 67 6D 73", ["init"] = 10, ["ended"] = 46 },
             ["message"] = "GMS UUID",
             ["regex"] = "^[a-zA-Z0-9-]*$",
             ["must"] = "-",
             ["flags"] = true
         },
         [5] = {
             [1] = { ["pattern"] = "h 70 68 65 6E 6F 74 79 70 65 5F 73 65 72 76 65 72 5F 74 6F 6B 65 6E", ["init"] = 38, ["ended"] = 246 },
             ["message"] = "Phenotype Server Token",
             ["regex"] = "^(.*=)",
             ["must"] = "^[a-zA-Z0-9-_=]*$",
             ["flags"] = false
         }
     }

     --- Now you can call the patterns from "tablet.lua" (save it in the same directory!) in our main script:

     app = gg.getTargetInfo().packageName
     dofile("./tablet.lua")
     options = {}
     results = {}

     -- datas: one {pattern, init, ended} entry; parent: the pattern group it belongs to
     function is_unique(datas, parent, flags)
         unique = false
         gg.clearResults()
         gg.searchNumber(datas["pattern"], gg.TYPE_BYTE, false, gg.SIGN_EQUAL, 0, -1, 0)
         result_count = gg.getResultsCount()
         if result_count > 0 then
             bases = gg.getResults(result_count)
             for _ = 1, result_count do
                 raw_init = const(bases[_].address, datas["init"])  -- header plus fixed text to skip
                 raw_end = const(bases[_].address, datas["ended"])  -- whole window from the hit
                 deciph = hexdecode(raw_end:sub(#raw_init + 1))      -- strip only the prefix, keep the value
                 regex = deciph:match(parent["regex"])
                 must = false
                 if regex ~= nil then
                     if regex:match(parent["must"]) then
                         must = true
                     end
                 end
                 if regex ~= nil and must ~= false then
                     unique = regex
                     table.insert(results[parent["message"]], regex)
                     if flags == true then
                         break
                     end
                 end
             end
         end
         return unique
     end

     -- read `buffer` bytes starting at addr and return them as an uppercase hex string
     function const(addr, buffer)
         construct = ""
         current = {}
         for _ = 1, buffer do
             current[_] = {address = (addr - 1) + _, flags = gg.TYPE_BYTE}
         end
         for k, v in ipairs(gg.getValues(current)) do
             construct = construct .. string.format("%02X", v.value & 0xFF)
         end
         return construct
     end

     function hexdecode(hex)
         return (hex:gsub("%x%x", function(digits) return string.char(tonumber(digits, 16)) end))
     end

     -- try every sub-pattern of a group (twice each) until one yields a value
     function looper(datas, flags)
         pattern = false
         results[datas["message"]] = {}
         for key, value in ipairs(datas) do
             if type(key) == "number" then
                 for ___ = 1, 2 do
                     pattern = is_unique(value, datas, flags)
                     if pattern ~= false then
                         break
                     end
                 end
             end
             if pattern ~= false then
                 break
             end
         end
     end

     function printer()
         flags = false
         for k in pairs(results) do
             if flags == true then
                 break
             end
             for v in pairs(results[k]) do
                 print(results)
                 choice = gg.alert(k .. ': ' .. results[k][v], 'OK', 'Exit')
                 if choice == 2 then
                     flags = true
                     break
                 end
             end
         end
     end

     for k, v in ipairs(patterns) do
         table.insert(options, v["message"])
     end

     while true do
         choice = gg.choice({"Exit", "Search", "Printer"}, nil, "Selections:")
         if choice == 2 then
             choice = gg.choice(options, nil, "Patterns:")
             if choice ~= nil then  -- the user may cancel the dialog
                 looper(patterns[choice], patterns[choice]['flags'])
             end
         elseif choice == 3 then
             printer()
         else
             os.exit()
         end
     end

     --- Using the universal pattern can take a while (even a long time), but it can capture all possible unique IDs.
  6. [ @DARK_DEMON_SCRIPTER ] --- I also suffer from those "waiting times". I often recompile APKs to make cracked ones, and it runs into 2 hours of compile time. An alternative option is to use Modded MT Manager or GM Manager (Modded MT); it has: decompile, recompile, merge APKs into one. Unfortunately, I wasn't able to use it because of bugs (crash upon runtime), so there's a chance it might work on your device. --- You can get MT Manager or GM Manager through Telegram; there are a lot of them.
  7. [ @DARK_DEMON_SCRIPTER ] --- You can use: APKToolM; you can use the cracked one, as it is paid. You can also use: SAI for APKS. --- For Windows you can also use: SAP for APKS. ---
  8. [ @Ishaan77 ] --- It is interesting to see that the Android Daemon isn't able to hook the system framework: there's a lot of "Bad Address" mentioned, meaning Game Guardian couldn't find the correct address. ---
     android-daemon: SH loaded
     android-daemon: c 30097 1 0xd3932020 385
     android-daemon: Reader started 30679
     breakpoint: status(57f) WIFSTOPPED(1) WIFEXITED(0) WIFSIGNALED(0) WTERMSIG(127) WEXITSTATUS(5), WCOREDUMP(0) WSTOPSIG(5)
     elf_hook32 failed open: '[anon:libc_malloc]'
     VM_FAIL 2: -1 13706000, 4, 14, Bad address
     It looks like the SpeedHack is working fine for a while, but then it is abruptly exited by a breakpoint and led to "Bad Address" again. I don't exactly know what's causing this behavior since there's no mention of anything; I guess the logs aren't verbose enough to show the footprint. --- It is interesting that SELinux is already on Permissive; is there any difference when you try to change the SELinux state through Termux:
     su
     setenforce 1 --Enforcing/Enable
     setenforce 0 --Permissive/Disable
     You can try to play with both values (1 and 0) and then set Game Guardian to work with SELinux: Game Guardian -> "Fix It" button -> "Work with SELinux" --- I can only offer some suggestions on why this could happen:
     > The game somehow has patched this, either through detection, then relocates the actual speedhack to another address.
     > If the game is online multiplayer, the server may enforce the actual value on the game while relocating the address.
     > Unwanted behavior of Game Guardian or SELinux that prevents accessing the system framework.
     --- I can only judge based on the logs that you've provided. Either try to stay on the older version or find an individual speedhack, since the Game Guardian Speedhack is accelerating the entire game. More like a player speedhack, etc.
  9. [ @SamePerson ] ---
     if gg.isVisible(true) then
         HMM = 1 --Also change "HMM" variable to 1
         gg.setVisible(false) --Hide Game Guardian UI
     end
     The script will try to hide the Game Guardian UI if it's being shown on the screen. It also changes the variable "HMM" to 1 if the UI is being shown. I'm not sure what the variable "HMM" is being used for, as you don't show us the full script. Perhaps you need to find something like "if HMM ==" or any reference to the variable "HMM" to really see what's going on. --- I suggest you send the script to my Private Message. I'm more than happy to help. Here's some reference: isVisible, setVisible
 10. [ @SamePerson ] --- Most languages are ordered from top to bottom and left to right. This is a common concept: you should declare something before it's called. That includes functions and variables. Consider moving all the function blocks to the upper part of the script (including global variables). Perhaps you should attach your script here so others can fix the problem. --- If your script is for personal use only, you can send the script through Direct Message. We can't fix all the errors in your script based only on a few screenshots.
 11. [ @Kakapulvur ] --- This topic is incomplete. Please provide the following information:
     - Provide the game's link
     - Provide the kinds of hack that you want
     - Provide some screenshots, video or steps that you've tried, so we can understand more about the problem.
     ---
 12. kiynox, in "VIP":
     [ @Descobertas_Digitais ] --- Why can't I edit my own comment? I can't even edit my own typos. What should I do to get this feature? ---
 13. kiynox, in "VIP":
     [ @XEKEX ] --- Is there any special permission for having VIP+, Contributors, Modding Team, and Ascended? ---
 14. [ @Stillo ] --- It is normal. Libil2cpp or LibUE4 is popular because there are a lot of references to it; it is a library where the game stores much of its in-game data. If your game doesn't have this, you would likely have to find the value manually, unlike Libil2cpp.so, where there are many tools that allow you to see the game data from that library. ---
 15. kiynox, in "HWID Lock Script?":
     [ @everyone ] --- I have fixed the pattern to be applicable on most devices, tested on Emulators and a Virtual Machine:
     print("GMS ID:", is_unique("h 3A 24", 2, 38, "^[a-zA-Z0-9-]*$"))
     ---
 16. kiynox, in "HWID Lock Script?":
     [ @MAARS ] --- Oh right. Finding JSON-generated content in memory based on @XEKEX's suggestion, I only found these at runtime:
     {"backend":"dex","compilation-mode":"release","has-checksums":false,"min-api":15,"pg-map-id":"8207912","r8-mode":"full","sha-1":"d0a9eb1e5efb08c60145b38f7ff5028013d0bbc1","version":"8.2.5-dev"}
     {"packageName":"com.pubg.newstate","productId":"google.global.preorder.permanent.evcar","purchaseTime":1622560953876,"purchaseState":0,"purchaseToken":"elhfcoiikbmbgocondejdmgf.AO-J1OxvkT-wu3mT46MmpzmK5wGgq19l4jktOmwuRtyieslSRth-3YUi5S2S3rZ6YYlyy3AWCjl523MiI2A0Hlr2UHwXHX_syA"}
     Which is nothing really unique. --- I have explored more directories from the Google Play Store, where there's only a fair amount of things; unless you're planning to bind the account to a Google Account, there's a lot of them.
     print("GMS ID:", is_unique("h 6E 3A 24", 3, 39, "^[a-zA-Z0-9-]*$"))
     --Result:
     Script ended: GMS ID: 2b00f672-c6f5-45ce-b515-a7f2fcdbd6d2
     Script ended: GMS ID: 9d24361c-5eca-40a2-8f92-382c005a5795
     --- Well, that's the concept; I think it should be enough for someone to figure it out themselves.
 17. kiynox, in "HWID Lock Script?":
     [ @expensivedebris ] --- Mine also already grabs the UUID from "ADID-CACHED-VALUE": --- The difference with @MAARS is that he's merging the result of "gg.getTargetInfo()" -> converting its characters into bytes with some hash key "4294967296" -> and the result is a custom unique ID; it is not a UUID though. Meanwhile, I'm getting the info purely from Memory, which isn't really reliable (but the value is consistent). --- I might look into this and search for some static value.
 18. kiynox, in "HWID Lock Script?":
     [ @_insidious ] --- It means that the pattern being searched is already flushed out of memory, thus resulting in a "false" result. There are several ways to avoid this:
     - Freeze the game first while searching for the value.
     - Perform multiple pattern searches, meaning if one value is non-existent, the script will perform another search with a different pattern.
     - You can do "something" inside the app/game to make the value appear again in memory. For example: you can comment on / download some apps on the Play Store to spawn the "gsf id" in memory. GSF ID is unique and it is bound to the device, formerly known as Android ID.
     --- In this case, I recommend finding a static value, which usually only exists in a read-only region of memory. Of course you can also use @MAARS's suggestion that uses package naming, but doing it with memory, you can do more beyond that. For example, you can bind the script to only work with a certain in-game account, etc. --- In this case, I definitely recommend you do multiple pattern searches (instead of one), if you're going to use this way. Memory is unreliable.
 19. kiynox, in "HWID Lock Script?":
     [ @XEKEX ] --- I have mentioned this above; looks like the OP is having difficulty finding one. So I will add more to the suggestion:
     {" [" {[ {{ }, ],
     You can find the generated JSON using the patterns above. --- Another problem: memory is often flushed once in a while, as the OP mentioned here: There are several ways to avoid this, which I will explain later.
 20. kiynox, in "HWID Lock Script?":
     [ @_insidious ] --- Then you can change it with another ID from both locations I mentioned earlier (or an app-generated ID in memory): Concept. You can use the code above as a template, don't be lazy. --- Since I don't have multiple devices, I can only test it on an Emulator with multiple instances. Here's the working one, choose between Google Play & Google Play Services:

     -- headers: Game Guardian hex pattern of the text preceding the value
     -- init: bytes to skip from the hit; ends: total bytes to read from the hit
     function is_unique(headers, init, ends, pattern)
         unique = false
         gg.clearResults()  -- drop stale hits from a previous search
         gg.searchNumber(headers, gg.TYPE_BYTE, false, gg.SIGN_EQUAL, 0, -1, 0)
         result_count = gg.getResultsCount()
         bases = gg.getResults(result_count)
         for _ = 1, result_count do
             raw_init = const(bases[_].address, init)
             raw_end = const(bases[_].address, ends)
             deciph = hexdecode(raw_end:sub(#raw_init + 1))  -- strip only the prefix, keep the value
             if deciph:match(pattern) then
                 unique = deciph
                 break
             end
         end
         return unique
     end

     -- read `buffer` bytes starting at addr and return them as an uppercase hex string
     function const(addr, buffer)
         construct = ""
         current = {}
         for _ = 1, buffer do
             current[_] = {address = (addr - 1) + _, flags = gg.TYPE_BYTE}
         end
         for k, v in ipairs(gg.getValues(current)) do
             construct = construct .. string.format("%02X", v.value & 0xFF)
         end
         return construct
     end

     function hexdecode(hex)
         return (hex:gsub("%x%x", function(digits) return string.char(tonumber(digits, 16)) end))
     end

     app = gg.getTargetInfo().packageName
     if app == "com.android.vending" then --Google Play Store
         --[shared_pref] finsky.xml
         print("Ads Unique ID:", is_unique("h 61 64 69 64 2D 63 61 63 68 65 64 2D 76 61 6C 75 65", 64, 99, "^[a-zA-Z0-9-]*$"))
     elseif app == "com.google.android.gms" then --Google Play Services
         --[database] google_app_measurement.db
         print("Instance ID:", is_unique("h 63 6F 6D 2E 67 6F 6F 67 6C 65 2E 61 6E 64 72 6F 69 64 2E 70 6C 61 79 2E 67 61 6D 65 73", 29, 61, "^[a-z0-9]*$"))
     end

     --- I'm expecting some effort on your part and not just "this doesn't work, meh". At least ask me what parts you don't understand.
 21. kiynox, in "HWID Lock Script?":
     [ @_insidious ] --- I don't know what you're expecting; this is not some kind of algorithm or anything that should be made up from scratch. The concept is really simple:
     Initialization: the script gets the unique ID from memory -> reserves it on the server / pastebin / dispenser (server with dynamic address / IP) -> creates some cache file to indicate the script is already initialized (avoid duplicate initialization).
     Verification: the script scrapes the server -> parses the keys from the server (per line) -> if the key exists, the user can access the menu.
     --- Even though the user can intercept the request that Game Guardian has made (to see the server address), the user can't do anything since the password uses the unique ID. In theory, you can also save it within the script (bundled inside), but I prefer to store it somewhere on the server or at least pastebin. For initialization, you can get the unique ID from memory using this script:

     -- read `buffer` bytes starting at addr and return them as an uppercase hex string
     function const(addr, buffer)
         construct = ""
         current = {}
         for _ = 1, buffer do
             current[_] = {address = (addr - 1) + _, flags = gg.TYPE_BYTE}
         end
         for k, v in ipairs(gg.getValues(current)) do
             construct = construct .. string.format("%02X", v.value & 0xFF)
         end
         return construct
     end

     function hexdecode(hex)
         return (hex:gsub("%x%x", function(digits) return string.char(tonumber(digits, 16)) end))
     end

     gg.clearResults()  -- drop stale hits from a previous search
     gg.searchNumber("h 67 63 6D 2D 72 65 67 69 73 74 72 61 74 69 6F 6E 2D 69 64 2D 6F 6E 2D 73 65 72 76 65 72", gg.TYPE_BYTE, false, gg.SIGN_EQUAL, 0, -1, 0)
     result_count = gg.getResultsCount()
     base_addr = gg.getResults(result_count)
     unique = false
     for _ = 1, result_count do
         raw_init = const(base_addr[_].address, 47)   -- header plus fixed text to skip
         raw_end = const(base_addr[_].address, 138)   -- whole window from the hit
         deciph = hexdecode(raw_end:sub(#raw_init + 1))  -- strip only the prefix, keep the value
         if string.match(deciph, "^[a-zA-Z0-9-]*$") then
             unique = deciph
             break
         end
     end
     print("Unique ID:", unique)

     --- If you're interested in some explanation, ask me.
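The header / skip / window / regex extraction that posts 5, 20 and 21 implement as Game Guardian Lua, rewritten here in Python as an added example (not code from the thread) so the offsets and regex can be tried offline against a saved memory region before touching a device, and so a defender can check which identifiers a process leaves in cleartext memory. The region bytes, the adid value and the offsets 19/55 are constructed for this sample; the 64/99 pair in the thread is for the real finsky layout.

```python
import re

# Constructed sample "memory region": six zero bytes (post 5's cached-memory
# prefix), then a finsky-style shared_pref fragment. The adid value is made up.
SAMPLE_REGION = (
    b"\x00\x00\x00\x00\x00\x00"
    b'<string name="adid-cached-value">'
    b"d41d8cd9-98f0-4204-a985-2ecf8427e0f5"
    b"</string>\n<int name=\"appVersion\" value=\"1\" />"
)

# Game Guardian byte-search notation for "adid-cached-value", as used in post 20.
ADID_HEADER = "h 61 64 69 64 2D 63 61 63 68 65 64 2D 76 61 6C 75 65"


def gg_hex_to_bytes(pattern):
    """Parse Game Guardian's "h 61 64 ..." byte pattern into bytes."""
    if not pattern.startswith("h "):
        raise ValueError("expected a Game Guardian hex pattern starting with 'h '")
    return bytes(int(b, 16) for b in pattern.split()[1:])


def is_unique(region, header, init, ended, regex):
    """Mirror of the thread's is_unique(): for every hit of `header`, read
    `ended` bytes from the hit, drop the first `init` bytes (the header and
    any fixed text before the value) and return the first decoded value that
    fully matches `regex`. Returns None when nothing matches, which is what a
    flushed region (post 18) looks like; an empty match is rejected because
    the thread's `[...]*$` patterns would otherwise accept it."""
    needle = gg_hex_to_bytes(header)
    rx = re.compile(regex)
    pos = region.find(needle)
    while pos != -1:
        window = region[pos + init:pos + ended]
        decoded = window.decode("latin-1")  # raw bytes, never fails
        if decoded and rx.match(decoded):
            return decoded
        pos = region.find(needle, pos + 1)
    return None


def first_match(region, candidates):
    """Post 18's advice: try several (header, init, ended, regex) patterns and
    keep the first that survives instead of trusting a single one."""
    for header, init, ended, regex in candidates:
        value = is_unique(region, header, init, ended, regex)
        if value is not None:
            return value
    return None


if __name__ == "__main__":
    # 19 = len("adid-cached-value") + len('">'), 55 = 19 + 36 chars of UUID
    print(is_unique(SAMPLE_REGION, ADID_HEADER, 19, 55, r"^[a-zA-Z0-9-]*$"))
    # A window that runs into "</string>" fails the regex and yields None
    print(is_unique(SAMPLE_REGION, ADID_HEADER, 19, 60, r"^[a-zA-Z0-9-]*$"))
```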
 22. kiynox, in "HWID Lock Script?":
     [ @_insidious ] --- Are you referring to the UUID mentioned by @MAARS? Or using the way I did? --- As an answer, perhaps you can start with the Google Play Store itself. Since Google acquired Android, the Play Store will exist on most devices (excluding Custom ROMs). Then, you can take some Token values or any values in general from /data/data/com.android.vending. For example: com.google.android.gcm.xml
     <?xml version='1.0' encoding='utf-8' standalone='yes' ?>
     <map>
         <int name="appVersion" value="83621110" />
         <string name="regId">ffY2DJdZRw-cpaNyeWAwWj:APA91bHN7PMqL3vWendxHZ4eAH9Eq1j9hKzO47WA-qvhqYfj6m5LKCD9BLDELJ1gUg96GhmpsCaqRvAGhRvCVgxBBZNNyP1sleUcvco1WwQvvnMf-BD6lYzb-cFNoHYTRmc2YSVXmxNo</string>
     </map>
     You can then later check if the "regId" exists, by scanning for it in memory. ---
 23. kiynox, in "HWID Lock Script?":
     [ @_insidious ] --- Sorry, I should've explained it better. Since processes sit under /proc, you can in fact see your device information through process memory alone, so you don't necessarily need to use some shell command or even access /proc externally. There are a lot of ways to do this; the @MAARS approach is universally applicable since it's utilizing package naming, awesome stuff. You can also invoke some device properties through the User-Agent (used when making a request), but as mentioned, it is easy to spoof, thus it's weak. --- Well, I usually like the #1 option, which utilizes the game-stored ID. You can explore /data/data/shared_prefs or /data/data/database of the game, and find some Unique ID that is bound to the device. For example: PUBGM has a file called "device_id.xml" which contains the User ID and Device ID. The Device ID is unique, since the game generates it based on your Device. Then you can either scan it through memory or dump it based on /proc/maps and parse its content. --- For example in Minecraft, the device ID is stored inside /data/data/shared_prefs/com.mojang.minecraftpe_preferences, which will look like:
     <?xml version='1.0' encoding='utf-8' standalone='yes' ?>
     <map>
         <string name="com_mojang_file_storage">Ji0PKAQqaXELCUg0AyQwdBUXPTgKZyJ3cgQiBTMFOQk/ECF1TAkLelIyCHN6bVhaWyplBlcqIFoEOGR9OwABB3AaLyg1I3cpVBQSQDFFDwIQOAYoAzN5ew==</string>
         <string name="deviceId">ce78c99876d04dfe80312166d94a4229</string>
         <int name="correlationAttempts" value="8" />
     </map>
     Which will then be parsed by the game (you can find it in Memory):
     {
         "device": "ce78c99876d04dfe80312166d94a4229", --device id
         "branch": "r/19_u8",
         "build": "1.19.80.22",
         "commit": "059f41fd2fecb3b7c568aa89b088ea3d1baf5a96",
         "id": "c7a648a4-4158-443d-9cc9-16c2f04bc83b",
         "tags": {
             "experiments": "[]",
             "versionCode": "981908022"
         },
         "begin": 1687328730,
         "flavor": "Publish",
         "crash": 0
     }
     --- My point is: Memory is already exposing a lot, so you shouldn't need to use Shell or access the root namespace.
 24. [ @Kirill_000 ] --- It means that the global-metadata.dat is already flushed from memory. You need to relaunch the game to load it again. ---
 25. kiynox, in "HWID Lock Script?":
     [ @_insidious ] --- Then you can use option number 2 & 3. Game Guardian installation differs from device to device. If you really want it to depend on HWID, you can poke at anything inside /proc, especially /proc/cpuinfo. ---