ryanhn717

I actually just figure it out last night, even the game is hot fixed, all the field offsets are running normally in memory. Normally means we can get the correct field offsets like we do in other game without hotfix. So it not like what I mentioned above. the reason to "You will find it weird like most offset are the same" only simply because I used the "tools". If we check the field structure, we can get the correct offsets then.

Some update till now... I kept to learn the basic knowledge for IL2CPP and Unity 3D HOTFIX project. Which leads me to understand more about the hotfix process, especially when we are facing the CLR running mechanism, which exactly what I questioned using the HybridCLR method to hot update. It turns out that we can not dump the injected "hotfix.dll" file (this is the correct one, sy I mistype above) with memory offset. Cos all the function is runing on CLR timely. There is a simple way to figure it out whether it is using CLR by using the reverse lookup lua script to check the namespace: class: field etc. You will find it weird like most offset are the same. One solution (I am on this way now) Get the hotfix.dll out as what I mentioned above. Searching the right class, field, function etc. Which then can be used in GameGuardian hacking and Frida Hook. I am still learning how to reach the next steps.

My Purpose : Dumping the game to get the dump.cs, which including all class name, field, methods and the most important "offset" etc. So certain memory hack can be made (or script). My Question: When a game using hot-update, e.g. via HybridCLR , so normal-dump-method when we use the Il2CppDumper ( neither based on andriod or Windows, or using Zygisk etc) can not dump the FULL file out. Here normal-dump-method means below three methods: 1、extract game apk file and get " global-metadata.dat file" and "IL2cpp.so file", then dump. 2、Using GG in game memory to directly export the "global-metadata.dat memory" to ***** .bin file(then rename to global-metadata.dat) and "IL2cpp.so memory" to ***** . bin file, then dump. 3、Using GG in game memory via magic letter (464C457Fh - il2cpp / FAB11BAFh - metadata) to export the " global-metadata.dat file" and "IL2cpp.so file", then dump. We can not dump full, Because when game using hot-update, normally the "hotfix.dll" (e.g.) injected is separate from the original files, and new information which contained in the "hotfix.dll" is not in the original il2cpp.so file. It leads the result we can not get any useful info when we using normal-dump-method. One solution: Using GG in game memory via puting the DOS-PE header Letter " MZ "(magic head in decimal : 9460301 ) , and export all the C# DLL file to *****.bin file. Then using "get_dll_from_dumped_bin.exe" tool to convert all the *****.bin file you exported from the running game to *****.bin file. We can find the "hotfix.bin" (maybe different name) file. You can use Dnspy or other similar tool to check. All information we need is inside. MY FINALL QUESTION: After we get the "hotfix.bin" file, how can we dump it to get the dump.cs ? I mean how can we get the ingame memory class, filed, method and the most important offset ?

Really impressive ! Lesson 3 : Value put in utf16 as Ascii. One upper Dword control the value length. [First lesson in Game Guardian : Normal Xor encrytion (X4 ...X24; 3 or 4 lines encryption)///Second lesson in Game Guardian: Xor bitwise - hex - 2nd&3nd byte swapped] So About what Nofear said. An afterclass summary: Change gem value 600, then we got 3 numbers length, number 6, number 0, number 0 Looking into memory, we found these: Dword 6 (Value length in 2 bytes), 6 means the value is 3 numbers including "-" if needed. and if we want a result -999999 , that is 7 numbers length, so we need to change the 6 to 14. 0 (Idk this line'meaning in coding) 54 (ASCII means 6) in Byte 48 (ASCII means 0) in Byte 48 (ASCII means 0) in Byte Then happy changing. We want -999999, so we change Dword 6 to 14、 54 to 45 (45 ASCII means "-")、48 to 57 （57 ASCII means 9）， and we need more 9, so change below lines also. That what Nofear' vedio shows. A wonderful leasson here. Thanks so much. KEEP LEANING !

I solved it happy. Here is the process. Thanks to Game Guardian Forum, I learnt a lot. KEEP LEARNING !

Hi guys, I am recently working on hacking a single game, but it seems the game use very special encrytion similar to Xor, but far complex. I had some basic Xor knowledge like X4..X24 (address offset), or encrytion value near the Xor key. etc. But this time really confused me a lot. it seems using multi Xor ? maybe this ? A ^ B = a C ^ D = b a ^ b = 5000(real value e.g.) (After I find the value, change it directly, the game crash. Then I change the nearby value together, it works but detected as Cheat. I tried to find the Xor key nearby, but failed.) Here a short video shows you how it looks, Hope someone can help me out. Really appreciate!!! 20231113120956.mp4