saiaapiz

Posts posted by saiaapiz

  1. Call Of Duty: Mobile Cheats !


    Features :-
    - Wallhack
    - Radar
    - Distance ESP
    - Aimlock
    - No Recoil
    - No Spread
    - Instant Fire
    - Much more coming soon !

    How to use :-
    - Execute aPizClient.
    - Use 'freemium' as the username.
    - Select xCODM.
    - Toggle your desired cheats, and enjoy !

    Note :-
    - Make sure you hide GG to prevent getting banned !
    - This script will be outdated in 3 days !

    For more information, checkout http://t.me/apizhax !


    Gameplay :-


  2. Maybe this would be useful,
     

    -- rwmem(Address, Size)   -> reads Size bytes at Address, returns an upper-case hex string.
    -- rwmem(Address, Buffer) -> writes the hex string Buffer at Address, one byte at a time.
    function rwmem(Address, SizeOrBuffer)
    	assert(Address ~= nil, "[rwmem]: error, provided address is nil.")
    	local items = {}
    	if type(SizeOrBuffer) == "number" then
    		-- Read mode: one TYPE_BYTE entry per byte, then hex-encode the values.
    		for i = 1, SizeOrBuffer do
    			items[i] = {address = Address + i - 1, flags = gg.TYPE_BYTE}
    		end
    		local hex = {}
    		for i, v in ipairs(gg.getValues(items)) do
    			hex[i] = string.format("%02X", v.value & 0xFF)
    		end
    		return table.concat(hex)
    	end
    	-- Write mode: SizeOrBuffer is a hex string; every byte pair becomes one TYPE_BYTE write.
    	assert(type(SizeOrBuffer) == "string" and #SizeOrBuffer % 2 == 0,
    		"[rwmem]: error, buffer must be an even-length hex string.")
    	local n = 0
    	for pair in SizeOrBuffer:gmatch("..") do
    		n = n + 1
    		-- GG accepts hex values written with an "h" suffix.
    		items[n] = {address = Address + n - 1, flags = gg.TYPE_BYTE, value = pair .. "h"}
    	end
    	gg.setValues(items)
    end
    
    -- Usage:
    readedMem = rwmem(0xAABBCCDD, 128) -- Read 128 bytes starting at 0xAABBCCDD.
    rwmem(0xDDCCBBAA, readedMem) -- Write the bytes in readedMem to 0xDDCCBBAA.

     

  3. Regview (ARMv7)


    Wanna debug your code ?
    But too lazy to start remote debugging ?
    Use this, just put in your address and you're ready to go !

    Use this, it might be useful when you want to know the caller, an encrypted pointer, or anything inside a register.

    - Features:

    • Dump Register
    • Write Register
    • Copy register to clipboard
    • Jump to register

    Note: Only works on 32-bit ARM processes.

    Don't forget to leave , if it helps you.

    Source: Github


     

  4. 6 hours ago, Enyby said:

    Also in GG present screenshot feature. Just tell user about that. Do not try move this functionality to script.

    75.0: Take a screenshot - GameGuardian (#2p4xqqav)

     

    Actually, I've seen some apps requesting access to the device's screen.
    I think maybe they take a remote screenshot, then manually look for a hacking tool overlay.

     

    3 hours ago, Enyby said:

    To do something inside /data/app you need root rights. Scripts never get root rights. I explained why.

    So write text instructions, and show a message to the user. No other way.

    I wish you could filter any access that requires root and give the user a warning, like you do in gg.makeRequest.
    That would make the scripting environment better.

  5. I wish @Enyby could add this, I think other scripters will need this too.

    • Control GG icon overlay visibility. We need this to hide GG from getting caught by a screenshot.
    • Get the 'Hide GameGuardian from game' status. Sometimes users that use the script complain
      about the game crashing, or the script having no effect on the game.
    • Drawing abilities. xD
    • Access game data, such as /data/data/<target app>. 
  6. 3 hours ago, Enyby said:

    To use these features, you need to be constantly connected to the process, then cause a stop in the right place, through a software or hardware breakpoint, and then watch the registers. There is another option with step-by-step running.
    This is how gdb works.
    GG does not constantly trace the process. GG connects, searches and disconnects. And that's all.

    Therefore, it cannot be a breakpoint debugger.
    And you can already write trampolines through scripts, as you described.

    And when GG ptraces the process it stops at a random location, so getting registers is usually useless.

    If you try to throw a trap without ptracing the process, it will be killed by the system in most cases.

    If GG ptraced the process all the time, the game could easily detect it. It also slows down the game and has some other side effects.

    Also, GG is a memory editor, not a debugger. It connects to a random thread of execution. Your trap may never be caught if you place it in the wrong place. For example, you trace thread1, but the trap happens in thread2.

    You need to handle all threads, or the process dies with an uncaught trap. Handling all threads is not easy. And so on.

    These are only a few of the existing problems. Use gdb, where such problems are already solved.

    I see, 

    There's a lot of work that needs to be done. Handling, hiding, lots more things to cover.

    So I stayed with the trampoline.

    Thank you.

  7. 9 minutes ago, NoFear said:

    Watchpoint? (Not breakpoint)

    And it does backtrace too?

    Just find it interesting GG is implementing debugging features when Enyby was/is firmly against it for the last couple of years.

    No watchpoint support.
    Backtrace? I can only find LR (the address of the current function's caller).

    I've created shellcode that saves R0-R12 and LR onto the stack, then copies the stack address into my allocated region, so I can read it with a script.

    ROM:00000000                 STMFD           SP!, {R0-R12,LR}
    ROM:00000004                 LDR             R0, =0xBBBBBBBB
    ROM:00000008                 STR             SP, [R0]
    ROM:0000000C
    ROM:0000000C isLocked                                ; CODE XREF: ROM:00000014j
    ROM:0000000C                 LDR             R0, =0
    ROM:00000010                 CMP             R0, #1
    ROM:00000014                 BNE             isLocked
    ROM:00000018                 LDMFD           SP!, {R0-R12,LR}
    ROM:0000001C                 LDR             PC, =0xAAAAAAAA
    ROM:0000001C ; ---------------------------------------------------------------------------
    ROM:00000020 _returnaddress  DCD 0xAAAAAAAA          ; DATA XREF: ROM:0000001Cr
    ROM:00000024 _stackaddress   DCD 0xBBBBBBBB          ; DATA XREF: ROM:00000004r
    ROM:00000028 _spinlockctl    DCD 0                   ; DATA XREF: ROM:isLockedr


    It works like this:
    First, I hook an address that contains interesting info.
    Then I make it jump into this shellcode. After the jump,
    the shellcode saves R0-R12 and LR onto the stack, then writes the stack address at _stackaddress.
    The shellcode then waits on the spinlock before continuing execution.
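As an added example (not part of saiaapiz's post or of the GG script itself), here is how to decode the frame that `STMFD SP!, {R0-R12,LR}` leaves at the saved stack address once it has been read out of the process, for instance with `rwmem(stack_address, 56)` from post 2, which returns a hex string. STMFD stores the lowest-numbered register at the lowest address, so the 14 little-endian words at SP are R0 through R12 followed by LR. The LR interpretation is standard ARM behaviour (bit 0 set when the caller ran in Thumb state; BL and BLX <imm> are 4 bytes in both states, Thumb BLX <Rm> is 2 bytes); the sample frame values are constructed.

```python
"""Decode the register frame pushed by STMFD SP!, {R0-R12,LR}.

Added example, not code from the original post. Assumes the frame was read from
the saved stack pointer as a hex string (the format rwmem() returns), 56 bytes
long: 14 little-endian 32-bit words, R0 at the lowest address, LR at the highest.
"""
import struct

FRAME_REGS = [f"R{i}" for i in range(13)] + ["LR"]   # STMFD order, low to high
FRAME_SIZE = 4 * len(FRAME_REGS)                     # 56 bytes


def parse_stmfd_frame(hex_dump: str) -> dict:
    """Map the hex dump of the frame back to register names."""
    raw = bytes.fromhex(hex_dump.strip())
    if len(raw) < FRAME_SIZE:
        raise ValueError(f"need {FRAME_SIZE} bytes, got {len(raw)}")
    words = struct.unpack("<14I", raw[:FRAME_SIZE])
    return dict(zip(FRAME_REGS, words))


def describe_caller(lr: int) -> dict:
    """Interpret the saved LR.

    BL/BLX write the address of the instruction after the call into LR; in
    Thumb state bit 0 of LR is set.  BL and BLX <imm> are 4 bytes in both ARM
    and Thumb, while Thumb BLX <Rm> is 2 bytes, so in Thumb there are two
    candidate call sites.  If the hooked function was reached by a plain
    branch (B/BX) rather than a call, LR still belongs to an outer frame, so
    confirm the candidate against the disassembly.
    """
    thumb = bool(lr & 1)
    return_address = lr & ~1
    if thumb:
        candidates = [return_address - 4, return_address - 2]
    else:
        candidates = [return_address - 4]
    return {
        "thumb": thumb,
        "return_address": return_address,
        "call_site_candidates": candidates,
    }


def build_frame_hex(regs: dict) -> str:
    """Inverse of parse_stmfd_frame; used to build the constructed sample below."""
    words = [regs.get(name, 0) & 0xFFFFFFFF for name in FRAME_REGS]
    return struct.pack("<14I", *words).hex().upper()


# Constructed sample: R0..R12 hold 0x10..0x1C, LR is a Thumb return address.
SAMPLE_FRAME_HEX = build_frame_hex(
    {**{f"R{i}": 0x10 + i for i in range(13)}, "LR": 0xC0DE1235}
)


def dump_frame(hex_dump: str) -> str:
    """Human-readable register dump, one register per line, plus the caller guess."""
    regs = parse_stmfd_frame(hex_dump)
    lines = [f"{name:<3} = 0x{value:08X}" for name, value in regs.items()]
    caller = describe_caller(regs["LR"])
    state = "Thumb" if caller["thumb"] else "ARM"
    sites = ", ".join(f"0x{c:08X}" for c in caller["call_site_candidates"])
    lines.append(f"caller state: {state}; call site candidate(s): {sites}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(dump_frame(SAMPLE_FRAME_HEX))
```

In practice the flow is: read the word at `_stackaddress` once the shellcode has parked in its spin loop, read 56 bytes from that address with `rwmem`, feed the hex string to `dump_frame`, and only then write 1 to `_spinlockctl` to release the hooked thread.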

  8. 58 minutes ago, NoFear said:

    @saiaapiz

    Is this like debugging? Finding the offset in the lib to edit? Or not quite? I don't use the script. I just use gdb to debug and get offsets.

    Yes, it looks like when you set up a breakpoint with gdb, where you can view/change registers in real time.
     

    3 hours ago, Enyby said:

    I do not understand what happens here. Describe in detail.

    In short, can you add an API for PTRACE_SETREGS and PTRACE_GETREGS into GG, so we can view registers at any address.

     

    4 hours ago, NoFear said:

    This is using that chainer script?

    I haven't tried using it yet. Does it give offsets in the lib file for modifying registers?

    Nope, Chainer was used to find pointer chains.

  9. 19 hours ago, Un_Known said:

    Why is PC pointing to 0x8? Shouldn't it be pointing to 0x4 from the current address! 

    As the next instruction would always be at 0x4 from the current address,

    as instructions are 32 bits (excluding the Thumb instruction set here) @saiaapiz

    Idk, it just works.

    I didn't read the hundreds of pages of ARM documentation.

  10. Let me explain this real quick.

    How do they load the offset, and calculate the address?

    Explanation: 
    * PC = (Current Instruction Address + 0x8)
    
    00000000         LDR     R0, [PC, 0x1C]; It's calculated like this: R0 = (PC:00000008 + 0x1C = 00000024). Read the value at 00000024, which is 0x14, then put it into R0.
    00000004         ADD     R0, PC, R0 ; Again, R0 = (PC:0000000C + 0x14 (Offset) = 00000020)
    00000008         MOV     R1, #0x1234; Move 0x1234 into R1
    0000000C         STR     R1, [R0]; Store the R1 value (0x1234) at the address in R0 (00000020).
    00000010         BX      LR; Jump to LR (LR is the register that stores the address of this function's caller.)
    00000014         ALIGN 0x10
    00000020 MyValue DCD 0x0
    00000024 Offset  DCD 0x14


    You can find a lot of information here: The ARM instruction set

  11. 2 hours ago, Enyby said:

    Offset from PC in LDR location. Useless in any other place.

     

    Yep, IDA makes us confused by showing its value pointing directly to the target address.

    Actually, the true opcode looks like this: LDR R0, [PC, #0x4]

    Idk how to explain it, you can find ARM opcode documentation on Google. They describe how each instruction works.

    @Un_Known

  12. Quote

    Okk if I change MOVLT to MOV

    and STRLT to STR

    then the value will always be 2147483647 because it will bypass the condition check 

    is it correct

    Yes, you're correct.

    Quote

    and plz elaborate this part =(dword_36BD38 - 0x19D86C)

    This pushes the offset into a register, then adds it to PC. So PC + Offset leads to dword_36BD38, which is the targeted address.

    Quote

    What would be the value in the R3 register

    R3 is the address of dword_36BD38

  13. 0000	LDR		R3, =(dword_36BD38 - 0x19D86C) -- Load offset to R3
    0004	ADD		R3, PC, R3  ; dword_36BD38 -- R3 = PC + Offset (R3)
    0008	CMP		R0, #0 -- Check if R0 value equal to 0
    000C	STR		R0, [R3] -- Store R0 value into R3 (R3 = dword_36BD38)
    0010	MOVLT	R2, #0x7FFFFFFF -- If R0 value less than 0, then put (0x7FFFFFFF) 2147483647 into R2.
    0014	STRLT	R2, [R3] -- If R0 value less than 0, then store R2 value which is 2147483647, into R3 (R3 = dword_36BD38)

    The conclusion is: if the R0 value is less than 0, then put 2147483647 into bss:dword_36BD38.

    Anyway, if you don't understand the logic, the F5 hotkey may come in handy.
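The PC-relative rule discussed in post 10 (PC reads as the current instruction address + 8 in ARM state) and the `LDR R3, =(dword_36BD38 - 0x19D86C)` / `ADD R3, PC, R3` pair in post 13 are the same mechanism. The following is an added example, not code from either post or from GG: it decodes the two A32 instruction forms involved (LDR literal and ADD Rd, PC, Rm, using the A1 encodings from the ARM Architecture Reference Manual), steps through a constructed copy of the post 10 listing, and reproduces IDA's `=(sym - 0xNNNN)` literal. The memory contents are constructed, and the ADD in post 13 is assumed to sit at 0x19D864 (IDA's 0x19D86C being the PC value at that instruction, with image base 0 so that dword_36BD38 lives at 0x36BD38).

```python
"""PC-relative address arithmetic in A32 (ARM state) code.

Added example, not from the original posts. It applies the rule the posts
state (reading PC gives the address of the current instruction + 8) by
decoding the two instruction forms involved, LDR Rt, [PC, #imm] and
ADD Rd, PC, Rm, and stepping through a constructed copy of the listing in
post 10. Encodings follow the ARM Architecture Reference Manual A1 forms;
the memory contents and the 0x19D864 ADD address are assumptions.
"""

PC_OFFSET_ARM = 8   # value read from PC in ARM state; Thumb state would be +4
MASK32 = 0xFFFFFFFF


def decode(addr: int, instr: int) -> tuple:
    """Classify one 32-bit instruction word located at `addr`."""
    # LDR (literal), A1: cond 010 1 U 0 0 1 1111 Rt imm12
    if instr & 0x0F7F0000 == 0x051F0000:
        rt = (instr >> 12) & 0xF
        imm12 = instr & 0xFFF
        add = bool(instr & (1 << 23))                 # U bit: add or subtract
        base = (addr + PC_OFFSET_ARM) & ~3            # Align(PC, 4)
        lit_addr = (base + imm12) if add else (base - imm12)
        return ("LDR_LIT", rt, lit_addr & MASK32)
    # ADD{S} Rd, PC, Rm (register form, no shift), A1:
    # cond 0000100 S 1111 Rd 00000 00 0 Rm
    if instr & 0x0FEF0FF0 == 0x008F0000:
        rd = (instr >> 12) & 0xF
        rm = instr & 0xF
        return ("ADD_PC", rd, rm)
    return ("OTHER", instr)


def run_listing(base: int, words: list, mem: dict, regs=None) -> dict:
    """Step through `words` (instruction words starting at `base`) and apply only
    the PC-relative instructions; `mem` maps word-aligned addresses to data words."""
    regs = dict(regs or {})
    for i, instr in enumerate(words):
        addr = base + 4 * i
        kind = decode(addr, instr)
        if kind[0] == "LDR_LIT":
            _, rt, lit_addr = kind
            regs[f"R{rt}"] = mem[lit_addr]            # literal pool read
        elif kind[0] == "ADD_PC":
            _, rd, rm = kind
            regs[f"R{rd}"] = (addr + PC_OFFSET_ARM + regs[f"R{rm}"]) & MASK32
    return regs


# Constructed copy of the listing in post 10, assembled at address 0:
#   0000  LDR  R0, [PC, #0x1C]   ; E59F001C  -> reads the word at 8 + 0x1C = 0x24
#   0004  ADD  R0, PC, R0        ; E08F0000  -> R0 = 0xC + 0x14 = 0x20
#   0008  MOVW R1, #0x1234       ; E3011234  (0x1234 is not an 8-bit rotated immediate)
#   000C  STR  R1, [R0]          ; E5801000
#   0010  BX   LR                ; E12FFF1E
LISTING_BASE = 0x0
LISTING_WORDS = [0xE59F001C, 0xE08F0000, 0xE3011234, 0xE5801000, 0xE12FFF1E]
LISTING_DATA = {0x20: 0x0, 0x24: 0x14}               # MyValue, Offset


def ida_literal(target: int, add_addr: int) -> int:
    """The value IDA shows as =(sym - 0xNNNN): the literal that makes
    ADD Rd, PC, Rd land on `target` when the ADD sits at `add_addr`."""
    return (target - (add_addr + PC_OFFSET_ARM)) & MASK32


def resolve_add_pc(literal: int, add_addr: int) -> int:
    """Runtime result of ADD Rd, PC, Rd with `literal` already in Rd."""
    return (add_addr + PC_OFFSET_ARM + literal) & MASK32


if __name__ == "__main__":
    regs = run_listing(LISTING_BASE, LISTING_WORDS, LISTING_DATA)
    print(f"R0 after the ADD: 0x{regs['R0']:X}")      # 0x20, as in post 10
    # Post 13: IDA printed =(dword_36BD38 - 0x19D86C), i.e. PC at the ADD is
    # 0x19D86C, so the ADD itself is at 0x19D864 (assumed; image base 0).
    lit = ida_literal(0x36BD38, 0x19D864)
    print(f"literal 0x{lit:X} -> R3 = 0x{resolve_add_pc(lit, 0x19D864):X}")
```

The `Align(PC, 4)` step in the LDR decoder is why the +8 rule is exact for 4-byte aligned ARM code; in Thumb state the same instruction reads PC as instruction + 4, so a script that patches addresses must know which state the hooked code runs in.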

  14. 3 hours ago, nalcwap said:

    but how add?thanks

    ...
    
    -- main code
    gg.searchNumber("9904B8A0h", gg.TYPE_AUTO, false, gg.SIGN_EQUAL, 0, -1)
    
    -- Added Code !
    _resultCount = gg.getResultCount()
    if _resultCount > 0 then -- Check for result, before using value.
    	_result = gg.getResults(1) -- Get list no 1.
    	
    	_address = _result[1].address + 0xF0 -- Add 0xF0 at address list of no 1.
    
    	gg.alert(string.format("Original Address: 0x%X\nAddress With Offset 0xF0: 0x%X", 
    	_result[1].address, _address))
    	
    	-- Edit value on address that we added with offset before.
    	gg.setValues({{address = _address, flags = gg.TYPE_DWORD, value = 0x1}})
    end

     

    com.shinybox.smash.lua

  15. 3 hours ago, Enyby said:

    Executable bit not set:

    
    04000000-04005000 r--p 00000000 08:11 131304     /data/app/com.makingfun.mageandminions-1/lib/arm/libs3eMATSDK.so
    04005000-04006000 r--p 00004000 08:11 131304     /data/app/com.makingfun.mageandminions-1/lib/arm/libs3eMATSDK.so
    04006000-04007000 rw-p 00005000 08:11 131304     /data/app/com.makingfun.mageandminions-1/lib/arm/libs3eMATSDK.so
    
    04305000-05000000 ---p 00000000 00:00 0 
    05000000-059f7000 r--p 00000000 08:11 131305     /data/app/com.makingfun.mageandminions-1/lib/arm/libAPPmageandminions.so
    059f7000-05a00000 r--p 00000000 00:00 0 
    05a00000-05a22000 r--p 00a00000 08:11 131305     /data/app/com.makingfun.mageandminions-1/lib/arm/libAPPmageandminions.so
    05a22000-05a2e000 rw-p 00a22000 08:11 131305     /data/app/com.makingfun.mageandminions-1/lib/arm/libAPPmageandminions.so

    So it is not gg.REGION_CODE_APP

    So the emulator just translates the binary by reading it, without setting the executable bit?

    Interesting.

    Thank you @Enyby for updating it.
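Enyby's point above rests on the permission column of /proc/<pid>/maps: every segment of both libraries is mapped `r--p` or `rw-p`, never with the `x` bit. As an added example (not from this thread or from GG), the following parses that maps excerpt verbatim and reports, per backing file, whether any segment is executable; `NORMAL_EXCERPT` is a constructed contrast showing how a natively loaded library's text segment normally appears (`r-xp`). The addresses in the constructed lines are made up.

```python
"""Classify /proc/<pid>/maps entries by backing file and executable permission.

Added example, not from the original thread. EMULATOR_EXCERPT is the maps
output Enyby quoted in the post above; NORMAL_EXCERPT is constructed to show
the r-xp text segment a natively loaded library carries.
"""
import re

_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

EMULATOR_EXCERPT = """\
04000000-04005000 r--p 00000000 08:11 131304     /data/app/com.makingfun.mageandminions-1/lib/arm/libs3eMATSDK.so
04005000-04006000 r--p 00004000 08:11 131304     /data/app/com.makingfun.mageandminions-1/lib/arm/libs3eMATSDK.so
04006000-04007000 rw-p 00005000 08:11 131304     /data/app/com.makingfun.mageandminions-1/lib/arm/libs3eMATSDK.so

04305000-05000000 ---p 00000000 00:00 0
05000000-059f7000 r--p 00000000 08:11 131305     /data/app/com.makingfun.mageandminions-1/lib/arm/libAPPmageandminions.so
059f7000-05a00000 r--p 00000000 00:00 0
05a00000-05a22000 r--p 00a00000 08:11 131305     /data/app/com.makingfun.mageandminions-1/lib/arm/libAPPmageandminions.so
05a22000-05a2e000 rw-p 00a22000 08:11 131305     /data/app/com.makingfun.mageandminions-1/lib/arm/libAPPmageandminions.so
"""

# Constructed: the same library as the dynamic linker maps it on a real ARM device.
NORMAL_EXCERPT = """\
c5a00000-c5a05000 r-xp 00000000 08:11 131304     /data/app/com.makingfun.mageandminions-1/lib/arm/libs3eMATSDK.so
c5a05000-c5a06000 r--p 00004000 08:11 131304     /data/app/com.makingfun.mageandminions-1/lib/arm/libs3eMATSDK.so
c5a06000-c5a07000 rw-p 00005000 08:11 131304     /data/app/com.makingfun.mageandminions-1/lib/arm/libs3eMATSDK.so
"""


def parse_maps(text: str) -> list:
    """Parse maps lines into dicts; blank lines are skipped, malformed lines raise."""
    regions = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _MAPS_RE.match(line)
        if not m:
            raise ValueError(f"unparseable maps line: {line!r}")
        regions.append({
            "start": int(m["start"], 16),
            "end": int(m["end"], 16),
            "perms": m["perms"],
            "offset": int(m["offset"], 16),
            "path": m["path"].strip(),
        })
    return regions


def exec_status_by_file(text: str) -> dict:
    """Per backing file: segment count, mapped bytes, and whether any segment has the x bit."""
    out = {}
    for r in parse_maps(text):
        if not r["path"].startswith("/"):      # anonymous mappings carry no file
            continue
        entry = out.setdefault(r["path"], {"segments": 0, "bytes": 0, "executable": False})
        entry["segments"] += 1
        entry["bytes"] += r["end"] - r["start"]
        entry["executable"] = entry["executable"] or ("x" in r["perms"])
    return out


def loaded_without_exec(text: str) -> list:
    """Files under /data/app none of whose segments is executable (the emulator case)."""
    return [path for path, e in exec_status_by_file(text).items()
            if path.startswith("/data/app/") and not e["executable"]]


if __name__ == "__main__":
    for path, e in exec_status_by_file(EMULATOR_EXCERPT).items():
        print(f"{'x' if e['executable'] else '-'} {e['segments']} segs {e['bytes']:#x} {path}")
    print("loaded without exec bit:", loaded_without_exec(EMULATOR_EXCERPT))
```

A script that wants to survive on such an emulator cannot rely on the region flag alone; it has to locate the library by path and offset in the maps output and search those ranges explicitly.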

  16. 35 minutes ago, Enyby said:

    It can load an x86 lib. Even if it loads an arm lib, the device is x86 and uses binary arm translation.

    I've confirmed there is only an armv7 lib in the apk, so it is forced to load the arm lib.

    Then the arm lib should be loaded into memory. Idk why GG failed searching for it. Maybe the loaded lib is not marked as a code app region? 

  17. On 6/20/2019 at 7:15 PM, VortexInfinity said:

    Why can't the script work on an emulator? I'm just curious

    Maybe the way the emulator handles memory is different from a real device.

    @Enyby I'm sorry for tagging you, but can you please check it? Idk why this happens, this script should work on the emulator too since they load the same shared library. But still the same result, it fails.
