Everything posted by saiaapiz

  1. Thanks! Really useful feature to analyse scripts.
  2. I see, there is a lot of work to do. Handling, hiding, lots more things to cover up. So I stayed with the trampoline. Thank you.
  3. No watchpoint support. Backtrace? I can only find LR (the address of the current function's caller). I've created shellcode that saves R0-R12 and LR onto the stack, then copies the stack address into my allocated region so I can read it with a script.

     ROM:00000000                 STMFD   SP!, {R0-R12,LR}   ; save the hooked function's R0-R12 and LR
     ROM:00000004                 LDR     R0, =0xBBBBBBBB     ; R0 = _stackaddress (placeholder, patched when installed)
     ROM:00000008                 STR     SP, [R0]            ; publish SP so the script can read the saved registers
     ROM:0000000C
     ROM:0000000C isLocked                                    ; CODE XREF: ROM:00000014↓j
     ROM:0000000C                 LDR     R0, =0              ; R0 = current value of _spinlockctl (re-read every iteration)
     ROM:00000010                 CMP     R0, #1              ; the script writes 1 when it is done (note: CPSR flags are clobbered here and not restored)
     ROM:00000014                 BNE     isLocked
     ROM:00000018                 LDMFD   SP!, {R0-R12,LR}   ; restore the saved registers
     ROM:0000001C                 LDR     PC, =0xAAAAAAAA     ; jump back to _returnaddress
     ROM:0000001C ; ---------------------------------------------------------------------------
     ROM:00000020 _returnaddress  DCD 0xAAAAAAAA              ; DATA XREF: ROM:0000001C↑r
     ROM:00000024 _stackaddress   DCD 0xBBBBBBBB              ; DATA XREF: ROM:00000004↑r
     ROM:00000028 _spinlockctl    DCD 0                       ; DATA XREF: ROM:isLocked↑r

     It works like this: first, I hook an address that contains interesting info. Then I make it jump into this shellcode. After it jumps, the shellcode saves R0-R12 and LR onto the stack, then writes the stack address to _stackaddress. The shellcode will wait for the spinlock before continuing execution.
  4. Yes, it looks like when you set up a breakpoint with gdb, where you can view/change registers in real time. In short, can you add an API for PTRACE_SETREGS and PTRACE_GETREGS into GG, so we can view registers at any address? Nope, Chainer was used to find pointer chains.
  5. Yep, you can change any value inside a register.
  6. I wish Enyby would add this feature into GG, so I can avoid compatibility issues with shellcode. We can get dynamic pointers by viewing their registers, and make cheating more advanced.
  7. I've tried hacking this game too, but I stopped because it was time consuming. This game is based on the Corona engine, whose files can all be pulled from the *.car archive. Inside the *.car archive there are a lot of Lua scripts handling how the game works. Maybe you should try to mod the apk.
  8. Read this, there is also an answer to the question about PC + 8. https://azeria-labs.com/memory-instructions-load-and-store-part-4/
  9. Sorry, my bad. It only failed when I enabled 'Hide from game 4'. The latest GG works just fine.
  10. I see, so the problem was from GG after 76.1?
  11. When I tried to modify the .text region in PUBG Mobile, GG failed to alter its memory. Maybe they utilize a technique like this https://github.com/changeofpace/Self-Remapping-Code or something else? What do you think?
  12. Idk, it just works. I didn't read hundreds of pages of ARM documentation.
  13. Let me explain this real quick. How do they load the offset and calculate the address? Explanation: PC = (current instruction address + 0x8)

     00000000 LDR R0, [PC, #0x1C] ; Calculated as R0 = (PC:00000008 + 0x1C = 00000024). Read the value at 00000024, which is 0x14, and put it into R0.
     00000004 ADD R0, PC, R0      ; Again, R0 = (PC:0000000C + 0x14 (Offset) = 00000020)
     00000008 MOV R1, #0x1234     ; Move 0x1234 into R1
     0000000C STR R1, [R0]        ; Store R1 (0x1234) at address R0 (00000020)
     00000010 BX LR               ; Jump to LR (LR is the register that stores the address of this function's caller)
     00000014 ALIGN 0x10
     00000020 MyValue DCD 0x0
     00000024 Offset  DCD 0x14

     You can find a lot of information here: The ARM instruction set
  14. Yep, IDA confuses us by showing the value pointing directly to the target address. Actually, the true opcode looks like this: LDR R0, [PC, #0x4] Idk how to explain it; you can find the ARM opcode documentation on Google. It describes how each instruction works. @Un_Known
  15. Yes, you're correct. This pushes the offset into a register, then adds it to PC. So PC + Offset leads to dword_36BD38, which is the targeted address. R3 is the address of dword_36BD38.
  16. 0000 LDR R3, =(dword_36BD38 - 0x19D86C) -- Load the offset into R3
     0004 ADD R3, PC, R3 ; dword_36BD38       -- R3 = PC + Offset (R3)
     0008 CMP R0, #0                           -- Check whether R0 equals 0
     000C STR R0, [R3]                         -- Store R0 into [R3] (R3 = dword_36BD38)
     0010 MOVLT R2, #0x7FFFFFFF                -- If R0 is less than 0, put 0x7FFFFFFF (2147483647) into R2
     0014 STRLT R2, [R3]                       -- If R0 is less than 0, store R2 (2147483647) into [R3] (R3 = dword_36BD38)

     The conclusion is: if R0 is less than 0, then put 2147483647 into bss:dword_36BD38. Anyway, if you don't understand the logic, the F5 hotkey may come in handy.
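The following is an added example written for this page; it is not code from any of the posts above or from GameGuardian. It makes the "PC + 8" rule from posts 13 and 14 concrete by encoding and decoding the real A32 `LDR Rd, [PC, #imm]` and `ADD Rd, PC, Rm` words (IDA hides the immediate behind `=value`), walking a constructed image of post 13's listing to recover the address 0x20, and modelling the signed `LT` test behind post 16's `MOVLT`/`STRLT`. All function names, the image layout and the `cond=AL` restriction are assumptions of the example.

```python
# Added example (not from the original posts): A32 PC-relative literal loads and the PC + 8 rule.
import struct

PC_AHEAD = 8  # In ARM (A32) state, reading PC yields the current instruction's address + 8.


def pc_value(insn_addr):
    """Value of PC as observed by the instruction located at insn_addr."""
    return insn_addr + PC_AHEAD


def encode_ldr_pc_imm(rd, insn_addr, literal_addr):
    """Encode 'LDR Rd, [PC, #imm]' (cond=AL) so it reads the word at literal_addr.
    IDA renders this as 'LDR Rd, =<value>' and hides the immediate it computes here."""
    delta = literal_addr - pc_value(insn_addr)
    if not -4096 < delta < 4096:
        raise ValueError("literal out of range for a 12-bit offset")
    u_bit = 1 if delta >= 0 else 0  # bit 23: add (1) or subtract (0) the offset from PC
    # cond=1110, 01, I=0, P=1, U, B=0, W=0, L=1, Rn=1111 (PC), Rd, imm12
    return ((0xE << 28) | (0b01 << 26) | (1 << 24) | (u_bit << 23) | (1 << 20)
            | (0xF << 16) | (rd << 12) | abs(delta))


def decode_ldr_pc_imm(word):
    """Inverse of encode_ldr_pc_imm: returns (rd, signed_imm), or None if not that form."""
    if (word >> 28) != 0xE or ((word >> 16) & 0xF) != 0xF:
        return None
    if ((word >> 20) & 0xFF) not in (0x59, 0x51):  # U=1 / U=0 variants of P=1 B=0 W=0 L=1
        return None
    imm = word & 0xFFF
    if not (word >> 23) & 1:
        imm = -imm
    return (word >> 12) & 0xF, imm


def decode_add_rd_pc_rm(word):
    """Decode 'ADD Rd, PC, Rm' (register form, no shift, cond=AL): returns (rd, rm) or None."""
    if (word >> 28) != 0xE or ((word >> 20) & 0xFF) != 0x08:  # I=0, opcode=0100 (ADD), S=0
        return None
    if ((word >> 16) & 0xF) != 0xF or ((word >> 4) & 0xFF) != 0:  # Rn=PC, shifter field zero
        return None
    return (word >> 12) & 0xF, word & 0xF


def run_ldr_add_idiom(mem, base=0):
    """Walk 'LDR Rd, [PC, #imm]; ADD Rd, PC, Rd' at byte offset `base` of `mem`
    (addresses are image offsets) and return the address left in Rd."""
    w0, w1 = struct.unpack_from("<II", mem, base)
    ldr, add = decode_ldr_pc_imm(w0), decode_add_rd_pc_rm(w1)
    if ldr is None or add is None:
        raise ValueError("not the LDR/ADD PC-relative idiom")
    rd, imm = ldr
    literal_addr = pc_value(base) + imm  # first instruction: PC = base + 8
    offset = struct.unpack_from("<I", mem, literal_addr)[0]
    add_rd, rm = add
    if rm != rd:
        raise ValueError("ADD does not consume the register the LDR loaded")
    return (pc_value(base + 4) + offset) & 0xFFFFFFFF  # second instruction: PC = base + 4 + 8


# Constructed image of post 13's listing (assumption: only the two PC-relative instructions
# are encoded; 0x08..0x1F is zero padding, MyValue sits at 0x20 and Offset (0x14) at 0x24).
POST13_IMAGE = bytearray(0x28)
struct.pack_into("<I", POST13_IMAGE, 0x00, encode_ldr_pc_imm(0, 0x00, 0x24))  # LDR R0, [PC, #0x1C]
struct.pack_into("<I", POST13_IMAGE, 0x04, 0xE08F0000)                        # ADD R0, PC, R0
struct.pack_into("<I", POST13_IMAGE, 0x24, 0x14)                              # Offset DCD 0x14


def store_with_lt_clamp(r0):
    """Post 16 semantics: CMP R0, #0 ; STR R0, [R3] ; MOVLT R2, #0x7FFFFFFF ; STRLT R2, [R3].
    LT means N != V, a signed test, so any word with bit 31 set (e.g. 0xFFFFFFFF = -1)
    ends up replaced by 0x7FFFFFFF. Returns the final word left at dword_36BD38."""
    r0 &= 0xFFFFFFFF
    return 0x7FFFFFFF if r0 & 0x80000000 else r0


if __name__ == "__main__":
    print(hex(encode_ldr_pc_imm(0, 0x00, 0x24)))  # 0xe59f001c
    print(hex(run_ldr_add_idiom(POST13_IMAGE)))   # 0x20
    print(hex(store_with_lt_clamp(0xFFFFFFFF)))   # 0x7fffffff
```

The practical consequence for a cheat script is the last function: writing a "big" unsigned value such as 0xFFFFFFFF into R0 before that code runs gets clamped to 2147483647, because the conditional instructions test the signed flags, not the raw bit pattern.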
  17. G-presto hates me

     G-Presto can be bypassed only on a rooted device. I bypassed their detection within 5 clicks.
  18. Battleland Royal | ESP, Radar, ... Features: ○ ESP ○ Radar ○ Instant Pickup • If you like my script, don't forget to ❤ it! Submitter saiaapiz Submitted 06/25/2019 Category LUA scripts
  19. Version 1.0.1


     Features: ○ ESP ○ Radar ○ Instant Pickup • If you like my script, don't forget to ❤ it!
  20. ...
     -- main code
     gg.searchNumber("9904B8A0h", gg.TYPE_AUTO, false, gg.SIGN_EQUAL, 0, -1)
     -- Added code!
     _resultCount = gg.getResultCount()
     if _resultCount > 0 then -- Check for results before using the value.
       _result = gg.getResults(1) -- Get list entry no. 1.
       _address = _result[1].address + 0xF0 -- Add 0xF0 to the address of list entry no. 1.
       gg.alert(string.format("Original Address: 0x%X\nAddress With Offset 0xF0: 0x%X", _result[1].address, _address))
       -- Edit the value at the address we offset above.
       gg.setValues({{address = _address, flags = gg.TYPE_DWORD, value = 0x1}})
     end
     com.shinybox.smash.lua
  21. It's easy: copy all the content of the script you attached above, then add a few lines of code. 1. Get all listed items. 2. Get the address and add the offset. 3. gg.setValues
  22. So the emulator just translates the binary by reading it, without setting the executable bit? Interesting. Thank you @Enyby for updating it.
  23. @VortexInfinity As I don't use an emulator, I need you to provide this.
  24. I've confirmed there is only an armv7 lib in the apk, so it is forced to load the ARM lib. Then the ARM lib should be loaded into memory. Idk why GG failed searching for it. Maybe the loaded lib is not marked as a code app region?