Jump to content

saiaapiz

Ascended
  • Content Count

    152
  • Donations

    $0.00 
  • Joined

  • Last visited

  • Days Won

    3

Everything posted by saiaapiz

  1. Maybe this would be useful, function rwmem(Address, SizeOrBuffer) assert(Address ~= nil, "[rwmem]: error, provided address is nil.") _rw = {} if type(SizeOrBuffer) == "number" then _ = "" for _ = 1, SizeOrBuffer do _rw[_] = {address = (Address - 1) + _, flags = gg.TYPE_BYTE} end for v, __ in ipairs(gg.getValues(_rw)) do _ = _ .. string.format("%02X", __.value & 0xFF) end return _ end Byte = {} SizeOrBuffer:gsub("..", function(x) Byte[#Byte + 1] = x _rw[#Byte] = {address = (Address - 1) + #Byte, flags = gg.TYPE_BYTE, value = x .. "h"} end) gg.setValues(_rw) end -- Usage: readedMem = rwmem(0xAABBCCDD, 128) -- Read 0xAABBCCDD with 128 size. rwmem(0xDDCCBBAA, readedMem) -- Write readedMem memory into 0xDDCCBBAA.
  2. Thanks, no plan yet for x86, maybe armv8 soon.
  3. View File Regview (ARMv7) Spent alot of time with debugging ? Breakpoint crashing ? blablabla xD ? Use this, might usefull when you want to know the caller, encrypted pointer, anything inside register. - Features: Dump register Copy register to clipboard Jump onto register Note: Only work on ARMv7. Don't forget to leave ❤, if it help you. Source: Github Submitter saiaapiz Submitted 10/02/2019 Category Tools  
  4. saiaapiz

    Regview (ARMv7)

    Version 1.1

    505 downloads

    Spent alot of time with debugging ? Breakpoint crashing ? blablabla xD ? Use this, might usefull when you want to know the caller, encrypted pointer, anything inside register. - Features: Dump register Copy register to clipboard Jump onto register Note: Only work on ARMv7. Don't forget to leave ❤, if it help you. Source: Github
  5. Yeah, im thinking about the same thing. Maybe they check for gg dex code ?
  6. Sound like rocket science to me xD Anyway thumbs up for giving explaination
  7. Actually, i've seen some apps requesting for access to devices screen. I think maybe they would do remote screenshot, then manually find for hacking tool overlay. I wish you could filter any access that required root, give user a warning like you do in gg.makeRequest. That would scripting enviroment better.
  8. I wish @Enyby could add this, i think other scripter will need this too. Control GG icon overlay visibility. We need this to hide GG from getting caught from screenshot. Get 'Hide GameGuardian from game status'. Sometime user that uses script complain about game being crashed, or script has no effect on game. Drawing abilities. xD Access game data, such /data/data/<target app>.
  9. Currently, only one way i know possible for that. Use 0 ~ 255 for unknown byte pattern. and add it with known pattern. So it will become 0~255;0~255;C8h;42h ...
  10. Thanks ! Really usefull feature to analyse script.
  11. I see, There alot of work need to do. Handling, hiding, lot more thing to cover up. So i stayed with trampoline. Thank you.
  12. Not watchpoint support. Backtrace ? I only can find LR (Address of current function caller.) I've created shellcode that save R0-R12, LR into stack. Then copy the stack address into my allocated region, so i can read it with script. ROM:00000000 STMFD SP!, {R0-R12,LR} ROM:00000004 LDR R0, =0xBBBBBBBB ROM:00000008 STR SP, [R0] ROM:0000000C ROM:0000000C isLocked ; CODE XREF: ROM:00000014↓j ROM:0000000C LDR R0, =0 ROM:00000010 CMP R0, #1 ROM:00000014 BNE isLocked ROM:00000018 LDMFD SP!, {R0-R12,LR} ROM:0000001C LDR PC, =0xAAAAAAAA ROM:0000001C ; --------------------------------------------------------------------------- ROM:00000020 _returnaddress DCD 0xAAAAAAAA ; DATA XREF: ROM:0000001C↑r ROM:00000024 _stackaddress DCD 0xBBBBBBBB ; DATA XREF: ROM:00000004↑r ROM:00000028 _spinlockctl DCD 0 ; DATA XREF: ROM:isLocked↑r It work like this, Firstly, i hooked an address that contain interesting info. Then, i make it jump into this shellcode, After it jump.. Shellcode will save R0-R12, LR into stack. then write the stack address at _stackaddress. this shellcode will wait for spinlock before continuing execution.
  13. Yes, it look like when you setting up breakpoint with gdb, where you can view/change register in realtime. In short terms, can you add api for PTRACE_SETREGS and PTRACE_GETREGS into GG, So we can view register on any address. Nope, Chainer was used to find pointer chain.
  14. Yep, u can change any value inside register.
  15. I wish enyby would add this feature into GG, so i can avoid compatibility issue with shellcode. We can get dynamic pointer by viewing its register, and make cheating more advanced.
  16. I've tried hacking this game too, which i stopping hacking cuz time consuming.. this game based on Corona Engine which all files can be pulled from *.car archive. Inside *.car archive there alot lua script handling how the games work. Maybe you should try to mod the apk.
  17. Read this, there also answer for question about PC + 8. https://azeria-labs.com/memory-instructions-load-and-store-part-4/
  18. Sorry, my bad. It only failed when i enabled 'Hide from game 4'. Latest GG work just fine.
  19. I see, so the problem was from GG after 76.1 ?
  20. When i tried to modified .text region on PUBG Mobile, GG was failed to alter its memory. Maybe they utilize like this technique https://github.com/changeofpace/Self-Remapping-Code or something else ? What do you think ?
  21. Idk, it just works. I didn't read hundred pages of arm documentation.
  22. Let me explain this real quick. How they load offset, and calculate address ? Explanation: * PC = (Current Instruction Address + 0x8) 00000000 LDR R0, [PC, 0x1C]; Its calculated like this, R0 = (PC:00000008 + 0x1C = 00000024). Read val at 00000024 which is 0x14, then put into R0. 00000004 ADD R0, PC, R0 ; Again, R0 = (PC:0000000C + 0x14 (Offset) = 00000020) 00000008 MOV R1, #0x1234; Move 0x1234 into R1 0000000C STR R1, [R0]; Store R1:0x1234 value into R0:00000020 address. 00000010 BX LR; Jump into LR (LR is register that store address of this function caller.) 00000014 ALIGN 0x10 00000020 MyValue DCD 0x0 00000024 Offset DCD 0x14 You can find lot of information here, The ARM instruction set
  23. Yep, Ida make we confuse by looking its value pointing directly to target address. Actually, true opcode look like this LDR R0, [PC, #0x4] Idk how to explain it, you can find arm opcode documentation on google. They describe how each instruction work. @Un_Known
  24. Yes, you're correct. This push offset into register, then add it with PC. So PC + Offset lead to dword_36BD38 which is targeted address. R3 is address of dword_36BD38
×
×
  • Create New...