Showing results for tags 'il2cpp'.

Found 5 results

  1. Hello GameGuardian community!

    Today, I'm excited to share a video tutorial on discovering techniques for Android Unity Game Modding. This includes decompiling the il2cpp library, dumping classes, and editing memory addresses using Game Guardian, IDA Pro, and il2cppdumper for patching memory addresses in the libil2cpp library for any game. For illustration, I've used "Sniper Warrior: PvP Sniper" as an example. We'll specifically focus on the No Recoil Camera Hack in this tutorial.

    This is also an open collaboration for reverse engineering the game "Sniper Warrior: PvP Sniper v0.0.3 build 19". The goal is to find new techniques for identifying classes to edit and discovering new hacks for this game, continuously expanding our knowledge.

    You can watch the video below:

    Watch on YouTube:
    Watch on Vimeo:
    Download video from Google Drive: https://drive.google.com/file/d/1fROYs_0XCJsXMuex8amP-BSsINCp-BYL/view?usp=sharing

    Hey guys, I've already posted the template script. You can find it at this URL: Lua script template v0.0.0: Patching memory addresses in the libil2cpp library | by Phantom Combat Venue | example game :: Sniper Warrior: PvP Sniper v0.0.3 build 19

    Last updated on Aug 29, 2023 (#14nagcf4)

    * You can download the game from: https://apkcombo.com/sniper-warrior-pvp-sniper/com.horus.sniper.warrior/download/apk
    * For jadx (Dex to Java decompiler), you can find it here: https://github.com/skylot/jadx/releases
    * If you need apktool, you can download it here: https://apktool.org/ , although it is not required for this method. I've included it to view the smali classes code.

    Download 7-zip from https://www.7-zip.org/download.html
    Download il2cppdumper from : https://github.com/Perfare/Il2CppDumper/releases
    Download Notepad++ from : https://notepad-plus-plus.org/downloads/
    To download IDA Pro, visit https://hex-rays.com/ida-pro/ or reverse your own pro version
    Download VSCode from https://code.visualstudio.com/download

    Happy scripting!
    Your friend, Phantom Combat Venue.

    -- I will be truly happy if members reply to my post with new hacks or techniques to find more hacks.
    -- So, this is a challenge for you.
    -- Yes, you! Read my post.
  2. MAARS

    Patcher

    Version 2.4.1

    450 downloads

    Patcher

    Patcher is a game guardian library for patching memory addresses. It provides a simple interface and handles the on/off state of patching.

    Installation

    Download the latest version of patcher from here and add it to your project. You can also load the latest version of Patcher from the cdn using the following code.

        local _, Patcher = pcall(load(gg.makeRequest("https://pastebin.com/raw/wz1sfmWF").content))

    Usage

    Make sure to place the Patcher.lua file in the same directory as your script.

        local Patcher = require("Patcher")

        local il2cpp = Patcher.getBaseAddr("libil2cpp.so")
        local libunity = Patcher.getBaseAddr("libunity.so")

        local p = Patcher.new({
          title = "Custom Title",
        })

        p:add({
          name = "Damage Multiplier",
          address = il2cpp + 0x18643A8,
          patch = "01 04 A0 E3 1E FF 2F E1r",
        })

        p:add({
          name = "HP Multiplier",
          address = libunity + 0x1864F88,
          patch = "01 04 A0 E3 1E FF 2F E1r"
        })

        p:run()

    For more information about how to use the library, please check the repo
  3. MAARS

    Patcher

    View File: Patcher

    Patcher

    Patcher is a game guardian library for patching memory addresses. It provides a simple interface and handles the on/off state of patching.

    Installation

    Download the latest version of patcher from here and add it to your project. You can also load the latest version of Patcher from the cdn using the following code.

        local _, Patcher = pcall(load(gg.makeRequest("https://pastebin.com/raw/wz1sfmWF").content))

    Usage

    Make sure to place the Patcher.lua file in the same directory as your script.

        local Patcher = require("Patcher")

        local il2cpp = Patcher.getBaseAddr("libil2cpp.so")
        local libunity = Patcher.getBaseAddr("libunity.so")

        local p = Patcher.new({
          title = "Custom Title",
        })

        p:add({
          name = "Damage Multiplier",
          address = il2cpp + 0x18643A8,
          patch = "01 04 A0 E3 1E FF 2F E1r",
        })

        p:add({
          name = "HP Multiplier",
          address = libunity + 0x1864F88,
          patch = "01 04 A0 E3 1E FF 2F E1r"
        })

        p:run()

    For more information about how to use the library, please check the repo

    Submitter: MAARS
    Submitted: 02/18/2023
    Category: Tools
  4. I wrote a script after looking at Work around with libil2cpp and GG using offset (#by5yarnv) (thanks to @TekMonts for the awesome article), but it didn't work out as I thought, so I'm asking you a question.

    I find the offset value that I want to change through dnspy, and I got the address and hex code of the offset through HxD.

        local memFrom, memTo, lib, num, lim, results, src, ok = 0, -1, nil, 0, 32, {}, nil, false

        function name(n)
          if lib ~= n then
            lib = n
            local ranges = gg.getRangesList(lib)
            if #ranges == 0 then
              print("⚠ERROR: " .. lib .. " are not found!⚠")
              gg.toast("⚠ERROR: " .. lib .. " are not found!⚠")
              os.exit()
            else
              memFrom = ranges[1].start
              memTo = ranges[#ranges]["end"]
            end
          end
        end

        function hex2tbl(hex)
          local ret = {}
          hex:gsub(
            "%S%S",
            function(ch)
              ret[#ret + 1] = ch
              return ""
            end
          )
          return ret
        end

        function original(orig)
          local tbl = hex2tbl(orig)
          local len = #tbl
          if len == 0 then
            return
          end
          local used = len
          if len > lim then
            used = lim
          end
          local s = ""
          for i = 1, used do
            if i ~= 1 then
              s = s .. ";"
            end
            local v = tbl[i]
            if v == "??" or v == "**" then
              v = "0~~0"
            end
            s = s .. v .. "r"
          end
          s = s .. "::" .. used
          gg.searchNumber(s, gg.TYPE_BYTE, false, gg.SIGN_EQUAL, memFrom, memTo)
          if len > used then
            for i = used + 1, len do
              local v = tbl[i]
              if v == "??" or v == "**" then
                v = 256
              else
                v = ("0x" .. v) + 0
                if v > 127 then
                  v = v - 256
                end
              end
              tbl[i] = v
            end
          end
          local found = gg.getResultCount()
          results = {}
          local count = 0
          local checked = 0
          while true do
            if checked >= found then
              break
            end
            local all = gg.getResults(8)
            local total = #all
            local start = checked
            if checked + used > total then
              break
            end
            for i, v in ipairs(all) do
              v.address = v.address + myoffset
            end
            gg.loadResults(all)
            while start < total do
              local good = true
              local offset = all[1 + start].address - 1
              if used < len then
                local get = {}
                for i = lim + 1, len do
                  get[i - lim] = {address = offset + i, flags = gg.TYPE_BYTE, value = 0}
                end
                get = gg.getValues(get)
                for i = lim + 1, len do
                  local ch = tbl[i]
                  if ch ~= 256 and get[i - lim].value ~= ch then
                    good = false
                    break
                  end
                end
              end
              if good then
                count = count + 1
                results[count] = offset
                checked = checked + used
              else
                local del = {}
                for i = 1, used do
                  del[i] = all[i + start]
                end
                gg.removeResults(del)
              end
              start = start + used
            end
          end
        end

        function replaced(repl)
          num = num + 1
          local tbl = hex2tbl(repl)
          if src ~= nil then
            local source = hex2tbl(src)
            for i, v in ipairs(tbl) do
              if v ~= "??" and v ~= "**" and v == source[i] then
                tbl[i] = "**"
              end
            end
            src = nil
          end
          local cnt = #tbl
          local set = {}
          local s = 0
          for _, addr in ipairs(results) do
            for i, v in ipairs(tbl) do
              if v ~= "??" and v ~= "**" then
                s = s + 1
                set[s] = {["address"] = addr + i, ["value"] = v .. "r", ["flags"] = gg.TYPE_BYTE}
              end
            end
          end
          if s ~= 0 then
            gg.setValues(set)
          end
          ok = true
        end

        function HOME()
          A = gg.multiChoice(
            {
              "AutoaimDistance",
              "Exit"
            },
            nil,
            "qwer098 Prototype"
          )
          if A == nil then
          else
            if A[1] == true then
              AutoaimDistance()
            end
            if A[1] == true then
              os.exit()
            end
          end
        end

        function AutoaimDistance()
          gg.setRanges(gg.REGION_CODE_APP | gg.REGION_C_DATA)
          name('libil2cpp.so')
          myoffset = 0x3175834
          original('F4 4F BE A9 FD 7B 01 A9')
          replaced('7A 04 44 E3 1E FF 2F E1')
          gg.toast("Done!")
        end

        HOME()

    ...and I wrote the script, referencing the article above, and I ran it in the game.

    And here's the result. I don't think I found the wrong offset. Of course, I'll have to try something more diverse, but I don't think that offset was useless. And there are too many unexpectedly searched values, like 300k. (I don't know if this is wrong; do other scripts work this way too?) Plus, the offset value is float, but in gg it's written as byte.

    If you have any tips on Hex Patch, please let me know. It's not easy..
  5. A new major update of the game 'Night of the Full Moon' is coming out soon, which kinda caught my attention. I was able to mod an older version of the game (1.5.1.37), but that approach doesn't work for the newest version anymore (1.5.1.50).

    Here's my analysis:

    - The developers use their own anti-tamper solution called 'HProtect'. It (was?) responsible for decrypting the metadata, and it also force closed the game if any changes were detected.
    - They updated HProtect, and I wasn't able to figure out what it does now.
    - The metadata in the old version of the game was obviously obfuscated, but the one in the new version is not, since the 4 magic bytes are valid (I uploaded some screenshots).
    - The il2cpp.so binary seems to be valid and not encrypted at all.

    Things that I tried so far:

    - Using the zygisk il2cppdumper didn't work (dump.cs hasn't been created), but it did work with the old version of the game though.
    - Dumping via GameGuardian worked, but the output was identical to the file you get from the apk.
    - il2cppdumper gives me the "System.IO.EndOfStreamException: Unable to read beyond the end of the stream" error when trying to dump.
    - il2cppInspector says "could not verify the integrity of the metadata file or accurately identify the metadata sub-version" when selecting the metadata file.
    - Libdumper didn't work (also produced the identical output).

    I'm kinda lost at this point, it would be great if someone could help me out with this. Also, please let me know if I forgot to include something. Thanks in advance

    Attachments:

    - Metadata from the newest version.rar
    - Metadata from the older version.rar
    - Newest version of HProtect.rar
    - Older version of HProtect.rar