Search the Community
Showing results for tags 'il2cpp'.
-
Hello GameGuardian community! Today, I'm excited to share a video tutorial on discovering techniques for Android Unity game modding. This includes decompiling the il2cpp library, dumping classes, and editing memory addresses using GameGuardian, IDA Pro, and il2cppdumper for patching memory addresses in the libil2cpp library for any game. For illustration, I've used "Sniper Warrior: PvP Sniper" as an example. We'll specifically focus on the No Recoil Camera Hack in this tutorial.

This is also an open collaboration for reverse engineering the game ''Sniper Warrior: PvP Sniper v0.0.3 build 19''. The goal is to find new techniques for identifying classes to edit and discovering new hacks for this game, continuously expanding our knowledge.

You can watch the video below:
Watch on YouTube:
Watch on Vimeo:
Download video from Google Drive: https://drive.google.com/file/d/1fROYs_0XCJsXMuex8amP-BSsINCp-BYL/view?usp=sharing

Hey guys, I've already posted the template script. You can find it at this URL: Lua script template v0.0.0: Patching memory addresses in the libil2cpp library | by Phantom Combat Venue | example game :: Sniper Warrior: PvP Sniper v0.0.3 build 19

Last updated on Aug 29, 2023 (#14nagcf4)

* You can download the game from: https://apkcombo.com/sniper-warrior-pvp-sniper/com.horus.sniper.warrior/download/apk
* For jadx (Dex to Java decompiler), you can find it here: https://github.com/skylot/jadx/releases
* If you need apktool, you can download it here: https://apktool.org/ , although it is not required for this method. I've included it to view the smali classes code.
* Download 7-zip from https://www.7-zip.org/download.html
* Download il2cppdumper from: https://github.com/Perfare/Il2CppDumper/releases
* Download Notepad++ from: https://notepad-plus-plus.org/downloads/
* To download IDA Pro, visit https://hex-rays.com/ida-pro/ or reverse your own pro version
* Download VSCode from https://code.visualstudio.com/download

Happy scripting!
Your friend, Phantom Combat Venue.
-- I will be truly happy if members reply to my post with new hacks or techniques to find more hacks.
-- So, this is a challenge for you.
-- Yes, you! Read my post.
- 1 reply
-
- reverse engineering
- Android
- (and 9 more)
-
Version 2.4.1
646 downloads
Patcher
Patcher is a GameGuardian library for patching memory addresses; it provides a simple interface and handles the on/off state of each patch.

Installation
Download the latest version of Patcher from here and add it to your project. You can also load the latest version of Patcher from the CDN using the following code:

local _, Patcher = pcall(load(gg.makeRequest("https://pastebin.com/raw/wz1sfmWF").content))

Usage
Make sure to place the Patcher.lua file in the same directory as your script.

local Patcher = require("Patcher")
local il2cpp = Patcher.getBaseAddr("libil2cpp.so")
local libunity = Patcher.getBaseAddr("libunity.so")

local p = Patcher.new({
  title = "Custom Title",
})

p:add({
  name = "Damage Multiplier",
  address = il2cpp + 0x18643A8,
  patch = "01 04 A0 E3 1E FF 2F E1r",
})

p:add({
  name = "HP Multiplier",
  address = libunity + 0x1864F88,
  patch = "01 04 A0 E3 1E FF 2F E1r"
})

p:run()

For more information about how to use the library, please check the repo.
Regarding the listening function on GameGuardian, my idea is to parse the symbol table of libil2cpp.so through the ELF file structure and parse out some il2cpp API functions in the native layer, such as il2cpp_method_get_name. Its ARM assembly segment is generally:

LDR X0, [X0,#0x18] ~A8
RET

When many functions are called, the pointer of the function instance will be in X0. When assembled by il2cpp_method_get_name, the function name string is read through the offset 0x18. Then we modify the function flow. Since many called functions will execute the assembly of this API function, we can write a unique tag value and actively tag ourselves when the function passes by. Then we can monitor which functions are called by searching for this tag value.

call
LDR X10, [PC,#0xC]
STR X10, [X0,#0x40] ~A8
RET
983466571

We use the LDR instruction to load the tag 983466571 into the useless register X10, and then use the STR instruction to write the tag value to 0x40 of X0 (the function pointer, which is also the first bit of the function structure). Then, when the function is called and this API is executed, it actively exposes itself by writing the STR mark so that I can monitor it. Of course, don't forget to make up for it:

LDR X0, [X0,#0x18] ~A8
RET

Otherwise it will cause the game to crash. The above are some of Shenmi's ideas, and the gglua tool with this function has been written and can be used.
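The first step of the idea above, locating il2cpp API functions by reading the ELF symbol table, as an added example that is not part of the original post and is not the gglua tool mentioned there. It is a small ELF64 section-header and .dynsym/.symtab parser in Python, run against a constructed in-memory ELF that stands in for libil2cpp.so. The two symbol names are real il2cpp runtime API names; the addresses 0x1234560 and 0x1234580 and the section layout are placeholders made up for the example. For a typical Android shared library whose first load segment starts at virtual address 0, the address GameGuardian shows is the library's base plus the st_value returned here (an assumption about the library's load layout, not a fact from the post). The same parser is also a quick way to check whether a build still exports il2cpp_* symbols at all: a build that strips them gives this approach, and Il2CppDumper, nothing to anchor on.

```python
import struct
from typing import Dict, List, Tuple

SHT_SYMTAB = 2
SHT_STRTAB = 3
SHT_DYNSYM = 11
ELF64_SHDR_FMT = "IIQQQQIIQQ"   # Elf64_Shdr fields, 64 bytes, no endianness prefix
ELF64_SYM_FMT = "IBBHQQ"        # Elf64_Sym fields, 24 bytes


def _cstring(data: bytes, off: int) -> str:
    """Read one NUL-terminated name out of a string table section."""
    end = data.index(b"\0", off)
    return data[off:end].decode("ascii", errors="replace")


def parse_elf64_symbols(data: bytes) -> Dict[str, int]:
    """Walk the section headers, visit every .symtab/.dynsym section and
    return {name: st_value} for defined symbols (st_shndx != SHN_UNDEF)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 (EI_CLASS == 2) is handled here")
    e = "<" if data[5] == 1 else ">"            # EI_DATA: 1 = little endian
    (e_shoff,) = struct.unpack_from(e + "Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from(e + "HH", data, 0x3A)
    shdrs = [struct.unpack_from(e + ELF64_SHDR_FMT, data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    symbols: Dict[str, int] = {}
    for sh in shdrs:
        sh_type, sh_offset, sh_size, sh_link = sh[1], sh[4], sh[5], sh[6]
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM):
            continue
        strtab = shdrs[sh_link]                  # sh_link names the matching string table
        if strtab[1] != SHT_STRTAB:
            raise ValueError("symbol table links to a non-STRTAB section")
        str_off = strtab[4]
        for j in range(sh_size // 24):
            st_name, _info, _other, st_shndx, st_value, _size = struct.unpack_from(
                e + ELF64_SYM_FMT, data, sh_offset + j * 24)
            if st_shndx == 0 or st_name == 0:    # undefined import or the null entry
                continue
            symbols[_cstring(data, str_off + st_name)] = st_value
    return symbols


def find_il2cpp_exports(data: bytes) -> List[Tuple[str, int]]:
    """Only the il2cpp runtime API (il2cpp_* names), sorted by address."""
    return sorted(((n, v) for n, v in parse_elf64_symbols(data).items()
                   if n.startswith("il2cpp_")), key=lambda nv: nv[1])


def build_sample_elf() -> bytes:
    """Constructed stand-in for libil2cpp.so: ELF64, little endian, AArch64,
    carrying only .dynsym/.dynstr/.shstrtab. Addresses are placeholders."""
    e = "<"
    dynstr = b"\0il2cpp_method_get_name\0il2cpp_class_get_name\0"
    shstrtab = b"\0.dynsym\0.dynstr\0.shstrtab\0"
    func_global = 0x12                           # STB_GLOBAL << 4 | STT_FUNC
    dynsym = struct.pack(e + ELF64_SYM_FMT, 0, 0, 0, 0, 0, 0)
    dynsym += struct.pack(e + ELF64_SYM_FMT, 1, func_global, 0, 1, 0x1234560, 8)
    dynsym += struct.pack(e + ELF64_SYM_FMT, 24, func_global, 0, 1, 0x1234580, 8)
    dynstr_off = 64                              # right after the 64-byte ELF header
    shstr_off = dynstr_off + len(dynstr)
    dynsym_off = shstr_off + len(shstrtab)
    shoff = dynsym_off + len(dynsym)
    shdrs = struct.pack(e + ELF64_SHDR_FMT, *([0] * 10))                       # SHN_UNDEF
    shdrs += struct.pack(e + ELF64_SHDR_FMT, 1, SHT_DYNSYM, 2, 0, dynsym_off,
                         len(dynsym), 2, 1, 8, 24)                             # link -> .dynstr
    shdrs += struct.pack(e + ELF64_SHDR_FMT, 9, SHT_STRTAB, 2, 0, dynstr_off,
                         len(dynstr), 0, 0, 1, 0)
    shdrs += struct.pack(e + ELF64_SHDR_FMT, 17, SHT_STRTAB, 0, 0, shstr_off,
                         len(shstrtab), 0, 0, 1, 0)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, LSB, version 1
    ehdr += struct.pack(e + "HHIQQQIHHHHHH", 3, 183, 1, 0, 0, shoff, 0,
                        64, 56, 0, 64, 4, 3)             # ET_DYN, EM_AARCH64, 4 shdrs, shstrndx 3
    return ehdr + dynstr + shstrtab + dynsym + shdrs


if __name__ == "__main__":
    for name, addr in find_il2cpp_exports(build_sample_elf()):
        print(f"{name:32s} 0x{addr:x}")
```

To use it on a real file, pass `open("libil2cpp.so", "rb").read()` to `find_il2cpp_exports` instead of the constructed sample; the parser only reads section headers, so it does not need the library to be loaded or the device to be rooted.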
-
Hi Guardians! Dark lord here aka "OREW". Sometimes after opening the APK path not all the files are showing or the folders are empty! Usually that happens when the app files are encrypted ("protected"). To solve this problem we simply need to decrypt the files using the ApktoolM app. After installing the app, follow the instructions:
- Open the app
- Select Applications from the menu
- Select installed applications
- Choose your app
- Click on it once to show the options
- Select Decompile or Decompile resources
- Wait till the process completes
- Exit
- Open the file manager (usually MT)
All the files are here, including lib, metadata, libil2cpp if the game is using Unreal Engine.. And if the game is using Unreal Engine.. then the rest is history. Thx for reading in advance
-
1
-
- Tutoiral
- Show files
- (and 4 more)
-
Hi Guardians! Dark lord here aka "OREW". Usually the libil2cpp file is encrypted (protected), and if the user wants to dump the file he needs a PC, laptop etc.. Well, not anymore. Idk if all the people know about this, but thx to Poko, who provides a modded version of the original Il2CppDumperGUI. Now let's talk about the good stuff.
Package name: Il2CppDumperGUI.apk
Version: v2.0.1
Info: Unity il2cpp reverse engineer
The main idea of it is to decode the il2cpp file to extract the addresses from it and disable the anti-cheat.. Like:
- weapon address
- Damage address
- Speed address
- Resources address
- Anti-cheat event address
- etc...
Change: v2.0.1
- Android 10 crash fixed [#issue-1]
- Now resetting config automatically saved
- Multiple permission window fixed in Android 11 or up
- App icon changed
- Support for Android 12L & 13
- Overall stability and bug fixes
Note: You need the ApktoolM package to extract the il2cpp and metadata if the files are encrypted.
Download: OREW-2CD_GUI.apk
And thx in advance
- 4 replies
-
1
-
- il2cpp
- il2cppdumper
- (and 4 more)
-
View File Patcher
Submitter MAARS
Submitted 02/18/2023
Category Tools
-
A new major update of the game 'Night of the Full Moon' is coming out soon, which kinda caught my attention. I was able to mod an older version of the game (1.5.1.37), but that approach doesn't work for the newest version anymore (1.5.1.50). Here's my analysis:
- The developers use their own anti-tamper solution called 'HProtect'. It (was?) responsible for decrypting the metadata, and it also force-closed the game if any changes were detected.
- They updated HProtect, and I wasn't able to figure out what it does now.
- The metadata in the old version of the game was obviously obfuscated, but the one in the new version is not, since the 4 magic bytes are valid (I uploaded some screenshots).
- The il2cpp.so binary seems to be valid and not encrypted at all.
Things that I tried so far:
- Using the zygisk il2cppdumper didn't work (dump.cs wasn't created), but it did work with the old version of the game.
- Dumping via GameGuardian worked, but the output was identical to the file you get from the apk.
- il2cppdumper gives me the "System.IO.EndOfStreamException: Unable to read beyond the end of the stream" error when trying to dump.
- il2cppInspector says "could not verify the integrity of the metadata file or accurately identify the metadata sub-version" when selecting the metadata file.
- Libdumper didn't work (also produced the identical output).
I'm kinda lost at this point; it would be great if someone could help me out with this. Also, please let me know if I forgot to include something. Thanks in advance
Attachments: Metadata from the newest version.rar, Metadata from the older version.rar, Newest version of HProtect.rar, Older version of HProtect.rar
-
Hi Guardians! Dark lord here aka "OREW". I was trying to hack a specific game and I succeeded in dumping il2cpp.so. After searching for offsets and so on, I found these values, or whatever this $hit is:

// Fields
private IUnitController _unitController; // 0xC
[CompilerGeneratedAttribute] // RVA: 0x3BBE24 Offset: 0x3BBE24 VA: 0x3BBE24
private int <PlayerId>k__BackingField; // 0x10
[CompilerGeneratedAttribute] // RVA: 0x3BBE34 Offset: 0x3BBE34 VA: 0x3BBE34
private bool <DespawnOnLoad>k__BackingField; // 0x14
private static RaycastHit2D[] rayhit; // 0x0
private Collider2D[] _sharedHitColliders; // 0x18
private static int _sharedEnemiesLayer; // 0x4
private static int _sharedWildlifeLayer; // 0x8
private static int _sharedObstaclesLayer; // 0xC
private static readonly int APPrepare; // 0x10
private static readonly int APShoot; // 0x14
private static readonly int APShootPerfect; // 0x18
private static readonly int APStand; // 0x1C
private static readonly int APAttack; // 0x20
private static readonly int APUseSpear; // 0x24
private static readonly int APUseShield; // 0x28
private static readonly int APIdleness; // 0x2C
private static readonly int APSpeed; // 0x30
[HeaderAttribute] // RVA: 0x3BBE44 Offset: 0x3BBE44 VA: 0x3BBE44
public float maxForce; // 0x1C
public float maxError; // 0x20
public int minAttempts; // 0x24
public int maxAttempts; // 0x28
public float shootPrepTime; // 0x2C
public float shootIntervalTime; // 0x30
public float shootCooldownTime; // 0x34
public float playerShootCooldownTime; // 0x38
public float playerAttackCooldownTime; // 0x3C
public float shootCooldownWithKnightTime; // 0x40
public float shootRange; // 0x44
public float fleeRange; // 0x48
public float towerShootRange; // 0x4C
[RangeAttribute] // RVA: 0x3BBE78 Offset: 0x3BBE78 VA: 0x3BBE78
public float perfectArrowProbability; // 0x50
[RangeAttribute] // RVA: 0x3BBE90 Offset: 0x3BBE90 VA: 0x3BBE90
public float dropInWaterProbability; // 0x54
[SerializeField] // RVA: 0x3BBEA8 Offset: 0x3BBEA8 VA: 0x3BBEA8
private GameObject pseudoTarget; // 0x58
private float _nextPlayerShootTime; // 0x5C
private float _nextPlayerAttackTime; // 0x60
[HeaderAttribute] // RVA: 0x3BBEB8 Offset: 0x3BBEB8 VA: 0x3BBEB8
public float walkSpeed; // 0x64
public float runSpeed; // 0x68
public float coinPickupRange; // 0x6C
public float maxPursueDistance; // 0x70
public float maxLead; // 0x74
public FloatRange borderHuntRange; // 0x78
[SerializeField] // RVA: 0x3BBEEC Offset: 0x3BBEEC VA: 0x3BBEEC
[TimeOfDayAttribute] // RVA: 0x3BBEEC Offset: 0x3BBEEC VA: 0x3BBEEC
private float returnToWallTime; // 0x80
public bool harmless; // 0x84
public Arrow arrowPrefab; // 0x88
public RuntimeAnimatorController hunterAnimator; // 0x8C
public RuntimeAnimatorController soldierAnimator; // 0x90
[HeaderAttribute] // RVA: 0x3BBF1C Offset: 0x3BBF1C VA: 0x3BBF1C
public AudioEmitter climbTowerSound; // 0x94
public AudioEmitter shootSound; // 0x98
public AudioEmitter buffedShootSound; // 0x9C
public AudioEmitter meleeSound; // 0xA0
[HeaderAttribute] // RVA: 0x3BBF50 Offset: 0x3BBF50 VA: 0x3BBF50
public FloatRange distanceFromWall; // 0xA4
private FloatRange _distanceFromWallModified; // 0xAC
private float _guardPos; // 0xB4
public FloatRange distanceFromKnight; // 0xB8
[HideInInspector] // RVA: 0x3BBF84 Offset: 0x3BBF84 VA: 0x3BBF84
public float knightFollowDistance; // 0xC0
protected CRPCHeader parentHeaderRef; // 0xC4
protected int _setGuardRPCIndex; // 0xC8
protected int _handleGuardSlotIndex; // 0xCC
protected int _requestGuardSlotIndex; // 0xD0
protected int _embarkIndex; // 0xD4
protected int _absoluteFaceIndex; // 0xD8
protected int _archerBuffedIndex; // 0xDC
protected int _hideStatusIndex; // 0xE0
protected int _sendCameraFocusRequest; // 0xE4
protected int _sendControllerIndex; // 0xE8
private Animator _animator; // 0xEC
private Mover _mover; // 0xF0
private Rigidbody2D _rigidbody; // 0xF4
private SpriteRenderer _spriteRenderer; // 0xF8
private Wallet _wallet; // 0xFC
private Wallet _originalWallet; // 0x100
private FixedTransform _fixedTransform; // 0x104
private Character _character; // 0x108
private Damageable _damageable; // 0x10C
private PushablePusher _pusher; // 0x110
private Scanner _enemyScanner; // 0x114
private Scanner _wildlifeScanner; // 0x118
private Scanner _coinScanner; // 0x11C
private float _cooldown; // 0x120
private float _lastGlobalScan; // 0x124
private AnimationSync _animSyncRef; // 0x128
private float _cooldownReduction; // 0x12C
private float _avoidPortalRange; // 0x130
private Coin _targetCoin; // 0x134
private Formation _currentFormation; // 0x138
private GameObject _shootingTarget; // 0x13C
private GameObject _huntingTarget; // 0x140
private GuardSlot _guardSlot; // 0x144
[CompilerGeneratedAttribute] // RVA: 0x3BBF94 Offset: 0x3BBF94 VA: 0x3BBF94
private bool <inGuardSlot>k__BackingField; // 0x148
[SerializeField] // RVA: 0x3BBFA4 Offset: 0x3BBFA4 VA: 0x3BBFA4
private Side _guardSide; // 0x14C
private int _guardDepth; // 0x150
private Knight _knight; // 0x154
private bool _isWearingBannerColor; // 0x158
private bool _controllableSprinting; // 0x159
private IHaglet behaviour; // 0x15C
private IHaglet shoot; // 0x160
private IHaglet attack; // 0x164
private PositionSync cachedPosSync; // 0x168
private Persistent persistent; // 0x16C
[CompilerGeneratedAttribute] // RVA: 0x3BBFB4 Offset: 0x3BBFB4 VA: 0x3BBFB4
private bool <IsBuffed>k__BackingField; // 0x170
[CompilerGeneratedAttribute] // RVA: 0x3BBFC4 Offset: 0x3BBFC4 VA: 0x3BBFC4
private UnlockNewRulerStatue <newRulerStatue>k__BackingField; // 0x174
[CompilerGeneratedAttribute] // RVA: 0x3BBFD4 Offset: 0x3BBFD4 VA: 0x3BBFD4
private HelPuzzlePillar <helPuzzlePillar>k__BackingField; // 0x178
private Boat _boat; // 0x17C
[HeaderAttribute] // RVA: 0x3BBFE4 Offset: 0x3BBFE4 VA: 0x3BBFE4
[SerializeField] // RVA: 0x3BBFE4 Offset: 0x3BBFE4 VA: 0x3BBFE4
private float shieldSpotRange; // 0x180
[SerializeField] // RVA: 0x3BC02C Offset: 0x3BC02C VA: 0x3BC02C
private float shieldScanInterval; // 0x184
private NpcShieldUser _npcShieldUser; // 0x188
private Droppable targetShield; // 0x18C
private Archer.AttackMode _desiredAttackMode; // 0x190
private Archer.AttackMode _attackMode; // 0x194
[SerializeField] // RVA: 0x3BC03C Offset: 0x3BC03C VA: 0x3BC03C
private float _meleeAttackRange; // 0x198
[SerializeField] // RVA: 0x3BC04C Offset: 0x3BC04C VA: 0x3BC04C
private float _meleeAttackPredictAheadTime; // 0x19C
[SerializeField] // RVA: 0x3BC05C Offset: 0x3BC05C VA: 0x3BC05C
private float _meleeCooldown; // 0x1A0
[SerializeField] // RVA: 0x3BC06C Offset: 0x3BC06C VA: 0x3BC06C
private int _meleeDamage; // 0x1A4
[SerializeField] // RVA: 0x3BC07C Offset: 0x3BC07C VA: 0x3BC07C
private int _meleeMaxHitsPerAttack; // 0x1A8
private Damageable _meleeTarget; // 0x1AC
private bool _meleeAttackPlaying; // 0x1B0
[SerializeField] // RVA: 0x3BC08C Offset: 0x3BC08C VA: 0x3BC08C
private Rect _hitBox; // 0x1B4
[HeaderAttribute] // RVA: 0x3BC09C Offset: 0x3BC09C VA: 0x3BC09C
[SerializeField] // RVA: 0x3BC09C Offset: 0x3BC09C VA: 0x3BC09C
private float _switchWeaponsButtonDuration; // 0x1C4
private bool _downKeyPressed; // 0x1C8
private bool _playerAttackModeChanged; // 0x1C9
private float _switchWeaponsTimer; // 0x1CC
private float _arrowLength; // 0x1D0
private const int Stand = 1;
private const int FollowKnight = 2;
private const int GoToTower = 4;
private const int GoToWall = 8;
private const int Hunt = 16;
private const int GrabCoin = 32;
private const int Flee = 64;
private const int Held = 128;
private const int Grabbed = 256;
private const int Inert = 512;
private const int InFormation = 1024;
private const int FreeRuler = 2048;
private const int GrabShield = 4096;
private const int SwitchWeapons = 8192;
private const int GoToOfferingPillar = 16384;
private const int PlayerControl = 32768;
private static readonly Formation.UnitTypes[] FormationUnitType; // 0x34

And THIS one:

// Fields
public int hitDamage; // 0xC
public int perfectDamageMultiplier; // 0x10
public bool shouldOrientate; // 0x14
public bool canBounce; // 0x15
[HeaderAttribute] // RVA: 0x3BC0E4 Offset: 0x3BC0E4 VA: 0x3BC0E4
public bool isFireArrow; // 0x16
public int damagePerTick; // 0x18
public int damageTicks; // 0x1C
public float damageDelayOffset; // 0x20
public float damageDelayTime; // 0x24
[HeaderAttribute] // RVA: 0x3BC118 Offset: 0x3BC118 VA: 0x3BC118
public AudioEmitter wallHitSound; // 0x28
public AudioEmitter groundHitSound; // 0x2C
public AudioEmitter waterHitSound; // 0x30
[HeaderAttribute] // RVA: 0x3BC14C Offset: 0x3BC14C VA: 0x3BC14C
public GameObject archer; // 0x34
private bool _orientToVelocity; // 0x38
private bool _has***; // 0x39
private Rigidbody2D _rigidbody; // 0x3C
private Collider2D _collider; // 0x40
private TrailRenderer _trail; // 0x44
private bool _perfect; // 0x48
private NetworkSoftSimulator _softSim; // 0x4C
private bool authorityActive; // 0x50

// Methods
// RVA: 0xCB69A0 Offset: 0xCB69A0 VA: 0xCB69A0
private void Awake() { }
// RVA: 0xCB6B0C Offset: 0xCB6B0C VA: 0xCB6B0C
private void OnEnable() { }
// RVA: 0xCB6BF0 Offset: 0xCB6BF0 VA: 0xCB6BF0
public void DropInWater() { }
// RVA: 0xCB6CA0 Offset: 0xCB6CA0 VA: 0xCB6CA0
public void PerfectShot() { }
// RVA: 0xCB6BA4 Offset: 0xCB6BA4 VA: 0xCB6BA4
private void EnableTrail() { }
[IteratorStateMachineAttribute] // RVA: 0x3D1404 Offset: 0x3D1404 VA: 0x3D1404
// RVA: 0xCB6C28 Offset: 0xCB6C28 VA: 0xCB6C28
private IEnumerator DropInWaterInternal() { }
// RVA: 0xCB6CAC Offset: 0xCB6CAC VA: 0xCB6CAC
private void OnDestroy() { }
// RVA: 0xCB6D28 Offset: 0xCB6D28 VA: 0xCB6D28
private void LateUpdate() { }
// RVA: 0xCB6DF8 Offset: 0xCB6DF8 VA: 0xCB6DF8
private void OnCollisionEnter2D(Collision2D collision) { }
// RVA: 0xCB7630 Offset: 0xCB7630 VA: 0xCB7630
private void OnTriggerEnter2D(Collider2D collider) { }
// RVA: 0xCB6E34 Offset: 0xCB6E34 VA: 0xCB6E34
private void HitObject(GameObject target, bool physicalHit) { }
// RVA: 0xCB766C Offset: 0xCB766C VA: 0xCB766C Slot: 4
public void HandleAuthorityChange(bool newAuthorityState) { }
// RVA: 0xCB6A94 Offset: 0xCB6A94 VA: 0xCB6A94 Slot: 5
public void RegisterWithNetworkBoss() { }
// RVA: 0xCB6CB0 Offset: 0xCB6CB0 VA: 0xCB6CB0 Slot: 6
public void DeregisterWithNetworkBoss() { }
// RVA: 0xCB7674 Offset: 0xCB7674 VA: 0xCB7674 Slot: 7
public void ReceiveInitialise() { }
// RVA: 0xCB7868 Offset: 0xCB7868 VA: 0xCB7868 Slot: 8
public void PostRecvStop() { }
// RVA: 0xCB7874 Offset: 0xCB7874 VA: 0xCB7874
public void .ctor() { }
}

As you see, walkSpeed shows 0x64, and attack speed something like it too. Wtf should I do with this?! And could someone explain to me what the difference is between RVA, VA and offset..? Aren't they all offsets?! And I know how to search for the offset: Xa > il2cpp > offset calculator, 0CB6CAC. Thx in advance