Work around with libil2cpp and GG using offset

TekMonts
On 11/12/2020 at 5:02 PM, TekMonts said:

Too many guys ask about GG and libil2cpp.so and how to work with them in GameGuardian.

So I decided to make a guide on working around it using an offset.

Game: Call of Duty - Mobile VN

Function to hack: Show enemy on radar

This game is protected from dumpers, so I used Il2CppInspector to inspect the lib.

Open up Il2CppInspector.exe and drag the apk onto the app GUI, then wait a bit:

[screenshot]

I exported the JSON file to find the function and its address. I wanted to find the function that shows enemies on the radar, and I found this:

[screenshot]

0x046C37F4 -- this is the address holding the function get_ShowEnemyOnRadar()

So what should we do?

We can mod libil2cpp.so directly, use a hook, create an app to call it...

But here, I will show you how to modify this function using GameGuardian.

First, you need the functions to handle the lib. They were shared on the Internet and I just copy-paste them here:


-- Search state: memFrom/memTo bound every search to the named library,
-- lim caps how many bytes go into one GG group search, results collects the
-- addresses found by original() so replaced() can patch them.
local memFrom, memTo, lib, num, lim, results, src, ok = 0, -1, nil, 0, 32, {}, nil, false

-- Resolve the memory range occupied by library n (e.g. 'libil2cpp.so').
function name(n)
    if lib ~= n then
        lib = n
        local ranges = gg.getRangesList(lib)
        if #ranges == 0 then
            print("⚠ERROR: " .. lib .. " not found!⚠")
            gg.toast("⚠ERROR: " .. lib .. " not found!⚠")
            os.exit()
        else
            memFrom = ranges[1].start
            memTo = ranges[#ranges]["end"]
        end
    end
end

-- Split a hex string such as '7F 45 4C 46' into a table of byte tokens.
-- '??' and '**' are wildcard tokens and are kept as-is.
function hex2tbl(hex)
    local ret = {}
    hex:gsub("%S%S", function(ch)
        ret[#ret + 1] = ch
        return ""
    end)
    return ret
end

-- Search the library range for the byte pattern orig. Every match address is
-- then shifted by the global myoffset, so results point at the target
-- function rather than at the pattern (here: the ELF header) itself.
function original(orig)
    local tbl = hex2tbl(orig)
    local len = #tbl
    if len == 0 then
        return
    end
    -- A GG group search is limited to lim bytes; any bytes beyond that are
    -- verified afterwards with gg.getValues().
    local used = len
    if len > lim then
        used = lim
    end
    -- Build the group-search string, e.g. "7Fr;45r;4Cr;46r::4":
    -- 'r' marks a raw byte, wildcards become the range 0~~0,
    -- and the "::used" suffix is the group width.
    local s = ""
    for i = 1, used do
        if i ~= 1 then
            s = s .. ";"
        end
        local v = tbl[i]
        if v == "??" or v == "**" then
            v = "0~~0"
        end
        s = s .. v .. "r"
    end
    s = s .. "::" .. used
    gg.searchNumber(s, gg.TYPE_BYTE, false, gg.SIGN_EQUAL, memFrom, memTo)
    -- Bytes beyond the group limit are compared as signed values, because
    -- GG returns TYPE_BYTE results signed; 256 marks a wildcard.
    if len > used then
        for i = used + 1, len do
            local v = tbl[i]
            if v == "??" or v == "**" then
                v = 256
            else
                v = ("0x" .. v) + 0
                if v > 127 then
                    v = v - 256
                end
            end
            tbl[i] = v
        end
    end
    local found = gg.getResultCount()

    results = {}
    local count = 0
    local checked = 0
    while true do
        if checked >= found then
            break
        end
        -- A group search yields one result per matched byte, so fetch all of
        -- them (the shared script used getResults(8), which only works for a
        -- single match of an 8-byte pattern).
        local all = gg.getResults(found)
        local total = #all
        local start = checked
        if checked + used > total then
            break
        end
        -- Rebase each match from the pattern to the function at myoffset.
        for i, v in ipairs(all) do
            v.address = v.address + myoffset
        end
        gg.loadResults(all)
        while start < total do
            local good = true
            -- offset + i (i = 1..n) is where replaced() writes byte i.
            local offset = all[1 + start].address - 1
            if used < len then
                -- Verify the remaining pattern bytes at the original
                -- (unshifted) match location.
                local get = {}
                for i = lim + 1, len do
                    get[i - lim] = {address = offset - myoffset + i, flags = gg.TYPE_BYTE, value = 0}
                end
                get = gg.getValues(get)
                for i = lim + 1, len do
                    local ch = tbl[i]
                    if ch ~= 256 and get[i - lim].value ~= ch then
                        good = false
                        break
                    end
                end
            end
            if good then
                count = count + 1
                results[count] = offset
                checked = checked + used
            else
                -- Drop the false positive from the result list.
                local del = {}
                for i = 1, used do
                    del[i] = all[i + start]
                end
                gg.removeResults(del)
            end
            start = start + used
        end
    end
end

-- Write the bytes of repl at every address collected by original().
-- Wildcard tokens leave the existing byte untouched.
function replaced(repl)
    num = num + 1
    local tbl = hex2tbl(repl)
    -- If src holds the original bytes, skip the ones that would not change.
    if src ~= nil then
        local source = hex2tbl(src)
        for i, v in ipairs(tbl) do
            if v ~= "??" and v ~= "**" and v == source[i] then
                tbl[i] = "**"
            end
        end
        src = nil
    end
    local set = {}
    local s = 0
    for _, addr in ipairs(results) do
        for i, v in ipairs(tbl) do
            if v ~= "??" and v ~= "**" then
                s = s + 1
                set[s] = {address = addr + i, value = v .. "r", flags = gg.TYPE_BYTE}
            end
        end
    end
    if s ~= 0 then
        gg.setValues(set)
    end
    ok = true
end

 

Now you need to call the functions:

gg.setRanges(gg.REGION_CODE_APP | gg.REGION_C_DATA)  -- usually you only need these regions
name('libil2cpp.so')                 -- name the lib
myoffset = 0x046C37F4                -- offset you found
original('7F 45 4C 46 01 01 01 00')  -- begin hex: open libil2cpp.so in a hex viewer and take its first 8 bytes (the ELF header)
replaced('01 00 A0 E3 1E FF 2F E1')  -- use an ARM-to-hex converter to convert "return true" (mov r0, #1; bx lr) to hex, see https://armconverter.com/?code=mov%20r0,%20%231%0Abx%20lr
gg.toast("Done!")

 

Put it in your lua and done, you can now hack the radar using GG and libil2cpp.

Demo:

[screenshot]

Demo file: CODHack_Demo.lua

holy sht!! this is codm?

I'm working on a COD hack too, but I'm very noob. But I've already made some simple hacks.

you use telegram, sir?



holy sht!! this is codm?

I'm working on a COD hack too, but I'm very noob. But I've already made some simple hacks.

you use telegram, sir?

I understood almost everything but

"
original('7F 45 4C 46 01 01 01 00')
replaced('01 00 A0 E3 1E FF 2F E1')
"

this... what are these original & replaced values? how can I find this "original hex value"?


1 hour ago, nio04 said:

holy sht!! this is codm?

I'm working on a COD hack too, but I'm very noob. But I've already made some simple hacks.

you use telegram, sir?

I understood almost everything but

"
original('7F 45 4C 46 01 01 01 00')
replaced('01 00 A0 E3 1E FF 2F E1')
"

this... what are these original & replaced values? how can I find this "original hex value"?

original('7F 45 4C 46 01 01 01 00')  -- begin hex of the original file: open libil2cpp.so with a hex viewer and take the first 8 bytes
replaced('01 00 A0 E3 1E FF 2F E1')  -- use an ARM-to-hex converter to convert "return true" to hex, see https://armconverter.com/?code=mov%20r0,%20%231%0Abx%20lr

This uses the ARM code to hack directly: 01 00 A0 E3 1E FF 2F E1 = mov r0, #1 ; bx lr = return true.

 

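The defender's counterpart to the patch described above and in this reply, as an added example that is not code from the thread or from the game: a native-side integrity check that notices when a function entry in the mapped library no longer matches its on-disk bytes, and recognises the exact constant-return stub (mov r0, #imm ; bx lr) that replaced() writes. The prologue bytes are constructed and hypothetical, and the reference hash would in practice be recorded from the on-disk library at build time.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of checking one function entry against its build-time reference. */
enum code_state { CODE_OK = 0, CODE_STUBBED = 1, CODE_MODIFIED = 2 };

/* FNV-1a over a code region. The reference hash is taken from the on-disk
 * library when the game is built and compared with the mapped .text at run time. */
uint32_t code_fnv1a(const uint8_t *code, size_t len) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < len; i++) {
        h ^= code[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Read one little-endian A32 instruction word. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* True when the 8 bytes at entry decode to "mov r0, #imm ; bx lr", i.e. the
 * function has been replaced by a constant-return stub. The thread's patch
 * bytes 01 00 A0 E3 1E FF 2F E1 are exactly mov r0, #1 ; bx lr. */
bool is_const_return_stub(const uint8_t *entry, uint32_t *imm) {
    uint32_t w0 = le32(entry), w1 = le32(entry + 4);
    if ((w0 & 0xFFFFF000u) != 0xE3A00000u) return false; /* cond=AL, MOV imm, Rd=r0 */
    if (w1 != 0xE12FFF1Eu) return false;                 /* bx lr */
    uint32_t imm8 = w0 & 0xFFu, rot = ((w0 >> 8) & 0xFu) * 2; /* imm8 rotated right by 2*rot */
    *imm = rot ? (imm8 >> rot) | (imm8 << (32 - rot)) : imm8;
    return true;
}

/* The stub's return constant, or -1 when the entry is not such a stub. */
long stub_return_value(const uint8_t *entry) {
    uint32_t imm;
    return is_const_return_stub(entry, &imm) ? (long)imm : -1;
}

/* Classify the mapped entry bytes: intact, stubbed, or modified some other way. */
enum code_state check_entry(const uint8_t *entry, size_t len, uint32_t expected) {
    if (code_fnv1a(entry, len) == expected) return CODE_OK;
    if (len >= 8 && stub_return_value(entry) >= 0) return CODE_STUBBED;
    return CODE_MODIFIED;
}

/* Constructed, hypothetical sample data (not taken from the game): a plausible prologue
 * "push {r4, lr} ; mov r4, r0", the same entry after the patch, and a one-byte variant. */
const uint8_t ORIGINAL_ENTRY[8] = {0x10, 0x40, 0x2D, 0xE9, 0x00, 0x40, 0xA0, 0xE1};
const uint8_t PATCHED_ENTRY[8]  = {0x01, 0x00, 0xA0, 0xE3, 0x1E, 0xFF, 0x2F, 0xE1};
const uint8_t TAMPERED_ENTRY[8] = {0x10, 0x40, 0x2D, 0xE9, 0x01, 0x40, 0xA0, 0xE1};

int main(void) {
    uint32_t ref = code_fnv1a(ORIGINAL_ENTRY, 8); /* baked in at build time in practice */
    printf("patched entry: state %d, stub returns %ld\n",
           check_entry(PATCHED_ENTRY, 8, ref), stub_return_value(PATCHED_ENTRY));
    return 0;
}
```

A check like this only covers the bytes it hashes, and the checker itself lives in the same writable process, so it is one signal among several rather than a complete answer.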


Any programs to do this without a PC?


12 hours ago, NoctisRe said:

can you give me all the commands like "mov r0, #1 bx" etc. that are useful for hacking?

Some return values; for others you can also search on the Internet.

https://pastebin.com/4DSkN8Fa

Some functions you can work with in codm (old version):

https://pastebin.com/5JCxmPH8

Edited by TekMonts
On 1/9/2021 at 10:48 PM, TekMonts said:

Some return values; for others you can also search on the Internet.

https://pastebin.com/4DSkN8Fa

Some functions you can work with in codm (old version):

https://pastebin.com/5JCxmPH8

🥰🥰😍😳😲 wow!! can you provide more codm offsets with details, plz???

I'm also inspecting libil2cpp... and sometimes I get the same "function" (ex - recoil) 3/4 times with different offsets. Wondering if I should edit them all...!?

plz, sir! if you could guide me with some more info about this... I will be grateful to you....

telegram @nio04
