
Work around with libil2cpp and GG using offset


TekMonts

On 11/12/2020 at 1:02 PM, TekMonts said:

Too many guys ask about GG and libil2cpp.so and how to make them work together in GameGuardian.
So I decided to make a guide on working with it using an offset.

Game: Call of Duty - Mobile VN

Function to hack: show enemies on the radar

This game is protected against dumpers, so I used Il2CppInspector to inspect the lib.

Open Il2CppInspector.exe, drag the APK onto the app GUI, then wait a bit:

[screenshot: Il2CppInspector after loading the APK]

I exported the JSON file to find the function and its address. I wanted to find the function that shows enemies on the radar, and I found this:

[screenshot: the exported JSON entry for get_ShowEnemyOnRadar()]

0x046C37F4 -- this is the address that holds the function get_ShowEnemyOnRadar()

So what should we do?

We can mod libil2cpp.so directly, use a hook, create an app to call it...

But here I will show you how to modify this function using GameGuardian.

First, you need the functions to handle the lib. They were shared on the Internet and I just copy-pasted them here:

-- State shared by the helpers below. lim = 32 is the largest group search
-- GameGuardian accepts, so longer patterns are verified byte by byte after the search.
local memFrom, memTo, lib, num, lim, results, src, ok = 0, -1, nil, 0, 32, {}, nil, false

-- Select the library: remember the start of its first mapped range and the end of its last one.
function name(n)
    if lib ~= n then
        lib = n
        local ranges = gg.getRangesList(lib)
        if #ranges == 0 then
            print("⚠ERROR: " .. lib .. " was not found!⚠")
            gg.toast("⚠ERROR: " .. lib .. " was not found!⚠")
            os.exit()
        else
            memFrom = ranges[1].start
            memTo = ranges[#ranges]["end"]
        end
    end
end

-- Split "7F 45 4C 46" into { "7F", "45", "4C", "46" }; "??" and "**" are wildcard bytes.
function hex2tbl(hex)
    local ret = {}
    hex:gsub("%S%S", function(ch)
        ret[#ret + 1] = ch
        return ""
    end)
    return ret
end

-- Search the library for the original bytes, then shift every match by the global
-- myoffset. In this guide the original bytes are the ELF header at the library base,
-- so base + myoffset is the function to patch. Each entry of `results` is
-- (target address - 1), so replaced() writes byte i of the patch at results[k] + i.
function original(orig)
    local tbl = hex2tbl(orig)
    local len = #tbl
    if len == 0 then
        return
    end
    local used = len
    if len > lim then
        used = lim
    end
    -- Build the group search string, e.g. "7Fr;45r;4Cr;46r::4" ("r" = raw hex byte).
    local s = ""
    for i = 1, used do
        if i ~= 1 then
            s = s .. ";"
        end
        local v = tbl[i]
        if v == "??" or v == "**" then
            v = "0~~0"
        end
        s = s .. v .. "r"
    end
    s = s .. "::" .. used
    gg.searchNumber(s, gg.TYPE_BYTE, false, gg.SIGN_EQUAL, memFrom, memTo)
    -- Bytes beyond the search limit are compared as signed byte values below.
    if len > used then
        for i = used + 1, len do
            local v = tbl[i]
            if v == "??" or v == "**" then
                v = 256
            else
                v = ("0x" .. v) + 0
                if v > 127 then
                    v = v - 256
                end
            end
            tbl[i] = v
        end
    end
    local found = gg.getResultCount()

    results = {}
    local count = 0
    local checked = 0
    while true do
        if checked >= found then
            break
        end
        -- Fetch every result; a hard-coded 8 here only works for a single 8-byte match.
        local all = gg.getResults(found)
        local total = #all
        local start = checked
        if checked + used > total then
            break
        end
        for i, v in ipairs(all) do
            v.address = v.address + myoffset
        end
        gg.loadResults(all)
        while start < total do
            local good = true
            local offset = all[1 + start].address - 1
            if used < len then
                -- Check the remaining bytes at the source match, not at the shifted target.
                local get = {}
                for i = lim + 1, len do
                    get[i - lim] = {address = offset - myoffset + i, flags = gg.TYPE_BYTE, value = 0}
                end
                get = gg.getValues(get)
                for i = lim + 1, len do
                    local ch = tbl[i]
                    if ch ~= 256 and get[i - lim].value ~= ch then
                        good = false
                        break
                    end
                end
            end
            if good then
                count = count + 1
                results[count] = offset
                checked = checked + used
            else
                local del = {}
                for i = 1, used do
                    del[i] = all[i + start]
                end
                gg.removeResults(del)
            end
            start = start + used
        end
    end
end

-- Write the replacement bytes at every address collected by original().
-- Wildcards ("??" / "**") leave that byte untouched; if src is set, bytes equal to
-- the source pattern are skipped as well.
function replaced(repl)
    num = num + 1
    local tbl = hex2tbl(repl)
    if src ~= nil then
        local source = hex2tbl(src)
        for i, v in ipairs(tbl) do
            if v ~= "??" and v ~= "**" and v == source[i] then
                tbl[i] = "**"
            end
        end
        src = nil
    end
    local set = {}
    local s = 0
    for _, addr in ipairs(results) do
        for i, v in ipairs(tbl) do
            if v ~= "??" and v ~= "**" then
                s = s + 1
                set[s] = {["address"] = addr + i, ["value"] = v .. "r", ["flags"] = gg.TYPE_BYTE}
            end
        end
    end
    if s ~= 0 then
        gg.setValues(set)
    end
    ok = true
end

 

Now you need to call the functions:

gg.setRanges(gg.REGION_CODE_APP | gg.REGION_C_DATA)  -- usually you only need these regions
name('libil2cpp.so')                                  -- name the lib
myoffset = 0x046C37F4                                 -- offset you found (address of get_ShowEnemyOnRadar() from Il2CppInspector)
original('7F 45 4C 46 01 01 01 00')                   -- begin hex: open libil2cpp.so in a hex viewer and take its first 8 bytes (the ELF header);
                                                      -- the match is the library base and myoffset is added to it
replaced('01 00 A0 E3 1E FF 2F E1')                   -- 32-bit ARM "mov r0, #1 ; bx lr" = return true; use an ARM to hex converter,
                                                      -- see https://armconverter.com/?code=mov%20r0,%20%231%0Abx%20lr
gg.toast("Done!")

 

Put it in your Lua script and you're done; you can now hack the radar using GG and libil2cpp.

Demo:

[screenshot: the radar hack running in the game]

Demo file: CODHack_Demo.lua

Am I the only one who has a very bad attitude towards cheaters? I don't see what the point of a game like this is...

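The guide quoted above pastes the address Il2CppInspector prints straight into myoffset, lets GameGuardian add it to the start of libil2cpp.so's first mapped range, and overwrites the getter with the 32-bit ARM encoding of "mov r0, #1 ; bx lr". The "mod libil2cpp.so directly" alternative it mentions needs a step the post does not show: an Il2CppInspector address is a virtual address, not a file offset, so the PT_LOAD program headers have to be consulted before a hex editor patch lands in the right place. The script below is an added example and is not code from the post, from Il2CppInspector or from GameGuardian. It builds a constructed minimal ELF32 ARM image (not a real libil2cpp.so; the function address 0x1120 and the getter body bytes are made up), translates the VA to a file offset, computes the base-relative value the GG script would need, refuses to patch unless the expected prologue is present, and selects the "return true" stub for 32-bit ARM or AArch64 from e_machine (the AArch64 encoding is added here; the post only gives the 32-bit one).

```python
import struct

EM_ARM, EM_AARCH64 = 40, 183
PT_LOAD = 1

# "return true" for a bool getter: mov r0/w0, #1 and return (little-endian instruction bytes).
RET_TRUE = {
    EM_ARM:     bytes.fromhex("0100A0E3" "1EFF2FE1"),  # mov r0, #1 ; bx lr   (32-bit ARM, as in the post)
    EM_AARCH64: bytes.fromhex("20008052" "C0035FD6"),  # mov w0, #1 ; ret     (AArch64, added here)
}


def parse_elf(data):
    """Return (e_machine, [(p_vaddr, p_offset, p_filesz), ...]) for the PT_LOAD segments."""
    if data[:4] != b"\x7fELF" or data[5] != 1:
        raise ValueError("not a little-endian ELF image")
    is64 = data[4] == 2
    (machine,) = struct.unpack_from("<H", data, 18)
    if is64:
        (phoff,) = struct.unpack_from("<Q", data, 32)
        phentsize, phnum = struct.unpack_from("<HH", data, 54)
    else:
        (phoff,) = struct.unpack_from("<I", data, 28)
        phentsize, phnum = struct.unpack_from("<HH", data, 42)
    loads = []
    for i in range(phnum):
        at = phoff + i * phentsize
        if is64:   # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, _, p_offset, p_vaddr, _, p_filesz = struct.unpack_from("<IIQQQQ", data, at)
        else:      # p_type, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, p_offset, p_vaddr, _, p_filesz = struct.unpack_from("<IIIII", data, at)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
    return machine, loads


def va_to_file_offset(loads, va):
    """Map a virtual address (what Il2CppInspector reports) to the byte offset in the file."""
    for p_vaddr, p_offset, p_filesz in loads:
        if p_vaddr <= va < p_vaddr + p_filesz:
            return va - p_vaddr + p_offset
    raise ValueError("0x%X is not backed by any PT_LOAD segment" % va)


def gg_offset(loads, va):
    """Value to add to ranges[1].start in GameGuardian (the post's myoffset) to reach `va`.

    Assumption: the loader places the first PT_LOAD at the start of the first mapped range,
    so runtime address = base + (va - first p_vaddr). Android .so files normally have a
    first p_vaddr of 0, which is why the post can use the Il2CppInspector address as-is.
    """
    return va - min(p_vaddr for p_vaddr, _, _ in loads)


def patch_return_true(data, va, expect=None):
    """Return a copy of `data` with the function at `va` overwritten by `return true`.

    `expect` is an optional prologue that must be present first; a mismatch means the
    address is wrong or the build differs, and nothing is patched.
    """
    machine, loads = parse_elf(data)
    if machine not in RET_TRUE:
        raise ValueError("unsupported e_machine %d" % machine)
    if va % 4:
        raise ValueError("function address must be 4-byte aligned")
    off = va_to_file_offset(loads, va)
    stub = RET_TRUE[machine]
    if expect is not None and data[off:off + len(expect)] != expect:
        raise ValueError("bytes at file offset 0x%X do not match the expected prologue" % off)
    out = bytearray(data)
    out[off:off + len(stub)] = stub
    return bytes(out)


def build_sample_elf32_arm():
    """Constructed ELF32 ARM image (not a real libil2cpp.so): two PT_LOADs, code at VA 0x1100."""
    code_off, code_va, code_len = 0x100, 0x1100, 0x40
    ehdr = struct.pack("<16sHHIIIIIHHHHHH",
                       b"\x7fELF\x01\x01\x01" + b"\x00" * 9,      # ELFCLASS32, ELFDATA2LSB
                       3, EM_ARM, 1, 0, 52, 0, 0, 52, 32, 2, 0, 0, 0)  # ET_DYN, phoff=52, 2 phdrs
    # p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
    ph0 = struct.pack("<IIIIIIII", PT_LOAD, 0, 0, 0, 0x100, 0x100, 4, 0x1000)
    ph1 = struct.pack("<IIIIIIII", PT_LOAD, code_off, code_va, code_va, code_len, code_len, 5, 0x1000)
    img = bytearray(code_off + code_len)
    img[:52] = ehdr
    img[52:52 + 64] = ph0 + ph1
    # Made-up getter body at VA 0x1120: ldrb r0, [r0] ; bx lr
    img[0x120:0x128] = bytes.fromhex("0000D0E5" "1EFF2FE1")
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_elf32_arm()
    machine, loads = parse_elf(img)
    print("file offset 0x%X, GG offset 0x%X" % (va_to_file_offset(loads, 0x1120), gg_offset(loads, 0x1120)))
    patched = patch_return_true(img, 0x1120, expect=bytes.fromhex("0000D0E5"))
    print(patched[0x120:0x128].hex())  # 0100a0e31eff2fe1
```

In the constructed image the GG offset equals the VA (0x1120) only because the first PT_LOAD has p_vaddr 0, while the file offset is 0x120; writing the stub at the VA with a hex editor would miss the function. Pass the real prologue bytes from Il2CppInspector's disassembly as `expect` so a wrong address or a different build of the library aborts the patch instead of corrupting unrelated code.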

[ @Mygmus ]
---
You alone. The reasons:

- Crushing ordinary players makes me happy.
- Their bad words are a lullaby for me.
- Their rages are my entertainment.
- Their emotions make me want to do it more.
- Their despair is my destiny.

---
Just kidding, I couldn't tell if I'm joking or not.
