How to decompile a game to make a script


winyeki19

Question

I learned that if you want to implement some functions with scripts, you need to decompile the game first.

There may be some errors in my description, but some decompilation results are attached:

A  -369,098,634|ae029a6c|4|8a000223|0|0|0|0|r-xp|/data/data/com.vmos.pro/osimg/r/ot01/data/app/com.miHoYo.enterprise.NGHSoD-1/lib/arm/libil2cpp.so|8fea6c
B  -476,016,639|ae17a94c|4|e3a00000|0|0|0|0|r-xp|/data/data/com.vmos.pro/osimg/r/ot01/data/app/com.miHoYo.enterprise.NGHSoD-1/lib/arm/libil2cpp.so|a4f94c
C  -509,607,936|ae5b5324|4|1a000044|0|0|0|0|r-xp|/data/data/com.vmos.pro/osimg/r/ot01/data/app/com.miHoYo.enterprise.NGHSoD-1/lib/arm/libil2cpp.so|e8a324

In the Lua script, it looks like this (this script is used to modify health and attack power):

function a()
  skz({"libil2cpp.so"},{"0x28312c0"},{840043488,4})
  gg.toast("success")
end

function b()
  skz({"libil2cpp.so"},{"0x3889f4c"},{1384120352,4})
  gg.toast("success")
end

(skz() is a custom function. If you want to know more about it:)

function skz(so, offset, edit)
  -- Show a message and pause briefly so consecutive toasts stay readable.
  local function toast(a)
    gg.toast(a)
    gg.sleep(500)
  end

  -- Mode 1: `so` is a list of {value, address} signature pairs. The first pair is the
  -- main signature searched in memory; the others must match at fixed distances from it.
  if so[1][1] then
    -- Game Guardian value-type flags: gg.TYPE_AUTO=127, BYTE=1, DOUBLE=64, DWORD=4,
    -- FLOAT=16, QWORD=32, WORD=2, XOR=8. The original `edit == ... or '127' or ...`
    -- test was always true; compare against a set of accepted flags instead.
    local validFlags = {[127]=true, [1]=true, [64]=true, [4]=true, [16]=true, [32]=true, [2]=true, [8]=true}
    local flag = tonumber(edit)
    if not (flag and validFlags[flag]) then
      toast("Unknown value type")
      return false
    end
    gg.clearResults()
    gg.searchNumber(so[1][1], flag)
    local count = gg.getResultCount()
    local result = gg.getResults(count)
    gg.clearResults()
    local data = {}
    local base = so[1][2]
    if count > 0 then
      for i, v in ipairs(result) do v.isUseful = true end
      -- Drop every candidate whose secondary signatures do not match.
      for k = 2, #so do
        local tmp = {}
        local Offset = so[k][2] - base
        local num = so[k][1]
        for i, v in ipairs(result) do
          tmp[#tmp + 1] = {address = v.address + Offset, flags = v.flags}
        end
        tmp = gg.getValues(tmp)
        for i, v in ipairs(tmp) do
          if tostring(v.value) ~= tostring(num) then result[i].isUseful = false end
        end
      end
      for i, v in ipairs(result) do
        if v.isUseful then data[#data + 1] = v.address end
      end
      if #data > 0 then
        -- Write every requested {value, address, freeze?} relative to each surviving match.
        local t = {}
        for i = 1, #data do
          for k, w in ipairs(offset) do
            local Offset = w[2] - base
            t[#t + 1] = {address = data[i] + Offset, flags = flag, value = w[1]}
            if w[3] == true then
              local item = {t[#t]}
              item[1].freeze = true
              gg.addListItems(item)
            end
          end
        end
        gg.setValues(t)
        toast("Open successfully")
        return true
      else
        toast("Secondary signature error")
        return false
      end
    else
      toast("No result of main signature search")
      return false
    end
  else
    -- Mode 2: `so` = {library name[, map state]}, `offset` = list of hex offsets forming a
    -- pointer chain from the library base, `edit` = {value, flags[, freeze]} (optional).
    for k, v in pairs(offset) do
      offset[k] = tonumber((v:gsub("0x", "")), 16)
    end
    local ti = gg.getTargetInfo()
    -- Collect the writable mappings of .so files under /data.
    local ranges = {}
    local maps = gg.getRangesList('^/data/*.so*$')
    for i, v in pairs(maps) do
      if v.type:sub(2, 2) == 'w' then
        table.insert(ranges, v)
      end
    end
    local S_list = ranges
    local t = {}
    local _A = nil
    local _t = 4  -- gg.TYPE_DWORD, the type used to read pointers along the chain
    for i in pairs(S_list) do
      local _N = S_list[i]["internalName"]:gsub('^.*/', '')
      if so[1] == _N and so[2] == S_list[i].state then
        _A = S_list[i]
        break
      end
    end
    if _A then
      t[#t + 1] = {}
      t[#t]["address"] = _A["start"] + offset[1]
      t[#t]["flags"] = _t
      if #offset ~= 1 then
        -- Follow the pointer chain: read the value at the current address, add the next offset.
        for i = 2, #offset do
          local S = gg.getValues(t)
          t = {}
          for _ in pairs(S) do
            if not ti["x64"] then
              S[_]["value"] = S[_]["value"] & 0xFFFFFFFF  -- 32-bit process: keep the low word
            end
            t[#t + 1] = {}
            t[#t]["address"] = S[_]["value"] + offset[i]
            t[#t]["flags"] = _t
          end
        end
        _A = t[#t]["address"]
      end
    else
      -- No state match: fall back to the first mapping of the library by name.
      _A = gg.getRangesList(so[1])[1]
      if _A then
        _A = _A["start"] + offset[1]
      else
        _A = 0
      end
    end
    if _A == 0 then
      toast("So acquisition failed")
    end
    if edit then
      local edittt = {}
      edittt[1] = {}
      edittt[1]["address"] = _A
      edittt[1]["flags"] = edit[2]
      if edit[3] then
        edittt[1]["freeze"] = true
      end
      edittt[1]["value"] = edit[1]
      if edit[3] then
        gg.addListItems(edittt)
        return true
      else
        gg.setValues(edittt)
        return true
      end
    else
      return _A
    end
  end
end

This script is no longer useful. If anyone knows about decompiled games, please tell me something about this. I want to learn to write such a script. Thank you.


3 answers to this question


4 hours ago, winyeki19 said:

I learned that if you want to implement some functions with scripts, you need to decompile the game first.

There may be some errors in my description,but some decompilation results are attached:

A  -369,098,634|ae029a6c|4|8a000223|0|0|0|0|r-xp|/data/data/com.vmos.pro/osimg/r/ot01/data/app/com.miHoYo.enterprise.NGHSoD-1/lib/arm/libil2cpp.so|8fea6c
B  -476,016,639|ae17a94c|4|e3a00000|0|0|0|0|r-xp|/data/data/com.vmos.pro/osimg/r/ot01/data/app/com.miHoYo.enterprise.NGHSoD-1/lib/arm/libil2cpp.so|a4f94c
C  -509,607,936|ae5b5324|4|1a000044|0|0|0|0|r-xp|/data/data/com.vmos.pro/osimg/r/ot01/data/app/com.miHoYo.enterprise.NGHSoD-1/lib/arm/libil2cpp.so|e8a324

In the Lua script, he looks like this(This script is used to modify health and attack power.):

function a()
  skz({"libil2cpp.so"},{"0x28312c0"},{840043488,4})
  gg.toast("success")
end

function b()
  skz({"libil2cpp.so"},{"0x3889f4c"},{1384120352,4})
  gg.toast("success")
end

(skz() is a custom function. If you want to know more about it:

function skz(so,offset,edit)
  function toast(a) gg.toast(a) gg.sleep(500)
  end
  if so[1][1] then
    if edit=='gg.TYPE_AUTO' or '127' or 'gg.TYPE_BYTE' or '1' or 'gg.TYPE_DOUBLE' or '64' or 'gg.TYPE_DWORD' or '4' or 'gg.TYPE_FLOAT' or '16' or 'gg.TYPE_QWORD' or '32' or 'gg.TYPE_WORD' or '2' or 'gg.TYPE_XOR' or '8' then
      gg.clearResults() gg.searchNumber(so[1][1],edit) local count=gg.getResultCount() local result=gg.getResults(count) gg.clearResults() local data={} local base=so[1][2] if(count>0)then for i,v in ipairs(result)do v.isUseful=true end for k=2,#so do local tmp={} local Offset=so[k][2]-base local num=so[k][1] for i,v in ipairs(result)do tmp[#tmp+1]={} tmp[#tmp]["address"]=v["address"]+Offset tmp[#tmp]["flags"]=v["flags"] end tmp=gg.getValues(tmp) for i,v in ipairs(tmp)do if(tostring(v["value"])~=tostring(num))then result[i].isUseful=false end end end for i,v in ipairs(result)do if(v.isUseful)then data[#data+1]=v["address"] end end if(#data>0)then local t={} local base=so[1][2] for i=1,#data do for k,w in ipairs(offset)do Offset=w[2]-base t[#t+1]={} t[#t]["address"]=data[i]+Offset t[#t]["flags"]=edit t[#t]["value"]=w[1] if(w[3]==true)then local item={} item[#item+1]=t[#t] item[#item].freeze=true gg.addListItems(item) end end end gg.setValues(t) toast("Open successfully") else toast("Secondary signature error") return false end else toast("No result of main signature search") return false end
    end
   else
    for k, v in pairs(offset) do
      offset[k]=tonumber(v:gsub("0x",""),16)
    end
    local ti = gg.getTargetInfo()
    local ranges = {}
    local t = gg.getRangesList('^/data/*.so*$')
    for i, v in pairs(t) do
      if v.type:sub(2, 2) == 'w' then
        table.insert(ranges, v)
      end
    end
    local S_list = ranges
    local t = {}
    local _A = nil
    _t = 4
    for i in pairs(S_list) do
      local _N = S_list[i]["internalName"]:gsub('^.*/', '')
      if so[1] == _N and so[2] == S_list[i].state then
        _A = S_list[i]
        break
      end
    end
    if _A then
      t[#t + 1] = {}
      t[#t]["address"] = _A["start"] + offset[1]
      t[#t]["flags"] = _t
      if #offset ~= 1 then
        for i = 2, #offset do
          local S = gg.getValues(t)
          t = {}
          for _ in pairs(S) do
            if not ti["x64"] then
              S[_]["value"] = S[_]["value"] & 0xFFFFFFFF
            end
            t[#t + 1] = {}
            t[#t]["address"] = S[_]["value"] + offset[i]
            t[#t]["flags"] = _t
          end
        end
        _A = t[#t]["address"]
      end
     else
      _A=gg.getRangesList(so[1])[1]
      if _A then
        _A=_A["start"]+offset[1]
       else
        _A=0
      end
    end
    if _A==0 then
      toast("So acquisition failed")
    end
    if edit then

      local edittt={}
      edittt[1]={}
      edittt[1]["address"]=_A
      edittt[1]["flags"]=edit[2]
      if edit[3] then
        edittt[1]["freeze"]=true
      end
      edittt[1]["value"]=edit[1]
      if edit[3] then
        gg.addListItems(edittt)
        return true
       else
        gg.setValues(edittt)
        return true
      end
     else
      return _A
    end
  end
end

This script is no longer useful. If anyone knows about decompiled games, please tell me something about this. I want to learn to write such a script. Thank you.

Hi! Decompiling in-game files is hard to do manually. libil2cpp is a part of the Unity library and there are many tools around, thus you're required to use a PC to get into the depth area. Here's your starting point:

  • 1) To decompile libil2cpp you're required to get the global metadata first; it contains a vital cipher that allows you to decompile the library. You can either dump it manually from the game using Game Guardian / Cheat Engine or whatever your preference is. However, there are also several scripts to find it more easily; one of them is here: Hidden-global-metadatadat-searcher. More of them can be found in the Download section.
  • 2) Make sure you got the metadata intact without missing headers or fragments. Then you can take your libil2cpp along with the metadata and use Il2CppDumper, a tool that comes in handy to put in the encrypted libil2cpp from your game lib folder, or you can dump the libil2cpp.so first. The tool also supports popular reverse engineering tools such as IDA Pro, Ghidra, etc.
  • 3) I really recommend further reverse engineering the library inside IDA Pro as it can give you clear glances at how each function works and supports raw pseudocode. Remember that decompiling isn't necessarily the same as decrypting, but it is more than enough to iterate through classes etc.

I've made it as short as possible as I don't want it to clutter. The summary is:

  • 1) You can go through the step-by-step mentioned above [Recommended]
  • 2) Dump libil2cpp yourself, but it may be missing a portion of it
  • 3) Directly use IDA Pro but with encrypted strings.
  • 4) Dump and reverse it using IDA Pro for better readings.

The choice is yours; dumping carries a risk of incomplete files. Meanwhile, directly reversing the library carries a risk of encrypted strings, making it hard to read/unreadable.
Good luck..

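As an added example (not code from this thread or from Il2CppDumper), a quick integrity check for the dumped global-metadata.dat that step 2 above says must be intact: it verifies the file's sanity value and that the first section offset/size pairs fit inside the file, so a dump with a missing or encrypted header or a truncated tail is flagged before feeding it to a dumper. It assumes the public Il2CppGlobalMetadataHeader layout (sanity, version, then int32 offset/size pairs) and uses constructed sample bytes.

```python
import struct

# global-metadata.dat starts with struct Il2CppGlobalMetadataHeader:
# int32 sanity, int32 version, then (offset, size) int32 pairs per section.
METADATA_SANITY = 0xFAB11BAF
# Header position of the first section pairs; assumption: these sit at the
# same place in every metadata version the dumper tools handle.
FIXED_SECTIONS = [
    ("stringLiteral", 8),
    ("stringLiteralData", 16),
    ("string", 24),
    ("events", 32),
]


def check_global_metadata(data: bytes) -> dict:
    """Report whether a dumped global-metadata.dat looks intact.

    Checks the sanity value, the version, and that each fixed section's
    (offset, size) pair lies inside the file."""
    report = {"ok": False, "version": None, "problems": []}
    if len(data) < 40:
        report["problems"].append("file shorter than the fixed header fields")
        return report
    sanity, version = struct.unpack_from("<II", data, 0)
    if sanity != METADATA_SANITY:
        report["problems"].append(f"sanity 0x{sanity:08X} != 0x{METADATA_SANITY:08X}")
    report["version"] = version
    if version < 16:  # assumption: dumper tools support versions 16 and up
        report["problems"].append(f"unexpected metadata version {version}")
    for name, hdr_off in FIXED_SECTIONS:
        start, size = struct.unpack_from("<ii", data, hdr_off)
        if start < 0 or size < 0 or start + size > len(data):
            report["problems"].append(
                f"{name} section [{start}, {start + size}) exceeds {len(data)} bytes")
    report["ok"] = not report["problems"]
    return report


def build_sample(total_len: int = 128) -> bytes:
    """Constructed sample: a version-24 header whose four sections fit in total_len."""
    hdr = struct.pack("<II", METADATA_SANITY, 24)
    for start in (64, 80, 96, 112):  # 16-byte sections laid out back to back
        hdr += struct.pack("<ii", start, 16)
    return hdr.ljust(total_len, b"\0")


if __name__ == "__main__":
    print(check_global_metadata(build_sample()))        # intact dump
    print(check_global_metadata(build_sample()[:100]))  # truncated dump: two sections flagged
```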

7 hours ago, winyeki19 said:

 

A  -369,098,634|ae029a6c|4|8a000223|0|0|0|0|r-xp|/data/data/com.vmos.pro/osimg/r/ot01/data/app/com.miHoYo.enterprise.NGHSoD-1/lib/arm/libil2cpp.so|8fea6c
B  -476,016,639|ae17a94c|4|e3a00000|0|0|0|0|r-xp|/data/data/com.vmos.pro/osimg/r/ot01/data/app/com.miHoYo.enterprise.NGHSoD-1/lib/arm/libil2cpp.so|a4f94c
C  -509,607,936|ae5b5324|4|1a000044|0|0|0|0|r-xp|/data/data/com.vmos.pro/osimg/r/ot01/data/app/com.miHoYo.enterprise.NGHSoD-1/lib/arm/libil2cpp.so|e8a324

 

This is not the result of decompilation, you wrote the usual load lists for GG lol.


11 hours ago, MainC said:

Hi! To Decompile in-game files is hard to do it manually. Libilcpp is a part of Unity library and there's  much tool around, thus; you're required to use PC to get into depth-area. Here's your starting point:

  • 1) To Decompile Libilcpp you're required to get Global Metadata first, it contains a vital cipher that allows you to decompile the library. You either can dump it manually from the game using Game Guardian / Cheat Engine or whatever your preference. However there's also several script to find it more easily, one of them is here: Hidden-global-metadatadat-searcher. More of them can be found on Download section.
  • 2) Make sure you got the Metadata intact without missing headers or fragment. Then you can take your Libilcpp along with Metadata together and use Il2CppDumper. A tool that comes in handy to put encrypted libilcpp from your game lib folder or you can dumping the libil2cpp.so first. The tools also supports for popular Reverse Engineering tools such as IDA Pro, Ghidra, etc.
  • 3) I really recommend to further Reverse Engineering the library inside IDA Pro as it can give you clear glances on how each function works and supports for a raw pseudocode. Remember that Decompiling isn't necessarily the same as Decrypting but it is more than enough to itter trough classes and etc.

I've made it sort as possible as i don't want it to clutter. The summary is;

  • 1) You can trough step-by-step mentioned above [Recommended]
  • 2) Dump Libil2cpp yourself but may missing portion of it
  • 3) Directly use IDA Pro but with encrypted string.
  • 4) Dump and Reverse it using IDA Pro for more better readings.

The choice are yours; dumping can give a risk of uncomplete files. Meanwhile, directly Reversing the library can give a risk of Encrypted string, make it hard to read/unreadable.
Good Luck..

Thank you for your advice. It will be very useful. I'll go and learn more

8 hours ago, zolotov_official0 said:

This is not the result of decompilation, you wrote the usual load lists for GG lol.

Thank you for your correction. I'll write it down


Archived

This topic is now archived and is closed to further replies.
