About il2cpp Hex Patch via GG


qwer098

Question

Posted

I wrote a script after looking at

Work around with libil2cpp and GG using offset (#by5yarnv)

(thanks to @TekMonts for the awesome article)

but it didn't work out as I thought, so I'm asking you a question.

 

 


I find the offset value that I want to change through dnspy

 


And I got the address and Hex code of the offset through HxD.

 

 

local memFrom, memTo, lib, num, lim, results, src, ok = 0, -1, nil, 0, 32, {}, nil, false
function name(n)
    if lib ~= n then
        lib = n
        local ranges = gg.getRangesList(lib)
        if #ranges == 0 then
            print("⚠ERROR: " .. lib .. " are not found!⚠")
            gg.toast("⚠ERROR: " .. lib .. " are not found!⚠")
            os.exit()
        else
            memFrom = ranges[1].start
            memTo = ranges[#ranges]["end"]
        end
    end
end
function hex2tbl(hex)
    local ret = {}
    hex:gsub(
        "%S%S",
        function(ch)
            ret[#ret + 1] = ch
            return ""
        end
    )
    return ret
end
function original(orig)
    local tbl = hex2tbl(orig)
    local len = #tbl
    if len == 0 then
        return
    end
    local used = len
    if len > lim then
        used = lim
    end
    local s = ""
    for i = 1, used do
        if i ~= 1 then
            s = s .. ";"
        end
        local v = tbl[i]
        if v == "??" or v == "**" then
            v = "0~~0"
        end
        s = s .. v .. "r"
    end
    s = s .. "::" .. used
	
    gg.searchNumber(s, gg.TYPE_BYTE, false, gg.SIGN_EQUAL, memFrom, memTo)
    if len > used then
        for i = used + 1, len do
            local v = tbl[i]
            if v == "??" or v == "**" then
                v = 256
            else
                v = ("0x" .. v) + 0
                if v > 127 then
                    v = v - 256
                end
            end
            tbl[i] = v
        end
    end
    local found = gg.getResultCount()

    results = {}
    local count = 0
    local checked = 0
    while true do
        if checked >= found then
            break
        end
        local all = gg.getResults(8)
        local total = #all
        local start = checked
        if checked + used > total then
            break
        end
        for i, v in ipairs(all) do
            v.address = v.address + myoffset
        end
        gg.loadResults(all)
        while start < total do
            local good = true
            local offset = all[1 + start].address - 1
            if used < len then
                local get = {}
                for i = lim + 1, len do
                    get[i - lim] = {address = offset + i, flags = gg.TYPE_BYTE, value = 0}
                end
                get = gg.getValues(get)
                for i = lim + 1, len do
                    local ch = tbl[i]
                    if ch ~= 256 and get[i - lim].value ~= ch then
                        good = false
                        break
                    end
                end
            end
            if good then
                count = count + 1
                results[count] = offset
                checked = checked + used
            else
                local del = {}
                for i = 1, used do
                    del[i] = all[i + start]
                end
                gg.removeResults(del)
            end
            start = start + used
        end
    end
end
function replaced(repl)
    num = num + 1
    local tbl = hex2tbl(repl)
    if src ~= nil then
        local source = hex2tbl(src)
        for i, v in ipairs(tbl) do
            if v ~= "??" and v ~= "**" and v == source[i] then
                tbl[i] = "**"
            end
        end
        src = nil
    end
    local cnt = #tbl
    local set = {}
    local s = 0
    for _, addr in ipairs(results) do
        for i, v in ipairs(tbl) do
            if v ~= "??" and v ~= "**" then
                s = s + 1
                set[s] = {["address"] = addr + i, ["value"] = v .. "r", ["flags"] = gg.TYPE_BYTE}
            end
        end
    end
    if s ~= 0 then
        gg.setValues(set)
    end
    ok = true
end



function HOME()
    A = gg.multiChoice(
        {
            "AutoaimDistance",
            "Exit"
        },
        nil,
        "qwer098 Prototype"
    )
    if A ~= nil then
        if A[1] == true then
            AutoaimDistance()
        end
        -- "Exit" is the second menu entry, so it is A[2] (the original checked A[1] twice)
        if A[2] == true then
            os.exit()
        end
    end
end

function AutoaimDistance()
    gg.setRanges(gg.REGION_CODE_APP | gg.REGION_C_DATA)
    name('libil2cpp.so')
    myoffset = 0x3175834
    original('F4 4F BE A9 FD 7B 01 A9')
    replaced('7A 04 44 E3 1E FF 2F E1')
    gg.toast("Done!")
end

HOME()

 

...and I wrote the script, referencing the article above, and I ran it in the game.

 

 


And here's the result.

 

I don't think I found the wrong offset. Of course, I'll have to try something more diverse, but I don't think that offset was useless.
And there are too many unexpectedly found values, like 300k. (I don't know if this is wrong; do other scripts work this way too?)

Plus, the offset value is float, but in GG it's written as byte.
If you have any tips on hex patching, please let me know. It's not easy.

4 answers to this question


Posted

function Patch(lib, offset, hex)
    gg.setVisible(false)
    local targetAddr = 0
    -- count hex digits with the spaces removed; an odd count means a malformed byte
    local hexStrCount = #hex:gsub(" ", "")
    if hexStrCount % 2 ~= 0 then return print("Check your hex again. Something wrong there") end
    local hexCount = hexStrCount / 2
    -- base of the first executable ("r-x") mapping of the library, plus the offset
    for i, v in ipairs(gg.getRangesList(lib)) do
        if v.type:sub(3, 3) == "x" then targetAddr = v.start + offset break end
    end
    local editHex = {}
    for i = 1, hexCount do
        editHex[i] = {address = targetAddr + (i - 1), flags = gg.TYPE_BYTE}
    end
    gg.loadResults(editHex)
    gg.getResults(hexCount)
    local edit = "h" .. hex   -- the "h" prefix tells editAll the value is a hex byte string
    gg.editAll(edit, 1)       -- 1 is gg.TYPE_BYTE
    gg.clearResults()
end

--[[Use it as a code eg (the hex below is a placeholder, not real bytes)

Patch("libil2cpp.so",0X2345678,"ER 40 DE CA MO 1K QW") ]]

Posted

@DARK_DEMON_SCRIPTER Thank you for your answer, but I'm still not sure, so I'm asking you a question again.
What was wrong with the first script I wrote was that I had to search for FLOAT, but the search range was BYTE.
... So I changed my search scope to FLOAT and tried running the script again, but this time I didn't get any search results.
What's the problem? There is no problem with offset and hex values.
And if possible, could you explain in more detail how to use the code you wrote?

Posted
On 9/14/2022 at 1:58 PM, qwer098 said:

@DARK_DEMON_SCRIPTER Thank you for your answer, but I'm still not sure, so I'm asking you a question again.
What was wrong with the first script I wrote was that I had to search for FLOAT, but the search range was BYTE.
... So I changed my search scope to FLOAT and tried running the script again, but this time I didn't get any search results.
What's the problem? There is no problem with offset and hex values.
And if possible, could you explain in more detail how to use the code you wrote?

Idk about the first one

But most of the values in libil2cpp.so are edited in bytes, so I checked how editing is done for libil2cpp.so and this is the result. Credits also go to @Lover1500; he helped me with scripting it.

Sorry for the late reply.

 

Posted

I know this is late, but this still hasn't been answered, so I'll explain:

Byte is correct. Do not search in float. The bytes represent the assembly code, which is what you are editing. Float is the data type the function returns.

The problem is that the hex code `F4 4F BE A9 FD 7B 01 A9` comes up more than once in the libil2cpp.so file. You need to copy more than 8 bytes, so the hex code is more specific and therefore less likely to repeat itself. Try copying 40 bytes instead of 8. For example, pretend that these are the 40 bytes:

 F4 4F BE A9 FD 7B 01 A9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

In this case, your new code would look like this:
 

original('F4 4F BE A9 FD 7B 01 A9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00')
replaced('7A 04 44 E3 1E FF 2F E1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00')
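The last answer's point about signature length, as an added example from the editor rather than code from this thread or from GameGuardian: a Python script (chosen so it runs offline on a dumped file, unlike GG Lua) that counts how often a hex signature occurs in a binary, honouring the `??`/`**` wildcards that the first script's hex2tbl accepts, and checks that the bytes at a given offset really are the expected original bytes before anything is written. The library it scans, build_demo_library, is constructed inside the script: fifty functions that all begin with the question's 8 bytes. Those bytes are the little-endian AArch64 instructions stp x20, x19, [sp, #-0x20]! and stp x29, x30, [sp, #0x10], a standard function prologue, which is why an 8-byte signature hits so many places. Names such as find_pattern, verify_original and TARGET_OFFSET are this example's own.

```python
"""Signature uniqueness and pre-patch verification on a binary blob.

Added example for the thread above, written in Python rather than GameGuardian
Lua so it runs offline on a file dump. It is not code from the thread or from
GameGuardian. The "library" it scans is CONSTRUCTED below; on a real file you
would read the bytes with open(path, "rb").read().
"""
import re
from typing import List, Optional

# The 8 bytes from the question: little-endian encoding of the AArch64
# instructions `stp x20, x19, [sp, #-0x20]!` and `stp x29, x30, [sp, #0x10]`,
# a very common function prologue, which is why such a short signature repeats.
PROLOGUE = bytes.fromhex("F44FBEA9FD7B01A9")


def parse_hex_pattern(hex_str: str) -> List[Optional[int]]:
    """'F4 4F ?? A9' -> [0xF4, 0x4F, None, 0xA9]. '??' and '**' are wildcards,
    the same convention the script in the question uses."""
    out: List[Optional[int]] = []
    for tok in hex_str.split():
        if tok in ("??", "**"):
            out.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            out.append(int(tok, 16))
        else:
            raise ValueError(f"not a hex byte: {tok!r}")
    return out


def find_pattern(blob: bytes, hex_str: str) -> List[int]:
    """Every offset at which the (possibly wildcarded) pattern occurs, overlapping
    matches included, found with a lookahead regex over the raw bytes."""
    body = b"".join(b"." if p is None else re.escape(bytes([p]))
                    for p in parse_hex_pattern(hex_str))
    return [m.start() for m in re.finditer(b"(?=" + body + b")", blob, re.DOTALL)]


def verify_original(blob: bytes, offset: int, expected_hex: str) -> bool:
    """Pre-patch check: do the bytes at `offset` really equal the expected
    original bytes? Wildcards are skipped; an out-of-range offset fails."""
    pattern = parse_hex_pattern(expected_hex)
    if offset < 0 or offset + len(pattern) > len(blob):
        return False
    window = blob[offset:offset + len(pattern)]
    return all(p is None or p == b for p, b in zip(pattern, window))


FUNC_SIZE = 40                             # prologue + 32 body bytes per fake function
TARGET_INDEX = 17                          # the one function a patch would be meant for
TARGET_OFFSET = TARGET_INDEX * FUNC_SIZE   # 680 = 0x2A8 (constructed value)


def build_demo_library() -> bytes:
    """CONSTRUCTED stand-in for libil2cpp.so: 50 functions that all start with
    the same prologue but have distinct bodies."""
    funcs = []
    for i in range(50):
        body = bytes((i * 7 + k) & 0xFF for k in range(FUNC_SIZE - 8))
        funcs.append(PROLOGUE + body)
    return b"".join(funcs)


def hex_of(data: bytes) -> str:
    """Bytes -> 'F4 4F BE ...', the form HxD copies and the GG script expects."""
    return " ".join(f"{b:02X}" for b in data)


def signature_report(blob: bytes, hex_sig: str) -> dict:
    """How specific is a signature? Its length, hit count and first hit offsets."""
    hits = find_pattern(blob, hex_sig)
    return {"bytes": len(hex_sig.split()), "hits": len(hits), "first": hits[:3]}


if __name__ == "__main__":
    lib = build_demo_library()
    short_sig = hex_of(PROLOGUE)                                # 8 bytes, as in the question
    long_sig = hex_of(lib[TARGET_OFFSET:TARGET_OFFSET + 40])    # 40 bytes, as the last answer suggests
    print(signature_report(lib, short_sig))                     # one hit per function
    print(signature_report(lib, long_sig))                      # exactly one hit, at TARGET_OFFSET
    print(verify_original(lib, TARGET_OFFSET, short_sig))       # True
    print(verify_original(lib, TARGET_OFFSET + 4, short_sig))   # False: wrong offset
```

On a real dump, replace build_demo_library() with open(path, "rb").read() and pass the bytes copied from HxD: a signature whose report shows more than one hit is not specific enough to identify one location, and a verify_original failure means the offset or the original bytes are wrong before any edit is attempted.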

 
