Speedhack diagnostics: Lib6.so not found in some games?

[bluechipps]

Just got a Pixel 6 Pro (android 13) fully rooted. I have been trying to figure out why speedhack doesn't load in half the games that it previously did on my S21. In fact I have never seen this issue before. All apps on my previous devices have always at least been able to load speed hack, regardless of whether it actually was usable.

So after comparing logcats and manifests for hours I think I found the key piece of evidence...

All the games where speed hack fails to load have an error loading Lib6.so which then appears to cancel the whole process.

I android-daemon: Copy lib cp: 2, No such file or directory; /data/app/~~J-0_r1PXs5n1rVD5Fh543w==/com.archison.randomadventureroguelike2-6KBlGC95XmqMSdujQWnywQ==/lib/arm64/_lib6.so; /data/user/0/com.zgifjxcwdghpyjtpjd/files/GG-kx3r/lib6.so

Here is a comparison of log where SH loads and is able to find Lib6.so vs a log that doesn't


Any suggestions on where go from here? I have tried to find Lib6.so even in the apps where it claims it was loaded from but that arm64 folder appears empty. I was thinking maybe I could manually create the file somehow ahead of time so that GG can find it. Is that worth a try?

Thanks

[bluechipps]

I found this thread that sounds similar.

libUE4.so error (#b6qeepyd)

Seems strange how there aren't many other people with this speed hack issue. Maybe it is fairly new?

So why would GG be expecting this Lib6.so file and then it not be there? Is that evidence of something other problem?

[MC874]

21 minutes ago, bluechipps said:

I found this thread that sounds similar.

libUE4.so error (#b6qeepyd)

Seems strange how there aren't many other people with this speed hack issue. Maybe it is fairly new?

So why would GG be expecting this Lib6.so file and then it not be there? Is that evidence of something other problem?

Hi @bluechipps, I can't really dive into the Issue since it's Paid Game. Are you sure it's Split Apk?

• - Split APK are reserving it's own Library inside split_config.[architecture].apk. So it's not inside the base.apk or the Application. Also, because of this, the main Library are no where to be found inside Lib folder but instead accessed via Services/Symlink. So, extracting the libs from split_config.[architecture].apk into libs folder accessed here: /data/app/com.archison.randomadventureroguelike2/lib/[architecture] or it's symlink to that in /data/data/com.archison.randomadventureroguelike2/lib would make it accessible for GG or other application (hooker). Not to mention that /data/user/ is also a symlink to /data/data/. So, it would explain why it's also looking up for lib6.so inside /data/user/0/com.zgifjxcwdghpyjtpjd
• - To fix this issue is to combine all the Split APK into a single APK using APKToolM. However this doesn't work if each split_apk has it's own signature.

[bluechipps]

5 hours ago, MC189 said:

Hi @bluechipps, I can't really dive into the Issue since it's Paid Game. Are you sure it's Split Apk?

• - Split APK are reserving it's own Library inside split_config.[architecture].apk. So it's not inside the base.apk or the Application. Also, because of this, the main Library are no where to be found inside Lib folder but instead accessed via Services/Symlink. So, extracting the libs from split_config.[architecture].apk into libs folder accessed here: /data/app/com.archison.randomadventureroguelike2/lib/[architecture] or it's symlink to that in /data/data/com.archison.randomadventureroguelike2/lib would make it accessible for GG or other application (hooker). Not to mention that /data/user/ is also a symlink to /data/data/. So, it would explain why it's also looking up for lib6.so inside /data/user/0/com.zgifjxcwdghpyjtpjd
• - To fix this issue is to combine all the Split APK into a single APK using APKToolM. However this doesn't work if each split_apk has it's own signature.

Thanks for the insight! Now I can investigate further along those lines. Also that was just a random game out of the dozens I tried with the same issue. I will find one that isn't paid as a better example.

One thing I still would like to understand though is, how come all these games do not have the same issue on my Galaxy S21? I kept all the games updated so the APKs must have been no different from the ones I am now installing on my Pixel 6 Pro right? Is it possible the play store is giving my pixel these split versions of APKs when it has other versions it gives to my S21? If so, could that possibly offer another solution, to somehow get the alternate versions of the APKs which aren't split or something? What do you think that's all about?

Thanks

[bluechipps]

Alright sorry but after more thorough investigation I must take back my Lib6.so theory. I have attached the relevant logcats for each game and named them as "loaded_" or "failed_". All of these games are free and fairly small in case anyone would like to cross check my results.

Below basically summarizes what is going on with the games in which speedhack is failing. I can only guess what all of it means but since it uses the term "breakpoint" maybe it sets up breakpoints to capture the spots where it will later inject into.

All the games where it says "Stop, but not at a breakpoint" never reach the "SH Loaded" message.

Any ideas what this could be caused by? I am happy to try anything that you think might help or that could narrow down the issue further. If I can't find a solution then I'll probably end up returning this Pixel 6 for whatever rootable device you guys recommend for avoiding headaches

failed_dreadrune.txt failed_eventhorizon.txt failed_hexquest.txt failed_reshero.txt loaded_bitdungeon3.txt loaded_cavefall.txt loaded_shatteredpixel.txt

[MC874]

Hi @bluechipps, I'm not an expert in this debugging field and also; I don't have the problem in hand:

• - Based on 'Breakpoint', we can't really sure if that's the exact problem but it can be the one trivia. GG sets breakpoint into Kernels, specificly time() function, to do Client-sided Speed-Hack. Altho it's related, we need to dive further into function side of the game or the kernel itself.
• - Also judging from WIF's, it returns a True value. It means the sys call / process that are called is stopped. As you can see from WIFSTOPPED(1).
• - It reminds me that SpeedHack is intended for 32-bit architecture (Altho, many x64 games can also use it). Probably try the Armeabi version of the game.
• - I'm afraid you're running the latest version of Android as it can be more problematic. On newer Android 11-13, introduces new Phantom processes, which limits the Access to Higher Permission. The behavior is: It will likely to stop the process if it's exceed high memory limit, Apps can't see the process side of another Apps, etc. It's been painful.

I can be wrong about my points. I think it also safe to say that: don't use newer Android version for Kernels / High Permission related activity. About returning the phone, I can't really say if it's the Phone faults but I've been biased towards Xiaomi/Infinix community for something related to Rooting. The community has been really great by being really active and also still provides Android 10.

Edited January 17, 2023 by MC189

[CmP]

20 hours ago, bluechipps said:

All the games where it says "Stop, but not at a breakpoint" never reach the "SH Loaded" message.

I confirm this observation, "Stop, but not a breakpoint" seems to be unintended result. The logs also contain some details about what goes wrong when this happens.

The first difference of interest is on the line that starts with "breakpoint:". "WSTOPSIG(5)" in logs with loaded SH means that process has been stopped because it received SIGTRAP signal, i.e. a breakpoint has been encountered. "WSTOPSIG(11)" in logs with failure, on the other hand, means that process has been stopped because it received SIGSEGV signal which is caused by invalid memory access.

The second difference of interest, that allows to understand what caused invalid memory access, is on the following line that starts with "aarch64:" and contains information about values in registers. In logs with loaded SH value in "pc" (program counter) register is some existing address in process memory, for example, 0x703142802c from "loaded_shatteredpixel.txt". In logs with failure it is different, value in "pc" register is not an existing address in process memory, since it is clearly too small for that (for example, 0x8be3f0 from "failed_dreadrune.txt").

One possible interpretation of the differences described above is that in cases of failure to load SH something (maybe injected code) for some reason causes jump to invalid address that, as has been mentioned, causes SIGSEGV.

Unfortunately, the logs by themselves don't allow to investigate further, that would most likely require using a debugger and would be significantly more complicated than analysis of logs.

[bluechipps]

Thanks for the breakdown guys. I am totally willing to accept that new devices are just out of luck most of the time, and that I probably shouldn't have went for such a new one if I cared so much about GG I am just surprised to not find more discussion on this topic since this is a very popular phone and on an 8 month old version of A13. Plenty of time for other people to experience the same issues right?

Oh well, I guess I should look into grabbing myself a device from a couple years ago at least. What's a solid choice around here for decent compatibility and performance? Straight forward root/unlock etc

[bluechipps]

Can you think of anything I could try on my device to maybe get around the problem somehow? Could I recompile apks? Maybe use virtual spaces even though I'm rooted? Modify some hardware flags to make it try and use different memory regions? Install a custom rom/kernel? I wonder why it thinks it should jump into invalid memory.

Anyway just thinking out loud,I have no clue if any of this is relevant. I am a mobile dev by day though so I am pretty good at debugging, but I am self-taught and my experience has rarely taken me any further than xcode and android studio. I wouldn't know where to start with debugging something I didn't write myself. Sounds like it might be closer to hacking than to debugging Might be over my head

[CmP]

Before you proceed to try different or modified apks of the games, consider checking structure of installed files of games for which SH loads and for which doesn't to see, whether there are any patterns there. Root folder to start checking and comparing from is game's folder (or rather sub-folder that includes package name) in /data/app.

[PaoloBello]

I got the same problem on my Oneplus device running Android 13, did you figure out a solution?