

Posted

Hi Guardians! Dark lord here aka "OREW"

 

I was trying to hack a specific game and I succeeded with dumping il2cpp.so

And after searching for offsets and so on, I found these values, or whatever this $hit is

	// Fields
	private IUnitController _unitController; // 0xC
	[CompilerGeneratedAttribute] // RVA: 0x3BBE24 Offset: 0x3BBE24 VA: 0x3BBE24
	private int <PlayerId>k__BackingField; // 0x10
	[CompilerGeneratedAttribute] // RVA: 0x3BBE34 Offset: 0x3BBE34 VA: 0x3BBE34
	private bool <DespawnOnLoad>k__BackingField; // 0x14
	private static RaycastHit2D[] rayhit; // 0x0
	private Collider2D[] _sharedHitColliders; // 0x18
	private static int _sharedEnemiesLayer; // 0x4
	private static int _sharedWildlifeLayer; // 0x8
	private static int _sharedObstaclesLayer; // 0xC
	private static readonly int APPrepare; // 0x10
	private static readonly int APShoot; // 0x14
	private static readonly int APShootPerfect; // 0x18
	private static readonly int APStand; // 0x1C
	private static readonly int APAttack; // 0x20
	private static readonly int APUseSpear; // 0x24
	private static readonly int APUseShield; // 0x28
	private static readonly int APIdleness; // 0x2C
	private static readonly int APSpeed; // 0x30
	[HeaderAttribute] // RVA: 0x3BBE44 Offset: 0x3BBE44 VA: 0x3BBE44
	public float maxForce; // 0x1C
	public float maxError; // 0x20
	public int minAttempts; // 0x24
	public int maxAttempts; // 0x28
	public float shootPrepTime; // 0x2C
	public float shootIntervalTime; // 0x30
	public float shootCooldownTime; // 0x34
	public float playerShootCooldownTime; // 0x38
	public float playerAttackCooldownTime; // 0x3C
	public float shootCooldownWithKnightTime; // 0x40
	public float shootRange; // 0x44
	public float fleeRange; // 0x48
	public float towerShootRange; // 0x4C
	[RangeAttribute] // RVA: 0x3BBE78 Offset: 0x3BBE78 VA: 0x3BBE78
	public float perfectArrowProbability; // 0x50
	[RangeAttribute] // RVA: 0x3BBE90 Offset: 0x3BBE90 VA: 0x3BBE90
	public float dropInWaterProbability; // 0x54
	[SerializeField] // RVA: 0x3BBEA8 Offset: 0x3BBEA8 VA: 0x3BBEA8
	private GameObject pseudoTarget; // 0x58
	private float _nextPlayerShootTime; // 0x5C
	private float _nextPlayerAttackTime; // 0x60
	[HeaderAttribute] // RVA: 0x3BBEB8 Offset: 0x3BBEB8 VA: 0x3BBEB8
	public float walkSpeed; // 0x64
	public float runSpeed; // 0x68
	public float coinPickupRange; // 0x6C
	public float maxPursueDistance; // 0x70
	public float maxLead; // 0x74
	public FloatRange borderHuntRange; // 0x78
	[SerializeField] // RVA: 0x3BBEEC Offset: 0x3BBEEC VA: 0x3BBEEC
	[TimeOfDayAttribute] // RVA: 0x3BBEEC Offset: 0x3BBEEC VA: 0x3BBEEC
	private float returnToWallTime; // 0x80
	public bool harmless; // 0x84
	public Arrow arrowPrefab; // 0x88
	public RuntimeAnimatorController hunterAnimator; // 0x8C
	public RuntimeAnimatorController soldierAnimator; // 0x90
	[HeaderAttribute] // RVA: 0x3BBF1C Offset: 0x3BBF1C VA: 0x3BBF1C
	public AudioEmitter climbTowerSound; // 0x94
	public AudioEmitter shootSound; // 0x98
	public AudioEmitter buffedShootSound; // 0x9C
	public AudioEmitter meleeSound; // 0xA0
	[HeaderAttribute] // RVA: 0x3BBF50 Offset: 0x3BBF50 VA: 0x3BBF50
	public FloatRange distanceFromWall; // 0xA4
	private FloatRange _distanceFromWallModified; // 0xAC
	private float _guardPos; // 0xB4
	public FloatRange distanceFromKnight; // 0xB8
	[HideInInspector] // RVA: 0x3BBF84 Offset: 0x3BBF84 VA: 0x3BBF84
	public float knightFollowDistance; // 0xC0
	protected CRPCHeader parentHeaderRef; // 0xC4
	protected int _setGuardRPCIndex; // 0xC8
	protected int _handleGuardSlotIndex; // 0xCC
	protected int _requestGuardSlotIndex; // 0xD0
	protected int _embarkIndex; // 0xD4
	protected int _absoluteFaceIndex; // 0xD8
	protected int _archerBuffedIndex; // 0xDC
	protected int _hideStatusIndex; // 0xE0
	protected int _sendCameraFocusRequest; // 0xE4
	protected int _sendControllerIndex; // 0xE8
	private Animator _animator; // 0xEC
	private Mover _mover; // 0xF0
	private Rigidbody2D _rigidbody; // 0xF4
	private SpriteRenderer _spriteRenderer; // 0xF8
	private Wallet _wallet; // 0xFC
	private Wallet _originalWallet; // 0x100
	private FixedTransform _fixedTransform; // 0x104
	private Character _character; // 0x108
	private Damageable _damageable; // 0x10C
	private PushablePusher _pusher; // 0x110
	private Scanner _enemyScanner; // 0x114
	private Scanner _wildlifeScanner; // 0x118
	private Scanner _coinScanner; // 0x11C
	private float _cooldown; // 0x120
	private float _lastGlobalScan; // 0x124
	private AnimationSync _animSyncRef; // 0x128
	private float _cooldownReduction; // 0x12C
	private float _avoidPortalRange; // 0x130
	private Coin _targetCoin; // 0x134
	private Formation _currentFormation; // 0x138
	private GameObject _shootingTarget; // 0x13C
	private GameObject _huntingTarget; // 0x140
	private GuardSlot _guardSlot; // 0x144
	[CompilerGeneratedAttribute] // RVA: 0x3BBF94 Offset: 0x3BBF94 VA: 0x3BBF94
	private bool <inGuardSlot>k__BackingField; // 0x148
	[SerializeField] // RVA: 0x3BBFA4 Offset: 0x3BBFA4 VA: 0x3BBFA4
	private Side _guardSide; // 0x14C
	private int _guardDepth; // 0x150
	private Knight _knight; // 0x154
	private bool _isWearingBannerColor; // 0x158
	private bool _controllableSprinting; // 0x159
	private IHaglet behaviour; // 0x15C
	private IHaglet shoot; // 0x160
	private IHaglet attack; // 0x164
	private PositionSync cachedPosSync; // 0x168
	private Persistent persistent; // 0x16C
	[CompilerGeneratedAttribute] // RVA: 0x3BBFB4 Offset: 0x3BBFB4 VA: 0x3BBFB4
	private bool <IsBuffed>k__BackingField; // 0x170
	[CompilerGeneratedAttribute] // RVA: 0x3BBFC4 Offset: 0x3BBFC4 VA: 0x3BBFC4
	private UnlockNewRulerStatue <newRulerStatue>k__BackingField; // 0x174
	[CompilerGeneratedAttribute] // RVA: 0x3BBFD4 Offset: 0x3BBFD4 VA: 0x3BBFD4
	private HelPuzzlePillar <helPuzzlePillar>k__BackingField; // 0x178
	private Boat _boat; // 0x17C
	[HeaderAttribute] // RVA: 0x3BBFE4 Offset: 0x3BBFE4 VA: 0x3BBFE4
	[SerializeField] // RVA: 0x3BBFE4 Offset: 0x3BBFE4 VA: 0x3BBFE4
	private float shieldSpotRange; // 0x180
	[SerializeField] // RVA: 0x3BC02C Offset: 0x3BC02C VA: 0x3BC02C
	private float shieldScanInterval; // 0x184
	private NpcShieldUser _npcShieldUser; // 0x188
	private Droppable targetShield; // 0x18C
	private Archer.AttackMode _desiredAttackMode; // 0x190
	private Archer.AttackMode _attackMode; // 0x194
	[SerializeField] // RVA: 0x3BC03C Offset: 0x3BC03C VA: 0x3BC03C
	private float _meleeAttackRange; // 0x198
	[SerializeField] // RVA: 0x3BC04C Offset: 0x3BC04C VA: 0x3BC04C
	private float _meleeAttackPredictAheadTime; // 0x19C
	[SerializeField] // RVA: 0x3BC05C Offset: 0x3BC05C VA: 0x3BC05C
	private float _meleeCooldown; // 0x1A0
	[SerializeField] // RVA: 0x3BC06C Offset: 0x3BC06C VA: 0x3BC06C
	private int _meleeDamage; // 0x1A4
	[SerializeField] // RVA: 0x3BC07C Offset: 0x3BC07C VA: 0x3BC07C
	private int _meleeMaxHitsPerAttack; // 0x1A8
	private Damageable _meleeTarget; // 0x1AC
	private bool _meleeAttackPlaying; // 0x1B0
	[SerializeField] // RVA: 0x3BC08C Offset: 0x3BC08C VA: 0x3BC08C
	private Rect _hitBox; // 0x1B4
	[HeaderAttribute] // RVA: 0x3BC09C Offset: 0x3BC09C VA: 0x3BC09C
	[SerializeField] // RVA: 0x3BC09C Offset: 0x3BC09C VA: 0x3BC09C
	private float _switchWeaponsButtonDuration; // 0x1C4
	private bool _downKeyPressed; // 0x1C8
	private bool _playerAttackModeChanged; // 0x1C9
	private float _switchWeaponsTimer; // 0x1CC
	private float _arrowLength; // 0x1D0
	private const int Stand = 1;
	private const int FollowKnight = 2;
	private const int GoToTower = 4;
	private const int GoToWall = 8;
	private const int Hunt = 16;
	private const int GrabCoin = 32;
	private const int Flee = 64;
	private const int Held = 128;
	private const int Grabbed = 256;
	private const int Inert = 512;
	private const int InFormation = 1024;
	private const int FreeRuler = 2048;
	private const int GrabShield = 4096;
	private const int SwitchWeapons = 8192;
	private const int GoToOfferingPillar = 16384;
	private const int PlayerControl = 32768;
	private static readonly Formation.UnitTypes[] FormationUnitType; // 0x34

And THIS one

// Fields
	public int hitDamage; // 0xC
	public int perfectDamageMultiplier; // 0x10
	public bool shouldOrientate; // 0x14
	public bool canBounce; // 0x15
	[HeaderAttribute] // RVA: 0x3BC0E4 Offset: 0x3BC0E4 VA: 0x3BC0E4
	public bool isFireArrow; // 0x16
	public int damagePerTick; // 0x18
	public int damageTicks; // 0x1C
	public float damageDelayOffset; // 0x20
	public float damageDelayTime; // 0x24
	[HeaderAttribute] // RVA: 0x3BC118 Offset: 0x3BC118 VA: 0x3BC118
	public AudioEmitter wallHitSound; // 0x28
	public AudioEmitter groundHitSound; // 0x2C
	public AudioEmitter waterHitSound; // 0x30
	[HeaderAttribute] // RVA: 0x3BC14C Offset: 0x3BC14C VA: 0x3BC14C
	public GameObject archer; // 0x34
	private bool _orientToVelocity; // 0x38
	private bool _has***; // 0x39
	private Rigidbody2D _rigidbody; // 0x3C
	private Collider2D _collider; // 0x40
	private TrailRenderer _trail; // 0x44
	private bool _perfect; // 0x48
	private NetworkSoftSimulator _softSim; // 0x4C
	private bool authorityActive; // 0x50

	// Methods

	// RVA: 0xCB69A0 Offset: 0xCB69A0 VA: 0xCB69A0
	// Named like the Unity Awake lifecycle message; this listing holds only an
	// empty stub, the native body is at the RVA given in the comment above.
	private void Awake() { }

	// RVA: 0xCB6B0C Offset: 0xCB6B0C VA: 0xCB6B0C
	// Named like the Unity OnEnable message; body not recovered by the dump
	// (native code at the RVA in the comment above).
	private void OnEnable() { }

	// RVA: 0xCB6BF0 Offset: 0xCB6BF0 VA: 0xCB6BF0
	// Public, parameterless entry point. Only the signature survives in this
	// listing; what it does is not recoverable from the stub.
	public void DropInWater() { }

	// RVA: 0xCB6CA0 Offset: 0xCB6CA0 VA: 0xCB6CA0
	// Public, parameterless entry point; empty stub, behaviour lives in the
	// native code referenced by the RVA comment above.
	public void PerfectShot() { }

	// RVA: 0xCB6BA4 Offset: 0xCB6BA4 VA: 0xCB6BA4
	// Private helper; the dump gives no body, so its effect cannot be stated
	// from this listing (presumably related to the _trail field — confirm).
	private void EnableTrail() { }

	[IteratorStateMachineAttribute] // RVA: 0x3D1404 Offset: 0x3D1404 VA: 0x3D1404
	// RVA: 0xCB6C28 Offset: 0xCB6C28 VA: 0xCB6C28
	// Returns IEnumerator and carries IteratorStateMachineAttribute, i.e. the
	// compiler turned it into an iterator state machine (coroutine-style).
	// The iterator body itself is not present in this listing.
	private IEnumerator DropInWaterInternal() { }

	// RVA: 0xCB6CAC Offset: 0xCB6CAC VA: 0xCB6CAC
	// Named like the Unity OnDestroy message; empty stub, native body at the
	// RVA in the comment above.
	private void OnDestroy() { }

	// RVA: 0xCB6D28 Offset: 0xCB6D28 VA: 0xCB6D28
	// Named like the Unity LateUpdate message; body not included in the dump.
	private void LateUpdate() { }

	// RVA: 0xCB6DF8 Offset: 0xCB6DF8 VA: 0xCB6DF8
	// Named like the Unity 2D physics callback OnCollisionEnter2D; takes the
	// Collision2D argument that signature implies. Body not in this listing.
	private void OnCollisionEnter2D(Collision2D collision) { }

	// RVA: 0xCB7630 Offset: 0xCB7630 VA: 0xCB7630
	// Named like the Unity 2D trigger callback OnTriggerEnter2D; receives a
	// Collider2D. Empty stub — native body at the RVA above.
	private void OnTriggerEnter2D(Collider2D collider) { }

	// RVA: 0xCB6E34 Offset: 0xCB6E34 VA: 0xCB6E34
	// Private helper taking a GameObject and a bool flag; the meaning of
	// physicalHit is not recoverable from the stub — do not assume it.
	private void HitObject(GameObject target, bool physicalHit) { }

	// RVA: 0xCB766C Offset: 0xCB766C VA: 0xCB766C Slot: 4
	// The "Slot: 4" in the comment above suggests a virtual/interface slot
	// (likely an interface implementation — confirm). Body not in listing.
	public void HandleAuthorityChange(bool newAuthorityState) { }

	// RVA: 0xCB6A94 Offset: 0xCB6A94 VA: 0xCB6A94 Slot: 5
	// Slot 5 per the comment above (presumably a virtual/interface member —
	// confirm). Empty stub; native body at the RVA above.
	public void RegisterWithNetworkBoss() { }

	// RVA: 0xCB6CB0 Offset: 0xCB6CB0 VA: 0xCB6CB0 Slot: 6
	// Slot 6 per the comment above; counterpart name to RegisterWithNetworkBoss,
	// but the pairing is inferred from naming only. Body not in listing.
	public void DeregisterWithNetworkBoss() { }

	// RVA: 0xCB7674 Offset: 0xCB7674 VA: 0xCB7674 Slot: 7
	// Slot 7 per the comment above (virtual/interface slot — confirm).
	// Empty stub; behaviour lives in native code at the RVA above.
	public void ReceiveInitialise() { }

	// RVA: 0xCB7868 Offset: 0xCB7868 VA: 0xCB7868 Slot: 8
	// Slot 8 per the comment above (virtual/interface slot — confirm).
	// Empty stub; body not recovered by the dump.
	public void PostRecvStop() { }

	// RVA: 0xCB7874 Offset: 0xCB7874 VA: 0xCB7874
	// Instance constructor shown under its CLR metadata name. ".ctor" is not
	// valid C# source, so this listing is a dump rendering, not compilable code.
	public void .ctor() { }
}


As you see, walkSpeed is showing 0x64 ..

Attack speed is something like it too

Wtf should i do with this?!

And could someone explain to me what the difference is between RVA, VA and offset..?

Aren't they all offsets?!

And i know how to search for the offset

Xa>il2cpp> offset calculator, 0CB6CAC

 

Thx in advance

 

 


Posted
On 2/3/2024 at 11:31 AM, OREW said:

And could someone explain to me what the difference is between RVA, VA and offset..?

Aren't they all offsets?!

 

And i know how to search for the offset

 

Xa>il2cpp> offset calculator, 0CB6CAC

RVA is the offset from the start of a file and VA is the offset from the start of where the file was located in the process virtual memory. https://stackoverflow.com/questions/2170843/va-virtual-address-rva-relative-virtual-address

You can make sense of VA clearly when you dump the libraries with GG.

When searching for fields like Walkspeed at offset 0x64 you can use field offset searcher:

Field Offset Finder (#yyzay1k)

put in the name of the class the field belongs to, its offset and data type, and it will usually give you the value.

 

 

Posted
On 2/11/2024 at 11:24 AM, nok1a said:

RVA is the offset from the start of a file and VA is the offset from the start of where the file was located in the process virtual memory. https://stackoverflow.com/questions/2170843/va-virtual-address-rva-relative-virtual-address

You can make sense of VA clearly when you dump the libraries with GG.

When searching for fields like Walkspeed at offset 0x64 you can use field offset searcher:

Field Offset Finder (#yyzay1k)

put in the name of the class the field belongs to, its offset and data type, and it will usually give you the value.

 

 

Thx for replying and the explanation

 Well, about RVA and VA, I will look into it more; thx for the article

 

And for the field finder, I have already done my test on it but nothing works 😕

The given value is not what is required, there is an error, or it is not modifiable 🐧💔

Posted

Hi @OREW,

Quote

And for the field finder i have already did my test on the but nothing works

Have you tried GGIL2CPP? Fields are different from methods. You need to find the class object (pointer) and then add the field offset to it. Or you can just find the class name string -> pointer (usually Cd) -> add the field offset to each pointer and check whether the value matches the current in-game values. There might be multiple pointers because some old field instances/class objects have not yet been flushed/removed from memory.

Quote

The given value is not what is required, there is an error, or it is not modifiable

"Walkspeed" field is public, so it should be modifiable.

Posted
15 hours ago, MC874 said:

Hi @OREW,

Have you tried GGIL2CPP? Fields are different from methods. You need to find the class object (pointer) and then add the field offset to it. Or you can just find the class name string -> pointer (usually Cd) -> add the field offset to each pointer and check whether the value matches the current in-game values. There might be multiple pointers because some old field instances/class objects have not yet been flushed/removed from memory.

"Walkspeed" field is public, so it should be modifiable.

Interesting comment

Thx i will check it out
