Offset with multiple values

[derbeyonder]

// RVA: 0xF91EE4 Offset: 0xF91EE4 VA: 0xF91EE4
    public SeafarerOffer CreateOffer(string itemId, int amount, int price, bool p_allianceOnly, bool post = True) { }

How can I change only "int price" value to 0 with the Offset?
If I change the Offset to 0, all other values in the Offset are also changed.

public class SeafarerOffer // TypeDefIndex: 13541
{
    // Fields
    public string id; // 0x10
    public string itemId; // 0x18
    public int amount; // 0x20
    public int price; // 0x24
    public string costItem; // 0x28
    public string status; // 0x30
    public string seller; // 0x38
    public string buyer; // 0x40
    public int voyage; // 0x48
    public long createdAt; // 0x50
    public bool autoBuy; // 0x58
    public int autobuyTime; // 0x5C
    public AuctionOffer.State tradeState; // 0x60
    public string trade_service_id; // 0x68
    public string errorType; // 0x70
    public bool allianceOnly; // 0x78
    public const string STATUS_AVALIABLE = "available";
    public const string STATUS_SOLD = "sold";
    public const string STATUS_DELETED = "deleted";

If I change the value of the Fields "public int price; // 0x24", it does not work.

Do I have to combine the Offset with the Fields?
If yes, how?

[MC874]

Hi @derbeyonder,

Quote

Do I have to combine the Offset with the Fields?

No, you don't have to. Just goto that method address and look for:

Find this instruction from the method:
mov [r1-r10], r3

Replace it with:
mov [r1-r10], #0

Since 'int price' is the 3rd parameter, it would likely that the value is saved on register r3. You can see it on Memory Viewer. If you didn't found it, the value might be on different register (from r1 to r10). Just test every single 'mov' instruction:

Search any 'mov' from the method:
mov [r1-r12], [r1-r10]

Replace it with:
mov [r1-r10], #0

If change all the mov from the method doesn't work, it is probably that the value is stored on some address and not on the register. If that's the case, look for any LDR instruction:

Find these instruction at the start of the method:
LDR [r1-r10], ...
LDRB [r1-r10], ...

and change it to:
MOV [r1-r10], #0

 

[derbeyonder]

2 hours ago, MC874 said:

No, you don't have to. Just goto that method address and look for:

I don't know how to do this. i just want to make a simple script. is this possible?

[derbeyonder]

9 hours ago, MC874 said:

Hi @derbeyonder,

No, you don't have to. Just goto that method address and look for:

Find this instruction from the method:
mov [r1-r10], r3

Replace it with:
mov [r1-r10], #0

Since 'int price' is the 3rd parameter, it would likely that the value is saved on register r3. You can see it on Memory Viewer. If you didn't found it, the value might be on different register (from r1 to r10). Just test every single 'mov' instruction:

Search any 'mov' from the method:
mov [r1-r12], [r1-r10]

Replace it with:
mov [r1-r10], #0

If change all the mov from the method doesn't work, it is probably that the value is stored on some address and not on the register. If that's the case, look for any LDR instruction:

Find these instruction at the start of the method:
LDR [r1-r10], ...
LDRB [r1-r10], ...

and change it to:
MOV [r1-r10], #0

 

i found it. what next?

[MC874]

Hi @derbeyonder,

Quote

i found it. what next?

Good, you're on the right track. You need to remember that method/function usually starts with 'PUSH' and ends with 'POP' or if you find another 'PUSH' it means that you're reaching another method/function. So, find any 'MOV' instruction beetween both 'PUSH', and make sure that it contains 'R3', something like this:

MOV ..., R3

and change the 'R3' to '#0'

[derbeyonder]

1 hour ago, MC874 said:

Hi @derbeyonder,

Good, you're on the right track. You need to remember that method/function usually starts with 'PUSH' and ends with 'POP' or if you find another 'PUSH' it means that you're reaching another method/function. So, find any 'MOV' instruction beetween both 'PUSH', and make sure that it contains 'R3', something like this:

MOV ..., R3

and change the 'R3' to '#0'

Thank you very much. It worked.

Next question:

1. Does the address I changed to #0 have an offset address in dump.cs? If not, how can I find the first 8 bytes of hex, from the address I changed with gameguardian, in libil2cpp.so file with a hex editor and change it to 00 00 A0 E3 1E FF 2F E1?

2.Or how can i make a simple gameguardian script? (I apologise for asking this question. I know how to make lua scripts. i have already made several lua scripts. but i can't figure out how to do it now. maybe i can figure it out later.)

[derbeyonder]

54 minutes ago, derbeyonder said:

2.Or how can i make a simple gameguardian script? (I apologise for asking this question. I know how to make lua scripts. i have already made several lua scripts. but i can't figure out how to do it now. maybe i can figure it out later.)

i have made script.

[derbeyonder]

3 hours ago, MC874 said:

MOV ..., R3

this is 64 bit. what do i have to find and change here?

[kiynox]

[ @derbeyonder ]
---

Quote

Does the address I changed to #0 have an offset address in dump.cs? 

It is function/method parameter, it's taking values from somewhere / field. It is likely that the value is from "public int price; // 0x24", so just change that instead.
---

Quote

If not, how can I find the first 8 bytes of hex, from the address I changed with gameguardian, in libil2cpp.so file with a hex editor and change it to 00 00 A0 E3 1E FF 2F E1?

What you're trying to do here? "00 00 A0 E3 1E FF 2F E1" is equivalent to:

mov r0, #0
bx lr

It is used for function/method that returns boolean/int/dword. It is not clear what "CreateOffer" method returns but I would say it is not returning anything, a void type method.
---

Quote

Or how can i make a simple gameguardian script?

Calculate the address that you've changed with the method address. In this case: 08938738 - 08938724 = 20 (decimal) or 14 (hex), so you would need to find method address first and add the offset to it:

base_address = 'do some logic here to find the method address from libil2cpp.so'
target_address = base_address + tonumber(20, 16)

---

[derbeyonder]

3 hours ago, kiynox said:

base_address = 'do some logic here to find the method address from libil2cpp.so'
target_address = base_address + tonumber(20, 16)

Offset: 0xF91EE4
this is the method offset address in libil2cpp.so
why is this address different in gameguardian (0DF91EE4)?

my working script:
base_address = '0x0DF91EE4'
target_address = base_address + tonumber(40)
gg.setValues({{address = target_address, flags = 4, value = "~A8 MOV W23, #0x1"}})

when i change base_address to 0xF91EE4, the script did not work.
when i change value = "~A8 MOV W23, #0x1" to "~A8 MOV W23, #0x0" i got en error (its's not important. i have no problem in game when i make #0x1)

[MC874]

Hi @derbeyonder,

Quote

why is this address different in gameguardian (0DF91EE4)?

It is not different, you're doing it incorrectly. As it's name, offset is displacement, so you need the first address where the libil2cpp is located:

lib_address = gg.getRangesList('libil2cpp.so')[1].start
method_address lib_address + 0x0DF91EE4

/*****************\

Quote

when i change value = "~A8 MOV W23, #0x1" to "~A8 MOV W23, #0x0" i got en error (its's not important. i have no problem in game when i make #0x1)

Try 'WZR', it is zero-point register, meaning the register value is always empty

MOV W23, WZR

Or try immediate value, I mean 0x0 is the same as #0

MOV W23, #0

Or you can enforce it by changing it's hex string to:

hF7031F2A
or
h17008052

/*****************\

[derbeyonder]

5 hours ago, MC874 said:

MOV W23, WZR

Thank you very much. Problem solved.

Game=Farmville 2 Contry Escape

Script Function=Sell Goods for 0 coin

Please note: When game version is updated, you must find and change method offset address in dump.cs

Script Code:

GVersion = '24.9.100'

if GVersion~=v.versionName then
print("This Script is for Game Version:\n"..GVersion.."\nYour Game Version is:\n"..v.versionName) 
gg.setVisible(true) os.exit() 
return
end

if gg.isVisible(true) then
gg.setVisible(false) end
v = gg.getTargetInfo()
if v.x64 then

lib_address = gg.getRangesList('libil2cpp.so')[1].start
method_address = lib_address + 0xF91EE4
base_address = method_address
target_address = base_address + tonumber(40)
gg.setValues({{address = target_address, flags = 4, value = "~A8 MOV W23, WZR"}})

else

lib_address = gg.getRangesList('libil2cpp.so')[1].start
method_address = lib_address + 0x938724
base_address = method_address
target_address = base_address + tonumber(20)
gg.setValues({{address = target_address, flags = 4, value = "~A MOV R9, #0"}})
end