
Final squad coin hack help


Lohifui


Name of Game: final squad 

Play Store Link (If it's a paid app, the apk): https://play.google.com/store/apps/details?id=com.YEMA.FinalSquad

Version: 1.032

What cheat? Health, xp, gold...: gold, diamond values visible

Have you tried cheating this game? What happened?: found the gold value as a DWORD, but editing the value while offline gives the error message "abnormality detected"

Comments: when clicking the gold value and pressing "go to" in GG, I can see the diamond value too, but editing it gives the same error

Screenshot_20240411-091205.jpg

Screenshot_20240411-091146.jpg

Screenshot_20240411-091141.jpg


Hi, your game is protected with CodeStage anti-cheat; thankfully this is one of the easy ones to bypass.
First you will need to dump the game using Il2cppDumperGUI or any il2cpp dumper of your choice.
Next you're going to look for the CodeStage detection methods.
Note those StartDetection methods: most have some overloads. If you want to be safe you will need to bypass them all; it is rare that the game uses them all, but better safe than sorry.
So here is the list and overloads.
 

CodeStage.AntiCheat.Detectors.ObscuredCheatingDetector StartDetection(); // 0x00818a3c
static CodeStage.AntiCheat.Detectors.ObscuredCheatingDetector StartDetection(System.Action callback); // 0x00818ce8
CodeStage.AntiCheat.Detectors.ObscuredCheatingDetector StartDetectionInternal(System.Action callback); // 0x00818b70
System.Void StartDetectionAutomatically(); // 0x00819058
static CodeStage.AntiCheat.Detectors.SpeedHackDetector StartDetection(); // 0x008190e0
static CodeStage.AntiCheat.Detectors.SpeedHackDetector StartDetection(System.Action callback); // 0x0081948c
static CodeStage.AntiCheat.Detectors.SpeedHackDetector StartDetection(System.Action callback, System.Single interval); // 0x008194e4
static CodeStage.AntiCheat.Detectors.SpeedHackDetector StartDetection(System.Action callback, System.Single interval, System.Byte maxFalsePositives); // 0x0081954c
static CodeStage.AntiCheat.Detectors.SpeedHackDetector StartDetection(System.Action callback, System.Single interval, System.Byte maxFalsePositives, System.Int32 coolDown); // 0x008195c4
CodeStage.AntiCheat.Detectors.SpeedHackDetector StartDetectionInternal(System.Action callback, System.Single checkInterval, System.Byte falsePositives, System.Int32 shotsTillCooldown); // 0x008192dc
System.Void StartDetectionAutomatically(); // 0x00819a54
static System.Void StartDetection(); // 0x00818648
static System.Void StartDetection(System.Action<System.String> callback); // 0x008186b0
System.Void StartDetectionAutomatically(); // 0x008187e8

There are two ways to bypass those.

1. You can just patch each of them using the "NOP RET/BX LR" opcode.
2. Allocate a memory page and replace those methods with their respective StopDetection, meaning that when the game calls StartDetection it will call StopDetection instead.

 

Now for GEMS/XP/Gold/Health

Note that at this stage, since you have already bypassed the anti-cheat, editing your stats won't trigger anything, but you first need to understand how ObscuredInt works.
Note that every obscured value you see on your screen is a fake value. You should not edit it directly; instead, edit the hidden value using the crypto key. Below is what you need to remember about the structure.

 

public struct ObscuredInt
{
		[FieldOffset(Offset = "0x0")]
		private int currentCryptoKey;

		[FieldOffset(Offset = "0x4")]
		private int hiddenValue;

		[FieldOffset(Offset = "0xC")]
		private int fakeValue; // what you see on screen
}

 

What you see on your screen is the fakeValue; to edit it you will need to edit the hidden value.
Here is how. (Note: offsets might vary depending on the game and version, so you had better have the latest dump and check the correct offsets.)

When you find an ObscuredInt fakeValue, you need to go back to the base pointer, so in this case fakeValue.Address - 0xC, which will bring you to currentCryptoKey. Copy the value of currentCryptoKey (as DWORD), then offset to currentCryptoKey.Address + 0x4, which will bring you to the hiddenValue. Now, to edit this to your desired value, you need to XOR (exclusive OR) your desired value with currentCryptoKey as the key. You can do that inside GG: you type the value, then apply the XOR key.

   

 

That's it, you are done. You can edit any ObscuredInt using this method.

Now, specifically for your game, there are some vulnerabilities that I found which you can exploit to edit your stats and in-game money. There are some methods like:
 

public class game_manager : MonoBehaviour
{
	[Address(RVA = "0xA65A94", Offset = "0xA65A94", VA = "0xA65A94")]
	public void gem_plus(int gem) { }

	[Address(RVA = "0xA65890", Offset = "0xA65890", VA = "0xA65890")]
	public void gold_plus(int gold) { }

	[Address(RVA = "0xA64DFC", Offset = "0xA64DFC", VA = "0xA64DFC")]
	public void iron_plus(int iron) { }
}

All of those share almost the same structure, so I will be giving an example only for gem_plus.
image.thumb.png.6088d75291206f176593b4f2202e0534.png

In this decompiled function gem_plus, you can see that they are loading the value of the ObscuredInt field

public ObscuredInt gem_total; // 0x2CC

into the variable puVar1. Later on they add its value + param_2, which is the gem parameter, to instantiate a new ObscuredInt from that sum. The result of that sum will be stored in the register W0, so all we have to do is hijack this register and change the value to what we want. Here is a video of how to do that.

This method does not trigger the anti-cheat because the game is writing a legitimate value for us. Also, if you want to move a large value, you might want to explore the MOVZ instruction, or you can allocate a memory page and spam multiple ADD instructions like this:
add w0, w0, #500000000

add w0, w0, #500000000
add w0, w0, #500000000
add w0, w0, #500000000
add w0, w0, #500000000

....
One last thing for gems: you will need to stay on the main screen, like in the video, when you start the game, because that function triggers only there.
I kinda like the game; I might continue working on it and update this thread.

Edited by MAARS
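Added example (not code from this thread, from CodeStage, or from the game): a small Python model of the ObscuredInt layout quoted in the post above, used to show why the first post's edit of the visible gold value ended in "abnormality detected". It assumes the offsets from the dump (crypto key at 0x0, hidden value at 0x4, on-screen value at 0xC), treats the 4 bytes at 0x8 as padding, and models the hidden value as the real value XORed with the key together with a comparison of the two copies. That is a simplified rendition of the honeypot design, not CodeStage's actual code; the key and the 1500-gold sample are constructed.

```python
import struct

# Field layout as quoted from the il2cpp dump above: crypto key at +0x0, masked
# value at +0x4, on-screen copy at +0xC. The 4 bytes at +0x8 are treated as
# padding in this model (assumption; the real struct keeps other fields there).
OFF_KEY, OFF_HIDDEN, OFF_FAKE = 0x0, 0x4, 0xC
LAYOUT = struct.Struct("<ii4xi")      # int32 key, int32 hidden, 4 pad bytes, int32 fake
SIZE = LAYOUT.size                    # 16 bytes


class ObscuredIntModel:
    """Simplified model of an ACTK-style ObscuredInt (assumption, not CodeStage code)."""

    def __init__(self, value: int, key: int) -> None:
        self.current_crypto_key = key
        self.hidden_value = value ^ key    # real value, XOR-masked with the per-instance key
        self.fake_value = value            # plaintext honeypot copy; this is what the UI shows

    def decrypt(self) -> int:
        """The value the game actually uses: unmask hiddenValue with the key."""
        return self.hidden_value ^ self.current_crypto_key

    def is_tampered(self) -> bool:
        """Honeypot check: the two copies must agree, otherwise something outside
        the game rewrote one of them (a memory scanner edits the visible one)."""
        return self.decrypt() != self.fake_value

    def to_bytes(self) -> bytes:
        return LAYOUT.pack(self.current_crypto_key, self.hidden_value, self.fake_value)

    @classmethod
    def from_bytes(cls, buf: bytes) -> "ObscuredIntModel":
        key, hidden, fake = LAYOUT.unpack(buf)
        obj = cls.__new__(cls)
        obj.current_crypto_key, obj.hidden_value, obj.fake_value = key, hidden, fake
        return obj


def read_dword(buf: bytes, offset: int) -> int:
    """Read a little-endian signed 32-bit value, like a DWORD search result."""
    return struct.unpack_from("<i", buf, offset)[0]


def write_dword(buf: bytes, offset: int, value: int) -> bytes:
    """Return a copy of buf with one DWORD overwritten (simulated memory edit)."""
    out = bytearray(buf)
    struct.pack_into("<i", out, offset, value)
    return bytes(out)


def simulate_visible_edit(buf: bytes, new_value: int) -> bytes:
    """What happens when the number shown on screen is found and overwritten:
    only the plaintext copy at +0xC changes, the masked copy at +0x4 does not."""
    return write_dword(buf, OFF_FAKE, new_value)


def detector_flags(buf: bytes) -> bool:
    """Run the honeypot comparison over raw struct bytes, as the detector would."""
    return ObscuredIntModel.from_bytes(buf).is_tampered()


if __name__ == "__main__":
    # constructed sample: 1500 gold with an arbitrary key
    gold = ObscuredIntModel(1500, 0x1F2E3D4C)
    memory = gold.to_bytes()
    print("visible copy at +0xC:", read_dword(memory, OFF_FAKE))
    print("masked copy at +0x4:", hex(read_dword(memory, OFF_HIDDEN)))
    edited = simulate_visible_edit(memory, 999999)
    print("after editing the visible copy, detector flags:", detector_flags(edited))
    print("game still reads:", ObscuredIntModel.from_bytes(edited).decrypt())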

4 hours ago, MAARS said:


Looks like I need to learn something new 🙂

Edit: after adding gems to the game, it looks like it freezes until you restart, so you can spend unlimited to get everything before closing the game 🙂

Edited by DoDevil

On 4/12/2024 at 2:41 AM, MAARS said:

next you're going to look for CodeStage detection methods.

I dumped the game with il2cpp; where do I look for the code? I am new to il2cpp, so any guide video or link to a tutorial would be helpful.


On 4/12/2024 at 2:41 AM, MAARS said:
CodeStage.AntiCheat.Detectors.ObscuredCheatingDetector

Where should I be looking for that? I got all the .dll files loaded into "dnSpy" but I can't find this, but I did find "mono security".

17129981059982301070447986057216.jpg


On 4/12/2024 at 2:41 AM, MAARS said:
CodeStage.AntiCheat.Detectors.ObscuredCheatingDetector StartDetection(); // 0x00818a3c
static

I did find something like this, but not the exact code or text, and I need help for

 

On 4/12/2024 at 2:41 AM, MAARS said:

you can just patch each of them using the "NOP RET/BX LR" opcode

I don't know how to do this or the next method.

Please help, I have come far from comfort and now I want to beat this anti-cheat.

17129993118378004137581146340993.jpg

17129993336558301081283581993424.jpg

