Jump to content

A beginner's guide to brave frontier modding with IDA Pro [PICS]

xXL3g3ndXx

By xXL3g3ndXx
in Tutorials

 Share

Recommended Posts

  • 1 year later...
  • Replies 67
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

xXL3g3ndXx
xXL3g3ndXx

Introduction Starting as a legit player, I have been playing Brave Frontier for around 2 months. After that I got bored of the game and decided what exploits could be done to this game to get more fu

Optimum
Optimum

For non-rooted devices, the people will have to sign the apk first. Those are the steps I do when signing the apk.   1.All you have to do once you have done what you want with the libgame.so, move

AnonThanatos
AnonThanatos

Instruction to do nothing is a NOP ( No Operation ) HEX C0 46 or you can put 00 to make a byte not do anything.   like this [ 01 20 ] MOVS R0, #1 [ C0 46 ]NOP   or  [ 01 20 ] MOVS R0, #1 [ 00

Posted Images

Trolino Newbie

Trolino

Posted
Posted

Can someone explain why he chose R0 right away? Like i dont see R0 at all but he choses R0 right off the bat :/ Got me confused, im also a beginner modder and that threw me off.

Any mod or someone that can explain that real quick?

  • 5 months later...
  • 5 months later...
  • 2 months later...
shivam2002 Newbie

shivam2002

Posted
Posted

Very nice guide. Please post a guide on how to disable anticheat from libs.. Like in the libs of PUBG Mobile. I am waiting for this tutorial from so long😘

  • 2 years later...
HorridModz Rising Star

HorridModz

Posted
Posted

Thanks so much for the awesome tutorial, you made ida pro (a very overwhelming tool) seem easy to use and helped me mod a function with ida pro. I do have one question: I was confused on this line:

Quote

*Hint* You will need to use multipliers stated above to make your stats more than 255, thus needing at least 2 lines of instructions.

I am using arm64 (armv8), and my target function has four lines of code. For lines should be very comfortable for returning whatever value I want. However, I am kind of stuck on how. The Mul command looks like it doesn't exist in arm64.

  • 4 months later...
under_score Community Regular

under_score

Posted
Posted
On 11/10/2018 at 2:48 PM, Trolino said:

Can someone explain why he chose R0 right away? Like i dont see R0 at all but he choses R0 right off the bat 😕 Got me confused, im also a beginner modder and that threw me off.

Any mod or someone that can explain that real quick?

the return value of a function is always stored in r0

XEKEX Proficient

XEKEX

Posted
Posted (edited)

ALTERNATIVE MODDING 
after you load the lib in IDA pro (The game must have LIBC maybe not in some cases) connect ur phone with ur PC and download frida instrument in ur pc also vscode and adb ( go to youtube how to download frida / adb ) 
create a file in your workspace like "test.js"
in test.js write this basic hook code : 
 

Quote

function awaitForCondition(callback) {
  var i = setInterval(function () {
    var addr = Module.findBaseAddress('HERE U PUT THE LIB U WANT DON'T FORGET .SO');
      if (addr) {
          clearInterval(i);
          callback(+addr);
      }
  }, 0);
}
var lib = null;
Java.perform(function () {
    awaitForCondition(function (base) {
        lib = ptr(base);
        if (lib != null) {
        console.log(lib)
          }
    })
})

this code will hook the lib u put it and log it's base adress same as game guardian.
after that go to IDA pro and find what function u want to hook for example from this tutorial :  MonsterUnit::getMaxHP()

after u searched for the function click on it and copy this part :
hpzmwE3.thumb.png.ea6d5ffcbb15e7ff71f7707dc504374c.png



Go back to test.js and write this code : 
 

Quote


var str = DebugSymbol.getFunctionByName('_ZN10BattleUnit12getBaseMaxHPEv')
Interceptor.attach(str,{
  onEnter: function(args){
   // console.log('args 0: '+args[0])
  },
  onLeave: function(retval){
    //console.log('Return Value : '+retval)

  }
  })

What does this function is to log the R0 and the Return value of the function (you can change args[0] to any R1 .. R2 .. etc ) 
Finally : 
attach ur phone to ur pc via usb in terminal write adb devices to make sure adb is active 
then from vscode terminal write : frida -Uf the game bandlle name com.somthing -l .\test.js --no-pause
-U means usb f mean force 
-l means the file to inject 
--no-pause a parameter to frida to doesnt pause the game by default 
NOTE : the scipt only console log the values to change the args just make args[0] = the value u want (should be in hex 0x)
to change the return value : retval.replace(0xthe value u want in hex)
WHY FRIDA ?
* MOD the game realtime without changing the lib or game files
* You can change the SCRIPT while it's running
* You can Bypass root detection / SSL pinning from the game
* Undetected from server-side bc it clone the lib u hooked on the script and perform trampoline hook for all it's functions
* U just need a little javascript / py knowledge
Frida Repo ---> frida.re
A tuto found in youtube --> Tuto (in the tuto he use libil2cpp.so(debbugable = true) and the app should have libc in their lib file or frida won't work you can make it work by hooking java function instead of IDA use jadx note : MORE ADVANCED)
------------------------------------------------------
"From my experince with frida I hooked encrypt function in a game and from that hook I successfully decrypt all the data from requests and Hack the game server-side with burpsuite & frida 🙂 "

Edited by XEKEX
1

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.