
A beginner's guide to brave frontier modding with IDA Pro [PICS]



  • 1 year later...
Posted

Can someone explain why he chose R0 right away? Like, I don't see R0 at all but he chooses R0 right off the bat :/ Got me confused; I'm also a beginner modder and that threw me off.

Any mod or someone who can explain that real quick?

Posted

Very nice guide. Please post a guide on how to disable anticheat in libs, like in the libs of PUBG Mobile. I have been waiting for this tutorial for so long 😘

  • 2 years later...
Posted

Thanks so much for the awesome tutorial; you made IDA Pro (a very overwhelming tool) seem easy to use and helped me mod a function with IDA Pro. I do have one question: I was confused by this line:

Quote

*Hint* You will need to use multipliers stated above to make your stats more than 255, thus needing at least 2 lines of instructions.

I am using arm64 (armv8), and my target function has four lines of code. Four lines should be very comfortable for returning whatever value I want. However, I am kind of stuck on how. The MUL command looks like it doesn't exist in arm64.

  • 4 months later...
Posted
On 11/10/2018 at 2:48 PM, Trolino said:

Can someone explain why he chose R0 right away? Like, I don't see R0 at all but he chooses R0 right off the bat 😕 Got me confused; I'm also a beginner modder and that threw me off.

Any mod or someone who can explain that real quick?

The return value of a function is always stored in r0.
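The two questions above (why the patch targets R0, and how to return a value larger than 255 in a handful of instructions on arm64) both come down to the calling convention and instruction encoding: under the ARM procedure call standard an integer result is handed back in r0 on 32-bit ARM and in w0/x0 on AArch64, and a single A32 `MOV Rd, #imm` only encodes an 8-bit immediate with a rotation, which is why one line tops out at small constants. The script below is an added example written for this thread, not code from the tutorial or from any poster: it assembles a "return this constant" stub for both 32-bit ARM (MOVW/MOVT + BX LR) and AArch64 (MOVZ/MOVK + RET) and writes it into a copy of the library at the function's file offset. The return value, the file offset and the 32-byte stand-in for the `.so` are constructed for illustration; take the real offset from IDA.

```javascript
// Added example for this thread (not the tutorial's code). Node.js, no dependencies.

// AAPCS: an integer return value leaves the function in r0 (A32) or w0/x0 (A64).
// That is why the stub writes r0/w0 no matter what the original body computed.
const RD = 0;

// 32-bit ARM, ARM (not Thumb) mode. MOVW loads the low 16 bits and zeroes the rest;
// MOVT fills the high 16. The classic MOV #imm8 (rotated) form is what limits a single
// line to small constants; MOVW/MOVT covers any 32-bit value in at most two lines.
function encodeReturnConstA32(value) {
  if (!Number.isInteger(value) || value < 0 || value > 0xFFFFFFFF) {
    throw new RangeError('value must fit in 32 bits');
  }
  const lo = value & 0xFFFF;
  const hi = (value >>> 16) & 0xFFFF;
  const movw = 0xE3000000 | ((lo >>> 12) << 16) | (RD << 12) | (lo & 0xFFF); // MOVW r0, #lo
  const movt = 0xE3400000 | ((hi >>> 12) << 16) | (RD << 12) | (hi & 0xFFF); // MOVT r0, #hi
  const bxlr = 0xE12FFF1E;                                                     // BX LR
  const words = hi === 0 ? [movw, bxlr] : [movw, movt, bxlr];
  return words.map(w => w >>> 0); // JS bitwise ops are signed; normalise to uint32
}

// AArch64. MOVZ writes one 16-bit chunk and clears the rest; MOVK patches in each further
// non-zero chunk. wide=false targets w0 (32-bit int return), wide=true targets x0.
function encodeReturnConstA64(value, wide = false) {
  const v = BigInt(value);
  const max = wide ? 0xFFFFFFFFFFFFFFFFn : 0xFFFFFFFFn;
  if (v < 0n || v > max) throw new RangeError('value out of range for the register');
  const sf = wide ? 0x80000000 : 0; // bit 31 selects the 64-bit form
  const words = [];
  words.push(sf | 0x52800000 | (Number(v & 0xFFFFn) << 5) | RD);          // MOVZ w0, #chunk0
  for (let hw = 1; hw < (wide ? 4 : 2); hw++) {
    const chunk = Number((v >> BigInt(16 * hw)) & 0xFFFFn);
    if (chunk !== 0) {
      words.push(sf | 0x72800000 | (hw << 21) | (chunk << 5) | RD);       // MOVK w0, #chunk, LSL #(16*hw)
    }
  }
  words.push(0xD65F03C0);                                                  // RET
  return words.map(w => w >>> 0);
}

// Write the instruction words little-endian into a copy of the library image at the
// function's file offset (IDA shows it in the output window / via Edit > Patch program).
// The stub must not be longer than the function it replaces, and the modified .so has
// to go back into a re-signed APK.
function applyPatch(image, fileOffset, words) {
  const out = Buffer.from(image); // copy; never patch the only copy you have
  if (fileOffset + words.length * 4 > out.length) {
    throw new RangeError('patch runs past the end of the file');
  }
  words.forEach((w, i) => out.writeUInt32LE(w, fileOffset + i * 4));
  return out;
}

// Demo on a constructed 32-byte stand-in for a .so (assumption: function at file offset 0x10).
const fakeLib = Buffer.alloc(32);
const patched = applyPatch(fakeLib, 0x10, encodeReturnConstA64(9999));
console.log('arm64 stub bytes:', patched.subarray(0x10, 0x18).toString('hex'));
console.log('arm32 stub words:', encodeReturnConstA32(9999).map(w => w.toString(16)));
```

Disassemble the bytes you wrote back in IDA before repacking: a value that needed MOVK where the original function was only two instructions long has overwritten the next function's prologue.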

Posted (edited)

ALTERNATIVE MODDING
After you load the lib in IDA Pro (the game must have libc, maybe not in some cases), connect your phone to your PC and install Frida on your PC, plus VS Code and adb (go to YouTube for how to install Frida / adb).
Create a file in your workspace like "test.js".
In test.js write this basic hook code:

 

```javascript
// Poll until the target library is loaded, then hand its base address to the callback.
function awaitForCondition(callback) {
  var i = setInterval(function () {
    // Put the lib you want here; don't forget the .so
    var addr = Module.findBaseAddress('HERE YOU PUT THE LIB YOU WANT, DONT FORGET .SO');
    if (addr) {
      clearInterval(i);
      callback(addr); // pass the NativePointer itself; `+addr` would truncate 64-bit addresses
    }
  }, 0);
}
var lib = null;
Java.perform(function () {
  awaitForCondition(function (base) {
    lib = base;
    if (lib != null) {
      console.log(lib);
    }
  });
});
```

This code will hook the lib you put in and log its base address, same as Game Guardian.
After that, go to IDA Pro and find the function you want to hook, for example from this tutorial:
 MonsterUnit::getMaxHP()

After you have searched for the function, click on it and copy this part:
[screenshot from IDA]



Go back to test.js and write this code:

```javascript
// Resolve the function by its mangled C++ name (the name shown in IDA) and hook it.
var str = DebugSymbol.getFunctionByName('_ZN10BattleUnit12getBaseMaxHPEv');
Interceptor.attach(str, {
  onEnter: function (args) {
    // console.log('args 0: ' + args[0]);
  },
  onLeave: function (retval) {
    // console.log('Return Value : ' + retval);
  }
});
```

What this function does is log R0 and the return value of the function (you can change args[0] to any R1, R2, etc.).
Finally:
Attach your phone to your PC via USB. In a terminal, write adb devices to make sure adb is active.
Then from the VS Code terminal write: frida -Uf the game bundle name com.something -l .\test.js --no-pause
-U means USB, -f means force
-l means the file to inject
--no-pause is a parameter so Frida doesn't pause the game by default
NOTE: the script only console-logs the values; to change the args just set args[0] = the value you want (should be in hex, 0x...)
To change the return value: retval.replace(0x<the value you want in hex>)
WHY FRIDA?
* Mod the game in real time without changing the lib or game files
* You can change the SCRIPT while it's running
* You can bypass root detection / SSL pinning in the game
* Undetected server-side because it clones the lib you hooked in the script and performs a trampoline hook for all its functions
* You just need a little JavaScript / Python knowledge
Frida repo ---> frida.re
A tutorial found on YouTube --> Tuto (
in the tutorial he uses libil2cpp.so (debuggable = true), and the app should have libc in its lib folder or Frida won't work; you can make it work by hooking Java functions instead, and instead of IDA use jadx. Note: MORE ADVANCED)

------------------------------------------------------
"From my experience with Frida I hooked the encrypt function in a game and from that hook I successfully decrypted all the data from requests and hacked the game server-side with Burp Suite & Frida 🙂"

Edited by XEKEX
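The post above leaves two gaps a practitioner hits immediately: the function is often not exported, so `DebugSymbol.getFunctionByName` returns nothing and you have to rebase the address IDA shows onto the library's live base, and `retval.replace` needs a value that fits the return register. The script below is an added example written for this thread, not XEKEX's code: it waits for the library, resolves the function by export name with a fallback to the rebased IDA address, logs `this` and the original return value, and replaces the return value. `LIB_NAME`, `IDA_IMAGE_BASE`, `IDA_FUNC_ADDR` and `NEW_MAX_HP` are placeholders to swap for values from your own IDA session; the mangled symbol is the one quoted in the post. The hooking part only runs inside Frida; the two pure helpers also run under plain Node so they can be checked offline.

```javascript
// Added example for this thread (not the poster's code). Run with:
//   frida -U -f com.example.game -l hook.js --no-pause     (package name is an assumption)

const LIB_NAME = 'libgame.so';                      // assumption: the game's native library
const SYMBOL = '_ZN10BattleUnit12getBaseMaxHPEv';   // mangled name quoted in the post
const IDA_IMAGE_BASE = 0x0n;     // assumption: base IDA loaded the .so at (Segments window)
const IDA_FUNC_ADDR = 0x123456n; // assumption: address IDA shows for the function
const NEW_MAX_HP = 999999;       // assumption: the value we want getBaseMaxHP to return

// IDA addresses are relative to IDA's load base; at runtime the library sits at a
// randomised base (ASLR), so: runtime = moduleBase + (idaAddr - idaImageBase).
// BigInt keeps 64-bit addresses exact; coercing a NativePointer with unary `+`
// turns it into a double and silently loses bits above 2^53.
function idaToRuntime(moduleBase, idaAddr, idaImageBase) {
  const rebased = BigInt(String(moduleBase)) + (BigInt(idaAddr) - BigInt(idaImageBase));
  return '0x' + rebased.toString(16);
}

// Integer returns travel in r0/w0 (32-bit) or x0 (64-bit). Mask the replacement to the
// register width so the caller reads exactly the value you intended.
function fitToRegister(value, bits) {
  return BigInt(value) & ((1n << BigInt(bits)) - 1n);
}

// Poll until the library is mapped; games frequently dlopen it after startup.
function whenLoaded(libName, onReady) {
  const timer = setInterval(function () {
    const mod = Process.findModuleByName(libName);
    if (mod !== null) {
      clearInterval(timer);
      onReady(mod);
    }
  }, 100);
}

function installHook(mod) {
  // Exported symbol first; otherwise rebase the IDA address onto the live module.
  let target = mod.findExportByName(SYMBOL);
  if (target === null) {
    target = ptr(idaToRuntime(mod.base, IDA_FUNC_ADDR, IDA_IMAGE_BASE));
  }
  const bits = Process.pointerSize * 8;

  Interceptor.attach(target, {
    onEnter(args) {
      // For a C++ member function args[0] is `this` (r0/x0); real parameters start at args[1].
      this.self = args[0];
    },
    onLeave(retval) {
      const patched = fitToRegister(NEW_MAX_HP, bits);
      console.log(SYMBOL + ' this=' + this.self + ' returned ' + retval +
                  ', replacing with 0x' + patched.toString(16));
      retval.replace(ptr('0x' + patched.toString(16)));
    }
  });
  console.log('hooked ' + SYMBOL + ' at ' + target + ' (module base ' + mod.base + ')');
}

// These globals exist only inside Frida's JavaScript runtime; under plain Node the
// helpers above still load and can be exercised on their own.
if (typeof Interceptor !== 'undefined' && typeof Process !== 'undefined') {
  whenLoaded(LIB_NAME, installHook);
}
```

If `mod.findExportByName` keeps returning null, the binary has been stripped; compare `mod.base` against the first segment address IDA reports before trusting the rebased pointer, because an `IDA_IMAGE_BASE` mismatch lands the hook in the middle of an unrelated function.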
