Everything posted by Ted2
Help/Support [IDA] Is this Function Hackable?
Ted2 replied to Ted2's topic in Android Help & Support
Changing .text:000F4DA4 MOV R5, R1 to .text:000F4DA4 MOV R5, R0 will not decrease lives, so does anyone know why it does? I have seriously no idea what I am doing lol
Help/Support [IDA] Is this Function Hackable?
Ted2 replied to Ted2's topic in Android Help & Support
Oh well. This is an Android game called Candy Crush Saga v1.0.6
Help/Support [IDA] Is this Function Hackable?
Ted2 replied to Ted2's topic in Android Help & Support
Why would that work? Will try, but... Edit: crashes the game.
Help/Support [IDA] Is this Function Hackable?
Ted2 replied to Ted2's topic in Android Help & Support
Hahah np...
Help/Support [IDA] Is this Function Hackable?
Ted2 replied to Ted2's topic in Android Help & Support
mshook on an Android .so? And yes, I am sure. I tried playing a level and it says not enough lives. I already tested it, I already told you the results, so....
I'm here again... Someone told me to practice with an old version of Candy Crush because this would be "easy"... I thought this function is hackable. I did this:

    ; _DWORD __fastcall CSaveData::SetNumLives(CSaveData *__hidden this, int)
    EXPORT _ZN9CSaveData11SetNumLivesEi
    _ZN9CSaveData11SetNumLivesEi
        STMFD   SP!, {R4-R6,LR}
        MOV     R4, R0
        LDR     R6, [R0,#0x29C]      --> LDR R6, [R7,#0x29C]
        MOV     R5, R1
        BL      _ZN9CSaveData14GetNumMaxLivesEv ; CSaveData::GetNumMaxLives(void)
        CMP     R6, R0
        BLT     loc_F4DC0
    loc_F4DC0
        STR     R5, [R4,#0x29C]      --> STR R7, [R4,#0x29C]
        LDMFD   SP!, {R4-R6,PC}
    ; End of function CSaveData::SetNumLives(int)

I thought this would be it because the LDR function says #0x29C and so does the STR function. Results: after playing one level it gave me a negative number of lives... any help?
-
Help/Support Why doesn't it increase when I change this function?
Ted2 replied to Ted2's topic in Help & Support
Thank you, if it's true.
Help/Support Why doesn't it increase when I change this function?
Ted2 replied to Ted2's topic in Help & Support
Oh. Can you tell me some?
Help/Support Why doesn't it increase when I change this function?
Ted2 replied to Ted2's topic in Help & Support
Yes... but don't I need to understand the basics of changing functions before doing it on games which are 874887 times harder?
Help/Support Why doesn't it increase when I change this function?
Ted2 replied to Ted2's topic in Help & Support
When I try that I don't even know what I have to search for. I am trying to learn IDA hacking....
Help/Support Why doesn't it increase when I change this function?
Ted2 replied to Ted2's topic in Help & Support
I know. Flex 2 can do it too. I just want to learn it...
Help/Support Why doesn't it increase when I change this function?
Ted2 posted a topic in Help & Support
Hi, I am here again. I really want to learn IDA game hacking but still nothing is successful. This is the code:

    ; ShopViewController - (void)setEstoqueDeRetry:(int)
    ; void __cdecl -[ShopViewController setEstoqueDeRetry:](struct ShopViewController *self, SEL, int)
    __ShopViewController_setEstoqueDeRetry__
        MOV     R1, #(_OBJC_IVAR_$_ShopViewController.estoqueDeRetry - 0x50244) ; int estoqueDeRetry;
        ADD     R1, PC          ; int estoqueDeRetry;
        LDR     R1, [R1]        ; int estoqueDeRetry;
        STR     R2, [R0,R1]
        BX      LR

I changed it to:

    ; ShopViewController - (void)setEstoqueDeRetry:(int)
    ; void __cdecl -[ShopViewController setEstoqueDeRetry:](struct ShopViewController *self, SEL, int)
    __ShopViewController_setEstoqueDeRetry__
        MOV     R1, #(_OBJC_IVAR_$_ShopViewController.estoqueDeRetry - 0x50244) ; int estoqueDeRetry;
        ADD     R1, PC          ; int estoqueDeRetry;
        LDR     R7, [R1]        ; int estoqueDeRetry;
        STR     R7, [R0,R1]
        BX      LR

It does act like a NOP to me now :// any help..?
Hmm not working. Guess the function isn't hackable then?
-
Hey there! A new tutorial for you guys. Today I'll show you how to hack Unity games. The file you will hack in a Unity game is here: apk-assets-bin-Data-Managed-Assembly-CSharp.dll

What do we need?
- Java SE v8
- .Net Reflector --> http://bit.ly/28YD3WW (Cracked version)
- Reflexil to edit the functions more easily --> http://reflexil.net/ OR http://bit.ly/28WgqC6
- The apk you want to hack. I use Subway Surfers for this version (I'll use an old version because Bluestacks can't handle a new version)
- 7zip, WinRAR etc. to unzip the .apk
- ZipSigner: https://play.google.com/store/apps/details?id=kellinwood.zipsigner2&hl=en

Apk I use: http://bit.ly/292NcGK

NOTE: Not every game is a Unity game.

Let's start!

Okay, so... Open the program .Net Reflector after you installed it. Load the Assembly-CSharp.dll in it. You find this file after you unzip the apk in: assets-bin-Data-Managed-HERE. I always remove all the other files on the left side using the "Delete/Del" button on your keyboard because they're annoying as f*ck. Once they're gone, open the file from the game in the program.

Let's set up Reflexil now. You've downloaded the Reflexil file; you should've unzipped it. In Reflector you see an option called "Tools", go to it, go to "Add-Ins" and now click on the "+" icon. Locate your unzipped folder and select "Reflexil.Reflector.AIO". Now go again to "Tools" and select Reflexil v2.0. It will look like this now:

Now click the search button or the "F3" button & now you have to turn on "Search Member" (CTRL + M) OR:

Okay, let's search for some functions. There are multiple options of course, but I'll name some here: Coins, Gems, Gold, Diamonds, Money, Cash, Currency, get_'gold, coins etc', get_amountof'coins, keys, etc', isUnlocked, isLocked, isFree, etc. etc. etc.

So, Subway Surfers does have a lot of features which can be hacked. Let's hack the coins, keys, boards & characters in this tutorial. Coins & keys are int values & boards & characters are boolean values.

Let's search for 'coins'. I got A LOT of matches, and so do you; I will not show you a screenshot. Let's search for 'get_coins'. You get only a few matches; normally when you find this match in a game you will hack it. I did it too, but it didn't have any effect, so I won't waste your time by doing it. Let's search for 'get_amountof'. We got this: It seems very interesting to me. Why? Well, we got matches with keys & coins + the declaring type is 'PlayerInfo'; in my opinion that's interesting. Let's double click 'get_amountOfCoins'. We got this: So what now? Well, ALWAYS delete this OpCode 'ldfld'. You don't want that one loaded. Now, change ldarg.0 to 'ldc.i4' by right-clicking on ldarg.0 and clicking edit. It will look like this: NOTE: Change Operand type to Int32!!!! Click 'Update' and do the same for 'get_amountOfKeys'.

Now let's unlock the hoverboards. Search for isUnlocked: no match, you'll see. Search for isHoverboardUnlocked. You got 2 matches; which one will you take? Well, the one with declaring type 'HoverboardStickerManager' says this: 'return PlayerInfo.Instance.isHoverboardUnlocked(type);' Double click isHoverboardUnlocked because it says that's what it returns. WOW! You got A LOT of bullsh*t around there. What do we want to do with the function? Return TRUE of course! What do we do now? In this menu (see picture) we have to keep only 2 instructions; it doesn't matter which ones. Just delete everything until you keep 2 instructions. After deleting until there are 2 instructions, it will look like this (you may have other instructions): I got this, you can get something totally different. I'll explain to you what this means anyway because we both need those instructions to hack it. See the OpCode of both:
- ldc.i4.0 --> FALSE
- ret --> RETURN --> Offset of ret is '1', this means "TRUE"
So it says: HoverboardUnlocked = FALSE = TRUE... hmmmm bleghhhh. What to do now?

Change the first instruction (ldc.i4.0) to ldc.i4.1; this means TRUE. IF your second instruction is NOT 'ret' then change it to 'ret'. What it says now: HoverboardUnlocked = TRUE = TRUE.

Let's do the same for the characters. Search for 'isCharacterUnlocked'; you may get more matches, I only get one... It tells me it returns 'PlayerInfo.Instance.IsCollectionComplete(type);'. Double click isCollectionComplete. Delete all instructions until you have 2 left. Change the first instruction to 'ldc.i4.1' and change the second to 'ret' (RETURN).

TIP: The Subway Surfers tutorial is very annoying in my opinion. Search for get_IsTutorialCompleted and return it to true like you did with the hoverboards & characters!

Okay... we're done. Save the Assembly-CSharp.dll. How? Click 'Save as...' --> locate the unzipped .apk-assets-bin-Data-Managed; it will tell you to save it as Assembly-CSharp.Patched.dll, but we want it as Assembly-CSharp.dll. It will ask if you want to overwrite; click yes. Locate your unzipped .apk, select ALL files, make a .zip archive but rename the .zip to .apk. Copy your .apk to your phone or to Bluestacks and sign it with ZipSigner. ZipSigner: https://play.google.com/store/apps/details?id=kellinwood.zipsigner2&hl=en Open ZipSigner and find your .apk by clicking here: When you've found it, click 'Sign The File' and wait. After it's done signing, locate it in your file manager & install it. Open it when it's done.

NOTE: If you don't like non-serious people, skip the upcoming screenshot and go to the one after it lol... Moment of truth....... Silence please..... IS IT HACKED???! Kidding me, Bluestacks hates me: Let's open again -___- Ah, I got it working. Coins & Keys: Characters: Hoverboards:

Functions WE hacked:
- get_amountOfCoins
- get_amountOfKeys
- isHoverboardUnlocked
- isCharacterUnlocked
Some of you may also have done get_isTutorialCompleted because I mentioned that one too.

EXTRA:
- isThemeUnlockedForCharacter
- isThemeSeen
- isThemeOwned
- isThemeActive
- get_DoubleScore
- get_ScoreMultiplier
Declaring type 'PlayerInfo' has most of the functions to be hacked.

Hope you learned something from this tutorial! Credits: xShadowGhostx
-
I see this:

    bool __cdecl -[CurrencyWallet spendValue:](struct CurrencyWallet *self, SEL, unsigned int)
    __text:00071F40 __CurrencyWallet_spendValue__
    __text:00071F40     PUSH    {R4,R7,LR}
    __text:00071F42     ADD     R7, SP, #4
    __text:00071F44     MOV     R4, R0
    __text:00071F46     MOV     R0, #(_OBJC_IVAR_$_CurrencyWallet._quantity - 0x71F52) ; unsigned int _quantity;
    __text:00071F4E     ADD     R0, PC          ; unsigned int _quantity;
    __text:00071F50     LDR     R0, [R0]        ; unsigned int _quantity;
    __text:00071F52     LDR     R1, [R4,R0]
    __text:00071F54     CMP     R1, R2
    __text:00071F56     ITT     CC
    __text:00071F58     MOVCC   R0, #0
    __text:00071F5A     POPCC   {R4,R7,PC}
    __text:00071F5C     MOVW    R3, #(:lower16:(selRef_notifyChanges - 0x71F6C))
    __text:00071F60     SUBS    R1, R1, R2
    __text:00071F62     MOVT.W  R3, #(:upper16:(selRef_notifyChanges - 0x71F6C))
    __text:00071F66     STR     R1, [R4,R0]
    __text:00071F68     ADD     R3, PC          ; selRef_notifyChanges
    __text:00071F6A     MOV     R0, R4
    __text:00071F6C     LDR     R1, [R3]        ; "notifyChanges"
    __text:00071F6E     BLX.W   _objc_msgSend
    __text:00071F72     MOV     R0, #(selRef_persistQuantity - 0x71F7E)
    __text:00071F7A     ADD     R0, PC          ; selRef_persistQuantity
    __text:00071F7C     LDR     R1, [R0]        ; "persistQuantity"
    __text:00071F7E     MOV     R0, R4
    __text:00071F80     BLX.W   _objc_msgSend
    __text:00071F84     MOVS    R0, #1
    __text:00071F86     POP     {R4,R7,PC}

I assumed that after "__text:00071F56 ITT CC" something else started... not sure tho...
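As an added illustration (not code from the thread or the app), here is the -[CurrencyWallet spendValue:] listing above written out in C, instruction by instruction, so the ITT CC block can be read for what it is: the two instructions that follow it (MOVCC, POPCC) are a conditional early return taken when the unsigned compare sets "lower" (carry clear), not the start of a separate routine. The wallet struct and the two selector stand-ins are assumptions; only the _quantity ivar and the two selector names are visible in the disassembly.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the receiver: the listing only touches the
 * _quantity ivar (LDR/STR R1,[R4,R0]); the counters are assumptions
 * used to observe the two objc_msgSend calls. */
typedef struct {
    unsigned int quantity;   /* unsigned int _quantity */
    int notify_calls;        /* times "notifyChanges" was sent */
    int persist_calls;       /* times "persistQuantity" was sent */
} CurrencyWallet;

/* Stand-ins (assumed) for the two selectors sent through _objc_msgSend. */
static void notifyChanges(CurrencyWallet *self)   { self->notify_calls++; }
static void persistQuantity(CurrencyWallet *self) { self->persist_calls++; }

/* R0 = self, R1 = SEL (unused), R2 = value; returns bool in R0. */
bool spendValue(CurrencyWallet *self, unsigned int value)
{
    unsigned int quantity = self->quantity;  /* LDR R1, [R4,R0] */

    /* CMP R1, R2 sets the flags from (quantity - value) as unsigned.
     * ITT CC makes the next two instructions conditional on carry clear,
     * i.e. quantity < value: MOVCC R0,#0 then POPCC {R4,R7,PC} returns 0. */
    if (quantity < value) {
        return false;
    }

    /* Fall-through path, quantity >= value (equality is allowed: CC is not set). */
    self->quantity = quantity - value;   /* SUBS R1,R1,R2 ; STR R1,[R4,R0] */
    notifyChanges(self);                 /* BLX _objc_msgSend "notifyChanges" */
    persistQuantity(self);               /* BLX _objc_msgSend "persistQuantity" */
    return true;                         /* MOVS R0,#1 ; POP {R4,R7,PC} */
}

int main(void)
{
    CurrencyWallet w = { 10, 0, 0 };     /* constructed sample wallet */
    printf("spend 4  -> %d, left %u\n", spendValue(&w, 4), w.quantity);
    printf("spend 7  -> %d, left %u\n", spendValue(&w, 7), w.quantity);
    printf("spend 6  -> %d, left %u\n", spendValue(&w, 6), w.quantity);
    return 0;
}
```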
-
Will check in a few minutes. PC randomly turned off, so I have to load it again.