
Jbro129
Senior Member, 261 posts

Everything posted by Jbro129

  1. VirtualApp is like Parallel Space, which allows you to launch apps from within a virtual environment inside of another app. I'm sure you have heard of VirtualXposed. You can use Xposed modules and run apps within a virtual environment without root or Xposed being present on your device. VirtualApp is a very powerful framework and is what made my old PG3D Mod Menu Launcher possible. I discontinued my launcher a long time ago and I have been absent from the modding community and YouTube for a long time as well. I want to share some of my modding knowledge, since a lot of what I know can't be found on any modding forum, which is why I decided to upload my project to GitHub. This isn't a tutorial. This is me showing how I managed to create my mod menu launcher so that anyone interested could use the code and/or techniques shared to create something themselves. Check it out here. I hope you guys like it.
  2. Yes, that is possible. BX LR the function. BX LR at the beginning of a void function would do what you are talking about:
         private void function() { // nothing here }
     BX LR won't necessarily return anything; it will just end the function like above. Using BX LR at the very start of a void will do what you want.
         BX LR
         ARM Hex   -> 1E FF 2F E1
         Thumb Hex -> 70 47
  3. I know a lot more conversions, but some are hard to explain. I'm glad you found this topic helpful.
  4. Check to see if you added hex in the libil2cpp.so instead of overwriting existing hex. That was one of my mistakes when I first started modding.
  5. I uploaded a video of this on Google Drive because I am too lazy to upload it unlisted to YouTube. :v Preview: https://drive.google.com/file/d/1BTqrBilqesIMh1frEA1Yg1-9Cw07dCsT/view?usp=sharing Info: Let me start off by somewhat explaining how I achieved this. We all know the legendary @shmoo (you better know him) and his amazing iOS modding tutorials. The crazy thing is that his best iOS tutorials (Instance variables and function pointers, and Static Members and Multithreading) are extremely similar to how Android C++ works! @shmoo has some aimbot demo code that you can learn from on his GitHub. Below I posted a somewhat "starter kit" to help others who want to do something similar. Before using this make sure to check out Shmoo's tutorials for a general understanding. Check It Out On GitHub. Hopefully this is the start to more Android C++ game mods. Credits/Thanks: @Jbro129 (MEEE) @shmoo (Legendary)
  6. You can use CPAD with it. CPAD adds dummy offsets and hex so you can hide the real ones. It's not included; it's optional. You can always use something like Stringer or Allatori to obfuscate the offsets and hex. Please use your head.
  7. Yes, it patches whichever is in /data/data/(whichever)/lib/lib.so at the time.
  8. No, this can be added to the game's files when used with APKTool. As long as the apk is compiled and signed afterwards it shouldn't need root.
  9. I have been talking about this for awhile... HERE WE GO!!! I apologize if you do not understand a part of this, I am bad at explaining things...

     Features:
     - Write hex to a specific lib.so (libil2cpp.so or others) at runtime.
     - Mixed with CPAntiDumper it is harder for leechers to L E E C H
     - Works on all types of Android games (Unity etc.)

     To Do:
     - Video tutorial
     - Write to multiple lib.so's
     - Make instructions easier to understand

     Download: [Hidden Content]

     Beginning Tutorial:
     1. If you have not read @ZahirSher's tutorial "How to add a Toast/Popup to your Android Mods" then read instructions 1 - 11. Once you have done this to your apk continue below.
     2. Download the code above ^^^
     3. Read the file "README.txt" in the zip file downloaded.
     4. In onCreate inside the smali file paste the code given inside of the txt file downloaded (it's inside of the two big lines).
     5. Change the text "/lib/libil2cpp.so" to the specific lib you want to write to. Unity is always going to be "/lib/libil2cpp.so". Others might be "/lib/libTerraria.so" or "/lib/libgameidk.so".
     6. Paste Inject.smali inside of the app's smali directory like this (create new folders if needed): /smali/com/jbro129/androidinject/Inject.smali

     Writing To The Lib:
     Here is the base smali code to put inside Inject.smali from what you downloaded (smali comments start with #):
         const/16 v1, 0x1234                  # the offset
         const-string/jumbo v2, "1EFF2FE1"    # the hex
         invoke-static {v1, v2}, Lcom/jbro129/androidinject/Inject;->write(ILjava/lang/String;)V    # write
     Inside of Inject.smali paste that code as many times as needed with your own offsets and hex.

     Rebuilding APK: "How to add a Toast/Popup to your Android Mods" instructions 13 - 17.

     Video Tutorial: Coming Soon!

     Credits: - @Jbro129 (me)
  10. I'm in the credits. Yes, I released this a long time ago.
  11. I am talking to @DiDA about me releasing it on iosgods. It can be used to help modders protect against leechers, but also could be used by the app creators to protect against the modders.
  12. I look on eBay by putting the phone I want and the iOS version in the search. "iPhone 6 iOS 9.0.2" is an example. I would go down the list of jailbreakable iOS versions until I find one for a good price.
  13. The software converts the dex into an encrypted library (a lib.so).
  14. Depends *.so modding or dex modding? For binary modding CPAD is a good idea. For dex modding I have a special free software that I found that can protect the dex.
  15. This is just a simple question, but when you hex edit the lib.so, do you write over existing hex or do you insert new hex? Sometimes when you paste inside of a hex editor it inserts instead of writing over the existing bytes.
  16. Possible wrong version. What happens when you try to open it? Any popup or error?
  17. What is the save file format? Is it a titanium backup? Helium backup? Or is it just a raw save file extracted from the game itself?
  18. Background
     I created a Unity project on my computer and wrote simple C# to then convert to ARM through Unity's il2cpp compiler. I have more complicated conversions but they would be pretty hard to explain. If you do want those conversions then make sure to comment below.

     Example Conversions

     Force True: C#
         private bool True() { return true; }
     Force True: IDA Arm
         MOV R0, #1
         BX LR
         hex -> 01 00 A0 E3 1E FF 2F E1

     Force False: C#
         private bool False() { return false; }
     Force False: IDA Arm
         MOV R0, #0
         BX LR
         hex -> 00 00 A0 E3 1E FF 2F E1

     Force positive int: C#
         private int pInt() { return 999; }
     Force positive int: IDA Arm
         MOV R0, #999
         BX LR
         hex -> E7 03 00 E3 1E FF 2F E1

     Force Float: C#
         private float pFloat() { return 999f; }   // encoded as 1000f below; see the note on 4-character immediates
     Force Float: IDA Arm
         MOVW R0, #0          ; clear the low half first, MOVT only writes bits 31:16
         MOVT R0, #0x447A     ; R0 = 0x447A0000 = 1000f (armeabi-v7a softfp returns floats in R0)
         BX LR
         hex -> 00 00 00 E3 7A 04 44 E3 1E FF 2F E1
         // 447A <= 447A0000 Float Hexadecimal
         // (the bytes 7A 04 04 E3 encode MOVW R0, #0x447A, which puts 447A in the LOW half, so MOVT is needed for the top half)
         // Convert Int to Float here - https://babbage.cs.qc.cuny.edu/IEEE-754.old/Decimal.html
         // Convert Float to Int here - https://babbage.cs.qc.cuny.edu/IEEE-754.old/32bit.html
     You CANNOT use hexadecimals longer than 4 characters long.
         Working example     => MOVT R0, #0x447A (1000 int)
         Not-Working Example => MOVT R0, #0x4479C (999 int)
     There is a way to use longer hexadecimal floating points with MOV and I plan on adding it in the future.

     Force Int or Float into a field: C#
         // float
         private void setFieldF() { fieldF = 1000F; }
         public float fieldF;
         // int
         private void setFieldI() { fieldI = 1000; }
         public int fieldI;
     Force Int or Float into a field: IDA Arm
     Get your field offset from your generated dump.cs from Il2CppDumper by Perfare.
         // float field
         MOVW R1, #0
         MOVT R1, #0x447A      ; R1 = 0x447A0000 = 1000f
         STR R1, [R0,#0x10]    ; replace "0x10" with your field offset inside of dump.cs
         BX LR
         hex -> 00 10 00 E3 7A 14 44 E3 10 10 80 E5 1E FF 2F E1
         // int field
         MOV R1, #1000
         STR R1, [R0,#0x14]    ; replace "0x14" with your field offset inside of dump.cs
         BX LR
         hex -> FA 1F A0 E3 14 10 80 E5 1E FF 2F E1

     Force Return with Parameters: C#
         // 1 Parameter
         private string Param1(string one) { return one; }
         // 2 Parameters
         private int Param2(int one, int two) { return two; }
         // 3 Parameters
         private int Param3(float one, float two, float three) { return three; }
     Force Return with Parameters: IDA Arm
     It does not matter if the function is string, int, or float; if the function is the same type as the parameter then it will be the same ARM code regardless.
         // 1 Parameter
         MOV R0, R1
         BX LR
         hex -> 01 00 A0 E1 1E FF 2F E1
         // 2 Parameters
         MOV R0, R2
         BX LR
         hex -> 02 00 A0 E1 1E FF 2F E1
         // 3 Parameters
         MOV R0, R3
         BX LR
         hex -> 03 00 A0 E1 1E FF 2F E1
         // if the function has more than 3 parameters then replace the second "R" with said parameter number
         Example: 7 Parameters
         MOV R0, R7
         BX LR
         hex -> 07 00 A0 E1 1E FF 2F E1
         Example: 5 Parameters
         MOV R0, R5
         BX LR
         hex -> 05 00 A0 E1 1E FF 2F E1

     Force end an IEnumerator/IEnumerable: C#
         private IEnumerator setYieldEnumerator() { yield break; }
         private IEnumerable setYieldEnumerable() { yield break; }
     Force end an IEnumerator/IEnumerable: IDA Arm
     Using BX LR to end an IEnumerator or IEnumerable is wrong.
     Go to dump.cs and find the IEnumerator or IEnumerable function. Say for example dump.cs says this:
         private IEnumerator setYieldEnumerator(); // 0xOFFSET
     or
         private IEnumerable setYieldEnumerable(); // 0xOFFSET
     Find the "sealed class" that has the function name in the class name. Example:
         // Namespace:
         private sealed class <setYieldEnumerator>c__Iterator0 : IEnumerator, IDisposable, IEnumerator`1<object> // TypeDefIndex: 1446
         {
             // Fields
             internal object $current; // 0x8
             internal bool $disposing; // 0xC
             internal int $PC; // 0x10
             // Methods
             public void .ctor(); // 0xOFFSET
             public bool MoveNext(); // 0xOFFSET
             private object System.Collections.Generic.IEnumerator<object>.get_Current(); // 0xOFFSET
             private object System.Collections.IEnumerator.get_Current(); // 0xOFFSET
             public void Dispose(); // 0xOFFSET
             public void Reset(); // 0xOFFSET
         }
         // Namespace:
         private sealed class <setYieldEnumerable>c__Iterator1 : IEnumerable, IEnumerable`1<object>, IEnumerator, IDisposable, IEnumerator`1<object> // TypeDefIndex: 1447
         {
             // Fields
             internal object $current; // 0x8
             internal bool $disposing; // 0xC
             internal int $PC; // 0x10
             // Methods
             public void .ctor(); // 0xOFFSET
             public bool MoveNext(); // 0xOFFSET
             private object System.Collections.Generic.IEnumerator<object>.get_Current(); // 0xOFFSET
             private object System.Collections.IEnumerator.get_Current(); // 0xOFFSET
             public void Dispose(); // 0xOFFSET
             public void Reset(); // 0xOFFSET
             private IEnumerator System.Collections.IEnumerable.GetEnumerator(); // 0xOFFSET
             private IEnumerator`1<object> System.Collections.Generic.IEnumerable<object>.GetEnumerator(); // 0xOFFSET
         }
     Go to the offset of MoveNext():
         public bool MoveNext(); // 0xOFFSET
     and write this in the hex editor:
         MOV R1, #0xFFFFFFFF
         STR R1, [R0,#0x10]    ; $PC = -1 (iterator finished)
         MOV R0, #0            ; MoveNext() returns false
         BX LR
         hex -> 00 10 E0 E3 10 10 80 E5 00 00 A0 E3 1E FF 2F E1
         // same hex for both IEnumerator and IEnumerable

     Credits
     @Jbro129 for the tutorial
     Perfare for Il2CppDumper
     Kienn, @Valeschi, @Earthiest and @DiDA for Armconverter.com
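The conversions in posts 9 and 18 above all come down to three steps: encode an ARM32 instruction, take its little-endian bytes, and overwrite those bytes at the function's offset. The following is an added example (not Jbro129's code, and not part of Armconverter or Il2CppDumper) that does those steps in Python so the hex strings can be generated and checked instead of copied by hand. It assumes the armeabi-v7a softfp convention that a float return value travels in R0, and it patches a constructed in-memory stand-in for libil2cpp.so rather than a real library. The `apply_patch` helper also refuses to grow the image and can check the original bytes first, which catches the insert-instead-of-overwrite and wrong-offset mistakes mentioned in posts 4 and 15.

```python
"""Added example: encode the ARM32 instructions used in the patch tutorials above
and overwrite them at an offset in a library image. Not the original poster's code."""
import struct


def _le(word):
    """Little-endian bytes of one 32-bit ARM instruction, as a hex editor shows them."""
    return struct.pack("<I", word)


def bx_lr():
    return _le(0xE12FFF1E)  # BX LR


def thumb_bx_lr():
    return b"\x70\x47"  # BX LR, 16-bit Thumb encoding


def mov_reg(rd, rm):
    return _le(0xE1A00000 | (rd << 12) | rm)  # MOV Rd, Rm


def _rotated_imm(value):
    """ARM 'modified immediate': 8-bit value rotated right by an even amount.
    Returns the 12-bit field (rot<<8 | imm8), or None if value is not encodable."""
    for rot in range(16):
        s = 2 * rot
        v = ((value << s) | (value >> (32 - s))) & 0xFFFFFFFF  # rotate left by s
        if v < 256:
            return (rot << 8) | v
    return None


def movw(rd, imm16):
    return _le(0xE3000000 | ((imm16 >> 12) << 16) | (rd << 12) | (imm16 & 0xFFF))


def movt(rd, imm16):
    return _le(0xE3400000 | ((imm16 >> 12) << 16) | (rd << 12) | (imm16 & 0xFFF))


def mov_imm(rd, value):
    """MOV Rd, #imm: rotated form (E3A0....) when it fits, otherwise MOVW (E30.....).
    This is why #1000 assembles to FA 1F A0 E3 but #999 to E7 03 00 E3."""
    enc = _rotated_imm(value)
    if enc is not None:
        return _le(0xE3A00000 | (rd << 12) | enc)
    if value <= 0xFFFF:
        return movw(rd, value)
    raise ValueError("use load_u32() for constants wider than 16 bits")


def mvn_imm(rd, value):
    return _le(0xE3E00000 | (rd << 12) | _rotated_imm(value))  # MVN Rd, #imm


def str_imm(rt, rn, offset):
    return _le(0xE5800000 | (rn << 16) | (rt << 12) | offset)  # STR Rt, [Rn, #offset]


def float_bits(f):
    """IEEE-754 single-precision bit pattern, e.g. 1000.0 -> 0x447A0000."""
    return struct.unpack("<I", struct.pack("<f", f))[0]


def load_u32(rd, value):
    """Full 32-bit constant: MOVW fills the low half, MOVT the high half."""
    return movw(rd, value & 0xFFFF) + movt(rd, value >> 16)


def return_float(value):
    """Replacement body for a float getter (softfp: the float's bits are returned in R0)."""
    return load_u32(0, float_bits(value)) + bx_lr()


def set_field(offset, value):
    """Replacement body for a setter: store an int or float into this->field at `offset`
    (R0 holds `this` for an instance method; the offset comes from dump.cs)."""
    bits = float_bits(value) if isinstance(value, float) else value & 0xFFFFFFFF
    load = mov_imm(1, bits) if (_rotated_imm(bits) is not None or bits <= 0xFFFF) else load_u32(1, bits)
    return load + str_imm(1, 0, offset) + bx_lr()


def apply_patch(image, offset, patch, expect=None):
    """Overwrite `patch` at `offset` in a bytes image; never inserts.
    `expect` is optional: the original bytes at that offset (e.g. the function
    prologue), so a patch aimed at the wrong lib version is refused."""
    if offset + len(patch) > len(image):
        raise ValueError("patch runs past the end of the image")
    if expect is not None and image[offset:offset + len(expect)] != expect:
        raise ValueError("bytes at offset do not match; wrong offset or lib version")
    out = image[:offset] + patch + image[offset + len(patch):]
    assert len(out) == len(image), "an overwrite must not change the file size"
    return out


def hexdump(b):
    return " ".join(f"{x:02X}" for x in b)


if __name__ == "__main__":
    # Constructed stand-in for libil2cpp.so: zeros with a PUSH {R4-R7,LR} prologue at 0x1000.
    prologue = bytes.fromhex("F0402DE9")
    fake_lib = bytes(0x1000) + prologue + bytes(0x100)
    patch = return_float(1000.0)
    print("Force Float 1000f:", hexdump(patch))
    patched = apply_patch(fake_lib, 0x1000, patch, expect=prologue)
    print("bytes now at 0x1000:", hexdump(patched[0x1000:0x1000 + len(patch)]))
```

To use it against a real library, read the .so into `bytes`, pass the file offset from dump.cs and the expected prologue bytes to `apply_patch`, and write the returned image back; the length assertion guarantees the result is a true overwrite.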
  19. Making an il2cpp mod menu is in general a pain to make from the ground up. I know how and I will release a template at some point.
  20. Check ids.xml and public.xml in res/values and look on line 296 in ids.xml and line 2026 in public.xml (The lines for each file is said in the apktool error pic you provided)
  21. I am the type of person who cannot have a phone unrooted or not jailbroken.
  22. You fixed it, but the game loads up then crashes shortly after even when no patches are applied. https://drive.google.com/file/d/1t5sy3fqpHSgcNjgmGNxR7Uhi44hWMDlK/view?usp=sharing

     #import "writeData.h"
     #import <Foundation/Foundation.h>
     #import <UIKit/UIKit.h>
     #import <substrate.h>

     #define PLIST_PATH @"/var/mobile/Library/Preferences/com.jbro129.terrariamod.plist"

     inline bool GetPrefBool(NSString *key) {
         return [[[NSDictionary dictionaryWithContentsOfFile:PLIST_PATH] valueForKey:key] boolValue];
     }

     %ctor {
         if (GetPrefBool(@"dev")) {
             writeData(0x0, 0x0);
         } else {
             writeData(0x0, 0x0);
         }
         if (GetPrefBool(@"craft")) {
             writeData(0x, 0x0);
             writeData(0x, 0x0);
             writeData(0x, 0x0);
         } else {
             writeData(0x, 0x0);
             writeData(0x, 0x0);
             writeData(0x, 0x0);
         }
         if (GetPrefBool(@"health")) {
             writeData(0x, 0x);
             writeData(0x, 0x);
         } else {
             writeData(0x, 0x);
             writeData(0x, 0x);
         }
         if (GetPrefBool(@"block")) {
             writeData(0x, 0x);
         } else {
             writeData(0x, 0x);
         }
     }

     %hook AppDelegate
     - (BOOL)application:(id)fp8 didFinishLaunchingWithOptions:(id)fp12 {
         UIAlertView *igcredits = [[UIAlertView alloc] initWithTitle:@"Terraria Mod Menu"
                                                             message:@"Mod By Jbro129"
                                                            delegate:self
                                                   cancelButtonTitle:@"Continue"
                                                   otherButtonTitles:@"Subscribe", nil];
         [igcredits show];
         [igcredits release];
         return %orig();
     }

     %new
     - (void)alertView:(UIAlertView *)alertView clickedButtonAtIndex:(NSInteger)buttonIndex {
         NSString *button = [alertView buttonTitleAtIndex:buttonIndex];
         if ([button isEqualToString:@"Subscribe"]) {
             [[UIApplication sharedApplication] openURL:[NSURL URLWithString:@"http://youtube.com/Jbro129"]];
         }
     }
     %end

     I removed the offsets because I just don't like sharing offsets. That Google Drive link is a video I recorded with a display recorder.