marc726

I will! I don’t think im at a level where this is possible for me at the moment. Ill have to come back to this at another time when im more experienced.

Hi @Zahir could this be updated for 7.8.1? thank you!

ty

ty

ty

I've sat here looking at the screen trying to look at call trees for every function trying to find a solution. All I know is that the LIAPP function is not called by anything that the disassembler has found. fb_is_jailbroken shows as the only function in Frida that is triggered. Tried to trace the function but nada. I feel like DNSpy is giving a hint it involves public class TitleScene, however everything is obfuscated. I do not have enough experience to be trying my hand at this unfortunately.

Hi @Saitama would you mind updating for 7.8.0? Thank you. I've tried for over a week to understand. Made progress but every time I think I get the address for LIAPP it still gives me an error. 😪

Random Dice Defense

This is the message I get. I search for instances of "JP1" "Appguard" "shut down" "security policy" but no results except irrelevant results for the last two.

I'm so sorry I didn't see your reply! I tried to change address 006add08 to: mov x30,#0x0 ret since the complier showed no arguments for the ret function at 006add0c, I assume it returns the register at x30. As told here https://developer.arm.com/documentation/dui0802/a/A64-General-Instructions/RET I am still met with the LIAPP screen after about 15 seconds. I agree with the CheatDetection class and I'm going to eliminate any chance DNSpy can show me the answer. Also the game is Random Dice Defense.

Yea, NOP RET all functions in that class still gets LIAPP called on me. I'm honestly stumped. I'm guessing the check lies in the UnityFramework file somewhere. Frida points to fb_is_jailbroken C:\Users\%%%%\AppData\Local\Programs\Python\Python311\Scripts>frida-trace -U -i "*jail*" -n "Random Dice" Instrumenting... fb_is_jailbroken: Loaded handler at "C:\\Users\\%%%%\\AppData\\Local\\Programs\\Python\\Python311\\Scripts\\__handlers__\\UnityFramework\\fb_is_jailbroken.js" _Z24replaced_jailbreakStatusP11objc_objectP13objc_selectori: Loaded handler at "C:\\Users\\%%%%%\\AppData\\Local\\Programs\\Python\\Python311\\Scripts\\__handlers__\\zzzzzLiberty.dylib\\_Z24replaced_jailbreakStatusP11o_658fd25a.js" Started tracing 2 functions. Press Ctrl+C to stop. Process terminated and Ghidra shows ************************************************************** * FUNCTION * ************************************************************** bool __cdecl _fb_is_jailbroken(ID param_1, SEL param_2) bool w0:4 <RETURN> ID x0:8 param_1 SEL x1:8 param_2 undefined8 Stack[-0x10]:8 local_10 XREF[2]: 006adce8(W), 006add08(*) _fb_is_jailbroken XREF[2]: Entry Point(*), isJailBrokenDevice:005966fc(T), isJailBrokenDevice:005966fc(j) 006adce8 fd 7b bf a9 stp x29,x30,[sp, #local_10]! 006adcec fd 03 00 91 mov x29,sp 006adcf0 68 4d 02 d0 adrp x8,0x505b000 006adcf4 08 31 45 f9 ldr x8,[x8, #0xa60]=>DAT_0505ba60 = ?? 006adcf8 1f 05 00 b1 cmn x8,#0x1 006adcfc a1 00 00 54 b.ne LAB_006add10 LAB_006add00 XREF[1]: 006add24(j) 006add00 68 4d 02 d0 adrp x8,0x505b000 006add04 00 61 69 39 ldrb param_1,[x8, #0xa58]=>DAT_0505ba58 = ?? 006add08 fd 7b c1 a8 ldp x29=>local_10,x30,[sp], #0x10 006add0c c0 03 5f d6 ret LAB_006add10 XREF[1]: 006adcfc(j) 006add10 60 4d 02 d0 adrp param_1,0x505b000 006add14 00 80 29 91 add param_1=>DAT_0505ba60,param_1,#0xa60 = ?? 006add18 41 20 02 f0 adrp param_2,0x4ab8000 006add1c 21 40 02 91 add param_2=>PTR_LOOP_04ab8090,param_2,#0x90 = 048a0778 006add20 74 32 e3 94 bl __stubs::_dispatch_once undefined _dispatch_once() 006add24 f7 ff ff 17 b LAB_006add00 Decomplier shows bool _fb_is_jailbroken(ID param_1,SEL param_2) { if (DAT_0505ba60 != -1) { __stubs::_dispatch_once(&DAT_0505ba60,&PTR_LOOP_04ab8090); } return (bool)DAT_0505ba58; } which represents the entire function.

Unfortunately no known public bypass tweaks works at the moment. The only known bypass is on this site but I wanted to try my hand at it. I think I was able to narrow down the function to something called "_fb_is_jailbroken" thanks to Frida. My problem now is looking at the assembly and figuring out what's what, if there are other calls, etc. As for DNSpy, I have the feeling that it's not what I'm looking for. DNSpy does show a class "CheatingDetector" and it does have a function labeled "onDetectedThreatWithLIAPP()" but it doesn't help me outside of that. It's quite the headache for someone who doesn't have experience in assembly or reverse engineering 😪 Here's the list from DNSpy in case you were interested: using System; using Il2CppDummyDll; // Token: 0x02000A35 RID: 2613 [Token(Token = "0x2000A35")] public class CheatingDetector : ManagerSingleton<CheatingDetector> { // Token: 0x06004895 RID: 18581 RVA: 0x00002050 File Offset: 0x00000250 [Token(Token = "0x6004895")] [Address(RVA = "0x1D67DFC", Offset = "0x1D67DFC", VA = "0x1D67DFC", Slot = "10")] protected override void Awake() { } // Token: 0x06004896 RID: 18582 RVA: 0x00002050 File Offset: 0x00000250 [Token(Token = "0x6004896")] [Address(RVA = "0x1D67E50", Offset = "0x1D67E50", VA = "0x1D67E50")] public void onDetectedThreatWithLIAPP() { } // Token: 0x06004897 RID: 18583 RVA: 0x00002050 File Offset: 0x00000250 [Token(Token = "0x6004897")] [Address(RVA = "0x1D67E58", Offset = "0x1D67E58", VA = "0x1D67E58")] public void OnCheaterDetected(int DBBABCBBDCBDBCDDBDDBCCB) { } // Token: 0x06004898 RID: 18584 RVA: 0x00010A10 File Offset: 0x0000EC10 [Token(Token = "0x6004898")] [Address(RVA = "0x1D6808C", Offset = "0x1D6808C", VA = "0x1D6808C")] public ValueTuple<bool, string> CheckCheat() { return default(ValueTuple<bool, string>); } // Token: 0x06004899 RID: 18585 RVA: 0x00002050 File Offset: 0x00000250 [Token(Token = "0x6004899")] [Address(RVA = "0x1D68804", Offset = "0x1D68804", VA = "0x1D68804")] public void SaveChatBlockTime(string ACDABDBDABCCACBABDCDCDC, int BBDBBBDCBBDCCABCAACAABC) { } // Token: 0x0600489A RID: 18586 RVA: 0x00010A28 File Offset: 0x0000EC28 [Token(Token = "0x600489A")] [Address(RVA = "0x1D6839C", Offset = "0x1D6839C", VA = "0x1D6839C")] public ValueTuple<bool, bool> CheckReport(string ACDABDBDABCCACBABDCDCDC) { return default(ValueTuple<bool, bool>); } // Token: 0x0600489B RID: 18587 RVA: 0x00002050 File Offset: 0x00000250 [Token(Token = "0x600489B")] [Address(RVA = "0x1D68970", Offset = "0x1D68970", VA = "0x1D68970")] public CheatingDetector() { } }

Thanks

Hi all. I was wondering what the best way to find and address the AppGuard/LiAPP detection on a certain app. I was using a decompiler on the UnityFramework file and I also tried using DNSpy for the Assembly file. My issue is: 1. I can find a Class for “CheatDetector” in DNSpy using the assembly file that has a method for LIAPP but im not sure how to address it in the Live Offset program. I tried to NOP the offsets of the functions but nada. 2. I can also find instances in the UnityFramework file where it tries to find paths of common jailbroken thing such as Cydia. I'm not understanding which I should be addressing given that both show points of interest for detecting JB. Any help would be appreciated.

Hi@Zahir Would it be possible to get an update to this mod menu? It was updated again to 7.7.11. Sorry for the bother again