-
Posts
565 -
Joined
-
Last visited
Posts posted by ThePianoGuy
-
-
-
I want new iPhone
- 1
-
thanks
-
I want VIP because I want to get HULU account
- 1
-
thank you
-
Nice. That's was what i was looking for
-
On 20/3/2018 at 4:52 AM, Jbro129 said:
Depends
*.so modding or dex modding?
For binary modding CPAD is a good idea.
For dex modding I have a special free software that I found that can protect the dex.
I would like to know the software. PM me
-
-
-
@Kingbuff merry christmas
-
16 hours ago, Ted2 said:
mehh, like the console more
ok let's improve the console version lol
-
Requirements:
- Net Framework 4
- Windows 7 and aboveFeatures:
- Select files
- Rename files
- Set output directory.
- Set mode.
- Set registration offsets
- Auto fill up offset registrations after dump
- Drag and drop support
- Remember everything except registrations
- Logs saves on exit. It saves on your documents if tool is located in C drive.
- Works as same as original Il2CppDumperDownload:
MediafireHow to use:
This works as same as original Il2CppDumper but with more advanced features.Open .apk (Android) or .ipa (iOS) using 7-zip or Winrar.
Extract libil2cpp.so file from ARM or x86 folder (Android) or extract binary file that does not have a file extension (iOS)
Extract global-metadata.dat from \Data\Managed\Metadata\
Select binary file (.so file or iOS binary) and global-metadata.dat file.
Set your output directory
Rename the files if you want
Select your mode. If manual set, you need to imput offsets you found in the binary file.
Press start when you are ready
Credits:
Perfare Il2CppDumper
AndnixSH (GUI)- 6
- 2
-
updated to 1.41
-
-
51 minutes ago, QuasaR said:
Ok, but code injection mostly assumes it's a mov /add instruction and about R registers, not W or X and not an STR instructionlike in the following example (set_water)
The set_water is called from the following code:
Sorry but I'm not familiar with code injection. Please create a new thread to ask question. Thank you
-
19 hours ago, QuasaR said:
First of all, thank you very very much for this tutorial.
I was wondering if you have an example Tweak.xm for a game with how to hook the class functions.I have found the following info for the game I am trying to 'hack'
What I want is to display the current value (so I know I am in the right place) and then hook the set_ functions to set a new value.
I am hoping you can help me.
If you need more info please let me know[edit]
In my search of more tools I stumbled across something interesting.
https://github.com/nevermoe/unity_metadata_loader
This little tool lets you add the strings from the global*.dat file directly into IDA which makes searching easiere
If there is no class names in ida, you can't hook the class function. do code injection instead.
There are lot of tutorials in iosgods. Just search and search
Nevermoe's loader is unstable
-
On 24/9/2017 at 10:50 PM, oZarmo said:
how do you go about hacking a "IEnumerator"
Why do you want to hack IEnumerator? I don't think it's useful
-
thanks
-
As requested, here is the tutorial how to dump il2cpp of iOS Unity games. With Il2CppDumper, it will be much easier to find useful functions and offsets to hack. No need to waste your time debugging the game.
Requirements:
- ARM/ASM knowledge
- IDA hacking experience
- IDA Pro. Download link
- Notepad++. Download link
- Il2CppDumper (Windows). Download link
- Clutch or Rasticrac for jailbroken devices or visit appvn.com to download latest cracked free games
- Winrar or 7-zip to open .ipa file
Instructions:
Download Il2CppDumper released version by Perfare and extract the program
To open .ipa file, simply rename file extension to .zip and open it
If you are using 7-zip, right click -> 7-zip -> Open Archive to open .ipa file directly
Navigate to \Payload\<app or game name>.app\ and extract the big binary file that doesn't have file extension
Navigate to \Payload\iosfps.app\Data\Managed\Metadata\ and extract global-metadata.dat
32-bit:
Press 1 for 32-bit and press 2 for auto. Please use Auto mode to get the program to find offsets and dump code for you because looking for 2 required pointers (CodeRegistration and MetadataRegistration) in IDA Pro to dump is too complicated and Unity already stripped all names of functions which means it will be harder to find,
As you used auto mode, the program will tell the pointers, but you do not need to know it if you have no idea what it is.
Skip 64-bit steps if you are working with 32-bit
64-bit:
Auto mode does not work on 64-bit binary yet. Here is dev's response
"I have to say, these same questions will make me feel that adding auto feature is a bad decision
We have to find 2 required offsets (CodeRegistration and MetadataRegistration) in IDA to dump. Open IDA Pro 64-bit (idaq64.exe), and disassemble the binary in 64-bit. Search function name InitFunc_1.
Above InitFunc_1, there is sub function that contains 2 pointers we need.
sub_100C46D8C ; DATA XREF: InitFunc_1+8o
ADRP X0, #unk_101D48FE8@PAGE
ADD X0, X0, #unk_101D48FE8@PAGEOFF
ADRP X1, #dword_101D948C8@PAGE
In Il2CppDumper, Press 2 for 64-bit and Press 1 for manual. Input your pointers:
Input CodeRegistration(X0): your first pointer
Input MetadataRegistration(X1): your second pointer
The dump.cs file should be created at the location where Il2CppDumper.exe is located
Open dump.cs with Notepad++ by right click and select Edit with Notepad++
Inside dump.cs, you'll see C# codes. Method bodies are not dumped but it's a very simple code that tells you function names and offsets to mod.
launch Il2CppDumper.exe. It will open the dialog twice to select file. For ELF file or Mach-O file, select the binary file. For global-metadata.dat, select global-metadata.dat
It will ask you to select platform, 32-bit or 64-bit. Press 1 for 32-bit or press 2 for 64-bit. Now for Mode, Press 1 for manual and press 2 for auto. Please use Auto mode to get the program to find offsets and dump code for you because looking for 2 required offsets (CodeRegistration and MetadataRegistration) in IDA Pro to dump is too complicated and Unity already stripped all names of functions which means it will be harder to find, and I haven't find out where to find 2 offsets in 64-bit binary yet. As you used auto mode, the program will tell the offsets, but you do not need to know it if you have no idea what it is.
The dump.cs file should be created at the location where Il2CppDumper.exe is located
Open dump.cs with Notepad++ by right click and select Edit with Notepad++
Inside dump.cs, you'll see C# codes. Method bodies are not dumped but it's a very simple code that tells you function names and offsets to mod.
To search, click Search -> Find...
To find all keyword, click on Find All in Current Document
If you never seen C# code before, I'll explain a bit what the codes mean. I'm bad at explaining what these code means but I hope it goes well
This comment you see on top is just a list .dll files that are been converted into il2cpp
// Image 0: mscorlib.dll - 0
// Image 1: System.Security.dll - xxxx
…
// Image xx: Assembly-CSharp.dll - xxxx
The Assembly-CSharp.dll (Android users know this) is a game logic thing and it is what we looking for. The full code of "Assembly-CSharp.dll" thingy is always located somewhere at the bottom of the dumped file
This class body is like a group to make programmers easier to find codes. For example PlayerAntiHack class contains anti-hack code related.
// Namespace:
public class PlayerScript : MonoBehaviour // TypeDefIndex: 4303
{
}
In IDA you'll probarly see function names like
Player::Get_Gold…
Player::Get_Cash…
Player::Isbanned…
….
I'll bring this better details for you:
A class is a construct that enables you to create your own custom types by grouping together variables of other types, methods and events. A class is like a blueprint. It defines the data and behavior of a type. ... Unlike structs, classes support inheritance, a fundamental characteristic of object-oriented programming.
In the class, you'll see something like this:
// Fields
private int primaryWeaponIndex; // 0x10
private float minSpread; // 0x820
private float spread; // 0x824
private float visualSpread; // 0x828
….
Fields is not what we looking for so let's look into Methods.
// Methods
private int findNextAvailableWeapon(int currentWeaponIndex); // 1e704c
private bool IsLookingAtPlayer(PlayerScript player); // 1f3894
public bool HasBeenVisible(); // 1f2fa0
….
public int get_Gold_Example(); // 1a2b3c
public float float_example(); // 1a2b3d
….
This is what we looking for. These simple codes explains the name of the methods/functions, what type and the REAL IDA OFFSETS are written in the green commenented text.
public, private, protected etc, are access modifier. It's not important to know
static is a static modified to declare a static member. It's not important to know
int, float, double, boolean etc are data type.
If you look up the offset in IDA, you will see a sub_xxxxxx
Write down all useful functions + offsets you found inside the dumped .cs file and start writing your code injection.
Note: It is suggested that you disassemble the binary file and look up the offsets to see if there are enough spaces to replace the instructions to hack.
That's all. Good luck hacking iOS games!
Credits:
AndnixSH#
Perfare (Il2CppDumper https://github.com/Perfare/Il2CppDumper)
If you have any issues with Il2CppDumper, please report the issue at: https://github.com/Perfare/Il2CppDumper/issues/
- 11
- 2
- 1
- 2
-
My iPad 2 running 9.3.5, respring/crash when I do
./Clutch2 -b
or
./Clutch2 -d
How do i do? I have new iPad but it's not possible to jailbreak. Rasticrac does not work for me
-
Updated to 1.38
-
1 minute ago, TheArmKing said:
I'll bring this to you
Using Android Emulator?
Termux and GDB fully support x86, but Termux will not work on Kitkat 4.4.4 and below due to system limitation, so you have to use the following emulator that have Lollipop 5.0 ROM and above...
-
8 minutes ago, TheArmKing said:
WHat if you use nox ?
Read the guide. You are not blind
Only ask if you tried it or got stuck
- 1
-
I have found a new way to decrypt .dll and other files using Termux. In this tutorial, I'll show you how to decrypt an encrypted .dll file
Requirements:
- Rooted device or Emulator. ARM or x86.
- A powerful Android device: 1 GB RAM, 4 cores, 1.5 - 2.x GHz. If you have a low-end device, your device may freeze during dumping.
- Available free space of Internal storage or Sdcard: 2 GB
- Requires Android 5.0 and up. Works on Marshmallow 6.0.1. Termux will not work on 4.4.4 and below.
- Termux app. It is avaliable on Play Store
- Modified Winhex for Windows (free version will not work for this purpose).
Hidden Content
React or reply to this topic to see the hidden content & download link.Notes:
There is no need PIE patching. gdb 7.12 natively support Android 5.0 and upIf your device is running Kitkat 4.4.4 and below, please read my old tutorial:
Using Android Emulator?
Sorry, gdb gcore doesn't work with x86.Finding the package name of the app:
Find the package name of the app you're going to hack!
This will be required to find the app in the Terminal app we're going to use soon.
It's usually called "com.DEVELOPER_CODE.GAME_CODE".
You can find it going (with your browser) to the Google Play website, looking for the game you have installed on your device and then copying what's next to "id=".See screenshot:
Alternatively, you can Install Package Name Viewer 2.0 from play store and you'll find the package name of any app you have installed on your device.
If your device is running Cyanogenmod/Lineage OS, you can go to Settings -> Apps and then you'll find the package name of any app you have installed on your device.
Termux setup and decryption:
Open Termux. It should be very similar to the following one:
Type the following commands:apt update
Update package infomation
apt-get update downloads the package lists from the repositories and "updates" them to get information on the newest versions of packages and their dependencies.apt install gdb tsu
Install both gdb and tsu
gdb is a process debugger
tsu is a root mode for Termux.Press the home button and launch the game. Let the game fully load.
Open multitask, and go back to Termux
Type the following commands:
su
Enter Superuser mode
Grant root access to enter superuser mode for your device when asked.dumpsys meminfo | grep com*
Show process listThis command will search for all the running processes starting with "com." (the * is a jolly symbol which means any letter/number/symbol). The package name of the game is always at top. Don't forget to write it down
exit
Exit Superuser modetsu
Enter root mode for Termuxgdb -pid <pid>
attach a process with gdb
Example:gdb -pid 12345
Hit return to continue when asked.
Do not worry about any warnings like these you may read in the Terminal app:
gcore <path>
save core fileExample:
gcore /sdcard/thegametodump
Type Y when asked
This will take 3-5 minutes. You device may freeze during dumping. Do not touch your device.
quit
quit gdb
And deattach the process when askedOr you can exit Termux session from notification
Connect your device to your computer and copy your dumped file, if the file does not appear, just create a folder and move the file. This way Windows should be able to see itRecover decrypted files using WinHex:
Open Winhex.exeFile -> Open... and select a dumped file
Tools -> Disk Tools -> File Recovery by Type
Click the "+" next to "Programs" (1) and check "Windows exec." (2). Now, select the folder where you want the new file to be generated under "Output Folder" (3).
Ensure "Complere byte-level search" is checked (4) and then click "OK" (5).
The file recover will now begin and, when it finished you'll get a message like this:
Now, reach the location where you saved this file and delete all files with the ".com" extension. They're not needed and may only cause confusion.
You can finally close WinHex.
Happy modding!
Credits:
AndnixSH
x-ways devs (Winhex program)
Fredrik (Termux app)- 15
- 1
- 5
- 1
- 3
- 2
arm64 contra return /魂斗罗-归来/ hack +3 god mod / damage /firespeed
in Coding Center
Posted
nice