Everything posted by ThePianoGuy
Hello dear community,

Today I will teach you how to mod x86 libs. x86 is not that hard to understand because the instructions are almost the same as ARM. In this tutorial I mod the game called The Sandbox 2. You don't really need to mod x86 at all, since I have never heard of any problem with ARM translating to x86, and it's too hard to change instructions without code caving. I just wanted to make a tutorial, lol. Now let's start modding.

In this tutorial I'll show you how to mod The Sandbox Evolution very easily on x86.

First of all, you need IDA Pro and Hex Workshop installed on your computer. If you already have them installed, go to the next step.

1. Open the APK file with WinRAR and extract the lib folder (in case you want to mod both x86 and ARM).
2. Open the x86 .so file in IDA. You will see a dialog box similar to the following. For x86 you don't need to change anything; MetaPC is fine. Click OK to disassemble the lib file and let it fully load.
3. After that, press CTRL + F, search for "isElementUnlocked" and double click the function to open it.
4. Remember the offset (9869E0) of the first instruction; we need it later. Note: the offset will change with each update.
5. Open Hex Workshop or another hex editing program and search for the offset. I'm using Hex Workshop. Here is the offset of isElementUnlocked.
6. The function isElementUnlocked is a boolean function, which means it can return true or false. If you want to unlock everything, replace it with b8 01 00 00 00 c3, which will return true.
   True is: b8 01 00 00 00 (mov eax, 1)
   False is: b8 00 00 00 00 (mov eax, 0)
   And return is: c3 (retn)
   When you open the modded .so file in IDA, your modded instruction will look like this. Isn't that easy?

You can also do the same on hasBoughtPromoPack to unlock premium. If you want to hack mana to something like 9999999, search for getManaBalance and giveMana and replace them with any values you want:
   b8 7f 96 98 00 (mov eax, 9999999)
   c3 (ret)
You can use an online x86 assembler to get the raw hex: https://defuse.ca/online-x86-assembler.htm#disassembly

7. Open the APK with WinRAR and replace the modded .so file. Re-sign the APK, install it and run the game.

Credits: AndnixSH
Tutorial updated (May 2018)
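As an added example (editor's code, not part of AndnixSH's post): the hex-editor patch from the tutorial written as a script. mov_eax_ret() builds the 6-byte `mov eax, imm32 ; ret` stub, va_to_file_offset() turns the address IDA shows into a file offset using the ELF32 program headers (the post searches the IDA address directly in the hex editor, which works when the library's first PT_LOAD maps file offset 0 at virtual address 0, as most Android .so files do), and patch_function() applies the stub with a bounds check and returns the original bytes for a backup. The function names are the editor's, and build_sample_elf32() constructs a minimal fake ELF for the demonstration; no bytes from the game library are included.

```python
import struct

# Added example, not from the original post: encode the `mov eax, imm32 ; ret`
# stub, map an IDA virtual address to an ELF32 file offset, and apply the patch.

PT_LOAD = 1


def mov_eax_ret(value: int) -> bytes:
    """Encode `mov eax, imm32` (B8 + little-endian imm32) followed by `ret` (C3)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("imm32 out of range")
    return b"\xB8" + struct.pack("<I", value) + b"\xC3"


def va_to_file_offset(elf: bytes, va: int) -> int:
    """Map a virtual address shown by IDA to an offset in the ELF32 file.

    Walks the program headers and uses the PT_LOAD segment containing `va`.
    When the first PT_LOAD has p_vaddr == p_offset == 0, the result equals the
    address itself, which is why searching the IDA address in a hex editor works.
    """
    if elf[:4] != b"\x7fELF" or elf[4] != 1:  # EI_CLASS must be ELFCLASS32
        raise ValueError("not an ELF32 file")
    e_phoff = struct.unpack_from("<I", elf, 0x1C)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x2A)
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
            "<IIIII", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_vaddr <= va < p_vaddr + p_filesz:
            return va - p_vaddr + p_offset
    raise ValueError("va 0x%x is not inside any PT_LOAD segment" % va)


def patch_function(elf: bytearray, va: int, stub: bytes) -> bytes:
    """Overwrite the start of the function at `va` with `stub` in place.

    Returns the original bytes so the patch can be reverted.
    """
    off = va_to_file_offset(elf, va)
    if off + len(stub) > len(elf):
        raise ValueError("patch runs past end of file")
    original = bytes(elf[off:off + len(stub)])
    elf[off:off + len(stub)] = stub
    return original


def build_sample_elf32(code: bytes, code_va: int = 0x2000, code_off: int = 0x1000) -> bytearray:
    """Construct a minimal ELF32 (constructed test data, not a real library).

    Two PT_LOAD segments: the headers mapped at VA 0 (p_vaddr == p_offset) and
    `code` mapped at `code_va` from file offset `code_off`, so the VA differs
    from the file offset and the translation is exercised.
    """
    e_phoff, e_phentsize, e_phnum = 0x34, 32, 2
    hdr = bytearray(0x34)
    hdr[:4] = b"\x7fELF"
    hdr[4], hdr[5] = 1, 1                                # ELFCLASS32, little-endian
    struct.pack_into("<HHI", hdr, 0x10, 3, 3, 1)         # ET_DYN, EM_386, EV_CURRENT
    struct.pack_into("<I", hdr, 0x1C, e_phoff)
    struct.pack_into("<HHH", hdr, 0x28, 0x34, e_phentsize, e_phnum)
    ph = struct.pack("<IIIIIIII", PT_LOAD, 0, 0, 0, 0x100, 0x100, 4, 0x1000)
    ph += struct.pack("<IIIIIIII", PT_LOAD, code_off, code_va, code_va,
                      len(code), len(code), 5, 0x1000)
    img = bytearray(code_off + len(code))
    img[:len(hdr)] = hdr
    img[e_phoff:e_phoff + len(ph)] = ph
    img[code_off:] = code
    return img


if __name__ == "__main__":
    # Stand-alone demo on the constructed library: a prologue followed by nops.
    lib = build_sample_elf32(bytes.fromhex("5589e5") + b"\x90" * 13)
    saved = patch_function(lib, 0x2000, mov_eax_ret(1))
    print("original:", saved.hex(), "patched:", bytes(lib[0x1000:0x1006]).hex())
```

On a real library, load it with `bytearray(open("libgame.so", "rb").read())`, pass the address IDA shows for the first instruction, write the buffer back, and keep the returned original bytes so the patch can be reverted. The stub overwrites only the first six bytes; the rest of the old function body remains after the ret as unreachable bytes, which is harmless as long as no other code jumps into the middle of that function.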
-
Android Tutorial Dump decrypted DLL file with IDA Pro
ThePianoGuy posted a topic in Android Tutorials
Note: This tutorial was created by xiaobaiyey and written in Chinese. It was poorly translated with Google Translate, but I have fixed some grammar to make it easier to understand.

Previously I read an article about decrypting an encrypted Unity3D DLL by hooking. I recently got into dynamic debugging, so I tried doing it through IDA, the same way as unpacking: dump the decrypted DLL file. I tried it and it really works, so I am sharing it here.

Requirements:
Tools: IDA 6.6, Xiaomi 2S
Game: Monthly Dragon knife (just find a game)
Enable USB debugging in Developer Options.

Open the lib in IDA: unzip the lib folder from the APK and drag libmono.so into IDA.

The main functions to set breakpoints on (refer to the mono source):
mono_image_open_from_data_full
mono_image_open_from_data
mono_image_open_from_data_with_name
The decryption happens around these functions. Look at the function called right before them, or at mono_image_open_from_data_with_name itself.

Enable Developer Options: if Developer Options does not show up in Settings, follow the steps below.
1. Open Settings > About
2. Tap "Build number" seven times to enable Developer Options.
3. Go back to the Settings menu; you will now see "Developer options" there.
4. Tap it and turn on USB Debugging.

Dynamic debugging: if the app has anti-debugging, you need to bypass it before you can debug. The following is a brief description of the dynamic debugging preparations (there are many dynamic debugging tutorials online).

Get the android_server file from IDA PRO 6.6\ida66\dbgsrv or download the file HERE!
Push android_server to the phone:
1: adb push android_server /data/local/tmp/
2: adb shell
3: cd /data/local/tmp/
4: chmod 777 android_server
5: ./android_server
Port forwarding: adb forward tcp:23946 tcp:23946
Start the app in debug mode: adb shell am start -D -n com.huiguan.qinglong.taiqi.dl/com.huiguan.qlyyd.UnityPlayerNativeActivity
Check the app's PID:
1. adb shell
2. ps | grep dl
Record the PID and forward it (the PID can also be seen in IDA): adb forward tcp:8700 jdwp:PID
Set up IDA (the main setting is hostname: 127.0.0.1) and attach to the process (wait for the program to break automatically). Run the app (F9 in IDA).
Now run the jdb debugger in the cmd window: jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=8700
Now it can be debugged. Running the app will break in the linker.
If the app has no anti-debugging, just press F9 to run. This window appears. Wait a moment and it will break in the linker again; press F9 to continue. If this window appears, select "Yes (pass to app)" without waiting. Many of these windows may appear afterwards; select Yes and then F9 each time.
Finally it breaks in mono_image_open_from_data_with_name. The first load is not the DLL we want, so skip it.
If you can't read the assembly, press F5 to look at the decompiled source code. Here he rewrote the mono source:
int __fastcall mono_image_open_from_data_with_name(int a1, char *haystack, int a3, int a4, char a5, char *haystacka)
Key parameters:
// int a1: address of the DLL file data
// char *haystack: DLL file size
// char *haystacka: file name
At this point, following R1 shows the encrypted DLL file data, which means the DLL has not been decrypted yet; the decryption happens later. Step through and note each register; after a simple loop the DLL is decrypted.
Now the decrypted DLL is in memory and can be dumped. Check the register window: find R6 and R11.
Start address: R6 = 7B95304C
End address: R6 + R11 = 7B95304C + 3AF200 = 7BD0224C
Use the dex dump script:
auto fp, dexAddress;
fp = fopen("D:\\Test.dll", "wb");
for (dexAddress = 0x7B95304C; dexAddress < 0x7BD0224C; dexAddress++)
    fputc(Byte(dexAddress), fp);
Run it and it's done. The result after decryption: the original DLL and the decrypted DLL are attached.
Credit: xiaobaiyey -
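As an added example (editor's code, not part of xiaobaiyey's tutorial): a check to run on the file written by the dump script above before loading it into a decompiler. A dump taken at the wrong address, or before the decryption loop has finished, has no MZ/PE header; a dump that stops too early is shorter than its own section table says; and a file that is not a managed assembly has no CLR runtime header (data directory entry 14). check_managed_dll() reports all three. It assumes the in-memory copy keeps the on-disk file layout, which holds for an image handed to mono_image_open_from_data as raw file bytes. build_sample_managed_pe() constructs a minimal fake PE32 for the demonstration; it is not a real assembly and no game data is included.

```python
import struct

# Added example, not from the original tutorial: sanity-check a memory dump that
# should be a decrypted managed (Mono/.NET) DLL before trying to load it.

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # data directory slot of the CLR header


def check_managed_dll(buf: bytes) -> dict:
    """Parse the DOS/PE headers of `buf` and return key facts about the image.

    Raises ValueError with a diagnostic when the dump does not look like a
    complete managed PE file.
    """
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        raise ValueError("no MZ header: start address is wrong or data is still encrypted")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew=0x%x" % e_lfanew)

    # COFF file header (20 bytes) follows the 4-byte signature.
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x10B:    # PE32: data directories start 96 bytes into the optional header
        dirs = opt + 96
    elif magic == 0x20B:  # PE32+: 112 bytes in
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    clr_rva, clr_size = struct.unpack_from(
        "<II", buf, dirs + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    if clr_rva == 0 or clr_size == 0:
        raise ValueError("no CLR runtime header: not a managed assembly")

    # Section table: the on-disk size is the end of the last raw section.
    # Assumes the dump keeps file layout (raw bytes as given to mono), so
    # PointerToRawData is meaningful.
    sect = opt + opt_size
    expected_size = 0
    for i in range(nsections):
        _, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", buf, sect + 40 * i)
        expected_size = max(expected_size, raw_ptr + raw_size)
    if len(buf) < expected_size:
        raise ValueError("dump truncated: have 0x%x bytes, sections need 0x%x"
                         % (len(buf), expected_size))
    return {"machine": machine, "sections": nsections, "clr_rva": clr_rva,
            "clr_size": clr_size, "expected_size": expected_size}


def build_sample_managed_pe(clr_rva: int = 0x2008, clr_size: int = 0x48) -> bytes:
    """Construct a minimal PE32 with one section and a CLR directory entry.

    Constructed test data only; headers are valid but the section is empty.
    """
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 224                                    # PE32 optional header, 16 directories
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, clr_rva, clr_size)
    raw_ptr, raw_size = 0x200, 0x200
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x2000, raw_size, raw_ptr,
                       0, 0, 0, 0, 0x60000020)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    img = bytearray(raw_ptr + raw_size)
    img[:len(hdr)] = hdr
    return bytes(img)


if __name__ == "__main__":
    print(check_managed_dll(build_sample_managed_pe()))
```

Run `check_managed_dll(open(r"D:\Test.dll", "rb").read())` on the dumped file; the returned expected_size is also a cross-check on the end address computed from R6 + R11, since a dump shorter than the section table requires is cut off.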
Android Tool APK Easy Tool Windows (GUI apktool)
ThePianoGuy replied to ThePianoGuy's topic in Android Tools
Thanks! I don't know if it is better because I have never tried it before, but the GUI tool is much faster and quicker than the CMD version. I don't include wipe folder functions in my tool for security reasons, but I can include them if many users request it. You can try it; it should be better and faster. If you have any ideas, feel free to request features here. -
iOSGods now supports Android? Oh well, I will share all my tutorials about Android modding soon!
-
Requirements:
Windows 7 or newer (this tool will not work on Windows XP)
.NET Framework 4.5.2 or newer
Java SE/JDK is required to decompile, compile and sign APKs. If you don't have Java installed, you can only use Zipalign or Install APK. Download and install Java SE/JDK now.

Features:
7z compression level 0-9
APK information with icon via aapt dump badging
Background workers to get rid of lag
Remember window position (SHIFT + Q to reset window position)
Advanced log viewer with .txt file selection
Extract APK / Zip APK
Switch between apksigner.jar by Google and signapk.jar by bootstraponline
Quick help
Full environment path support
ADB process kill
Apktool.jar version selection
Decompile APK
Compile APK
Sign APK after compile
Sign selected APK (it will clone the selected APK and sign it)
Sign compiled APK (if you forgot to sign your compiled APK, you can sign it)
SignAPK (signapk.jar v1.0)
Remember paths when closed (config will reset if the EXE file is moved somewhere else)
Framework installer (uses apktool.jar's commands)
Logs tab
Drag and drop file support
Full options for decompile and compile
Cancel button in waiting dialog box
Clear logs on exit
Allow path changes in textbox
Java heap option, default 512m
ZipAlign
Option to rename the APK file
Option to select apktool version
Tooltips
Enable/disable check for updates
Enable/disable tips and tooltips
and more...

How to use:
Download the .msi or zip file. If you download the .msi, open it and simply install it. If you download the portable .zip version, extract it to the portable drive you like.
Launch APK Easy Tool; directories are set automatically.
Select the APK file you want to work with, or drop the APK to perform an action.
Do some work and good luck.
You do not need to select an APK and set the directory if you use drag and drop actions.
Frameworks are for ROM developers and system app modders only. It works the same way as the command line version.

Download links: Dropbox link, Mediafire link, Android File Host link, Baidu link (for people who live in China and can't access any of the other websites above)

Credits: Evildog1 (creator of this tool), ibotpeaches (creator of apktool.jar), Google (adb, aapt, apksigner and zipalign), bootstraponline (signapk), Igor Pavlov (7zip)

Changelogs:
1.41 (2017-12-01)
- Added News tab. It requires an internet connection
- Added options to change the path of the signing keys .pem and .pk8
- Added donation button
- Added full APK information
- Added options to select your own .pk8 and .pem file for signing
- Improved apktool version check
- Fixed wrong directory when the program auto-creates them
- Removed changelogs from the tool. You can see them in News and online
- Removed WS_EX_COMPOSITED to get rid of some UI glitches. Weird UI drawing may occur, but it looks cool to me :)
- Changed transparent BackColor to white to improve UI performance a bit
- .NET framework target is 4.6
- Some UI changes
- Some fixes
Full changelogs
Screenshots:
-
Clash of Clans Bot 30-Day Code Giveaway ($40 value)
ThePianoGuy replied to Ky1e's topic in Community Giveaways
I want this -
[1x] Overwatch Account Giveaway! ~~~ Real ~~~
ThePianoGuy replied to Crypto's topic in Community Giveaways
Damn, I'm late -
Clash of Clans Bot 30-Day Code Giveaway ($40 value)
ThePianoGuy replied to Ky1e's topic in Community Giveaways
I'm in -
You mean that I should try asking Siri for that?
-
Keep hacking. Gameloft already ruined MC5 by making it free and adding limitations and annoying ads.
-
I know Apple stopped signing iOS 9.1. My iPad 2 is running iOS 8.3, so is it possible to upgrade my iPad 2 from iOS 8.3 to 9.1?
-
[CONTEST]Try and win a free copy of the Modern Combat 5 hack!
ThePianoGuy replied to a topic in Community Giveaways
The free-to-play version of MC5 sucks and ruined the game, so I want this hack -
Any steam game you can find worth 30€ [GA By Myself]
ThePianoGuy replied to Kesi's topic in Community Giveaways
OK. Too many good games cost more than 30, so I would like to win Counter-Strike: Global Offensive -
Thanks. I want this
-
I am giving away tidal account [premium] 30 days [close]
ThePianoGuy replied to STRINGCEIL's topic in Community Giveaways
Yeah -
Any steam game you can find worth 30€ [GA By Myself]
ThePianoGuy replied to Kesi's topic in Community Giveaways
I wanna win big games like CoD, not small indie games or some ship war crap game. -
5 iTunes songs of your choice giveaway
ThePianoGuy replied to AlephDegree's topic in Community Giveaways
I'm in -
Grammarly premium giveaway *Lifetime Premium*
ThePianoGuy replied to 2nDimension's topic in Community Giveaways
I want to have this to improve my English -
Guide How to access iOSGods.com when Leecher's tweaks were installed
ThePianoGuy replied to DeathScripts's topic in Tutorials
Didn't iOSGods make a deb file that blocks iOSleecher first? Just asking -
Clan level 5 giveaway in clash of clans
ThePianoGuy replied to Infamous-Ash's topic in Community Giveaways
3 of my accounts got banned, so I want one -
General Touch ID can register more fingerprints in one ID...
ThePianoGuy posted a topic in General Talk
I was bored... I wondered what would happen if I placed other fingers on the home button while setting up Touch ID, so yeah... I just tried it, and it seems to work perfectly without creating more IDs! What I did was place the thumb first, then the index finger, middle finger, ring finger, thumb, index finger, middle finger, ring finger, and repeat and repeat until the setup is finished. If it undoes the fingerprint, place the same finger again until the device gets it. I skipped the pinky because Touch ID failed to register it during setup. Video proof coming soon. Has anyone ever tried that? -
Help/Support iPad 4 (Wi-Fi + Cellular) 9.3.1 locked iCloud
ThePianoGuy posted a topic in Help & Support
Hi, at our school we have found an iPad 4 that has not been used for almost 2 years. It had been updated to 9.3.1, because I requested to update all iPads at once via MDM (Mobile Device Management). They all forgot who the owner was and who logged in with their iCloud account. What do we do now? The warranty has expired. A teacher told me to try to hack/jailbreak into it, but that's not possible on iOS 9.3.1 without a NAND exploit (a NAND exploit that would let me install a CFW).