
n1ce0n3

Senior Member
  • Posts: 153
  • Joined
  • Last visited
Profile Information

  • iDevice: iPhone X
  • iOS Version: 13.3
  • Jailbroken: Yes
  • Rooted: No
  • Gender: Male

Recent Profile Visitors

4,191 profile views

n1ce0n3's Achievements

  1. Hi there, I'm currently trying to hack a pretty popular game (not going to tell the name of the game, though; it's pretty new and it has around a million downloads on the Play Store).

     1. The game uses Lua, which is packed with some kind of a packer that renamed all the source files into its hashed names. There's a ton of files like that. (pic1, pic2)

     The progress I have so far: the game uses LuaJIT-2.1.0-beta3 on top of Lua 5.1. If I got it right, the game uses a 64-bit compiler, since Lua's header is 1B 4C 4A 02 0A; when I compile a Lua script with a 32-bit version of LuaJIT the header is 1B 4C 4A 02 02, and the 64-bit version gives me 1B 4C 4A 02 0A.

     Okay, so. Each of these files you can see in the screenshot is not just a Lua script. It is a Lua script which is compiled into LuaJIT with its own name; after that the script gets zipped into a hashed name, but it keeps the .lua extension (e.g. config/Team.lua becomes a ZIPped archive "aa/aa70e1b8e38c140d2242f45bb58e2edf.lua"). On top of that the zip archive gets XXTEA encrypted. Oh, forgot to mention that the game is built on the cocos2d engine.

     I've managed to recover all the source files (using a LuaJIT decompiler doesn't give you the exact sources, but at least it gives you a readable file which you can look through and actually figure out what's going on there). The problem is that if I modify a decompiled script and pack it the way it was originally packed, most of the time it fails to work (I think it's because the decompiler doesn't give you the exact source code as it was originally written, since I've tried compiling for all of the architectures available, and most of the time the game either hangs when it gets to read that file, or doesn't load the section that I've modified, like the file is corrupt or something).

     The game loads the cocos2dlua.so library during startup and then unloads the library, so that it doesn't remain in the process's memory.

     As much as I've tried, I couldn't figure out the addresses of the functions I want. Also, the library has no exports; the exports tab in IDA has a single entry, which is ".init_proc". I've located the Lua functions' names in IDA, but since I'm not super confident with IDA, I cannot figure out how I either hook any of these or get their address. They are in the symbols table, but yet again, I have no idea how I can reach them. (pic)

     I've hooked fopen, fred, fwrite, fgets, fread and most of the other relevant native functions, but the most I could've gotten was the file name that gets loaded.

     TL;DR: I've decompiled all of the game's sources (over 10k Lua files), and the only thing that is left to do is to somehow execute luaL_loadstring or luaL_loadfile on my own. I've spent quite some time on that and honestly I am out of ideas on how I can get what I'm trying to. I even tried pattern scanning the binary and all its libraries to get either of the functions, basically any Lua function, with no success so far.

     I'll really appreciate any help I can get at this point. Feel free to reach me via messages so we can get in touch via Discord or any way you'll prefer. Thanks in advance.

     The game's binary is actually a "split installer" as they call it; it has both ARM and x86 libraries within its content (even every Lua script has another version of itself for another architecture). That prevents me from loading the binary manually into the process, since it gives me an error:

     Error: dlopen failed: "/data/local/tmp/libcocos2dlua.so" has unexpected e_machine: 183 (EM_AARCH64)
  2. If ur planning to release anything, feel free to hit me up, I'll share some offsets I'm patching myself when I play this game
  3. It is actually somewhat possible to mess around using their API and the game's dump. Hehe
  4. That depends. If you're using the web dumper, you can disable that in the configuration (https://vimeo.com/659099435). If you're using local binaries, it should be configurable within the config.json.
  5. You can disable DLL building. This way you'll have just dump.cs to navigate, but most of the time it works for me.
  6. Hi there guys, it's been a while since I modded something for iOS, so please let me know what I'm doing wrong here. Below is the top of my Tweak.xm:

     #import "Macros.h"

     /***********************************************************
     INSIDE THE FUNCTION BELOW YOU'LL HAVE TO ADD YOUR SWITCHES!
     ***********************************************************/
     void(*Load)(void *this_)  = (void(*) (void *))getRealOffset("0x101D46508");
     void(*ctor0)(void *this_) = (void(*) (void *))getRealOffset("0x101DFA0B4");
     void(*ctor1)(void *this_) = (void(*) (void *))getRealOffset("0x101D4752C");
     void(*ctor2)(void *this_) = (void(*) (void *))getRealOffset("0x101D475C0");
     void(*ctor3)(void *this_) = (void(*) (void *))getRealOffset("0x10247B024");
     void(*ctor4)(void *this_) = (void(*) (void *))getRealOffset("0x10247B610");
     void(*ctor5)(void *this_) = (void(*) (void *))getRealOffset("0x101B75B94");
     void(*ctor6)(void *this_) = (void(*) (void *))getRealOffset("0x101E26324");
     void(*OnGui)(void *this_) = (void(*) (void *))getRealOffset("0x101D46B6C");

     void (*oldBattle)(void *e);
     void onBattle(void *e){
         if (e != NULL) {
             if ([switches isSwitchOn:NSSENCRYPT("onBattle")]) {
                 ctor0(e);
                 ctor1(e);
                 ctor2(e);
                 ctor3(e);
                 ctor4(e);
                 ctor5(e);
                 ctor6(e);
                 Load(e);
                 OnGui(e);
                 return oldBattle(e);
             } else return oldBattle(e);
         }
     }

     void setup() {
         [switches addSwitch:NSSENCRYPT("onBattle") description:NSSENCRYPT("onBattle") ];
         HOOK(ENCRYPTOFFSET("0x101C6B714"), onBattle, oldBattle);
     }

     I'm not a C guy, so I don't completely understand the 'void(*ctor5)(void *this_) = (void(*) (void *))getRealOffset("0x101B75B94");' structure, but it used to work pretty much like that in the old days.

     The mod menu I'm using is this one: https://github.com/joeyjurjens/iOS-Mod-Menu-Template-for-Theos

     It is mentioned in the repo's readme that:

     A quick note before showing all the switch examples; You can and should encrypt offsets, hexes, c-strings and NSStrings. Below you can find the proper syntax per string-type.
     ENCRYPTOFFSET("0x10047FD90")

     However, the template Tweak.xm doesn't have any HOOKs or any getting of a void from an existing pointer into a variable (not sure if that makes sense).

     Basically, what I'm trying to do is: there is a function, e.g. killAll, with the address 0x1337FFFF, and a Battle Update function at another address. First I need to get the killAll function from an address. Earlier, I would do something like this:

     void(*killAll)(void *instance) = (void (*)(void*))getRealOffset(0x1337FFFF);

     Nowadays, I'm not sure about these things and would love you to help me figure out:
     1. Whether that is going to work or not
     2. Should I do getRealOffset(0x1337FFFF) or getRealOffset(ENCRYPTOFFSET("0x1337FFFF"));
     3. Should I add the ENCRYPTOFFSET part in the HOOK at the very end of my code
     4. Anything else I'm missing or doing wrong.

     Also, according to my logic, the two pieces of code below should give the same result:

     if ([switches isSwitchOn:NSSENCRYPT("onBattle")]) {
         ctor0(e); ctor1(e); ctor2(e); ctor3(e); ctor4(e); ctor5(e); ctor6(e);
         Load(e);
         OnGui(e);
         return oldBattle(e);
     } else return oldBattle(e);
     }

     or

     if ([switches isSwitchOn:NSSENCRYPT("onBattle")]) {
         ctor0(e); ctor1(e); ctor2(e); ctor3(e); ctor4(e); ctor5(e); ctor6(e);
         Load(e);
         OnGui(e);
     }
     return oldBattle(e);
     }

     Just wanted to make sure about the last one too. Thanks in advance
  7. Upd: I was checking the dump from a wrong game, lol
  8. Well, that actually makes some sense, I guess. Thanks for the tip.
  9. I have Crash Reporter which gives me a syslog of the crash, but I never even thought about checking it after a crash like this. I don't think it will show anything relatively useful? Except for when the address is null?
  10. I tried (!enemy) before adding (e && enemy == false); that crashed it too. That actually was a bad address; I've checked this by changing both of the functions' bodies to return old_get and it still crashed. So I changed the addresses and it worked (well, it didn't work, but it didn't crash either).
  11. Thanks, I guess it's just the address being wrong then. I'm using Odyssey tho. If I comment these out it works as intended: https://codeshare.io/YLb90R
  12. Since it's been a while, I forgot how to actually code stuff; could you please tell me how I properly implement that?

      bool (*get_isEnemy)(void *instance) = (bool (*)(void *))getRealOffset(0x101FB0804);

      float (*old_getDamage)(void *e);
      float getDamage(void *e){
          bool enemy = get_isEnemy(e);
          if (e && enemy == false) {
              return 9999.0f;
          }
          return old_getDamage(e);
      }

      /// HOOK(0xaddress, old_getDamage, getDamage);

      Currently that just crashes the game.