Help/Support How I turn this main.cpp into 'Damage and Defence multiplier'?

[Azuma tan 0]

Hello, dear friends! It's a pleasure to meet you all!

I'm new here and I need some help for my learning.

My question is about a main.cpp, how to basically run with 'Damage' and 'Defence' multiplier function (with the floating mod). It's possible to use hooking and hex in the same, one enable and the other disabled (to alternate)?

Please, if possible can you help me with the code below?

 

Note: The target offsets be like this:

The first below is the Damage.    

// Token: 0x17000D53 RID: 3411
    // (get) Token: 0x06003223 RID: 12835 RVA: 0x00010770 File Offset: 0x0000E970
    [Token(Token = "0x17000D53")]
    public int AttackPower
    {
        [Token(Token = "0x6003223")]
        [Address(RVA = "0xDF6200", Offset = "0xDF6200", VA = "0xCCDF6200")]
        get
        {
            return 0;
        }

The second below is Defence:

    // Token: 0x17000D54 RID: 3412
    // (get) Token: 0x06003224 RID: 12836 RVA: 0x00010788 File Offset: 0x0000E988
    [Token(Token = "0x17000D54")]
    public int DefencePower
    {
        [Token(Token = "0x6003224")]
        [Address(RVA = "0xDF6410", Offset = "0xDF6410", VA = "0xCCDF6410")]
        get
        {
            return 0;
        }
    }

 

 You have all my thanks!!!

Code:

/*

#include <list>
#include <vector>
#include <string.h>
#include <pthread.h>
#include <cstring>
#include <jni.h>
#include <unistd.h>
#include <fstream>
#include "Includes/obfuscate.h"
#include "KittyMemory/MemoryPatch.h"
#include "Includes/Logger.h"
#include "Includes/Utils.h"
#include "Menu.h"

#if defined(__aarch64__) //Compile for arm64 lib only
#include <And64InlineHook/And64InlineHook.hpp>
#else //Compile for armv7 lib only. Do not worry about greyed out highlighting code, it still works

#include <Substrate/SubstrateHook.h>
#include <Substrate/CydiaSubstrate.h>
#include <iostream>

#endif

// fancy struct for patches for kittyMemory
struct My_Patches {
    // let's assume we have patches for these functions for whatever game
    // like show in miniMap boolean function
    MemoryPatch Damage, Defence,  SliderDamage, SliderDefence, SliderArmor;
    // etc...
} hexPatches;

bool feature2 = false, attackpower = false, featureHookToggle = false, gem = false, defencepower = false;
int sliderValue = 1;
void *instanceBtn;
int slider = 1;


// Function pointer splitted because we want to avoid crash when the il2cpp lib isn't loaded.
// If you putted getAbsoluteAddress here, the lib tries to read the address without il2cpp loaded,
// will result in a null pointer which will cause crash
void (*get_gem)(void *instance, int amount);

//Target lib here
#define targetLibName OBFUSCATE("libil2cpp.so")


extern "C" {
JNIEXPORT void JNICALL
Java_uk_lgl_MainActivity_Toast(JNIEnv *env, jclass obj, jobject context) {
    MakeToast(env, context, OBFUSCATE("Modded by Yamasu"), Toast::LENGTH_LONG);
}


JNIEXPORT jobjectArray
JNICALL
Java_uk_lgl_modmenu_FloatingModMenuService_getFeatureList(JNIEnv *env, jobject activityObject) {
    jobjectArray ret;

    const char *features[] = {
            OBFUSCATE("Category_The Category"), //Not counted
            OBFUSCATE("Toggle_Damage"), //0 Case
            OBFUSCATE("Toggle_Defence"), //1 Case
            OBFUSCATE("SeekBar_DamageMT_1_100"), //2 Case
            OBFUSCATE("SeekBar_DamageHeX_1_100"), //3 Case
            OBFUSCATE("Toggle_AttackPower"), //4 Case
            OBFUSCATE("Slider_Damage"), //5 Case
            OBFUSCATE("Slider_Defence"), //6 Case
            OBFUSCATE("Slider_Armor"), //7 Case
            OBFUSCATE("Toggle_Gems"), //8 Case
            OBFUSCATE("Toggle_Gems"), //9 Case
            OBFUSCATE("Toggle_FeatureHook"), //10 Case
            OBFUSCATE("Toggle_Gems"), //11 Case
            OBFUSCATE("Toggle_DefencePower"), //12 Case
    };

    //Now you dont have to manually update the number everytime;
    int Total_Feature = (sizeof features / sizeof features[0]);
    ret = (jobjectArray)
            env->NewObjectArray(Total_Feature, env->FindClass(OBFUSCATE("java/lang/String")),
                                env->NewStringUTF(""));

    for (int i = 0; i < Total_Feature; i++)
        env->SetObjectArrayElement(ret, i, env->NewStringUTF(features[i]));

    pthread_t ptid;
    pthread_create(&ptid, NULL, antiLeech, NULL);

    return (ret);
}


JNIEXPORT void JNICALL
Java_uk_lgl_modmenu_Preferences_Changes(JNIEnv *env, jclass clazz, jobject obj,
                                        jint featNum, jstring featName, jint value,
                                        jboolean boolean, jstring str) {
    //Convert java string to c++
    const char *featureName = env->GetStringUTFChars(featName, 0);
    const char *TextInput;
    if (str != NULL)
        TextInput = env->GetStringUTFChars(str, 0);
    else
        TextInput = "On~Off";


    LOGD(OBFUSCATE("Feature name: %d - %s | Value: = %d | Bool: = %d | Text: = %s"), featNum,
         featureName, value,
         boolean, TextInput);



    //BE CAREFUL NOT TO ACCIDENTLY REMOVE break;

    switch (featNum) {
        case 0:
            feature2 = boolean;
            if (feature2) {
                hexPatches.Damage.Modify();
            } else {
                hexPatches.Damage.Restore();
            }
            break;
        case 1:
            feature2 = boolean;
            if (feature2) {
                hexPatches.Defence.Modify();
            } else {
                hexPatches.Defence.Restore();
            }
            break;
    }
    switch (value) {
        case 2:
            if (value >= 1) {
                sliderValue = value;  //no multiplication

            }
            break;
    }
    switch (value) {
        case 3 :
            if (value >= 1) {
                sliderValue = value * 99999;  // with multiplication does freeze the game

            }
            break;
    }
    switch (featNum) {
        case 4:
            attackpower = boolean;
            break;
    }
    switch (value) {
        case 5:
            hexPatches.SliderDamage = MemoryPatch::createWithHex(
                    targetLibName, string2Offset(
                            OBFUSCATE_KEY("0x15ED0C8", 't')),
                    OBFUSCATE(
                            "60 0A 0E E3 1E FF 2F E1"));
            hexPatches.SliderDamage.Modify();
            break;
        case 6:
            hexPatches.SliderDefence = MemoryPatch::createWithHex(
                    targetLibName, string2Offset(
                            OBFUSCATE_KEY("0x15ED148", 'b')),
                    OBFUSCATE(
                            "60 0A 0E E3 1E FF 2F E1"));
            hexPatches.SliderDefence.Modify();
            break;
        case 7:
            hexPatches.SliderArmor = MemoryPatch::createWithHex(
                    targetLibName, string2Offset(
                            OBFUSCATE_KEY("0x96D7B8", 'q')),
                    OBFUSCATE(
                            "60 0A 0E E3 1E FF 2F E1"));
            hexPatches.SliderArmor.Modify();
            break;
    }
    switch (value)
        case 8: {
            if (instanceBtn != NULL)
                get_gem(instanceBtn, 9999);
            MakeToast(env, obj, OBFUSCATE("Button pressed"), Toast::LENGTH_SHORT);

            break;
        }

    switch (featNum) {
        case 9:
            featureHookToggle = boolean;

            break;
    }
            switch (featNum) {
                case 10:
                    MakeToast(env, obj, TextInput, Toast::LENGTH_SHORT);
                    break;
            }
    switch (featNum) {
        case 11:
            gem  = boolean;
            break;
    }
    switch (featNum) {
        case 12:
            defencepower  = boolean;
            break;
    }

}


// Hooking example
int (*old_attack)(void *instance);
int attack(void *instance) {
    if (instance != NULL && attackpower) {
        return 9999;
    }
    return old_attack(instance);
}
int (*old_defence)(void *instance);
int defence(void *instance) {
    if (instance != NULL && defencepower) {
        return 9999;
    }
    return old_defence(instance);
}

double (*old_Attack)(void *instance);
double (AttackPower)(void *instance) {

    if (instance != NULL && sliderValue >
                            1) {                             //is true when slidervalue more than 1 and not null
        return (double) sliderValue;
    }
    old_Attack(instance);             // otherwise return to old value
}

//Toast
int (*old_gem)(void *instance);
int Gem(void *instance) {
    if (instance != NULL && gem) {
        return 9999;
    }
    return old_gem(instance);
}

// we will run our patches in a new thread so our while loop doesn't block process main thread
// Don't forget to remove or comment out logs before you compile it.

//KittyMemory Android Example: https://github.com/MJx0/KittyMemory/blob/master/Android/test/src/main.cpp
//Use ARM Converter to convert ARM to HEX: https://armconverter.com/
//Note: We use OBFUSCATE_KEY for offsets which is the important part xD

void *hack_thread(void *) {
    LOGI(OBFUSCATE("pthread called"));

    //Check if target lib is loaded
    do {
        sleep(1);
    } while (!isLibraryLoaded(targetLibName));

    LOGI(OBFUSCATE("%s has been loaded"), (const char *) targetLibName);


#if defined(__aarch64__) //Compile for arm64 lib only
    // New way to patch hex via KittyMemory without need to  specify len. Spaces or without spaces are fine
    //hexPatches.GodMode = MemoryPatch::createWithHex(targetLibName,
                                                    //string2Offset(OBFUSCATE_KEY("0x123456", '3')),
                                                    //OBFUSCATE("00 00 A0 E3 1E FF 2F E1"));
    //You can also specify target lib like this
    //hexPatches.GodMode2 = MemoryPatch::createWithHex("libtargetLibHere.so",
                                                     //string2Offset(OBFUSCATE_KEY("0x222222", 'g')),
                                                     //OBFUSCATE("00 00 A0 E3 1E FF 2F E1"));

    // Offset Hook example
    // A64HookFunction((void *) getAbsoluteAddress(targetLibName, string2Offset(OBFUSCATE_KEY("0x123456", 'l'))), (void *) get_BoolExample,
    //                (void **) &old_get_BoolExample);

    // Function pointer splitted because we want to avoid crash when the il2cpp lib isn't loaded.
    // See https://guidedhacking.com/threads/android-function-pointers-hooking-template-tutorial.14771/
    gem = (void(*)(void *,int))getAbsoluteAddress(targetLibName, 0x123456);

#else //Compile for armv7 lib only. Do not worry about greyed out highlighting code, it still works

    // New way to patch hex via KittyMemory without need to specify len. Spaces or without spaces are fine
    hexPatches.Damage = MemoryPatch::createWithHex(targetLibName,
                                                   string2Offset(OBFUSCATE_KEY("0x15ED0C8", 'g')),
                                                   OBFUSCATE("DC OF OF E3 1E FF 2F E1"));
    //You can also specify target lib like this
    hexPatches.Defence = MemoryPatch::createWithHex(targetLibName,
                                                    string2Offset(OBFUSCATE_KEY("0x15ED148", 'g')),
                                                    OBFUSCATE("DC OF OF E3 1E FF 2F E1"));

    hexPatches.SliderDamage = MemoryPatch::createWithHex(targetLibName,
                                                         string2Offset(
                                                                 OBFUSCATE_KEY("0x15ED0C8", 'g')),
                                                         OBFUSCATE("12 07 80 E3 1E FF 2F E1"));

    hexPatches.SliderDefence = MemoryPatch::createWithHex(targetLibName,
                                                          string2Offset(
                                                                  OBFUSCATE_KEY("0x15ED148", 'g')),
                                                          OBFUSCATE("12 07 80 E3 1E FF 2F E1"));

    hexPatches.SliderArmor = MemoryPatch::createWithHex(targetLibName,
                                                        string2Offset(
                                                                OBFUSCATE_KEY("0x96D7B8", 'g')),
                                                        OBFUSCATE("12 07 80 E3 1E FF 2F E1"));
    //Apply patches here if you don't use mod menu
    //hexPatches.GodMode.Modify();
    //hexPatches.GodMode2.Modify();

    // Offset Hook example
    MSHookFunction((void *) getAbsoluteAddress(targetLibName,
                   string2Offset(OBFUSCATE_KEY("0x1C8C8E0", '?'))),
                  (void *) get_gem, (void **) &old_gem);
    MSHookFunction((void *) getAbsoluteAddress(targetLibName,
                                               string2Offset(OBFUSCATE_KEY("0x1C8B70C", '?'))),
                   (void *) get_gem, (void **) &old_gem);


    // Symbol hook example (untested). Symbol/function names can be found in IDA if the lib are not stripped. This is not for il2cpp games
    MSHookFunction((void *) ("__unwind_"), (void *) get_gem, (void **) &old_gem);

    // Function pointer splitted because we want to avoid crash when the il2cpp lib isn't loaded.
    // See https://guidedhacking.com/threads/android-function-pointers-hooking-template-tutorial.14771/
    get_gem = (void (*)(void *, int)) getAbsoluteAddress(targetLibName, 0x1C8C8E0);
    get_gem = (void (*)(void *, int)) getAbsoluteAddress(targetLibName, 0x1C8B70C);

    LOGI(OBFUSCATE("Done"));

#endif

    return NULL;
}

//No need to use JNI_OnLoad, since we don't use JNIEnv
//We do this to hide OnLoad from disassembler
__attribute__((constructor))
void lib_main() {
    // Create a new thread so it does not block the main thread, means the game would not freeze
    pthread_t ptid;
    pthread_create(&ptid, NULL, hack_thread, NULL);
}

/*
JNIEXPORT jint JNICALL
JNI_OnLoad(JavaVM *vm, void *reserved) {
    JNIEnv *globalEnv;
    vm->GetEnv((void **) &globalEnv, JNI_VERSION_1_6);

    return JNI_VERSION_1_6;
}
 */
}

Updated September 2, 2022 by Azuma tan
More information about the target offsets, text correction