Help/Support (“Class”_Typeinfo;) hidden trying to hook

Wowowowww · October 2, 2022

Ok so the game is pocket ants very easy to modify with hex patches but now I’m trying to figure out if it’s possible with function pointers and stuff like that.

So I figured out a lot of useful fields (ints,floats,etc.)come from this class called Puntos problem is that in this game almost all fields from the other classes are just gameobjects,sprites,(basically no way to reference it as far as I know )

so I looked further via ida and I notice almost every class that related to changing values from Puntos had this thing called Puntos_info in it and which it did ADRP x20,#Puntos_info@page then ADD... @pageoff then it would have a tbnz that would go to another area where it loaded the(ldr x0,[x20 or another x2#]=Puntos_typeinfo) Puntos_typeinfo then did this Ldr w8,[x0,#0xe0] after this a cbnz which if not nz then it would return but if is z it call some like this j_1l2cpp_runtime_class_init_0 then loads Puntos_typeinfo again also I can’t figure out what this 0xe0 really I checked dump.cs and fake .dlls and nothing is here that relates to that

But Point is somehow Puntos is being referenced and I want to know if it’s possible to use it for function pointers so I can edit this useful field mostly the floats as it’s hard to edit them with arm64 without constantly crashing

more info : Puntos seems to be some obfuscate thing as from the functions in the class

and game uses unityframework

Saitama · October 2, 2022

// RVA: 0x1616D58 Offset: 0x1616D58 VA: 0x1616D58
public void ClaimDaily() { }

il2cpp:0000000001616E3C ADRP X22, #Puntos_TypeInfo@PAGE ; Puntos_TypeInfo
il2cpp:0000000001616E40 ADD X22, X22, #Puntos_TypeInfo@PAGEOFF ; Puntos_TypeInfo
il2cpp:0000000001616E44 LDR X0, [X22] ; Puntos_TypeInfo
il2cpp:0000000001616E48 LDR W8, [X0,#0xE0]
il2cpp:0000000001616E4C CBNZ W8, loc_1616E58
il2cpp:0000000001616E50 BL j__il2cpp_runtime_class_init_0
il2cpp:0000000001616E54 LDR X0, [X22] ; Puntos_TypeInfo
il2cpp:0000000001616E58
il2cpp:0000000001616E58 loc_1616E58 ; CODE XREF: Anniv2$$ClaimDaily+F4↑j
il2cpp:0000000001616E58 LDR X8, [X0,#0xB8]
il2cpp:0000000001616E5C LDR W9, [X8,#0x1A0]

X8 -> public class Puntos : MonoBehaviour // TypeDefIndex: 704
W9 -> public static int a2day; // 0x1A0

// RVA: 0x17D1F14 Offset: 0x17D1F14 VA: 0x17D1F14
public void ClaimQuest(int index) { }

il2cpp:00000000017D208C LDR X0, [X23] ; Puntos_TypeInfo
il2cpp:00000000017D2090 LDR W8, [X0,#0xE0]
il2cpp:00000000017D2094 CBNZ W8, loc_17D20A0
il2cpp:00000000017D2098 BL j__il2cpp_runtime_class_init_0
il2cpp:00000000017D209C LDR X0, [X23] ; Puntos_TypeInfo
il2cpp:00000000017D20A0
il2cpp:00000000017D20A0 loc_17D20A0 ; CODE XREF: Quests$$ClaimQuest+180↑j
il2cpp:00000000017D20A0 LDR X8, [X0,#0xB8]
il2cpp:00000000017D20A4 LDR X0, [X8,#0xC30]

X8 -> public class Puntos : MonoBehaviour // TypeDefIndex: 704
W9 -> public static List<Quest> misiones; // 0xC30

Class Puntos is looks like a static Singleton

Saitama · October 2, 2022

17D2BCC BL SaveData$$SaveQuests
17D2BCC -> 1F2003D5

17D1C3C BL SaveData$$SaveDailies
17D1C3C -> 1F2003D5

18E1F4C BL SaveData$$SaveSummerDaily
18E1F4C -> 1F2003D5

and after restart game u can again collect ur quest rewards

Updated October 2, 2022 by Saitama

Wowowowww · October 3, 2022

On 10/2/2022 at 2:17 PM, Saitama said:

// RVA: 0x1616D58 Offset: 0x1616D58 VA: 0x1616D58
public void ClaimDaily() { }

il2cpp:0000000001616E3C ADRP X22, #Puntos_TypeInfo@PAGE ; Puntos_TypeInfo
il2cpp:0000000001616E40 ADD X22, X22, #Puntos_TypeInfo@PAGEOFF ; Puntos_TypeInfo
il2cpp:0000000001616E44 LDR X0, [X22] ; Puntos_TypeInfo
il2cpp:0000000001616E48 LDR W8, [X0,#0xE0]
il2cpp:0000000001616E4C CBNZ W8, loc_1616E58
il2cpp:0000000001616E50 BL j__il2cpp_runtime_class_init_0
il2cpp:0000000001616E54 LDR X0, [X22] ; Puntos_TypeInfo
il2cpp:0000000001616E58
il2cpp:0000000001616E58 loc_1616E58 ; CODE XREF: Anniv2$$ClaimDaily+F4↑j
il2cpp:0000000001616E58 LDR X8, [X0,#0xB8]
il2cpp:0000000001616E5C LDR W9, [X8,#0x1A0]

X8 -> public class Puntos : MonoBehaviour // TypeDefIndex: 704
W9 -> public static int a2day; // 0x1A0

// RVA: 0x17D1F14 Offset: 0x17D1F14 VA: 0x17D1F14
public void ClaimQuest(int index) { }

il2cpp:00000000017D208C LDR X0, [X23] ; Puntos_TypeInfo
il2cpp:00000000017D2090 LDR W8, [X0,#0xE0]
il2cpp:00000000017D2094 CBNZ W8, loc_17D20A0
il2cpp:00000000017D2098 BL j__il2cpp_runtime_class_init_0
il2cpp:00000000017D209C LDR X0, [X23] ; Puntos_TypeInfo
il2cpp:00000000017D20A0
il2cpp:00000000017D20A0 loc_17D20A0 ; CODE XREF: Quests$$ClaimQuest+180↑j
il2cpp:00000000017D20A0 LDR X8, [X0,#0xB8]
il2cpp:00000000017D20A4 LDR X0, [X8,#0xC30]

X8 -> public class Puntos : MonoBehaviour // TypeDefIndex: 704
W9 -> public static List<Quest> misiones; // 0xC30

Class Puntos is looks like a static Singleton

Do you think its possible to use this static singleton with function pointers to modify the float fields? that’s really my main goal

Saitama · October 3, 2022

1 hour ago, Wowowowww said:

Do you think its possible to use this static singleton with function pointers to modify the float fields? that’s really my main goal

sure
il2cpp:0000000001616E58 LDR X8, [X0,#0xB8]
il2cpp:0000000001616E5C LDR W9, [X8,#0x1A0]

mov w28, 1
str w28,[X8,#0x1A0]

public static int a2day; // 0x1A0 == 1

also exist more easy way - i know thats is on forum exists
named like static bla bla bla dont remember