Tutorial H5GG Enhanced Menu Tutorial - JSPlug-in Advanced

vert. · August 28, 2023

hi

ada1016 · August 31, 2023

This is my game looks like

public class GWEconomyModel // TypeDefIndex: 9184
{
	public int LoyaltyBonusPerDay_Gold; // 0x288
}

and my plug-in code

try {
    script = initializeUnitySupport();
    aryObj = script.call("findUnityObjectOfType", ["$GWEconomyModel", true]);
    
    if (!aryObj) {
        alert("Cannot find object to cheat. Engine stopped.");
    } else if (aryObj.length == 0) {

          var GWEconomyModel = new UnityObject(aryObj[0])
          GWEconomyModel.loadFields(['DelveAttemptsPerDay'])
          var DelveAttemptsPerDay = new UnityObject(GWEconomyModel.DelveAttemptsPerDay)
          DelveAttemptsPerDay = 50

        //CharacterMotor.loadFields(['DelveAttemptsPerDay'])
        //var DelveAttemptsPerDay = aryObj[0].DelveAttemptsPerDay
        alert(aryObj.length)
        
    }

} catch (e) {
    //reset Unity Support
    gIl2cppInit = false;
    var script = initializeUnitySupport();
    alert("Unity support crashed and reset complete");
}

The result is app always crash at var GWEconomyModel = new UnityObject(aryObj[0])
the aryObj.length is always 0, but not able to load the field.

Can you correct my understand and educate how to fix this error?

Happy Secret · August 31, 2023

1 hour ago, ada1016 said:

This is my game looks like

public class GWEconomyModel // TypeDefIndex: 9184
{
	public int LoyaltyBonusPerDay_Gold; // 0x288
}

and my plug-in code

try {
    script = initializeUnitySupport();
    aryObj = script.call("findUnityObjectOfType", ["$GWEconomyModel", true]);
    
    if (!aryObj) {
        alert("Cannot find object to cheat. Engine stopped.");
    } else if (aryObj.length == 0) {

          var GWEconomyModel = new UnityObject(aryObj[0])
          GWEconomyModel.loadFields(['DelveAttemptsPerDay'])
          var DelveAttemptsPerDay = new UnityObject(GWEconomyModel.DelveAttemptsPerDay)
          DelveAttemptsPerDay = 50

        //CharacterMotor.loadFields(['DelveAttemptsPerDay'])
        //var DelveAttemptsPerDay = aryObj[0].DelveAttemptsPerDay
        alert(aryObj.length)
        
    }

} catch (e) {
    //reset Unity Support
    gIl2cppInit = false;
    var script = initializeUnitySupport();
    alert("Unity support crashed and reset complete");
}

The result is app always crash at var GWEconomyModel = new UnityObject(aryObj[0])
the aryObj.length is always 0, but not able to load the field.

Can you correct my understand and educate how to fix this error?

Have you try using Unity Static Analyser to see if you can find that object?

Normally we need to find one related on scene object that you can get object with Unity's Object.FindObjectOfType. Then use it as root to navigate to your desired object.

In my example, I do not directly use findUnityObjectOfType to reach ItemStat. Instead, I use Gameplay.m_ItemStat to connect Gameplay object (on scene) to ItemStat(not on scene). Then I can create Unity Object on ItemStat.

On scene is a logical one. You cannot guess if it is available especially for those virtual / intangible things.

Use Unity Static Analyser to test it out. If you can use Unity Static Analyser to directly retrieve object, that mean you can use get the object with findUnityObjectOfType.

Another note is, as whether on scene or not is important. So, be cautious on where you trigger to cheat...Some object only available on certain screen/scene. Say the some shop related object would only available when you open the shop UI in the game.

All in all, test it with Unity Static Analyser first...confirmed you can cheat the value you want before you try to prepare the cheat with JSPlug-in. Some games create lots of copy of a game value. You might not cheat the value if you modify the wrong one.

ada1016 · September 1, 2023

9 hours ago, Happy Secret said:

Have you try using Unity Static Analyser to see if you can find that object?

Normally we need to find one related on scene object that you can get object with Unity's Object.FindObjectOfType. Then use it as root to navigate to your desired object.

In my example, I do not directly use findUnityObjectOfType to reach ItemStat. Instead, I use Gameplay.m_ItemStat to connect Gameplay object (on scene) to ItemStat(not on scene). Then I can create Unity Object on ItemStat.

On scene is a logical one. You cannot guess if it is available especially for those virtual / intangible things.

Use Unity Static Analyser to test it out. If you can use Unity Static Analyser to directly retrieve object, that mean you can use get the object with findUnityObjectOfType.

Another note is, as whether on scene or not is important. So, be cautious on where you trigger to cheat...Some object only available on certain screen/scene. Say the some shop related object would only available when you open the shop UI in the game.

All in all, test it with Unity Static Analyser first...confirmed you can cheat the value you want before you try to prepare the cheat with JSPlug-in. Some games create lots of copy of a game value. You might not cheat the value if you modify the wrong one.

thanks @Happy Secret

Still much to learn.. I made a recording on what I am experiencing below and found two new things

1. I was able to locate GWEconomyModel as class in UA, but when I click, it always goes to something else (e.g GWGameState). Please see the clip at 17 second. What does this tells me? Please educate

2. I love your tutorial, but if possible, can you share what the code looks like at dump.cs that leads you made aware that instead of tracking GamePlay directly, it is Gameplay.m_ItemStat that you are interested? Wanted to learn you thinking path as well.

Thank you so much

Happy Secret · September 1, 2023

5 hours ago, ada1016 said:

1. I was able to locate GWEconomyModel as class in UA, but when I click, it always goes to something else (e.g GWGameState). Please see the clip at 17 second. What does this tells me? Please educate

Pink Color means it can be reached in one Hop, but not directly. For those can reach directly, it will be in Yellow.

In GWGameState, if you scroll down the field list, there is one row highlight in yellow. That is the field that point to GWEconomyModel. If the address there is not bill/0x0, click on it. It will bring you to the GWEconomyModel object view.

Try edit the gold value there by clicking on the 0x288 offset, it will bring up editor. Just put in the number you want. See if it work in game, try spending gold etc, if you conclude the cheat is working fine.

Go back to your script, use GWGameState as the base object to navigate to what you need

ada1016 · September 7, 2023

On 9/1/2023 at 2:07 PM, Happy Secret said:

Pink Color means it can be reached in one Hop, but not directly. For those can reach directly, it will be in Yellow.

In GWGameState, if you scroll down the field list, there is one row highlight in yellow. That is the field that point to GWEconomyModel. If the address there is not bill/0x0, click on it. It will bring you to the GWEconomyModel object view.

Try edit the gold value there by clicking on the 0x288 offset, it will bring up editor. Just put in the number you want. See if it work in game, try spending gold etc, if you conclude the cheat is working fine.

Go back to your script, use GWGameState as the base object to navigate to what you need

Thank you.. I had very weak sense of Unity Game development, sorry for my further more question....

Objective: change the remaining attempts of a dungen

from Dump.cs, I captured this

public class GWGameState : MonoBehaviour // TypeDefIndex: 9219

{

:

public int DelveAttempts { get; }

public int get_DelveAttempts() { }

:
}

my Plug.js code

try {
    script = initializeUnitySupport();
    //[STEP 2][MODIFY]Change the root object of interest, which should able to link to your other cheat object
    aryObj = script.call("findUnityObjectOfType", ["$GWGameState", true]);
    
    if (!aryObj || aryObj.length == 0) {
    }
    
    for (let i = 0; i < aryObj.length; i++) {    
        let GWGameState = new UnityObject(aryObj[i]);
        GWGameState.loadFields(['int32 DelveAttempts']);
        GWGameState.loadMethods(["int32 get_DelveAttempts()"]);
        GWGameState.DelveAttempts=5
        alert("GWGameState (" + aryObj[i].toString(16) + ") with UnityObject:" + GWGameState.DelveAttempts+"get_DelveAttempts="+GWGameState.get_DelveAttempts())
        GWGameState.loadFields(['int32 DelveAttempts']);
        alert(GWGameState.DelveAttempts)
        
    }


} catch (e) {
    //reset Unity Support
    gIl2cppInit = false;
    var script = initializeUnitySupport();
}

Result

GWGameState (0x13125ba80) with UnityObject: 5. get_DelveAttempts=3

Unity support crashed and reset completeTypeError: Attempting to change the setter of an unconfigurable property.

I believe I didn't change the object value at all, I just changed the object that I initiated, can you please educate ?

Happy Secret · September 7, 2023

2 hours ago, ada1016 said:

public int DelveAttempts { get; }

public int get_DelveAttempts() { }

You can see it only provide getter but there is no setter. That is why, you cannot change the Attempts. You need to find if there are other method allow you to change the Attempts.

Can you change attempts using Unity Object explorer or Unity Static Analyzer?

ada1016 · September 7, 2023

4 minutes ago, Happy Secret said:

You can see it only provide getter but there is no setter. That is why, you cannot change the Attempts. You need to find if there are other method allow you to change the Attempts.

Can you change attempts using Unity Object explorer or Unity Static Analyzer?

No, I cannot change via US Analyser as well. But I should be able to find the address and patch it. So.. if the value cannot be change by UA, it cannot be altered by plugin?

ada1016 · September 7, 2023

6 minutes ago, ada1016 said:

No, I cannot change via US Analyser as well. But I should be able to find the address and patch it. So.. if the value cannot be change by UA, it cannot be altered by plugin?

sorry, ,really interested in this but really got a lot to learn.

The more I play with this, the more unknown I realises.

Q:Is this script worked like one time thing? That, the script only get executed when the code path get there, and you have to run the script before it trigger. For some method that happened at battle, such as adjust mana when take damage, you cannot use this script as it does not work like a hook. Is this understand correct?

Q: if a method has game object in parameter, how do I loadMethods it?e.g.

public void AdjustPlayerMana(int playerIndex, int[] manaCollected, ref bool activateManaMatchTraits, bool collectedFromBoard = False, bool wasMatch = False, PuzzleTroop pAdjustmentCause) { }

thank you for your time.

Happy Secret · September 7, 2023

9 hours ago, ada1016 said:

No, I cannot change via US Analyser as well. But I should be able to find the address and patch it. So.. if the value cannot be change by UA, it cannot be altered by plugin?

Normally, if you cannot change value with Unity Static Analyzer, you would also can do simple memory patch with JSPlug-in.

However, you could try using method call.