30 posts in this topic
Here's how to install iGameGuardian without "Initialisation Error". I figured I would make a tutorial because there isn't much out there.
Well, hello everyone,
That's my first post ever in a forum, and I'd like to start with this trick that I found trying around to hack in-game purchases.
After years of research to hack that F****ing SimCity Buildit, I found a way that worked for almost 5 other games like MegaPolis or Paradise Beach. I keep trying with other games; plus, after you've read this tut you should be able to test it yourself at any time with any game.
What are we going to need?
Atm I'm working to hack SimCity for arm32 or lower devices so that everyone can have his city hacked.
Till now just money can be hacked using a GameGuardian-like tool for iOS in arm32.
In this tutorial, I will just give a brief overview of some ARM64
You need to know ARMv7 first so this will be easier to understand.
Let's Get Started
So basically, instructions are the same: ARM64 has LDR, MOV, STR, etc., the same as ARMv7.
You will notice ARM64 has different registers: instead of R0, for example, ARM64 uses X0 or W0. You can hack it the same way as you would ARMv7.
This is ammo in the game Forward Assault. The highlighted instruction is what I hacked: SUB W8, W8, #1
Subtract 1 from W8 and put the value back into W8; simply NOP it.
You can hack the STR underneath it and, instead of storing W8, change it to W20 or W29. It will result in making your ammo a very high number. Why?
Because, you silly goose, W20/W29 is the equivalent of R7. Or you can use X20/X29 if the function has X.
But wait, are W20/W29 both the same, Father Nitro?
Well, I'm glad you asked; I was just about to get to that, you eager McBeaver. You see here, the 20 has a high value, but 29 has an even higher value. Sometimes 29 can make it go so high it goes negative, so use 20 instead.
Now let's talk about Booleans in ARM64. In ARMv7, to make something return TRUE or FALSE, we simply change it to MOV R0, #1 or MOV R0, #0.
ARM64 is no different; it's just X instead: MOV X0, #0 or MOV X0, #1.
Here is an example function. In case you didn't know, it's a BOOL since this function loads a byte, which has a 0 or 1 value. So as you can see, this function gets my sexiness. Obviously, to hack it you will change it to MOV X0, #1, making it true, which it is. This can NEVER be false :kappa:
So floats in ARM64 are similar to ARMv7, using FMOV instead of VMOV. So just hack the instruction the same way as you would in ARMv7.
You can change that FMOV S2, #0.5 to FMOV S2, #31.0.
Now it's time to discuss something else. As you may know, in ARMv7 sometimes we want to hack the beginning of a function and make it return a float value.
So we would do:
VMOV S0, #31.0
VMOV R0, S0
So, Father Nitro, is it the same in ARM64?
I know what you're thinking, you're thinking in ARM64 the equivalent would be:
FMOV S0, #31.0
FMOV X0, S0
WRONG! Do that and watch the game crash. In ARM64 the second instruction isn't needed.
FMOV S0, #31.0
FMOV X0, S0
So just replace the first 2 lines of the function with FMOV S0, #31.0, then RET that bad boy.
Now let me get into another example of why ARM64 is bae.
This function is from Critical Ops, which gets the bounciness of the grenade. As you will see, it's an LDR; you can hack it and change it from LDR to FMOV. Yes, in ARM64 you can hack LDR functions to FMOVs. So to hack the function, you can replace the LDR S0, [X0,#0xA0]
with a FMOV S0, #31.0
This function made my grenades super bouncy; it was funny to troll in public matches. The grenades bounced like crazy!
In ARMv7 I found the same function; it was an LDR followed by a BX LR (RET). So to hack it, I tried many things, MOV R0, R7 and such, but every time I threw a grenade it crashed. A VMOV S0, #31.0 / VMOV R0, S0 / BX LR wouldn't work since there isn't enough space. Unless you wanted to write your own code to the unused part of the binary and make the function branch there, which I'm not entirely sure would have worked since I never tried. So I just hacked it in ARM64 instead.
That's it for this tutorial.
EDIT: Forgot to mention, this tutorial was written specially for Amuyea.
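Added example (not from the post): why the #31.0 and #0.5 constants above are legal immediates while many other values are not. ARM64's FMOV (scalar, immediate) keeps the constant in an 8-bit field, so it must have the form ±n/16 * 2^e with n in 16..31 and e in -3..4 (VFPExpandImm in the Arm ARM; ARMv7's VMOV.F32 #imm uses the same rule). This Python helper encodes a float into that imm8 field, or returns None when the value simply does not exist as an immediate.

```python
import math

def fmov_imm8(value):
    """Encode a float as the ARM64 FMOV (scalar, immediate) imm8 field, or None.

    The constant must equal (-1)^s * (16 + f)/16 * 2^e with f in 0..15 and
    e in -3..4; anything else (0.0, 0.1, 100.0, ...) has no immediate form.
    """
    if not math.isfinite(value) or value == 0.0:
        return None                                  # 0.0 is not encodable either
    sign = 1 if value < 0 else 0
    mant, exp = math.frexp(abs(value))               # abs(value) = mant * 2**exp, 0.5 <= mant < 1
    e = exp - 1                                      # rewrite as (2*mant) * 2**e with 1 <= 2*mant < 2
    f = 2 * mant * 16 - 16                           # mantissa fraction in sixteenths
    if not (-3 <= e <= 4) or f != int(f):
        return None
    # bit 7 = sign, bit 6 = 1 only for exponents <= 0, bits 5:4 = low exponent
    # bits, bits 3:0 = f (this is the bit layout VFPExpandImm undoes)
    b = 0 if e >= 1 else 1
    exp_bits = (e - 1) if e >= 1 else (e + 3)
    return (sign << 7) | (b << 6) | (exp_bits << 4) | int(f)

def decode_imm8(imm8):
    """Inverse of fmov_imm8: the float value an imm8 field stands for."""
    sign = -1.0 if imm8 & 0x80 else 1.0
    b = (imm8 >> 6) & 1
    exp_bits = (imm8 >> 4) & 3
    e = (exp_bits - 3) if b else (exp_bits + 1)
    return sign * (16 + (imm8 & 0xF)) / 16 * 2.0 ** e

def encodable_floats():
    """All 128 positive constants FMOV can load directly, ascending (0.125 .. 31.0)."""
    return sorted({decode_imm8(i) for i in range(256) if not i & 0x80})
```

If a constant is not in `encodable_floats()`, an assembler will reject the FMOV, which is why the post sticks to values like 31.0.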
As requested, here is the tutorial on how to dump il2cpp of iOS Unity games. With Il2CppDumper, it will be much easier to find useful functions and offsets to hack. No need to waste your time debugging the game.
Note: Il2CppDumper does not work on some games. Dumping 64-bit offsets may not work. Bug reported: https://github.com/Perfare/Il2CppDumper/issues/22
We hope djkaty (developer of Il2CppInspector) will also work on iOS dumping so we can use Il2CppInspector as an extra dumper, in case Il2CppDumper doesn't work correctly.
I will keep updating this thread if I find something new.
- ARM/ASM knowledge
- IDA hacking experience
- IDA Pro. Download link
- Notepad++. Download link
- Il2CppDumper (Windows). Download link
- Clutch or Rasticrac for jailbroken devices or visit appvn.com to download latest cracked free games
- WinRAR or 7-Zip to open the .ipa file
Download the released version of Il2CppDumper by Perfare and extract the program.
To open the .ipa file, simply rename the file extension to .zip and open it.
If you are using 7-Zip, right-click -> 7-Zip -> Open Archive to open the .ipa file directly.
Navigate to \Payload\<app or game name>.app\ and extract the big binary file that doesn't have a file extension.
Navigate to \Payload\iosfps.app\Data\Managed\Metadata\ and extract global-metadata.dat
Launch Il2CppDumper.exe. It will open the file-selection dialog twice. For the ELF or Mach-O file, select the binary file; for global-metadata.dat, select global-metadata.dat.
It will ask you to select the platform, 32-bit or 64-bit. Press 1 for 32-bit or press 2 for 64-bit. Now for Mode, press 1 for manual and press 2 for auto. Please use Auto mode to get the program to find the offsets and dump the code for you, because looking for the 2 required offsets (CodeRegistration and MetadataRegistration) in IDA Pro to dump is too complicated, and Unity already stripped all function names, which means they will be harder to find, and I haven't found out where to find the 2 offsets in a 64-bit binary yet. As you used auto mode, the program will tell you the offsets, but you do not need to know them if you have no idea what they are.
The dump.cs file should be created at the location where Il2CppDumper.exe is located.
Open dump.cs with Notepad++ by right-clicking it and selecting Edit with Notepad++.
Inside dump.cs, you'll see C# code. Method bodies are not dumped, but it's very simple code that tells you the function names and offsets to mod.
To search, click Search -> Find...
To find all occurrences of a keyword, click Find All in Current Document.
If you've never seen C# code before, I'll explain a bit what the code means. I'm bad at explaining what this code means, but I hope it goes well.
The comment you see at the top is just a list of .dll files that have been converted into il2cpp:
// Image 0: mscorlib.dll - 0
// Image 1: System.Security.dll - xxxx
// Image xx: Assembly-CSharp.dll - xxxx
The Assembly-CSharp.dll (Android users know this) is the game logic thing, and it is what we're looking for. The full code of the "Assembly-CSharp.dll" thingy is always located somewhere at the bottom of the dumped file.
A class body is like a group that makes it easier for programmers to find code. For example, the PlayerAntiHack class contains anti-hack related code.
public class PlayerScript : MonoBehaviour // TypeDefIndex: 4303
In IDA you'll probably see function names like
I'll bring you better details:
A class is a construct that enables you to create your own custom types by grouping together variables of other types, methods and events. A class is like a blueprint. It defines the data and behavior of a type. ... Unlike structs, classes support inheritance, a fundamental characteristic of object-oriented programming.
In the class, you'll see something like this:
private int primaryWeaponIndex; // 0x10
private float minSpread; // 0x820
private float spread; // 0x824
private float visualSpread; // 0x828
Fields are not what we're looking for, so let's look into Methods.
private int findNextAvailableWeapon(int currentWeaponIndex); // 1e704c
private bool IsLookingAtPlayer(PlayerScript player); // 1f3894
public bool HasBeenVisible(); // 1f2fa0
public int get_Gold_Example(); // 1a2b3c
public float float_example(); // 1a2b3d
This is what we're looking for. These simple lines tell you the name of the methods/functions and what type they are, and the REAL IDA OFFSETS are written in the green commented text.
public, private, protected, etc. are access modifiers. It's not important to know.
static is a modifier to declare a static member. It's not important to know.
int, float, double, boolean, etc. are data types.
If you look up the offset in IDA, you will see a sub_xxxxxx.
Write down all useful functions + offsets you found inside the dumped .cs file and start writing your code injection.
Note: It is suggested that you disassemble the binary file and look up the offsets to see if there is enough space to replace the instructions to hack.
That's all. Good luck hacking iOS games!
Evildog1 a.k.a. iAndroHacker (this tutorial)
Perfare (Il2CppDumper https://github.com/Perfare/Il2CppDumper)
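Added example (not the post's or Il2CppDumper's own code): a small Python parser for dump.cs lines in the layout quoted above (image list, class headers, fields with "// 0x.." object offsets, methods with "// hex" file offsets), so you can list, say, every bool-returning method of a class instead of reading the file by hand; a game's own developers can use the same thing to see which method names a stripped build still exposes. The embedded sample dump is constructed from the post's lines, and the layout is assumed from those lines only.

```python
import re
from collections import namedtuple

# Constructed sample in the layout the post quotes (image list, class header,
# fields with "// 0x.." object offsets, methods with "// hex" file offsets).
SAMPLE_DUMP = """\
// Image 0: mscorlib.dll - 0
// Image 2: Assembly-CSharp.dll - 3408
public class PlayerScript : MonoBehaviour // TypeDefIndex: 4303
private int primaryWeaponIndex; // 0x10
private float minSpread; // 0x820
private int findNextAvailableWeapon(int currentWeaponIndex); // 1e704c
private bool IsLookingAtPlayer(PlayerScript player); // 1f3894
public bool HasBeenVisible(); // 1f2fa0
public static float float_example(); // 1a2b3d
"""

TOKEN = r"[\w<>\[\],.]+"   # one modifier or one (possibly generic) type name
IMAGE_RE = re.compile(r"^//\s*Image\s+(\d+):\s*(\S+)\s*-\s*(\d+)")
CLASS_RE = re.compile(r"^\s*(?:\w+\s+)*(?:class|struct)\s+(\w+)")
FIELD_RE = re.compile(r"^\s*((?:%s\s+)+?)(\w+);\s*//\s*0x([0-9A-Fa-f]+)" % TOKEN)
METHOD_RE = re.compile(r"^\s*((?:%s\s+)+?)(\w+)\((.*)\);\s*//\s*(?:0x)?([0-9A-Fa-f]+)" % TOKEN)

# offset: position inside the object (fields) or file offset of the body (methods)
Member = namedtuple("Member", "cls modifiers type name params offset is_method")

def parse_dump(text):
    """Return (images, members) parsed from dump.cs text in the post's layout."""
    images, members, cls = [], [], "<global>"
    for line in text.splitlines():
        if m := IMAGE_RE.match(line):
            images.append((int(m.group(1)), m.group(2)))
        elif m := CLASS_RE.match(line):
            cls = m.group(1)                      # members below belong to this class
        elif m := METHOD_RE.match(line):
            *mods, rtype = m.group(1).split()     # last token before the name is the type
            members.append(Member(cls, tuple(mods), rtype, m.group(2),
                                  m.group(3).strip(), int(m.group(4), 16), True))
        elif m := FIELD_RE.match(line):
            *mods, ftype = m.group(1).split()
            members.append(Member(cls, tuple(mods), ftype, m.group(2), "",
                                  int(m.group(3), 16), False))
    return images, members

def find_methods(members, name_pattern=".", ret_type=None):
    """Methods whose name matches the regex (case-insensitive) and, if given, return type."""
    pat = re.compile(name_pattern, re.IGNORECASE)
    return [m for m in members if m.is_method and pat.search(m.name)
            and (ret_type is None or m.type == ret_type)]
```

Run `parse_dump` on a real dump.cs read from disk and filter with `find_methods(members, "gold|ammo", ret_type="int")` style queries; fields keep their in-object offsets, methods their file offsets, so the two are not mixed up.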