Android Tutorial [IDA tutorial] How to mod x86 lib .so file (Updated)

ThePianoGuy · May 10, 2018

Hello dear community,

Today, i will teach you how to mod x86 libs. x86 is not that hard to understand because the instruction are almost the same as ARM. In this tutorial, i mod the game called The Sandbox 2.

You don't really need to mod x86 at all since I never heard any problem with ARM translating to x86, and it's too hard to change instruction without code caving. Just wanna make tutorial lol

Now let's start modding.

In this tutorial, I'll show you how to mod The Sandbox Evolution very easy in x86.

First of all, you need IDA PRO and Hex Workshop installed on your computer. If you already have them installed, go to next step

Open the APK file with WinRar and extract the lib folder (In case you want to mod both x86 and ARM)
Open the x86 .so file in IDA. You will see the dialog box similar to the following:

In x86, you don't need to change anything. MetaPC is fine. Click OK to disassemble the lib file, and let it fully load. After that, press CTRL + F, search "isElementUnlocked" and double click on the function to open it

Remember the offset (9869E0) of first instruction. we need to use it later.

Note: The offset will change each update.

Open Hex Workshop or other hex editing program, and search the offset. I'm using Hex Workshop

Here is the offset of isElementUnlocked

The function isElementUnlocked is a boolean function, which means it can return true or false. If you want unlock everything, replace it with b8 01 00 00 00 c3, which will return true.

True is:

b8 01 00 00 00 (mov eax, 1)

False is:

b8 00 00 00 00 (mov eax, 0)

And return is:

c3 (retn)

When you open the modded .so file in IDA, your modded instruction will look like:

Isn't that easy?

You can also do the same on hasBoughtPromoPack to unlock premium

If you want to hack mana like 9999999, search getManaBalance and giveMana, and replace it with any values you want

b8 7f 96 98 00 (mov eax, 9999999)
c3 (ret)

You can use online x86 Assembly to get raw hex
https://defuse.ca/online-x86-assembler.htm#disassembly

Open the APK with WinRAR and replace the modded .so file. Re-sign the APK, install it and run the game.

[/IMG]

Credits:
AndnixSH#

Tutorial updated (May 2018)

Updated May 10, 2018 by AndnixSH

Goggwell · August 13, 2016

Great tutorial!

CmakLove · August 13, 2016

Nice tuts lol

Updated August 16, 2016 by tcikotci

Infamous-Ash · August 13, 2016

another good tut wow

Updated August 13, 2016 by Infamous-Bluetooth

CmakLove · August 16, 2016

So what is MOV R0, R7 in x86 ??

ThePianoGuy · August 16, 2016

So what is MOV R0, R7 in x86 ??

there is no limitation of value in x86 so you don't have to think about MOV R0, R7 thing

99,999,999 value is

mov eax, 0x5f5e0ff = b8 ff e0 f5 05

max value is 0xffffffff = 4,294,967,295 , but it if max value is 2,147,384,687 for some games, the value will go negative or the game will crash

mov eax, 0xffffffff = b8 ff ff ff ff

i'm unsure if it works

Updated August 16, 2016 by evildog1

Rook · August 16, 2016

@@evildog1

Do we need a x86 to hex converter?

CmakLove · August 17, 2016

there is no limitation of value in x86 so you don't have to think about MOV R0, R7 thing

99,999,999 value is
mov eax, 0x5f5e0ff = b8 ff e0 f5 05
max value is 0xffffffff = 4,294,967,295 , but it if max value is 2,147,384,687 for some games, the value will go negative or the game will crash
mov eax, 0xffffffff = b8 ff ff ff ff
i'm unsure if it works

aight dude thanks ill let you know if this works

)