Help/Support How do you find methods to hack in obfuscated Unity games?

[tanis 4 iPhone Xs 12.0.1]

Hello,

I was wondering how you guys usually find the right method when working with Unity games with obfuscated code like Last Day On Earth.

I can easily dump che Mach-O binary with IDA and retrieve the method signatures with IL2CppDumper but then most of the game methods are obfuscated so they don't mean much. Are you actually running a live debugger on the device to find out the methods you want to play with or is there a better option?

Cheers!

 

[Ted2 39.1k iPhone 13 Pro 16.0 Donor]

Trial & error.

If it's obfuscated, most of the time classes are still shown & you can set breakpoints on random function which is still easier than hacking non unity games most of the time.

[tanis 4 iPhone Xs 12.0.1]

@Ted2 so you're basically breakpointing random stuff, which also means you're running a debugger to do that and not just working on code dumps. Makes sense but it's still quite hard to find what you want by trial & error with games like that with literally thousands of methods spread over hundreds of classes.

And they all look like:

    private void EONJCBOAAPK(PJDJJFIEOOL IBLBHFELIBH); // 0x1015CC800
    private void FKBFJFPFBKP(); // 0x1015CBAB4
    private void BLHADMBAKNP(); // 0x1015CCA28
 

And so forth. I thought someone developed a better way to handle that.

I also wonder how the developers can fix bugs when getting crash reports with obfuscated names.. there should be a decoding table either somewhere in the code or offline, but then again they would have to run something to extract the exact location in code and that sounds like a lot of work to do by hand.

 

[Ted2 39.1k iPhone 13 Pro 16.0 Donor]

9 minutes ago, tanis said:

@Ted2 so you're basically breakpointing random stuff, which also means you're running a debugger to do that and not just working on code dumps. Makes sense but it's still quite hard to find what you want by trial & error with games like that with literally thousands of methods spread over hundreds of classes.

And they all look like:

    private void EONJCBOAAPK(PJDJJFIEOOL IBLBHFELIBH); // 0x1015CC800
    private void FKBFJFPFBKP(); // 0x1015CBAB4
    private void BLHADMBAKNP(); // 0x1015CCA28
 

And so forth. I thought someone developed a better way to handle that.

I also wonder how the developers can fix bugs when getting crash reports with obfuscated names.. there should be a decoding table either somewhere in the code or offline, but then again they would have to run something to extract the exact location in code and that sounds like a lot of work to do by hand.

 

Those function you pasted, they are in a class. Most of the time Class names are still there

[tanis 4 iPhone Xs 12.0.1]

Correct, but without a debugger it's hard to find out if they're the correct ones just by looking at the disassembled code in IDA, which is what I usually do on non-jailbroken devices. It looks like the best option for obfuscated code is to do like you do and go with a debugger.