📖 Tutorial C++ Android and iOS Game Hacking MEGATHREAD

[PixelYT]

I decided to compile every C++ Android and iOS Game Hacking Tutorial that I find into one megathread. I will give credit to the creator of each tutorial and I will also specify which tutorial is Android and which is iOS.

This idea was partially inspired by Tiuu, Jbro129, and myself.
Something similar to this already exists on GitHub by Jbro129, but it isn't limited to just tutorials, it includes a wide variety of things.
There is also something similar to this made by Tiuu, but on an external forum.

Table of Contents
- Basic Hooking Tutorial (Android, Tiuu)
- How to modify Unity's Il2cpp String method's (Android, Tiuu)
- How to modify Set Methods in Unity's il2cpp (Android, Tiuu)
- How to hook IEnumerable methods in Unity's Il2cpp (Android, Tiuu)
- Vector3 Player Scale (Source Code) Il2cpp (Android, Tiuu)
- How to hook arrays in Unity's Il2cpp (Android, Toshiro)
- iOS & Android - Unity Source Code (Android & iOS, Tiuu)
- il2cpp Android Function Pointers Tutorial (Android, cryoatomizer)
- Get/Set Fields & Unlink Unity Functions (IL2CPP) (Android, Octowolve)
- Android Hooking instance variables - Fields (Android, cryoatomizer)
- Android Function Patching Tutorial (Android, cryoatomizer)
- Android Function Hooking Tutorial (Android, cryoatomizer)
- Android il2cpp Breakdown (Android, cryoatomizer)
- Name Spoofing and Other Vulnerabilities in Photon games | Android (Android, cryoatomizer)
- Telekill - Forward Assault v1.2003 (iOS Source) (iOS, SecretMyAss/Ted2)

I WILL KEEP ADDING MORE TUTORIALS TO THIS LIST

- Basic Hooking Tutorial (Android, Tiuu)
Hey guys, it's SliceCast here. This tutorial is for Advanced Modders who wants to step up their games to get better! Could be for newbies too.
I will show you some basics examples on how to hook a function.

Now let's say our Type Functions are (int, float, bool, double) and that we're doing a int/integer type.

//the void *instance is a self-created variable.
int (*old_Kills)(void *instance);
int Kills(void *instance) {
    //Check if instance is NULL to prevent CRASH
    if (instance != NULL)
    {
        return 99999; //Return how many value
    }
    //return the original value (this code isn't really needed if you have a toggle/switch)
    return old_Kills(instance);
}

Also make sure to call your hooks with MsHook or your mod won't work.
Example:

MsHookFunction((void*)getAbsoluteAddress(OFFSETS), (void*)Kills, (void**)&old_Kills);

Field Hooking with Class

void(*old_GameMode_Update)(void *instance);
void GameMode_Update(void *instance) {
    if(instance != NULL) {
        if (xpPerKill) { //if Toggle
            *(int *) ((uint64_t) instance + 0x30) = 5000;
        }
    }
    old_GameMode_Update(instance);
}

Call the GameMode Update with MSHook

MSHookFunction((void *)getAbsoluteAddress("libil2cpp.so", 0x00000), (void *) GameMode_Update, (void **) &old_GameMode_Update);

If it's a bool, then simple. Just return/put "true" or "false".

If it's a float, then return a 99.0 or whatever.

This is way better than Patching. We don't need to use Hex Values for hooking. Hooking is way better, you can return any value you want.



- How to modify Unity's Il2cpp String method's (Android, Tiuu)
I heard people wanted to modify strings such as Player Names, etc. It's pretty easy.

First of all, create a header and call it Strings which will look like "Strings.h".

Make sure to include "Strings.h" in your main.cpp files so to make sure the files inside strings are working.

Paste this code in your strings.h

#include "Utils.h" (Don't really need this if you're using LGL's or made your own.)
#include "Substrate/SubstrateHook.h"

typedef struct _monoString {
    void *klass;
    void *monitor;
    int length;
    char chars[1];

    int getLength() {
        return length;
    }

    char *getChars() {
        return chars;
    }
} monoString;

monoString *CreateMonoString(const char *str) {
    monoString *(*String_CreateString)(void *instance, const char *str) = (monoString *(*)(void *, const char *))getRealOffset(OFFSET;

    return String_CreateString(NULL, str);
}

So where do we get the offsets?

Well, basically you've dumped the game using il2cpp dumper or whatever tool you used right?
After the game is dumped, we now get "dummy dll's". Drag all the dummy dll's inside "dnspy".

If you want to use notepad++ or any other tools without dnspy, then use "dump.cs".

But I'll be using dnspy for this tutorial.

Now once you have opened them, search for a method called "CreateString".

There will be multiples CreateString functions.
How do we know which is which and which we'll use?

Easy. I'm just gonna say it.

We'll use the one called

public void CreateString (Sbyte)

We will only use CreateString with the only parameter of SBYTE only!

Now just use that offset and paste it in your strings.h

Now how do we use strings? How do we use it for player names, etc? Easy.

We are gonna make our own hooks. If you have never read my tutorial called "Basic Hooking Tutorial". I suggest you doing it since it's the only way, but there's many ways as well, but just focus on that.

Let's create our hooks!
This one is with toggles.

monoString* (*old_playername)(void *instance);
monoString* playername(void *instance) {
    if(instance!=NULL) {
        if (Toggle) { //not needed if you want to have it automatically on without a toggle.
            return CreateMonoString("SliceCast is Daddy!");
        }
    }
    return old_playername(instance); //don't really need it if you have a toggle.
}

This one is without toggles (only if you want it on automatically!)

monoString* (*old_playername)(void *instance);
monoString* playername(void *instance) {
    if(instance!=NULL) {
            return CreateMonoString("SliceCast is Daddy!");
    }
}

Now we call the hooks.

MSHookFunction((void*)getRealOffset(OFFSETS), playername, (void**)&old_playername);

Now that's all.

You can set methods as well, but I won't spoon-feed everyone one of you.

Credits ~ Octowolve and Slice Cast

- How to modify Set Methods in Unity's il2cpp (Android, Tiuu)
Hey guys, it's SliceCast. So people have been asking, "how do you modify a set method instead of using get?". It's simple, since I'm a nice person, I don't mind sharing this information for you newbies or advanced modders. Let's get started.

Wait, before we actually start anything...

You need to read this tutorial Basic Hooking Tutorial first BEFORE WE START! If you already know how to hook, then skip onto the set tutorial.

So get your set method, we're gonna make our set method a function pointer. We will be splitting this function pointer because when your lib is loaded sometimes, the libil2cpp isnt loaded already, but your lib doesn't know that and already tries to read the address which will result in a null pointer or crash. So here's how this will work.

void (*set_kills)(void *_instance, int AmountOfKills);

Now what were gonna do is use "set_kills" and paste it in our class hook which is get_ that we have made. All you need to do now is do "set_kills(instance, 999999);" without the parenthesis. It's really simple to do.

//the void *instance is a self-created variable.
int (*old_get_Kills)(void *instance);
int get_Kills(void *instance) {
    //Check if instance is NULL to prevent CRASH
    if (instance != NULL)
    {
        set_kills(instance, 999999); //Function Pointer mod
    }
    //return the original value (this code isn't really needed if you have a toggle/switch)
    return old_get_Kills(instance);
}

If this crashes, then you need to log the crashes and find out why.

It's pretty easy and simple. Last thing we need to do now is call the function pointer just like calling your MSHooks to make your mods work.

set_kills = (void (*)(void *, int))getRealOffset(OFFSET);

Credits to SliceCast & Octowolve.
Discord: Slicey#5894

- How to hook IEnumerable methods in Unity's Il2cpp (Android, Tiuu)
Hey guys, slice cast here again with another tutorial. I will show you how to hook an IEnumerable.

Let's say you found a method something like Username, Ban, Recoil, Reload, or whatever it is and it's an IEnumerable type. I don't really understand the concept of IEnumerable, but you can find out what it does by searching it.

Anyways let's get started.

We have this method like

private IEnumerator UnBanPlayer (string playerToKick)

Now if you scroll all the way down of the class, you will find something like this called
<UnbanPlayer>d__507>
Something like that.


We open that and we see some fields. One could say UserID or playername.

lets say we modify UserID and it's an integer/int type. So how do we modify it?

It's simple.

We're basically gonna hook this by calling the method with MoveNext().

//the void *instance is a self-created variable.
Void (*old_UnbanPlayer_MoveNext)(void *instance);
Void UnbanPlayer_MoveNext(void *instance) {
    //Check if instance is NULL to prevent CRASH
    if (instance != NULL)
    {
        *(int *) ((uint64_t)instance + 0x4C) = 18372819; //Return how many value
    }
    old_UnbanPlayer_MoveNext(instance);
}

Easy, now call your hooks using MSHook if using substrate.

MSHookFunction((void*)getAbsoluteAddress(OFFSETS), (void*)UnbanPlayer_MoveNext, (void**)&UnbanPlayer_MoveNext;

That's all for now, hope you enjoyed this tutorial.
If you're new to this and don't know how to do it, please don't come into the comment section and asking me for help. This is all the help you will get because I explained it for you since this is a tutorial after all. If you're a newbie, don't try the hard stuff.

- Vector3 Player Scale (Source Code) Il2cpp (Android, Tiuu)
Slice Cast here, with another tutorial. I will give out a source code of a Player Scale Mod that could work for many games. I don't mind showing you it, but its a simple code.

void PlayerScaleUp(void* myplayer) {
    Vector3 mysize = get_localScale(GetTransform(myplayer));
    Vector3 mysize2 = mysize + Vector3(0.5,0.5,0.5);
    set_localScale(GetTransform(myplayer), mysize2);
}

Get the transform from a players class or Unity's.

Edit: Since many people get errors and don't know what they're doing... You need to put your PlayerScaleUp code by putting it in your Update Hooks so the mod works.

- How to hook arrays in Unity's Il2cpp (Android, Toshiro)
First of all, you need a monoArray struct, which I will provide.

template <typename T>
struct monoArray
{
    void* klass;
    void* monitor;
    void* bounds;
    int   max_length;
    void* vector [1];
    int getLength()
    {
        return max_length;
    }
    T getPointer()
    {
        return (T)vector;
    }
};

Let's say you wanted to modify a Player List in a photon game, like getting other players?

When you use this Array, you need to make a hook for this.

monoArray<void *> *(*PhotonNetwork_get_OtherPlayers)() = (monoArray<void *> *(*)())il2cppAddress + 0x84EB8C;

To access players as an example, you can use this code to get a vector to the players.

auto photonplayers = PhotonNetwork_getOtherPlayers();

for (int i = 0; i < photonplayers->getLength(); ++i)
{
    auto photonplayer = photonplayers->getPointer()[i];
}

If whatever type the method is, change it if it's a void, int, bool, float, whatever it is.

- iOS & Android - Unity Source Code (Android & iOS, Tiuu)
Hello, I'm Slice Cast. This is just a source code that I took from Jbro129 & Shmoo's.

This contains structs and other useful stuff to hack 32 & 64 bit Unity games on Android & iOS.

So what does this Unity Source include?

It Includes:
•A struct to represent a native C# array
•A struct to represent a C# string
•A struct to represent a List
•A struct to represent a Dictionary
•A function to make a C# string from a C string
•A function to create a native C# array with a starting length
•Some functions to get/set real values of •Obscured types from Anti Cheat Toolkit (Anti-Cheat Toolkit v1 | Utilities Tools | Unity Asset Store)

Link: kp7742/UnityStuff

I think the monoString is outdated, for fully properly working strings, check my tutorial How to modify Unity's Il2cpp String method's

For Arrays How to hook arrays in Unity's Il2cpp

To use, clone Unity.h into your project folder and #include "Unity.h" in your cpp files.


Credits to KP for forking, Shmoo and Caoyin for making this header, and Jbro129 for helping me.

- il2cpp Android Function Pointers Tutorial (Android, cryoatomizer)
Game Name: Forward Assault
Anticheat: Codestage and a signature check.
How long you been coding/hacking? 1 year.
Coding Language: C++

This is a more in-depth version of Octo's tutorial on Function Pointers for android.

Things you need to follow this tutorial:
-Knowledge of C++
Octowolves template
Or
LGLS TEMPLATE
(if you prefer another template that's also fine of course)
-Basic knowledge on making mod menus for android
-A brain

Please don't ask me questions unrelated to this tutorial in the comments. If you want to learn about making menus for android, read the other threads in this section or get the f*ck out.

For this tutorial ill be using the game Forward Assault. No, I wont show you how to bypass the signature check that kicks you from the game, if you want to still test it, just play with bots instead of online. Code stage does nothing now days, so I wouldn't worry about it. Please don't go in the comments and say "iT dOeSnT KiCk mE fRoM tHe gAmE". The check could be removed at any time.

Alright, Alright, lets get to the tutorial.

So. You want to call a function in a game and use it. But how?

Well, its quite simple. We make a function pointer!

Dump the game with il2cpp Dumper, and open the dlls in dnspy. You can now search for functions. Thankfully, the game hasn't fully obfuscated everything, and there's a lot of instance variables and functions left to mess with.

Lets say we want to make unlimited ammo, and we don't have a function for the ammo amount? Well, there's this one function in dnspy that looks pretty interesting.

    [Address(RVA = "0x502C90", Offset = "0x502C90", VA = "0x502C90")]
    public void RefillAmmoInAllWeapons()
    {
    }

Judging by the function name, (obviously), this is called every time we reload, and it makes our ammo go back up to the max every time it is called.

So, how can we utilize this?

Again, Function Pointers.

To prevent us from having to split our function pointers into Outside and Inside our hook thread, We can make a function that stores our pointers and call the function in our thread.

void AttachFunctions(){
    //pointers go here
}

And call it like this:

void* hack_thread(void*) {
    do {
        sleep(1);
    } while (!isLibLoaded(soname));
    AttachFunctions();
    return NULL;
}

Now that we have made our work a tiny bit easier, we can now make our pointer.

Our pointer will go something like this:

(data type) *(*GuidedHacking)( (data type of parameter) *parametername) = ( (data type) *(*)( (parameter data type)*))getRealOffset(0x12345);

Following that example, we can now make a pointer for our function.

void *(*RefillAmmoInAllWeapons)(void *player) = (void *(*)(void *))getRealOffset(0x12345);

Don't forget to place the pointer in your AttachFunctions function that you used earlier.

But, we need a player to refill ammo on. Ours right?

Like so:

void(*old_PlayerUpdate)(void *instance);
void PlayerUpdate(void *instance)
{
    if(instance){
        if(get_isMine(instance)){
            MyPlayer = instance;
        } else {
                if (isUnlimitedAmmo) {
                    RefillAmmoInAllWeapons(MyPlayer);
                }
            }
        }
    }
    old_PlayerUpdate(instance);
}

And Hook your update:

MSHookFunction((void *) getRealOffset(0x12345), (void *)PlayerUpdate, (void **) &old_PlayerUpdate);

Now you can call functions in update, which is not only necessary for pointers, but for many other things as well.

Now if you tested it now, it wouldn't work, because its only being called once, which is when the Boolean is being set to true, but not the whole period of when its true. (I think, haven't tested it without the checks that I'm going to use).

To fix this, we have to check if our player is shooting and then call it.

If you search get_shooting in dnspy, you'll see a function in class "Player".

When you click on it, you'll see an obfuscated function, but that's alright, its still the same function. The game has broken obfuscation.

We now need to make a pointer to the get_shooting function.

bool (*get_shooting)(void *player) = (bool(*)(void*))getRealOffset(0x69BDD8);

Now that we have the pointer, we can call it as if it was a real function, and check if the player is shooting.

   if (isUnlimitedAmmo) {
       if (get_shooting(MyPlayer)) {
          RefillAmmoInAllWeapons(MyPlayer);
       }
}

Your update function should now look like this:

void PlayerUpdate(void *instance)
{
    if(instance){
        if(get_isMine(instance)){
            MyPlayer = instance;
        } else {

                if (isUnlimitedAmmo) {
                    if (get_shooting(MyPlayer)) {
                    RefillAmmoInAllWeapons(MyPlayer);
                    }
                }

            }

        }

    }

    old_PlayerUpdate(instance);

if you wanted to, you could use pointers to do other functions that make things easier like so:

Vector3 getplayerPosition(void *enemyObject){
    Vector3 out;
    void *transform = get_transform(enemyObject);
    get_position_Injected(transform, &out);
    return out;
}

This makes getting positions of things easier then using the raw pointer.

This is how we would use the function pointer without the "getplayerPosition" function.

Vector3 Sbenny = get_position_injected(get_transform(me->object));

But with the function, we can do this instead:

Vector3 GuidedHacking = getplayerPosition(me->object);

See? Way cleaner.

I highly advise you to learn function pointers as soon as you get comfortable with hooking. Function pointers expand the possibility of the things you can do, as you can use any function from the game as if it was your own. Function pointers are also necessary for "advanced" things, such as aimbot or esp. It opens a whole new realm of possibility, which is why I actively stress that people learn pointers as soon as they start hooking.

- Get/Set Fields & Unlink Unity Functions (IL2CPP) (Android, Octowolve)
So, bois, listen up. I have a new tutorial for ya.
In my function pointers tutorial for android I mentioned Im gonna make a tutorial on how to get/set fields.
Also I will explain how to unlink functions.
So we gonna do this now. But what do I mean with "Unlinking". Well Imagine we have a Character Class, this class has ann Update function. Nice. And this class also has a function something like this

private void Die();

but we dont wanna kill ourself when we hook the update function and just use it without any checks eh?

//This is a function pointer to the function private void Die
//Since this is a non-static function the first parameter is always the
//instance of the class (this)
void (*Character_Die)(void* instance) =  (void (*)(void*))getAbsoluteAddress("libIl2Cpp.so", 0x38E8168);

//Example hook for the update function in the Imaginary class Character
void(*old_Update)(void *instance);
void Update(void *instance) {
  //code comes here
Character_Die(instance);
}

But that would kill everyone and everything. Even you! yea not cool.

So by Unlinking it is ment to except yourself from it. or the enemy. So only a specific object gets to use it

So how would we do that now?

Well luckily we found a field (bool) that checks if its you:

private bool isMine; // 0x1D

BUT. its not in the same class. Actually its in the class CharacterAttributes
So we try to find an instance to this class. And UwU whats this. Our Character class has a field for CharacterAttributes!

private CharacterAttributes characterAttributes; // 0x1C

So we will use this instance to get the field in CharacterAttributes and check if is our character.

So how would that look like?

void (*Character_Die)(void* instance) =  (void (*)(void*))getAbsoluteAddress("libIl2Cpp.so", 0x38E8168);
void(*old_Update)(void *instance);
void Update(void *instance) {

  //get a pointer to the CharacterAttributes class
    void *getCharacterAttributes = *(void**)((uint64_t)instance + 0x1C);
    //check if valid pointer (not null)
    if(getCharacterAttributes){
        //get the bool from the field private bool isMine; //0x1D
        bool isMine = *(bool*)((uint64_t)getCharacterAttributes + 0x1D);
        //if its not ourself kill it
        if(!isMine){
            Character_Die(instance);
        }
    }

}

So now you successfully unlinked this carnage from yourself and everyone else dies except you. Damn....

Now, what if, you want to actually set a field?
Like we found a variable in the Character class that hold the value for the kills you made.

public int kills; //0x18

how we gonna set this? well its damn easy!

void(*old_Update)(void *instance);
void Update(void *instance) {
void *getCharacterAttributes = *(void**)((uint64_t)instance + 0x1C);
    //check if valid pointer (not null)
    if(getCharacterAttributes){
        //get the bool from the field private bool isMine; //0x1D
        bool isMine = *(bool*)((uint64_t)getCharacterAttributes + 0x1D);
        //we check if its us and then set the kills
        if(isMine){
            *(int*)((uint64_t)instance + 0x18) = 1337;
        }
     }
}

And what if the field is in another class? Well you do it like we did it with the boolean isMine. Simple
Well thats it for today. Hfgl on your journey =)

- Android Hooking instance variables - Fields (Android, cryoatomizer)
Game Name: Forward Assault
Anticheat: Codestage and a signature check.
How long you been coding/hacking? 1 year.
Coding Language: C++

So, after my previous Dumping Protected Games Tutorial , I decided to talk about hooking instance variables, also known as fields, as it was the second tutorial on the poll, getting 20% of the votes.

A lot of the time in games, youll see fields that are quite useful, some even more useful than the functions in the class itself.

Another great reason to use fields is because it takes less time than making a pointer.

For example:

There's a function for your fov, and an field for your fov.

Its easier to just use the field than the function.

If you didn't know already, instance variables and fields are the same thing, just different name. I will be referring to instance variables as fields throughout the rest of this tutorial.

Things you need to follow this tutorial:

• Knowledge of C++
• Basic Knowledge on making mod menus for android
• Knowledge on how to hook and using update
• DnSpy
• Android Studio
• Octowolves template
Or
• LGLS TEMPLATE

(if you prefer another template that's also fine of course)

• A brain

Assuming you have these things, lets move on to the tutorial.

So, you have found some useful fields, but how do you modify them?

You cant patch them, we have to hook them.

If you dumped the game and opened the dlls in dnspy, you can begin to realize that most of the game is obfuscated.

But, the fields are not. We can use this to our advantage.

public class FirstPersonMovement : MonoBehaviour

This class has some interesting things worth looking at.

public bool allowFly;

That is a field. We can modify it to true, to allow us to fly.

How do we do that?

Quite simple.

We can make an update to the Class, like this.

void(*old_FirstPersonMovementUpdate)(void *instance);
void FirstPersonMovementUpdate(void *instance) {


        }
    }
    old_FirstPersonMovementUpdate(instance);
}

Then insert an if statement, and modify the field.

How do I modify A Field?

You modify a field according to the template below:

*( (data type) *) ((uint64_t) (object) + 0x1C) = (return whatever you want) ;

The field is a bool, and we need it to be allowing fly to our instance in update. So our modification should look like this:

*(bool *) ((uint64_t) instance + 0x1C) = true;

Don't forget to insert it in an if statement.

Your update should now look like this:

void(*old_FirstPersonMovementUpdate)(void *instance); //this can also be done within the player update hook
void FirstPersonMovementUpdate(void *instance) {
        if (fly) {
            *(bool *) ((uint64_t) instance + 0x1C) = true;
    }
    old_FirstPersonMovementUpdate(instance);
}

Then, hook the update.

How? By finding the update function in the class. Usually called Update().

private void Update()

Found it, now hook your update with the offset of the function above.

MSHookFunction((void *) getRealOffset(0xB250E4), (void *)FirstPersonMovementUpdate, (void **) &old_FirstPersonMovementUpdate);

Then, you are pretty much done.

If you look in class "player"

public class Player : Photon.MonoBehaviour

Player is accessed by FirstPersonMovement, so you can also make an update to class player, and call your field stuff in there.


You can also use fields in functions, such as checking "IsMine" which is useful for aimbot/esp, because it can be used to exclude your own player from the others.

For example, class player has an ismine field, that can be used for checking things related to your own player.

public bool isMine;

We need to make a function that returns the ismine of a player.

bool isMine(void *player){
    return *(bool *)((uint64_t)player + 0x84);
}

Then, we can call it in an if statement to check if the player is ours, like so:

if(isMine(playerobject)){
    MyPlayer = playerobject;
}

You can also do numerous other things with fields inside functions, like checking a players health, or if they are alive.

I see some people sticking strictly to functions, not knowing that they could use fields to their advantage.

If you look in the right classes, you'll find VERY useful fields that you can use to your advantage. But not always.

Sorry if this was a bit of a short tutorial, my pc broke, and there really isn't anything complex, fields are very straight forward.

- Android Function Patching Tutorial (Android, cryoatomizer)
Game Name: Bullet Force
Anticheat: Codestage.
How long you been coding/hacking? 1 year.
Coding Language: C++

Things you need to follow this Function Patching tutorial:

• Knowledge of C++
• DnSpy
• Android Studio

• Octowolves template
Or
• LGLS TEMPLATE

(if you prefer another template that's also fine of course)

• A brain

Assuming you have these, you can keep on reading. If not, this tutorial is too advanced for you to understand and be able to apply the principles to other games.

I will be doing a cumulative open source cheat project for bullet force, and the download for the project will be available at the end of each tutorial. This series is going to be quite out of order, but it is what it is.

Please don't ask me questions unrelated to this tutorial in the comments. If you want to learn about making menus for android, read the other threads in this section or get the f*ck out.

I will provide a finished copy of the hooking tutorial with Octowolves template. It is your responsibility to update the offsets when needed, as I provide the function names already in this tutorial.

In this Android function patching tutorial I will be using Octowolves template to demonstrate.

Your first step in making the transition from patching the shared library to modifying it with a MOD Menu should be patching with a MOD Menu.

This is good for beginners, and generally easier to learn.

Lets get into the tutorial.

So, you probably just got into doing mod menus/modding libs directly. (I recommend modding games by patching the lib in a hex editor and messing with mono android games before messing with menus).

What Is Patching?

Patching involves returning hex codes/bytes to a function, making it much more limited to what you can do, but much less advanced and great for beginners.

Why Should I Learn Patching?

Patching is the first thing you should learn when you first begin making menus.

• Easy to learn

• Beginner Friendly

• Best starting point for making menus

Now that we know what patching is and why it is important to learn before anything else menu-wise, lets carry on with the tutorial.

So, I found an interesting function.

private void IncreaseGunRecoil()

This seems to decide if your recoil increases or not. Patching it to false or 0 will make us have no recoil.

Lets do some cleanup inside the main.cpp.

Remove every boolean, everything inside the patches struct.

Remove every case from every function.

Then, remove excess code and everything useless in your hack thread.

I've already done this, so here it is. A cleaned up version of main.cpp, ready to follow the tutorial.

#include <pthread.h>
#include <jni.h>
#include <memory.h>
#include <dlfcn.h>
#include <cstdio>
#include <cstdlib>

#include "Includes/Logger.h"
#include "Patching/Patch.h"
#include "Includes/Utils.h"

struct Patches{
}patch;


void* hack_thread(void*) {
    LOGI("I have been loaded. Mwuahahahaha");
    do {
        sleep(1);
    } while (!isLibraryLoaded(libName));
    LOGI("I found the il2cpp lib. Address is: %p", (void*)findLibrary(libName));



    return NULL;
}

jobjectArray getListFT(JNIEnv *env, jclass jobj){
    jobjectArray ret;
    int i;
    const char *features[]= {};
    int Total_Feature = (sizeof features / sizeof features[0]);
    ret= (jobjectArray)env->NewObjectArray(Total_Feature,
                                           env->FindClass("java/lang/String"),
                                           env->NewStringUTF(""));

    for(i=0;i<Total_Feature;i++) {
        env->SetObjectArrayElement(
                ret,i,env->NewStringUTF(features[i]));
    }
    return(ret);
}


void changeToggle(JNIEnv *env, jclass thisObj, jint number) {
    int i = (int) number;
    switch (i) {
        default:
            break;
    }
    return;
}


void init(JNIEnv * env, jclass obj, jobject thiz){
    pthread_t ptid;
    pthread_create(&ptid, NULL, hack_thread, NULL);
    MakeToast(env, thiz, "GuidedHacking.com - Do the ghb");
}

void changeSeekBar(JNIEnv *env, jclass clazz, jint i, jint seekbarValue) {
    int li = (int) i;
    switch (li) {
        default:
            break;
    }
    return;
}

void changeSpinner(JNIEnv *env, jclass clazz, jint i, jstring value) {
    int li = (int) i;
    switch (li) {
        default:
            break;
    }
}

void changeEditText(JNIEnv *env, jclass clazz, jint i, jstring value){
    int li = (int) i;
    switch (li){
        default:
            break;
    }
    return;
}

extern "C"
JNIEXPORT jint JNI_OnLoad(JavaVM* vm, void* reserved) {
    JNIEnv* env;
    if (vm->GetEnv(reinterpret_cast<void**>(&env), JNI_VERSION_1_6) != JNI_OK) {
        return JNI_ERR;
    }

    // Find your class. JNI_OnLoad is called from the correct class loader context for this to work.
    jclass c = env->FindClass("com/dark/force/NativeLibrary");
    if (c == nullptr) return JNI_ERR;

    // Register your class' native methods.
    static const JNINativeMethod methods[] = {
            {"changeEditText", "(ILjava/lang/String;)V", reinterpret_cast<void*>(changeEditText)},
            {"changeSeekBar", "(II)V", reinterpret_cast<void*>(changeSeekBar)},
            {"changeSpinner", "(ILjava/lang/String;)V", reinterpret_cast<void*>(changeSpinner)},
            {"changeToggle", "(I)V", reinterpret_cast<void*>(changeToggle)},
            {"getListFT", "()[Ljava/lang/String;", reinterpret_cast<void*>(getListFT)},
            {"init", "(Lcom/dark/force/MenuService;)V", reinterpret_cast<void*>(init)},
    };
    int rc = env->RegisterNatives(c, methods, sizeof(methods)/sizeof(JNINativeMethod));
    if (rc != JNI_OK) return rc;

    return JNI_VERSION_1_6;
}

You should be able to replace your main.cpp with the one I provided and carry on.

So, lets get to patching.

First, make a boolean.

bool isRecoil = false;

Then, we need to add a patch to our patches struct.

Locate this:

struct Patches{

}patch;

Lets add a patch to it inside the struct.

struct Patches{
    Patch *GunRecoil;
}patch;

All we have to do now is call the patch in our hack thread and use the correct set of bytes to patch it.

Heres a template for patching stuff when you call it in your hack thread.

patch.(your patch in struct) = Patch::Setup((void*)getAbsoluteAddress(0xOFFSET), (char*)"YOUR HEX CODES OR BYTES", (amount of digit sections (its usually 8)));

What Hex Code Should I use?

Heres a list I found on polarmods.

00 00 A0 E3 1E FF 2F E1 = False or number 0
01 00 A0 E3 1E FF 2F E1 = True or number 1
02 00 A0 E3 1E FF 2F E1 = Number 2
07 00 A0 E3 1E FF 2F E1 = Number 7
0A 00 A0 E3 1E FF 2F E1 = Number 10
0F 00 A0 E3 1E FF 2F E1 = Number 15
10 00 A0 E3 1E FF 2F E1 = Number 16
11 00 A0 E3 1E FF 2F E1 = Number 17
12 07 80 E3 1E FF 2F E1 = VALUE OF 12 Million or It can be used for health/ammo/armour/damage
DC 0F 00 E3 1E FF 2F E1 = VALUE 4060
DC OF OF E3 1E FF 2F E1 = VALUE 120000
01 00 A0 E3 1E FF 2F E1 = VALUE 1 Also = True used for bool
00 00 A0 E3 1E FF 2F E1 = Value 0 Also = False used for bool
01 0A A0 E3 1E FF 2F E1 = 1000
01 08 A0 E3 1E FF 2F E1 = 10000
01 02 A0 E3 1E FF 2F E1 = 10000000
C2 0A 64 60 00 00 00 02 = Speed Hack
01 04 A0 E3 1E FF 2F E1 = 1000000
0E 00 A0 E3 1E FF 2F E1 = Fire Rate
FF FF = Value of 65535 = Highest value 4 character hex code

For this function ill be using the first one in the list, so it wont apply gun recoil, therefore we will not have recoil.

Following the template above, lets call it in our hack thread.

patch.GunRecoil = Patch::Setup((void*)getAbsoluteAddress(0x4EE584), (char*)"\x00\x00\xA0\xE3\x1E\xFF\x2F\xE1", 8);

Your hack thread should now look like this:

void* hack_thread(void*) {
    LOGI("I have been loaded. Mwuahahahaha");
    do {
        sleep(1);
    } while (!isLibraryLoaded(libName));
    LOGI("I found the il2cpp lib. Address is: %p", (void*)findLibrary(libName));

    patch.GunRecoil = Patch::Setup((void*)getAbsoluteAddress(0x4EE584), (char*)"\x00\x00\xA0\xE3\x1E\xFF\x2F\xE1", 8);

    return NULL;
}

Now, lets actually make a toggle for the patch.

Locate the features section inside getListFT.

const char *features[]= {};

Add a new feature called whatever you want. I will simply call it "No Recoil"

const char *features[]= {"No Recoil"};

Once you've done that, locate your ChangeToggles function.

void changeToggle(JNIEnv *env, jclass thisObj, jint number) {
    int i = (int) number;
    switch (i) {
        default:
            break;
    }
    return;
}

Add a new case, and break after it.

case 0:

break;

Now, we need to apply the patch when the toggle is on by checking it inside your case.

Here is a template for the things you need to put inside your case:

 boolean = !boolean;
if (boolean) {
patch.(your patch inside the struct)->Apply();
} else {
patch.(your patch inside the struct)->Reset();
}

Following that template, lets apply that concept to our patch and boolean inside our case.

case 0:
isRecoil = !isRecoil;
if (isRecoil) {
patch.GunRecoil->Apply();
} else {
patch.GunRecoil->Reset();
}
break;

Done! If you implement the menu and turn on the toggle, you should have no recoil in game.

If I were you, I would take the time to learn how to mod mono games and mod il2cpp games by directly patching the binary before proceeding with anything menu related. Taking the slow steps helps in the long run.

- Android Function Hooking Tutorial (Android, cryoatomizer)
I'VE ALREADY POSTED THIS TUTORIAL HERE.

- Android il2cpp Breakdown (Android, cryoatomizer)
Game Name: Forward Assault
Anticheat: Codestage and a signature check.
How long you been coding/hacking? 1 year.
Coding Language: C++

So, after my previous Function Pointers Tutorial , I decided that a in-depth explanation of useful unity core-modules functions would be quite nice.

Since most of the good android games are il2cpp, and also because of the fact that il2cpp/mono games are the starting point for android cheat developing, I think it deserves a mini "documentation" on useful functions in the core-modules dll that you get after dumping the game.

Core-Module functions are very useful for a variety of things including:
Esp
Aimbot
Player Lists.

Those are some common ones, but there are a few more I will discuss in this thread.

Things you need to follow this tutorial:
-Knowledge of C++
Octowolves template
Or
LGLS TEMPLATE
(if you prefer another template that's also fine of course)
-Basic knowledge on making mod menus for android
-Know and be able to make Function Pointers
-A brain

Assuming you have these, move on to the documentation. If not, f*ck off, I don't need people who ask questions without even doing the required steps before following a tutorial.

Please don't ask me questions unrelated to this tutorial in the comments. If you want to learn about making menus for android, read the other threads in this section or get the f*ck out.

For this tutorial ill be using the game Forward Assault. No, I wont show you how to bypass the signature check that kicks you from the game, if you want to still test it, just play with bots instead of online. Code stage does nothing now days, so I wouldn't worry about it. Please don't go in the comments and say "iT dOeSnT KiCk mE fRoM tHe gAmE". The check could be removed at any time.

Alright, Alright, lets get to the tutorial.

Dump the game(ofc)

Load the dlls into dnspy and find UnityEngine.CoreModule.dll (it might be called something different, just look for core modules)

To further check if you are in the right dll, look for class Transform or Camera.

I will split this into sections related by class.

Section 1: Class Transform

Probably the most useful class imo.

private extern void get_position_injected(out Vector3 value);

This function lets you get the position of any object/transform.

Commonly used in esp and aimbot.

get_position (in the same class) is an alternate to this function.

Usage:

Make a Function Pointer

get_position_injected(enemyplayer);

Normally this wont work, you will have to get the position of a transform, using get_transform in class Componant.

Ill go over get_transform later in this tutorial, but incase you cant wait, you can make this function to get the position of a player using a transform.

Vector3 GetPlayerPosition(void *component){
    Vector3 out;
    void *transform = get_transform(component);
    get_position_Injected(transform, &out);
    return out;
}

With that function you can get the position of a player easier, instead of having to pass in get_position_injected and get_transform every time you need to get the position of something.

public void set_rotation(Quaternion value);

you can use this to set the rotation of your player to something else, for aimbot.

Usage:

Make a Function Pointer

Again, to use this, you also need to use get_transform from class componant, and get_main from class camera.

set_rotation(Component_get_transform(get_main()), customrotation);

If the game doesnt have an instance variable of your players rotation, this function is very useful.

private extern void set_localScale_injected(ref Vector3 value);

or

public void set_localScale(Vector3 value)

These 2 functions both work to change the size of a player. In some games you can shoot the big player, in some games you cant.

Usage:

Make a Function Pointer for the function

We can make a function that makes setting the scale to a player easier using get_transform.

void setScale(void *component, Vector3 scale) {
    void* transform = get_transform(component);
    set_localScale_Injected(transform, scale);
}

Then, to use this function, we need to call it in update, and set the scale of a player or object.

Like so:

void *MyPlayer;

void(*old_Update)(void *instance);
void Update(void *instance)
{
    if(instance){
        if(get_isMine(instance)){
            MyPlayer = instance;
        } else {
                if (isScale) {
                    setScale(instance, Vector3(40.0f, 40.0f, 40.0f));
                }
            }
        }
    }
    old_Update(instance);
}

Ive also excluded my player from getting scaled up, but if you want yours to be scaled up, feel free to remove the check.


Well, thats about it for class transform, but ill leave some honorable mentions for some more functions in it, but I wont be demonstrating their usage.

1. Lookat (aimbot)
2. Forward
3. Eulerangles

Section 2: Class Camera

Class Camera doesn't really contain a lot of player related things, but rather a lot of things useful for esp, or sometimes aimbot.

public static extern Camera get_main();

This is a function that gets your main camera, it can be used for things like aimbot with set_rotation, or getting your main camera for WorldToScreen in esp.

Usage for aimbot:

Make a Function Pointer

set_rotation(Component_get_transform(get_main()), customrotation);

Usage with esp will be covered later in this thread. If you need it for anything else, just call it as a function, it can fit anywhere.

public static extern Camera get_current();

An alternate to get_main, this function gets your current camera instead. This should only be used incase get_main isnt working. If both dont work, look for an instance to the camera in your players class.

public extern void set_fieldOfView(float value);

This function, for most games, sets your gun or camera fov. Commonly used if you cant find a field/different function to your players fov.

Usage:

Make a Function Pointer

set_fieldOfView(100.0f);

Honorable Mentions for this class:
get_projectionMatrix
get_worldToCameraMatrix

These 2 can be used to calculate your viewmatrix, for a custom WorldToScreen.

Section 3: Class Component

This class only has one actual "useful" function.

As mentioned earlier, when getting positions we must use get_transform.

public extern Transform get_transform();

Usage:

Make a Function Pointer

Vector3 guidedhacking = get_position(get_transform(enemyobject));

Or, plug it into a function to make getting our position easier, mentioned above in Section 1, function "get_position_injected".

Section 4: Class CharacterController

 public extern void set_radius(float value);

Credits: Unity Universal Noclip

Usage:

Make a Function Pointer

Get your character controller

set_radius(CharacterController, 100.0f);

Those are pretty much all the functions I've found to be useful, if you want a function added to this, comment or shoot me a pm, Ill add it as long as I find it of value, and give you credits.

I highly advise you to use or take a look at these functions when you come across an il2cpp game, (most of you probably still mess with them/ used to when you were learning), there are quite a few good il2cpp games out there for beginners and for experienced people. These functions save you quite a lot of time, and are almost necessary for things like aimbot or esp. Most of these functions are straight-forward to use, and should be pretty easy once you are comfortable with hooking and function pointers.

- Name Spoofing and Other Vulnerabilities in Photon games | Android (Android, cryoatomizer)
Game Name: Bullet Force
Anticheat: Codestage
How long you been coding/hacking? 1 year.
Coding Language: C++


Things you need to follow this tutorial:

• Knowledge of C++
• Basic Knowledge on making mod menus for android.
• Knowledge on how to hook and using update.
• Knowledge on how to make Function Pointers.
• DnSpy
• Android Studio

• Octowolves template
Or
• LGLS TEMPLATE

(if you prefer another template that's also fine of course)

• A brain

Assuming you have these, you can keep on reading. If not, this tutorial is too advanced for you to understand and be able to apply the principles to other games.

Please don't ask me questions unrelated to this tutorial in the comments. If you want to learn about making menus for android, read the other threads in this section or get the f*ck out.

For this tutorial ill be using the game Forward Assault. No, I wont show you how to bypass "codestage". Code stage does nothing now days, so I wouldn't worry about it(except in this game it prevents things like telekill). Please don't go in the comments and say "TeLeKiLl wOrKs FiNe". The game could remove codestage at any time (they have a history of removing things like obfuscation).

Alright, Alright, lets get to the tutorial.

First, we need an understanding of Photon and how it works.

What is Photon?

Photon is a way to make multiplayer games in unity using unity networking.

A lot of unity games use photon because it is easy to implement, and is stable.

It has a complete api, with things like matchmaking, and tons of tutorials on the internet on implementing it.

A problem that most devs are unaware of is that photon could be manipulated in some crazy ways, I've seen people go as far as spawn bots into games, or control other players through photon.

I wont be showing you all of that, but I will be showing you a few basic exploits.

Now that we know what photon is, lets get into some vulnerabilities with games using it.

I will split this into sections. I'm not too crazy about photon stuff, so I will only be discussing 3 vulnerabilities.

Section 1: Spoofing your name using Photon Functions

So, we need to find some good photon classes with name stuff.

public static class PhotonNetwork

internal class NetworkingPeer : LoadBalancingPeer, IPhotonPeerListener

public class PhotonPlayer : IComparable<PhotonPlayer>, IComparable<int>, IEquatable<PhotonPlayer>, IEquatable<int>

Both PhotonNetwork and NetworkingPeer have the function:

public static void set_playerName(string value)

This seemed to work for people that I know, but for whatever reason, it was buggy on my phone (you can still use it, just follow this tutorial with the other function). Instead, I use a function in photon player:

public void set_NickName(string value)

You can choose what function you want to use, for this ill be using the one from photonplayer, but all of the functions should work.

Now that we have our function, we need to modify the function to change/spoof our name.

Usage:

• Make a Function Pointer.

• We need to use a header that uses our createstring in il2cpp to modify strings.

Header:

typedef struct _monoString {
    void *klass;
    void *monitor;
    int length;
    char chars[1];

    int getLength() {
        return length;
    }

    char *getChars() {
        return chars;
    }
} monoString;

monoString *CreateMonoString(const char *str) {
    monoString *(*CreateString)(void *instance, const char *str);

    return CreateString(NULL, str);
}

Don't forget to split your pointer.

void Hooks() {
    CreateString = (monoString *(*)(void *, const char *))getAbsoluteAddress(OFFSET);
}

Wait, how do we find the offset for our CreateString?

How do I find my CreateString Offset?

Search CreateString in DnSpy. A few functions named the same should pop up with the type "string"

Go through each function named CreateString, until you find the function with only one parameter, named sbyte.

private unsafe string CreateString(sbyte* value)

As you can see, the function has one parameter, sbyte. Perfect.

The offset of that function is your CreateString Offset, input the offset in the header.

Now that we have gotten our header set up and ready to use, lets modify our name.

There are many ways to do it.

The first way is to hook get_NickName in class PhotonPlayer.

public string get_NickName()

Now, we need to hook it.

monoString *(*old_get_NickName)(void *instance);
monoString* get_NickName(void *instance) {
    if(instance!=NULL) {
        if (NameSpoofer) {
            //code here for Name Spoofer
        }
    }
    return old_get_NickName(instance);
}

So, to spoof our name, we need to overwrite the string it gets, by returning a new string.

So, we should return and create a new string to overwrite it.

return CreateMonoString("Guided Hacking");

Put that in your if statement, and your update should now look like this:

monoString *(*old_get_NickName)(void *instance);
monoString* get_NickName(void *instance) {
    if(instance!=NULL) {
        if (NameSpoofer) {
               return CreateMonoString("Guided Hacking");
        }
    }
    return old_get_NickName(instance);
}

now, lets finish hooking it in our thread.

MSHookFunction((void *) getRealOffset(0x123456), (void *)get_NickName, (void **) &old_get_NickName);

Done! It should work if you test it in game.

The second way to do it is by using set_NickName.

public void set_NickName(string value)

Usage:

• Make a Function Pointer.

• Find player class and make an update

• Call pointer in an if statement and set a monostring to it.

First, we must make our pointer.

void (*set_NickName) (monoString *name);

And call it in our hook thread.

set_NickName = (void *(*)(monoString *))getRealOffset(0x12345);

Done!

Our player class would generally be accessed by photonplayer.

public class PlayerScript : Photon.MonoBehaviour

This looks like our player class.

At first glance we see no function named "update" , but, turns out its renamed.

private void UpdateFast()

This is our update. We use this like we would with any other update. Make an update function and hook it.

void(*old_PlayerScript_UpdateFast)(void *player);
void PlayerScript_UpdateFast(void *player) {
    if(player != nullptr){
        if (NameSpoof) {
            //stuff goes here soon
        }
    }

    old_PlayerScript_UpdateFast(player);
}

Hook it in our hook thread:

MSHookFunction((void *) getRealOffset(0x12345), (void *)PlayerScript_UpdateFast, (void **) &old_PlayerScript_UpdateFast);

In our if statement, we need to call our pointer, and create a new string in it.

like:

set_NickName(CreateMonoString("Guided Hacking"));

Your update function should now look like this:

void(*old_PlayerScript_UpdateFast)(void *player);
void PlayerScript_UpdateFast(void *player) {
    if(player != nullptr){
        if (NameSpoof) {
            set_NickName(CreateMonoString("Guided Hacking"));
        }

    }
    old_PlayerScript_UpdateFast(player);

}

Thats pretty much it.

But how do I add color to the text?

Theres a site that can color your text.

Go here to generate color coded text.

Copy the bbcode and put it into notepad. Now replace all the [ with <, and all the ] with >.
Before:

Guided Hacking

After replacement:

<color=#FF0000>G</color><color=#EC0012>u</color><color=#DA0024>i</color><color=#C80036>d</color><color=#B60048>e</color><color=#A3005B>d</color> <color=#7F007F>H</color><color=#6D0091>a</color><color=#5B00A3>c</color><color=#4800B6>k</color><color=#3600C8>i</color><color=#2400DA>n</color><color=#1200EC>g</color>

You can customize the colors to what you want, gradients, rainbow colors, and random colors.

Section 2: Chat Spam

Chat spam involves simulating messages being sent in large amounts, to the point where if you type, it will get buried by the incoming messages, essentially nuking the chat.

So, we need to find a function that sends a message, and call it in update, so that it sends 60 messages a second.

public void SendChatMessage(string message, Color color)

This seems good.

Usage:

• Make a Function Pointer.

• Remove useless parameter (optional)

• Call it in update and create a string.

So, lets make a function pointer to it.

void (*SendChatMessage)(monoString *message, color color);

I don't really see a value in the color parameter, so I remove it, if you want to use it, then get a color header.

Here is the pointer without the color parameter:

void (*SendChatMessage)(monoString *message);

Dont forget to call it in your hook thread:

SendChatMessage = (void (*)(monoString *))getRealOffset(0x123456);

Now, we need to make our update and hook it (already presented earlier, scroll up).

We then need to call our pointer, and set a new string to it inside our if statement.

SendChatMessage(CreateMonoString("Guided Hacking"));

Final product:

void(*old_PlayerScript_UpdateFast)(void *player);
void PlayerScript_UpdateFast(void *player) {
    if(player != nullptr){
        if (ChatSpam) {
            SendChatMessage(CreateMonoString("Guided Hacking"));
        }

    }
    old_PlayerScript_UpdateFast(player);

}

How do I spam more than one message at a time?

Simple. We need to create a function that holds multiple strings in the order you want.

monoString StartChatSpam() {
    SendChatMessage(CreateMonoString("Guided Hacking"));
    SendChatMessage(CreateMonoString("Go do the GHB"));
    SendChatMessage(CreateMonoString("You should check out my other tutorials"));
}

In this exact order, the messages will be spammed, flooding the chat.

Now, all we need to do is call the function in update inside an if statement.

Your final update function should look like this:

void(*old_PlayerScript_UpdateFast)(void *player);
void PlayerScript_UpdateFast(void *player) {
    if(player != nullptr){
        if (ChatSpam) {
            StartChatSpam();
        }
    }
    old_PlayerScript_UpdateFast(player);
}

Now, you have more than one message being spammed.

Thats pretty much it.

Section 3: Removing spawn protection from other players.

Some photon games have an interesting function, that most of the time is used for checking when spawn protection can be active.

public bool get_isOwnerActive()

This checks if the person is active, commonly used in games with spawn protection.

All we have to do is hook it, and return true, so that the game thinks the person is active.

bool (*old_get_isOwnerActive)(void *instance);
bool get_isOwnerActive(void *instance) {
    if (instance != NULL) {
        if (SpawnKill) {
            return true;
        }
    }
    return old_get_isOwnerActive(instance);
}

Now, hook it in your hook thread.

MSHookFunction((void *) getRealOffset(0z123456), (void *)get_isOwnerActive, (void **) &old_get_isOwnerActive);

Now, you should be able to kill people off spawn, if the game uses the function for spawn protection checks.

Those are all the vulnerabilities I know, feel free to contact me about one that you feel should be added.

- Telekill - Forward Assault v1.2003 (iOS Source) (iOS, SecretMyAss/Ted2)
This is a very simple example & forward assault is the easiest game I did it on.
It can be modified to work on other games.

Note: This is iOS source code, it can be modified to work on Android with a few things. But I can't be bothered to also check this out on android.

// Don't worry to much about this, you just need this for location handling.
class Vector3 {
public:
  float x;
  float y;
  float z;
  Vector3() : x(0), y(0), z(0) {}
  Vector3(float x1, float y1, float z1) : x(x1), y(y1), z(z1) {}
  Vector3(const Vector3 &v);
  ~Vector3();
};
Vector3::Vector3(const Vector3 &v) : x(v.x), y(v.y), z(v.z) {}
Vector3::~Vector3() {}

/************************************************
Function pointers that will be used in this hack.
*************************************************/
//public Transform get_transform() ---> Class Component
void *(*Component_GetTransform)(void *component) = (void *(*)(void *))getRealOffset(0x101F84228);

//private void INTERNAL_set_position(Vector3 value) ---> Class Transform
void (*Transform_INTERNAL_set_position)(void *transform, Vector3 newPosition) = (void (*)(void *, Vector3))getRealOffset(0x101FAB724);

//private void INTERNAL_get_position(out Vector3 value) --> get the object of a transform
void (*Transform_INTERNAL_get_position)(void *transform, Vector3 *out) = (void (*)(void *, Vector3 *))getRealOffset(0x101FAB7D0);

/*****************************************************
Utility functions which will help us with some checks.
******************************************************/
// Utility function to get a players location.
Vector3 GetPlayerLocation(void *player) {
  Vector3 location;
  Transform_INTERNAL_get_position(Component_GetTransform(player), &location);

  return location;
}

// Utility function to get a players health
float GetPlayerHealth(void *player) {
  //private float FEHAJLBCGIN; // 0x1EC
  return *(float*)((uint64_t)player + 0x1EC);
}

// Utility function to check if a enemy is dead
bool isPlayerDead(void *player) {
  if(GetPlayerHealth(player) < 1) {
    return true;
  }

  return false;
}

// Utility function to get a players team number
int GetPlayerTeam(void *player) {
  //private int BMFGOOEECIC; // 0x210 --> Player
  return *(int*)((uint64_t)player + 0x210);
}

//Creating a null objects for enemy & my player. It will be asigned later inside the actual hook.
void *enemyPlayer = NULL;
void *myPlayer = NULL;

// Hook code
void(*old_Player_Update)(void *player);
void Player_Update(void *player) {

  //public bool isMine; // 0xCC
  bool isMine = *(bool*)((uint64_t)player + 0xCC);

  //getting my player
  if(isMine) {
    myPlayer = player;
  }

  // getting enemy player by checking whether the other players team is the same as mine
  if(myPlayer) {
    if(GetPlayerTeam(myPlayer) != GetPlayerTeam(player)) {
      enemyPlayer = player;
    }   
  }


  /*********************
    TELE KILL FEATURE
  **********************/

  // Checking if enemyPlayer object is not null
  if(enemyPlayer) {
    // checking if it's not dead, if it is enemyPlayer is NULL & it should look for a new one.
    if(!isPlayerDead(enemyPlayer)) {
      if([switches isSwitchOn:@"Teleport to Enemy"]) {
        Vector3 enemyLocation = GetPlayerLocation(enemyPlayer);
        // You can mod these values to your liking
        Transform_INTERNAL_set_position(Component_GetTransform(myPlayer), Vector3(enemyLocation.x, enemyLocation.y, enemyLocation.z - 1));
      }     
    } else {
      enemyPlayer = NULL;
      return;
    }
  }
  old_Player_Update(player);
}

//private void Update(); --> Class: Player (bigger one)
HOOK(0x101743A8C, Player_Update, old_Player_Update);

If you use this source in hacks, I'd appreciate actual credits.

 

[PixelYT]

Updated thread: Added a table of contents

 

[PixelYT]

And added a new tutorial

 

[StupidThree]

Thank you for the tutorial!! xD