๐Ÿ“– Tutorial Hacking Fields/Instance Variables and Hooking Tutorial in IL2CPP Games

Offline

PixelYT

Addicted Lv. 3
Member for 1 year
EXP
SB Cash
468
Gender
Male
Country
East Timor (see Timor-Leste)
*BEST VIEWED ON DESKTOP*

The Unity tool. I hate it. All it does is make people worse at hacking because no one is developing actual analysis skills anymore. Now all you have to do to make an awesome hack is to CTRL-F everything until you have 100 features. If you want to get good at something, take the hard route. I can't stress that enough. Anyway, when I first heard about it, I thought it just revealed method names and locations. I was surprised upon finding that not only does it reveal method names and their locations, it reveals class names, parameters, instance variables, and the location in memory where said instance variables can be found. I couldn't believe what was right in front of me because everyone was just taking advantage of visible methods and their locations.



This applies to non-Unity games as well. You just need to have knowledge of object oriented programming to really know how to take advantage of instance variables. I guess I could cover that in a later tutorial. Anyway, let's get started.



This tutorial pertains to iOS. Not the concepts, just the tutorial.




*****Get the Unity tool from here: Perfare/Il2CppDumper
*****Hooking template to hack like this on Android: Hooking Template to hack like this on Android






______________________________________________________________________________________________________________________________________________________________________________________
Instance Variables
1. Memory Layout


I went to make this absolutely clear. For example, this...
Code:
STR X3, [X0, #0x248]
...is telling the machine to store whatever X3 is holding (let's say ammo) in X0+0x248 (let's say X0 points to a Gun object). X0 contains the address of wherever the Gun object is held in memory. Let's say the address of the Gun object is 0x16fd27640. That means the machine is assigning whatever is at 0x16fd27640+0x248 to X3. That's why when you NOP a STR instruction, the value freezes. The machine can no longer update the value at the location of whatever you NOP'ed.

Let's look at an actual example involving arrays:
C++:
#include <stdio.h>
#include <malloc.h>
#include <conio.h>

int main(){
    int *a = (int *)malloc(sizeof(int)*4);

    free(a);

    _getch();
}
This program allocates some memory for an array of four integers, then frees that memory. _getch() forces the machine to wait for a letter to be pressed before it terminates the program.

Now I'll give the elements in this array some values:
C++:
#include <stdio.h>
#include <malloc.h>
#include <conio.h>

int main(){
    int *a = (int *)malloc(sizeof(int)*4);

    a[0] = 3;
    a[1] = 2;
    a[2] = 4;
    a[3] = 1;

    free(a);

    _getch();

      return 0;
}
The memory map of this array would be as follows:
Code:
    a[0]        a[1]        a[2]        a[3]
     3            2           4           1
But that's not all. Here's another equivalent way of writing the memory map:
Code:
    *(a+0)        *(a+1)        *(a+2)        *(a+3)
       3             2             4             1
This is the way we'll be able to get and set instance variables on various objects, but that is later down the line. Why does this work? Because when the compiler sees the [] operator, it translates it into pointer addition (as well as a dereference), which is exactly what we are doing by writing *(a+X). If you're still confused, hopefully this next part will clear this up. When we created the array of four ints, the machine allocated sixteen bytes space on the heap for it (as well as a pointer for it on the stack, but that isn't important for this tutorial). Why sixteen bytes? Because the size of an int on most machines is four, and we allocated memory for four ints. 4*4=16
:)
We can take a look at what the memory looks like where the array is located in Visual Studio's debugger:
1589990191509.png

The highlighted area is where the array is located. You can see the elements in the exact order as they were declared (3, 2, 4, 1) on the heap. Now we can use our newfound knowledge of memory layout to access and modify instance variables in iOS games.


2. The 'this' pointer

In C++, the 'this' pointer is best thought of as a hidden argument in every non-static function call. (Static methods do not need to be called with a class object) It references the current instance of its class. To better illustrate this concept, I have created a tiny class called Test. Also, take note that both of Test's instance variables(Also called Fields) are private, which means I cannot access them directly. Here is Test.h:
C++:
class Test {
private:
    int a; //(Fields/Instance Variables)
    int b;                  

public:
    Test();

    int getA() const;
    int getB() const;

    void setA(int newA);
    void setB(int newB);
};
Here is Test.cpp:
C++:
#include "Test.h"

//create a new Test object and set its instance variables to 5 and 8 respectively
Test::Test(){
    this->a = 5;
    this->b = 8;
}

int Test::getA() const {
    return this->a;
}

int Test::getB() const {
    return this->b;
}

void Test::setA(int newA){
    this->a = newA;
}

void Test::setB(int newB){
    this->b = newB;
}
See how I use the this pointer to get and set Test's instance variables? If I wanted to call setA, I would do this:
C++:
Test *t = new Test();

t.setA(100);
Obviously, in assembly, we don't have the luxury of syntax. In assembly, the call to setA would look like this:
Code:
setA(t, 100);
t is the this pointer. In assembly, the this pointer is always the first argument to any (non-static) function. For additional clarity, if I included this method in the Test class:
C++:
void Test::setAB(int newA, int newB){
    this->a = newA;
    this->b = newB;
}
and called setAB like this:
C++:
Test *t = new Test();

t.setAB(1000, 2000);
The function call in assembly would be setAB(t, 1000, 2000). No matter what type the function is, however many arguments it has, or whatever class it belongs to, the this pointer is always the first argument. If the method is static, there is simply no this pointer.


3. A "Hacky" Way of Getting and Setting Instance Variables

Recall our class called Test and the array example. In the array example, our array was located at 0xba5d38, with sixteen bytes of extra space for the four elements. This is no different with our Test class. Consider this code:
C++:
#include <stdio.h>
#include <malloc.h>
#include <conio.h>
#include "Test.h"

int main(){
    Test *t = new Test();

    _getch();

    return 0;
}
The machine created a pointer to our Test object on the stack and allocated the appropriate amount of memory on the heap for its instance variables. In the Test constructor, I set a and b to 5 and 8 for visibility. Let's take a look at our memory in Visual Studio's debugger:
1589990681330.png

You can see t's instance variables on the heap! Again, since an int is four bytes on most machines, there are eight byes of memory reserved for the two instance variables. And remember, they are private. When I try and directly access the instance variable "a", I get this error:
1589990708131.png


Fortunately for us, since C++ gives us complete control over our memory, we can access and modify a without a function through pointer arithmetic! Since a is our first instance variable, it is located where our Test object is located. b is located at our test object + 0x4, and so on if we had more instance variables. And remember, t is our this pointer. Consider this code:
C++:
int instanceVariableA = *(int *)(t + 0x0);
                         // 2     // 1
Don't be worried if this looks confusing. I'll explain this step by step. Just like with the array example, we can access data through pointer arithmetic. In the comments I've numbered each thing I am going to explain.

1. Since t is literally just the address to its location on the heap, this is also the address to its first instance variable. Also, throughout this entire tutorial I have been including "+ 0x0" for clarity. In your code you don't have to do this.
2. Cast whatever is at t + 0x0 to an int pointer and dereference it to access its value.

After all that, we have successfully grabbed t's instance variable a without a function. Remember that when a Test object is created, a is set to 5 and b is set to 8.
1589990992746.png

if I wanted to grab b, I would replace t + 0x0 with t + 0x4.

We can modify a in a similar manner in which we used to grab it. All we have to do is treat all of our pointer arithmetic and casting like a variable, and set it to whatever we want, like so:
C++:
*(int *)(t + 0x0) = 1000;
Let's see if this is successful:
1589991056350.png

Success! I call getA() to make sure that I actually did change a. Now Let's take a look at our memory on the heap:
1589991081920.png

Sure enough, the data at where a is located changed to 0xe803. But since the hex here is in little endian, 0xe803 is actually 0x03e8, which is 1000. We successfully modified a without calling a function. This will be extremely useful when making game hacks because we won't need to call a function that may or may not be present in the game itself every time we want to modify an instance variable. Everytime we call a function from the game, a little instability is added because we don't actually know how it works, and we want as much stability as possible.


4. Applying These Concepts to Game Hacks

Why did I use a program I wrote on my computer to illustrate these concepts? Because C++ on Windows is no different than C++ on iOS/Android. A program that counts from one to one hundred on Windows would do the exact same thing on your phone. Obviously, there are API differences, but we aren't dealing with that. Also, Visual Studio's debugger is great for showing memory. Anyway, let's say that I made a dump of some Unity game and the Player class looked like this:
C#:
public class Player : MonoBehaviour // TypeDefIndex: 5545
{
    // Fields
    private float health; // 0x18
    private int ammo; // 0x1c
      private float moveSpeed; // 0x20
      private bool isDead; // 0x24
      private Player playerLastDamaged; // 0x28
      private bool mine; // 0x30

    // Methods
    public void .ctor(); // 0x100093720
    private void Awake(); // 0x1000937A0
    private void Update(); // 0x1000938FC
    public void InitPlayer(); // 0x100094000
    public void OnDestroy(); // 0x100094AF0
}
(I made every Instance Variable(Fields) private as a proof of concept - it doesn't matter if something is public or private as shown in the last example)

While taking a look at this, you should notice the instance variable "playerLastDamaged" is eight bytes. This is fine. Size does not matter when grabbing instance variables. You should also notice there are no accessors or setters for any of the instance variables.

Notice the function called "Update". Any function called LateUpdate or Update is of massive use to you. Why? Because this is a non-static function that is called by Unity once per frame. If you have 60 FPS in a game, Update is being called 60 times a second. Why is this good? Think about it. We wouldn't want to get and set instance variables on a Player object that hasn't been updated for a while right? We need our most current Player object to modify, and what better way of getting it than hooking a function that is called 60 times every second? You all know how to hook a function with MSHookFunction. At least I hope so. In this example, I'm not going to show the call to MSHookFunction. Just imagine it is there. In this example, the game we are hacking is an online FPS. Everyone in the room is a Player object, and Update is called for each Player object. And for some reason, the game is so insecure that we can modify other people's instance variables non-visually. Here's how the barebones function hook would look:
C++:
void (*Player_update)(void *player);

void _Player_update(void *player){
    Player_update(player);
}
Remember the previous examples. The first argument to any non-static function in assembly is the this pointer. It is best to name the this pointer the class name, because it is representing that class. We also have to use a void pointer (void *) because we don't actually have access to the Player class, only its objects. Because of this, the way we get and set instance variables will be a bit different. We also have to check if the player object isn't NULL to prevent crashes! Recall what you read about the this pointer. If the Player object is NULL, this is what the call to update would look like in C++:
C++:
NULL.Update();
And that doesn't make any sense, right?
:p


For this first example, we'll be giving ourselves infinite ammo, infinite health, and increased move speed, as well as making everyone else's health 1.0 and taking everyone else's ammo away.

Obviously we don't want to apply anything bad to ourselves, so we can make use of the mine instance variable. This boolean just tells us if this Player object belongs to me. To get this instance variable, we need to do this:
C++:
if(player != NULL){
    bool isMine = *(int *)((uint64_t)player + 0x30);
}
The one difference is casting the void pointer to uint64_t. We need to do this in order to perform pointer arithmetic on the player object. Also, a boolean in C and C++ just holds a 0 or a 1... which means we can substitute int for it.

So far, the Update hook looks like this:
C++:
void (*Player_update)(void *player);

void _Player_update(void *player){
    if(player != NULL){
        bool isMine = *(int *)((uint64_t)player + 0x30);
    }

    Player_update(player);
}
Now that we have the mine instance variable, we can test to see if our Player object is indeed ours, and if it is, apply the hacks:
C++:
void (*Player_update)(void *player);

void _Player_update(void *player){
    if(player != NULL){
        bool isMine = *(int *)((uint64_t)player + 0x30);

        if(isMine){
            //ammo
            *(int *)((uint64_t)player + 0x1c) = 999;

            //health
            *(float *)((uint64_t)player + 0x18) = 100.0f;

            //increased move speed, normal is 1.0f
            *(float *)((uint64_t)player + 0x20) = 5.0f;
        }
    }

    Player_update(player);
}
That's not all we want to do, though. We want to wreak havoc on other people so we need to take everyone's ammo away and make everyone have 1.0 health.
C++:
void (*Player_update)(void *player);

void _Player_update(void *player){
    if(player != NULL){
        bool isMine = *(int *)((uint64_t)player + 0x30);

        if(isMine){
            //ammo
            *(int *)((uint64_t)player + 0x1c) = 999;

            //health
            *(float *)((uint64_t)player + 0x18) = 100.0f;

            //increased move speed, normal is 1.0f
            *(float *)((uint64_t)player + 0x20) = 5.0f;
        }
        else{
            //enemy ammo
            *(int *)((uint64_t)player + 0x1c) = 0;

            //enemy health
            *(float *)((uint64_t)player + 0x18) = 1.0;
        }
    }

    Player_update(player);
}
If you want to get more creative, you can make use of the "playerLastDamaged" instance variable to make a "freeze tag" hack. This hack will freeze the person you just shot, just like if you tag a person in freeze tag. Like before, we have to check if the player object is ours, and then we can access the playerLastDamaged instance variable.
C++:
void (*Player_update)(void *player);

void _Player_update(void *player){
    if(player != NULL){
        bool isMine = *(int *)((uint64_t)player + 0x30);
    }

    Player_update(player);
}
Now we have to get the playerLastDamaged instance variable. Like I said before, size does not matter. You would access it just like any other instance variable. We also have to check if it isn't NULL.
C++:
void (*Player_update)(void *player);

void _Player_update(void *player){
    if(player != NULL){
        bool isMine = *(int *)((uint64_t)player + 0x30);

        if(isMine){
            void *playerLastDamaged = *(void **)((uint64_t)player + 0x28);

            if(playerLastDamaged != NULL){
      
            }
        }
    }

    Player_update(player);
}
Now we have to set playerLastDamaged's moveSpeed instance variable to 0.0. Remember that playerLastDamaged is a Player object, so we have access to the Player instance variables. Again, we don't have access to the actual Player class, so we have to use a void pointer.
C++:
void (*Player_update)(void *player);

void _Player_update(void *player){
    if(player != NULL){
        bool isMine = *(int *)((uint64_t)player + 0x30);

        if(isMine){
            void *playerLastDamaged = *(void **)((uint64_t)player + 0x28);

            if(playerLastDamaged != NULL){
                //set person we just shot moveSpeed to 0.0 (0x20 holds the moveSpeed)
                *(float *)((uint64_t)playerLastDamaged + 0x20) = 0.0f;
            }
        }
    }

    Player_update(player);
}
And just like that, our freeze tag hack is complete! There you have it, two full fledged hacks that work by modifying instance variables! ALWAYS REMEMBER TO CHECK ALL POINTERS TO SEE IF THEY'RE NULL!!!!




Credits

- Shmoo from iOSGods
 
Last edited:
A

Ad Manager

Gourov

Venomous Gourovirus
YouTuber
๐Ÿ‘‹ Community Team
โœ” Approved Releaser
๐ŸŽฎ Mod Tester
Active User
Member for 1 year
SB Cash
69,264
Bouquet of Roses
Box of Chocolates (Valentine's Day LIMITED)
Box of Chocolates (Valentine's Day LIMITED)
Create Custom Title
Silver Coin (Limited Edition)
Bouquet of Roses
Gender
Male
Device
Nokia 3 - Android 9.0
Country
Bangladesh
Thanks a lot for these valuable information ๐Ÿ˜Š
 
Offline

PixelYT

Addicted Lv. 3
Member for 1 year
EXP
SB Cash
468
Gender
Male
Country
East Timor (see Timor-Leste)
Thanks for reading the tutorial :)
If you need help just ask me and I will help you or if you need another example of hacking like this then I will provide you one :)
 

Gourov

Venomous Gourovirus
YouTuber
๐Ÿ‘‹ Community Team
โœ” Approved Releaser
๐ŸŽฎ Mod Tester
Active User
Member for 1 year
SB Cash
69,264
Bouquet of Roses
Box of Chocolates (Valentine's Day LIMITED)
Box of Chocolates (Valentine's Day LIMITED)
Create Custom Title
Silver Coin (Limited Edition)
Bouquet of Roses
Gender
Male
Device
Nokia 3 - Android 9.0
Country
Bangladesh
Thanks for reading the tutorial :)
If you need help just ask me and I will help you or if you need another example of hacking like this then I will provide you one :)
Thanks a lot mate . This is a great help for newbies like us. I will ofc knock you if I need any help :love:
 
Offline

PixelYT

Addicted Lv. 3
Member for 1 year
EXP
SB Cash
468
Gender
Male
Country
East Timor (see Timor-Leste)
@Gourov Awesome! :)
Post automatically merged:

@RockingRivu I could do a video tutorial but really it would be the same thing just ask me what you are having problems with. and I don't have a mic so I don't know if it would help to make a video without my voice?

I will look into it and If I do make a video tutorial I will make sure to remind you and to also link the video tutorial here as soon as i post it
 
Change Language
EnglishFrenchGermanItalianPortugueseRussianSpanish
Please note this is still an English speaking community, so please keep writing in English only, thank you!
You can also help us improve the translations by clicking here.
Top