📖 Tutorial How to hack Unity Android Games when there's no Assembly-Csharp.dll (libil2cpp.so method)

[Legacy]

@AndroiDragon

Your Original HEX:

00 10 A0 E3 8C 7C F5 EA -> Two Instructions

First 4 bytes (First Instruction): 00 10 A0 E3 -> MOV R1, #0
Last 4 bytes (Second Instruction): 8C 7C F5 EA -> B #0xffd5f23c (Control is branching to other function/ code block)

Your Modified HEX:

10 0A 00 EE 8C 7C F5 EA -> Two Instructions

First 4 bytes (First Instruction): 10 0A 00 EE -> VMOV S0, R0 (You are moving the value of R0 into S0)
Last 4 bytes (Second Instruction): 8C 7C F5 EA -> B #0xffd5f23c (Same as Original)

Example:

MOVT R0, #0x44FA -> FA 04 44 E3
VMOV S0, R0 ->10 0A 00 EE
B #0xffd5f23c -> 8C 7C F5 EA

 

[Gourov]

@AndroiDragon you are not using IDA ?

 

[AndroiDragon]

@Legacy thank you Legacy for you help,

what I was trying was wrong /could never work ?
so instead of movin R0 it must be R1 ?
no wait, now i am confused, when i look at the example Oo

movt R1, #0x44FA -> FA1444E3
vmov S0, R1 -> 101A00EE
B #0xffd5f23c -> 8B7CF5EA

how would my string look like ?

[EDiT]
@Gourov hei,
No I am not using IDA. should I ? I have it.
I use NotePad++ to read/look into the Dump and then HxD/HexWorkShp or NETreflector when it's an dll

 

[Gourov]

@Legacy thank you Legacy for you help,

what I was trying was wrong /could never work ?
so instead of movin R0 it must be R1 ?
no wait, now i am confused, when i look at the example Oo

movt R1, #0x44FA -> FA1444E3
vmov S0, R1 -> 101A00EE
B #0xffd5f23c -> 8B7CF5EA

how would my string look like ?

[EDiT]
@Gourov hei,
No I am not using IDA. should I ? I have it.
I use NotePad++ to read/look into the Dump and then HxD/HexWorkShp or NETreflector when it's an dll

Use IDA and you can see those instructions and can understand code better.

 

[nestorishere]

I followed the instruction but no managed folder was created, only dummy DLL. Any suggestions?

 

[Legacy]

I followed the instruction but no managed folder was created, only dummy DLL. Any suggestions?

Because the game is made using a different method (known as il2cpp). What you need to do now is to load the desired library in IDA and use the dummy dlls as a reference to skim through your desired functions.

 

[nestorishere]

Thanks for pointing me in the right direction

 

[nestorishere]

I managed to load the library in IDA and ran the .json script from the dumper with it, however, i can't find the matching offset from the dummy dlls and the library to the .so when i open it with HxD, any advice? thanks

 

[Legacy]

@nestorishere Heres what you normally do to find the correct offset/function to mod:


- Refer to dnSpy -> Find your desired method/function. Note its offset.

- Paste the copied offset in IDA -> You can do so by pressing 'G' and pasting the offset you copied in a small window that pops up after pressing 'G'.

- Find the offset you think should be modded in IDA.

- Paste the offset in Hxd -> You can paste your offset in Hxd by pressing 'Ctrl+G' and pasting your offset.
Keep in mind that offset you copied should be free of any blank spaces and '0x's. For example, if the offset you copied is 0x56221, you should paste 56221 in Hxd.

 

[badreddine7]

i tried modding battleland royal . i've moded the damage so its always critical(by modifiying only one function called accuracyCritCheck -soomething like that-). the damage now is always critical .
But the game always put me in a server full of bots , and my friend see me that i'm dead (i also see them dead) but i'm not , i still can kill people , and the win and kills count in my statistics.
can someone explain to me what's wrong!

Post automatically merged: Aug 4, 2020

i tried modding battleland royal . i've moded the damage so its always critical(by modifiying only one function called accuracyCritCheck -soomething like that-). the damage now is always critical .
But the game always put me in a server full of bots , and my friend see me that i'm dead (i also see them dead) but i'm not , i still can kill people , and the win and kills count in my statistics.
can someone explain to me what's wrong!

 

[Legacy]

i tried modding battleland royal . i've moded the damage so its always critical(by modifiying only one function called accuracyCritCheck -soomething like that-). the damage now is always critical .
But the game always put me in a server full of bots , and my friend see me that i'm dead (i also see them dead) but i'm not , i still can kill people , and the win and kills count in my statistics.
can someone explain to me what's wrong!

These are just some methods the developers implement to punish cheaters. You need to find the mechanic that detects such modifications and disable it.

 

[badreddine7]

i've tried but i didn't succeed, mate

 

[Legacy]

i've tried but i didn't succeed, mate

I can help you in a more effcient way if you describe your problem in a more "expanded" manner with screenshots.

 

[badreddine7]

Thank you first.
in fact the game doesn't put me in a server full of bot , since when i hit ready at the same time my friend does (to team up in solo) we join the same server.
but the problem is that he see me moving against a wall (or moving like a bot) until the zone or someone kills me.
the same thing happens to me , i see all my friend dead outside the zone and not moving (or moving like a bot) while in fact they win the match and the win count in there stats . Another thing is that i see all people moving like a bot (they shoot at nowhere) (easy kill , so usually i get 11 kills out of 32 in the game) but rarely a good player shows up.
No matter how small the change in libil2cpp.so (not just modding the damage) the problem will occur.
The problem doesn't occur when i install the original apk .
my friend has the original apk. but when he install my modded apk , i see what he see , and win the game (in reality, we are dead ). but the good thing the win count at our stats as well.
(an information about the game : is that when someone leave the match he get replaced with a bot , i don't know if that could help)
if you need more clarifications about the problem give me you're discord .

Post automatically merged: Aug 6, 2020

I can help you in a more effcient way if you describe your problem in a more "expanded" manner with screenshots.

i thing it's a problem with signature verification

 

[Gourov]

Thank you first.
in fact the game doesn't put me in a server full of bot , since when i hit ready at the same time my friend does (to team up in solo) we join the same server.
but the problem is that he see me moving against a wall (or moving like a bot) until the zone or someone kills me.
the same thing happens to me , i see all my friend dead outside the zone and not moving (or moving like a bot) while in fact they win the match and the win count in there stats . Another thing is that i see all people moving like a bot (they shoot at nowhere) (easy kill , so usually i get 11 kills out of 32 in the game) but rarely a good player shows up.
No matter how small the change in libil2cpp.so (not just modding the damage) the problem will occur.
The problem doesn't occur when i install the original apk .
my friend has the original apk. but when he install my modded apk , i see what he see , and win the game (in reality, we are dead ). but the good thing the win count at our stats as well.
(an information about the game : is that when someone leave the match he get replaced with a bot , i don't know if that could help)
if you need more clarifications about the problem give me you're discord .

Post automatically merged: Aug 6, 2020

i thing it's a problem with signature verification

If its signature verification then you can try resigning and test.

 

[ZenoniaLvr]

Always wanted to try modding games, guess it's to complicate for me (I only know how to sort them and such.) But I'll come back to this post if ever I got started with it. This is helpful.

 

[Legacy]

if you need more clarifications about the problem give me you're discord .

If you are on Sbenny's discord server, you can easily find me there. I go by the same name on discord.

 

[badreddine7]

TAWILBOT#0512

 

[VizineBruin]

Is there a way to go from an offset in dump.cs to directly modifying in game guardian?

 

[candyman69]

where can I find libil2cpp.so I cant find it