Tutorial: How to hack Unity Android games when there's no Assembly-CSharp.dll (libil2cpp.so method)

Legacy
Yesterday I found out that the range is not limited to 1-2000; you can also return higher values as long as you have the 2-byte hex. For example, you can return 4000, 16000, 32000, 64000, 128000, 512000 and so on. It's also possible to return values like 4128, 4256, 4512, 4640 and so on.
Yep, here's the full list:

Code:
1 = 0000803F
2 = 00000040
4 = 00008040
8 = 00000041
16 = 00008041
32 = 00000042
64 = 00008042
128 = 00000043
256 = 00008043
512 = 00000044
1024 = 00008044
2048 = 00000045
4096 = 00008045
8192 = 00000046
16384 = 00008046
32768 = 00000047
65536 = 00008047
131072 = 00000048
262144 = 00008048
524288 = 00000049
1048576 = 00008049
2097152 = 0000004A
4194304 = 0000804A
8388608 = 0000004B
16777216 = 0000804B
33554432 = 0000004C
67108864 = 0000804C
134217728 = 0000004D
268435456 = 0000804D
536870912 = 0000004E
1073741824 = 0000804E
-2147483648 = 000000CF
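The list above is the IEEE-754 single-precision (4-byte float) encoding of each value, written in little-endian byte order. The following Python is an added example, not code from the thread: it regenerates the table, decodes an entry back to its value, splits an entry into its sign/exponent/mantissa fields, and checks whether an arbitrary integer (such as the 4128 mentioned above) fits exactly in a 32-bit float.

```python
import struct

def float_to_le_hex(value):
    """IEEE-754 single precision in little-endian byte order, as 8 upper-case
    hex digits. This is exactly the layout of the list above: 1.0 -> 0000803F."""
    return struct.pack("<f", value).hex().upper()

def le_hex_to_float(hex8):
    """Inverse of float_to_le_hex: 8 little-endian hex digits back to a float."""
    if len(hex8) != 8:
        raise ValueError("expected exactly 8 hex digits (4 bytes)")
    return struct.unpack("<f", bytes.fromhex(hex8))[0]

def float_fields(value):
    """Split the value into (sign, biased exponent, mantissa) so the byte pattern
    can be read: 1.0 is (0, 127, 0), -2**31 is (1, 158, 0)."""
    bits = struct.unpack(">I", struct.pack(">f", value))[0]
    return bits >> 31, (bits >> 23) & 0xFF, bits & 0x7FFFFF

def power_of_two_table():
    """Regenerate the posted list: 2**0 .. 2**30 plus -2**31. Every power of two
    has a zero mantissa, which is why the first two bytes of each entry are 00 00,
    the third byte alternates between 00 and 80 (low bit of the exponent), and
    only the exponent moves from line to line."""
    table = {2 ** k: float_to_le_hex(float(2 ** k)) for k in range(31)}
    table[-2 ** 31] = float_to_le_hex(float(-2 ** 31))
    return table

def is_exact_float32(value):
    """True when an integer survives int -> float32 -> int unchanged, i.e. it can
    be stored in a 4-byte float field without rounding. 4128 passes because it
    needs only 8 significant bits; 16777217 (2**24 + 1) needs 25 and is rounded."""
    return int(le_hex_to_float(float_to_le_hex(float(value)))) == value

if __name__ == "__main__":
    for value, hex8 in power_of_two_table().items():
        print(f"{value} = {hex8}")
    print("4128 =", float_to_le_hex(4128.0), "exact:", is_exact_float32(4128))
```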
 

Gourov
Thanks a lot man, it will help me a lot.
 

Akee1224
Hello,
I'm trying to figure out how to MOD a game that has the global-metadata files but no lib folder or libil2cpp. The version is 2018.3.11.
I'm wondering if there is another way; another poster mentioned mono (dll) files, and I was wondering if you could do a tutorial on this?
Thank you for your help!!
 

Sbenny
If you're talking about split APK game files (.apks extension), the lib is usually in another .apk file inside that archive, holding all the libraries of the game.
 

Gourov
Try backing up the game with SAI or LP and check whether it's an APK or apks. If apks, then as @Sbenny said:
If you're talking about split APK game files (.apks extension), the lib is usually in another .apk file inside that archive, holding all the libraries of the game.
Although I wonder: if the game was last updated on 2018.3.11, then how come it's an apks? If I read that correctly, apks was introduced on August 19.
 

Akee1224
I'll check with LP, but the game was updated a few days ago. It's "Obey Me", but I used the method to check the Unity version and this was shown:
[attached screenshot: 1591606137549.png]
 

Gourov
My bad... I thought it was updated in 2018. Well then, it's for sure apks. :)
 

bestkings
I have another question.
Is it possible to store the value from this address and then use it at another address? Or, at this address, load the value from another address?
Example in C#:
C#:
// AAA is a property whose value is always 1
public int AAA
{
    get { return 1; }
}

// BBB is a property that loads its value from AAA
public int BBB
{
    get { return AAA; }
}
I need that because I want to show some hidden values on screen.
Thanks
 

teterpeter
Thanks for the detailed tutorial.
Il2CppDumper seems to work fine, but I cannot see any function content, not even in dump.cs. What is the reason for that?
 

Legacy
It's possible that the lib is encrypted. You have to dump it manually from memory; use Game Guardian to do so.
 

czoesq
This may not be the right place to ask, but I'm trying to MOD My Singing Monsters: Dawn of Fire 2.3.1. It seems to use ARM64v8 instructions.

I tried to replace getCoins() with the example code (and then the updated ARM64 code); however, I think it's a custom class (I don't know that much about Unity code), so it kept freezing. It's in dump.cs as "public EntityStatic getCoins() { }", so I think it's expecting an EntityStatic return type, not int or long. Not sure how to structure that.

I was able to use IDA Pro to get to the offset of "public void SetCoins(long value) { }" and looked through the instructions. I learned that x0-x7 are often used for arguments to the function, so I found a "MOV x20, x1", replaced it with "MOV x20, #0xFFFF" and was able to get that many coins. Success!

The game's better currency is Diamonds. Here's what IDA Pro says is in "public void SetDiamonds(long value) { }", though:

Code:
; __unwind {
.text:00000000008B5228 qword_8B5228    DCQ 0xE12FFF1EE3E004FF, 0xA9034FF4A90257F6, 0x910103FDA9047BFD
.text:00000000008B5228                                         ; CODE XREF: sub_8B50E8+D4↑p
.text:00000000008B5228                                         ; sub_8B76AC+20↓p ...
.text:00000000008B5228                 DCQ 0x394DCEA8F000E4F5, 0xAA0003F3AA0103F4, 0xF000DA08370000E8
.text:00000000008B5228                 DCQ 0xB9400100F9420D08, 0x320003E8944709F2, 0xF9414268390DCEA8
.text:00000000008B5228                 DCQ 0xAA1F03E0B50000C8, 0x2A1F03E2AA1F03E1, 0x9442F8E8AA1F03E3
.text:00000000008B5228                 DCQ 0xF941B508D000DB88, 0x39442808F9400100, 0xB940BC0836000088
.text:00000000008B5228                 DCQ 0x9447610735000048, 0xBD471D0090009A08, 0x90009A089E220281
.text:00000000008B5228                 DCQ 0x1E201820AA1F03E0, 0xAA1F03E1BD471501, 0x9434D9921E2E1002
.text:00000000008B5228                 DCQ 0xF000DA099000DA48, 0xF9452129F947D508, 0xF94001164EA01C08
.text:00000000008B5228                 DCQ 0x9447F404F9400120, 0xF9435908F000DB28, 0xAA1603E2AA1303E1
.text:00000000008B5228                 DCQ 0xF9400103AA0003F5, 0xF000DAA8942B33A5, 0xF9449D089000DB69
.text:00000000008B5228                 DCQ 0xF9400117F9422129, 0x9447F3F6F9400120, 0xF945B108D000DBA8
.text:00000000008B5228                 DCQ 0xAA1703E2AA1303E1, 0xF9400103AA0003F6, 0xB000DAE8942B3C8F
.text:00000000008B5228                 DCQ 0xF9400100F940A908, 0x3600008839442808, 0x35000048B940BC08
.text:00000000008B5228                 DCQ 0xAA1F03E0944760D8, 0xAA1503E1AA1F03E4, 0xAA1403E3AA1603E2
.text:00000000008B5228                 DCQ 0x942B9F3D4EA81D00, 0xF9476108D000DA88, 0x1E2021001E2A1000
.text:00000000008B5228                 DCQ 0xF9400103320003E9, 0xAA0003E1321F07E8, 0xAA1F03E01A884122
.text:00000000008B5228                 DCQ 0xAA0003F4940EB764, 0x9447BD89B5000053, 0xA9447BFDF9014274
.text:00000000008B5228                 DCQ 0xA94257F6A9434FF4, 0x6CC523E9A9415FF8
.text:00000000008B53D0 ; ---------------------------------------------------------------------------
.text:00000000008B53D0                 RET
.text:00000000008B53D0 ; } // starts at 8B5228
And I'm kind of stuck from here. "public EntityStatic getDiamonds() { }" looks like this:

Code:
sub_DA9BB8                              ; CODE XREF: sub_8B5B80+AC↑p
.text:0000000000DA9BB8                                         ; sub_8BFB08+148↑p ...
.text:0000000000DA9BB8
.text:0000000000DA9BB8 var_10          = -0x10
.text:0000000000DA9BB8 var_s0          =  0
.text:0000000000DA9BB8
.text:0000000000DA9BB8 ; __unwind {
.text:0000000000DA9BB8                 STP             X20, X19, [SP,#-0x10+var_10]!
.text:0000000000DA9BBC                 STP             X29, X30, [SP,#0x10+var_s0]
.text:0000000000DA9BC0                 ADD             X29, SP, #0x10
.text:0000000000DA9BC4                 ADRP            X20, #[email protected]
.text:0000000000DA9BC8                 LDRB            W8, [X20,#[email protected]]
.text:0000000000DA9BCC                 MOV             X19, X0
.text:0000000000DA9BD0                 TBNZ            W8, #0, loc_DA9BEC
.text:0000000000DA9BD4                 ADRP            X8, #[email protected]
.text:0000000000DA9BD8                 LDR             X8, [X8,#[email protected]]
.text:0000000000DA9BDC                 LDR             W0, [X8]
.text:0000000000DA9BE0                 BL              sub_1A77A28
.text:0000000000DA9BE4                 MOV             W8, #1
.text:0000000000DA9BE8                 STRB            W8, [X20,#[email protected]]
.text:0000000000DA9BEC
.text:0000000000DA9BEC loc_DA9BEC                              ; CODE XREF: sub_DA9BB8+18↑j
.text:0000000000DA9BEC                 LDR             X19, [X19,#0x180]
.text:0000000000DA9BF0                 CBNZ            X19, loc_DA9BF8
.text:0000000000DA9BF4                 BL              sub_1AA49D8
.text:0000000000DA9BF8 ; ---------------------------------------------------------------------------
.text:0000000000DA9BF8
.text:0000000000DA9BF8 loc_DA9BF8                              ; CODE XREF: sub_DA9BB8+38↑j
.text:0000000000DA9BF8                 ADRP            X8, #[email protected]
.text:0000000000DA9BFC                 LDR             X8, [X8,#[email protected]]
.text:0000000000DA9C00                 MOV             X0, X19
.text:0000000000DA9C04                 LDR             X1, [X8]
.text:0000000000DA9C08                 LDP             X29, X30, [SP,#0x10+var_s0]
.text:0000000000DA9C0C                 LDP             X20, X19, [SP+0x10+var_10],#0x20
.text:0000000000DA9C10                 B               sub_11F3A6C
.text:0000000000DA9C10 ; } // starts at DA9BB8
.text:0000000000DA9C10 ; End of function sub_DA9BB8
I haven't found out what to hijack here to max out diamonds. Anyone have any guidance?
 

Legacy
How about you search for a function that effectively decreases the value of coins instead of directly modifying the getDiamonds function? You could change the decrease function to an increase one.
Also execute the script.json generated by Il2CppDumper in IDA so IDA loads all the appropriate function names. That way you can see local variables better and also see which functions are being called inside the function you are looking at.
 