icodeproductions (How do I cheat?)
Reputation: 0
Joined: 18 May 2013 Posts: 4
Posted: Sat May 18, 2013 11:08 am Post subject: [unity 3d]Begone -Help with aob
Hi, I am trying to hack a Unity 3D game called Begone.
I have successfully decompiled the source.
But my AOBs don't seem to work.
For example, my objective: player health should remain at 100 even after getting hit.
Code:
Object: Health
Method: OnEventPlayerDamage(class EventPlayerDamage e)
Here is the function:
private void OnEventPlayerDamage(EventPlayerDamage e)
{
if (((e.victimId == this.playerId) && (this.GetHealth() > 0f)) && (Application.get_isEditor() || (BaseRoundMode.GetRoundState() == BaseRoundMode.RoundState.InProgress)))
{
this.SetHealth(this.GetHealth() - e.damage); // <-- I tried to change 59 to 58, but nothing happens
if (base.get_enabled() && base.get_audio().get_enabled())
{
if (e.damageType == EventPlayerDamage.DamageTypes.Head)
{
base.get_audio().set_clip(this.headshot);
base.get_audio().set_pitch(1f);
base.get_audio().set_volume(1f);
base.get_audio().set_maxDistance(50f);
base.get_audio().Play();
}
else if (e.damage >= 10)
{
base.get_audio().set_clip(this.painBig);
base.get_audio().set_pitch(0.9f + ((((float) (e.damage - 0x19)) / 75f) * 0.2f));
base.get_audio().set_volume(0.9f);
base.get_audio().set_maxDistance(50f);
base.get_audio().Play();
}
else
{
base.get_audio().set_clip(this.painSmall);
base.get_audio().set_pitch(0.9f + ((((float) e.damage) / 25f) * 0.2f));
base.get_audio().set_volume(0.9f);
base.get_audio().set_maxDistance(50f);
base.get_audio().Play();
}
}
if ((this.playerId == PhotonHelper.localPlayer.playerId) && (this.GetHealth() <= 0f))
{
this.SetHealth(0f);
new EventDeath(this.playerId, e.attackerId, e.damageType, e.weaponType);
}
}
IL code:
IL_0038: /* 02 | */ ldarg.0
IL_0039: /* 02 | */ ldarg.0
IL_003a: /* 28 | (06)000C10 */ call instance float32 Health::GetHealth()
IL_003f: /* 03 | */ ldarg.1
IL_0040: /* 7B | (04)000EA9 */ ldfld int32 EventPlayerDamage::damage
IL_0045: /* 6B | */ conv.r4
IL_0046: /* 59 | */ sub
IL_0047: /* 28 | (06)000C11 */ call instance void Health::SetHealth(float32)
IL_004c: /* 02 | */ ldarg.0
IL_004d: /* 28 | (0A)00011A */ call instance bool [UnityEngine]UnityEngine.Behaviour::get_enabled()
IL_0052: /* 39 | 42010000 */ brfalse IL_0199
IL_0057: /* 02 | */ ldarg.0
/* 03 | */ ldarg.1
IL_0001: /* 7B | (04)000EAB */ ldfld int32 EventPlayerDamage::victimId
IL_0006: /* 02 | */ ldarg.0
IL_0007: /* 7B | (04)000DF8 */ ldfld int32 Health::playerId
IL_000c: /* 3B | 01000000 */ beq IL_0012
IL_0011: /* 2A | */ ret
IL_0012: /* 02 | */ ldarg.0
IL_0013: /* 28 | (06)000C10 */ call instance float32 Health::GetHealth()
IL_0018: /* 22 | 00000000 */ ldc.r4 0.0
IL_001d: /* 43 | C5010000 */ ble.un IL_01e7
IL_0022: /* 28 | (0A)0001F7 */ call bool [UnityEngine]UnityEngine.Application::get_isEditor()
IL_0027: /* 3A | 0C000000 */ brtrue IL_0038
IL_002c: /* 28 | (06)000D59 */ call valuetype BaseRoundMode/RoundState BaseRoundMode::GetRoundState()
IL_0031: /* 18 | */ ldc.i4.2
IL_0032: /* 3B | 01000000 */ beq IL_0038
IL_0037: /* 2A | */ ret
My AOB:
7b ?? ?? ?? ?? 02 7b ?? ?? ?? ?? 3b ?? ?? ?? ?? 2a 02 28 ?? ?? ?? ?? 22 ?? ?? ?? ?? 43 ?? ?? ?? ?? 28 ?? ?? ?? ?? 3a ?? ?? ?? ?? 28 ?? ?? ?? ?? 18 3b ?? ?? ?? ?? 2a 02 02 28 ?? ?? ?? ?? 03 7b ?? ?? ?? ?? 6b 59 28 ?? ?? ?? ?? 02 28 ?? ?? ?? ?? 39 ?? ?? ?? ?? 02
Any help would be appreciated.
Probably I am in the wrong section of the code... I am lost here.
Just in case anyone wishes to check the Begone source, here are the files:
mediafire .c om /?gyhaa19hg7gg131
_________________
learning to re....
Dark Byte (Site Admin)
Reputation: 470
Joined: 09 May 2003 Posts: 25791 Location: The Netherlands
Posted: Sat May 18, 2013 2:27 pm Post subject:
Did you recompile this to a binary after changing it, or do you use CE?
If CE, it's possible the IL code has already been compiled to native code before your edit.
Perhaps it will reload it if you start a whole new game, but you may have to search for the native generated code with an AOB and edit it there.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
icodeproductions (How do I cheat?)
Reputation: 0
Joined: 18 May 2013 Posts: 4
Posted: Sun May 19, 2013 1:38 am Post subject:
Thanks for replying Dark Byte. I am using CE, but how do I search for the native generated code with an AOB and edit it there? I have uploaded all the decompiled DLL files to MediaFire if you want to have a look.
Aren't Unity3D games supposed to be like Flash games? I have a few working AOBs by someone else, but I can't find the corresponding hex codes in the source of the game. Sorry for my English.
Here is the URL of the game:
n +p +l+ a+ y . c o m (remove the plus signs)
_________________
learning to re....
Dark Byte (Site Admin)
Reputation: 470
Joined: 09 May 2003 Posts: 25791 Location: The Netherlands
Posted: Sun May 19, 2013 3:07 am Post subject:
Yes, it's like Flash, and there it is also the same as .NET sometimes (it also generates native code, sometimes).
You could try editing the metadata or PE header and tell it not to use the JITer to generate native code, but it will be slow.
Instead, try using the debugger. Find your health, then get hurt. You will find the native code. Now make an AOB scan of this so you'll find it next time, and then edit it in assembler.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
icodeproductions (How do I cheat?)
Reputation: 0
Joined: 18 May 2013 Posts: 4
Posted: Mon May 20, 2013 1:14 am Post subject:
Dark Byte wrote:
Yes, it's like Flash, and there it is also the same as .NET sometimes (it also generates native code, sometimes).
You could try editing the metadata or PE header and tell it not to use the JITer to generate native code, but it will be slow.
Instead, try using the debugger. Find your health, then get hurt. You will find the native code. Now make an AOB scan of this so you'll find it next time, and then edit it in assembler.
Thanks for the info. I will now try to find the health, but it's a strange memory construct... somehow that simple 4-byte search won't work with the game. I will keep you updated on my findings... I am really new at this, so don't mind me asking so many questions.
I have used Redgate for decompiling the source. Could you shed some light on which debugger to use?
_________________
learning to re....
Dark Byte (Site Admin)
Reputation: 470
Joined: 09 May 2003 Posts: 25791 Location: The Netherlands
Posted: Mon May 20, 2013 3:36 am Post subject:
As you can see here:
Code:
call instance void Health::SetHealth(float32)
That means that SetHealth (and probably the health variable itself) is a float32.
In CE that is just "Float" (not 4 byte).
You could try CE's debugger. Once you have found the health and added it to the list, right-click it and choose "Find out what writes to this address".
You will most likely get inside the "SetHealth" function then, and from there you might be able to backtrack to the function that only does it for the player, or just do a code injection there and check right there if it's the player or not.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
icodeproductions (How do I cheat?)
Reputation: 0
Joined: 18 May 2013 Posts: 4
Posted: Mon May 20, 2013 11:46 am Post subject:
Dark Byte wrote:
As you can see here:
Code:
call instance void Health::SetHealth(float32)
That means that SetHealth (and probably the health variable itself) is a float32.
In CE that is just "Float" (not 4 byte).
You could try CE's debugger. Once you have found the health and added it to the list, right-click it and choose "Find out what writes to this address".
You will most likely get inside the "SetHealth" function then, and from there you might be able to backtrack to the function that only does it for the player, or just do a code injection there and check right there if it's the player or not.
Dark Byte, the health is encrypted. I can't seem to find the addresses by doing a float search, please help.
_________________
learning to re....
Dark Byte (Site Admin)
Reputation: 470
Joined: 09 May 2003 Posts: 25791 Location: The Netherlands
Posted: Mon May 20, 2013 11:55 am Post subject:
Check out Health::SetHealth and check how it's stored.
(Or else just try changed/unchanged scans.)
Also, I noticed this game is a multiplayer game, so I doubt it's possible to change your health (not on your computer).
Something else you could try is disabling the JIT and optimization using some kind of flag (e.g. a .ini with the same name as the assembly).
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
icodeproductions (How do I cheat?)
Reputation: 0
Joined: 18 May 2013 Posts: 4
Posted: Mon May 20, 2013 12:23 pm Post subject:
Dark Byte wrote:
Check out Health::SetHealth and check how it's stored.
(Or else just try changed/unchanged scans.)
Also, I noticed this game is a multiplayer game, so I doubt it's possible to change your health (not on your computer).
Something else you could try is disabling the JIT and optimization using some kind of flag (e.g. a .ini with the same name as the assembly).
public void SetHealth(float newHealth)
{
this.health = UnityHelper.MemorySetter(newHealth, 0x61, 7);
}
Code:
.method public hidebysig instance void SetHealth(float32 newHealth) cil managed
// SIG: 20 01 01 0C
{
// Method begins at RVA 0x475d8
// Code size 16 (0x10)
.maxstack 8
IL_0000: /* 02 | */ ldarg.0
IL_0001: /* 03 | */ ldarg.1
IL_0002: /* 1F | 61 */ ldc.i4.s 97
IL_0004: /* 1D | */ ldc.i4.7
IL_0005: /* 28 | (06)0011CC */ call float32 UnityHelper::MemorySetter(float32,
int32,
int32)
IL_000a: /* 7D | (04)000DF9 */ stfld float32 Health::health
IL_000f: /* 2A | */ ret
} // end of method Health::SetHealth
This is an AOB I found on a YouTube video and it works:
d9 5e 24 83 ec 0c
change to d8 5e 24 83 ec 0c
My health does not change when I get hit....
Everything is client-sided... I am having difficulty because I know I am way out of my depth... please analyze it..
_________________
learning to re....
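Dark Byte's advice to look at how SetHealth stores the value is the key point of this thread: the post shows the call UnityHelper.MemorySetter(newHealth, 0x61, 7) but not its body, which is why a plain Float scan for the on-screen health finds nothing. The C# below is an added illustration, not Begone's code and not the real MemorySetter; it assumes an XOR-and-rotate of the float's bit pattern (with 0x61 and 7 reused only as the example's key and rotation) to show what a scanner sees versus what the game sees, and why such client-side obfuscation is at most a speed bump next to the server-side authority Dark Byte mentions.

```csharp
using System;

// Added illustration (assumed scheme, not Begone's UnityHelper.MemorySetter).
// The real float never sits in memory; only an encoded uint does, so a scanner
// looking for Float 100 has nothing to match. This slows value scans, it does
// not stop them: a multiplayer server must still own and validate health itself.
public sealed class ObfuscatedFloat
{
    private readonly uint key;   // example key (0x61 borrowed from the thread's call)
    private readonly int rot;    // example rotation (7 borrowed from the thread's call)
    private uint stored;         // the only thing a memory scanner can see

    public ObfuscatedFloat(uint key, int rot)
    {
        this.key = key;
        this.rot = rot & 31;
    }

    private static uint Rotl(uint v, int n) => n == 0 ? v : (v << n) | (v >> (32 - n));
    private static uint Rotr(uint v, int n) => n == 0 ? v : (v >> n) | (v << (32 - n));

    // IEEE-754 bit pattern of a float, i.e. what a "Float" scan actually searches for.
    public static uint FloatBits(float f) => BitConverter.ToUInt32(BitConverter.GetBytes(f), 0);

    public void Set(float value) => stored = Rotl(FloatBits(value) ^ key, rot);

    public float Get() => BitConverter.ToSingle(BitConverter.GetBytes(Rotr(stored, rot) ^ key), 0);

    public uint RawBits => stored;
}

public static class Demo
{
    public static void Main()
    {
        var health = new ObfuscatedFloat(0x61, 7);
        health.Set(100f);
        // A scanner searching for Float 100 looks for the plain bit pattern ...
        Console.WriteLine("plain bits of 100f: 0x{0:X8}", ObfuscatedFloat.FloatBits(100f));
        // ... but memory holds the encoded word, so the scan has no hit.
        Console.WriteLine("what memory holds:  0x{0:X8}", health.RawBits);
        Console.WriteLine("value the game sees: {0}", health.Get());

        // Mirrors OnEventPlayerDamage above: SetHealth(GetHealth() - e.damage).
        health.Set(health.Get() - 25f);
        Console.WriteLine("after 25 damage:     {0}", health.Get());
        Console.WriteLine("memory now holds:   0x{0:X8}", health.RawBits);
    }
}
```

Because the stored word changes every time the value changes, Dark Byte's changed/unchanged scans still work against it, which is exactly why such schemes are an obstacle and not a security boundary.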