Cheat Engine

bacontaskmaster · How do I cheat? Reputation: 0 Joined: 23 May 2020 Posts: 3

So i have an interesting issue.

I used Mono's capabilities to find a class i am interested in. It contains some values, and some pointers and i found the exact instance i want to dissect.

I got a static pointer to the class instance, and copied it to make some direct references to the containing data i need. And that a pointer to a Dictionary that is String, Object. And i know the object is a struct with 2 int's from other reverse engineering efforts.

However, due to how dictionaries work, i can't really get the data from the dictionary. It looks like the strings are not even present in memory at all (instead they are probably stored as hashcodes in this dictionary?)

I found thought Mono dissector the layout of this dictionary. Which should clue me in on where the data is. It seems like the fields do not have the proper offsets.

I made an effort to try and figure out through the pointer that i KNOW is a dictionary like this, in which order or at what offset the different values might be. But since i know the "count" and none of the values actually reflect the count as i expect it to be, and the pointers are even harder to confirm. I do not know where to go from here.

How does one dissect this?
And why does Mono dissector not find the proper offsets for these fields on it's own?

panraven · Posted: Mon May 25, 2020 11:39 am Post subject:

The dictionary should work like:

bacontaskmaster · How do I cheat? Reputation: 0 Joined: 23 May 2020 Posts: 3

Ok, so buckets are not going to help me if i understand you correctl. But an ENTRIES things, should be an array of "Entry" types, which should just be a chain of all the entries in a linear-ish way.

Again the Mono dissector tells me this contains:
hashcode (int32)
next (int32)
key (int32 or String?, TKey)
value (Struct(int32,int32), TValue)

Which are basically the actual container values to set up the content of the buckets, no?

But since i can not find the strings i know it had as input in any of the pointers from the dictionary, i assume the Key's are not actually found as strings since CE can't find the string or i can't find a reference to a string.

If i understood you correctly. could the offsets of the parameters change per statup of the app as well? That would kinda ruin the party as well.

EDIT: Forgot to mention that this is all originally C# code that got IL2CPP treatment. It's a C# dictionary, not a C++ variant or whatever, if that was no unclear.

panraven · Posted: Mon May 25, 2020 5:33 pm Post subject:

No, you probably right, if you found the VALUE your own way.

Using Pointer probably still not reliable, but if the structure is known, you may find it.

Try a decompiler like dnspy, justdecompile. If it is not il2cpp, the source can be reveal, even il2cpp should be possible if you familiar with some advance debug tool.
Btw, the version I check for Dictionary use Link (linked-list) instead of buckers (as name), so the internal structure may be different in different version of unity.

Then it need programming, using Lua may be a bit better controlled than using assembler (should be still posible in il2cpp?), given that all operation is read only (so thread safe?)

eg. not sure in your version, the bool TryGetValue(Key, out ptr ^Value) function may be what you interested .

Yet, the VALUE found may be obsolete when the item changed.

bacontaskmaster · How do I cheat? Reputation: 0 Joined: 23 May 2020 Posts: 3

Ok, so i think i got a bit lucky. Due to how this dictionary was used. All values were always at a fixed offset of the definition of the Dictionary.

They initialize it, then fill it, and before they re-fill it they Clear() it. Causing the actual elements to just be a little further in memory than expected, but seemingly at a fixed offset in a fixed order. So that works for me! It was all just 1 pointer away and it didn't spot it.

Thanks for helping out!