├── .gitattributes ├── .gitignore ├── Logging.h ├── PVZ2ExampleMod.cpp ├── PVZ2ExampleMod.h ├── PVZ2ExampleMod.sln ├── PvZ2 └── Board.h ├── README.md ├── SexyTypes.h ├── deps ├── lib │ └── armeabi-v7a │ │ ├── libc++_shared.so │ │ └── libsubstrate.so └── smali │ └── com │ └── loadLib │ ├── libLoader$1.smali │ └── libLoader.smali ├── hook.vcxproj ├── hook.vcxproj.filters ├── memUtils.cpp ├── memUtils.h └── pch.h /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Mono auto generated files 17 | mono_crash.* 18 | 19 | # Build results 20 | [Dd]ebug/ 21 | [Dd]ebugPublic/ 22 | [Rr]elease/ 23 | [Rr]eleases/ 24 | x64/ 25 | x86/ 26 | [Ww][Ii][Nn]32/ 27 | [Aa][Rr][Mm]/ 28 | [Aa][Rr][Mm]64/ 29 | bld/ 30 | [Bb]in/ 31 | [Oo]bj/ 32 | [Oo]ut/ 33 | [Ll]og/ 34 | [Ll]ogs/ 35 | 36 | # Visual Studio 2015/2017 cache/options directory 37 | .vs/ 38 | # Uncomment if you have tasks that create the project's static files in wwwroot 39 | #wwwroot/ 40 | 41 | # Visual Studio 2017 auto generated files 42 | Generated\ Files/ 43 | 44 | # MSTest test Results 45 | [Tt]est[Rr]esult*/ 46 | [Bb]uild[Ll]og.* 47 | 48 | # NUnit 49 | *.VisualState.xml 50 | TestResult.xml 51 | nunit-*.xml 52 | 53 | # Build Results of an ATL Project 54 | [Dd]ebugPS/ 55 | [Rr]eleasePS/ 56 | dlldata.c 57 | 58 | # Benchmark Results 59 | BenchmarkDotNet.Artifacts/ 60 | 61 | # .NET Core 62 | project.lock.json 63 | project.fragment.lock.json 64 | artifacts/ 65 | 66 | # ASP.NET Scaffolding 67 | ScaffoldingReadMe.txt 68 | 69 | # StyleCop 70 | StyleCopReport.xml 71 | 72 | # Files built by Visual Studio 73 | *_i.c 74 | *_p.c 75 | *_h.h 76 | *.ilk 77 | *.meta 78 | *.obj 79 | *.iobj 80 | *.pch 81 | *.pdb 82 | *.ipdb 83 | *.pgc 84 | *.pgd 85 | *.rsp 86 | *.sbr 87 | *.tlb 88 | *.tli 89 | *.tlh 90 | *.tmp 91 | *.tmp_proj 92 | *_wpftmp.csproj 93 | *.log 94 | *.vspscc 95 | *.vssscc 96 | .builds 97 | *.pidb 98 | *.svclog 99 | *.scc 100 | 101 | # Chutzpah Test files 102 | _Chutzpah* 103 | 104 | # Visual C++ cache files 105 | ipch/ 106 | *.aps 107 | *.ncb 108 | *.opendb 109 | *.opensdf 110 | *.sdf 111 | *.cachefile 112 | *.VC.db 113 | *.VC.VC.opendb 114 | 115 | # Visual Studio profiler 116 | *.psess 117 | *.vsp 118 | *.vspx 119 | *.sap 120 | 121 | # Visual Studio Trace Files 122 | *.e2e 123 | 124 | # TFS 2012 Local Workspace 125 | $tf/ 126 | 127 | # Guidance Automation Toolkit 128 | *.gpState 129 | 130 | # ReSharper is a .NET coding add-in 131 | _ReSharper*/ 132 | *.[Rr]e[Ss]harper 133 | *.DotSettings.user 134 | 135 | # TeamCity is a build add-in 136 | _TeamCity* 137 | 138 | # DotCover is a Code Coverage Tool 139 | *.dotCover 140 | 141 | # AxoCover is a Code Coverage Tool 142 | .axoCover/* 143 | !.axoCover/settings.json 144 | 145 | # Coverlet is a free, cross platform Code Coverage Tool 146 | coverage*.json 147 | coverage*.xml 148 | coverage*.info 149 | 150 | # Visual Studio code coverage results 151 | *.coverage 152 | *.coveragexml 153 | 154 | # NCrunch 155 | _NCrunch_* 156 | .*crunch*.local.xml 157 | nCrunchTemp_* 158 | 159 | # MightyMoose 160 | *.mm.* 161 | AutoTest.Net/ 162 | 163 | # Web workbench (sass) 164 | .sass-cache/ 165 | 166 | # Installshield output folder 167 | [Ee]xpress/ 168 | 169 | # DocProject is a documentation generator add-in 170 | DocProject/buildhelp/ 171 | DocProject/Help/*.HxT 172 | DocProject/Help/*.HxC 173 | DocProject/Help/*.hhc 174 | DocProject/Help/*.hhk 175 | DocProject/Help/*.hhp 176 | DocProject/Help/Html2 177 | DocProject/Help/html 178 | 179 | # Click-Once directory 180 | publish/ 181 | 182 | # Publish Web Output 183 | *.[Pp]ublish.xml 184 | *.azurePubxml 185 | # Note: Comment the next line if you want to checkin your web deploy settings, 186 | # but database connection strings (with potential passwords) will be unencrypted 187 | *.pubxml 188 | *.publishproj 189 | 190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 191 | # checkin your Azure Web App publish settings, but sensitive information contained 192 | # in these scripts will be unencrypted 193 | PublishScripts/ 194 | 195 | # NuGet Packages 196 | *.nupkg 197 | # NuGet Symbol Packages 198 | *.snupkg 199 | # The packages folder can be ignored because of Package Restore 200 | **/[Pp]ackages/* 201 | # except build/, which is used as an MSBuild target. 202 | !**/[Pp]ackages/build/ 203 | # Uncomment if necessary however generally it will be regenerated when needed 204 | #!**/[Pp]ackages/repositories.config 205 | # NuGet v3's project.json files produces more ignorable files 206 | *.nuget.props 207 | *.nuget.targets 208 | 209 | # Microsoft Azure Build Output 210 | csx/ 211 | *.build.csdef 212 | 213 | # Microsoft Azure Emulator 214 | ecf/ 215 | rcf/ 216 | 217 | # Windows Store app package directories and files 218 | AppPackages/ 219 | BundleArtifacts/ 220 | Package.StoreAssociation.xml 221 | _pkginfo.txt 222 | *.appx 223 | *.appxbundle 224 | *.appxupload 225 | 226 | # Visual Studio cache files 227 | # files ending in .cache can be ignored 228 | *.[Cc]ache 229 | # but keep track of directories ending in .cache 230 | !?*.[Cc]ache/ 231 | 232 | # Others 233 | ClientBin/ 234 | ~$* 235 | *~ 236 | *.dbmdl 237 | *.dbproj.schemaview 238 | *.jfm 239 | *.pfx 240 | *.publishsettings 241 | orleans.codegen.cs 242 | 243 | # Including strong name files can present a security risk 244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 245 | #*.snk 246 | 247 | # Since there are multiple workflows, uncomment next line to ignore bower_components 248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 249 | #bower_components/ 250 | 251 | # RIA/Silverlight projects 252 | Generated_Code/ 253 | 254 | # Backup & report files from converting an old project file 255 | # to a newer Visual Studio version. Backup files are not needed, 256 | # because we have git ;-) 257 | _UpgradeReport_Files/ 258 | Backup*/ 259 | UpgradeLog*.XML 260 | UpgradeLog*.htm 261 | ServiceFabricBackup/ 262 | *.rptproj.bak 263 | 264 | # SQL Server files 265 | *.mdf 266 | *.ldf 267 | *.ndf 268 | 269 | # Business Intelligence projects 270 | *.rdl.data 271 | *.bim.layout 272 | *.bim_*.settings 273 | *.rptproj.rsuser 274 | *- [Bb]ackup.rdl 275 | *- [Bb]ackup ([0-9]).rdl 276 | *- [Bb]ackup ([0-9][0-9]).rdl 277 | 278 | # Microsoft Fakes 279 | FakesAssemblies/ 280 | 281 | # GhostDoc plugin setting file 282 | *.GhostDoc.xml 283 | 284 | # Node.js Tools for Visual Studio 285 | .ntvs_analysis.dat 286 | node_modules/ 287 | 288 | # Visual Studio 6 build log 289 | *.plg 290 | 291 | # Visual Studio 6 workspace options file 292 | *.opt 293 | 294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 295 | *.vbw 296 | 297 | # Visual Studio LightSwitch build output 298 | **/*.HTMLClient/GeneratedArtifacts 299 | **/*.DesktopClient/GeneratedArtifacts 300 | **/*.DesktopClient/ModelManifest.xml 301 | **/*.Server/GeneratedArtifacts 302 | **/*.Server/ModelManifest.xml 303 | _Pvt_Extensions 304 | 305 | # Paket dependency manager 306 | .paket/paket.exe 307 | paket-files/ 308 | 309 | # FAKE - F# Make 310 | .fake/ 311 | 312 | # CodeRush personal settings 313 | .cr/personal 314 | 315 | # Python Tools for Visual Studio (PTVS) 316 | __pycache__/ 317 | *.pyc 318 | 319 | # Cake - Uncomment if you are using it 320 | # tools/** 321 | # !tools/packages.config 322 | 323 | # Tabs Studio 324 | *.tss 325 | 326 | # Telerik's JustMock configuration file 327 | *.jmconfig 328 | 329 | # BizTalk build output 330 | *.btp.cs 331 | *.btm.cs 332 | *.odx.cs 333 | *.xsd.cs 334 | 335 | # OpenCover UI analysis results 336 | OpenCover/ 337 | 338 | # Azure Stream Analytics local run output 339 | ASALocalRun/ 340 | 341 | # MSBuild Binary and Structured Log 342 | *.binlog 343 | 344 | # NVidia Nsight GPU debugger configuration file 345 | *.nvuser 346 | 347 | # MFractors (Xamarin productivity tool) working folder 348 | .mfractor/ 349 | 350 | # Local History for Visual Studio 351 | .localhistory/ 352 | 353 | # BeatPulse healthcheck temp database 354 | healthchecksdb 355 | 356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 357 | MigrationBackup/ 358 | 359 | # Ionide (cross platform F# VS Code tools) working folder 360 | .ionide/ 361 | 362 | # Fody - auto-generated XML schema 363 | FodyWeavers.xsd -------------------------------------------------------------------------------- /Logging.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Useful for filtering logcat 4 | #define LIB_TAG "PVZ2ExampleMod" 5 | 6 | #define LOGI(...) ((void)__android_log_print(ANDROID_LOG_INFO, LIB_TAG, __VA_ARGS__)) 7 | #define LOGW(...) ((void)__android_log_print(ANDROID_LOG_WARN, LIB_TAG, __VA_ARGS__)) -------------------------------------------------------------------------------- /PVZ2ExampleMod.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include "memUtils.h" 8 | #include "PVZ2ExampleMod.h" 9 | #include "SexyTypes.h" 10 | #include "PvZ2/Board.h" 11 | 12 | 13 | #pragma region Alias to ID 14 | 15 | class ZombieAlmanac 16 | { 17 | public: 18 | void* vftable; 19 | std::map m_aliasToId; 20 | }; 21 | 22 | class PlantNameMapper 23 | { 24 | public: 25 | void* vftable; 26 | std::map m_aliasToId; 27 | }; 28 | 29 | #define FIRST_FREE_ZOMBIE_ID 441 30 | #define FIRST_FREE_PLANT_ID 185 31 | 32 | std::vector g_modPlantTypenames; 33 | std::vector g_modZombieTypenames; 34 | 35 | #define REGISTER_PLANT_TYPENAME(typename) \ 36 | g_modPlantTypenames.push_back(typename); \ 37 | 38 | #define REGISTER_ZOMBIE_TYPENAME(typename) \ 39 | g_modZombieTypenames.push_back(typename); \ 40 | 41 | typedef ZombieAlmanac* (*ZombieAlmanacCtor)(ZombieAlmanac*); 42 | ZombieAlmanacCtor oZombieAlmanacCtor = NULL; 43 | 44 | void* hkCreateZombieTypenameMap(ZombieAlmanac* a1) 45 | { 46 | // Let the game create the original alias->id map 47 | ZombieAlmanac* obj = oZombieAlmanacCtor(a1); 48 | // Now add our own zombie aliases to it 49 | // (mod aliases can be registered with the REGISTER_ZOMBIE_TYPENAME macro) 50 | for (int iter = 0; iter < g_modZombieTypenames.size(); iter++) 51 | { 52 | obj->m_aliasToId[g_modZombieTypenames[iter]] = FIRST_FREE_ZOMBIE_ID + iter; 53 | } 54 | 55 | return obj; 56 | } 57 | 58 | typedef PlantNameMapper* (*PlantNameMapperCtor)(PlantNameMapper*); 59 | PlantNameMapperCtor oPlantNameMapperCtor = NULL; 60 | 61 | void* hkCreatePlantNameMapper(PlantNameMapper* self) 62 | { 63 | // Same deal with the ZombieAlamanc::ctor hook 64 | PlantNameMapper* obj = oPlantNameMapperCtor(self); 65 | for (int iter = 0; iter < g_modPlantTypenames.size(); iter++) 66 | { 67 | obj->m_aliasToId[g_modPlantTypenames[iter]] = FIRST_FREE_PLANT_ID + iter; 68 | } 69 | 70 | return obj; 71 | } 72 | 73 | #pragma endregion 74 | 75 | #pragma region Mummy Memory Fix 76 | 77 | // The original function is broken for some reason. We don't need it 78 | uint oCamelZombieFunc = NULL; 79 | 80 | typedef void(*camelMinigameModuleFunc)(int, int, int); 81 | camelMinigameModuleFunc cmmFunc = (camelMinigameModuleFunc)getActualOffset(0x797494); 82 | 83 | void hkCamelZombieFunc(int a1, int a2, int a3) 84 | { 85 | // Redirect call to some function in CamelMinigameModule 86 | // This fixes the crash when camels are rising from the ground 87 | cmmFunc(a1, a2, a3); 88 | } 89 | 90 | #pragma endregion 91 | 92 | #pragma region Piano Zombie List 93 | 94 | typedef bool (*initZombiePianoList)(int, int); 95 | initZombiePianoList oInitZombiePianoList = NULL; 96 | 97 | std::vector* g_pianoList = NULL; 98 | bool g_pianoListInitialized = false; 99 | 100 | bool hkInitZombiePianoList(int a1, int a2) 101 | { 102 | // This function is called every frame when a piano zombie is on screen 103 | // So this global bool is needed to prevent wasting a massive amount of cpu time 104 | if (!g_pianoListInitialized) 105 | { 106 | bool orig = oInitZombiePianoList(a1, a2); 107 | 108 | uint ptrAddr = getActualOffset(0x1CE922C); // address of piano zombie's list in memory 109 | g_pianoList = reinterpret_cast*>(ptrAddr); 110 | 111 | // @todo: add this to piano zombie's props instead? 112 | g_pianoList->clear(); 113 | g_pianoList->push_back("cowboy"); 114 | g_pianoList->push_back("cowboy_armor1"); 115 | g_pianoList->push_back("cowboy_armor2"); 116 | g_pianoList->push_back("cowboy_armor4"); 117 | g_pianoList->push_back("pirate_gargantuar"); 118 | 119 | g_pianoListInitialized = true; 120 | } 121 | return oInitZombiePianoList(a1, a2); 122 | } 123 | 124 | #pragma endregion 125 | 126 | #pragma region Board Zoom 127 | 128 | int gWidth = 0; 129 | int gHeight = 0; 130 | 131 | enum AspectRatio 132 | { 133 | Letterbox, 134 | Widescreen, 135 | Ultrawide, 136 | }; 137 | 138 | AspectRatio GetAspectRatio() 139 | { 140 | float ratio = (float)gWidth / (float)gHeight; 141 | if (ratio <= 1.4f) 142 | { 143 | return Letterbox; 144 | } 145 | else if (ratio >= 1.41f && ratio <= 1.85f) 146 | { 147 | return Widescreen; 148 | } 149 | else if (ratio >= 1.86f) 150 | { 151 | return Ultrawide; 152 | } 153 | } 154 | 155 | typedef void(*ReinitForSurfaceChange)(int, int, int, int, int); 156 | ReinitForSurfaceChange oRFSC = nullptr; 157 | 158 | void HkReinitForSurfaceChange(int thisptr, int a2, int width, int height, int a5) 159 | { 160 | gWidth = width; 161 | gHeight = height; 162 | return oRFSC(thisptr, a2, width, height, a5); 163 | } 164 | 165 | typedef void* (*boardCtor)(void*); 166 | boardCtor oBoardCtor = NULL; 167 | 168 | void* hkBoardCtor(Board* board) 169 | { 170 | oBoardCtor(board); 171 | 172 | board->m_lawnRect.mX = 200; //200 173 | board->m_lawnRect.mY = 160; //160 174 | 175 | switch (GetAspectRatio()) 176 | { 177 | case Letterbox: 178 | { 179 | board->m_lawnRect.mWidth = 576; //576 180 | board->m_lawnRect.mHeight = 500; //380 181 | break; 182 | } 183 | case Widescreen: 184 | { 185 | board->m_lawnRect.mWidth = 576; //576 186 | board->m_lawnRect.mHeight = 450; //380 187 | break; 188 | } 189 | case Ultrawide: 190 | { 191 | board->m_lawnRect.mX = 450; 192 | board->m_lawnRect.mY = 160; 193 | board->m_lawnRect.mWidth = 576; //576 194 | board->m_lawnRect.mHeight = 525; //380 195 | break; 196 | } 197 | } 198 | 199 | return board; 200 | } 201 | 202 | #pragma endregion 203 | 204 | #pragma region Dumb Hardcoded Immunities (Healer/Magician) 205 | 206 | // we don't need to save a pointer to the original functions 207 | uint dispose; 208 | 209 | void hkMagicianHealerConditionFunc(int a1, int condition) 210 | { 211 | // Hardcoded immunity checks would go here 212 | return; 213 | } 214 | 215 | bool hkMagicianHealerImmuneToShrink(int a1) 216 | { 217 | // true = immune to shrinking 218 | return false; 219 | } 220 | 221 | bool hkMagicianInitializeFamilyImmunities(int a1, int64_t a2) 222 | { 223 | typedef bool(*zFamilyFunc)(int); 224 | zFamilyFunc func = (zFamilyFunc)getActualOffset(0x8C70A0); // function 93 in Zombie's vftable 225 | return func(a1); 226 | } 227 | 228 | #pragma endregion 229 | 230 | __attribute__((constructor)) 231 | // This is automatically executed when the lib is loaded 232 | // Run your initialization code here 233 | void libPVZ2ExampleMod_main() 234 | { 235 | LOGI("Initializing %s", LIB_TAG); 236 | // New, easier to manage way of adding typenames to the plant/zombie name mapper 237 | REGISTER_PLANT_TYPENAME("funny_tomato"); 238 | 239 | REGISTER_ZOMBIE_TYPENAME("steam"); 240 | 241 | // Function hooks 242 | PVZ2HookFunction(0x105123C, (void*)hkCreateZombieTypenameMap, (void**)&oZombieAlmanacCtor, "ZombieAlmanac::ZombieAlamanc"); 243 | PVZ2HookFunction(0xD994B8, (void*)hkCreatePlantNameMapper, (void**)&oPlantNameMapperCtor, "PlantNameMapper::PlantNameMapper"); 244 | PVZ2HookFunction(0x7942BC, (void*)hkCamelZombieFunc, (void**)&oCamelZombieFunc, "CamelZombie::vftable_func_0xEC"); 245 | PVZ2HookFunction(0x890108, (void*)hkInitZombiePianoList, (void**)&oInitZombiePianoList, "ZombiePiano::getTypenameList"); 246 | PVZ2HookFunction(0x127415C, (void*)HkReinitForSurfaceChange, (void**)&oRFSC, "ReinitForSurfaceChanged"); 247 | PVZ2HookFunction(0x71A004, (void*)hkBoardCtor, (void**)&oBoardCtor, "Board::Board"); 248 | PVZ2HookFunction(0x884B6C, (void*)hkMagicianHealerImmuneToShrink, (void**)&dispose, "ZombieCarnieMagician::IsImmuneToShrink"); 249 | PVZ2HookFunction(0x881C4C, (void*)hkMagicianHealerImmuneToShrink, (void**)&dispose, "ZombieRomanHealer::IsImmuneToShrink"); 250 | PVZ2HookFunction(0x86CCAC, (void*)hkMagicianHealerConditionFunc, (void**)&dispose, "ZombieCarnieMagician::ConditionFunc"); 251 | PVZ2HookFunction(0x84EAA0, (void*)hkMagicianHealerConditionFunc, (void**)&dispose, "ZombieRomanHealer::ConditionFunc"); 252 | PVZ2HookFunction(0x86CCC0, (void*)hkMagicianInitializeFamilyImmunities, (void**)&dispose, "ZombieRomanHealer::InitializeFamilyImmunities"); 253 | 254 | LOGI("Finished initializing"); 255 | } -------------------------------------------------------------------------------- /PVZ2ExampleMod.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | class hook 4 | { 5 | public: 6 | const char * getPlatformABI(); 7 | hook(); 8 | ~hook(); 9 | }; 10 | 11 | -------------------------------------------------------------------------------- /PVZ2ExampleMod.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.8.34330.188 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "hook", "hook.vcxproj", "{B46C95EB-3ECF-4358-8A84-919FD88A5339}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|ARM = Debug|ARM 11 | Debug|ARM64 = Debug|ARM64 12 | Debug|x64 = Debug|x64 13 | Debug|x86 = Debug|x86 14 | Release|ARM = Release|ARM 15 | Release|ARM64 = Release|ARM64 16 | Release|x64 = Release|x64 17 | Release|x86 = Release|x86 18 | EndGlobalSection 19 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 20 | {B46C95EB-3ECF-4358-8A84-919FD88A5339}.Debug|ARM.ActiveCfg = Debug|ARM 21 | {B46C95EB-3ECF-4358-8A84-919FD88A5339}.Debug|ARM.Build.0 = Debug|ARM 22 | {B46C95EB-3ECF-4358-8A84-919FD88A5339}.Debug|ARM64.ActiveCfg = Debug|ARM64 23 | {B46C95EB-3ECF-4358-8A84-919FD88A5339}.Debug|ARM64.Build.0 = Debug|ARM64 24 | {B46C95EB-3ECF-4358-8A84-919FD88A5339}.Debug|x64.ActiveCfg = Debug|x64 25 | {B46C95EB-3ECF-4358-8A84-919FD88A5339}.Debug|x64.Build.0 = Debug|x64 26 | {B46C95EB-3ECF-4358-8A84-919FD88A5339}.Debug|x86.ActiveCfg = Debug|x86 27 | {B46C95EB-3ECF-4358-8A84-919FD88A5339}.Debug|x86.Build.0 = Debug|x86 28 | {B46C95EB-3ECF-4358-8A84-919FD88A5339}.Release|ARM.ActiveCfg = Release|ARM 29 | {B46C95EB-3ECF-4358-8A84-919FD88A5339}.Release|ARM.Build.0 = Release|ARM 30 | {B46C95EB-3ECF-4358-8A84-919FD88A5339}.Release|ARM64.ActiveCfg = Release|ARM64 31 | {B46C95EB-3ECF-4358-8A84-919FD88A5339}.Release|ARM64.Build.0 = Release|ARM64 32 | {B46C95EB-3ECF-4358-8A84-919FD88A5339}.Release|x64.ActiveCfg = Release|x64 33 | {B46C95EB-3ECF-4358-8A84-919FD88A5339}.Release|x64.Build.0 = Release|x64 34 | {B46C95EB-3ECF-4358-8A84-919FD88A5339}.Release|x86.ActiveCfg = Release|x86 35 | {B46C95EB-3ECF-4358-8A84-919FD88A5339}.Release|x86.Build.0 = Release|x86 36 | EndGlobalSection 37 | GlobalSection(SolutionProperties) = preSolution 38 | HideSolutionNode = FALSE 39 | EndGlobalSection 40 | GlobalSection(ExtensibilityGlobals) = postSolution 41 | SolutionGuid = {1B80D02E-0D4B-48C7-B4E7-A99B0E26A2B2} 42 | EndGlobalSection 43 | EndGlobal 44 | -------------------------------------------------------------------------------- /PvZ2/Board.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define GRID_TILE_WIDTH 64.0f 4 | 5 | #define BOARD_START_POS 232.0f 6 | #define BOARD_END_POS 776.0f 7 | 8 | class Board 9 | { 10 | public: 11 | char pad_0000[148]; //0x0000 12 | int m_columnCount; //0x0094 13 | int m_rowCount; //0x0098 14 | char pad_009C[676]; //0x009C 15 | Rect m_lawnRect; //0x0340 16 | }; -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # **Example Mod for PvZ2** 2 | 3 | # Credits 4 | 5 | [Smali lib loader](https://github.com/joeyjurjens/Android-Hooking-Template) by **joeyjurjens** 6 | 7 | # What is this? 8 | 9 | Example Mod is an example of how function hooking (using [Cydia Substrate](http://www.cydiasubstrate.com/)) can be utilized in PvZ2. All of the addresses and function definitions are from PvZ2 9.4.1's ARM-v7a lib. 10 | 11 | Update 1/10/2025: I've seen people perpetuating the myth that code injection is "unstable" - it's not. The only way for code injection to become unstable is if the code you inject is buggy. 12 | Please don't let this myth deter you from potentially using code injection in your mod. 13 | 14 | # Current Features 15 | 16 | * Adding new internal Plant IDs 17 | * Adding new internal Zombie IDs 18 | * Mummy Memory crash fix 19 | 20 | # Build Instructions 21 | 22 | ### Prerequisites 23 | * Android Studio 24 | * Android Substrate SDK for Android Studio (see: [Android Substrate SDK](http://www.cydiasubstrate.com/id/73e45fe5-4525-4de7-ac14-6016652cc1b8/)) 25 | * Android C++ for Visual Studio 2022 26 | 27 | After you have all the prerequisites above, simply clone the repo and open the solution in Visual Studio 2022. To build the lib, you'll need to change some of the local paths in the project: 28 | 29 | * C/C++ 30 | * * Additional Include Directories: Change the substrate path to the root directory of the substrate path on your computer. 31 | 32 | * Linker 33 | * * Additional Library Directories: Change the substrate lib path to the path of the **\lib\armeabi** directory in your substrate folder. 34 | 35 | Now you should be able to build the lib. Before attempting a build, make sure the config is set to Debug ARM and not Debug x64 or anything else. 36 | 37 | ### APK Integration 38 | 39 | * Build the lib and copy the resulting lib to the **lib\armeabi-v7a** folder in your APK. 40 | * Delete the **arm64-v8a** folder in the lib folder. 41 | * Copy both of the libs in this repo's **deps\lib\armeabi-v7a** folder to the **lib\armeabi-v7a** folder in your APK. 42 | * Copy the **smali** folder in this repo's **deps** folder and paste it into the root of your APK. This will automatically place the files where they need to go. 43 | * Rebuild your APK, install it, and play. Your custom code will be injected into PvZ2 as soon as the app is opened. 44 | -------------------------------------------------------------------------------- /SexyTypes.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | 5 | typedef std::string SexyString; 6 | 7 | typedef uint8_t byte; 8 | typedef unsigned short ushort; 9 | typedef unsigned int uint; 10 | typedef unsigned long ulong; 11 | 12 | struct SexyVector3 13 | { 14 | float mX, mY, mZ; 15 | 16 | SexyVector3(float x, float y, float z) 17 | { 18 | mX = x; 19 | mY = y; 20 | mZ = z; 21 | } 22 | }; 23 | 24 | struct Rect 25 | { 26 | int mX, mY, mWidth, mHeight; 27 | }; -------------------------------------------------------------------------------- /deps/lib/armeabi-v7a/libc++_shared.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/BreakfastBrainz2/PVZ2ExampleMod/8a232c3796eb315a409102d182689f36922ab385/deps/lib/armeabi-v7a/libc++_shared.so -------------------------------------------------------------------------------- /deps/lib/armeabi-v7a/libsubstrate.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/BreakfastBrainz2/PVZ2ExampleMod/8a232c3796eb315a409102d182689f36922ab385/deps/lib/armeabi-v7a/libsubstrate.so -------------------------------------------------------------------------------- /deps/smali/com/loadLib/libLoader$1.smali: -------------------------------------------------------------------------------- 1 | .class final Lcom/loadLib/libLoader$1; 2 | .super Ljava/lang/Object; 3 | .source "libLoader.java" 4 | 5 | # interfaces 6 | .implements Ljava/lang/Runnable; 7 | 8 | 9 | # annotations 10 | .annotation system Ldalvik/annotation/EnclosingMethod; 11 | value = Lcom/JvRuit/Ldr;->loadLib()V 12 | .end annotation 13 | 14 | .annotation system Ldalvik/annotation/InnerClass; 15 | accessFlags = 0x8 16 | name = null 17 | .end annotation 18 | 19 | 20 | # direct methods 21 | .method constructor ()V 22 | .locals 0 23 | 24 | .prologue 25 | .line 14 26 | invoke-direct {p0}, Ljava/lang/Object;->()V 27 | 28 | return-void 29 | .end method 30 | 31 | 32 | # virtual methods 33 | .method public run()V 34 | .locals 1 35 | 36 | .prologue 37 | const-string/jumbo v0, "c++_shared" 38 | 39 | invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V 40 | .line 17 41 | const-string/jumbo v0, "substrate" 42 | 43 | invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V 44 | 45 | const-string/jumbo v0, "PVZ2ExampleMod" 46 | 47 | invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V 48 | 49 | .line 18 50 | return-void 51 | .end method 52 | -------------------------------------------------------------------------------- /deps/smali/com/loadLib/libLoader.smali: -------------------------------------------------------------------------------- 1 | .class public Lcom/loadLib/libLoader; 2 | .super Landroid/app/Activity; 3 | .source "libLoader.java" 4 | 5 | 6 | # direct methods 7 | .method public constructor ()V 8 | .locals 0 9 | 10 | .prologue 11 | .line 12 12 | invoke-direct {p0}, Landroid/app/Activity;->()V 13 | 14 | return-void 15 | .end method 16 | 17 | .method public static loadLib()V 18 | .locals 4 19 | 20 | .prologue 21 | .line 14 22 | new-instance v0, Landroid/os/Handler; 23 | 24 | invoke-direct {v0}, Landroid/os/Handler;->()V 25 | 26 | new-instance v1, Lcom/loadLib/libLoader$1; 27 | 28 | invoke-direct {v1}, Lcom/loadLib/libLoader$1;->()V 29 | 30 | const-wide/16 v2, 0x1 31 | 32 | invoke-virtual {v0, v1, v2, v3}, Landroid/os/Handler;->postDelayed(Ljava/lang/Runnable;J)Z 33 | 34 | .line 20 35 | return-void 36 | .end method 37 | -------------------------------------------------------------------------------- /hook.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | ARM 7 | 8 | 9 | Release 10 | ARM 11 | 12 | 13 | Debug 14 | ARM64 15 | 16 | 17 | Release 18 | ARM64 19 | 20 | 21 | Debug 22 | x64 23 | 24 | 25 | Release 26 | x64 27 | 28 | 29 | Debug 30 | x86 31 | 32 | 33 | Release 34 | x86 35 | 36 | 37 | 38 | {b46c95eb-3ecf-4358-8a84-919fd88a5339} 39 | Android 40 | PVZ2ExampleMod 41 | 14.0 42 | Android 43 | 3.0 44 | PVZ2ExampleMod 45 | 46 | 47 | 48 | DynamicLibrary 49 | true 50 | Clang_5_0 51 | 52 | 53 | DynamicLibrary 54 | false 55 | Clang_5_0 56 | 57 | 58 | DynamicLibrary 59 | true 60 | Clang_5_0 61 | c++_shared 62 | 63 | 64 | DynamicLibrary 65 | false 66 | Clang_5_0 67 | c++_shared 68 | 69 | 70 | DynamicLibrary 71 | true 72 | Clang_5_0 73 | 74 | 75 | DynamicLibrary 76 | false 77 | Clang_5_0 78 | 79 | 80 | DynamicLibrary 81 | true 82 | Clang_5_0 83 | 84 | 85 | DynamicLibrary 86 | false 87 | Clang_5_0 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | Use 113 | pch.h 114 | C:\Users\brekko\AppData\Local\Android\Sdk\extras\saurikit\cydia_substrate;%(AdditionalIncludeDirectories) 115 | 116 | 117 | C:\Users\brekko\AppData\Local\Android\Sdk\extras\saurikit\cydia_substrate\lib\armeabi;%(AdditionalLibraryDirectories) 118 | 119 | 120 | 121 | 122 | Use 123 | pch.h 124 | 125 | 126 | 127 | 128 | Use 129 | pch.h 130 | 131 | 132 | 133 | 134 | Use 135 | pch.h 136 | 137 | 138 | 139 | 140 | Use 141 | pch.h 142 | 143 | 144 | 145 | 146 | Use 147 | pch.h 148 | 149 | 150 | 151 | 152 | Use 153 | pch.h 154 | $(ProjectDir)include;C:\Users\brekko\AppData\Local\Android\Sdk\extras\saurikit\cydia_substrate;%(AdditionalIncludeDirectories) 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | %(SharedLibrarySearchPath) 164 | 165 | 166 | C:\Users\brekko\AppData\Local\Android\Sdk\extras\saurikit\cydia_substrate\lib\armeabi;%(AdditionalLibraryDirectories) 167 | substrate;%(LibraryDependencies) 168 | 169 | 170 | 171 | 172 | Use 173 | pch.h 174 | $(ProjectDir)include;C:\Users\brekko\AppData\Local\Android\Sdk\extras\saurikit\cydia_substrate;%(AdditionalIncludeDirectories) 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | %(SharedLibrarySearchPath) 184 | 185 | 186 | C:\Users\brekko\AppData\Local\Android\Sdk\extras\saurikit\cydia_substrate\lib\armeabi;%(AdditionalLibraryDirectories) 187 | substrate;%(LibraryDependencies) 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | 199 | 200 | 201 | 202 | 203 | 204 | -------------------------------------------------------------------------------- /hook.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /memUtils.cpp: -------------------------------------------------------------------------------- 1 | #include "memUtils.h" 2 | #include "Logging.h" 3 | 4 | #include 5 | 6 | uint g_libAddress = NULL; 7 | 8 | uint getLibraryAddress(const char* libName) { 9 | FILE* fp = fopen("/proc/self/maps", "rt"); 10 | if (fp == NULL) { 11 | perror("fopen"); 12 | return 0; 13 | } 14 | 15 | uint addr = 0; 16 | char line[1024]; 17 | 18 | while (fgets(line, sizeof(line), fp) != NULL) { 19 | if (strstr(line, libName) != NULL) { 20 | addr = strtoul(line, NULL, 16); 21 | LOGI("%s at 0x%x", libName, addr); 22 | break; 23 | } 24 | } 25 | 26 | fclose(fp); 27 | return addr; 28 | } 29 | 30 | uint getActualOffset(uint offset) 31 | { 32 | if (g_libAddress == 0) 33 | { 34 | g_libAddress = getLibraryAddress("libPVZ2.so"); 35 | } 36 | return g_libAddress + offset; 37 | } 38 | 39 | void PVZ2HookFunction(uint offset, void* replace, void** result, const char* funcName) 40 | { 41 | MSHookFunction((void*)getActualOffset(offset), replace, result); 42 | LOGI("Hooked %s", funcName); 43 | } -------------------------------------------------------------------------------- /memUtils.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include "Logging.h" 6 | 7 | extern uint g_libAddress; 8 | // Get base address of a library (.so) loaded in memory. 9 | uint getLibraryAddress(const char* libName); 10 | // Get actual offset of address inside libPVZ2.so 11 | uint getActualOffset(uint offset); 12 | // Hook a function in libPVZ2 13 | void PVZ2HookFunction(uint offset, void* replace, void** result, const char* funcName); -------------------------------------------------------------------------------- /pch.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #include 5 | #include 6 | #include 7 | 8 | #include 9 | #include "SexyTypes.h" 10 | --------------------------------------------------------------------------------