├── Bs ├── V11 │ └── libcorescript.js ├── V12 │ ├── libmrvitalik.script.js │ └── retrobrawl.script.js ├── V18 │ └── v18-debug.js ├── V22 │ └── debug22test.js ├── V27 │ ├── libgg.script27.269.1.so │ └── v27.js ├── V28 │ └── libv28infinity.js ├── V29 │ └── libsctest.js ├── V31 │ └── 31.96.js ├── V33 │ └── 33.118.js ├── V35 │ └── 35.js ├── V36 │ ├── 36_218_debug_button_d-1.so │ └── v36.218.js └── V39 │ └── libmeow.so └── README.md /Bs/V11/libcorescript.js: -------------------------------------------------------------------------------- 1 | const base = Module.findBaseAddress("libg.so"); 2 | const readPtr = Module.findExportByName('libc.so', 'read'); 3 | 4 | 5 | const connect = Interceptor.attach(Module.findExportByName(null, 'getaddrinfo'), { 6 | onEnter: function(args) { 7 | this.path = args[0].readUtf8String(); 8 | if (this.path === base.add(0x055AD86).readUtf8String()) { 9 | this.z = args[0] = Memory.allocUtf8String("127.0.0.1"); 10 | } 11 | } 12 | }); 13 | 14 | var buf; 15 | var check = 0; 16 | 17 | const reader = Interceptor.attach(readPtr, { 18 | onEnter: function(args) { 19 | if(args[2] == 32) { 20 | check = 1; 21 | buf = args[1]; 22 | } 23 | }, 24 | onLeave: function(args) { 25 | if(check == 1) { 26 | Memory.writeByteArray(buf, [0xBB, 0x14, 0xD6, 0xFD, 0x2B, 0x7C, 0x98, 0x23, 0xEA, 0xED, 0xB4, 0x33, 0x8C, 0xB7, 0x23, 0x7F, 0x61, 0xE4, 0x22, 0xD2, 0x3C, 0x49, 0x77, 0xF7, 0x4A, 0xDA, 0x05, 0x27, 0x02, 0xC0, 0xC6, 0x2D]); 27 | check = 0; 28 | } 29 | } 30 | }); 31 | -------------------------------------------------------------------------------- /Bs/V12/libmrvitalik.script.js: -------------------------------------------------------------------------------- 1 | var cache = { 2 | modules: {}, 3 | options: {} 4 | }; 5 | 6 | const base = Module.findBaseAddress("libg.so"); 7 | const readPtr = Module.findExportByName('libc.so', 'read'); 8 | const ntohs = new NativeFunction(Module.findExportByName('libc.so', 'ntohs'), 'uint16', ['uint16']); 9 | const inet_addr = new NativeFunction(Module.findExportByName('libc.so', 'inet_addr'), 'int', ['pointer']); 10 | 11 | function setup() { 12 | Interceptor.attach(Module.findExportByName('libc.so', 'connect'), { 13 | onEnter: function(args) { 14 | if (ntohs(Memory.readU16(args[1].add(2))) === 9339) { 15 | var host = Memory.allocUtf8String(cache.options.redirectHost); 16 | Memory.writeInt(args[1].add(4), inet_addr(host)); 17 | } 18 | } 19 | }); 20 | 21 | var buf; 22 | var check = 0; 23 | var lfd; 24 | 25 | const openf = Interceptor.attach(Module.findExportByName("libc.so", "open"), { 26 | onEnter: function(args) { 27 | this.r = (Memory.readUtf8String(args[0]) == "/dev/urandom"); 28 | }, 29 | onLeave: function(retval) { 30 | if(this.r) { 31 | lfd = retval.toInt32(); 32 | } 33 | } 34 | }); 35 | 36 | const reader = Interceptor.attach(readPtr, { 37 | onEnter: function(args) { 38 | if(lfd == args[0].toInt32() && args[2] == 32) { 39 | check = 1; 40 | buf = args[1]; 41 | } 42 | }, 43 | onLeave: function(args) { 44 | if(check == 1) { 45 | Memory.writeByteArray(buf, [0xBB, 0x14, 0xD6, 0xFD, 0x2B, 0x7C, 0x98, 0x23, 0xEA, 0xED, 0xB4, 0x33, 0x8C, 0xB7, 0x23, 0x7F, 0x61, 0xE4, 0x22, 0xD2, 0x3C, 0x49, 0x77, 0xF7, 0x4A, 0xDA, 0x05, 0x27, 0x02, 0xC0, 0xC6, 0x2D]); 46 | check = 0; 47 | } 48 | } 49 | }); 50 | } 51 | 52 | rpc.exports = { 53 | init: function(stage, options) { 54 | cache.options = options || {}; 55 | setup(); 56 | } 57 | }; 58 | -------------------------------------------------------------------------------- /Bs/V12/retrobrawl.script.js: -------------------------------------------------------------------------------- 1 | //this is a script written entirely by me from scratch. Since RetroBrawl team decided to kick me out, I decided to make this script open source. 2 | 3 | var cache = { 4 | modules: {}, 5 | options: {} 6 | }; 7 | 8 | var csvFiles = [ 9 | "csv_logic/cards.csv", 10 | "csv_logic/characters.csv", 11 | "csv_logic/skills.csv", 12 | "csv_logic/projectiles.csv", 13 | "csv_logic/area_effects.csv", 14 | "csv_logic/items.csv", 15 | "csv_logic/maps.csv", 16 | "csv_logic/skins.csv", 17 | "csv_logic/tiles.csv" 18 | ]; 19 | 20 | const base = Module.findBaseAddress('libg.so'); 21 | const readPtr = Module.findExportByName('libc.so', 'read'); 22 | const malloc = new NativeFunction(Module.findExportByName('libc.so', 'malloc'), 'pointer', ['int']); 23 | const ntohs = new NativeFunction(Module.findExportByName('libc.so', 'ntohs'), 'uint16', ['uint16']); 24 | const inet_addr = new NativeFunction(Module.findExportByName('libc.so', 'inet_addr'), 'int', ['pointer']); 25 | const fopen = new NativeFunction(Module.findExportByName('libc.so', 'fopen'), 'pointer', ['pointer', 'pointer']); 26 | 27 | var wait = false; 28 | var ServerConnection = base.add(0x7D2B88).readU8(); 29 | 30 | 31 | function init() { 32 | checkPackageName('com.devbs.retrobrawl'); 33 | checkSignature('308203673082024fa00302010202043bc36e87300d06092a864886f70d01010b050030643110300e0603550406130730303030303030310f300d06035504081306527573736961310f300d060355040713064d6f73636f77310e300c060355040a13054465564273310e300c060355040b13054465564273310e300c060355040313054465564273301e170d3231303232373139323832355a170d3438303731353139323832355a30643110300e0603550406130730303030303030310f300d06035504081306527573736961310f300d060355040713064d6f73636f77310e300c060355040a13054465564273310e300c060355040b13054465564273310e300c06035504031305446556427330820122300d06092a864886f70d01010105000382010f003082010a0282010100dd6e1ff1176cc170409faa72c43bfb89619af888c5899a5bce12a61444e841f0853c971bd0f5d2a1b6c1748e59cb46c6abec1dcacda8efa8488d60a4f8332873019644d810673b14118946b1bc2789a78108070af91b9b39693ba1753b64b3f815c5b615121f67c1ba8aa33de6c7ac0204e216d08438b78c645211408bbf53e5a60adcb31040a81ad401e4278c6fefcf5bdd62226ca975ba84ce66d7176f1d2b3a45fd4c2d15c2862a4f599c51492078534cb800ffd306dd01c6dbf69787a0092023df9596114e760a0890ec07d6f98b19c9eb1f58395f2361d924eee867d966eb933994c7fd09faeb0e4d214942709d1954b470bf7fdf22107dbcc9397f65490203010001a321301f301d0603551d0e04160414225e45a50e9ef8f53caf2841353f848a300b42e3300d06092a864886f70d01010b05000382010100890bd66cab965264a5528042f884fb8ab67739c033deb52f2b7f04d2422f17c8f18d466e81c5099cb9739c247133ec6775ca02aa6a4d953e0c702a02d4270e21e4c36853a831a37327cafbdb21de53a4171c8ab95b564a1f27b823e67002abe09124a5075ce96727ecc8492a4ebba0f24daacd41c2068576d75d01f143176afd330e091b09ac737516827896d303e7cf8126bfb508e5ce4137276f03311c1792f83ce1c20b17e30374c0c2f7fe6cbad5f252c047464989c4e0180c57ad7ffdf9de6dea54997df7321384da775c7772eb3e2a6385674b264ba38d54ec5f1ad75f44655cea5180eb735fa43002f2cef2f2f34c94e79a40c43edb0a86de751f3fea'); 34 | checkFilesInUpdate(); 35 | setKeyVersion(7); 36 | toast('Private server created by RetroBrawl team.\nVK: https://vk.com/retro_brawl'); 37 | connect(); 38 | replaceKey(); 39 | fixer(); 40 | } 41 | 42 | function checkPackageName(packageName) { 43 | if (getPackageName() != packageName) { 44 | exit(); 45 | } 46 | } 47 | 48 | function getPackageName() { 49 | var packagename = ''; 50 | Java.perform(function(argument) { 51 | var context = Java.use('android.app.ActivityThread').currentApplication().getApplicationContext(); 52 | packagename = context.getPackageName(); 53 | }); 54 | return packagename; 55 | } 56 | 57 | function setKeyVersion(version) { 58 | base.add(0x60DD88).writeU16(version); 59 | } 60 | 61 | function getSignature() { 62 | var signature = ''; 63 | Java.perform(function() { 64 | var context = Java.use('android.app.ActivityThread').currentApplication().getApplicationContext(); 65 | var packageInfo = context.getPackageManager().getPackageInfo(getPackageName(), 64).signatures.value[0].toCharsString(); 66 | signature = packageInfo; 67 | }); 68 | return signature; 69 | } 70 | 71 | function checkSignature(signature) { 72 | if (getSignature() != signature) { 73 | exit(); 74 | } 75 | } 76 | 77 | function checkFilesInUpdate() { 78 | for (var i = 0; i < csvFiles.length; i++) { 79 | var path = '/data/data/' + getPackageName() + '/update/' + csvFiles[i]; 80 | var pFile = fopen(createStringPtrFromJSString(path), createStringPtrFromJSString("rb")); 81 | if (pFile.toInt32() != 0) { 82 | exit(); 83 | } 84 | } 85 | } 86 | 87 | function exit() { 88 | Java.scheduleOnMainThread(() => { 89 | Java.use("java.lang.System").exit(0); 90 | }); 91 | }; 92 | 93 | function toast(toastText) { 94 | Java.perform(function() { 95 | var context = Java.use('android.app.ActivityThread').currentApplication().getApplicationContext(); 96 | 97 | Java.scheduleOnMainThread(function() { 98 | var toast = Java.use("android.widget.Toast"); 99 | toast.makeText(context, Java.use("java.lang.String").$new(toastText), 1).show(); 100 | }); 101 | }); 102 | } 103 | 104 | function connect() { 105 | Interceptor.attach(Module.findExportByName(null, 'getaddrinfo'), { 106 | onEnter: function (args) { 107 | this.path = args[0].readUtf8String(); 108 | if (this.path === 'game.brawlstarsgame.com') { 109 | this.z = args[0] = Memory.allocUtf8String(cache.options.redirectHost); 110 | } 111 | } 112 | }); 113 | } 114 | 115 | function replaceKey() { 116 | var buf; 117 | var check = 0; 118 | 119 | const reader = Interceptor.attach(readPtr, { 120 | onEnter: function(args) { 121 | if(this.returnAddress.equals(base.add(0x1715B0)) && args[2] == 32) { 122 | check = 1; 123 | buf = args[1]; 124 | } 125 | }, 126 | onLeave: function(args) { 127 | if(check == 1) { 128 | Memory.writeByteArray(buf, [0x85, 0x98, 0x0a, 0xb6, 0x07, 0x5c, 0xc1, 0x97, 0xab, 0x8d, 0xe0, 0xfa, 0xba, 0x3c, 0x69, 0x96, 0x82, 0xb4, 0x59, 0x97, 0x93, 0x65, 0x43, 0x51, 0x44, 0x48, 0x2f, 0x5e, 0xba, 0xe8, 0x21, 0x45]); 129 | check = 0; 130 | } 131 | } 132 | }); 133 | } 134 | 135 | function fixer() { 136 | Interceptor.attach(Module.findExportByName("libg.so", "glEnable"), { 137 | onEnter: function(args) { 138 | if (this.returnAddress.equals(base.add(0x1cce2c)) && wait !== true) { 139 | wait = true; 140 | checkFilesInUpdate(); 141 | checkServerConnection() 142 | fixProfile(); 143 | } 144 | } 145 | }); 146 | } 147 | 148 | function fixProfile() { 149 | Interceptor.replace(base.add(0x24DB58), new NativeCallback(function(a1) { 150 | return null; 151 | }, "pointer", ["pointer"])); 152 | } 153 | 154 | function checkServerConnection() { 155 | var serverConnectionUpdate = Interceptor.attach(base.add(0x21167C), { 156 | onEnter: function(args) { 157 | ServerConnection = base.add(0x7D2B88).readU8(); 158 | if (ServerConnection === 0) { 159 | wait = false; 160 | checkFilesInUpdate(); 161 | serverConnectionUpdate.detach(); 162 | Interceptor.revert(base.add(0x24DB58)); 163 | } 164 | } 165 | }); 166 | } 167 | 168 | function createStringPtrFromJSString(message) { 169 | var charPtr = malloc(message.length + 1); 170 | Memory.writeUtf8String(charPtr, message); 171 | return charPtr 172 | } 173 | 174 | rpc.exports = { 175 | init: function(stage, options) { 176 | cache.options.redirectHost = 'retrobrawl.devbs.xyz'; 177 | init(); 178 | } 179 | }; 180 | -------------------------------------------------------------------------------- /Bs/V18/v18-debug.js: -------------------------------------------------------------------------------- 1 | // global cache 2 | var cache = { 3 | modules: {}, 4 | options: {} 5 | }; 6 | 7 | console.log("Da"); 8 | const base = Process.findModuleByName('libg.so').base; 9 | const SERVER_CONNECTION = 0xA2B454; 10 | const PTHREAD_COND_WAKE_RETURN = 0x6108AA + 8 + 1; 11 | const CREATE_MESSAGE_BY_TYPE = 0x14161C; 12 | const SELECT_RETURN = 0xB7060; 13 | const POINTER_SIZE = 4; 14 | const WAKEUP_RETURN_ARRAY = [0x889ac, 0x122af8, 0x1a29d0, 0x49d004, 0x52bdb0, 0x53efb4]; 15 | const DEBUG_MENU_CTOR = 0x3A6E70; 16 | const STAGE_ADD_CHILD = 0x36D3A8; 17 | const STAGE_ADDRESS = 0xA2B360; 18 | const ADD_FILE = 0x3A3C84; 19 | const ascdebugsc = 0x9E4F2E; 20 | const DEBUG_MENU_UPDATE_PTR = 0x10DDC4; 21 | const EFFECT_PREVIEW_CTOR = 0x451328; 22 | const EFFECT_PREVIEW_UPDATE_PTR = 0x21F71C; 23 | 24 | var Login = 0; 25 | 26 | const StageAdd = new NativeFunction(base.add(STAGE_ADD_CHILD), 'void', ['pointer', 'pointer']); 27 | const AddFile = new NativeFunction(base.add(ADD_FILE), 'int', ['pointer', 'pointer', 'int', 'int', 'int', 'int']); 28 | const DebugMenuCtor = new NativeFunction(base.add(DEBUG_MENU_CTOR), 'pointer', ['pointer']); 29 | const EffectPreviewCtor = new NativeFunction(base.add(EFFECT_PREVIEW_CTOR), 'pointer', ['pointer']); 30 | const DebugMenuUpdate = new NativeFunction(base.add(DEBUG_MENU_UPDATE_PTR), "int", ["pointer", "float"]); 31 | const EffectPreviewUpdate = new NativeFunction(base.add(EFFECT_PREVIEW_UPDATE_PTR), "int", ["pointer", "float"]); 32 | //libc native functions 33 | var malloc = new NativeFunction(Module.findExportByName('libc.so', 'malloc'), 'pointer', ['int']); 34 | var free = new NativeFunction(Module.findExportByName('libc.so', 'free'), 'void', ['pointer']); 35 | var pthread_mutex_lock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_lock'), 'int', ['pointer']); 36 | var pthread_mutex_unlock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_unlock'), 'int', ['pointer']); 37 | var pthread_cond_signal = new NativeFunction(Module.findExportByName('libc.so', 'pthread_cond_signal'), 'int', ['pointer']); 38 | var select = new NativeFunction(Module.findExportByName('libc.so', 'select'), 'int', ['int', 'pointer', 'pointer', 'pointer', 'pointer']); 39 | var memmove = new NativeFunction(Module.findExportByName('libc.so', 'memmove'), 'pointer', ['pointer', 'pointer', 'int']); 40 | var ntohs = new NativeFunction(Module.findExportByName('libc.so', 'ntohs'), 'uint16', ['uint16']); 41 | var inet_addr = new NativeFunction(Module.findExportByName('libc.so', 'inet_addr'), 'int', ['pointer']); 42 | var libc_send = new NativeFunction(Module.findExportByName('libc.so', 'send'), 'int', ['int', 'pointer', 'int', 'int']); 43 | var libc_recv = new NativeFunction(Module.findExportByName('libc.so', 'recv'), 'int', ['int', 'pointer', 'int', 'int']); 44 | 45 | function toast(toastText) { 46 | Java.perform(function() { 47 | var context = Java.use('android.app.ActivityThread').currentApplication().getApplicationContext(); 48 | 49 | Java.scheduleOnMainThread(function() { 50 | var toast = Java.use("android.widget.Toast"); 51 | toast.makeText(context, Java.use("java.lang.String").$new(toastText), 1).show(); 52 | }); 53 | }); 54 | } 55 | 56 | var Message = { 57 | _getByteStream: function(message) { 58 | return message.add(8); 59 | }, 60 | _getVersion: function(message) { 61 | return Memory.readInt(message.add(4)); 62 | }, 63 | _setVersion: function(message, version) { 64 | Memory.writeInt(message.add(4), version); 65 | }, 66 | _getMessageType: function(message) { 67 | return (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(20)), 'int', ['pointer']))(message); 68 | }, 69 | _encode: function(message) { 70 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(8)), 'void', ['pointer']))(message); 71 | }, 72 | _decode: function(message) { 73 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(12)), 'void', ['pointer']))(message); 74 | }, 75 | _free: function(message) { 76 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(24)), 'void', ['pointer']))(message); 77 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(4)), 'void', ['pointer']))(message); 78 | } 79 | }; 80 | var ByteStream = { 81 | _getOffset: function(byteStream) { 82 | return Memory.readInt(byteStream.add(16)); 83 | }, 84 | _getByteArray: function(byteStream) { 85 | return Memory.readPointer(byteStream.add(28)); 86 | }, 87 | _setByteArray: function(byteStream, array) { 88 | Memory.writePointer(byteStream.add(28), array); 89 | }, 90 | _getLength: function(byteStream) { 91 | return Memory.readInt(byteStream.add(20)); 92 | }, 93 | _setLength: function(byteStream, length) { 94 | Memory.writeInt(byteStream.add(20), length); 95 | } 96 | }; 97 | var Buffer = { 98 | _getEncodingLength: function(buffer) { 99 | return Memory.readU8(buffer.add(2)) << 16 | Memory.readU8(buffer.add(3)) << 8 | Memory.readU8(buffer.add(4)); 100 | }, 101 | _setEncodingLength: function(buffer, length) { 102 | Memory.writeU8(buffer.add(2), length >> 16 & 0xFF); 103 | Memory.writeU8(buffer.add(3), length >> 8 & 0xFF); 104 | Memory.writeU8(buffer.add(4), length & 0xFF); 105 | }, 106 | _setMessageType: function(buffer, type) { 107 | Memory.writeU8(buffer.add(0), type >> 8 & 0xFF); 108 | Memory.writeU8(buffer.add(1), type & 0xFF); 109 | }, 110 | _getMessageVersion: function(buffer) { 111 | return Memory.readU8(buffer.add(5)) << 8 | Memory.readU8(buffer.add(6)); 112 | }, 113 | _setMessageVersion: function(buffer, version) { 114 | Memory.writeU8(buffer.add(5), version >> 8 & 0xFF); 115 | Memory.writeU8(buffer.add(6), version & 0xFF); 116 | }, 117 | _getMessageType: function(buffer) { 118 | return Memory.readU8(buffer) << 8 | Memory.readU8(buffer.add(1)); 119 | } 120 | }; 121 | var MessageQueue = { 122 | _getCapacity: function(queue) { 123 | return Memory.readInt(queue.add(4)); 124 | }, 125 | _get: function(queue, index) { 126 | return Memory.readPointer(Memory.readPointer(queue).add(POINTER_SIZE * index)); 127 | }, 128 | _set: function(queue, index, message) { 129 | Memory.writePointer(Memory.readPointer(queue).add(POINTER_SIZE * index), message); 130 | }, 131 | _count: function(queue) { 132 | return Memory.readInt(queue.add(8)); 133 | }, 134 | _decrementCount: function(queue) { 135 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) - 1); 136 | }, 137 | _incrementCount: function(queue) { 138 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) + 1); 139 | }, 140 | _getDequeueIndex: function(queue) { 141 | return Memory.readInt(queue.add(12)); 142 | }, 143 | _getEnqueueIndex: function(queue) { 144 | return Memory.readInt(queue.add(16)); 145 | }, 146 | _setDequeueIndex: function(queue, index) { 147 | Memory.writeInt(queue.add(12), index); 148 | }, 149 | _setEnqueueIndex: function(queue, index) { 150 | Memory.writeInt(queue.add(16), index); 151 | }, 152 | _enqueue: function(queue, message) { 153 | pthread_mutex_lock(queue.sub(4)); 154 | var index = MessageQueue._getEnqueueIndex(queue); 155 | MessageQueue._set(queue, index, message); 156 | MessageQueue._setEnqueueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 157 | MessageQueue._incrementCount(queue); 158 | pthread_mutex_unlock(queue.sub(4)); 159 | }, 160 | _dequeue: function(queue) { 161 | var message = null; 162 | pthread_mutex_lock(queue.sub(4)); 163 | if (MessageQueue._count(queue)) { 164 | var index = MessageQueue._getDequeueIndex(queue); 165 | message = MessageQueue._get(queue, index); 166 | MessageQueue._setDequeueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 167 | MessageQueue._decrementCount(queue); 168 | } 169 | pthread_mutex_unlock(queue.sub(4)); 170 | return message; 171 | } 172 | }; 173 | 174 | function setupMessaging() { 175 | cache.wakeUpReturnArray = []; 176 | for (var i = 0; i < WAKEUP_RETURN_ARRAY.length; i += 1) { 177 | cache.wakeUpReturnArray.push(base.add(WAKEUP_RETURN_ARRAY[i])); 178 | } 179 | cache.pthreadReturn = base.add(PTHREAD_COND_WAKE_RETURN); 180 | cache.selectReturn = base.add(SELECT_RETURN); 181 | cache.serverConnection = Memory.readPointer(base.add(SERVER_CONNECTION)); 182 | cache.messaging = Memory.readPointer(cache.serverConnection.add(4)); 183 | cache.messageFactory = Memory.readPointer(cache.messaging.add(52)); 184 | cache.recvQueue = cache.messaging.add(60); 185 | cache.sendQueue = cache.messaging.add(84); 186 | cache.state = cache.messaging.add(212) 187 | cache.loginMessagePtr = cache.messaging.add(216); 188 | 189 | cache.createMessageByType = new NativeFunction(base.add(CREATE_MESSAGE_BY_TYPE), 'pointer', ['pointer', 'int']); 190 | 191 | cache.sendMessage = function (message) { 192 | Message._encode(message); 193 | var byteStream = Message._getByteStream(message); 194 | var messagePayloadLength = ByteStream._getOffset(byteStream); 195 | var messageBuffer = malloc(messagePayloadLength + 7); 196 | memmove(messageBuffer.add(7), ByteStream._getByteArray(byteStream), messagePayloadLength); 197 | Buffer._setEncodingLength(messageBuffer, messagePayloadLength); 198 | Buffer._setMessageType(messageBuffer, Message._getMessageType(message)); 199 | Buffer._setMessageVersion(messageBuffer, Message._getVersion(message)); 200 | libc_send(cache.fd, messageBuffer, messagePayloadLength + 7, 0); 201 | free(messageBuffer); 202 | //Message._free(message); 203 | }; 204 | 205 | function onWakeup() { 206 | console.log("WAKE UP!!"); 207 | var message = MessageQueue._dequeue(cache.sendQueue); 208 | while (message) { 209 | var messageType = Message._getMessageType(message); 210 | console.log(messageType) 211 | if (messageType === 10100) { 212 | message = Memory.readPointer(cache.loginMessagePtr); 213 | Memory.writePointer(cache.loginMessagePtr, ptr(0)); 214 | Login = 1; 215 | } 216 | cache.sendMessage(message); 217 | message = MessageQueue._dequeue(cache.sendQueue); 218 | 219 | } 220 | } 221 | 222 | function shelly() { 223 | var updater = Interceptor.attach(Module.findExportByName('libc.so', 'pthread_cond_signal'), { 224 | onEnter: function(args) { 225 | DebugMenuUpdate(cache.dptr, 20); 226 | } 227 | }); 228 | 229 | } 230 | 231 | function onReceive() { 232 | var headerBuffer = malloc(7); 233 | libc_recv(cache.fd, headerBuffer, 7, 256); 234 | var messageType = Buffer._getMessageType(headerBuffer); 235 | 236 | if (messageType >= 20000) { 237 | if (messageType === 20104) { //LoginOk 238 | Memory.writeInt(cache.state, 5); 239 | } 240 | if (messageType === 24101) { 241 | setTimeout(function() { 242 | if (cache.debugOpened != true) { 243 | cache.debugOpened = true; 244 | cache.dptr = malloc(500); 245 | DebugMenuCtor(cache.dptr); 246 | StageAdd(base.add(STAGE_ADDRESS).readPointer(), cache.dptr); 247 | shelly(); 248 | } 249 | }, 2000); 250 | } 251 | var payloadLength = Buffer._getEncodingLength(headerBuffer); 252 | var messageVersion = Buffer._getMessageVersion(headerBuffer); 253 | free(headerBuffer); 254 | var messageBuffer = malloc(payloadLength); 255 | libc_recv(cache.fd, messageBuffer, payloadLength, 256); 256 | var message = cache.createMessageByType(cache.messageFactory, messageType); 257 | Message._setVersion(message, messageVersion); 258 | var byteStream = Message._getByteStream(message); 259 | ByteStream._setLength(byteStream, payloadLength); 260 | if (payloadLength) { 261 | var byteArray = malloc(payloadLength); 262 | memmove(byteArray, messageBuffer, payloadLength); 263 | ByteStream._setByteArray(byteStream, byteArray); 264 | } 265 | Message._decode(message); 266 | // logMessage(message); 267 | MessageQueue._enqueue(cache.recvQueue, message); 268 | free(messageBuffer); 269 | } 270 | } 271 | 272 | 273 | Interceptor.replace(Module.findExportByName('libc.so', 'pthread_cond_signal'), new NativeCallback(function(a1) { 274 | if(!this.returnAddress.equals(cache.pthreadReturn)) { 275 | return pthread_cond_signal(a1); 276 | } 277 | var sp4 = Memory.readPointer(this.context.sp.add(4)); 278 | for (var i = 0; i < cache.wakeUpReturnArray.length; i += 1) { 279 | if (sp4.equals(cache.wakeUpReturnArray[i])) { 280 | onWakeup(); 281 | return 0; 282 | } 283 | } 284 | return pthread_cond_signal(a1); 285 | }, 'int', ['pointer'])); 286 | 287 | Interceptor.replace(Module.findExportByName('libc.so', 'select'), new NativeCallback(function(nfds, readfds, writefds, exceptfds, timeout) { 288 | var r = select(nfds, readfds, writefds, exceptfds, timeout); 289 | if (this.returnAddress.equals(cache.selectReturn)) { 290 | onReceive(); 291 | } 292 | return r; 293 | }, 'int', ['int', 'pointer', 'pointer', 'pointer', 'pointer'])); 294 | } 295 | 296 | 297 | const adder = Interceptor.attach(base.add(ADD_FILE), { 298 | onEnter: function(args) { 299 | adder.detach(); 300 | AddFile(args[0], base.add(ascdebugsc), -1, -1, -1, -1); 301 | toast("Debug Loaded!!"); 302 | } 303 | }); 304 | 305 | Interceptor.attach(Module.findExportByName('libc.so', 'connect'), { 306 | onEnter: function(args) { 307 | if (ntohs(Memory.readU16(args[1].add(2))) === 9339) { 308 | cache.fd = args[0].toInt32(); 309 | var host = Memory.allocUtf8String("127.0.0.1"); 310 | Memory.writeInt(args[1].add(4), inet_addr(host)); 311 | Interceptor.revert(Module.findExportByName('libc.so', 'pthread_cond_signal')); 312 | Interceptor.revert(Module.findExportByName('libc.so', 'select')); 313 | setupMessaging(); 314 | } 315 | } 316 | }); 317 | -------------------------------------------------------------------------------- /Bs/V22/debug22test.js: -------------------------------------------------------------------------------- 1 | // global cache 2 | var cache = { 3 | modules: {}, 4 | options: {} 5 | }; 6 | 7 | const base = Module.findBaseAddress("libg.so"); 8 | 9 | // global constants 10 | const SERVER_CONNECTION = 0xA079B8; 11 | const NEW_OPERATOR = 0x643F54 + 1; 12 | const WAKEUP_RETURN_ARRAY = [0x464ac, 0xcacb0, 0xd1114, 0x3811a0, 0x4cd6d0, 0x4e2f78]; 13 | const PTHREAD_COND_WAKE_RETURN = 0x61691b; 14 | const CREATE_MESSAGE_BY_TYPE = 0x1f1aa8; // 'createMessageByType' function address // 30000 15 | const SELECT_RETURN = 0x3ae540; // x-ref select function 16 | const ON_RECEIVE = 0x54E730; // Messaging::onReceive subslave address. 17 | const POINTER_SIZE = 4; 18 | const ANTON_XUI_DEBUG_1 = 0x110E34; 19 | const GET_MOVIECLIP = 0x31F8BC; 20 | const fResourceManagerGetMovieClip = new NativeFunction(base.add(GET_MOVIECLIP), 'pointer', ['pointer', 'pointer']); 21 | const SET_MOVIE_CLIP = 0x2252BC; 22 | const stage_offset = 0xA0900C; 23 | const STAGE_DROCHILD = 0x16ED1C; 24 | const fStageDrochild = new NativeFunction(base.add(STAGE_DROCHILD), 'void', ['pointer', 'pointer']); 25 | 26 | const BUTTON_SETMOVIECLIP = 0x398210; 27 | 28 | const STRING_CTOR = 0x2FBCBC; 29 | 30 | const IS_DEV = 0x200934; // LogicVersion::isDev 31 | const IS_PROD = 0x4BD0DC; // LogicVersion::isProd 32 | 33 | const HOMEPAGE_STARTGAME = 0x277388; 34 | const ADD_VISION_UPDATE = 0x438FA4; 35 | 36 | const GAMEBUTTON_CTOR = 0x799D8; 37 | 38 | const SET_TEXT = 0xDE8A4; 39 | const REMOVE_CHILD = 0x61A40; 40 | 41 | // global lib calls 42 | const StringCtor = new NativeFunction(base.add(STRING_CTOR), 'void', ['pointer', 'pointer']); 43 | const ButtonSetClip = new NativeFunction(base.add(BUTTON_SETMOVIECLIP), 'void', ['pointer', 'pointer', 'bool']); 44 | const GameButtonCtor = new NativeFunction(base.add(GAMEBUTTON_CTOR), 'void', ['pointer']); 45 | const fSetText = new NativeFunction(base.add(SET_TEXT), 'void', ['pointer', 'pointer', 'bool']); 46 | var malloc = new NativeFunction(Module.findExportByName('libc.so', 'malloc'), 'pointer', ['int']); 47 | const free = new NativeFunction(Module.findExportByName('libc.so', 'free'), 'void', ['pointer']); 48 | const adudkactor = new NativeFunction(base.add(ANTON_XUI_DEBUG_1), 'void', ['pointer']); 49 | const pthread_mutex_lock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_lock'), 'int', ['pointer']); 50 | const pthread_mutex_unlock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_unlock'), 'int', ['pointer']); 51 | const pthread_cond_signal = new NativeFunction(Module.findExportByName('libc.so', 'pthread_cond_signal'), 'int', ['pointer']); 52 | const select = new NativeFunction(Module.findExportByName('libc.so', 'select'), 'int', ['int', 'pointer', 'pointer', 'pointer', 'pointer']); 53 | const memmove = new NativeFunction(Module.findExportByName('libc.so', 'memmove'), 'pointer', ['pointer', 'pointer', 'int']); 54 | const ntohs = new NativeFunction(Module.findExportByName('libc.so', 'ntohs'), 'uint16', ['uint16']); 55 | const inet_addr = new NativeFunction(Module.findExportByName('libc.so', 'inet_addr'), 'int', ['pointer']); 56 | const libc_send = new NativeFunction(Module.findExportByName('libc.so', 'send'), 'int', ['int', 'pointer', 'int', 'int']); 57 | const libc_recv = new NativeFunction(Module.findExportByName('libc.so', 'recv'), 'int', ['int', 'pointer', 'int', 'int']); 58 | const libc_close = new NativeFunction(Module.findExportByName('libc.so', 'close'), 'int', ['int']); 59 | const setmovieclip = new NativeFunction(base.add(SET_MOVIE_CLIP), 'void', ['pointer', 'pointer', 'bool']); 60 | const setXY = 0x90460; 61 | const fSetXY = new NativeFunction(base.add(setXY), 'void', ['pointer', 'float', 'float']); 62 | const fRemoveChild = new NativeFunction(base.add(REMOVE_CHILD), 'void', ['pointer', 'pointer']); 63 | 64 | 65 | // logic helpers 66 | const Message = { 67 | _getByteStream: function(message) { 68 | return message.add(8); 69 | }, 70 | _getVersion: function(message) { 71 | return Memory.readInt(message.add(4)); 72 | }, 73 | _setVersion: function(message, version) { 74 | Memory.writeInt(message.add(4), version); 75 | }, 76 | _getMessageType: function(message) { 77 | return (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(20)), 'int', ['pointer']))(message); 78 | }, 79 | _encode: function(message) { 80 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(8)), 'void', ['pointer']))(message); 81 | }, 82 | _decode: function(message) { 83 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(12)), 'void', ['pointer']))(message); 84 | }, 85 | _free: function(message) { 86 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(24)), 'void', ['pointer']))(message); 87 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(4)), 'void', ['pointer']))(message); 88 | } 89 | }; 90 | const ByteStream = { 91 | _getOffset: function(byteStream) { 92 | return Memory.readInt(byteStream.add(16)); 93 | }, 94 | _getByteArray: function(byteStream) { 95 | return Memory.readPointer(byteStream.add(28)); 96 | }, 97 | _setByteArray: function(byteStream, array) { 98 | Memory.writePointer(byteStream.add(28), array); 99 | }, 100 | _getLength: function(byteStream) { 101 | return Memory.readInt(byteStream.add(20)); 102 | }, 103 | _setLength: function(byteStream, length) { 104 | Memory.writeInt(byteStream.add(20), length); 105 | } 106 | }; 107 | const Buffer = { 108 | _getEncodingLength: function(buffer) { 109 | return Memory.readU8(buffer.add(2)) << 16 | Memory.readU8(buffer.add(3)) << 8 | Memory.readU8(buffer.add(4)); 110 | }, 111 | _setEncodingLength: function(buffer, length) { 112 | Memory.writeU8(buffer.add(2), length >> 16 & 0xFF); 113 | Memory.writeU8(buffer.add(3), length >> 8 & 0xFF); 114 | Memory.writeU8(buffer.add(4), length & 0xFF); 115 | }, 116 | _setMessageType: function(buffer, type) { 117 | Memory.writeU8(buffer.add(0), type >> 8 & 0xFF); 118 | Memory.writeU8(buffer.add(1), type & 0xFF); 119 | }, 120 | _getMessageVersion: function(buffer) { 121 | return Memory.readU8(buffer.add(5)) << 8 | Memory.readU8(buffer.add(6)); 122 | }, 123 | _setMessageVersion: function(buffer, version) { 124 | Memory.writeU8(buffer.add(5), version >> 8 & 0xFF); 125 | Memory.writeU8(buffer.add(6), version & 0xFF); 126 | }, 127 | _getMessageType: function(buffer) { 128 | return Memory.readU8(buffer) << 8 | Memory.readU8(buffer.add(1)); 129 | } 130 | }; 131 | const MessageQueue = { 132 | _getCapacity: function(queue) { 133 | return Memory.readInt(queue.add(4)); 134 | }, 135 | _get: function(queue, index) { 136 | return Memory.readPointer(Memory.readPointer(queue).add(POINTER_SIZE * index)); 137 | }, 138 | _set: function(queue, index, message) { 139 | Memory.writePointer(Memory.readPointer(queue).add(POINTER_SIZE * index), message); 140 | }, 141 | _count: function(queue) { 142 | return Memory.readInt(queue.add(8)); 143 | }, 144 | _decrementCount: function(queue) { 145 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) - 1); 146 | }, 147 | _incrementCount: function(queue) { 148 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) + 1); 149 | }, 150 | _getDequeueIndex: function(queue) { 151 | return Memory.readInt(queue.add(12)); 152 | }, 153 | _getEnqueueIndex: function(queue) { 154 | return Memory.readInt(queue.add(16)); 155 | }, 156 | _setDequeueIndex: function(queue, index) { 157 | Memory.writeInt(queue.add(12), index); 158 | }, 159 | _setEnqueueIndex: function(queue, index) { 160 | Memory.writeInt(queue.add(16), index); 161 | }, 162 | _enqueue: function(queue, message) { 163 | pthread_mutex_lock(queue.sub(4)); 164 | var index = MessageQueue._getEnqueueIndex(queue); 165 | MessageQueue._set(queue, index, message); 166 | MessageQueue._setEnqueueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 167 | MessageQueue._incrementCount(queue); 168 | pthread_mutex_unlock(queue.sub(4)); 169 | }, 170 | _dequeue: function(queue) { 171 | var message = null; 172 | pthread_mutex_lock(queue.sub(4)); 173 | if (MessageQueue._count(queue)) { 174 | var index = MessageQueue._getDequeueIndex(queue); 175 | message = MessageQueue._get(queue, index); 176 | MessageQueue._setDequeueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 177 | MessageQueue._decrementCount(queue); 178 | } 179 | pthread_mutex_unlock(queue.sub(4)); 180 | return message; 181 | } 182 | }; 183 | 184 | const HostPatcher = { 185 | init: function() { 186 | Interceptor.attach(Module.findExportByName('libc.so', 'connect'), { 187 | onEnter: function(args) { 188 | if (ntohs(Memory.readU16(args[1].add(2))) === 9339) { 189 | cache.fd = args[0].toInt32(); 190 | var host = Memory.allocUtf8String(HostPatcher.redirectAddress); 191 | Memory.writeInt(args[1].add(4), inet_addr(host)); 192 | Interceptor.revert(Module.findExportByName('libc.so', 'pthread_cond_signal')); 193 | Interceptor.revert(Module.findExportByName('libc.so', 'select')); 194 | Messaging.init(); 195 | } 196 | } 197 | }); 198 | } 199 | }; 200 | 201 | const DebugPatcher = { 202 | enableIsDev: function() { 203 | Interceptor.replace(cache.base.add(IS_PROD), new NativeCallback(function() { 204 | return 0; 205 | }, 'int', [])); 206 | 207 | Interceptor.replace(cache.base.add(IS_DEV), new NativeCallback(function() { 208 | return 1; 209 | }, 'int', [])); 210 | }, 211 | revert: function() { 212 | Interceptor.revert(cache.base.add(IS_PROD)); 213 | Interceptor.revert(cache.base.add(IS_DEV)); 214 | Interceptor.flush(); 215 | } 216 | }; 217 | 218 | const OfflineBattlePatcher = { 219 | init: function() { 220 | OfflineBattlePatcher.startGame = Interceptor.attach(cache.base.add(HOMEPAGE_STARTGAME), { 221 | onEnter(args) { 222 | args[3] = ptr(3); 223 | } 224 | }); 225 | 226 | OfflineBattlePatcher.viewerCountFaker = Interceptor.attach(cache.base.add(ADD_VISION_UPDATE), { 227 | onEnter(args) { 228 | args[1].add(92).writeInt(args[1].add(80).readInt()); 229 | } 230 | }); 231 | }, 232 | deinit: function() { 233 | if (OfflineBattlePatcher.startGame) OfflineBattlePatcher.startGame.detach(); 234 | if (OfflineBattlePatcher.viewerCountFaker) OfflineBattlePatcher.viewerCountFaker.detach(); 235 | } 236 | } 237 | 238 | function getOffsets() { 239 | cache.wakeUpReturnArray = []; 240 | for (var i = 0; i < WAKEUP_RETURN_ARRAY.length; i += 1) { 241 | cache.wakeUpReturnArray.push(cache.base.add(WAKEUP_RETURN_ARRAY[i])); 242 | } 243 | cache.pthreadReturn = cache.base.add(PTHREAD_COND_WAKE_RETURN); 244 | cache.serverConnection = Memory.readPointer(cache.base.add(SERVER_CONNECTION)); 245 | cache.selectReturn = cache.base.add(SELECT_RETURN); 246 | cache.messaging = Memory.readPointer(cache.serverConnection.add(4)); 247 | cache.messageFactory = Memory.readPointer(cache.messaging.add(52)); 248 | cache.recvQueue = cache.messaging.add(60); 249 | cache.sendQueue = cache.messaging.add(84); 250 | cache.state = cache.messaging.add(212); 251 | cache.loginMessagePtr = cache.messaging.add(216); 252 | 253 | cache.newOperator = new NativeFunction(cache.base.add(NEW_OPERATOR), 'pointer', ['int']); 254 | cache.createMessageByType = new NativeFunction(cache.base.add(CREATE_MESSAGE_BY_TYPE), 'pointer', ['pointer', 'int']); 255 | } 256 | 257 | function createStringPtr(message) { 258 | var charPtr = malloc(message.length + 1); 259 | Memory.writeUtf8String(charPtr, message); 260 | return charPtr 261 | } 262 | 263 | function createStringObject(mmmdmskads) { 264 | var land = createStringPtr(mmmdmskads); 265 | let pesocheck = malloc(128); 266 | StringCtor(pesocheck, land); 267 | return pesocheck; 268 | } 269 | 270 | const nextCameraMode = new NativeFunction(base.add(0x1482E0), 'void', []); 271 | 272 | function debug_init(land) { // jejka 273 | let dbutton = malloc(700); 274 | GameButtonCtor(dbutton); 275 | let peskov = fResourceManagerGetMovieClip(createStringPtr("sc/debug.sc"), createStringPtr("debug_button")); 276 | ButtonSetClip(dbutton, peskov, 1); 277 | fSetXY(dbutton, 30, 560); 278 | 279 | fStageDrochild(base.add(stage_offset).readPointer(), dbutton); 280 | fSetText(dbutton, createStringObject("D"), 1); 281 | 282 | let debug = malloc(700); 283 | adudkactor(debug); 284 | let pesok = fResourceManagerGetMovieClip(createStringPtr("sc/debug.sc"), createStringPtr("debug_menu")); 285 | //console.log(pesok.toInt32()); 286 | setmovieclip(debug, pesok, 0); 287 | fSetXY(debug, 800, 0); 288 | fStageDrochild(base.add(stage_offset).readPointer(), debug); 289 | 290 | cache.addGemsButton = malloc(700); 291 | GameButtonCtor(cache.addGemsButton); 292 | 293 | let peschanik = fResourceManagerGetMovieClip(createStringPtr("sc/debug.sc"), createStringPtr("debug_menu_item")); 294 | //console.log(peschanik.toInt32()); 295 | ButtonSetClip(cache.addGemsButton, peschanik, 1); 296 | fSetXY(cache.addGemsButton, 1000, 80); 297 | 298 | let haccers = malloc(700); 299 | GameButtonCtor(haccers); 300 | let peskovik = fResourceManagerGetMovieClip(createStringPtr("sc/debug.sc"), createStringPtr("debug_menu_item")); 301 | ButtonSetClip(haccers, peskovik, 1); 302 | fSetXY(haccers, 1000, 140); 303 | 304 | fStageDrochild(base.add(stage_offset).readPointer(), haccers); 305 | fSetText(haccers, createStringObject("Add Resources"), 1); 306 | 307 | let perdoon = malloc(700); 308 | GameButtonCtor(perdoon); 309 | let danillnull = fResourceManagerGetMovieClip(createStringPtr("sc/debug.sc"), createStringPtr("debug_menu_item")); 310 | ButtonSetClip(perdoon, danillnull, 1); 311 | fSetXY(perdoon, 1000, 200); 312 | 313 | fStageDrochild(base.add(stage_offset).readPointer(), perdoon); 314 | fSetText(perdoon, createStringObject("Maintenance Test Message"), 1); 315 | 316 | let xeontop = malloc(700); 317 | GameButtonCtor(xeontop); 318 | let nullnull = fResourceManagerGetMovieClip(createStringPtr("sc/debug.sc"), createStringPtr("debug_menu_item")); 319 | ButtonSetClip(xeontop, nullnull, 1); 320 | fSetXY(xeontop, 1000, 260); 321 | 322 | fStageDrochild(base.add(stage_offset).readPointer(), xeontop); 323 | fSetText(xeontop, createStringObject("War Map Preview"), 1); 324 | 325 | let dudkaxui = malloc(700); 326 | GameButtonCtor(dudkaxui); 327 | let nullnullnull = fResourceManagerGetMovieClip(createStringPtr("sc/debug.sc"), createStringPtr("debug_menu_item")); 328 | ButtonSetClip(dudkaxui, nullnullnull, 1); 329 | fSetXY(dudkaxui, 1000, 320); 330 | 331 | fStageDrochild(base.add(stage_offset).readPointer(), dudkaxui); 332 | fSetText(dudkaxui, createStringObject("Next Theme"), 1); 333 | 334 | let dudkaxuii = malloc(700); 335 | GameButtonCtor(dudkaxuii); 336 | let nullnullnulll = fResourceManagerGetMovieClip(createStringPtr("sc/debug.sc"), createStringPtr("debug_menu_item")); 337 | ButtonSetClip(dudkaxuii, nullnullnulll, 1); 338 | fSetXY(dudkaxuii, 1000, 380); 339 | 340 | fStageDrochild(base.add(stage_offset).readPointer(), dudkaxuii); 341 | fSetText(dudkaxuii, createStringObject("Next Camera Mode"), 1); 342 | 343 | let dudkaxuiii = malloc(700); 344 | GameButtonCtor(dudkaxuiii); 345 | let nullnullnullll = fResourceManagerGetMovieClip(createStringPtr("sc/debug.sc"), createStringPtr("debug_menu_item")); 346 | ButtonSetClip(dudkaxuiii, nullnullnullll, 1); 347 | fSetXY(dudkaxuiii, 1000, 440); 348 | 349 | fStageDrochild(base.add(stage_offset).readPointer(), dudkaxuiii); 350 | fSetText(dudkaxuiii, createStringObject("Reset Account"), 1); 351 | 352 | let latency = malloc(700); 353 | GameButtonCtor(latency); 354 | let tests = fResourceManagerGetMovieClip(createStringPtr("sc/debug.sc"), createStringPtr("debug_menu_item")); 355 | ButtonSetClip(latency, tests, 1); 356 | fSetXY(latency, 1000, 500); 357 | 358 | fStageDrochild(base.add(stage_offset).readPointer(), latency); 359 | fSetText(latency, createStringObject("Latency Test Request"), 1); 360 | 361 | let perda = malloc(700); 362 | GameButtonCtor(perda); 363 | let danillsuka = fResourceManagerGetMovieClip(createStringPtr("sc/debug.sc"), createStringPtr("debug_menu_button")); 364 | ButtonSetClip(perda, danillsuka, 1); 365 | fSetXY(perda, 915, 20); 366 | 367 | fStageDrochild(base.add(stage_offset).readPointer(), perda); 368 | fSetText(perda, createStringObject("Debug "), 1); 369 | 370 | let perdim = malloc(700); 371 | GameButtonCtor(perdim); 372 | let danillsukai = fResourceManagerGetMovieClip(createStringPtr("sc/debug.sc"), createStringPtr("debug_menu_button")); 373 | ButtonSetClip(perdim, danillsukai, 1); 374 | fSetXY(perdim, 1010, 20); 375 | 376 | fStageDrochild(base.add(stage_offset).readPointer(), perdim); 377 | fSetText(perdim, createStringObject("Menu"), 1); 378 | 379 | fStageDrochild(base.add(stage_offset).readPointer(), cache.addGemsButton); 380 | fSetText(cache.addGemsButton, createStringObject("Add Gems"), 1); 381 | let aopened = true; 382 | cache.buttonInterceptor = Interceptor.attach(base.add(0x360CDC), { 383 | onEnter(args) { 384 | //console.log("jekla"); 385 | if (args[0].toInt32() == cache.addGemsButton.toInt32()) { 386 | //console.log("lol"); 387 | sendCustomMessage(10777); 388 | } 389 | else if (args[0].toInt32() == haccers.toInt32()) { 390 | //console.log("pon"); 391 | sendCustomMessage(10666); 392 | } 393 | else if (args[0].toInt32() == perdoon.toInt32()) { 394 | //console.log("Perdoon Activated"); 395 | sendCustomMessage(22228); 396 | } 397 | else if (args[0].toInt32() == xeontop.toInt32()) { 398 | //console.log("War map 22288828282 Activated"); 399 | sendCustomMessage(10999); 400 | } 401 | else if (args[0].toInt32() == dudkaxui.toInt32()) { 402 | //console.log("ponos"); 403 | sendCustomMessage(10000); 404 | } 405 | else if (args[0].toInt32() == dudkaxuiii.toInt32()) { 406 | //console.log("lol"); 407 | sendCustomMessage(10166); 408 | } 409 | else if (args[0].toInt32() == latency.toInt32()) { 410 | //console.log("vzlom latency"); 411 | sendCustomMessage(10656); 412 | } 413 | else if (args[0].toInt32() == dudkaxuii.toInt32()) { 414 | //console.log("camernik"); 415 | nextCameraMode(); 416 | } 417 | else if (args[0].toInt32() == dbutton.toInt32()) { 418 | //console.log("toggler"); 419 | if (aopened) { 420 | close_debug(); 421 | } 422 | else if (!aopened){ 423 | //console.log("dudka tech!"); 424 | fRemoveChild(base.add(stage_offset).readPointer(), dbutton); 425 | cache.buttonInterceptor.detach(); 426 | debug_init(false); 427 | } 428 | } 429 | } 430 | }); 431 | 432 | function close_debug() { 433 | aopened = false; 434 | 435 | fRemoveChild(base.add(stage_offset).readPointer(), cache.addGemsButton); 436 | fRemoveChild(base.add(stage_offset).readPointer(), debug); 437 | fRemoveChild(base.add(stage_offset).readPointer(), haccers); 438 | fRemoveChild(base.add(stage_offset).readPointer(), perdoon); 439 | fRemoveChild(base.add(stage_offset).readPointer(), perda); 440 | fRemoveChild(base.add(stage_offset).readPointer(), perdim); 441 | fRemoveChild(base.add(stage_offset).readPointer(), xeontop); 442 | fRemoveChild(base.add(stage_offset).readPointer(), dudkaxui); 443 | fRemoveChild(base.add(stage_offset).readPointer(), dudkaxuii); 444 | fRemoveChild(base.add(stage_offset).readPointer(), dudkaxuiii); 445 | fRemoveChild(base.add(stage_offset).readPointer(), latency); 446 | 447 | free(cache.addGemsButton); 448 | free(haccers); 449 | free(perdoon); 450 | free(perda); 451 | free(perdim); 452 | free(xeontop); 453 | free(dudkaxui); 454 | free(dudkaxuii); 455 | free(dudkaxuiii); 456 | free(latency); 457 | free(debug); 458 | } 459 | 460 | if (land) close_debug(); 461 | 462 | } 463 | 464 | function sendCustomMessage(type) { 465 | var messageBuffer = cache.newOperator(7); 466 | Buffer._setEncodingLength(messageBuffer, 0); 467 | Buffer._setMessageType(messageBuffer, type); 468 | Buffer._setMessageVersion(messageBuffer, 0); 469 | libc_send(cache.fd, messageBuffer, 7, 0); 470 | free(messageBuffer); 471 | } 472 | 473 | const addfile = new NativeFunction(base.add(0x25A654), 'void', ['pointer', 'pointer', 'int', 'int', 'int', 'int']); 474 | 475 | function podload() { 476 | var lop = Interceptor.attach(base.add(0x25A654), { 477 | onEnter(args) { 478 | lop.detach(); 479 | addfile(args[0], createStringPtr("sc/debug.sc"), -1, -1, -1, -1); 480 | //console.log("loaded suka"); 481 | } 482 | }); 483 | } 484 | 485 | function fixer() { 486 | let l = Interceptor.attach(Module.findExportByName('libc.so', 'close'), { 487 | onEnter(args) { 488 | if (args[0].toInt32() == cache.fd) { 489 | l.detach(); 490 | //console.log("disconnector322"); 491 | OfflineBattlePatcher.deinit(); 492 | 493 | cache.buttonInterceptor.detach(); 494 | 495 | Interceptor.revert(cache.base.add(ON_RECEIVE)); 496 | DebugPatcher.revert(); 497 | 498 | Interceptor.revert(Module.findExportByName('libc.so', 'pthread_cond_signal')); 499 | Interceptor.revert(Module.findExportByName('libc.so', 'select')); 500 | 501 | Interceptor.flush(); 502 | } 503 | } 504 | }); 505 | } 506 | 507 | const Messaging = { 508 | init: function() { 509 | getOffsets(); 510 | 511 | Messaging.send = function (message) { 512 | Message._encode(message); 513 | var byteStream = Message._getByteStream(message); 514 | var messagePayloadLength = ByteStream._getOffset(byteStream); 515 | var messageBuffer = cache.newOperator(messagePayloadLength + 7); 516 | memmove(messageBuffer.add(7), ByteStream._getByteArray(byteStream), messagePayloadLength); 517 | Buffer._setEncodingLength(messageBuffer, messagePayloadLength); 518 | Buffer._setMessageType(messageBuffer, Message._getMessageType(message)); 519 | Buffer._setMessageVersion(messageBuffer, Message._getVersion(message)); 520 | 521 | if (Message._getMessageType(message) == 10101) { 522 | //console.log("voloski"); 523 | Interceptor.replace(cache.base.add(ON_RECEIVE), new NativeCallback(function(){ 524 | //console.log("tevh"); 525 | }, 'void', [])); 526 | } 527 | 528 | libc_send(cache.fd, messageBuffer, messagePayloadLength + 7, 0); 529 | free(messageBuffer); 530 | //Message._free(message); 531 | } 532 | 533 | Messaging.wakeup = function() { 534 | var message = MessageQueue._dequeue(cache.sendQueue); 535 | while (message) { 536 | var messageType = Message._getMessageType(message); 537 | if (messageType === 10100) { 538 | message = Memory.readPointer(cache.loginMessagePtr); 539 | Memory.writePointer(cache.loginMessagePtr, ptr(0)); 540 | } 541 | Messaging.send(message); 542 | message = MessageQueue._dequeue(cache.sendQueue); 543 | } 544 | } 545 | 546 | Messaging.onReceive = function() { 547 | var headerBuffer = cache.newOperator(7); 548 | var r = libc_recv(cache.fd, headerBuffer, 7, 256); 549 | 550 | if (r == 0) { 551 | //console.log("disconnected tcc"); 552 | 553 | OfflineBattlePatcher.deinit(); 554 | 555 | Interceptor.revert(cache.base.add(ON_RECEIVE)); 556 | DebugPatcher.revert(); 557 | 558 | Interceptor.revert(Module.findExportByName('libc.so', 'pthread_cond_signal')); 559 | Interceptor.revert(Module.findExportByName('libc.so', 'select')); 560 | 561 | Interceptor.flush(); 562 | 563 | libc_close(cache.fd); 564 | 565 | return; 566 | } 567 | 568 | var messageType = Buffer._getMessageType(headerBuffer); 569 | if (messageType === 20104) { 570 | Memory.writeInt(cache.state, 5); 571 | fixer(); 572 | DebugPatcher.enableIsDev(); 573 | OfflineBattlePatcher.init(); 574 | } 575 | else if (messageType === 28282) { 576 | debug_init(true); 577 | //console.log("Dev Account DETECTED! Debug Menu called"); 578 | } 579 | var payloadLength = Buffer._getEncodingLength(headerBuffer); 580 | var messageVersion = Buffer._getMessageVersion(headerBuffer); 581 | free(headerBuffer); 582 | var messageBuffer = cache.newOperator(payloadLength); 583 | libc_recv(cache.fd, messageBuffer, payloadLength, 256); 584 | var message = cache.createMessageByType(cache.messageFactory, messageType); 585 | Message._setVersion(message, messageVersion); 586 | var byteStream = Message._getByteStream(message); 587 | ByteStream._setLength(byteStream, payloadLength); 588 | if (payloadLength) { 589 | var byteArray = cache.newOperator(payloadLength); 590 | memmove(byteArray, messageBuffer, payloadLength); 591 | ByteStream._setByteArray(byteStream, byteArray); 592 | } 593 | Message._decode(message); 594 | // logMessage(message); 595 | MessageQueue._enqueue(cache.recvQueue, message); 596 | free(messageBuffer); 597 | } 598 | 599 | Interceptor.replace(Module.findExportByName('libc.so', 'pthread_cond_signal'), new NativeCallback(function(a1) { 600 | if(!this.returnAddress.equals(cache.pthreadReturn)) { 601 | return pthread_cond_signal(a1); 602 | } 603 | var sp4 = Memory.readPointer(this.context.sp.add(4)); 604 | for (var i = 0; i < cache.wakeUpReturnArray.length; i += 1) { 605 | if (sp4.equals(cache.wakeUpReturnArray[i])) { 606 | Messaging.wakeup(); 607 | return 0; 608 | } 609 | } 610 | return pthread_cond_signal(a1); 611 | }, 'int', ['pointer'])); 612 | 613 | Interceptor.replace(Module.findExportByName('libc.so', 'select'), new NativeCallback(function(nfds, readfds, writefds, exceptfds, timeout) { 614 | var r = select(nfds, readfds, writefds, exceptfds, timeout); 615 | if (this.returnAddress.equals(cache.selectReturn)) { 616 | Messaging.onReceive(); 617 | } 618 | return r; 619 | }, 'int', ['int', 'pointer', 'pointer', 'pointer', 'pointer'])); 620 | } 621 | }; 622 | 623 | // startup 624 | rpc.exports = { 625 | init: function(stage, options) { 626 | Interceptor.detachAll(); 627 | cache.base = Process.findModuleByName('libg.so').base; 628 | HostPatcher.redirectAddress = "127.0.0.1" // ip here 629 | HostPatcher.init(); 630 | podload(); 631 | } 632 | }; 633 | -------------------------------------------------------------------------------- /Bs/V27/libgg.script27.269.1.so: -------------------------------------------------------------------------------- 1 | var cache = { 2 | modules: {}, 3 | options: {} 4 | }; 5 | 6 | const base = Process.findModuleByName('libg.so').base; 7 | 8 | const SERVER_CONNECTION = 0xC09140; 9 | const PTHREAD_COND_WAKE_RETURN = 0x7B1326 + 8 + 1; 10 | const WAKEUP_RETURN_ARRAY = [0xCE58C, 0xED038, 0xF7C78, 0x2DBF0C, 0x43A4C8, 0x44EF10]; 11 | const CREATE_MESSAGE_BY_TYPE = 0x60FCC0; 12 | const SELECT_RETURN = 0x1F1894; 13 | const POINTER_SIZE = 4; 14 | 15 | var malloc = new NativeFunction(Module.findExportByName('libc.so', 'malloc'), 'pointer', ['int']); 16 | var free = new NativeFunction(Module.findExportByName('libc.so', 'free'), 'void', ['pointer']); 17 | var pthread_mutex_lock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_lock'), 'int', ['pointer']); 18 | var pthread_mutex_unlock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_unlock'), 'int', ['pointer']); 19 | var pthread_cond_signal = new NativeFunction(Module.findExportByName('libc.so', 'pthread_cond_signal'), 'int', ['pointer']); 20 | var select = new NativeFunction(Module.findExportByName('libc.so', 'select'), 'int', ['int', 'pointer', 'pointer', 'pointer', 'pointer']); 21 | var memmove = new NativeFunction(Module.findExportByName('libc.so', 'memmove'), 'pointer', ['pointer', 'pointer', 'int']); 22 | var ntohs = new NativeFunction(Module.findExportByName('libc.so', 'ntohs'), 'uint16', ['uint16']); 23 | var inet_addr = new NativeFunction(Module.findExportByName('libc.so', 'inet_addr'), 'int', ['pointer']); 24 | var libc_send = new NativeFunction(Module.findExportByName('libc.so', 'send'), 'int', ['int', 'pointer', 'int', 'int']); 25 | var libc_recv = new NativeFunction(Module.findExportByName('libc.so', 'recv'), 'int', ['int', 'pointer', 'int', 'int']); 26 | 27 | function toast(toastText) { 28 | Java.perform(function() { 29 | var context = Java.use('android.app.ActivityThread').currentApplication().getApplicationContext(); 30 | Java.scheduleOnMainThread(function() { 31 | Java.use("android.widget.Toast").makeText(context, Java.use("java.lang.String").$new(toastText), 1).show(); 32 | }); 33 | }); 34 | } 35 | 36 | var Message = { 37 | _getByteStream: function(message) { 38 | return message.add(8); 39 | }, 40 | _getVersion: function(message) { 41 | return Memory.readInt(message.add(4)); 42 | }, 43 | _setVersion: function(message, version) { 44 | Memory.writeInt(message.add(4), version); 45 | }, 46 | _getMessageType: function(message) { 47 | return (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(20)), 'int', ['pointer']))(message); 48 | }, 49 | _encode: function(message) { 50 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(8)), 'void', ['pointer']))(message); 51 | }, 52 | _decode: function(message) { 53 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(12)), 'void', ['pointer']))(message); 54 | }, 55 | _free: function(message) { 56 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(24)), 'void', ['pointer']))(message); 57 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(4)), 'void', ['pointer']))(message); 58 | } 59 | }; 60 | 61 | var ByteStream = { 62 | _getOffset: function(byteStream) { 63 | return Memory.readInt(byteStream.add(16)); 64 | }, 65 | _getByteArray: function(byteStream) { 66 | return Memory.readPointer(byteStream.add(28)); 67 | }, 68 | _setByteArray: function(byteStream, array) { 69 | Memory.writePointer(byteStream.add(28), array); 70 | }, 71 | _getLength: function(byteStream) { 72 | return Memory.readInt(byteStream.add(20)); 73 | }, 74 | _setLength: function(byteStream, length) { 75 | Memory.writeInt(byteStream.add(20), length); 76 | } 77 | }; 78 | 79 | var Buffer = { 80 | _getEncodingLength: function(buffer) { 81 | return Memory.readU8(buffer.add(2)) << 16 | Memory.readU8(buffer.add(3)) << 8 | Memory.readU8(buffer.add(4)); 82 | }, 83 | _setEncodingLength: function(buffer, length) { 84 | Memory.writeU8(buffer.add(2), length >> 16 & 0xFF); 85 | Memory.writeU8(buffer.add(3), length >> 8 & 0xFF); 86 | Memory.writeU8(buffer.add(4), length & 0xFF); 87 | }, 88 | _setMessageType: function(buffer, type) { 89 | Memory.writeU8(buffer.add(0), type >> 8 & 0xFF); 90 | Memory.writeU8(buffer.add(1), type & 0xFF); 91 | }, 92 | _getMessageVersion: function(buffer) { 93 | return Memory.readU8(buffer.add(5)) << 8 | Memory.readU8(buffer.add(6)); 94 | }, 95 | _setMessageVersion: function(buffer, version) { 96 | Memory.writeU8(buffer.add(5), version >> 8 & 0xFF); 97 | Memory.writeU8(buffer.add(6), version & 0xFF); 98 | }, 99 | _getMessageType: function(buffer) { 100 | return Memory.readU8(buffer) << 8 | Memory.readU8(buffer.add(1)); 101 | } 102 | }; 103 | 104 | var MessageQueue = { 105 | _getCapacity: function(queue) { 106 | return Memory.readInt(queue.add(4)); 107 | }, 108 | _get: function(queue, index) { 109 | return Memory.readPointer(Memory.readPointer(queue).add(POINTER_SIZE * index)); 110 | }, 111 | _set: function(queue, index, message) { 112 | Memory.writePointer(Memory.readPointer(queue).add(POINTER_SIZE * index), message); 113 | }, 114 | _count: function(queue) { 115 | return Memory.readInt(queue.add(8)); 116 | }, 117 | _decrementCount: function(queue) { 118 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) - 1); 119 | }, 120 | _incrementCount: function(queue) { 121 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) + 1); 122 | }, 123 | _getDequeueIndex: function(queue) { 124 | return Memory.readInt(queue.add(12)); 125 | }, 126 | _getEnqueueIndex: function(queue) { 127 | return Memory.readInt(queue.add(16)); 128 | }, 129 | _setDequeueIndex: function(queue, index) { 130 | Memory.writeInt(queue.add(12), index); 131 | }, 132 | _setEnqueueIndex: function(queue, index) { 133 | Memory.writeInt(queue.add(16), index); 134 | }, 135 | _enqueue: function(queue, message) { 136 | pthread_mutex_lock(queue.sub(4)); 137 | var index = MessageQueue._getEnqueueIndex(queue); 138 | MessageQueue._set(queue, index, message); 139 | MessageQueue._setEnqueueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 140 | MessageQueue._incrementCount(queue); 141 | pthread_mutex_unlock(queue.sub(4)); 142 | }, 143 | _dequeue: function(queue) { 144 | var message = null; 145 | pthread_mutex_lock(queue.sub(4)); 146 | if (MessageQueue._count(queue)) { 147 | var index = MessageQueue._getDequeueIndex(queue); 148 | message = MessageQueue._get(queue, index); 149 | MessageQueue._setDequeueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 150 | MessageQueue._decrementCount(queue); 151 | } 152 | pthread_mutex_unlock(queue.sub(4)); 153 | return message; 154 | } 155 | }; 156 | 157 | function setupMessaging() { 158 | cache.base = Module.findBaseAddress("libg.so"); 159 | cache.wakeUpReturnArray = []; 160 | for (var i = 0; i < WAKEUP_RETURN_ARRAY.length; i += 1) { 161 | cache.wakeUpReturnArray.push(cache.base.add(WAKEUP_RETURN_ARRAY[i])); 162 | } 163 | 164 | cache.pthreadReturn = base.add(PTHREAD_COND_WAKE_RETURN); 165 | cache.serverConnection = Memory.readPointer(base.add(SERVER_CONNECTION)); 166 | cache.selectReturn = base.add(SELECT_RETURN); 167 | cache.messaging = Memory.readPointer(cache.serverConnection.add(4)); 168 | cache.messageFactory = Memory.readPointer(cache.messaging.add(52)); 169 | cache.recvQueue = cache.messaging.add(60); 170 | cache.sendQueue = cache.messaging.add(84); 171 | cache.state = cache.messaging.add(208); 172 | cache.loginMessagePtr = cache.messaging.add(212); 173 | 174 | cache.createMessageByType = new NativeFunction(base.add(CREATE_MESSAGE_BY_TYPE), 'pointer', ['pointer', 'int']); 175 | 176 | cache.sendMessage = function (message) { 177 | Message._encode(message); 178 | var byteStream = Message._getByteStream(message); 179 | var messagePayloadLength = ByteStream._getOffset(byteStream); 180 | var messageBuffer = malloc(messagePayloadLength + 7); 181 | memmove(messageBuffer.add(7), ByteStream._getByteArray(byteStream), messagePayloadLength); 182 | Buffer._setEncodingLength(messageBuffer, messagePayloadLength); 183 | Buffer._setMessageType(messageBuffer, Message._getMessageType(message)); 184 | Buffer._setMessageVersion(messageBuffer, Message._getVersion(message)); 185 | libc_send(cache.fd, messageBuffer, messagePayloadLength + 7, 0); 186 | free(messageBuffer); 187 | //Message._free(message); 188 | }; 189 | 190 | function onWakeup() { 191 | var message = MessageQueue._dequeue(cache.sendQueue); 192 | 193 | while (message) { 194 | var messageType = Message._getMessageType(message); 195 | if (messageType === 10100) { 196 | message = Memory.readPointer(cache.loginMessagePtr); 197 | Memory.writePointer(cache.loginMessagePtr, ptr(0)); 198 | } 199 | cache.sendMessage(message); 200 | message = MessageQueue._dequeue(cache.sendQueue); 201 | } 202 | } 203 | 204 | function onReceive() { 205 | var headerBuffer = malloc(7); 206 | libc_recv(cache.fd, headerBuffer, 7, 256); 207 | var messageType = Buffer._getMessageType(headerBuffer); 208 | 209 | if (messageType >= 20000) { 210 | if (messageType === 20104) { //LoginOk 211 | Memory.writeInt(cache.state, 5); 212 | } 213 | 214 | var payloadLength = Buffer._getEncodingLength(headerBuffer); 215 | var messageVersion = Buffer._getMessageVersion(headerBuffer); 216 | free(headerBuffer); 217 | var messageBuffer = malloc(payloadLength); 218 | libc_recv(cache.fd, messageBuffer, payloadLength, 256); 219 | var message = cache.createMessageByType(cache.messageFactory, messageType); 220 | Message._setVersion(message, messageVersion); 221 | var byteStream = Message._getByteStream(message); 222 | ByteStream._setLength(byteStream, payloadLength); 223 | 224 | if (payloadLength) { 225 | var byteArray = malloc(payloadLength); 226 | memmove(byteArray, messageBuffer, payloadLength); 227 | ByteStream._setByteArray(byteStream, byteArray); 228 | } 229 | 230 | Message._decode(message); 231 | MessageQueue._enqueue(cache.recvQueue, message); 232 | free(messageBuffer); 233 | } 234 | } 235 | 236 | Interceptor.attach(Module.findExportByName('libc.so', 'pthread_cond_signal'), { 237 | onEnter: function(args) { 238 | onWakeup(); 239 | } 240 | }); 241 | 242 | Interceptor.replace(Module.findExportByName('libc.so', 'select'), new NativeCallback(function(nfds, readfds, writefds, exceptfds, timeout) { 243 | var r = select(nfds, readfds, writefds, exceptfds, timeout); 244 | if (this.returnAddress.equals(cache.selectReturn)) { 245 | onReceive(); 246 | } 247 | return r; 248 | }, 'int', ['int', 'pointer', 'pointer', 'pointer', 'pointer'])); 249 | } 250 | 251 | function setup() { 252 | Interceptor.attach(Module.findExportByName('libc.so', 'connect'), { 253 | onEnter: function(args) { 254 | if (ntohs(Memory.readU16(args[1].add(2))) === 9339) { 255 | cache.fd = args[0].toInt32(); 256 | var host = Memory.allocUtf8String("127.0.0.1"); 257 | Memory.writeInt(args[1].add(4), inet_addr(host)); 258 | setupMessaging(); 259 | toast("Server By OBJECT_TEAM"); 260 | } 261 | } 262 | }); 263 | } 264 | 265 | setup(); -------------------------------------------------------------------------------- /Bs/V27/v27.js: -------------------------------------------------------------------------------- 1 | // global cache 2 | var cache = { 3 | modules: {}, 4 | options: {} 5 | }; 6 | const base = Process.findModuleByName('libg.so').base; 7 | console.log("Da"); 8 | 9 | const SERVER_CONNECTION = 0xC09140; 10 | const PTHREAD_COND_WAKE_RETURN = 0x7B1326 + 8 + 1; 11 | const WAKEUP_RETURN_ARRAY = [0xCE58C, 0xED038, 0xF7C78, 0x2DBF0C, 0x43A4C8, 0x44EF10]; 12 | const CREATE_MESSAGE_BY_TYPE = 0x60FCC0; 13 | const SELECT_RETURN = 0x1F1894; 14 | const POINTER_SIZE = 4; 15 | 16 | var Login = 0; 17 | //libc native functions 18 | var malloc = new NativeFunction(Module.findExportByName('libc.so', 'malloc'), 'pointer', ['int']); 19 | var free = new NativeFunction(Module.findExportByName('libc.so', 'free'), 'void', ['pointer']); 20 | var pthread_mutex_lock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_lock'), 'int', ['pointer']); 21 | var pthread_mutex_unlock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_unlock'), 'int', ['pointer']); 22 | var pthread_cond_signal = new NativeFunction(Module.findExportByName('libc.so', 'pthread_cond_signal'), 'int', ['pointer']); 23 | var select = new NativeFunction(Module.findExportByName('libc.so', 'select'), 'int', ['int', 'pointer', 'pointer', 'pointer', 'pointer']); 24 | var memmove = new NativeFunction(Module.findExportByName('libc.so', 'memmove'), 'pointer', ['pointer', 'pointer', 'int']); 25 | var ntohs = new NativeFunction(Module.findExportByName('libc.so', 'ntohs'), 'uint16', ['uint16']); 26 | var inet_addr = new NativeFunction(Module.findExportByName('libc.so', 'inet_addr'), 'int', ['pointer']); 27 | var libc_send = new NativeFunction(Module.findExportByName('libc.so', 'send'), 'int', ['int', 'pointer', 'int', 'int']); 28 | var libc_recv = new NativeFunction(Module.findExportByName('libc.so', 'recv'), 'int', ['int', 'pointer', 'int', 'int']); 29 | 30 | 31 | 32 | 33 | var Message = { 34 | _getByteStream: function(message) { 35 | return message.add(8); 36 | }, 37 | _getVersion: function(message) { 38 | return Memory.readInt(message.add(4)); 39 | }, 40 | _setVersion: function(message, version) { 41 | Memory.writeInt(message.add(4), version); 42 | }, 43 | _getMessageType: function(message) { 44 | return (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(20)), 'int', ['pointer']))(message); 45 | }, 46 | _encode: function(message) { 47 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(8)), 'void', ['pointer']))(message); 48 | }, 49 | _decode: function(message) { 50 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(12)), 'void', ['pointer']))(message); 51 | }, 52 | _free: function(message) { 53 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(24)), 'void', ['pointer']))(message); 54 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(4)), 'void', ['pointer']))(message); 55 | } 56 | }; 57 | var ByteStream = { 58 | _getOffset: function(byteStream) { 59 | return Memory.readInt(byteStream.add(16)); 60 | }, 61 | _getByteArray: function(byteStream) { 62 | return Memory.readPointer(byteStream.add(28)); 63 | }, 64 | _setByteArray: function(byteStream, array) { 65 | Memory.writePointer(byteStream.add(28), array); 66 | }, 67 | _getLength: function(byteStream) { 68 | return Memory.readInt(byteStream.add(20)); 69 | }, 70 | _setLength: function(byteStream, length) { 71 | Memory.writeInt(byteStream.add(20), length); 72 | } 73 | }; 74 | var Buffer = { 75 | _getEncodingLength: function(buffer) { 76 | return Memory.readU8(buffer.add(2)) << 16 | Memory.readU8(buffer.add(3)) << 8 | Memory.readU8(buffer.add(4)); 77 | }, 78 | _setEncodingLength: function(buffer, length) { 79 | Memory.writeU8(buffer.add(2), length >> 16 & 0xFF); 80 | Memory.writeU8(buffer.add(3), length >> 8 & 0xFF); 81 | Memory.writeU8(buffer.add(4), length & 0xFF); 82 | }, 83 | _setMessageType: function(buffer, type) { 84 | Memory.writeU8(buffer.add(0), type >> 8 & 0xFF); 85 | Memory.writeU8(buffer.add(1), type & 0xFF); 86 | }, 87 | _getMessageVersion: function(buffer) { 88 | return Memory.readU8(buffer.add(5)) << 8 | Memory.readU8(buffer.add(6)); 89 | }, 90 | _setMessageVersion: function(buffer, version) { 91 | Memory.writeU8(buffer.add(5), version >> 8 & 0xFF); 92 | Memory.writeU8(buffer.add(6), version & 0xFF); 93 | }, 94 | _getMessageType: function(buffer) { 95 | return Memory.readU8(buffer) << 8 | Memory.readU8(buffer.add(1)); 96 | } 97 | }; 98 | var MessageQueue = { 99 | _getCapacity: function(queue) { 100 | return Memory.readInt(queue.add(4)); 101 | }, 102 | _get: function(queue, index) { 103 | return Memory.readPointer(Memory.readPointer(queue).add(POINTER_SIZE * index)); 104 | }, 105 | _set: function(queue, index, message) { 106 | Memory.writePointer(Memory.readPointer(queue).add(POINTER_SIZE * index), message); 107 | }, 108 | _count: function(queue) { 109 | return Memory.readInt(queue.add(8)); 110 | }, 111 | _decrementCount: function(queue) { 112 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) - 1); 113 | }, 114 | _incrementCount: function(queue) { 115 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) + 1); 116 | }, 117 | _getDequeueIndex: function(queue) { 118 | return Memory.readInt(queue.add(12)); 119 | }, 120 | _getEnqueueIndex: function(queue) { 121 | return Memory.readInt(queue.add(16)); 122 | }, 123 | _setDequeueIndex: function(queue, index) { 124 | Memory.writeInt(queue.add(12), index); 125 | }, 126 | _setEnqueueIndex: function(queue, index) { 127 | Memory.writeInt(queue.add(16), index); 128 | }, 129 | _enqueue: function(queue, message) { 130 | pthread_mutex_lock(queue.sub(4)); 131 | var index = MessageQueue._getEnqueueIndex(queue); 132 | MessageQueue._set(queue, index, message); 133 | MessageQueue._setEnqueueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 134 | MessageQueue._incrementCount(queue); 135 | pthread_mutex_unlock(queue.sub(4)); 136 | }, 137 | _dequeue: function(queue) { 138 | var message = null; 139 | pthread_mutex_lock(queue.sub(4)); 140 | if (MessageQueue._count(queue)) { 141 | var index = MessageQueue._getDequeueIndex(queue); 142 | message = MessageQueue._get(queue, index); 143 | MessageQueue._setDequeueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 144 | MessageQueue._decrementCount(queue); 145 | } 146 | pthread_mutex_unlock(queue.sub(4)); 147 | return message; 148 | } 149 | }; 150 | 151 | function setupMessaging() { 152 | cache.base = Module.findBaseAddress("libg.so"); 153 | cache.wakeUpReturnArray = []; 154 | for (var i = 0; i < WAKEUP_RETURN_ARRAY.length; i += 1) { 155 | cache.wakeUpReturnArray.push(cache.base.add(WAKEUP_RETURN_ARRAY[i])); 156 | } 157 | cache.pthreadReturn = base.add(PTHREAD_COND_WAKE_RETURN); 158 | cache.serverConnection = Memory.readPointer(base.add(SERVER_CONNECTION)); 159 | cache.selectReturn = base.add(SELECT_RETURN); 160 | cache.messaging = Memory.readPointer(cache.serverConnection.add(4)); 161 | cache.messageFactory = Memory.readPointer(cache.messaging.add(52)); 162 | cache.recvQueue = cache.messaging.add(60); 163 | cache.sendQueue = cache.messaging.add(84); 164 | cache.state = cache.messaging.add(208); 165 | cache.loginMessagePtr = cache.messaging.add(212); 166 | 167 | cache.createMessageByType = new NativeFunction(base.add(CREATE_MESSAGE_BY_TYPE), 'pointer', ['pointer', 'int']); 168 | 169 | cache.sendMessage = function (message) { 170 | Message._encode(message); 171 | var byteStream = Message._getByteStream(message); 172 | var messagePayloadLength = ByteStream._getOffset(byteStream); 173 | var messageBuffer = malloc(messagePayloadLength + 7); 174 | memmove(messageBuffer.add(7), ByteStream._getByteArray(byteStream), messagePayloadLength); 175 | Buffer._setEncodingLength(messageBuffer, messagePayloadLength); 176 | Buffer._setMessageType(messageBuffer, Message._getMessageType(message)); 177 | Buffer._setMessageVersion(messageBuffer, Message._getVersion(message)); 178 | libc_send(cache.fd, messageBuffer, messagePayloadLength + 7, 0); 179 | free(messageBuffer); 180 | //Message._free(message); 181 | }; 182 | 183 | function onWakeup() { 184 | console.log("WAKE UP!!"); 185 | var message = MessageQueue._dequeue(cache.sendQueue); 186 | while (message) { 187 | var messageType = Message._getMessageType(message); 188 | console.log(messageType) 189 | if (messageType === 10100) { 190 | message = Memory.readPointer(cache.loginMessagePtr); 191 | Memory.writePointer(cache.loginMessagePtr, ptr(0)); 192 | Login = 1; 193 | } 194 | cache.sendMessage(message); 195 | message = MessageQueue._dequeue(cache.sendQueue); 196 | 197 | } 198 | } 199 | 200 | function onReceive() { 201 | var headerBuffer = malloc(7); 202 | libc_recv(cache.fd, headerBuffer, 7, 256); 203 | var messageType = Buffer._getMessageType(headerBuffer); 204 | 205 | if (messageType >= 20000) { 206 | if (messageType === 20104) { //LoginOk 207 | Memory.writeInt(cache.state, 5); 208 | } 209 | var payloadLength = Buffer._getEncodingLength(headerBuffer); 210 | var messageVersion = Buffer._getMessageVersion(headerBuffer); 211 | free(headerBuffer); 212 | var messageBuffer = malloc(payloadLength); 213 | libc_recv(cache.fd, messageBuffer, payloadLength, 256); 214 | var message = cache.createMessageByType(cache.messageFactory, messageType); 215 | Message._setVersion(message, messageVersion); 216 | var byteStream = Message._getByteStream(message); 217 | ByteStream._setLength(byteStream, payloadLength); 218 | if (payloadLength) { 219 | var byteArray = malloc(payloadLength); 220 | memmove(byteArray, messageBuffer, payloadLength); 221 | ByteStream._setByteArray(byteStream, byteArray); 222 | } 223 | Message._decode(message); 224 | // logMessage(message); 225 | MessageQueue._enqueue(cache.recvQueue, message); 226 | free(messageBuffer); 227 | } 228 | } 229 | 230 | Interceptor.attach(Module.findExportByName('libc.so', 'pthread_cond_signal'), { 231 | onEnter: function(args) { 232 | onWakeup(); 233 | } 234 | }); 235 | 236 | Interceptor.replace(Module.findExportByName('libc.so', 'select'), new NativeCallback(function(nfds, readfds, writefds, exceptfds, timeout) { 237 | var r = select(nfds, readfds, writefds, exceptfds, timeout); 238 | if (this.returnAddress.equals(cache.selectReturn)) { 239 | onReceive(); 240 | } 241 | return r; 242 | }, 'int', ['int', 'pointer', 'pointer', 'pointer', 'pointer'])); 243 | } 244 | function setup() { 245 | Interceptor.attach(Module.findExportByName('libc.so', 'connect'), { 246 | onEnter: function(args) { 247 | if (ntohs(Memory.readU16(args[1].add(2))) === 9339) { 248 | cache.fd = args[0].toInt32(); 249 | console.log("Suka connecting...."); 250 | var host = Memory.allocUtf8String("127.0.0.1"); 251 | Memory.writeInt(args[1].add(4), inet_addr(host)); 252 | setupMessaging(); 253 | } 254 | } 255 | }); 256 | } 257 | -------------------------------------------------------------------------------- /Bs/V28/libv28infinity.js: -------------------------------------------------------------------------------- 1 | // this script have a debug menu 2 | // global cache 3 | var cache = { 4 | modules: {}, 5 | options: {} 6 | }; 7 | 8 | const base = Process.findModuleByName('libg.so').base; 9 | 10 | const SERVER_CONNECTION = 0xC1BCC8; 11 | const PTHREAD_COND_WAKE_RETURN = 0x7B775E + 8 + 1; 12 | const CREATE_MESSAGE_BY_TYPE = 0x4F9F00; 13 | const WAKEUP_RETURN_ARRAY = [0x2D1EA4, 0x2D30B8, 0x33F098, 0x4B6B58]; // 34D268 - Unk 14 | const SELECT_RETURN = 0xCCFA4; 15 | const POINTER_SIZE = 4; 16 | const stage_offset = 0xC1AE80; 17 | const STAGE_ADD_CHILD = 0x210634; 18 | const StageAdd = new NativeFunction(base.add(STAGE_ADD_CHILD), 'void', ['pointer', 'pointer']); 19 | const ADD_FILE = 0x39C100; 20 | const AddFile = new NativeFunction(base.add(ADD_FILE), 'int', ['pointer', 'pointer', 'int', 'int', 'int', 'int', 'int']); 21 | const STAGE_REMOVE_CHILD = 0x219CF8; 22 | const StageRemove = new NativeFunction(base.add(STAGE_REMOVE_CHILD), 'void', ['pointer', 'pointer']); 23 | const STRING_CTOR = 0x449D88; 24 | const StringCtor = new NativeFunction(base.add(STRING_CTOR), 'pointer', ['pointer', 'pointer']); 25 | const SET_TEXT = 0x574840; 26 | const fSetText = new NativeFunction(base.add(SET_TEXT), 'pointer', ['pointer', 'pointer']); 27 | const START_GAME = 0x41C8D4; 28 | 29 | var Login = 0; 30 | 31 | //libc native functions 32 | var malloc = new NativeFunction(Module.findExportByName('libc.so', 'malloc'), 'pointer', ['int']); 33 | var free = new NativeFunction(Module.findExportByName('libc.so', 'free'), 'void', ['pointer']); 34 | var pthread_mutex_lock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_lock'), 'int', ['pointer']); 35 | var pthread_mutex_unlock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_unlock'), 'int', ['pointer']); 36 | var pthread_cond_signal = new NativeFunction(Module.findExportByName('libc.so', 'pthread_cond_signal'), 'int', ['pointer']); 37 | var select = new NativeFunction(Module.findExportByName('libc.so', 'select'), 'int', ['int', 'pointer', 'pointer', 'pointer', 'pointer']); 38 | var memmove = new NativeFunction(Module.findExportByName('libc.so', 'memmove'), 'pointer', ['pointer', 'pointer', 'int']); 39 | var ntohs = new NativeFunction(Module.findExportByName('libc.so', 'ntohs'), 'uint16', ['uint16']); 40 | var inet_addr = new NativeFunction(Module.findExportByName('libc.so', 'inet_addr'), 'int', ['pointer']); 41 | var libc_send = new NativeFunction(Module.findExportByName('libc.so', 'send'), 'int', ['int', 'pointer', 'int', 'int']); 42 | var libc_recv = new NativeFunction(Module.findExportByName('libc.so', 'recv'), 'int', ['int', 'pointer', 'int', 'int']); 43 | 44 | 45 | var Message = { 46 | _getByteStream: function(message) { 47 | return message.add(8); 48 | }, 49 | _getVersion: function(message) { 50 | return Memory.readInt(message.add(4)); 51 | }, 52 | _setVersion: function(message, version) { 53 | Memory.writeInt(message.add(4), version); 54 | }, 55 | _getMessageType: function(message) { 56 | return (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(20)), 'int', ['pointer']))(message); 57 | }, 58 | _encode: function(message) { 59 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(8)), 'void', ['pointer']))(message); 60 | }, 61 | _decode: function(message) { 62 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(12)), 'void', ['pointer']))(message); 63 | }, 64 | _free: function(message) { 65 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(24)), 'void', ['pointer']))(message); 66 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(4)), 'void', ['pointer']))(message); 67 | } 68 | }; 69 | var ByteStream = { 70 | _getOffset: function(byteStream) { 71 | return Memory.readInt(byteStream.add(16)); 72 | }, 73 | _getByteArray: function(byteStream) { 74 | return Memory.readPointer(byteStream.add(28)); 75 | }, 76 | _setByteArray: function(byteStream, array) { 77 | Memory.writePointer(byteStream.add(28), array); 78 | }, 79 | _getLength: function(byteStream) { 80 | return Memory.readInt(byteStream.add(20)); 81 | }, 82 | _setLength: function(byteStream, length) { 83 | Memory.writeInt(byteStream.add(20), length); 84 | } 85 | }; 86 | var Buffer = { 87 | _getEncodingLength: function(buffer) { 88 | return Memory.readU8(buffer.add(2)) << 16 | Memory.readU8(buffer.add(3)) << 8 | Memory.readU8(buffer.add(4)); 89 | }, 90 | _setEncodingLength: function(buffer, length) { 91 | Memory.writeU8(buffer.add(2), length >> 16 & 0xFF); 92 | Memory.writeU8(buffer.add(3), length >> 8 & 0xFF); 93 | Memory.writeU8(buffer.add(4), length & 0xFF); 94 | }, 95 | _setMessageType: function(buffer, type) { 96 | Memory.writeU8(buffer.add(0), type >> 8 & 0xFF); 97 | Memory.writeU8(buffer.add(1), type & 0xFF); 98 | }, 99 | _getMessageVersion: function(buffer) { 100 | return Memory.readU8(buffer.add(5)) << 8 | Memory.readU8(buffer.add(6)); 101 | }, 102 | _setMessageVersion: function(buffer, version) { 103 | Memory.writeU8(buffer.add(5), version >> 8 & 0xFF); 104 | Memory.writeU8(buffer.add(6), version & 0xFF); 105 | }, 106 | _getMessageType: function(buffer) { 107 | return Memory.readU8(buffer) << 8 | Memory.readU8(buffer.add(1)); 108 | } 109 | }; 110 | var MessageQueue = { 111 | _getCapacity: function(queue) { 112 | return Memory.readInt(queue.add(4)); 113 | }, 114 | _get: function(queue, index) { 115 | return Memory.readPointer(Memory.readPointer(queue).add(POINTER_SIZE * index)); 116 | }, 117 | _set: function(queue, index, message) { 118 | Memory.writePointer(Memory.readPointer(queue).add(POINTER_SIZE * index), message); 119 | }, 120 | _count: function(queue) { 121 | return Memory.readInt(queue.add(8)); 122 | }, 123 | _decrementCount: function(queue) { 124 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) - 1); 125 | }, 126 | _incrementCount: function(queue) { 127 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) + 1); 128 | }, 129 | _getDequeueIndex: function(queue) { 130 | return Memory.readInt(queue.add(12)); 131 | }, 132 | _getEnqueueIndex: function(queue) { 133 | return Memory.readInt(queue.add(16)); 134 | }, 135 | _setDequeueIndex: function(queue, index) { 136 | Memory.writeInt(queue.add(12), index); 137 | }, 138 | _setEnqueueIndex: function(queue, index) { 139 | Memory.writeInt(queue.add(16), index); 140 | }, 141 | _enqueue: function(queue, message) { 142 | pthread_mutex_lock(queue.sub(4)); 143 | var index = MessageQueue._getEnqueueIndex(queue); 144 | MessageQueue._set(queue, index, message); 145 | MessageQueue._setEnqueueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 146 | MessageQueue._incrementCount(queue); 147 | pthread_mutex_unlock(queue.sub(4)); 148 | }, 149 | _dequeue: function(queue) { 150 | var message = null; 151 | pthread_mutex_lock(queue.sub(4)); 152 | if (MessageQueue._count(queue)) { 153 | var index = MessageQueue._getDequeueIndex(queue); 154 | message = MessageQueue._get(queue, index); 155 | MessageQueue._setDequeueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 156 | MessageQueue._decrementCount(queue); 157 | } 158 | pthread_mutex_unlock(queue.sub(4)); 159 | return message; 160 | } 161 | }; 162 | 163 | function offlinector() { 164 | Interceptor.attach(base.add(START_GAME), { 165 | onEnter(args) { 166 | args[3] = ptr(3); 167 | } 168 | }); 169 | } 170 | 171 | function setupMessaging() { 172 | cache.wakeUpReturnArray = []; 173 | for (var i = 0; i < WAKEUP_RETURN_ARRAY.length; i += 1) { 174 | cache.wakeUpReturnArray.push(base.add(WAKEUP_RETURN_ARRAY[i])); 175 | } 176 | cache.pthreadReturn = base.add(PTHREAD_COND_WAKE_RETURN); 177 | cache.serverConnection = Memory.readPointer(base.add(SERVER_CONNECTION)); 178 | cache.selectReturn = base.add(SELECT_RETURN); 179 | cache.messaging = Memory.readPointer(cache.serverConnection.add(4)); 180 | cache.messageFactory = Memory.readPointer(cache.messaging.add(52)); 181 | cache.recvQueue = cache.messaging.add(60); 182 | cache.sendQueue = cache.messaging.add(84); 183 | cache.state = cache.messaging.add(208); 184 | cache.loginMessagePtr = cache.messaging.add(212); 185 | 186 | cache.createMessageByType = new NativeFunction(base.add(CREATE_MESSAGE_BY_TYPE), 'pointer', ['pointer', 'int']); 187 | 188 | cache.sendMessage = function (message) { 189 | Message._encode(message); 190 | var byteStream = Message._getByteStream(message); 191 | var messagePayloadLength = ByteStream._getOffset(byteStream); 192 | var messageBuffer = malloc(messagePayloadLength + 7); 193 | memmove(messageBuffer.add(7), ByteStream._getByteArray(byteStream), messagePayloadLength); 194 | Buffer._setEncodingLength(messageBuffer, messagePayloadLength); 195 | Buffer._setMessageType(messageBuffer, Message._getMessageType(message)); 196 | Buffer._setMessageVersion(messageBuffer, Message._getVersion(message)); 197 | libc_send(cache.fd, messageBuffer, messagePayloadLength + 7, 0); 198 | free(messageBuffer); 199 | Interceptor.replace(base.add(0x214B10), new NativeCallback(function() { 200 | return 0; 201 | }, 'int', [])); 202 | //Message._free(message); 203 | }; 204 | 205 | function onWakeup() { 206 | var message = MessageQueue._dequeue(cache.sendQueue); 207 | while (message) { 208 | var messageType = Message._getMessageType(message); 209 | console.log(messageType) 210 | if (messageType === 10100) { 211 | message = Memory.readPointer(cache.loginMessagePtr); 212 | Memory.writePointer(cache.loginMessagePtr, ptr(0)); 213 | Login = 1; 214 | } 215 | cache.sendMessage(message); 216 | message = MessageQueue._dequeue(cache.sendQueue); 217 | 218 | } 219 | } 220 | 221 | function onReceive() { 222 | var headerBuffer = malloc(7); 223 | libc_recv(cache.fd, headerBuffer, 7, 256); 224 | var messageType = Buffer._getMessageType(headerBuffer); 225 | 226 | if (messageType >= 20000) { 227 | if (messageType === 20104) { //LoginOk 228 | Memory.writeInt(cache.state, 5); 229 | offlinector(); 230 | } 231 | if (messageType === 22228) { 232 | createDebugButton(); 233 | } 234 | var payloadLength = Buffer._getEncodingLength(headerBuffer); 235 | var messageVersion = Buffer._getMessageVersion(headerBuffer); 236 | free(headerBuffer); 237 | var messageBuffer = malloc(payloadLength); 238 | libc_recv(cache.fd, messageBuffer, payloadLength, 256); 239 | var message = cache.createMessageByType(cache.messageFactory, messageType); 240 | Message._setVersion(message, messageVersion); 241 | var byteStream = Message._getByteStream(message); 242 | ByteStream._setLength(byteStream, payloadLength); 243 | if (payloadLength) { 244 | var byteArray = malloc(payloadLength); 245 | memmove(byteArray, messageBuffer, payloadLength); 246 | ByteStream._setByteArray(byteStream, byteArray); 247 | } 248 | Message._decode(message); 249 | // logMessage(message); 250 | MessageQueue._enqueue(cache.recvQueue, message); 251 | free(messageBuffer); 252 | } 253 | } 254 | 255 | const wakeup = Interceptor.attach(Module.findExportByName('libc.so', 'pthread_cond_signal'), { 256 | onEnter: function(args) { 257 | onWakeup(); 258 | //setTimeout(reAttach, 100); 259 | } 260 | }); 261 | 262 | function reAttach() { 263 | const wake = Interceptor.attach(base.add(0x8428FA + 1), { 264 | onEnter: function(args) { 265 | wake.detach(); 266 | onWakeup(); 267 | setTimeout(reAttach, 100); 268 | } 269 | }); 270 | } 271 | 272 | function unlocker() { 273 | Login = 0; 274 | attachTo(); 275 | } 276 | 277 | /*Interceptor.replace(Module.findExportByName('libc.so', 'pthread_cond_signal'), new NativeCallback(function(a1) { 278 | if(!this.returnAddress.equals(cache.pthreadReturn)) { 279 | return pthread_cond_signal(a1); 280 | } 281 | var sp4 = Memory.readPointer(this.context.sp.add(4)); 282 | for (var i = 0; i < cache.wakeUpReturnArray.length; i += 1) { 283 | if (sp4.equals(cache.wakeUpReturnArray[i])) { 284 | onWakeup(); 285 | return 0; 286 | } 287 | } 288 | return pthread_cond_signal(a1); 289 | }, 'int', ['pointer']));*/ 290 | 291 | Interceptor.attach(Module.findExportByName('libc.so', 'select'), { 292 | onEnter: function(args) { 293 | onReceive(); 294 | } 295 | }); 296 | } 297 | 298 | const adder = Interceptor.attach(base.add(ADD_FILE), { 299 | onEnter: function(args) { 300 | adder.detach(); 301 | AddFile(args[0], strPtr("sc/debug.sc"), -1, -1, -1, -1, 0); 302 | } 303 | }); 304 | 305 | Interceptor.attach(Module.findExportByName('libc.so', 'connect'), { 306 | onEnter: function(args) { 307 | if (ntohs(Memory.readU16(args[1].add(2))) === 9339) { 308 | cache.fd = args[0].toInt32(); 309 | var host = Memory.allocUtf8String("185.105.90.122"); 310 | Memory.writeInt(args[1].add(4), inet_addr(host)); 311 | Memory.writeU16(args[1].add(2), ntohs(parseInt(4444))); 312 | setupMessaging(); 313 | } 314 | } 315 | }); 316 | 317 | function strPtr(message) { 318 | var charPtr = malloc(message.length + 1); 319 | Memory.writeUtf8String(charPtr, message); 320 | return charPtr 321 | } 322 | 323 | function createStringObject(mmmdmskads) { 324 | var land = strPtr(mmmdmskads); 325 | let pesocheck = malloc(128); 326 | StringCtor(pesocheck, land); 327 | return pesocheck; 328 | } 329 | 330 | function sendDebugAction(action) { 331 | var messageBuffer = malloc(7 + 4); 332 | Buffer._setEncodingLength(messageBuffer, 4); 333 | Buffer._setMessageType(messageBuffer, 10777); 334 | Buffer._setMessageVersion(messageBuffer, 0); 335 | messageBuffer.add(7).writeInt(action); 336 | libc_send(cache.fd, messageBuffer, 7 + 4, 0); 337 | free(messageBuffer); 338 | } 339 | 340 | const CumButton = new NativeFunction(base.add(0xEE428), 'int', []); 341 | 342 | function createDebugButton() { 343 | let btn = malloc(300); 344 | new NativeFunction(base.add(0x2AD55C), 'void', ['pointer'])(btn); 345 | let movieClip = new NativeFunction(base.add(0x622BA0), 'pointer', ['pointer', 'pointer', 'bool'])(strPtr("sc/debug.sc"), strPtr("debug_button"), 1); 346 | new NativeFunction(base.add(0x2093CC), 'void', ['pointer', 'pointer'])(btn, movieClip); 347 | 348 | StageAdd(base.add(stage_offset).readPointer(), btn); 349 | new NativeFunction(base.add(0x2BAC08), 'void', ['pointer', 'float', 'float'])(btn, 30, 560); 350 | fSetText(btn, createStringObject("D")); 351 | 352 | let debug = malloc(300); 353 | new NativeFunction(base.add(0x2AD55C), 'void', ['pointer'])(debug); 354 | let movieCliper = new NativeFunction(base.add(0x622BA0), 'pointer', ['pointer', 'pointer', 'bool'])(strPtr("sc/debug.sc"), strPtr("debug_menu"), 1); 355 | new NativeFunction(base.add(0x2093CC), 'void', ['pointer', 'pointer'])(debug, movieCliper); 356 | 357 | new NativeFunction(base.add(0x2BAC08), 'void', ['pointer', 'float', 'float'])(debug, 700, 0); 358 | 359 | let close = malloc(300); 360 | new NativeFunction(base.add(0x2AD55C), 'void', ['pointer'])(close); 361 | let movieCliperrrrrr = new NativeFunction(base.add(0x622BA0), 'pointer', ['pointer', 'pointer', 'bool'])(strPtr("sc/debug.sc"), strPtr("debug_button"), 0); 362 | new NativeFunction(base.add(0x2093CC), 'void', ['pointer', 'pointer'])(close, movieCliperrrrrr); 363 | 364 | new NativeFunction(base.add(0x2BAC08), 'void', ['pointer', 'float', 'float'])(close, 965, 60); 365 | fSetText(close, createStringObject("Close")); 366 | 367 | let pop = malloc(300); 368 | new NativeFunction(base.add(0x2AD55C), 'void', ['pointer'])(pop); 369 | let movieCliperrrrrrr = new NativeFunction(base.add(0x622BA0), 'pointer', ['pointer', 'pointer', 'bool'])(strPtr("sc/debug.sc"), strPtr("debug_menu_button"), 1); 370 | new NativeFunction(base.add(0x2093CC), 'void', ['pointer', 'pointer'])(pop, movieCliperrrrrrr); 371 | 372 | new NativeFunction(base.add(0x2BAC08), 'void', ['pointer', 'float', 'float'])(pop, 800, 0); 373 | fSetText(pop, createStringObject("Debug Menu")); 374 | 375 | let cummode = malloc(300); 376 | new NativeFunction(base.add(0x2AD55C), 'void', ['pointer'])(cummode); 377 | let movieCliperr = new NativeFunction(base.add(0x622BA0), 'pointer', ['pointer', 'pointer', 'bool'])(strPtr("sc/debug.sc"), strPtr("debug_menu_item"), 0); 378 | new NativeFunction(base.add(0x2093CC), 'void', ['pointer', 'pointer'])(cummode, movieCliperr); 379 | 380 | new NativeFunction(base.add(0x2BAC08), 'void', ['pointer', 'float', 'float'])(cummode, 860, 100); 381 | fSetText(cummode, createStringObject("Next Camera Mode")); 382 | 383 | cache.buttonInterceptor = Interceptor.attach(base.add(0x46DB0C), { 384 | onEnter(args) { 385 | if (args[0].toInt32() == btn.toInt32()) { 386 | StageAdd(base.add(stage_offset).readPointer(), debug); 387 | StageAdd(base.add(stage_offset).readPointer(), cummode); 388 | StageAdd(base.add(stage_offset).readPointer(), close); 389 | StageAdd(base.add(stage_offset).readPointer(), pop); 390 | } 391 | if (args[0].toInt32() == close.toInt32()) { 392 | StageRemove(base.add(stage_offset).readPointer(), debug); 393 | StageRemove(base.add(stage_offset).readPointer(), close); 394 | StageRemove(base.add(stage_offset).readPointer(), cummode); 395 | StageRemove(base.add(stage_offset).readPointer(), pop); 396 | } 397 | if (args[0].toInt32() == cummode.toInt32()) { 398 | CumButton(); 399 | } 400 | } 401 | }); 402 | } 403 | -------------------------------------------------------------------------------- /Bs/V29/libsctest.js: -------------------------------------------------------------------------------- 1 | // global cache 2 | var cache = { 3 | modules: {}, 4 | options: {} 5 | }; 6 | 7 | // global constants //TODO: update addresses! 8 | var SERVER_CONNECTION = 0xC86D10; //found by "Locale is null, needed by GameSCIDManag" UPDATED! 9 | var PTHREAD_COND_WAKE_RETURN = 0x80E5A2 + 8 + 1; 10 | var CREATE_MESSAGE_BY_TYPE = 0x4A7EE4; 11 | var POINTER_SIZE = 4; 12 | 13 | // global lib calls 14 | var malloc = new NativeFunction(Module.findExportByName('libc.so', 'malloc'), 'pointer', ['int']); 15 | var free = new NativeFunction(Module.findExportByName('libc.so', 'free'), 'void', ['pointer']); 16 | var pthread_mutex_lock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_lock'), 'int', ['pointer']); 17 | var pthread_mutex_unlock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_unlock'), 'int', ['pointer']); 18 | var pthread_cond_signal = new NativeFunction(Module.findExportByName('libc.so', 'pthread_cond_signal'), 'int', ['pointer']); 19 | var select = new NativeFunction(Module.findExportByName('libc.so', 'select'), 'int', ['int', 'pointer', 'pointer', 'pointer', 'pointer']); 20 | var memmove = new NativeFunction(Module.findExportByName('libc.so', 'memmove'), 'pointer', ['pointer', 'pointer', 'int']); 21 | var ntohs = new NativeFunction(Module.findExportByName('libc.so', 'ntohs'), 'uint16', ['uint16']); 22 | var inet_addr = new NativeFunction(Module.findExportByName('libc.so', 'inet_addr'), 'int', ['pointer']); 23 | var libc_send = new NativeFunction(Module.findExportByName('libc.so', 'send'), 'int', ['int', 'pointer', 'int', 'int']); 24 | var libc_recv = new NativeFunction(Module.findExportByName('libc.so', 'recv'), 'int', ['int', 'pointer', 'int', 'int']); 25 | 26 | // injection method 27 | function onLoad(name, callback) { 28 | Java.perform(function() { 29 | var System = Java.use('java.lang.System'); 30 | var Runtime = Java.use('java.lang.Runtime'); 31 | var SystemLoad_2 = System.loadLibrary.overload('java.lang.String'); 32 | var VMStack = Java.use('dalvik.system.VMStack'); 33 | SystemLoad_2.implementation = function(library) { 34 | try { 35 | if (Runtime.getRuntime().loadLibrary0) { 36 | Runtime.getRuntime().loadLibrary0(VMStack.getCallingClassLoader(), library); 37 | } else { 38 | Runtime.getRuntime().loadLibrary(library, VMStack.getCallingClassLoader()); 39 | } 40 | if(name === 'lib' + library + '.so') { 41 | callback(); 42 | } 43 | } catch(error) { 44 | } 45 | }; 46 | }); 47 | } 48 | 49 | // logic helpers 50 | var Message = { 51 | _getByteStream: function(message) { 52 | return message.add(8); 53 | }, 54 | _getVersion: function(message) { 55 | return Memory.readInt(message.add(4)); 56 | }, 57 | _setVersion: function(message, version) { 58 | Memory.writeInt(message.add(4), version); 59 | }, 60 | _getMessageType: function(message) { 61 | return (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(20)), 'int', ['pointer']))(message); 62 | }, 63 | _encode: function(message) { 64 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(8)), 'void', ['pointer']))(message); 65 | }, 66 | _decode: function(message) { 67 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(12)), 'void', ['pointer']))(message); 68 | }, 69 | _free: function(message) { 70 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(24)), 'void', ['pointer']))(message); 71 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(4)), 'void', ['pointer']))(message); 72 | } 73 | }; 74 | var ByteStream = { 75 | _getOffset: function(byteStream) { 76 | return Memory.readInt(byteStream.add(16)); 77 | }, 78 | _getByteArray: function(byteStream) { 79 | return Memory.readPointer(byteStream.add(28)); 80 | }, 81 | _setByteArray: function(byteStream, array) { 82 | Memory.writePointer(byteStream.add(28), array); 83 | }, 84 | _getLength: function(byteStream) { 85 | return Memory.readInt(byteStream.add(20)); 86 | }, 87 | _setLength: function(byteStream, length) { 88 | Memory.writeInt(byteStream.add(20), length); 89 | } 90 | }; 91 | var Buffer = { 92 | _getEncodingLength: function(buffer) { 93 | return Memory.readU8(buffer.add(2)) << 16 | Memory.readU8(buffer.add(3)) << 8 | Memory.readU8(buffer.add(4)); 94 | }, 95 | _setEncodingLength: function(buffer, length) { 96 | Memory.writeU8(buffer.add(2), length >> 16 & 0xFF); 97 | Memory.writeU8(buffer.add(3), length >> 8 & 0xFF); 98 | Memory.writeU8(buffer.add(4), length & 0xFF); 99 | }, 100 | _setMessageType: function(buffer, type) { 101 | Memory.writeU8(buffer.add(0), type >> 8 & 0xFF); 102 | Memory.writeU8(buffer.add(1), type & 0xFF); 103 | }, 104 | _getMessageVersion: function(buffer) { 105 | return Memory.readU8(buffer.add(5)) << 8 | Memory.readU8(buffer.add(6)); 106 | }, 107 | _setMessageVersion: function(buffer, version) { 108 | Memory.writeU8(buffer.add(5), version >> 8 & 0xFF); 109 | Memory.writeU8(buffer.add(6), version & 0xFF); 110 | }, 111 | _getMessageType: function(buffer) { 112 | return Memory.readU8(buffer) << 8 | Memory.readU8(buffer.add(1)); 113 | } 114 | }; 115 | var MessageQueue = { 116 | _getCapacity: function(queue) { 117 | return Memory.readInt(queue.add(4)); 118 | }, 119 | _get: function(queue, index) { 120 | return Memory.readPointer(Memory.readPointer(queue).add(POINTER_SIZE * index)); 121 | }, 122 | _set: function(queue, index, message) { 123 | Memory.writePointer(Memory.readPointer(queue).add(POINTER_SIZE * index), message); 124 | }, 125 | _count: function(queue) { 126 | return Memory.readInt(queue.add(8)); 127 | }, 128 | _decrementCount: function(queue) { 129 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) - 1); 130 | }, 131 | _incrementCount: function(queue) { 132 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) + 1); 133 | }, 134 | _getDequeueIndex: function(queue) { 135 | return Memory.readInt(queue.add(12)); 136 | }, 137 | _getEnqueueIndex: function(queue) { 138 | return Memory.readInt(queue.add(16)); 139 | }, 140 | _setDequeueIndex: function(queue, index) { 141 | Memory.writeInt(queue.add(12), index); 142 | }, 143 | _setEnqueueIndex: function(queue, index) { 144 | Memory.writeInt(queue.add(16), index); 145 | }, 146 | _enqueue: function(queue, message) { 147 | pthread_mutex_lock(queue.sub(4)); 148 | var index = MessageQueue._getEnqueueIndex(queue); 149 | MessageQueue._set(queue, index, message); 150 | MessageQueue._setEnqueueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 151 | MessageQueue._incrementCount(queue); 152 | pthread_mutex_unlock(queue.sub(4)); 153 | }, 154 | _dequeue: function(queue) { 155 | var message = null; 156 | pthread_mutex_lock(queue.sub(4)); 157 | if (MessageQueue._count(queue)) { 158 | var index = MessageQueue._getDequeueIndex(queue); 159 | message = MessageQueue._get(queue, index); 160 | MessageQueue._setDequeueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 161 | MessageQueue._decrementCount(queue); 162 | } 163 | pthread_mutex_unlock(queue.sub(4)); 164 | return message; 165 | } 166 | }; 167 | 168 | // hooks 169 | function setup() { 170 | Interceptor.attach(Module.findExportByName('libc.so', 'connect'), { 171 | onEnter: function(args) { 172 | if (ntohs(Memory.readU16(args[1].add(2))) === 9339) { 173 | cache.fd = args[0].toInt32(); 174 | if (cache.options.redirectHost) { 175 | var host = Memory.allocUtf8String(cache.options.redirectHost); 176 | Memory.writeInt(args[1].add(4), inet_addr(host)); 177 | } 178 | setupMessaging(); 179 | hacksupermod() 180 | } 181 | } 182 | }); 183 | } 184 | 185 | function hacksupermod() { 186 | const base = Module.findBaseAddress('lib39285EFA.so'); 187 | Interceptor.replace(base.add(0x000C0D0), new NativeCallback(function(a) { 188 | return 0; 189 | }, 'int', ['int'])); 190 | } 191 | 192 | function setupMessaging() { 193 | cache.pthreadReturn = cache.base.add(PTHREAD_COND_WAKE_RETURN); 194 | cache.serverConnection = Memory.readPointer(cache.base.add(SERVER_CONNECTION)); 195 | cache.messaging = Memory.readPointer(cache.serverConnection.add(4)); 196 | cache.messageFactory = Memory.readPointer(cache.messaging.add(52)); 197 | cache.recvQueue = cache.messaging.add(60); 198 | cache.sendQueue = cache.messaging.add(84); 199 | cache.state = cache.messaging.add(208); 200 | cache.loginMessagePtr = cache.messaging.add(212); 201 | 202 | cache.createMessageByType = new NativeFunction(cache.base.add(CREATE_MESSAGE_BY_TYPE), 'pointer', ['pointer', 'int']); 203 | 204 | cache.sendMessage = function (message) { 205 | Message._encode(message); 206 | var byteStream = Message._getByteStream(message); 207 | var messagePayloadLength = ByteStream._getOffset(byteStream); 208 | var messageBuffer = malloc(messagePayloadLength + 7); 209 | memmove(messageBuffer.add(7), ByteStream._getByteArray(byteStream), messagePayloadLength); 210 | Buffer._setEncodingLength(messageBuffer, messagePayloadLength); 211 | Buffer._setMessageType(messageBuffer, Message._getMessageType(message)); 212 | Buffer._setMessageVersion(messageBuffer, Message._getVersion(message)); 213 | libc_send(cache.fd, messageBuffer, messagePayloadLength + 7, 0); 214 | free(messageBuffer); 215 | //Message._free(message); 216 | }; 217 | 218 | function onWakeup() { 219 | //console.log(cache.sendQueue); 220 | var message = MessageQueue._dequeue(cache.sendQueue); 221 | while (message) { 222 | var messageType = Message._getMessageType(message); 223 | if (messageType === 10100) { 224 | message = Memory.readPointer(cache.loginMessagePtr); 225 | Memory.writePointer(cache.loginMessagePtr, ptr(0)); 226 | } 227 | if (messageType == 14109) { 228 | var qbase = Module.findBaseAddress('lib39285EFA.so'); 229 | var offlinebattlector = new NativeFunction(qbase.add(0x6FF4), 'int', []); 230 | offlinebattlector(); 231 | } 232 | cache.sendMessage(message); 233 | message = MessageQueue._dequeue(cache.sendQueue); 234 | } 235 | } 236 | 237 | function onReceive() { 238 | var headerBuffer = malloc(7); 239 | libc_recv(cache.fd, headerBuffer, 7, 256); 240 | var messageType = Buffer._getMessageType(headerBuffer); 241 | if (messageType === 20104) { //LoginOk 242 | Memory.writeInt(cache.state, 5); 243 | } 244 | var payloadLength = Buffer._getEncodingLength(headerBuffer); 245 | var messageVersion = Buffer._getMessageVersion(headerBuffer); 246 | free(headerBuffer); 247 | var messageBuffer = malloc(payloadLength); 248 | libc_recv(cache.fd, messageBuffer, payloadLength, 256); 249 | var message = cache.createMessageByType(cache.messageFactory, messageType); 250 | Message._setVersion(message, messageVersion); 251 | var byteStream = Message._getByteStream(message); 252 | ByteStream._setLength(byteStream, payloadLength); 253 | if (payloadLength) { 254 | var byteArray = malloc(payloadLength); 255 | memmove(byteArray, messageBuffer, payloadLength); 256 | ByteStream._setByteArray(byteStream, byteArray); 257 | } 258 | Message._decode(message); 259 | // logMessage(message); 260 | MessageQueue._enqueue(cache.recvQueue, message); 261 | free(messageBuffer); 262 | } 263 | 264 | Interceptor.attach(Module.findExportByName('libc.so', 'pthread_cond_signal'), { 265 | onEnter: function(args) { 266 | onWakeup(); 267 | } 268 | }); 269 | 270 | Interceptor.attach(Module.findExportByName('libc.so', 'select'), { 271 | onEnter: function(args) { 272 | onReceive(); 273 | } 274 | }); 275 | } 276 | 277 | // startup 278 | rpc.exports = { 279 | init: function(stage, options) { 280 | cache.options = options || {}; 281 | onLoad('libg.so', function() { 282 | Interceptor.detachAll(); 283 | cache.base = Process.findModuleByName('libg.so').base; 284 | setup(); 285 | }); 286 | } 287 | }; 288 | -------------------------------------------------------------------------------- /Bs/V31/31.96.js: -------------------------------------------------------------------------------- 1 | // global cache 2 | var cache = { 3 | modules: {}, 4 | options: {} 5 | }; 6 | 7 | console.log("Da"); 8 | 9 | const SERVER_CONNECTION = 0xCB6450; 10 | const PTHREAD_COND_WAKE_RETURN = 0x82B7A2 + 8 + 1; 11 | const CREATE_MESSAGE_BY_TYPE = 0x3962B0; 12 | const WAKEUP_RETURN_ARRAY = [0x2D1EA4, 0x2D30B8, 0x33F098, 0x4B6B58]; // 34D268 - Unk 13 | const SELECT_RETURN = 0x4E2368; 14 | const POINTER_SIZE = 4; 15 | 16 | var Login = 0; 17 | 18 | //libc native functions 19 | var malloc = new NativeFunction(Module.findExportByName('libc.so', 'malloc'), 'pointer', ['int']); 20 | var free = new NativeFunction(Module.findExportByName('libc.so', 'free'), 'void', ['pointer']); 21 | var pthread_mutex_lock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_lock'), 'int', ['pointer']); 22 | var pthread_mutex_unlock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_unlock'), 'int', ['pointer']); 23 | var pthread_cond_signal = new NativeFunction(Module.findExportByName('libc.so', 'pthread_cond_signal'), 'int', ['pointer']); 24 | var select = new NativeFunction(Module.findExportByName('libc.so', 'select'), 'int', ['int', 'pointer', 'pointer', 'pointer', 'pointer']); 25 | var memmove = new NativeFunction(Module.findExportByName('libc.so', 'memmove'), 'pointer', ['pointer', 'pointer', 'int']); 26 | var ntohs = new NativeFunction(Module.findExportByName('libc.so', 'ntohs'), 'uint16', ['uint16']); 27 | var inet_addr = new NativeFunction(Module.findExportByName('libc.so', 'inet_addr'), 'int', ['pointer']); 28 | var libc_send = new NativeFunction(Module.findExportByName('libc.so', 'send'), 'int', ['int', 'pointer', 'int', 'int']); 29 | var libc_recv = new NativeFunction(Module.findExportByName('libc.so', 'recv'), 'int', ['int', 'pointer', 'int', 'int']); 30 | 31 | 32 | var Message = { 33 | _getByteStream: function(message) { 34 | return message.add(8); 35 | }, 36 | _getVersion: function(message) { 37 | return Memory.readInt(message.add(4)); 38 | }, 39 | _setVersion: function(message, version) { 40 | Memory.writeInt(message.add(4), version); 41 | }, 42 | _getMessageType: function(message) { 43 | return (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(20)), 'int', ['pointer']))(message); 44 | }, 45 | _encode: function(message) { 46 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(8)), 'void', ['pointer']))(message); 47 | }, 48 | _decode: function(message) { 49 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(12)), 'void', ['pointer']))(message); 50 | }, 51 | _free: function(message) { 52 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(24)), 'void', ['pointer']))(message); 53 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(4)), 'void', ['pointer']))(message); 54 | } 55 | }; 56 | var ByteStream = { 57 | _getOffset: function(byteStream) { 58 | return Memory.readInt(byteStream.add(16)); 59 | }, 60 | _getByteArray: function(byteStream) { 61 | return Memory.readPointer(byteStream.add(28)); 62 | }, 63 | _setByteArray: function(byteStream, array) { 64 | Memory.writePointer(byteStream.add(28), array); 65 | }, 66 | _getLength: function(byteStream) { 67 | return Memory.readInt(byteStream.add(20)); 68 | }, 69 | _setLength: function(byteStream, length) { 70 | Memory.writeInt(byteStream.add(20), length); 71 | } 72 | }; 73 | var Buffer = { 74 | _getEncodingLength: function(buffer) { 75 | return Memory.readU8(buffer.add(2)) << 16 | Memory.readU8(buffer.add(3)) << 8 | Memory.readU8(buffer.add(4)); 76 | }, 77 | _setEncodingLength: function(buffer, length) { 78 | Memory.writeU8(buffer.add(2), length >> 16 & 0xFF); 79 | Memory.writeU8(buffer.add(3), length >> 8 & 0xFF); 80 | Memory.writeU8(buffer.add(4), length & 0xFF); 81 | }, 82 | _setMessageType: function(buffer, type) { 83 | Memory.writeU8(buffer.add(0), type >> 8 & 0xFF); 84 | Memory.writeU8(buffer.add(1), type & 0xFF); 85 | }, 86 | _getMessageVersion: function(buffer) { 87 | return Memory.readU8(buffer.add(5)) << 8 | Memory.readU8(buffer.add(6)); 88 | }, 89 | _setMessageVersion: function(buffer, version) { 90 | Memory.writeU8(buffer.add(5), version >> 8 & 0xFF); 91 | Memory.writeU8(buffer.add(6), version & 0xFF); 92 | }, 93 | _getMessageType: function(buffer) { 94 | return Memory.readU8(buffer) << 8 | Memory.readU8(buffer.add(1)); 95 | } 96 | }; 97 | var MessageQueue = { 98 | _getCapacity: function(queue) { 99 | return Memory.readInt(queue.add(4)); 100 | }, 101 | _get: function(queue, index) { 102 | return Memory.readPointer(Memory.readPointer(queue).add(POINTER_SIZE * index)); 103 | }, 104 | _set: function(queue, index, message) { 105 | Memory.writePointer(Memory.readPointer(queue).add(POINTER_SIZE * index), message); 106 | }, 107 | _count: function(queue) { 108 | return Memory.readInt(queue.add(8)); 109 | }, 110 | _decrementCount: function(queue) { 111 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) - 1); 112 | }, 113 | _incrementCount: function(queue) { 114 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) + 1); 115 | }, 116 | _getDequeueIndex: function(queue) { 117 | return Memory.readInt(queue.add(12)); 118 | }, 119 | _getEnqueueIndex: function(queue) { 120 | return Memory.readInt(queue.add(16)); 121 | }, 122 | _setDequeueIndex: function(queue, index) { 123 | Memory.writeInt(queue.add(12), index); 124 | }, 125 | _setEnqueueIndex: function(queue, index) { 126 | Memory.writeInt(queue.add(16), index); 127 | }, 128 | _enqueue: function(queue, message) { 129 | pthread_mutex_lock(queue.sub(4)); 130 | var index = MessageQueue._getEnqueueIndex(queue); 131 | MessageQueue._set(queue, index, message); 132 | MessageQueue._setEnqueueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 133 | MessageQueue._incrementCount(queue); 134 | pthread_mutex_unlock(queue.sub(4)); 135 | }, 136 | _dequeue: function(queue) { 137 | var message = null; 138 | pthread_mutex_lock(queue.sub(4)); 139 | if (MessageQueue._count(queue)) { 140 | var index = MessageQueue._getDequeueIndex(queue); 141 | message = MessageQueue._get(queue, index); 142 | MessageQueue._setDequeueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 143 | MessageQueue._decrementCount(queue); 144 | } 145 | pthread_mutex_unlock(queue.sub(4)); 146 | return message; 147 | } 148 | }; 149 | 150 | function setupMessaging() { 151 | const base = Process.findModuleByName('libg.so').base; 152 | cache.wakeUpReturnArray = []; 153 | for (var i = 0; i < WAKEUP_RETURN_ARRAY.length; i += 1) { 154 | cache.wakeUpReturnArray.push(base.add(WAKEUP_RETURN_ARRAY[i])); 155 | } 156 | cache.pthreadReturn = base.add(PTHREAD_COND_WAKE_RETURN); 157 | cache.serverConnection = Memory.readPointer(base.add(SERVER_CONNECTION)); 158 | cache.selectReturn = base.add(SELECT_RETURN); 159 | cache.messaging = Memory.readPointer(cache.serverConnection.add(4)); 160 | cache.messageFactory = Memory.readPointer(cache.messaging.add(52)); 161 | cache.recvQueue = cache.messaging.add(60); 162 | cache.sendQueue = cache.messaging.add(84); 163 | cache.state = cache.messaging.add(208); 164 | cache.loginMessagePtr = cache.messaging.add(212); 165 | 166 | cache.createMessageByType = new NativeFunction(base.add(CREATE_MESSAGE_BY_TYPE), 'pointer', ['pointer', 'int']); 167 | 168 | cache.sendMessage = function (message) { 169 | Message._encode(message); 170 | var byteStream = Message._getByteStream(message); 171 | var messagePayloadLength = ByteStream._getOffset(byteStream); 172 | var messageBuffer = malloc(messagePayloadLength + 7); 173 | memmove(messageBuffer.add(7), ByteStream._getByteArray(byteStream), messagePayloadLength); 174 | Buffer._setEncodingLength(messageBuffer, messagePayloadLength); 175 | Buffer._setMessageType(messageBuffer, Message._getMessageType(message)); 176 | Buffer._setMessageVersion(messageBuffer, Message._getVersion(message)); 177 | libc_send(cache.fd, messageBuffer, messagePayloadLength + 7, 0); 178 | free(messageBuffer); 179 | //Message._free(message); 180 | }; 181 | 182 | function onWakeup() { 183 | console.log("WAKE UP!!"); 184 | var message = MessageQueue._dequeue(cache.sendQueue); 185 | while (message) { 186 | var messageType = Message._getMessageType(message); 187 | console.log(messageType) 188 | if (messageType === 10100) { 189 | message = Memory.readPointer(cache.loginMessagePtr); 190 | Memory.writePointer(cache.loginMessagePtr, ptr(0)); 191 | Login = 1; 192 | } 193 | cache.sendMessage(message); 194 | message = MessageQueue._dequeue(cache.sendQueue); 195 | 196 | } 197 | } 198 | 199 | function onReceive() { 200 | var headerBuffer = malloc(7); 201 | libc_recv(cache.fd, headerBuffer, 7, 256); 202 | var messageType = Buffer._getMessageType(headerBuffer); 203 | 204 | if (messageType >= 20000) { 205 | if (messageType === 20104) { //LoginOk 206 | Memory.writeInt(cache.state, 5); 207 | } 208 | var payloadLength = Buffer._getEncodingLength(headerBuffer); 209 | var messageVersion = Buffer._getMessageVersion(headerBuffer); 210 | free(headerBuffer); 211 | var messageBuffer = malloc(payloadLength); 212 | libc_recv(cache.fd, messageBuffer, payloadLength, 256); 213 | var message = cache.createMessageByType(cache.messageFactory, messageType); 214 | Message._setVersion(message, messageVersion); 215 | var byteStream = Message._getByteStream(message); 216 | ByteStream._setLength(byteStream, payloadLength); 217 | if (payloadLength) { 218 | var byteArray = malloc(payloadLength); 219 | memmove(byteArray, messageBuffer, payloadLength); 220 | ByteStream._setByteArray(byteStream, byteArray); 221 | } 222 | Message._decode(message); 223 | // logMessage(message); 224 | MessageQueue._enqueue(cache.recvQueue, message); 225 | free(messageBuffer); 226 | } 227 | } 228 | 229 | const wakeup = Interceptor.attach(Module.findExportByName('libc.so', 'pthread_cond_signal'), { 230 | onEnter: function(args) { 231 | console.log("Interceptor wakeup samurai"); 232 | onWakeup(); 233 | //setTimeout(reAttach, 100); 234 | } 235 | }); 236 | 237 | function reAttach() { 238 | const wake = Interceptor.attach(base.add(0x82B7A2 + 1), { 239 | onEnter: function(args) { 240 | wake.detach(); 241 | console.log("Interceptor wakeup samurai"); 242 | onWakeup(); 243 | setTimeout(reAttach, 100); 244 | } 245 | }); 246 | } 247 | 248 | function unlocker() { 249 | Login = 0; 250 | attachTo(); 251 | } 252 | 253 | /*Interceptor.replace(Module.findExportByName('libc.so', 'pthread_cond_signal'), new NativeCallback(function(a1) { 254 | if(!this.returnAddress.equals(cache.pthreadReturn)) { 255 | return pthread_cond_signal(a1); 256 | } 257 | var sp4 = Memory.readPointer(this.context.sp.add(4)); 258 | for (var i = 0; i < cache.wakeUpReturnArray.length; i += 1) { 259 | if (sp4.equals(cache.wakeUpReturnArray[i])) { 260 | onWakeup(); 261 | return 0; 262 | } 263 | } 264 | return pthread_cond_signal(a1); 265 | }, 'int', ['pointer']));*/ 266 | 267 | Interceptor.attach(Module.findExportByName('libc.so', 'select'), { 268 | onEnter: function(args) { 269 | console.log("Receive"); 270 | onReceive(); 271 | } 272 | }); 273 | } 274 | 275 | Interceptor.attach(Module.findExportByName('libc.so', 'connect'), { 276 | onEnter: function(args) { 277 | if (ntohs(Memory.readU16(args[1].add(2))) === 9339) { 278 | cache.fd = args[0].toInt32(); 279 | console.log("Suka connecting...."); 280 | var host = Memory.allocUtf8String("192.168.0.100"); 281 | Memory.writeInt(args[1].add(4), inet_addr(host)); 282 | setupMessaging(); 283 | } 284 | } 285 | }); 286 | 287 | -------------------------------------------------------------------------------- /Bs/V33/33.118.js: -------------------------------------------------------------------------------- 1 | function hexStringToByte(str) { 2 | if (!str) { 3 | return new Uint8Array(); 4 | } 5 | 6 | var a = []; 7 | for (var i = 0, len = str.length; i < len; i += 2) { 8 | a.push(parseInt(str.substr(i, 2), 16)); 9 | } 10 | 11 | return new Uint8Array(a); 12 | } 13 | 14 | const SHA256 = "731a29e80b7ca89c7e9b39d381821ee8dccd1b0456782f788650945e7d60d8d3"; //SHA Digest 15 | 16 | Java.perform(function () { 17 | const MessageDigest = Java.use("java.security.MessageDigest"); 18 | const Str = Java.use("java.lang.String"); 19 | 20 | MessageDigest.digest.overload('[B').implementation = function(a1) { 21 | console.log("digest"); 22 | var digraw = hexStringToByte(SHA256); 23 | var jaw = Java.array('byte', digraw); 24 | return jaw; 25 | } 26 | }); 27 | 28 | // global cache 29 | var cache = { 30 | modules: {}, 31 | options: {} 32 | }; 33 | 34 | //libc native functions 35 | var malloc = new NativeFunction(Module.findExportByName('libc.so', 'malloc'), 'pointer', ['int']); 36 | var free = new NativeFunction(Module.findExportByName('libc.so', 'free'), 'void', ['pointer']); 37 | var pthread_mutex_lock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_lock'), 'int', ['pointer']); 38 | var pthread_mutex_unlock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_unlock'), 'int', ['pointer']); 39 | var pthread_cond_signal = new NativeFunction(Module.findExportByName('libc.so', 'pthread_cond_signal'), 'int', ['pointer']); 40 | var select = new NativeFunction(Module.findExportByName('libc.so', 'select'), 'int', ['int', 'pointer', 'pointer', 'pointer', 'pointer']); 41 | var memmove = new NativeFunction(Module.findExportByName('libc.so', 'memmove'), 'pointer', ['pointer', 'pointer', 'int']); 42 | var ntohs = new NativeFunction(Module.findExportByName('libc.so', 'ntohs'), 'uint16', ['uint16']); 43 | var inet_addr = new NativeFunction(Module.findExportByName('libc.so', 'inet_addr'), 'int', ['pointer']); 44 | var libc_send = new NativeFunction(Module.findExportByName('libc.so', 'send'), 'int', ['int', 'pointer', 'int', 'int']); 45 | var libc_recv = new NativeFunction(Module.findExportByName('libc.so', 'recv'), 'int', ['int', 'pointer', 'int', 'int']); 46 | 47 | const SERVER_CONNECTION = 0xC68300; 48 | const PTHREAD_COND_WAKE_RETURN = 0x7D2AFE + 8 + 1; 49 | const CREATE_MESSAGE_BY_TYPE = 0x2FEF24; 50 | const NEW_OPERATOR = 0x7F4944 + 1; 51 | const WAKEUP_RETURN_ARRAY = [0x11897C, 0x12B21C, 0x21080C, 0x2AE020, 0x4923B4, 0x64BC54]; 52 | const SELECT_RETURN = 0x29573C; 53 | const CHECK = 0xB5030; 54 | const ON_RECEIVE = 0x363FD4; 55 | const POINTER_SIZE = 4; 56 | 57 | // logic helpers 58 | var Message = { 59 | _getByteStream: function(message) { 60 | return message.add(8); 61 | }, 62 | _getVersion: function(message) { 63 | return Memory.readInt(message.add(4)); 64 | }, 65 | _setVersion: function(message, version) { 66 | try { 67 | Memory.writeInt(message.add(4), version); 68 | } catch(error) { 69 | } 70 | }, 71 | _getMessageType: function(message) { 72 | return (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(20)), 'int', ['pointer']))(message); 73 | }, 74 | _encode: function(message) { 75 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(8)), 'void', ['pointer']))(message); 76 | }, 77 | _decode: function(message) { 78 | try { 79 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(12)), 'void', ['pointer']))(message); 80 | } catch(error) { 81 | } 82 | }, 83 | _free: function(message) { 84 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(24)), 'void', ['pointer']))(message); 85 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(4)), 'void', ['pointer']))(message); 86 | } 87 | }; 88 | var ByteStream = { 89 | _getOffset: function(byteStream) { 90 | return Memory.readInt(byteStream.add(16)); 91 | }, 92 | _getByteArray: function(byteStream) { 93 | return Memory.readPointer(byteStream.add(28)); 94 | }, 95 | _setByteArray: function(byteStream, array) { 96 | try { 97 | Memory.writePointer(byteStream.add(28), array); 98 | } catch(error) { 99 | } 100 | }, 101 | _getLength: function(byteStream) { 102 | return Memory.readInt(byteStream.add(20)); 103 | }, 104 | _setLength: function(byteStream, length) { 105 | try { 106 | Memory.writeInt(byteStream.add(20), length); 107 | } catch(error) { 108 | } 109 | } 110 | }; 111 | var Buffer = { 112 | _getEncodingLength: function(buffer) { 113 | return Memory.readU8(buffer.add(2)) << 16 | Memory.readU8(buffer.add(3)) << 8 | Memory.readU8(buffer.add(4)); 114 | }, 115 | _setEncodingLength: function(buffer, length) { 116 | Memory.writeU8(buffer.add(2), length >> 16 & 0xFF); 117 | Memory.writeU8(buffer.add(3), length >> 8 & 0xFF); 118 | Memory.writeU8(buffer.add(4), length & 0xFF); 119 | }, 120 | _setMessageType: function(buffer, type) { 121 | Memory.writeU8(buffer.add(0), type >> 8 & 0xFF); 122 | Memory.writeU8(buffer.add(1), type & 0xFF); 123 | }, 124 | _getMessageVersion: function(buffer) { 125 | return Memory.readU8(buffer.add(5)) << 8 | Memory.readU8(buffer.add(6)); 126 | }, 127 | _setMessageVersion: function(buffer, version) { 128 | Memory.writeU8(buffer.add(5), version >> 8 & 0xFF); 129 | Memory.writeU8(buffer.add(6), version & 0xFF); 130 | }, 131 | _getMessageType: function(buffer) { 132 | return Memory.readU8(buffer) << 8 | Memory.readU8(buffer.add(1)); 133 | } 134 | }; 135 | var MessageQueue = { 136 | _getCapacity: function(queue) { 137 | return Memory.readInt(queue.add(4)); 138 | }, 139 | _get: function(queue, index) { 140 | return Memory.readPointer(Memory.readPointer(queue).add(POINTER_SIZE * index)); 141 | }, 142 | _set: function(queue, index, message) { 143 | Memory.writePointer(Memory.readPointer(queue).add(POINTER_SIZE * index), message); 144 | }, 145 | _count: function(queue) { 146 | return Memory.readInt(queue.add(8)); 147 | }, 148 | _decrementCount: function(queue) { 149 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) - 1); 150 | }, 151 | _incrementCount: function(queue) { 152 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) + 1); 153 | }, 154 | _getDequeueIndex: function(queue) { 155 | return Memory.readInt(queue.add(12)); 156 | }, 157 | _getEnqueueIndex: function(queue) { 158 | return Memory.readInt(queue.add(16)); 159 | }, 160 | _setDequeueIndex: function(queue, index) { 161 | Memory.writeInt(queue.add(12), index); 162 | }, 163 | _setEnqueueIndex: function(queue, index) { 164 | Memory.writeInt(queue.add(16), index); 165 | }, 166 | _enqueue: function(queue, message) { 167 | pthread_mutex_lock(queue.sub(4)); 168 | var index = MessageQueue._getEnqueueIndex(queue); 169 | MessageQueue._set(queue, index, message); 170 | MessageQueue._setEnqueueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 171 | MessageQueue._incrementCount(queue); 172 | pthread_mutex_unlock(queue.sub(4)); 173 | }, 174 | _dequeue: function(queue) { 175 | var message = null; 176 | pthread_mutex_lock(queue.sub(4)); 177 | if (MessageQueue._count(queue)) { 178 | var index = MessageQueue._getDequeueIndex(queue); 179 | message = MessageQueue._get(queue, index); 180 | MessageQueue._setDequeueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 181 | MessageQueue._decrementCount(queue); 182 | } 183 | pthread_mutex_unlock(queue.sub(4)); 184 | return message; 185 | } 186 | }; 187 | 188 | 189 | function setupMessaging() { 190 | cache.base = Module.findBaseAddress("libg.so"); 191 | cache.sett = 1; 192 | console.log("Base"); 193 | cache.pthreadReturn = cache.base.add(PTHREAD_COND_WAKE_RETURN); 194 | cache.wakeUpReturnArray = []; 195 | for (var i = 0; i < WAKEUP_RETURN_ARRAY.length; i += 1) { 196 | cache.wakeUpReturnArray.push(cache.base.add(WAKEUP_RETURN_ARRAY[i])); 197 | } 198 | cache.serverConnection = Memory.readPointer(cache.base.add(SERVER_CONNECTION)); 199 | cache.messaging = Memory.readPointer(cache.serverConnection.add(4)); 200 | console.log(cache.messaging); 201 | cache.messageFactory = Memory.readPointer(cache.messaging.add(52)); 202 | console.log(cache.messageFactory); 203 | cache.recvQueue = cache.messaging.add(60); 204 | cache.sendQueue = cache.messaging.add(84); 205 | cache.state = cache.messaging.add(208); 206 | cache.loginMessagePtr = cache.messaging.add(212); 207 | cache.createMessageByType = new NativeFunction(cache.base.add(CREATE_MESSAGE_BY_TYPE), 'pointer', ['pointer', 'int']); 208 | cache.selectReturn = cache.base.add(SELECT_RETURN); 209 | cache.newOperator = new NativeFunction(cache.base.add(NEW_OPERATOR), 'pointer', ['int']); 210 | console.log(Memory.readByteArray(cache.serverConnection, 40)); 211 | console.log(Memory.readByteArray(cache.messaging, 40)); 212 | 213 | console.log(cache.messaging); 214 | 215 | cache.sendMessage = function (message) { 216 | var messageType = Message._getMessageType(message); 217 | Message._encode(message); 218 | var byteStream = Message._getByteStream(message); 219 | var messagePayloadLength = ByteStream._getOffset(byteStream); 220 | var messageBuffer = malloc(messagePayloadLength + 7); 221 | memmove(messageBuffer.add(7), ByteStream._getByteArray(byteStream), messagePayloadLength); 222 | Buffer._setEncodingLength(messageBuffer, messagePayloadLength); 223 | Buffer._setMessageType(messageBuffer, Message._getMessageType(message)); 224 | Buffer._setMessageVersion(messageBuffer, Message._getVersion(message)); 225 | libc_send(cache.fd, messageBuffer, messagePayloadLength + 7, 0); 226 | free(messageBuffer); 227 | }; 228 | 229 | function onWakeup() { 230 | var message = MessageQueue._dequeue(cache.sendQueue); 231 | while (message) { 232 | var messageType = Message._getMessageType(message); 233 | console.log(messageType); 234 | if (messageType === 10100) { 235 | message = Memory.readPointer(cache.loginMessagePtr); 236 | Memory.writePointer(cache.loginMessagePtr, ptr(0)); 237 | //patchReceive(); 238 | } 239 | cache.sendMessage(message); 240 | message = MessageQueue._dequeue(cache.sendQueue); 241 | } 242 | }; 243 | 244 | function onReceive() { 245 | var headerBuffer = cache.newOperator(7); 246 | libc_recv(cache.fd, headerBuffer, 7, 256); 247 | var messageType = Buffer._getMessageType(headerBuffer); 248 | if (messageType > 20000 && messageType < 30000) { 249 | var payloadLength = Buffer._getEncodingLength(headerBuffer); 250 | var messageVersion = Buffer._getMessageVersion(headerBuffer); 251 | free(headerBuffer); 252 | var messageBuffer = cache.newOperator(payloadLength); 253 | libc_recv(cache.fd, messageBuffer, payloadLength, 256); 254 | var message = cache.createMessageByType(cache.messageFactory, messageType); 255 | Message._setVersion(message, messageVersion); 256 | var byteStream = Message._getByteStream(message); 257 | ByteStream._setLength(byteStream, payloadLength); 258 | if (payloadLength) { 259 | var byteArray = cache.newOperator(payloadLength); 260 | memmove(byteArray, messageBuffer, payloadLength); 261 | ByteStream._setByteArray(byteStream, byteArray); 262 | } 263 | Message._decode(message); 264 | MessageQueue._enqueue(cache.recvQueue, message); 265 | if (messageType === 20104) { 266 | Memory.writeInt(cache.state, 5); 267 | hackProtections(); 268 | } 269 | free(messageBuffer); 270 | } 271 | }; 272 | 273 | var checks; 274 | 275 | function hackProtections() { 276 | Interceptor.replace(cache.base.add(ON_RECEIVE), new NativeCallback(function(a1, a2) { 277 | }, 'void', ['int', 'int'])); 278 | checks = Interceptor.attach(cache.base.add(CHECK), function() { 279 | this.context.r0 = 0x02; 280 | }); 281 | } 282 | 283 | Interceptor.replace(Module.findExportByName('libc.so', 'pthread_cond_signal'), new NativeCallback(function(a1) { 284 | if(!this.returnAddress.equals(cache.pthreadReturn)) { 285 | return pthread_cond_signal(a1); 286 | } 287 | var sp4 = Memory.readPointer(this.context.sp.add(4)); 288 | for (var i = 0; i < cache.wakeUpReturnArray.length; i += 1) { 289 | if (sp4.equals(cache.wakeUpReturnArray[i])) { 290 | onWakeup(); 291 | return 0; 292 | } 293 | } 294 | return pthread_cond_signal(a1); 295 | }, 'int', ['pointer'])); 296 | 297 | //function patchReceive() { 298 | Interceptor.replace(Module.findExportByName('libc.so', 'select'), new NativeCallback(function(nfds, readfds, writefds, exceptfds, timeout) { 299 | console.log("selection"); 300 | var r = select(nfds, readfds, writefds, exceptfds, timeout); 301 | if (this.returnAddress.equals(cache.selectReturn)) { 302 | console.log("selected"); 303 | onReceive(); 304 | } 305 | return r; 306 | }, 'int', ['int', 'pointer', 'pointer', 'pointer', 'pointer'])); 307 | //} 308 | } 309 | 310 | 311 | function setup() { 312 | Interceptor.attach(Module.findExportByName('libc.so', 'connect'), { 313 | onEnter: function(args) { 314 | if (ntohs(Memory.readU16(args[1].add(2))) === 9339) { 315 | cache.fd = args[0].toInt32(); 316 | console.log("Connecting to 9339..."); 317 | var host = Memory.allocUtf8String("192.168.0.100"); 318 | Memory.writeInt(args[1].add(4), inet_addr(host)); 319 | setupMessaging(); 320 | } 321 | } 322 | }); 323 | } 324 | 325 | // startup 326 | rpc.exports = { 327 | init: function(stage, options) { 328 | cache.options = options || {}; 329 | Interceptor.detachAll(); 330 | setup(); 331 | } 332 | }; 333 | -------------------------------------------------------------------------------- /Bs/V35/35.js: -------------------------------------------------------------------------------- 1 | // global cache 2 | var cache = { 3 | modules: {}, 4 | options: {} 5 | }; 6 | 7 | console.log("Da"); 8 | 9 | const SERVER_CONNECTION = 0xD18784; 10 | const PTHREAD_COND_WAKE_RETURN = 0x85D6B6 + 8 + 1; 11 | const CREATE_MESSAGE_BY_TYPE = 0x5EC014; 12 | const WAKEUP_RETURN_ARRAY = [0x2D1EA4, 0x2D30B8, 0x33F098, 0x4B6B58]; // 34D268 - Unk 13 | const SELECT_RETURN = 0x4E2368; 14 | const POINTER_SIZE = 4; 15 | 16 | var Login = 0; 17 | 18 | //libc native functions 19 | var malloc = new NativeFunction(Module.findExportByName('libc.so', 'malloc'), 'pointer', ['int']); 20 | var free = new NativeFunction(Module.findExportByName('libc.so', 'free'), 'void', ['pointer']); 21 | var pthread_mutex_lock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_lock'), 'int', ['pointer']); 22 | var pthread_mutex_unlock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_unlock'), 'int', ['pointer']); 23 | var pthread_cond_signal = new NativeFunction(Module.findExportByName('libc.so', 'pthread_cond_signal'), 'int', ['pointer']); 24 | var select = new NativeFunction(Module.findExportByName('libc.so', 'select'), 'int', ['int', 'pointer', 'pointer', 'pointer', 'pointer']); 25 | var memmove = new NativeFunction(Module.findExportByName('libc.so', 'memmove'), 'pointer', ['pointer', 'pointer', 'int']); 26 | var ntohs = new NativeFunction(Module.findExportByName('libc.so', 'ntohs'), 'uint16', ['uint16']); 27 | var inet_addr = new NativeFunction(Module.findExportByName('libc.so', 'inet_addr'), 'int', ['pointer']); 28 | var libc_send = new NativeFunction(Module.findExportByName('libc.so', 'send'), 'int', ['int', 'pointer', 'int', 'int']); 29 | var libc_recv = new NativeFunction(Module.findExportByName('libc.so', 'recv'), 'int', ['int', 'pointer', 'int', 'int']); 30 | 31 | 32 | var Message = { 33 | _getByteStream: function(message) { 34 | return message.add(8); 35 | }, 36 | _getVersion: function(message) { 37 | return Memory.readInt(message.add(4)); 38 | }, 39 | _setVersion: function(message, version) { 40 | Memory.writeInt(message.add(4), version); 41 | }, 42 | _getMessageType: function(message) { 43 | return (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(20)), 'int', ['pointer']))(message); 44 | }, 45 | _encode: function(message) { 46 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(8)), 'void', ['pointer']))(message); 47 | }, 48 | _decode: function(message) { 49 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(12)), 'void', ['pointer']))(message); 50 | }, 51 | _free: function(message) { 52 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(24)), 'void', ['pointer']))(message); 53 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(4)), 'void', ['pointer']))(message); 54 | } 55 | }; 56 | var ByteStream = { 57 | _getOffset: function(byteStream) { 58 | return Memory.readInt(byteStream.add(16)); 59 | }, 60 | _getByteArray: function(byteStream) { 61 | return Memory.readPointer(byteStream.add(28)); 62 | }, 63 | _setByteArray: function(byteStream, array) { 64 | Memory.writePointer(byteStream.add(28), array); 65 | }, 66 | _getLength: function(byteStream) { 67 | return Memory.readInt(byteStream.add(20)); 68 | }, 69 | _setLength: function(byteStream, length) { 70 | Memory.writeInt(byteStream.add(20), length); 71 | } 72 | }; 73 | var Buffer = { 74 | _getEncodingLength: function(buffer) { 75 | return Memory.readU8(buffer.add(2)) << 16 | Memory.readU8(buffer.add(3)) << 8 | Memory.readU8(buffer.add(4)); 76 | }, 77 | _setEncodingLength: function(buffer, length) { 78 | Memory.writeU8(buffer.add(2), length >> 16 & 0xFF); 79 | Memory.writeU8(buffer.add(3), length >> 8 & 0xFF); 80 | Memory.writeU8(buffer.add(4), length & 0xFF); 81 | }, 82 | _setMessageType: function(buffer, type) { 83 | Memory.writeU8(buffer.add(0), type >> 8 & 0xFF); 84 | Memory.writeU8(buffer.add(1), type & 0xFF); 85 | }, 86 | _getMessageVersion: function(buffer) { 87 | return Memory.readU8(buffer.add(5)) << 8 | Memory.readU8(buffer.add(6)); 88 | }, 89 | _setMessageVersion: function(buffer, version) { 90 | Memory.writeU8(buffer.add(5), version >> 8 & 0xFF); 91 | Memory.writeU8(buffer.add(6), version & 0xFF); 92 | }, 93 | _getMessageType: function(buffer) { 94 | return Memory.readU8(buffer) << 8 | Memory.readU8(buffer.add(1)); 95 | } 96 | }; 97 | var MessageQueue = { 98 | _getCapacity: function(queue) { 99 | return Memory.readInt(queue.add(4)); 100 | }, 101 | _get: function(queue, index) { 102 | return Memory.readPointer(Memory.readPointer(queue).add(POINTER_SIZE * index)); 103 | }, 104 | _set: function(queue, index, message) { 105 | Memory.writePointer(Memory.readPointer(queue).add(POINTER_SIZE * index), message); 106 | }, 107 | _count: function(queue) { 108 | return Memory.readInt(queue.add(8)); 109 | }, 110 | _decrementCount: function(queue) { 111 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) - 1); 112 | }, 113 | _incrementCount: function(queue) { 114 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) + 1); 115 | }, 116 | _getDequeueIndex: function(queue) { 117 | return Memory.readInt(queue.add(12)); 118 | }, 119 | _getEnqueueIndex: function(queue) { 120 | return Memory.readInt(queue.add(16)); 121 | }, 122 | _setDequeueIndex: function(queue, index) { 123 | Memory.writeInt(queue.add(12), index); 124 | }, 125 | _setEnqueueIndex: function(queue, index) { 126 | Memory.writeInt(queue.add(16), index); 127 | }, 128 | _enqueue: function(queue, message) { 129 | pthread_mutex_lock(queue.sub(4)); 130 | var index = MessageQueue._getEnqueueIndex(queue); 131 | MessageQueue._set(queue, index, message); 132 | MessageQueue._setEnqueueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 133 | MessageQueue._incrementCount(queue); 134 | pthread_mutex_unlock(queue.sub(4)); 135 | }, 136 | _dequeue: function(queue) { 137 | var message = null; 138 | pthread_mutex_lock(queue.sub(4)); 139 | if (MessageQueue._count(queue)) { 140 | var index = MessageQueue._getDequeueIndex(queue); 141 | message = MessageQueue._get(queue, index); 142 | MessageQueue._setDequeueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 143 | MessageQueue._decrementCount(queue); 144 | } 145 | pthread_mutex_unlock(queue.sub(4)); 146 | return message; 147 | } 148 | }; 149 | 150 | function setupMessaging() { 151 | const base = Process.findModuleByName('libg.so').base; 152 | cache.pthreadReturn = base.add(PTHREAD_COND_WAKE_RETURN); 153 | cache.serverConnection = Memory.readPointer(base.add(SERVER_CONNECTION)); 154 | cache.messaging = Memory.readPointer(cache.serverConnection.add(4)); 155 | cache.messageFactory = Memory.readPointer(cache.messaging.add(52)); 156 | cache.recvQueue = cache.messaging.add(60); 157 | cache.sendQueue = cache.messaging.add(84); 158 | cache.state = cache.messaging.add(208); 159 | cache.loginMessagePtr = cache.messaging.add(212); 160 | 161 | cache.createMessageByType = new NativeFunction(base.add(CREATE_MESSAGE_BY_TYPE), 'pointer', ['pointer', 'int']); 162 | 163 | cache.sendMessage = function (message) { 164 | Message._encode(message); 165 | var byteStream = Message._getByteStream(message); 166 | var messagePayloadLength = ByteStream._getOffset(byteStream); 167 | var messageBuffer = malloc(messagePayloadLength + 7); 168 | memmove(messageBuffer.add(7), ByteStream._getByteArray(byteStream), messagePayloadLength); 169 | Buffer._setEncodingLength(messageBuffer, messagePayloadLength); 170 | Buffer._setMessageType(messageBuffer, Message._getMessageType(message)); 171 | Buffer._setMessageVersion(messageBuffer, Message._getVersion(message)); 172 | libc_send(cache.fd, messageBuffer, messagePayloadLength + 7, 0); 173 | free(messageBuffer); 174 | //Message._free(message); 175 | }; 176 | 177 | function onWakeup() { 178 | console.log("WAKE UP!!"); 179 | var message = MessageQueue._dequeue(cache.sendQueue); 180 | while (message) { 181 | var messageType = Message._getMessageType(message); 182 | console.log(messageType) 183 | if (messageType === 10100) { 184 | message = Memory.readPointer(cache.loginMessagePtr); 185 | Memory.writePointer(cache.loginMessagePtr, ptr(0)); 186 | Login = 1; 187 | } 188 | cache.sendMessage(message); 189 | message = MessageQueue._dequeue(cache.sendQueue); 190 | 191 | } 192 | } 193 | 194 | function onReceive() { 195 | var headerBuffer = malloc(7); 196 | libc_recv(cache.fd, headerBuffer, 7, 256); 197 | var messageType = Buffer._getMessageType(headerBuffer); 198 | 199 | if (messageType >= 20000) { 200 | if (messageType === 20104) { //LoginOk 201 | Memory.writeInt(cache.state, 5); 202 | } 203 | var payloadLength = Buffer._getEncodingLength(headerBuffer); 204 | var messageVersion = Buffer._getMessageVersion(headerBuffer); 205 | free(headerBuffer); 206 | var messageBuffer = malloc(payloadLength); 207 | libc_recv(cache.fd, messageBuffer, payloadLength, 256); 208 | var message = cache.createMessageByType(cache.messageFactory, messageType); 209 | Message._setVersion(message, messageVersion); 210 | var byteStream = Message._getByteStream(message); 211 | ByteStream._setLength(byteStream, payloadLength); 212 | if (payloadLength) { 213 | var byteArray = malloc(payloadLength); 214 | memmove(byteArray, messageBuffer, payloadLength); 215 | ByteStream._setByteArray(byteStream, byteArray); 216 | } 217 | Message._decode(message); 218 | // logMessage(message); 219 | MessageQueue._enqueue(cache.recvQueue, message); 220 | free(messageBuffer); 221 | } 222 | } 223 | 224 | const wakeup = Interceptor.attach(base.add(0x85D6B6 + 1), { 225 | onEnter: function(args) { 226 | if (Login == 1) { 227 | wakeup.detach(); 228 | } 229 | console.log("Interceptor wakeup samurai"); 230 | onWakeup(); 231 | setTimeout(reAttach, 100); 232 | } 233 | }); 234 | 235 | function reAttach() { 236 | const wake = Interceptor.attach(base.add(0x85D6B6 + 1), { 237 | onEnter: function(args) { 238 | wake.detach(); 239 | console.log("Interceptor wakeup samurai"); 240 | onWakeup(); 241 | setTimeout(reAttach, 100); 242 | } 243 | }); 244 | } 245 | 246 | function unlocker() { 247 | Login = 0; 248 | attachTo(); 249 | } 250 | 251 | /*Interceptor.replace(Module.findExportByName('libc.so', 'pthread_cond_signal'), new NativeCallback(function(a1) { 252 | if(!this.returnAddress.equals(cache.pthreadReturn)) { 253 | return pthread_cond_signal(a1); 254 | } 255 | var sp4 = Memory.readPointer(this.context.sp.add(4)); 256 | for (var i = 0; i < cache.wakeUpReturnArray.length; i += 1) { 257 | if (sp4.equals(cache.wakeUpReturnArray[i])) { 258 | onWakeup(); 259 | return 0; 260 | } 261 | } 262 | return pthread_cond_signal(a1); 263 | }, 'int', ['pointer']));*/ 264 | 265 | Interceptor.attach(Module.findExportByName('libc.so', 'select'), { 266 | onEnter: function(args) { 267 | console.log("Receive"); 268 | onReceive(); 269 | } 270 | }); 271 | } 272 | 273 | Interceptor.attach(Module.findExportByName('libc.so', 'connect'), { 274 | onEnter: function(args) { 275 | if (ntohs(Memory.readU16(args[1].add(2))) === 9339) { 276 | cache.fd = args[0].toInt32(); 277 | console.log("Suka connecting...."); 278 | var host = Memory.allocUtf8String("192.168.0.100"); 279 | Memory.writeInt(args[1].add(4), inet_addr(host)); 280 | setupMessaging(); 281 | } 282 | } 283 | }); 284 | 285 | -------------------------------------------------------------------------------- /Bs/V36/36_218_debug_button_d-1.so: -------------------------------------------------------------------------------- 1 | console.log("Hey"); 2 | var cache = {}; 3 | const base = Module.findBaseAddress("libg.so"); 4 | 5 | Interceptor.replace(base.add(0x57B7B4), new NativeCallback(function() { 6 | console.log("пошел нахуй"); 7 | }, 'void', [])); 8 | 9 | Interceptor.attach(base.add(0x68DE6C), function() { 10 | console.log("распрыжка"); 11 | this.context.r0 = base.add(0x68EE94); 12 | }); 13 | 14 | const SERVER_CONNECTION = 0x107E0A4; 15 | const CREATE_MESSAGE_BY_TYPE = 0x5CAF8C; 16 | const MESSAGE_FACTORY_CTOR = 0x3AF7F4; 17 | const hui = 0xB8A50; 18 | const POINTER_SIZE = 4; 19 | const NEW_OPERATOR = 0xB89C0; 20 | const HOMEPAGE_STARTGAME = 0x511000; 21 | const DEBUGMENU_CTOR = 0x317AEC; 22 | const STAGE_CTOR = 0x682100; 23 | const STAGEADDCHILD = 0x8D5E24; 24 | const STAGEREMOVECHILD = 0x4F6354; 25 | const ADD_FILE = 0x1D6940; 26 | const STAGE_ADDRESS = 0x1071D90; 27 | const ascdebugsc = 0xC49DC1; 28 | const LOGINMESSAGE_ENCODE = 0x492F58; 29 | const GUI_ADDRESS = 0x10698F4; 30 | 31 | const HUD_PRINT = 0xC86C0; 32 | 33 | const FONT_LOAD = 0x58651C; 34 | 35 | const DEBUGGER_SET_DEBUG_HUD = 0xCBBA0; 36 | const DEBUGHUD_CTOR = 0x7AFC70; 37 | const STRING_CTOR = 0x570C30; 38 | 39 | const GAMEMAIN_GET_ID = 0x4675D8; 40 | 41 | const GAMEMAIN_INSTANCE = 0x107239C; 42 | 43 | const TEXTFIELD_CTOR = 0x4E8840; 44 | const TEXTFILED_SETTEXT = 0x585608; 45 | 46 | //global constants 47 | const SOCK_STREAM = 1; 48 | const AF_INET = 2; 49 | 50 | const DUDKA = 0xB8A20; 51 | 52 | const WRITE_LONG = 0x142D8C; 53 | const WRITE_STRING = 0x8D9238; 54 | const WRITE_INT = 0x20E3D0; 55 | 56 | const WriteLong = new NativeFunction(base.add(WRITE_LONG), 'void', ['pointer', 'pointer']); 57 | const WriteString = new NativeFunction(base.add(WRITE_STRING), 'void', ['pointer', 'pointer']); 58 | const WriteInt = new NativeFunction(base.add(WRITE_INT), 'void', ['pointer', 'int']); 59 | 60 | const StageAdd = new NativeFunction(base.add(STAGEADDCHILD), 'void', ['pointer', 'pointer']); 61 | const StageRemove = new NativeFunction(base.add(STAGEREMOVECHILD), 'void', ['pointer', 'pointer']); 62 | const DebugMenuCtor = new NativeFunction(base.add(DEBUGMENU_CTOR), 'pointer', ['pointer']); 63 | const AddFile = new NativeFunction(base.add(ADD_FILE), 'int', ['pointer', 'pointer', 'int', 'int', 'int', 'int', 'int']); 64 | 65 | const StringCtor = new NativeFunction(base.add(STRING_CTOR), 'pointer', ['pointer', 'pointer']); 66 | const SetDebugHud = new NativeFunction(base.add(DEBUGGER_SET_DEBUG_HUD), 'pointer', ['pointer']); 67 | const DebugHudCtor = new NativeFunction(base.add(DEBUGHUD_CTOR), 'pointer', ['pointer', 'pointer']); 68 | const LoadFont = new NativeFunction(base.add(FONT_LOAD), 'pointer', ['pointer']); 69 | 70 | const GuiHudPrint = new NativeFunction(base.add(HUD_PRINT), 'pointer', ['pointer', 'pointer']); 71 | 72 | const GameMainGetAccountId = new NativeFunction(base.add(GAMEMAIN_GET_ID), 'pointer', ['pointer']); 73 | 74 | const TextFieldCtor = new NativeFunction(base.add(TEXTFIELD_CTOR), 'pointer', ['pointer']); 75 | const TextFieldSetText = new NativeFunction(base.add(TEXTFILED_SETTEXT), 'pointer', ['pointer', 'pointer']); 76 | const DISPLAYOBJECT_SETXY = 0x7DF8E0; 77 | const DisplayObjectSetXY = new NativeFunction(base.add(DISPLAYOBJECT_SETXY), 'pointer', ['pointer', 'int', 'int']); 78 | 79 | //server nativechick 80 | var socket = new NativeFunction(Module.findExportByName('libc.so', 'socket'), 'int', ['int', 'int', 'int']); 81 | var bind = new NativeFunction(Module.findExportByName('libc.so', 'bind'), 'int', ['int', 'pointer', 'int']); 82 | var memset = new NativeFunction(Module.findExportByName('libc.so', 'memset'), 'void', ['pointer', 'int', 'int']); 83 | var htons = new NativeFunction(Module.findExportByName('libc.so', 'htons'), 'uint16', ['uint16']); 84 | var listen = new NativeFunction(Module.findExportByName('libc.so', 'listen'), 'int', ['int', 'int']); 85 | var accept = new NativeFunction(Module.findExportByName('libc.so', 'accept'), 'int', ['int', 'pointer', 'pointer']); 86 | var pthread_create = new NativeFunction(Module.findExportByName('libc.so', 'pthread_create'), 'int', ['pointer', 'pointer', 'pointer', 'pointer']); 87 | 88 | function createStringPtr(message) { 89 | var charPtr = malloc(message.length + 1); 90 | Memory.writeUtf8String(charPtr, message); 91 | return charPtr 92 | } 93 | 94 | Interceptor.attach(Module.findExportByName("libc.so", "pthread_mutex_init"), { 95 | onEnter: function(args) { 96 | if (this.returnAddress.equals(base.add(0x315FD0))) { 97 | cache.messaging = args[0].sub(160); 98 | //setupNetworking(); 99 | } 100 | } 101 | }); 102 | 103 | 104 | //libc native functions 105 | var malloc = new NativeFunction(Module.findExportByName('libc.so', 'malloc'), 'pointer', ['int']); 106 | var free = new NativeFunction(Module.findExportByName('libc.so', 'free'), 'void', ['pointer']); 107 | var pthread_mutex_lock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_lock'), 'int', ['pointer']); 108 | var pthread_mutex_unlock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_unlock'), 'int', ['pointer']); 109 | var pthread_cond_signal = new NativeFunction(Module.findExportByName('libc.so', 'pthread_cond_signal'), 'int', ['pointer']); 110 | var select = new NativeFunction(Module.findExportByName('libc.so', 'select'), 'int', ['int', 'pointer', 'pointer', 'pointer', 'pointer']); 111 | var memmove = new NativeFunction(Module.findExportByName('libc.so', 'memmove'), 'pointer', ['pointer', 'pointer', 'int']); 112 | var ntohs = new NativeFunction(Module.findExportByName('libc.so', 'ntohs'), 'uint16', ['uint16']); 113 | var inet_addr = new NativeFunction(Module.findExportByName('libc.so', 'inet_addr'), 'int', ['pointer']); 114 | var libc_send = new NativeFunction(Module.findExportByName('libc.so', 'send'), 'int', ['int', 'pointer', 'int', 'int']); 115 | var libc_recv = new NativeFunction(Module.findExportByName('libc.so', 'recv'), 'int', ['int', 'pointer', 'int', 'int']); 116 | var libc_close = new NativeFunction(Module.findExportByName('libc.so', 'close'), 'int', ['int']); 117 | var libc_connect = new NativeFunction(Module.findExportByName('libc.so', 'connect'), 'int', ['int', 'pointer', 'int']); 118 | var inet_pton = new NativeFunction(Module.findExportByName("libc.so", "inet_pton"), 'int', ['int', 'pointer', 'pointer']); 119 | 120 | Java.perform(function() { 121 | var Sys = Java.use("java.lang.System"); 122 | 123 | Sys.exit.implementation = function() { 124 | console.log("Nop"); 125 | } 126 | }); 127 | 128 | function toast(toastText) { 129 | Java.perform(function() { 130 | var context = Java.use('android.app.ActivityThread').currentApplication().getApplicationContext(); 131 | 132 | Java.scheduleOnMainThread(function() { 133 | var toast = Java.use("android.widget.Toast"); 134 | toast.makeText(context, Java.use("java.lang.String").$new(toastText), 1).show(); 135 | }); 136 | }); 137 | } 138 | 139 | var Message = { 140 | _getByteStream: function(message) { 141 | return message.add(8); 142 | }, 143 | _getVersion: function(message) { 144 | return Memory.readInt(message.add(4)); 145 | }, 146 | _setVersion: function(message, version) { 147 | Memory.writeInt(message.add(4), version); 148 | }, 149 | _getMessageType: function(message) { 150 | return (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(20)), 'int', ['pointer']))(message); 151 | }, 152 | _encode: function(message) { 153 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(8)), 'void', ['pointer']))(message); 154 | }, 155 | _decode: function(message) { 156 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(12)), 'void', ['pointer']))(message); 157 | }, 158 | _free: function(message) { 159 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(24)), 'void', ['pointer']))(message); 160 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(4)), 'void', ['pointer']))(message); 161 | } 162 | }; 163 | var ByteStream = { 164 | _getOffset: function(byteStream) { 165 | return Memory.readInt(byteStream.add(16)); 166 | }, 167 | _getByteArray: function(byteStream) { 168 | return Memory.readPointer(byteStream.add(28)); 169 | }, 170 | _setByteArray: function(byteStream, array) { 171 | Memory.writePointer(byteStream.add(28), array); 172 | }, 173 | _getLength: function(byteStream) { 174 | return Memory.readInt(byteStream.add(20)); 175 | }, 176 | _setLength: function(byteStream, length) { 177 | Memory.writeInt(byteStream.add(20), length); 178 | } 179 | }; 180 | var Buffer = { 181 | _getEncodingLength: function(buffer) { 182 | return Memory.readU8(buffer.add(2)) << 16 | Memory.readU8(buffer.add(3)) << 8 | Memory.readU8(buffer.add(4)); 183 | }, 184 | _setEncodingLength: function(buffer, length) { 185 | Memory.writeU8(buffer.add(2), length >> 16 & 0xFF); 186 | Memory.writeU8(buffer.add(3), length >> 8 & 0xFF); 187 | Memory.writeU8(buffer.add(4), length & 0xFF); 188 | }, 189 | _setMessageType: function(buffer, type) { 190 | Memory.writeU8(buffer.add(0), type >> 8 & 0xFF); 191 | Memory.writeU8(buffer.add(1), type & 0xFF); 192 | }, 193 | _getMessageVersion: function(buffer) { 194 | return Memory.readU8(buffer.add(5)) << 8 | Memory.readU8(buffer.add(6)); 195 | }, 196 | _setMessageVersion: function(buffer, version) { 197 | Memory.writeU8(buffer.add(5), version >> 8 & 0xFF); 198 | Memory.writeU8(buffer.add(6), version & 0xFF); 199 | }, 200 | _getMessageType: function(buffer) { 201 | return Memory.readU8(buffer) << 8 | Memory.readU8(buffer.add(1)); 202 | }, 203 | }; 204 | var MessageQueue = { 205 | _getCapacity: function(queue) { 206 | return Memory.readInt(queue.add(4)); 207 | }, 208 | _get: function(queue, index) { 209 | console.log(Memory.readPointer(queue).add(POINTER_SIZE * index) - cache.messaging); 210 | return Memory.readPointer(Memory.readPointer(queue).add(POINTER_SIZE * index)); 211 | }, 212 | _set: function(queue, index, message) { 213 | Memory.writePointer(Memory.readPointer(queue).add(POINTER_SIZE * index), message); 214 | }, 215 | _count: function(queue) { 216 | return Memory.readInt(queue.add(8)); 217 | }, 218 | _decrementCount: function(queue) { 219 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) - 1); 220 | }, 221 | _incrementCount: function(queue) { 222 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) + 1); 223 | }, 224 | _getDequeueIndex: function(queue) { 225 | return Memory.readInt(queue.add(12)); 226 | }, 227 | _getEnqueueIndex: function(queue) { 228 | return Memory.readInt(queue.add(16)); 229 | }, 230 | _setDequeueIndex: function(queue, index) { 231 | Memory.writeInt(queue.add(12), index); 232 | }, 233 | _setEnqueueIndex: function(queue, index) { 234 | Memory.writeInt(queue.add(16), index); 235 | }, 236 | _enqueue: function(queue, message) { 237 | pthread_mutex_lock(queue.sub(4)); 238 | var index = MessageQueue._getEnqueueIndex(queue); 239 | MessageQueue._set(queue, index, message); 240 | MessageQueue._setEnqueueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 241 | MessageQueue._incrementCount(queue); 242 | pthread_mutex_unlock(queue.sub(4)); 243 | }, 244 | _dequeue: function(queue) { 245 | var message = null; 246 | pthread_mutex_lock(queue.sub(4)); 247 | if (MessageQueue._count(queue)) { 248 | var index = MessageQueue._getDequeueIndex(queue); 249 | console.log(index); 250 | message = MessageQueue._get(queue, index); 251 | MessageQueue._setDequeueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 252 | MessageQueue._decrementCount(queue); 253 | } 254 | pthread_mutex_unlock(queue.sub(4)); 255 | return message; 256 | } 257 | }; 258 | 259 | 260 | 261 | /*Interceptor.attach(tweakerpro.add(receivedpepe), { 262 | onLeave: function(ritual) { 263 | console.log("getter setter interpretter!"); 264 | var type = Buffer._getMessageType(ritual); 265 | console.log(type); 266 | } 267 | });*/ 268 | 269 | function openDebug() { 270 | cache.dptr = DebugMenu.new(); 271 | StageAdd(base.add(STAGE_ADDRESS).readPointer(), cache.dptr); 272 | 273 | cache.updateHook = Interceptor.attach(base.add(0x4F3364), { 274 | onLeave(retval) { 275 | DebugMenu.update(cache.dptr, 20); 276 | } 277 | }); 278 | } 279 | 280 | function dclose() { 281 | cache.updateHook.detach(); 282 | cache.opened = false; 283 | console.log("Close."); 284 | StageRemove(base.add(STAGE_ADDRESS).readPointer(), cache.dptr); 285 | free(cache.dptr); // вообще деструктор надо вызывать но похуй 286 | } 287 | 288 | function patchArxan() { 289 | Interceptor.replace(base.add(LOGINMESSAGE_ENCODE), new NativeCallback(function (a1) { 290 | var Stream = Message._getByteStream(a1); 291 | 292 | cache.loginMemory = a1; 293 | cache.loginStream = Stream; 294 | 295 | console.log("пиздоблядский мудопроёб"); 296 | 297 | WriteLong(Stream, a1.add(84).readPointer()); 298 | WriteString(Stream, a1.add(88).readPointer()); 299 | WriteInt(Stream, a1.add(92).readInt()); 300 | WriteInt(Stream, 0); 301 | WriteInt(Stream, a1.add(96).readInt()); 302 | WriteString(Stream, a1.add(116).readPointer()); 303 | }, 'void', ['pointer'])); 304 | } 305 | 306 | //function patchBattles() { 307 | //Interceptor.attach(base.add(HOMEPAGE_STARTGAME), { 308 | //onEnter: function(args) { 309 | //args[3] = ptr(3); 310 | //} 311 | //}) 312 | //} 313 | 314 | Interceptor.replace(base.add(0xE7088), new NativeCallback(function() { 315 | console.log("сам пошёл нахуй"); 316 | setupAntiPidor(); 317 | return 0; 318 | 319 | }, 'void', [])); 320 | 321 | function onReceive() { 322 | var headerBuffer = cache.newOperator(7); 323 | var received = libc_recv(cache.fd, headerBuffer, 7, 256); 324 | if (received == 0) { 325 | libc_close(cache.fd); 326 | cache.checks.detach(); 327 | //cache.battles.detach(); 328 | console.log("connection closed."); 329 | } 330 | var messageType = Buffer._getMessageType(headerBuffer); 331 | if (messageType > 20000 && messageType < 30000) { 332 | try { 333 | console.log(messageType); 334 | var payloadLength = Buffer._getEncodingLength(headerBuffer); 335 | var messageVersion = Buffer._getMessageVersion(headerBuffer); 336 | free(headerBuffer); 337 | var messageBuffer = cache.newOperator(payloadLength); 338 | libc_recv(cache.fd, messageBuffer, payloadLength, 256); 339 | var message = cache.createMessageByType(cache.messageFactory, messageType); 340 | Message._setVersion(message, messageVersion); 341 | var byteStream = Message._getByteStream(message); 342 | ByteStream._setLength(byteStream, payloadLength); 343 | if (payloadLength) { 344 | var byteArray = cache.newOperator(payloadLength); 345 | memmove(byteArray, messageBuffer, payloadLength); 346 | ByteStream._setByteArray(byteStream, byteArray); 347 | } 348 | Message._decode(message); 349 | MessageQueue._enqueue(cache.recvQueue, message); 350 | if (messageType === 20104) { 351 | Memory.writeInt(cache.state, 5); 352 | patchBattles(); 353 | //openDebug(); 354 | } 355 | free(messageBuffer);} 356 | catch(exception) {} 357 | } 358 | } 359 | 360 | function setupNetworking() { 361 | console.log(cache.messaging); 362 | 363 | cache.messageFactoryCtor = new NativeFunction(base.add(MESSAGE_FACTORY_CTOR), 'void', ['pointer', 'bool']); 364 | cache.messageFactory = malloc(228); 365 | cache.messageFactoryCtor(cache.messageFactory, 0); 366 | 367 | cache.recvQueue = cache.messaging.add(304); //288 368 | cache.sendQueue = cache.messaging.add(164); 369 | cache.state = cache.messaging.add(16); 370 | 371 | console.log("SendQueue: ", cache.sendQueue.readPointer()); 372 | console.log("RecvQueue: ", cache.sendQueue.readPointer()); 373 | console.log("Factory: ", cache.messageFactory); 374 | 375 | cache.createMessageByType = new NativeFunction(base.add(CREATE_MESSAGE_BY_TYPE), 'pointer', ['pointer', 'int']); 376 | cache.newOperator = new NativeFunction(base.add(NEW_OPERATOR), 'pointer', ['int']); 377 | 378 | cache.sendMessage = function (message) { 379 | var messageType = Message._getMessageType(message); 380 | Message._encode(message); 381 | var byteStream = Message._getByteStream(message); 382 | var messagePayloadLength = ByteStream._getOffset(byteStream); 383 | var messageBuffer = malloc(messagePayloadLength + 7); 384 | memmove(messageBuffer.add(7), ByteStream._getByteArray(byteStream), messagePayloadLength); 385 | Buffer._setEncodingLength(messageBuffer, messagePayloadLength); 386 | Buffer._setMessageType(messageBuffer, Message._getMessageType(message)); 387 | Buffer._setMessageVersion(messageBuffer, Message._getVersion(message)); 388 | libc_send(cache.fd, messageBuffer, messagePayloadLength + 7, 0); 389 | free(messageBuffer); 390 | }; 391 | 392 | 393 | 394 | function onWakeup() { 395 | var message = MessageQueue._dequeue(cache.sendQueue); 396 | while (message) { 397 | console.log("message"); 398 | var messageType = Message._getMessageType(message); 399 | console.log("MessageType: ", messageType); 400 | cache.sendMessage(message); 401 | 402 | message = MessageQueue._dequeue(cache.sendQueue); 403 | } 404 | }; 405 | 406 | /*Interceptor.replace(base.add(0x208A54), new NativeCallback(function (a1, a2) { 407 | console.log("да бля"); 408 | console.log(a1.add(24).readByteArray(7)); 409 | //console.log(a2.readByteArray(7)); 410 | onReceive(); 411 | return 0; 412 | }, 'int', ['pointer', 'pointer']));*/ 413 | 414 | 415 | 416 | Interceptor.replace(Module.findExportByName('libc.so', 'pthread_cond_signal'), new NativeCallback(function(a1) { 417 | onWakeup(); 418 | return pthread_cond_signal(a1); 419 | }, 'int', ['pointer'])); 420 | } 421 | 422 | function setupPatcher() { 423 | Interceptor.replace(base.add(0x4CB9E0), new NativeCallback(function() { 424 | return 1; 425 | }, 'int', [])); 426 | 427 | Interceptor.replace(base.add(0x7CC82C), new NativeCallback(function() { 428 | return 0; 429 | }, 'int', [])); 430 | } 431 | 432 | Interceptor.attach(Module.findExportByName('libc.so', 'getaddrinfo'), { 433 | onEnter: function(args) { 434 | console.log('here'); 435 | this.z = args[0] = Memory.allocUtf8String("127.0.0.1"); 436 | setupPatcher(); 437 | } 438 | }); 439 | Interceptor.attach(Module.findExportByName('libc.so', 'connect'), { 440 | onEnter: function(args) { 441 | if (ntohs(Memory.readU16(args[1].add(2))) === 9339) { 442 | cache.fd = args[0].toInt32(); 443 | console.log("Connecting to 9339..."); 444 | //var host = Memory.allocUtf8String("192.168.0.100"); 445 | //Memory.writeInt(args[1].add(4), inet_addr(host)); 446 | //Interceptor.revert(Module.findExportByName('libc.so', 'select')); 447 | Interceptor.revert(Module.findExportByName('libc.so', 'pthread_cond_signal')); 448 | if (cache.recvHack != undefined) cache.recvHack.detach(); 449 | Interceptor.revert(base.add(0x4CB9E0)); 450 | Interceptor.revert(base.add(0x7CC82C)); 451 | setupNetworking(); 452 | //setupAntiPidor(); 453 | } 454 | } 455 | }); 456 | 457 | const DebugMenu = { 458 | new: function() { 459 | var dptr = malloc(1000); 460 | DebugMenuCtor(dptr); 461 | return dptr; 462 | }, 463 | update: function(instance, deltaTime) { 464 | new NativeFunction(base.add(0x7F24F4), 'void', ['pointer', 'float'])(instance, deltaTime); 465 | } 466 | }; 467 | 468 | function patchRecv() { 469 | ; 470 | } 471 | 472 | function strPtr(content) { 473 | return Memory.allocUtf8String(content); 474 | } 475 | 476 | function createDebugButton() { 477 | let btn = malloc(228); 478 | new NativeFunction(base.add(0x464EB0), 'void', ['pointer'])(btn); 479 | let movieClip = new NativeFunction(base.add(0x7019E8), 'pointer', ['pointer', 'pointer', 'bool'])(strPtr("sc/debug.sc"), strPtr("debug_button"), 1); 480 | new NativeFunction(base.add(0x475030), 'void', ['pointer', 'pointer'])(btn, movieClip); 481 | 482 | StageAdd(base.add(STAGE_ADDRESS).readPointer(), btn); 483 | new NativeFunction(base.add(0x7DF8E0), 'void', ['pointer', 'float', 'float'])(btn, 30, 560); 484 | 485 | cache.dbtn = btn; 486 | } 487 | 488 | function setupAntiPidor() { 489 | Interceptor.replace(base.add(0x2418C8), new NativeCallback(function() { 490 | //console.log("хуй ты меня destroy"); 491 | return 0; 492 | }, 'int', [])); 493 | 494 | cache.opened = false; 495 | 496 | const adder = Interceptor.attach(base.add(ADD_FILE), { 497 | onEnter: function(args) { 498 | adder.detach(); 499 | AddFile(args[0], base.add(ascdebugsc), -1, -1, -1, -1, 0); 500 | console.log("Debug Sc Loaded!"); 501 | patchArxan(); 502 | Memory.protect(base.add(0x208FB8), 4, 'rwx'); 503 | base.add(0x208FB8).writeByteArray([0, 0, 0, 0]); // у вас же тоже decrypt в 0 вкручен? 504 | 505 | Interceptor.replace(base.add(0x6707F4), new NativeCallback(function(dudka, lander, dudnik) { 506 | dudka.add(16).writeU32(5); 507 | new NativeFunction(base.add(0x25F9E0), 'void', ['pointer', 'pointer'])(dudka, dudnik); 508 | console.log("взломал твою ж и поменял 10100 и 10101 местами"); 509 | }, 'void', ['pointer', 'pointer', 'pointer'])); 510 | //initDebugger(); 511 | } 512 | }); 513 | 514 | const homeMode = Interceptor.attach(base.add(0x460AE8), { 515 | onLeave(retval) { 516 | createDebugButton(); 517 | } 518 | }); 519 | patchBattles(); 520 | Interceptor.attach(base.add(0x49BE10), { 521 | onEnter(args) { 522 | if (cache.dbtn) { 523 | if (args[0].toInt32() == cache.dbtn.toInt32()) { 524 | toggleDebug(); 525 | } 526 | } 527 | } 528 | }); 529 | } 530 | 531 | function toggleDebug() { 532 | if (!cache.opened) { 533 | cache.opened = true; 534 | 535 | openDebug(); 536 | } 537 | else { 538 | dclose(); 539 | } 540 | } 541 | 542 | toast("Server created Sparky"); -------------------------------------------------------------------------------- /Bs/V36/v36.218.js: -------------------------------------------------------------------------------- 1 | //this script was made by bread, but im NOT SURE IN THAT. 2 | 3 | const Armceptor = { 4 | replace(ptr, arr) { 5 | Memory.protect(ptr, arr.length, "rwx"); 6 | Memory.writeByteArray(ptr, arr); 7 | Memory.protect(ptr, arr.length, "rx"); 8 | }, 9 | nop(ptr) { 10 | Armceptor.replace(ptr, [0x00, 0xF0, 0x20, 0xE3]); 11 | }, 12 | ret(ptr) { 13 | Armceptor.replace(ptr, [0x1E, 0xFF, 0x2F, 0xE1]); 14 | } 15 | } 16 | 17 | 18 | function connect(address) { 19 | const base = Module.findBaseAddress('libg.so'); 20 | const ServerConnection_connectTo = base.add(0x4F87E4); 21 | 22 | Interceptor.attach(ServerConnection_connectTo, { 23 | onEnter(args) { 24 | if (args[1].add(8).readPointer().readUtf8String() === "game.brawlstarsgame.com") { 25 | console.log("блять об прод споткнулся"); 26 | args[1].add(8).readPointer().writeUtf8String(address); 27 | initMessaging(); 28 | } 29 | } 30 | }); 31 | } 32 | 33 | function misc() { 34 | const base = Module.findBaseAddress('libg.so'); 35 | 36 | Interceptor.replace(base.add(0x4CB9E0), new NativeCallback(function() { 37 | return 1; 38 | }, 'int', [])); 39 | 40 | Interceptor.replace(base.add(0x7CC82C), new NativeCallback(function() { 41 | if (this.returnAddress.equals(base.add(0x910C34)) || this.returnAddress.equals(base.add(0x910BEC))) { 42 | return 0; 43 | } 44 | return 1; 45 | }, 'int', [])); 46 | 47 | Interceptor.attach(base.add(0x1E1B18), { // BattleScreen::shouldShowChatButton 48 | onLeave(retval) { 49 | retval.replace(1); 50 | } 51 | }); 52 | 53 | Interceptor.attach(base.add(0x517310), { // HomePage::shouldShowTeamItems 54 | onLeave(retval) { 55 | retval.replace(1); 56 | } 57 | }); 58 | 59 | Interceptor.attach(base.add(0x511000), { 60 | onEnter(args) { 61 | args[3] = ptr(3); 62 | } 63 | }); 64 | } 65 | 66 | function hook() { 67 | const base = Module.findBaseAddress('libg.so'); 68 | 69 | const receiveMessage =Interceptor.attach(base.add(0x3642A0), { // MessageManager::receiveMessage 70 | onEnter(args) { 71 | const message = args[1]; 72 | const messageType = new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(20)), 'int', ['pointer'])(message); 73 | if (messageType === 20104) { 74 | misc(); 75 | receiveMessage.detach(); 76 | } 77 | } 78 | }); 79 | } 80 | 81 | function initMessaging() { 82 | const base = Module.findBaseAddress('libg.so'); 83 | 84 | Armceptor.ret(base.add(0x81D7D4)); // Messaging::decryptData 85 | Interceptor.attach(base.add(0x6707F4), { // Messaging::sendPepperAuthentication 86 | onEnter(args) { 87 | this.messaging = args[0]; 88 | args[0].add(16).writeU32(5); 89 | args[1] = args[2]; 90 | }, 91 | onLeave(re) { 92 | this.messaging.add(16).writeU32(5); 93 | } 94 | }); 95 | Interceptor.attach(base.add(0x2174A4), function() { // Messaging::encryptAndWrite 96 | this.context.r0 = 0x2774; 97 | }); 98 | } 99 | 100 | 101 | function destroy_protections() { 102 | const base = Module.findBaseAddress('libg.so'); 103 | const createGameInstanceJump = base.add(0x33CC04); 104 | const createGameInstanceClean = base.add(0x33CC80); 105 | const loginMessageEncodeJump = base.add(0x493304); 106 | const loginMessageEncodeClean = base.add(0x493EA8); 107 | const inputSystemUpdateJump = base.add(0x68DE6C); 108 | const inputSystemUpdateClean = base.add(0x68EE94); 109 | const gameMainCtorJump = base.add(0x66DCEC); 110 | const gameMainCtorClean = base.add(0x66E0A0); 111 | const combatHUDUltiButtonActivatedJump = base.add(0x7D8858); 112 | const combatHUDUltiButtonActivatedClean = base.add(0x7D8C34); 113 | const messagingConnectJump = base.add(0x39AD0C); 114 | const messagingConnectClean = base.add(0x39C55C); 115 | const resourceManagerInitJump = base.add(0x68A718); 116 | const resourceManagerInitClean = base.add(0x68B1F8); 117 | const openat = Module.findExportByName(null, 'openat'); 118 | 119 | 120 | Interceptor.attach(createGameInstanceJump, function() { 121 | console.log("а негры тоже пидорасы x1"); 122 | this.context.r0 = createGameInstanceClean; 123 | }); 124 | 125 | Interceptor.attach(gameMainCtorJump, function() { 126 | console.log("а негры тоже пидорасы x2"); 127 | this.context.r0 = gameMainCtorClean; 128 | }); 129 | 130 | Interceptor.attach(inputSystemUpdateJump, function() { 131 | console.log("а негры тоже пидорасы x3"); 132 | this.context.r0 = inputSystemUpdateClean; 133 | }); 134 | 135 | Interceptor.attach(resourceManagerInitJump, function() { 136 | console.log("а негры тоже пидорасы x4"); 137 | this.context.r0 = resourceManagerInitClean; 138 | }); 139 | 140 | /*Interceptor.attach(messagingConnectJump, function() { DO NOT TOUCH 141 | console.log("а негры тоже пидорасы x6"); 142 | this.context.r0 = messagingConnectClean; 143 | });*/ 144 | 145 | Interceptor.attach(loginMessageEncodeJump, function() { 146 | console.log("а негры тоже пидорасы x5"); 147 | this.context.r0 = loginMessageEncodeClean; 148 | }); 149 | 150 | Interceptor.attach(combatHUDUltiButtonActivatedJump, function() { 151 | console.log("а негры тоже пидорасы x6"); 152 | this.context.r0 = combatHUDUltiButtonActivatedClean; 153 | }); 154 | 155 | Interceptor.replace(base.add(0x8339F4), new NativeCallback(function() {}, 'void', ['int'])); // AntiCheat::guard_callback 156 | 157 | Interceptor.replace(base.add(0x6B7CD0), new NativeCallback(function() { // AntiCheat::getAntihackFlags 158 | return 0; 159 | }, 'int', [])); 160 | 161 | Interceptor.replace(openat, new NativeCallback(function() { // openat 162 | return 0; 163 | }, 'int', [])); 164 | } 165 | 166 | function init() { 167 | destroy_protections(); 168 | connect("127.0.0.1"); // ip 169 | hook(); 170 | console.log("Successfully injected!"); 171 | } 172 | 173 | rpc.exports.init = init; 174 | -------------------------------------------------------------------------------- /Bs/V39/libmeow.so: -------------------------------------------------------------------------------- 1 | var cache = { 2 | modules: {}, 3 | options: {} 4 | }; 5 | 6 | // Pointers \\ 7 | var DECRYPT_DATA_POINTER = 0x370AC4; 8 | var ENCRYPT_AND_WRITE_POINTER = 0x2FB984; 9 | var isDevPtr = 0x7B89A0; 10 | var isDevBuildPtr = 0x2D514C; 11 | var isProdPtr = 0x728FA4; 12 | var sendPepperAuthenticationPtr = 0x92EB0C; 13 | var homePageStartGamePtr = 0x5C845C; 14 | var signCheckPtr = 0x738198; 15 | var anticheatUpdatePtr = 0x27092C; 16 | var loginEncodePtr = 0x696A38; 17 | var UltiBypassPtr = 0x0A0E50; 18 | var camerdaModeChangedPtr = 0x2E1BF8; 19 | var supercellIdOpenWindowPtr = 0x87B158; 20 | var STATE = 16; 21 | // Pointers \\ 22 | 23 | // Config \\ 24 | var isDev = 1; 25 | var isDevBuild = 1; 26 | var isProd = 0; 27 | var POINTER_SIZE = 4; 28 | // Config \\ 29 | 30 | var log = function(text) { 31 | Java.use("android.util.Log").v("frida", " " + text); 32 | } 33 | 34 | var base = Module.findBaseAddress('libg.so'); 35 | var connect = new NativeFunction(Module.findExportByName('libc.so', 'connect'), 'int', ['int', 'pointer', 'uint']); 36 | var malloc = new NativeFunction(Module.findExportByName('libc.so', 'malloc'), 'pointer', ['int']); 37 | var free = new NativeFunction(Module.findExportByName('libc.so', 'free'), 'void', ['pointer']); 38 | var memmove = new NativeFunction(Module.findExportByName('libc.so', 'memmove'), 'pointer', ['pointer', 'pointer', 'int']); 39 | var ntohs = new NativeFunction(Module.findExportByName('libc.so', 'ntohs'), 'uint16', ['uint16']); 40 | var inet_addr = new NativeFunction(Module.findExportByName('libc.so', 'inet_addr'), 'int', ['pointer']); 41 | var libc_send = new NativeFunction(Module.findExportByName('libc.so', 'send'), 'int', ['int', 'pointer', 'int', 'int']); 42 | 43 | var Message = { 44 | _getByteStream: function(message) { 45 | return message.add(8); 46 | }, 47 | _getVersion: function(message) { 48 | return Memory.readInt(message.add(4)); 49 | }, 50 | _getMessageType: function(message) { 51 | return new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(20)), 'int', ['pointer'])(message); 52 | }, 53 | _encode: function(message) { 54 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(8)), 'void', ['pointer']))(message); 55 | } 56 | }; 57 | var ByteStream = { 58 | _getOffset: function(byteStream) { 59 | return Memory.readInt(byteStream.add(16)); 60 | }, 61 | _getByteArray: function(byteStream) { 62 | return Memory.readPointer(byteStream.add(28)); 63 | } 64 | }; 65 | var Buffer = { 66 | _setEncodingLength: function(buffer, length) { 67 | Memory.writeU8(buffer.add(2), length >> 16 & 0xFF); 68 | Memory.writeU8(buffer.add(3), length >> 8 & 0xFF); 69 | Memory.writeU8(buffer.add(4), length & 0xFF); 70 | }, 71 | _setMessageType: function(buffer, type) { 72 | Memory.writeU8(buffer.add(0), type >> 8 & 0xFF); 73 | Memory.writeU8(buffer.add(1), type & 0xFF); 74 | }, 75 | _setMessageVersion: function(buffer, version) { 76 | Memory.writeU8(buffer.add(5), version >> 8 & 0xFF); 77 | Memory.writeU8(buffer.add(6), version & 0xFF); 78 | } 79 | }; 80 | 81 | function setupMessaging() { 82 | cache.clubLeagueClicked = new NativeFunction(base.add(0x84FF28), 'void', ['pointer', 'pointer']); 83 | cache.guiGetInstance = new NativeFunction(base.add(0x1544E4), 'pointer', []); 84 | cache.genericPopupClub = new NativeFunction(base.add(0x5688E8), 'void', ['pointer']); 85 | cache.guiShowPopup = new NativeFunction(base.add(0x464D9C), 'pointer', ['pointer', 'pointer', 'uint', 'uint', 'uint']); 86 | 87 | function setupPointers(messaging, loginMessage) { 88 | cache.messaging = messaging; 89 | cache.state = cache.messaging.add(STATE); 90 | } 91 | 92 | function onWakeup(message) { 93 | var messageType = Message._getMessageType(message); 94 | //log("[CLIENT] MessageType: " + messageType); 95 | //log("[CLIENT] Message: " + message); 96 | Message._encode(message); 97 | if (messageType === 10101) { 98 | hook_misc_functions(); 99 | Memory.writeInt(cache.state, 5); // Editing state as we don't intercept server packet 100 | } 101 | var byteStream = Message._getByteStream(message); 102 | var messagePayloadLength = ByteStream._getOffset(byteStream); 103 | var messageBuffer = malloc(messagePayloadLength + 7); 104 | memmove(messageBuffer.add(7), ByteStream._getByteArray(byteStream), messagePayloadLength); 105 | Buffer._setEncodingLength(messageBuffer, messagePayloadLength); 106 | Buffer._setMessageType(messageBuffer, messageType); 107 | Buffer._setMessageVersion(messageBuffer, Message._getVersion(message)); 108 | libc_send(cache.fd, messageBuffer, messagePayloadLength + 7, 0); 109 | free(messageBuffer); 110 | } 111 | 112 | var sendPepperAuthentication = Interceptor.attach(base.add(sendPepperAuthenticationPtr), { // sendPepperAuthentication2 113 | onEnter: function(args) { 114 | args[1] = args[2]; 115 | setupPointers(args[0], args[2]); 116 | sendPepperAuthentication.detach(); 117 | } 118 | }); 119 | 120 | Interceptor.replace(base.add(ENCRYPT_AND_WRITE_POINTER), new NativeCallback(function(Messaging, PiranhaMessage) { 121 | onWakeup(PiranhaMessage); 122 | }, 'void', ['pointer', 'pointer'])); 123 | 124 | Interceptor.attach(base.add(homePageStartGamePtr), { // offlineBattles 125 | onEnter: function(args) { 126 | args[3] = ptr(3); 127 | } 128 | }); 129 | 130 | Memory.protect(base.add(0x1DA6CC), 4, "rwx"); // PepperEncrypter::Decrypt 131 | base.add(0x1DA6CC).writeByteArray([0x00, 0x00, 0xa0, 0xe3]); 132 | 133 | Interceptor.attach(base.add(0x7AD928), { 134 | onEnter: function(args) { 135 | log("[WARNING] " + args[0].readUtf8String() + " " + this.returnAddress.sub(base)); 136 | } 137 | }); 138 | 139 | Interceptor.attach(base.add(0x545B0C), { 140 | onEnter: function(args) { 141 | log("[ERROR] " + args[0].readUtf8String() + " " + this.returnAddress.sub(base)); 142 | } 143 | }); 144 | 145 | 146 | } 147 | 148 | function hook_misc_functions() { 149 | var scidbutton = 0x38F250; 150 | Memory.protect(base.add(scidbutton), 4, "rwx"); // SCID Button 151 | base.add(scidbutton).writeByteArray([0x01, 0x70, 0xa0, 0xe3]); 152 | 153 | var scidbuttonText = 0xE7BDEF; 154 | var cameraModeText = "Camera Mode"; 155 | Memory.protect(base.add(scidbuttonText), 15, "rwx"); // scidbuttonText 156 | base.add(scidbuttonText).writeUtf8String(cameraModeText); 157 | 158 | var playedbeforetextPointer = 0xE95448; 159 | var playedbeforetext = "https://discord.gg/59zDRUp2rW"; 160 | Memory.protect(base.add(playedbeforetextPointer), 26, "rwx"); // scidbuttonText 161 | base.add(playedbeforetextPointer).writeUtf8String(playedbeforetext); 162 | 163 | var cameraChange = new NativeFunction(base.add(camerdaModeChangedPtr), 'int', []); 164 | Interceptor.replace(base.add(supercellIdOpenWindowPtr), new NativeCallback(function(a1, a2) { 165 | cameraChange(); 166 | }, 'void', ['pointer', 'pointer'])); 167 | 168 | Interceptor.replace(base.add(isProdPtr), new NativeCallback(function() { 169 | if (this.returnAddress.equals(base.add(0x7CF548)) || this.returnAddress.equals(base.add(0x7CF500))) { 170 | return isProd; 171 | } 172 | return 1; 173 | }, 'uint', [])); 174 | 175 | Interceptor.replace(base.add(isDevBuildPtr), new NativeCallback(function() { 176 | return isDevBuild; 177 | }, 'uint', [])); 178 | 179 | Interceptor.replace(base.add(isDevPtr), new NativeCallback(function() { 180 | return isDev; 181 | }, 'uint', [])); 182 | } 183 | 184 | Memory.protect(base.add(signCheckPtr), 4, "rwx"); // Signature check 185 | base.add(signCheckPtr).writeByteArray([0x00, 0xf0, 0x20, 0xe3]); 186 | 187 | Memory.protect(base.add(anticheatUpdatePtr), 4, "rwx"); // Anticheat Update 188 | base.add(anticheatUpdatePtr).writeByteArray([0x00, 0xf0, 0x20, 0xe3]); 189 | 190 | Memory.protect(base.add(loginEncodePtr), 4, "rwx"); // LoginMessage 191 | base.add(loginEncodePtr).writeByteArray([0xe0, 0x03, 0x00, 0xea]); 192 | 193 | Memory.protect(base.add(UltiBypassPtr), 4, "rwx"); // UltiBypass 194 | base.add(UltiBypassPtr).writeByteArray([0xd0, 0x04, 0x00, 0xea]); 195 | 196 | function hook_pre_functions() { 197 | 198 | } 199 | 200 | /*var sentryBypass = Interceptor.attach(Module.findExportByName('libsentry.so', 'sentry_set_tag'), { 201 | onEnter: function(args) { 202 | hook_pre_functions(); 203 | sentryBypass.detach(); 204 | } 205 | });*/ 206 | 207 | Interceptor.attach(Module.findExportByName('libc.so', 'connect'), { 208 | onEnter: function(args) { 209 | if (ntohs(Memory.readU16(args[1].add(2))) === 9339) { 210 | cache.fd = args[0].toInt32(); 211 | Memory.writeInt(args[1].add(4), inet_addr(Memory.allocUtf8String("10.0.0.231"))); 212 | setupMessaging(); 213 | } 214 | } 215 | }); 216 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # frida-scripts 2 | 3 | all leaked frida scripts for brawl stars servers 4 | 5 | ## Fяida 6 | --------------------------------------------------------------------------------