├── .gitattributes ├── 31.96.js ├── 33.118.js ├── 35.js ├── README.md ├── debug22test.js ├── libcorescript.js ├── libmrvitalik.script.js ├── libsctest.js ├── retrobrawl.script.js ├── v13 online battle.js ├── v18-debug.js ├── v27.js ├── v28.189.js └── v36.218.js /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | -------------------------------------------------------------------------------- /31.96.js: -------------------------------------------------------------------------------- 1 | // global cache 2 | var cache = { 3 | modules: {}, 4 | options: {} 5 | }; 6 | 7 | console.log("Da"); 8 | 9 | const SERVER_CONNECTION = 0xCB6450; 10 | const PTHREAD_COND_WAKE_RETURN = 0x82B7A2 + 8 + 1; 11 | const CREATE_MESSAGE_BY_TYPE = 0x3962B0; 12 | const WAKEUP_RETURN_ARRAY = [0x2D1EA4, 0x2D30B8, 0x33F098, 0x4B6B58]; // 34D268 - Unk 13 | const SELECT_RETURN = 0x4E2368; 14 | const POINTER_SIZE = 4; 15 | 16 | var Login = 0; 17 | 18 | //libc native functions 19 | var malloc = new NativeFunction(Module.findExportByName('libc.so', 'malloc'), 'pointer', ['int']); 20 | var free = new NativeFunction(Module.findExportByName('libc.so', 'free'), 'void', ['pointer']); 21 | var pthread_mutex_lock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_lock'), 'int', ['pointer']); 22 | var pthread_mutex_unlock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_unlock'), 'int', ['pointer']); 23 | var pthread_cond_signal = new NativeFunction(Module.findExportByName('libc.so', 'pthread_cond_signal'), 'int', ['pointer']); 24 | var select = new NativeFunction(Module.findExportByName('libc.so', 'select'), 'int', ['int', 'pointer', 'pointer', 'pointer', 'pointer']); 25 | var memmove = new NativeFunction(Module.findExportByName('libc.so', 'memmove'), 'pointer', ['pointer', 'pointer', 'int']); 26 | var ntohs = new NativeFunction(Module.findExportByName('libc.so', 'ntohs'), 'uint16', ['uint16']); 27 | var inet_addr = new NativeFunction(Module.findExportByName('libc.so', 'inet_addr'), 'int', ['pointer']); 28 | var libc_send = new NativeFunction(Module.findExportByName('libc.so', 'send'), 'int', ['int', 'pointer', 'int', 'int']); 29 | var libc_recv = new NativeFunction(Module.findExportByName('libc.so', 'recv'), 'int', ['int', 'pointer', 'int', 'int']); 30 | 31 | 32 | var Message = { 33 | _getByteStream: function(message) { 34 | return message.add(8); 35 | }, 36 | _getVersion: function(message) { 37 | return Memory.readInt(message.add(4)); 38 | }, 39 | _setVersion: function(message, version) { 40 | Memory.writeInt(message.add(4), version); 41 | }, 42 | _getMessageType: function(message) { 43 | return (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(20)), 'int', ['pointer']))(message); 44 | }, 45 | _encode: function(message) { 46 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(8)), 'void', ['pointer']))(message); 47 | }, 48 | _decode: function(message) { 49 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(12)), 'void', ['pointer']))(message); 50 | }, 51 | _free: function(message) { 52 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(24)), 'void', ['pointer']))(message); 53 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(4)), 'void', ['pointer']))(message); 54 | } 55 | }; 56 | var ByteStream = { 57 | _getOffset: function(byteStream) { 58 | return Memory.readInt(byteStream.add(16)); 59 | }, 60 | _getByteArray: function(byteStream) { 61 | return Memory.readPointer(byteStream.add(28)); 62 | }, 63 | _setByteArray: function(byteStream, array) { 64 | Memory.writePointer(byteStream.add(28), array); 65 | }, 66 | _getLength: function(byteStream) { 67 | return Memory.readInt(byteStream.add(20)); 68 | }, 69 | _setLength: function(byteStream, length) { 70 | Memory.writeInt(byteStream.add(20), length); 71 | } 72 | }; 73 | var Buffer = { 74 | _getEncodingLength: function(buffer) { 75 | return Memory.readU8(buffer.add(2)) << 16 | Memory.readU8(buffer.add(3)) << 8 | Memory.readU8(buffer.add(4)); 76 | }, 77 | _setEncodingLength: function(buffer, length) { 78 | Memory.writeU8(buffer.add(2), length >> 16 & 0xFF); 79 | Memory.writeU8(buffer.add(3), length >> 8 & 0xFF); 80 | Memory.writeU8(buffer.add(4), length & 0xFF); 81 | }, 82 | _setMessageType: function(buffer, type) { 83 | Memory.writeU8(buffer.add(0), type >> 8 & 0xFF); 84 | Memory.writeU8(buffer.add(1), type & 0xFF); 85 | }, 86 | _getMessageVersion: function(buffer) { 87 | return Memory.readU8(buffer.add(5)) << 8 | Memory.readU8(buffer.add(6)); 88 | }, 89 | _setMessageVersion: function(buffer, version) { 90 | Memory.writeU8(buffer.add(5), version >> 8 & 0xFF); 91 | Memory.writeU8(buffer.add(6), version & 0xFF); 92 | }, 93 | _getMessageType: function(buffer) { 94 | return Memory.readU8(buffer) << 8 | Memory.readU8(buffer.add(1)); 95 | } 96 | }; 97 | var MessageQueue = { 98 | _getCapacity: function(queue) { 99 | return Memory.readInt(queue.add(4)); 100 | }, 101 | _get: function(queue, index) { 102 | return Memory.readPointer(Memory.readPointer(queue).add(POINTER_SIZE * index)); 103 | }, 104 | _set: function(queue, index, message) { 105 | Memory.writePointer(Memory.readPointer(queue).add(POINTER_SIZE * index), message); 106 | }, 107 | _count: function(queue) { 108 | return Memory.readInt(queue.add(8)); 109 | }, 110 | _decrementCount: function(queue) { 111 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) - 1); 112 | }, 113 | _incrementCount: function(queue) { 114 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) + 1); 115 | }, 116 | _getDequeueIndex: function(queue) { 117 | return Memory.readInt(queue.add(12)); 118 | }, 119 | _getEnqueueIndex: function(queue) { 120 | return Memory.readInt(queue.add(16)); 121 | }, 122 | _setDequeueIndex: function(queue, index) { 123 | Memory.writeInt(queue.add(12), index); 124 | }, 125 | _setEnqueueIndex: function(queue, index) { 126 | Memory.writeInt(queue.add(16), index); 127 | }, 128 | _enqueue: function(queue, message) { 129 | pthread_mutex_lock(queue.sub(4)); 130 | var index = MessageQueue._getEnqueueIndex(queue); 131 | MessageQueue._set(queue, index, message); 132 | MessageQueue._setEnqueueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 133 | MessageQueue._incrementCount(queue); 134 | pthread_mutex_unlock(queue.sub(4)); 135 | }, 136 | _dequeue: function(queue) { 137 | var message = null; 138 | pthread_mutex_lock(queue.sub(4)); 139 | if (MessageQueue._count(queue)) { 140 | var index = MessageQueue._getDequeueIndex(queue); 141 | message = MessageQueue._get(queue, index); 142 | MessageQueue._setDequeueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 143 | MessageQueue._decrementCount(queue); 144 | } 145 | pthread_mutex_unlock(queue.sub(4)); 146 | return message; 147 | } 148 | }; 149 | 150 | function setupMessaging() { 151 | const base = Process.findModuleByName('libg.so').base; 152 | cache.wakeUpReturnArray = []; 153 | for (var i = 0; i < WAKEUP_RETURN_ARRAY.length; i += 1) { 154 | cache.wakeUpReturnArray.push(base.add(WAKEUP_RETURN_ARRAY[i])); 155 | } 156 | cache.pthreadReturn = base.add(PTHREAD_COND_WAKE_RETURN); 157 | cache.serverConnection = Memory.readPointer(base.add(SERVER_CONNECTION)); 158 | cache.selectReturn = base.add(SELECT_RETURN); 159 | cache.messaging = Memory.readPointer(cache.serverConnection.add(4)); 160 | cache.messageFactory = Memory.readPointer(cache.messaging.add(52)); 161 | cache.recvQueue = cache.messaging.add(60); 162 | cache.sendQueue = cache.messaging.add(84); 163 | cache.state = cache.messaging.add(208); 164 | cache.loginMessagePtr = cache.messaging.add(212); 165 | 166 | cache.createMessageByType = new NativeFunction(base.add(CREATE_MESSAGE_BY_TYPE), 'pointer', ['pointer', 'int']); 167 | 168 | cache.sendMessage = function (message) { 169 | Message._encode(message); 170 | var byteStream = Message._getByteStream(message); 171 | var messagePayloadLength = ByteStream._getOffset(byteStream); 172 | var messageBuffer = malloc(messagePayloadLength + 7); 173 | memmove(messageBuffer.add(7), ByteStream._getByteArray(byteStream), messagePayloadLength); 174 | Buffer._setEncodingLength(messageBuffer, messagePayloadLength); 175 | Buffer._setMessageType(messageBuffer, Message._getMessageType(message)); 176 | Buffer._setMessageVersion(messageBuffer, Message._getVersion(message)); 177 | libc_send(cache.fd, messageBuffer, messagePayloadLength + 7, 0); 178 | free(messageBuffer); 179 | //Message._free(message); 180 | }; 181 | 182 | function onWakeup() { 183 | console.log("WAKE UP!!"); 184 | var message = MessageQueue._dequeue(cache.sendQueue); 185 | while (message) { 186 | var messageType = Message._getMessageType(message); 187 | console.log(messageType) 188 | if (messageType === 10100) { 189 | message = Memory.readPointer(cache.loginMessagePtr); 190 | Memory.writePointer(cache.loginMessagePtr, ptr(0)); 191 | Login = 1; 192 | } 193 | cache.sendMessage(message); 194 | message = MessageQueue._dequeue(cache.sendQueue); 195 | 196 | } 197 | } 198 | 199 | function onReceive() { 200 | var headerBuffer = malloc(7); 201 | libc_recv(cache.fd, headerBuffer, 7, 256); 202 | var messageType = Buffer._getMessageType(headerBuffer); 203 | 204 | if (messageType >= 20000) { 205 | if (messageType === 20104) { //LoginOk 206 | Memory.writeInt(cache.state, 5); 207 | } 208 | var payloadLength = Buffer._getEncodingLength(headerBuffer); 209 | var messageVersion = Buffer._getMessageVersion(headerBuffer); 210 | free(headerBuffer); 211 | var messageBuffer = malloc(payloadLength); 212 | libc_recv(cache.fd, messageBuffer, payloadLength, 256); 213 | var message = cache.createMessageByType(cache.messageFactory, messageType); 214 | Message._setVersion(message, messageVersion); 215 | var byteStream = Message._getByteStream(message); 216 | ByteStream._setLength(byteStream, payloadLength); 217 | if (payloadLength) { 218 | var byteArray = malloc(payloadLength); 219 | memmove(byteArray, messageBuffer, payloadLength); 220 | ByteStream._setByteArray(byteStream, byteArray); 221 | } 222 | Message._decode(message); 223 | // logMessage(message); 224 | MessageQueue._enqueue(cache.recvQueue, message); 225 | free(messageBuffer); 226 | } 227 | } 228 | 229 | const wakeup = Interceptor.attach(Module.findExportByName('libc.so', 'pthread_cond_signal'), { 230 | onEnter: function(args) { 231 | console.log("Interceptor wakeup samurai"); 232 | onWakeup(); 233 | //setTimeout(reAttach, 100); 234 | } 235 | }); 236 | 237 | function reAttach() { 238 | const wake = Interceptor.attach(base.add(0x82B7A2 + 1), { 239 | onEnter: function(args) { 240 | wake.detach(); 241 | console.log("Interceptor wakeup samurai"); 242 | onWakeup(); 243 | setTimeout(reAttach, 100); 244 | } 245 | }); 246 | } 247 | 248 | function unlocker() { 249 | Login = 0; 250 | attachTo(); 251 | } 252 | 253 | /*Interceptor.replace(Module.findExportByName('libc.so', 'pthread_cond_signal'), new NativeCallback(function(a1) { 254 | if(!this.returnAddress.equals(cache.pthreadReturn)) { 255 | return pthread_cond_signal(a1); 256 | } 257 | var sp4 = Memory.readPointer(this.context.sp.add(4)); 258 | for (var i = 0; i < cache.wakeUpReturnArray.length; i += 1) { 259 | if (sp4.equals(cache.wakeUpReturnArray[i])) { 260 | onWakeup(); 261 | return 0; 262 | } 263 | } 264 | return pthread_cond_signal(a1); 265 | }, 'int', ['pointer']));*/ 266 | 267 | Interceptor.attach(Module.findExportByName('libc.so', 'select'), { 268 | onEnter: function(args) { 269 | console.log("Receive"); 270 | onReceive(); 271 | } 272 | }); 273 | } 274 | 275 | Interceptor.attach(Module.findExportByName('libc.so', 'connect'), { 276 | onEnter: function(args) { 277 | if (ntohs(Memory.readU16(args[1].add(2))) === 9339) { 278 | cache.fd = args[0].toInt32(); 279 | console.log("Suka connecting...."); 280 | var host = Memory.allocUtf8String("192.168.0.100"); 281 | Memory.writeInt(args[1].add(4), inet_addr(host)); 282 | setupMessaging(); 283 | } 284 | } 285 | }); 286 | 287 | -------------------------------------------------------------------------------- /33.118.js: -------------------------------------------------------------------------------- 1 | function hexStringToByte(str) { 2 | if (!str) { 3 | return new Uint8Array(); 4 | } 5 | 6 | var a = []; 7 | for (var i = 0, len = str.length; i < len; i += 2) { 8 | a.push(parseInt(str.substr(i, 2), 16)); 9 | } 10 | 11 | return new Uint8Array(a); 12 | } 13 | 14 | const SHA256 = "731a29e80b7ca89c7e9b39d381821ee8dccd1b0456782f788650945e7d60d8d3"; //SHA Digest 15 | 16 | Java.perform(function () { 17 | const MessageDigest = Java.use("java.security.MessageDigest"); 18 | const Str = Java.use("java.lang.String"); 19 | 20 | MessageDigest.digest.overload('[B').implementation = function(a1) { 21 | console.log("digest"); 22 | var digraw = hexStringToByte(SHA256); 23 | var jaw = Java.array('byte', digraw); 24 | return jaw; 25 | } 26 | }); 27 | 28 | // global cache 29 | var cache = { 30 | modules: {}, 31 | options: {} 32 | }; 33 | 34 | //libc native functions 35 | var malloc = new NativeFunction(Module.findExportByName('libc.so', 'malloc'), 'pointer', ['int']); 36 | var free = new NativeFunction(Module.findExportByName('libc.so', 'free'), 'void', ['pointer']); 37 | var pthread_mutex_lock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_lock'), 'int', ['pointer']); 38 | var pthread_mutex_unlock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_unlock'), 'int', ['pointer']); 39 | var pthread_cond_signal = new NativeFunction(Module.findExportByName('libc.so', 'pthread_cond_signal'), 'int', ['pointer']); 40 | var select = new NativeFunction(Module.findExportByName('libc.so', 'select'), 'int', ['int', 'pointer', 'pointer', 'pointer', 'pointer']); 41 | var memmove = new NativeFunction(Module.findExportByName('libc.so', 'memmove'), 'pointer', ['pointer', 'pointer', 'int']); 42 | var ntohs = new NativeFunction(Module.findExportByName('libc.so', 'ntohs'), 'uint16', ['uint16']); 43 | var inet_addr = new NativeFunction(Module.findExportByName('libc.so', 'inet_addr'), 'int', ['pointer']); 44 | var libc_send = new NativeFunction(Module.findExportByName('libc.so', 'send'), 'int', ['int', 'pointer', 'int', 'int']); 45 | var libc_recv = new NativeFunction(Module.findExportByName('libc.so', 'recv'), 'int', ['int', 'pointer', 'int', 'int']); 46 | 47 | const SERVER_CONNECTION = 0xC68300; 48 | const PTHREAD_COND_WAKE_RETURN = 0x7D2AFE + 8 + 1; 49 | const CREATE_MESSAGE_BY_TYPE = 0x2FEF24; 50 | const NEW_OPERATOR = 0x7F4944 + 1; 51 | const WAKEUP_RETURN_ARRAY = [0x11897C, 0x12B21C, 0x21080C, 0x2AE020, 0x4923B4, 0x64BC54]; 52 | const SELECT_RETURN = 0x29573C; 53 | const CHECK = 0xB5030; 54 | const ON_RECEIVE = 0x363FD4; 55 | const POINTER_SIZE = 4; 56 | 57 | // logic helpers 58 | var Message = { 59 | _getByteStream: function(message) { 60 | return message.add(8); 61 | }, 62 | _getVersion: function(message) { 63 | return Memory.readInt(message.add(4)); 64 | }, 65 | _setVersion: function(message, version) { 66 | try { 67 | Memory.writeInt(message.add(4), version); 68 | } catch(error) { 69 | } 70 | }, 71 | _getMessageType: function(message) { 72 | return (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(20)), 'int', ['pointer']))(message); 73 | }, 74 | _encode: function(message) { 75 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(8)), 'void', ['pointer']))(message); 76 | }, 77 | _decode: function(message) { 78 | try { 79 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(12)), 'void', ['pointer']))(message); 80 | } catch(error) { 81 | } 82 | }, 83 | _free: function(message) { 84 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(24)), 'void', ['pointer']))(message); 85 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(4)), 'void', ['pointer']))(message); 86 | } 87 | }; 88 | var ByteStream = { 89 | _getOffset: function(byteStream) { 90 | return Memory.readInt(byteStream.add(16)); 91 | }, 92 | _getByteArray: function(byteStream) { 93 | return Memory.readPointer(byteStream.add(28)); 94 | }, 95 | _setByteArray: function(byteStream, array) { 96 | try { 97 | Memory.writePointer(byteStream.add(28), array); 98 | } catch(error) { 99 | } 100 | }, 101 | _getLength: function(byteStream) { 102 | return Memory.readInt(byteStream.add(20)); 103 | }, 104 | _setLength: function(byteStream, length) { 105 | try { 106 | Memory.writeInt(byteStream.add(20), length); 107 | } catch(error) { 108 | } 109 | } 110 | }; 111 | var Buffer = { 112 | _getEncodingLength: function(buffer) { 113 | return Memory.readU8(buffer.add(2)) << 16 | Memory.readU8(buffer.add(3)) << 8 | Memory.readU8(buffer.add(4)); 114 | }, 115 | _setEncodingLength: function(buffer, length) { 116 | Memory.writeU8(buffer.add(2), length >> 16 & 0xFF); 117 | Memory.writeU8(buffer.add(3), length >> 8 & 0xFF); 118 | Memory.writeU8(buffer.add(4), length & 0xFF); 119 | }, 120 | _setMessageType: function(buffer, type) { 121 | Memory.writeU8(buffer.add(0), type >> 8 & 0xFF); 122 | Memory.writeU8(buffer.add(1), type & 0xFF); 123 | }, 124 | _getMessageVersion: function(buffer) { 125 | return Memory.readU8(buffer.add(5)) << 8 | Memory.readU8(buffer.add(6)); 126 | }, 127 | _setMessageVersion: function(buffer, version) { 128 | Memory.writeU8(buffer.add(5), version >> 8 & 0xFF); 129 | Memory.writeU8(buffer.add(6), version & 0xFF); 130 | }, 131 | _getMessageType: function(buffer) { 132 | return Memory.readU8(buffer) << 8 | Memory.readU8(buffer.add(1)); 133 | } 134 | }; 135 | var MessageQueue = { 136 | _getCapacity: function(queue) { 137 | return Memory.readInt(queue.add(4)); 138 | }, 139 | _get: function(queue, index) { 140 | return Memory.readPointer(Memory.readPointer(queue).add(POINTER_SIZE * index)); 141 | }, 142 | _set: function(queue, index, message) { 143 | Memory.writePointer(Memory.readPointer(queue).add(POINTER_SIZE * index), message); 144 | }, 145 | _count: function(queue) { 146 | return Memory.readInt(queue.add(8)); 147 | }, 148 | _decrementCount: function(queue) { 149 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) - 1); 150 | }, 151 | _incrementCount: function(queue) { 152 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) + 1); 153 | }, 154 | _getDequeueIndex: function(queue) { 155 | return Memory.readInt(queue.add(12)); 156 | }, 157 | _getEnqueueIndex: function(queue) { 158 | return Memory.readInt(queue.add(16)); 159 | }, 160 | _setDequeueIndex: function(queue, index) { 161 | Memory.writeInt(queue.add(12), index); 162 | }, 163 | _setEnqueueIndex: function(queue, index) { 164 | Memory.writeInt(queue.add(16), index); 165 | }, 166 | _enqueue: function(queue, message) { 167 | pthread_mutex_lock(queue.sub(4)); 168 | var index = MessageQueue._getEnqueueIndex(queue); 169 | MessageQueue._set(queue, index, message); 170 | MessageQueue._setEnqueueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 171 | MessageQueue._incrementCount(queue); 172 | pthread_mutex_unlock(queue.sub(4)); 173 | }, 174 | _dequeue: function(queue) { 175 | var message = null; 176 | pthread_mutex_lock(queue.sub(4)); 177 | if (MessageQueue._count(queue)) { 178 | var index = MessageQueue._getDequeueIndex(queue); 179 | message = MessageQueue._get(queue, index); 180 | MessageQueue._setDequeueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 181 | MessageQueue._decrementCount(queue); 182 | } 183 | pthread_mutex_unlock(queue.sub(4)); 184 | return message; 185 | } 186 | }; 187 | 188 | 189 | function setupMessaging() { 190 | cache.base = Module.findBaseAddress("libg.so"); 191 | cache.sett = 1; 192 | console.log("Base"); 193 | cache.pthreadReturn = cache.base.add(PTHREAD_COND_WAKE_RETURN); 194 | cache.wakeUpReturnArray = []; 195 | for (var i = 0; i < WAKEUP_RETURN_ARRAY.length; i += 1) { 196 | cache.wakeUpReturnArray.push(cache.base.add(WAKEUP_RETURN_ARRAY[i])); 197 | } 198 | cache.serverConnection = Memory.readPointer(cache.base.add(SERVER_CONNECTION)); 199 | cache.messaging = Memory.readPointer(cache.serverConnection.add(4)); 200 | console.log(cache.messaging); 201 | cache.messageFactory = Memory.readPointer(cache.messaging.add(52)); 202 | console.log(cache.messageFactory); 203 | cache.recvQueue = cache.messaging.add(60); 204 | cache.sendQueue = cache.messaging.add(84); 205 | cache.state = cache.messaging.add(208); 206 | cache.loginMessagePtr = cache.messaging.add(212); 207 | cache.createMessageByType = new NativeFunction(cache.base.add(CREATE_MESSAGE_BY_TYPE), 'pointer', ['pointer', 'int']); 208 | cache.selectReturn = cache.base.add(SELECT_RETURN); 209 | cache.newOperator = new NativeFunction(cache.base.add(NEW_OPERATOR), 'pointer', ['int']); 210 | console.log(Memory.readByteArray(cache.serverConnection, 40)); 211 | console.log(Memory.readByteArray(cache.messaging, 40)); 212 | 213 | console.log(cache.messaging); 214 | 215 | cache.sendMessage = function (message) { 216 | var messageType = Message._getMessageType(message); 217 | Message._encode(message); 218 | var byteStream = Message._getByteStream(message); 219 | var messagePayloadLength = ByteStream._getOffset(byteStream); 220 | var messageBuffer = malloc(messagePayloadLength + 7); 221 | memmove(messageBuffer.add(7), ByteStream._getByteArray(byteStream), messagePayloadLength); 222 | Buffer._setEncodingLength(messageBuffer, messagePayloadLength); 223 | Buffer._setMessageType(messageBuffer, Message._getMessageType(message)); 224 | Buffer._setMessageVersion(messageBuffer, Message._getVersion(message)); 225 | libc_send(cache.fd, messageBuffer, messagePayloadLength + 7, 0); 226 | free(messageBuffer); 227 | }; 228 | 229 | function onWakeup() { 230 | var message = MessageQueue._dequeue(cache.sendQueue); 231 | while (message) { 232 | var messageType = Message._getMessageType(message); 233 | console.log(messageType); 234 | if (messageType === 10100) { 235 | message = Memory.readPointer(cache.loginMessagePtr); 236 | Memory.writePointer(cache.loginMessagePtr, ptr(0)); 237 | //patchReceive(); 238 | } 239 | cache.sendMessage(message); 240 | message = MessageQueue._dequeue(cache.sendQueue); 241 | } 242 | }; 243 | 244 | function onReceive() { 245 | var headerBuffer = cache.newOperator(7); 246 | libc_recv(cache.fd, headerBuffer, 7, 256); 247 | var messageType = Buffer._getMessageType(headerBuffer); 248 | if (messageType > 20000 && messageType < 30000) { 249 | var payloadLength = Buffer._getEncodingLength(headerBuffer); 250 | var messageVersion = Buffer._getMessageVersion(headerBuffer); 251 | free(headerBuffer); 252 | var messageBuffer = cache.newOperator(payloadLength); 253 | libc_recv(cache.fd, messageBuffer, payloadLength, 256); 254 | var message = cache.createMessageByType(cache.messageFactory, messageType); 255 | Message._setVersion(message, messageVersion); 256 | var byteStream = Message._getByteStream(message); 257 | ByteStream._setLength(byteStream, payloadLength); 258 | if (payloadLength) { 259 | var byteArray = cache.newOperator(payloadLength); 260 | memmove(byteArray, messageBuffer, payloadLength); 261 | ByteStream._setByteArray(byteStream, byteArray); 262 | } 263 | Message._decode(message); 264 | MessageQueue._enqueue(cache.recvQueue, message); 265 | if (messageType === 20104) { 266 | Memory.writeInt(cache.state, 5); 267 | hackProtections(); 268 | } 269 | free(messageBuffer); 270 | } 271 | }; 272 | 273 | var checks; 274 | 275 | function hackProtections() { 276 | Interceptor.replace(cache.base.add(ON_RECEIVE), new NativeCallback(function(a1, a2) { 277 | }, 'void', ['int', 'int'])); 278 | checks = Interceptor.attach(cache.base.add(CHECK), function() { 279 | this.context.r0 = 0x02; 280 | }); 281 | } 282 | 283 | Interceptor.replace(Module.findExportByName('libc.so', 'pthread_cond_signal'), new NativeCallback(function(a1) { 284 | if(!this.returnAddress.equals(cache.pthreadReturn)) { 285 | return pthread_cond_signal(a1); 286 | } 287 | var sp4 = Memory.readPointer(this.context.sp.add(4)); 288 | for (var i = 0; i < cache.wakeUpReturnArray.length; i += 1) { 289 | if (sp4.equals(cache.wakeUpReturnArray[i])) { 290 | onWakeup(); 291 | return 0; 292 | } 293 | } 294 | return pthread_cond_signal(a1); 295 | }, 'int', ['pointer'])); 296 | 297 | //function patchReceive() { 298 | Interceptor.replace(Module.findExportByName('libc.so', 'select'), new NativeCallback(function(nfds, readfds, writefds, exceptfds, timeout) { 299 | console.log("selection"); 300 | var r = select(nfds, readfds, writefds, exceptfds, timeout); 301 | if (this.returnAddress.equals(cache.selectReturn)) { 302 | console.log("selected"); 303 | onReceive(); 304 | } 305 | return r; 306 | }, 'int', ['int', 'pointer', 'pointer', 'pointer', 'pointer'])); 307 | //} 308 | } 309 | 310 | 311 | function setup() { 312 | Interceptor.attach(Module.findExportByName('libc.so', 'connect'), { 313 | onEnter: function(args) { 314 | if (ntohs(Memory.readU16(args[1].add(2))) === 9339) { 315 | cache.fd = args[0].toInt32(); 316 | console.log("Connecting to 9339..."); 317 | var host = Memory.allocUtf8String("192.168.0.100"); 318 | Memory.writeInt(args[1].add(4), inet_addr(host)); 319 | setupMessaging(); 320 | } 321 | } 322 | }); 323 | } 324 | 325 | // startup 326 | rpc.exports = { 327 | init: function(stage, options) { 328 | cache.options = options || {}; 329 | Interceptor.detachAll(); 330 | setup(); 331 | } 332 | }; 333 | -------------------------------------------------------------------------------- /35.js: -------------------------------------------------------------------------------- 1 | // global cache 2 | var cache = { 3 | modules: {}, 4 | options: {} 5 | }; 6 | 7 | console.log("Da"); 8 | 9 | const SERVER_CONNECTION = 0xD18784; 10 | const PTHREAD_COND_WAKE_RETURN = 0x85D6B6 + 8 + 1; 11 | const CREATE_MESSAGE_BY_TYPE = 0x5EC014; 12 | const WAKEUP_RETURN_ARRAY = [0x2D1EA4, 0x2D30B8, 0x33F098, 0x4B6B58]; // 34D268 - Unk 13 | const SELECT_RETURN = 0x4E2368; 14 | const POINTER_SIZE = 4; 15 | 16 | var Login = 0; 17 | 18 | //libc native functions 19 | var malloc = new NativeFunction(Module.findExportByName('libc.so', 'malloc'), 'pointer', ['int']); 20 | var free = new NativeFunction(Module.findExportByName('libc.so', 'free'), 'void', ['pointer']); 21 | var pthread_mutex_lock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_lock'), 'int', ['pointer']); 22 | var pthread_mutex_unlock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_unlock'), 'int', ['pointer']); 23 | var pthread_cond_signal = new NativeFunction(Module.findExportByName('libc.so', 'pthread_cond_signal'), 'int', ['pointer']); 24 | var select = new NativeFunction(Module.findExportByName('libc.so', 'select'), 'int', ['int', 'pointer', 'pointer', 'pointer', 'pointer']); 25 | var memmove = new NativeFunction(Module.findExportByName('libc.so', 'memmove'), 'pointer', ['pointer', 'pointer', 'int']); 26 | var ntohs = new NativeFunction(Module.findExportByName('libc.so', 'ntohs'), 'uint16', ['uint16']); 27 | var inet_addr = new NativeFunction(Module.findExportByName('libc.so', 'inet_addr'), 'int', ['pointer']); 28 | var libc_send = new NativeFunction(Module.findExportByName('libc.so', 'send'), 'int', ['int', 'pointer', 'int', 'int']); 29 | var libc_recv = new NativeFunction(Module.findExportByName('libc.so', 'recv'), 'int', ['int', 'pointer', 'int', 'int']); 30 | 31 | 32 | var Message = { 33 | _getByteStream: function(message) { 34 | return message.add(8); 35 | }, 36 | _getVersion: function(message) { 37 | return Memory.readInt(message.add(4)); 38 | }, 39 | _setVersion: function(message, version) { 40 | Memory.writeInt(message.add(4), version); 41 | }, 42 | _getMessageType: function(message) { 43 | return (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(20)), 'int', ['pointer']))(message); 44 | }, 45 | _encode: function(message) { 46 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(8)), 'void', ['pointer']))(message); 47 | }, 48 | _decode: function(message) { 49 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(12)), 'void', ['pointer']))(message); 50 | }, 51 | _free: function(message) { 52 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(24)), 'void', ['pointer']))(message); 53 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(4)), 'void', ['pointer']))(message); 54 | } 55 | }; 56 | var ByteStream = { 57 | _getOffset: function(byteStream) { 58 | return Memory.readInt(byteStream.add(16)); 59 | }, 60 | _getByteArray: function(byteStream) { 61 | return Memory.readPointer(byteStream.add(28)); 62 | }, 63 | _setByteArray: function(byteStream, array) { 64 | Memory.writePointer(byteStream.add(28), array); 65 | }, 66 | _getLength: function(byteStream) { 67 | return Memory.readInt(byteStream.add(20)); 68 | }, 69 | _setLength: function(byteStream, length) { 70 | Memory.writeInt(byteStream.add(20), length); 71 | } 72 | }; 73 | var Buffer = { 74 | _getEncodingLength: function(buffer) { 75 | return Memory.readU8(buffer.add(2)) << 16 | Memory.readU8(buffer.add(3)) << 8 | Memory.readU8(buffer.add(4)); 76 | }, 77 | _setEncodingLength: function(buffer, length) { 78 | Memory.writeU8(buffer.add(2), length >> 16 & 0xFF); 79 | Memory.writeU8(buffer.add(3), length >> 8 & 0xFF); 80 | Memory.writeU8(buffer.add(4), length & 0xFF); 81 | }, 82 | _setMessageType: function(buffer, type) { 83 | Memory.writeU8(buffer.add(0), type >> 8 & 0xFF); 84 | Memory.writeU8(buffer.add(1), type & 0xFF); 85 | }, 86 | _getMessageVersion: function(buffer) { 87 | return Memory.readU8(buffer.add(5)) << 8 | Memory.readU8(buffer.add(6)); 88 | }, 89 | _setMessageVersion: function(buffer, version) { 90 | Memory.writeU8(buffer.add(5), version >> 8 & 0xFF); 91 | Memory.writeU8(buffer.add(6), version & 0xFF); 92 | }, 93 | _getMessageType: function(buffer) { 94 | return Memory.readU8(buffer) << 8 | Memory.readU8(buffer.add(1)); 95 | } 96 | }; 97 | var MessageQueue = { 98 | _getCapacity: function(queue) { 99 | return Memory.readInt(queue.add(4)); 100 | }, 101 | _get: function(queue, index) { 102 | return Memory.readPointer(Memory.readPointer(queue).add(POINTER_SIZE * index)); 103 | }, 104 | _set: function(queue, index, message) { 105 | Memory.writePointer(Memory.readPointer(queue).add(POINTER_SIZE * index), message); 106 | }, 107 | _count: function(queue) { 108 | return Memory.readInt(queue.add(8)); 109 | }, 110 | _decrementCount: function(queue) { 111 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) - 1); 112 | }, 113 | _incrementCount: function(queue) { 114 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) + 1); 115 | }, 116 | _getDequeueIndex: function(queue) { 117 | return Memory.readInt(queue.add(12)); 118 | }, 119 | _getEnqueueIndex: function(queue) { 120 | return Memory.readInt(queue.add(16)); 121 | }, 122 | _setDequeueIndex: function(queue, index) { 123 | Memory.writeInt(queue.add(12), index); 124 | }, 125 | _setEnqueueIndex: function(queue, index) { 126 | Memory.writeInt(queue.add(16), index); 127 | }, 128 | _enqueue: function(queue, message) { 129 | pthread_mutex_lock(queue.sub(4)); 130 | var index = MessageQueue._getEnqueueIndex(queue); 131 | MessageQueue._set(queue, index, message); 132 | MessageQueue._setEnqueueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 133 | MessageQueue._incrementCount(queue); 134 | pthread_mutex_unlock(queue.sub(4)); 135 | }, 136 | _dequeue: function(queue) { 137 | var message = null; 138 | pthread_mutex_lock(queue.sub(4)); 139 | if (MessageQueue._count(queue)) { 140 | var index = MessageQueue._getDequeueIndex(queue); 141 | message = MessageQueue._get(queue, index); 142 | MessageQueue._setDequeueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 143 | MessageQueue._decrementCount(queue); 144 | } 145 | pthread_mutex_unlock(queue.sub(4)); 146 | return message; 147 | } 148 | }; 149 | 150 | function setupMessaging() { 151 | const base = Process.findModuleByName('libg.so').base; 152 | cache.pthreadReturn = base.add(PTHREAD_COND_WAKE_RETURN); 153 | cache.serverConnection = Memory.readPointer(base.add(SERVER_CONNECTION)); 154 | cache.messaging = Memory.readPointer(cache.serverConnection.add(4)); 155 | cache.messageFactory = Memory.readPointer(cache.messaging.add(52)); 156 | cache.recvQueue = cache.messaging.add(60); 157 | cache.sendQueue = cache.messaging.add(84); 158 | cache.state = cache.messaging.add(208); 159 | cache.loginMessagePtr = cache.messaging.add(212); 160 | 161 | cache.createMessageByType = new NativeFunction(base.add(CREATE_MESSAGE_BY_TYPE), 'pointer', ['pointer', 'int']); 162 | 163 | cache.sendMessage = function (message) { 164 | Message._encode(message); 165 | var byteStream = Message._getByteStream(message); 166 | var messagePayloadLength = ByteStream._getOffset(byteStream); 167 | var messageBuffer = malloc(messagePayloadLength + 7); 168 | memmove(messageBuffer.add(7), ByteStream._getByteArray(byteStream), messagePayloadLength); 169 | Buffer._setEncodingLength(messageBuffer, messagePayloadLength); 170 | Buffer._setMessageType(messageBuffer, Message._getMessageType(message)); 171 | Buffer._setMessageVersion(messageBuffer, Message._getVersion(message)); 172 | libc_send(cache.fd, messageBuffer, messagePayloadLength + 7, 0); 173 | free(messageBuffer); 174 | //Message._free(message); 175 | }; 176 | 177 | function onWakeup() { 178 | console.log("WAKE UP!!"); 179 | var message = MessageQueue._dequeue(cache.sendQueue); 180 | while (message) { 181 | var messageType = Message._getMessageType(message); 182 | console.log(messageType) 183 | if (messageType === 10100) { 184 | message = Memory.readPointer(cache.loginMessagePtr); 185 | Memory.writePointer(cache.loginMessagePtr, ptr(0)); 186 | Login = 1; 187 | } 188 | cache.sendMessage(message); 189 | message = MessageQueue._dequeue(cache.sendQueue); 190 | 191 | } 192 | } 193 | 194 | function onReceive() { 195 | var headerBuffer = malloc(7); 196 | libc_recv(cache.fd, headerBuffer, 7, 256); 197 | var messageType = Buffer._getMessageType(headerBuffer); 198 | 199 | if (messageType >= 20000) { 200 | if (messageType === 20104) { //LoginOk 201 | Memory.writeInt(cache.state, 5); 202 | } 203 | var payloadLength = Buffer._getEncodingLength(headerBuffer); 204 | var messageVersion = Buffer._getMessageVersion(headerBuffer); 205 | free(headerBuffer); 206 | var messageBuffer = malloc(payloadLength); 207 | libc_recv(cache.fd, messageBuffer, payloadLength, 256); 208 | var message = cache.createMessageByType(cache.messageFactory, messageType); 209 | Message._setVersion(message, messageVersion); 210 | var byteStream = Message._getByteStream(message); 211 | ByteStream._setLength(byteStream, payloadLength); 212 | if (payloadLength) { 213 | var byteArray = malloc(payloadLength); 214 | memmove(byteArray, messageBuffer, payloadLength); 215 | ByteStream._setByteArray(byteStream, byteArray); 216 | } 217 | Message._decode(message); 218 | // logMessage(message); 219 | MessageQueue._enqueue(cache.recvQueue, message); 220 | free(messageBuffer); 221 | } 222 | } 223 | 224 | const wakeup = Interceptor.attach(base.add(0x85D6B6 + 1), { 225 | onEnter: function(args) { 226 | if (Login == 1) { 227 | wakeup.detach(); 228 | } 229 | console.log("Interceptor wakeup samurai"); 230 | onWakeup(); 231 | setTimeout(reAttach, 100); 232 | } 233 | }); 234 | 235 | function reAttach() { 236 | const wake = Interceptor.attach(base.add(0x85D6B6 + 1), { 237 | onEnter: function(args) { 238 | wake.detach(); 239 | console.log("Interceptor wakeup samurai"); 240 | onWakeup(); 241 | setTimeout(reAttach, 100); 242 | } 243 | }); 244 | } 245 | 246 | function unlocker() { 247 | Login = 0; 248 | attachTo(); 249 | } 250 | 251 | /*Interceptor.replace(Module.findExportByName('libc.so', 'pthread_cond_signal'), new NativeCallback(function(a1) { 252 | if(!this.returnAddress.equals(cache.pthreadReturn)) { 253 | return pthread_cond_signal(a1); 254 | } 255 | var sp4 = Memory.readPointer(this.context.sp.add(4)); 256 | for (var i = 0; i < cache.wakeUpReturnArray.length; i += 1) { 257 | if (sp4.equals(cache.wakeUpReturnArray[i])) { 258 | onWakeup(); 259 | return 0; 260 | } 261 | } 262 | return pthread_cond_signal(a1); 263 | }, 'int', ['pointer']));*/ 264 | 265 | Interceptor.attach(Module.findExportByName('libc.so', 'select'), { 266 | onEnter: function(args) { 267 | console.log("Receive"); 268 | onReceive(); 269 | } 270 | }); 271 | } 272 | 273 | Interceptor.attach(Module.findExportByName('libc.so', 'connect'), { 274 | onEnter: function(args) { 275 | if (ntohs(Memory.readU16(args[1].add(2))) === 9339) { 276 | cache.fd = args[0].toInt32(); 277 | console.log("Suka connecting...."); 278 | var host = Memory.allocUtf8String("192.168.0.100"); 279 | Memory.writeInt(args[1].add(4), inet_addr(host)); 280 | setupMessaging(); 281 | } 282 | } 283 | }); 284 | 285 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Frida-Scripts 2 | Collection of Fяida scripts that i have. 3 | Enjoy! -------------------------------------------------------------------------------- /debug22test.js: -------------------------------------------------------------------------------- 1 | // global cache 2 | var cache = { 3 | modules: {}, 4 | options: {} 5 | }; 6 | 7 | const base = Module.findBaseAddress("libg.so"); 8 | 9 | // global constants 10 | const SERVER_CONNECTION = 0xA079B8; 11 | const NEW_OPERATOR = 0x643F54 + 1; 12 | const WAKEUP_RETURN_ARRAY = [0x464ac, 0xcacb0, 0xd1114, 0x3811a0, 0x4cd6d0, 0x4e2f78]; 13 | const PTHREAD_COND_WAKE_RETURN = 0x61691b; 14 | const CREATE_MESSAGE_BY_TYPE = 0x1f1aa8; // 'createMessageByType' function address // 30000 15 | const SELECT_RETURN = 0x3ae540; // x-ref select function 16 | const ON_RECEIVE = 0x54E730; // Messaging::onReceive subslave address. 17 | const POINTER_SIZE = 4; 18 | const ANTON_XUI_DEBUG_1 = 0x110E34; 19 | const GET_MOVIECLIP = 0x31F8BC; 20 | const fResourceManagerGetMovieClip = new NativeFunction(base.add(GET_MOVIECLIP), 'pointer', ['pointer', 'pointer']); 21 | const SET_MOVIE_CLIP = 0x2252BC; 22 | const stage_offset = 0xA0900C; 23 | const STAGE_DROCHILD = 0x16ED1C; 24 | const fStageDrochild = new NativeFunction(base.add(STAGE_DROCHILD), 'void', ['pointer', 'pointer']); 25 | 26 | const BUTTON_SETMOVIECLIP = 0x398210; 27 | 28 | const STRING_CTOR = 0x2FBCBC; 29 | 30 | const IS_DEV = 0x200934; // LogicVersion::isDev 31 | const IS_PROD = 0x4BD0DC; // LogicVersion::isProd 32 | 33 | const HOMEPAGE_STARTGAME = 0x277388; 34 | const ADD_VISION_UPDATE = 0x438FA4; 35 | 36 | const GAMEBUTTON_CTOR = 0x799D8; 37 | 38 | const SET_TEXT = 0xDE8A4; 39 | const REMOVE_CHILD = 0x61A40; 40 | 41 | // global lib calls 42 | const StringCtor = new NativeFunction(base.add(STRING_CTOR), 'void', ['pointer', 'pointer']); 43 | const ButtonSetClip = new NativeFunction(base.add(BUTTON_SETMOVIECLIP), 'void', ['pointer', 'pointer', 'bool']); 44 | const GameButtonCtor = new NativeFunction(base.add(GAMEBUTTON_CTOR), 'void', ['pointer']); 45 | const fSetText = new NativeFunction(base.add(SET_TEXT), 'void', ['pointer', 'pointer', 'bool']); 46 | var malloc = new NativeFunction(Module.findExportByName('libc.so', 'malloc'), 'pointer', ['int']); 47 | const free = new NativeFunction(Module.findExportByName('libc.so', 'free'), 'void', ['pointer']); 48 | const adudkactor = new NativeFunction(base.add(ANTON_XUI_DEBUG_1), 'void', ['pointer']); 49 | const pthread_mutex_lock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_lock'), 'int', ['pointer']); 50 | const pthread_mutex_unlock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_unlock'), 'int', ['pointer']); 51 | const pthread_cond_signal = new NativeFunction(Module.findExportByName('libc.so', 'pthread_cond_signal'), 'int', ['pointer']); 52 | const select = new NativeFunction(Module.findExportByName('libc.so', 'select'), 'int', ['int', 'pointer', 'pointer', 'pointer', 'pointer']); 53 | const memmove = new NativeFunction(Module.findExportByName('libc.so', 'memmove'), 'pointer', ['pointer', 'pointer', 'int']); 54 | const ntohs = new NativeFunction(Module.findExportByName('libc.so', 'ntohs'), 'uint16', ['uint16']); 55 | const inet_addr = new NativeFunction(Module.findExportByName('libc.so', 'inet_addr'), 'int', ['pointer']); 56 | const libc_send = new NativeFunction(Module.findExportByName('libc.so', 'send'), 'int', ['int', 'pointer', 'int', 'int']); 57 | const libc_recv = new NativeFunction(Module.findExportByName('libc.so', 'recv'), 'int', ['int', 'pointer', 'int', 'int']); 58 | const libc_close = new NativeFunction(Module.findExportByName('libc.so', 'close'), 'int', ['int']); 59 | const setmovieclip = new NativeFunction(base.add(SET_MOVIE_CLIP), 'void', ['pointer', 'pointer', 'bool']); 60 | const setXY = 0x90460; 61 | const fSetXY = new NativeFunction(base.add(setXY), 'void', ['pointer', 'float', 'float']); 62 | const fRemoveChild = new NativeFunction(base.add(REMOVE_CHILD), 'void', ['pointer', 'pointer']); 63 | 64 | 65 | // logic helpers 66 | const Message = { 67 | _getByteStream: function(message) { 68 | return message.add(8); 69 | }, 70 | _getVersion: function(message) { 71 | return Memory.readInt(message.add(4)); 72 | }, 73 | _setVersion: function(message, version) { 74 | Memory.writeInt(message.add(4), version); 75 | }, 76 | _getMessageType: function(message) { 77 | return (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(20)), 'int', ['pointer']))(message); 78 | }, 79 | _encode: function(message) { 80 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(8)), 'void', ['pointer']))(message); 81 | }, 82 | _decode: function(message) { 83 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(12)), 'void', ['pointer']))(message); 84 | }, 85 | _free: function(message) { 86 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(24)), 'void', ['pointer']))(message); 87 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(4)), 'void', ['pointer']))(message); 88 | } 89 | }; 90 | const ByteStream = { 91 | _getOffset: function(byteStream) { 92 | return Memory.readInt(byteStream.add(16)); 93 | }, 94 | _getByteArray: function(byteStream) { 95 | return Memory.readPointer(byteStream.add(28)); 96 | }, 97 | _setByteArray: function(byteStream, array) { 98 | Memory.writePointer(byteStream.add(28), array); 99 | }, 100 | _getLength: function(byteStream) { 101 | return Memory.readInt(byteStream.add(20)); 102 | }, 103 | _setLength: function(byteStream, length) { 104 | Memory.writeInt(byteStream.add(20), length); 105 | } 106 | }; 107 | const Buffer = { 108 | _getEncodingLength: function(buffer) { 109 | return Memory.readU8(buffer.add(2)) << 16 | Memory.readU8(buffer.add(3)) << 8 | Memory.readU8(buffer.add(4)); 110 | }, 111 | _setEncodingLength: function(buffer, length) { 112 | Memory.writeU8(buffer.add(2), length >> 16 & 0xFF); 113 | Memory.writeU8(buffer.add(3), length >> 8 & 0xFF); 114 | Memory.writeU8(buffer.add(4), length & 0xFF); 115 | }, 116 | _setMessageType: function(buffer, type) { 117 | Memory.writeU8(buffer.add(0), type >> 8 & 0xFF); 118 | Memory.writeU8(buffer.add(1), type & 0xFF); 119 | }, 120 | _getMessageVersion: function(buffer) { 121 | return Memory.readU8(buffer.add(5)) << 8 | Memory.readU8(buffer.add(6)); 122 | }, 123 | _setMessageVersion: function(buffer, version) { 124 | Memory.writeU8(buffer.add(5), version >> 8 & 0xFF); 125 | Memory.writeU8(buffer.add(6), version & 0xFF); 126 | }, 127 | _getMessageType: function(buffer) { 128 | return Memory.readU8(buffer) << 8 | Memory.readU8(buffer.add(1)); 129 | } 130 | }; 131 | const MessageQueue = { 132 | _getCapacity: function(queue) { 133 | return Memory.readInt(queue.add(4)); 134 | }, 135 | _get: function(queue, index) { 136 | return Memory.readPointer(Memory.readPointer(queue).add(POINTER_SIZE * index)); 137 | }, 138 | _set: function(queue, index, message) { 139 | Memory.writePointer(Memory.readPointer(queue).add(POINTER_SIZE * index), message); 140 | }, 141 | _count: function(queue) { 142 | return Memory.readInt(queue.add(8)); 143 | }, 144 | _decrementCount: function(queue) { 145 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) - 1); 146 | }, 147 | _incrementCount: function(queue) { 148 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) + 1); 149 | }, 150 | _getDequeueIndex: function(queue) { 151 | return Memory.readInt(queue.add(12)); 152 | }, 153 | _getEnqueueIndex: function(queue) { 154 | return Memory.readInt(queue.add(16)); 155 | }, 156 | _setDequeueIndex: function(queue, index) { 157 | Memory.writeInt(queue.add(12), index); 158 | }, 159 | _setEnqueueIndex: function(queue, index) { 160 | Memory.writeInt(queue.add(16), index); 161 | }, 162 | _enqueue: function(queue, message) { 163 | pthread_mutex_lock(queue.sub(4)); 164 | var index = MessageQueue._getEnqueueIndex(queue); 165 | MessageQueue._set(queue, index, message); 166 | MessageQueue._setEnqueueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 167 | MessageQueue._incrementCount(queue); 168 | pthread_mutex_unlock(queue.sub(4)); 169 | }, 170 | _dequeue: function(queue) { 171 | var message = null; 172 | pthread_mutex_lock(queue.sub(4)); 173 | if (MessageQueue._count(queue)) { 174 | var index = MessageQueue._getDequeueIndex(queue); 175 | message = MessageQueue._get(queue, index); 176 | MessageQueue._setDequeueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 177 | MessageQueue._decrementCount(queue); 178 | } 179 | pthread_mutex_unlock(queue.sub(4)); 180 | return message; 181 | } 182 | }; 183 | 184 | const HostPatcher = { 185 | init: function() { 186 | Interceptor.attach(Module.findExportByName('libc.so', 'connect'), { 187 | onEnter: function(args) { 188 | if (ntohs(Memory.readU16(args[1].add(2))) === 9339) { 189 | cache.fd = args[0].toInt32(); 190 | var host = Memory.allocUtf8String(HostPatcher.redirectAddress); 191 | Memory.writeInt(args[1].add(4), inet_addr(host)); 192 | Interceptor.revert(Module.findExportByName('libc.so', 'pthread_cond_signal')); 193 | Interceptor.revert(Module.findExportByName('libc.so', 'select')); 194 | Messaging.init(); 195 | } 196 | } 197 | }); 198 | } 199 | }; 200 | 201 | const DebugPatcher = { 202 | enableIsDev: function() { 203 | Interceptor.replace(cache.base.add(IS_PROD), new NativeCallback(function() { 204 | return 0; 205 | }, 'int', [])); 206 | 207 | Interceptor.replace(cache.base.add(IS_DEV), new NativeCallback(function() { 208 | return 1; 209 | }, 'int', [])); 210 | }, 211 | revert: function() { 212 | Interceptor.revert(cache.base.add(IS_PROD)); 213 | Interceptor.revert(cache.base.add(IS_DEV)); 214 | Interceptor.flush(); 215 | } 216 | }; 217 | 218 | const OfflineBattlePatcher = { 219 | init: function() { 220 | OfflineBattlePatcher.startGame = Interceptor.attach(cache.base.add(HOMEPAGE_STARTGAME), { 221 | onEnter(args) { 222 | args[3] = ptr(3); 223 | } 224 | }); 225 | 226 | OfflineBattlePatcher.viewerCountFaker = Interceptor.attach(cache.base.add(ADD_VISION_UPDATE), { 227 | onEnter(args) { 228 | args[1].add(92).writeInt(args[1].add(80).readInt()); 229 | } 230 | }); 231 | }, 232 | deinit: function() { 233 | if (OfflineBattlePatcher.startGame) OfflineBattlePatcher.startGame.detach(); 234 | if (OfflineBattlePatcher.viewerCountFaker) OfflineBattlePatcher.viewerCountFaker.detach(); 235 | } 236 | } 237 | 238 | function getOffsets() { 239 | cache.wakeUpReturnArray = []; 240 | for (var i = 0; i < WAKEUP_RETURN_ARRAY.length; i += 1) { 241 | cache.wakeUpReturnArray.push(cache.base.add(WAKEUP_RETURN_ARRAY[i])); 242 | } 243 | cache.pthreadReturn = cache.base.add(PTHREAD_COND_WAKE_RETURN); 244 | cache.serverConnection = Memory.readPointer(cache.base.add(SERVER_CONNECTION)); 245 | cache.selectReturn = cache.base.add(SELECT_RETURN); 246 | cache.messaging = Memory.readPointer(cache.serverConnection.add(4)); 247 | cache.messageFactory = Memory.readPointer(cache.messaging.add(52)); 248 | cache.recvQueue = cache.messaging.add(60); 249 | cache.sendQueue = cache.messaging.add(84); 250 | cache.state = cache.messaging.add(212); 251 | cache.loginMessagePtr = cache.messaging.add(216); 252 | 253 | cache.newOperator = new NativeFunction(cache.base.add(NEW_OPERATOR), 'pointer', ['int']); 254 | cache.createMessageByType = new NativeFunction(cache.base.add(CREATE_MESSAGE_BY_TYPE), 'pointer', ['pointer', 'int']); 255 | } 256 | 257 | function createStringPtr(message) { 258 | var charPtr = malloc(message.length + 1); 259 | Memory.writeUtf8String(charPtr, message); 260 | return charPtr 261 | } 262 | 263 | function createStringObject(mmmdmskads) { 264 | var land = createStringPtr(mmmdmskads); 265 | let pesocheck = malloc(128); 266 | StringCtor(pesocheck, land); 267 | return pesocheck; 268 | } 269 | 270 | const nextCameraMode = new NativeFunction(base.add(0x1482E0), 'void', []); 271 | 272 | function debug_init(land) { // jejka 273 | let dbutton = malloc(700); 274 | GameButtonCtor(dbutton); 275 | let peskov = fResourceManagerGetMovieClip(createStringPtr("sc/debug.sc"), createStringPtr("debug_button")); 276 | ButtonSetClip(dbutton, peskov, 1); 277 | fSetXY(dbutton, 30, 560); 278 | 279 | fStageDrochild(base.add(stage_offset).readPointer(), dbutton); 280 | fSetText(dbutton, createStringObject("D"), 1); 281 | 282 | let debug = malloc(700); 283 | adudkactor(debug); 284 | let pesok = fResourceManagerGetMovieClip(createStringPtr("sc/debug.sc"), createStringPtr("debug_menu")); 285 | //console.log(pesok.toInt32()); 286 | setmovieclip(debug, pesok, 0); 287 | fSetXY(debug, 800, 0); 288 | fStageDrochild(base.add(stage_offset).readPointer(), debug); 289 | 290 | cache.addGemsButton = malloc(700); 291 | GameButtonCtor(cache.addGemsButton); 292 | 293 | let peschanik = fResourceManagerGetMovieClip(createStringPtr("sc/debug.sc"), createStringPtr("debug_menu_item")); 294 | //console.log(peschanik.toInt32()); 295 | ButtonSetClip(cache.addGemsButton, peschanik, 1); 296 | fSetXY(cache.addGemsButton, 1000, 80); 297 | 298 | let haccers = malloc(700); 299 | GameButtonCtor(haccers); 300 | let peskovik = fResourceManagerGetMovieClip(createStringPtr("sc/debug.sc"), createStringPtr("debug_menu_item")); 301 | ButtonSetClip(haccers, peskovik, 1); 302 | fSetXY(haccers, 1000, 140); 303 | 304 | fStageDrochild(base.add(stage_offset).readPointer(), haccers); 305 | fSetText(haccers, createStringObject("Add Resources"), 1); 306 | 307 | let perdoon = malloc(700); 308 | GameButtonCtor(perdoon); 309 | let danillnull = fResourceManagerGetMovieClip(createStringPtr("sc/debug.sc"), createStringPtr("debug_menu_item")); 310 | ButtonSetClip(perdoon, danillnull, 1); 311 | fSetXY(perdoon, 1000, 200); 312 | 313 | fStageDrochild(base.add(stage_offset).readPointer(), perdoon); 314 | fSetText(perdoon, createStringObject("Maintenance Test Message"), 1); 315 | 316 | let xeontop = malloc(700); 317 | GameButtonCtor(xeontop); 318 | let nullnull = fResourceManagerGetMovieClip(createStringPtr("sc/debug.sc"), createStringPtr("debug_menu_item")); 319 | ButtonSetClip(xeontop, nullnull, 1); 320 | fSetXY(xeontop, 1000, 260); 321 | 322 | fStageDrochild(base.add(stage_offset).readPointer(), xeontop); 323 | fSetText(xeontop, createStringObject("War Map Preview"), 1); 324 | 325 | let dudkaxui = malloc(700); 326 | GameButtonCtor(dudkaxui); 327 | let nullnullnull = fResourceManagerGetMovieClip(createStringPtr("sc/debug.sc"), createStringPtr("debug_menu_item")); 328 | ButtonSetClip(dudkaxui, nullnullnull, 1); 329 | fSetXY(dudkaxui, 1000, 320); 330 | 331 | fStageDrochild(base.add(stage_offset).readPointer(), dudkaxui); 332 | fSetText(dudkaxui, createStringObject("Next Theme"), 1); 333 | 334 | let dudkaxuii = malloc(700); 335 | GameButtonCtor(dudkaxuii); 336 | let nullnullnulll = fResourceManagerGetMovieClip(createStringPtr("sc/debug.sc"), createStringPtr("debug_menu_item")); 337 | ButtonSetClip(dudkaxuii, nullnullnulll, 1); 338 | fSetXY(dudkaxuii, 1000, 380); 339 | 340 | fStageDrochild(base.add(stage_offset).readPointer(), dudkaxuii); 341 | fSetText(dudkaxuii, createStringObject("Next Camera Mode"), 1); 342 | 343 | let dudkaxuiii = malloc(700); 344 | GameButtonCtor(dudkaxuiii); 345 | let nullnullnullll = fResourceManagerGetMovieClip(createStringPtr("sc/debug.sc"), createStringPtr("debug_menu_item")); 346 | ButtonSetClip(dudkaxuiii, nullnullnullll, 1); 347 | fSetXY(dudkaxuiii, 1000, 440); 348 | 349 | fStageDrochild(base.add(stage_offset).readPointer(), dudkaxuiii); 350 | fSetText(dudkaxuiii, createStringObject("Reset Account"), 1); 351 | 352 | let latency = malloc(700); 353 | GameButtonCtor(latency); 354 | let tests = fResourceManagerGetMovieClip(createStringPtr("sc/debug.sc"), createStringPtr("debug_menu_item")); 355 | ButtonSetClip(latency, tests, 1); 356 | fSetXY(latency, 1000, 500); 357 | 358 | fStageDrochild(base.add(stage_offset).readPointer(), latency); 359 | fSetText(latency, createStringObject("Latency Test Request"), 1); 360 | 361 | let perda = malloc(700); 362 | GameButtonCtor(perda); 363 | let danillsuka = fResourceManagerGetMovieClip(createStringPtr("sc/debug.sc"), createStringPtr("debug_menu_button")); 364 | ButtonSetClip(perda, danillsuka, 1); 365 | fSetXY(perda, 915, 20); 366 | 367 | fStageDrochild(base.add(stage_offset).readPointer(), perda); 368 | fSetText(perda, createStringObject("Debug "), 1); 369 | 370 | let perdim = malloc(700); 371 | GameButtonCtor(perdim); 372 | let danillsukai = fResourceManagerGetMovieClip(createStringPtr("sc/debug.sc"), createStringPtr("debug_menu_button")); 373 | ButtonSetClip(perdim, danillsukai, 1); 374 | fSetXY(perdim, 1010, 20); 375 | 376 | fStageDrochild(base.add(stage_offset).readPointer(), perdim); 377 | fSetText(perdim, createStringObject("Menu"), 1); 378 | 379 | fStageDrochild(base.add(stage_offset).readPointer(), cache.addGemsButton); 380 | fSetText(cache.addGemsButton, createStringObject("Add Gems"), 1); 381 | let aopened = true; 382 | cache.buttonInterceptor = Interceptor.attach(base.add(0x360CDC), { 383 | onEnter(args) { 384 | //console.log("jekla"); 385 | if (args[0].toInt32() == cache.addGemsButton.toInt32()) { 386 | //console.log("lol"); 387 | sendCustomMessage(10777); 388 | } 389 | else if (args[0].toInt32() == haccers.toInt32()) { 390 | //console.log("pon"); 391 | sendCustomMessage(10666); 392 | } 393 | else if (args[0].toInt32() == perdoon.toInt32()) { 394 | //console.log("Perdoon Activated"); 395 | sendCustomMessage(22228); 396 | } 397 | else if (args[0].toInt32() == xeontop.toInt32()) { 398 | //console.log("War map 22288828282 Activated"); 399 | sendCustomMessage(10999); 400 | } 401 | else if (args[0].toInt32() == dudkaxui.toInt32()) { 402 | //console.log("ponos"); 403 | sendCustomMessage(10000); 404 | } 405 | else if (args[0].toInt32() == dudkaxuiii.toInt32()) { 406 | //console.log("lol"); 407 | sendCustomMessage(10166); 408 | } 409 | else if (args[0].toInt32() == latency.toInt32()) { 410 | //console.log("vzlom latency"); 411 | sendCustomMessage(10656); 412 | } 413 | else if (args[0].toInt32() == dudkaxuii.toInt32()) { 414 | //console.log("camernik"); 415 | nextCameraMode(); 416 | } 417 | else if (args[0].toInt32() == dbutton.toInt32()) { 418 | //console.log("toggler"); 419 | if (aopened) { 420 | close_debug(); 421 | } 422 | else if (!aopened){ 423 | //console.log("dudka tech!"); 424 | fRemoveChild(base.add(stage_offset).readPointer(), dbutton); 425 | cache.buttonInterceptor.detach(); 426 | debug_init(false); 427 | } 428 | } 429 | } 430 | }); 431 | 432 | function close_debug() { 433 | aopened = false; 434 | 435 | fRemoveChild(base.add(stage_offset).readPointer(), cache.addGemsButton); 436 | fRemoveChild(base.add(stage_offset).readPointer(), debug); 437 | fRemoveChild(base.add(stage_offset).readPointer(), haccers); 438 | fRemoveChild(base.add(stage_offset).readPointer(), perdoon); 439 | fRemoveChild(base.add(stage_offset).readPointer(), perda); 440 | fRemoveChild(base.add(stage_offset).readPointer(), perdim); 441 | fRemoveChild(base.add(stage_offset).readPointer(), xeontop); 442 | fRemoveChild(base.add(stage_offset).readPointer(), dudkaxui); 443 | fRemoveChild(base.add(stage_offset).readPointer(), dudkaxuii); 444 | fRemoveChild(base.add(stage_offset).readPointer(), dudkaxuiii); 445 | fRemoveChild(base.add(stage_offset).readPointer(), latency); 446 | 447 | free(cache.addGemsButton); 448 | free(haccers); 449 | free(perdoon); 450 | free(perda); 451 | free(perdim); 452 | free(xeontop); 453 | free(dudkaxui); 454 | free(dudkaxuii); 455 | free(dudkaxuiii); 456 | free(latency); 457 | free(debug); 458 | } 459 | 460 | if (land) close_debug(); 461 | 462 | } 463 | 464 | function sendCustomMessage(type) { 465 | var messageBuffer = cache.newOperator(7); 466 | Buffer._setEncodingLength(messageBuffer, 0); 467 | Buffer._setMessageType(messageBuffer, type); 468 | Buffer._setMessageVersion(messageBuffer, 0); 469 | libc_send(cache.fd, messageBuffer, 7, 0); 470 | free(messageBuffer); 471 | } 472 | 473 | const addfile = new NativeFunction(base.add(0x25A654), 'void', ['pointer', 'pointer', 'int', 'int', 'int', 'int']); 474 | 475 | function podload() { 476 | var lop = Interceptor.attach(base.add(0x25A654), { 477 | onEnter(args) { 478 | lop.detach(); 479 | addfile(args[0], createStringPtr("sc/debug.sc"), -1, -1, -1, -1); 480 | //console.log("loaded suka"); 481 | } 482 | }); 483 | } 484 | 485 | function fixer() { 486 | let l = Interceptor.attach(Module.findExportByName('libc.so', 'close'), { 487 | onEnter(args) { 488 | if (args[0].toInt32() == cache.fd) { 489 | l.detach(); 490 | //console.log("disconnector322"); 491 | OfflineBattlePatcher.deinit(); 492 | 493 | cache.buttonInterceptor.detach(); 494 | 495 | Interceptor.revert(cache.base.add(ON_RECEIVE)); 496 | DebugPatcher.revert(); 497 | 498 | Interceptor.revert(Module.findExportByName('libc.so', 'pthread_cond_signal')); 499 | Interceptor.revert(Module.findExportByName('libc.so', 'select')); 500 | 501 | Interceptor.flush(); 502 | } 503 | } 504 | }); 505 | } 506 | 507 | const Messaging = { 508 | init: function() { 509 | getOffsets(); 510 | 511 | Messaging.send = function (message) { 512 | Message._encode(message); 513 | var byteStream = Message._getByteStream(message); 514 | var messagePayloadLength = ByteStream._getOffset(byteStream); 515 | var messageBuffer = cache.newOperator(messagePayloadLength + 7); 516 | memmove(messageBuffer.add(7), ByteStream._getByteArray(byteStream), messagePayloadLength); 517 | Buffer._setEncodingLength(messageBuffer, messagePayloadLength); 518 | Buffer._setMessageType(messageBuffer, Message._getMessageType(message)); 519 | Buffer._setMessageVersion(messageBuffer, Message._getVersion(message)); 520 | 521 | if (Message._getMessageType(message) == 10101) { 522 | //console.log("voloski"); 523 | Interceptor.replace(cache.base.add(ON_RECEIVE), new NativeCallback(function(){ 524 | //console.log("tevh"); 525 | }, 'void', [])); 526 | } 527 | 528 | libc_send(cache.fd, messageBuffer, messagePayloadLength + 7, 0); 529 | free(messageBuffer); 530 | //Message._free(message); 531 | } 532 | 533 | Messaging.wakeup = function() { 534 | var message = MessageQueue._dequeue(cache.sendQueue); 535 | while (message) { 536 | var messageType = Message._getMessageType(message); 537 | if (messageType === 10100) { 538 | message = Memory.readPointer(cache.loginMessagePtr); 539 | Memory.writePointer(cache.loginMessagePtr, ptr(0)); 540 | } 541 | Messaging.send(message); 542 | message = MessageQueue._dequeue(cache.sendQueue); 543 | } 544 | } 545 | 546 | Messaging.onReceive = function() { 547 | var headerBuffer = cache.newOperator(7); 548 | var r = libc_recv(cache.fd, headerBuffer, 7, 256); 549 | 550 | if (r == 0) { 551 | //console.log("disconnected tcc"); 552 | 553 | OfflineBattlePatcher.deinit(); 554 | 555 | Interceptor.revert(cache.base.add(ON_RECEIVE)); 556 | DebugPatcher.revert(); 557 | 558 | Interceptor.revert(Module.findExportByName('libc.so', 'pthread_cond_signal')); 559 | Interceptor.revert(Module.findExportByName('libc.so', 'select')); 560 | 561 | Interceptor.flush(); 562 | 563 | libc_close(cache.fd); 564 | 565 | return; 566 | } 567 | 568 | var messageType = Buffer._getMessageType(headerBuffer); 569 | if (messageType === 20104) { 570 | Memory.writeInt(cache.state, 5); 571 | fixer(); 572 | DebugPatcher.enableIsDev(); 573 | OfflineBattlePatcher.init(); 574 | } 575 | else if (messageType === 28282) { 576 | debug_init(true); 577 | //console.log("Dev Account DETECTED! Debug Menu called"); 578 | } 579 | var payloadLength = Buffer._getEncodingLength(headerBuffer); 580 | var messageVersion = Buffer._getMessageVersion(headerBuffer); 581 | free(headerBuffer); 582 | var messageBuffer = cache.newOperator(payloadLength); 583 | libc_recv(cache.fd, messageBuffer, payloadLength, 256); 584 | var message = cache.createMessageByType(cache.messageFactory, messageType); 585 | Message._setVersion(message, messageVersion); 586 | var byteStream = Message._getByteStream(message); 587 | ByteStream._setLength(byteStream, payloadLength); 588 | if (payloadLength) { 589 | var byteArray = cache.newOperator(payloadLength); 590 | memmove(byteArray, messageBuffer, payloadLength); 591 | ByteStream._setByteArray(byteStream, byteArray); 592 | } 593 | Message._decode(message); 594 | // logMessage(message); 595 | MessageQueue._enqueue(cache.recvQueue, message); 596 | free(messageBuffer); 597 | } 598 | 599 | Interceptor.replace(Module.findExportByName('libc.so', 'pthread_cond_signal'), new NativeCallback(function(a1) { 600 | if(!this.returnAddress.equals(cache.pthreadReturn)) { 601 | return pthread_cond_signal(a1); 602 | } 603 | var sp4 = Memory.readPointer(this.context.sp.add(4)); 604 | for (var i = 0; i < cache.wakeUpReturnArray.length; i += 1) { 605 | if (sp4.equals(cache.wakeUpReturnArray[i])) { 606 | Messaging.wakeup(); 607 | return 0; 608 | } 609 | } 610 | return pthread_cond_signal(a1); 611 | }, 'int', ['pointer'])); 612 | 613 | Interceptor.replace(Module.findExportByName('libc.so', 'select'), new NativeCallback(function(nfds, readfds, writefds, exceptfds, timeout) { 614 | var r = select(nfds, readfds, writefds, exceptfds, timeout); 615 | if (this.returnAddress.equals(cache.selectReturn)) { 616 | Messaging.onReceive(); 617 | } 618 | return r; 619 | }, 'int', ['int', 'pointer', 'pointer', 'pointer', 'pointer'])); 620 | } 621 | }; 622 | 623 | // startup 624 | rpc.exports = { 625 | init: function(stage, options) { 626 | Interceptor.detachAll(); 627 | cache.base = Process.findModuleByName('libg.so').base; 628 | HostPatcher.redirectAddress = "127.0.0.1" // ip here 629 | HostPatcher.init(); 630 | podload(); 631 | } 632 | }; 633 | -------------------------------------------------------------------------------- /libcorescript.js: -------------------------------------------------------------------------------- 1 | const base = Module.findBaseAddress("libg.so"); 2 | const readPtr = Module.findExportByName('libc.so', 'read'); 3 | 4 | 5 | const connect = Interceptor.attach(Module.findExportByName(null, 'getaddrinfo'), { 6 | onEnter: function(args) { 7 | this.path = args[0].readUtf8String(); 8 | if (this.path === base.add(0x055AD86).readUtf8String()) { 9 | this.z = args[0] = Memory.allocUtf8String("127.0.0.1"); 10 | } 11 | } 12 | }); 13 | 14 | var buf; 15 | var check = 0; 16 | 17 | const reader = Interceptor.attach(readPtr, { 18 | onEnter: function(args) { 19 | if(args[2] == 32) { 20 | check = 1; 21 | buf = args[1]; 22 | } 23 | }, 24 | onLeave: function(args) { 25 | if(check == 1) { 26 | Memory.writeByteArray(buf, [0xBB, 0x14, 0xD6, 0xFD, 0x2B, 0x7C, 0x98, 0x23, 0xEA, 0xED, 0xB4, 0x33, 0x8C, 0xB7, 0x23, 0x7F, 0x61, 0xE4, 0x22, 0xD2, 0x3C, 0x49, 0x77, 0xF7, 0x4A, 0xDA, 0x05, 0x27, 0x02, 0xC0, 0xC6, 0x2D]); 27 | check = 0; 28 | } 29 | } 30 | }); 31 | -------------------------------------------------------------------------------- /libmrvitalik.script.js: -------------------------------------------------------------------------------- 1 | var cache = { 2 | modules: {}, 3 | options: {} 4 | }; 5 | 6 | const base = Module.findBaseAddress("libg.so"); 7 | const readPtr = Module.findExportByName('libc.so', 'read'); 8 | const ntohs = new NativeFunction(Module.findExportByName('libc.so', 'ntohs'), 'uint16', ['uint16']); 9 | const inet_addr = new NativeFunction(Module.findExportByName('libc.so', 'inet_addr'), 'int', ['pointer']); 10 | 11 | function setup() { 12 | Interceptor.attach(Module.findExportByName('libc.so', 'connect'), { 13 | onEnter: function(args) { 14 | if (ntohs(Memory.readU16(args[1].add(2))) === 9339) { 15 | var host = Memory.allocUtf8String(cache.options.redirectHost); 16 | Memory.writeInt(args[1].add(4), inet_addr(host)); 17 | } 18 | } 19 | }); 20 | 21 | var buf; 22 | var check = 0; 23 | var lfd; 24 | 25 | const openf = Interceptor.attach(Module.findExportByName("libc.so", "open"), { 26 | onEnter: function(args) { 27 | this.r = (Memory.readUtf8String(args[0]) == "/dev/urandom"); 28 | }, 29 | onLeave: function(retval) { 30 | if(this.r) { 31 | lfd = retval.toInt32(); 32 | } 33 | } 34 | }); 35 | 36 | const reader = Interceptor.attach(readPtr, { 37 | onEnter: function(args) { 38 | if(lfd == args[0].toInt32() && args[2] == 32) { 39 | check = 1; 40 | buf = args[1]; 41 | } 42 | }, 43 | onLeave: function(args) { 44 | if(check == 1) { 45 | Memory.writeByteArray(buf, [0xBB, 0x14, 0xD6, 0xFD, 0x2B, 0x7C, 0x98, 0x23, 0xEA, 0xED, 0xB4, 0x33, 0x8C, 0xB7, 0x23, 0x7F, 0x61, 0xE4, 0x22, 0xD2, 0x3C, 0x49, 0x77, 0xF7, 0x4A, 0xDA, 0x05, 0x27, 0x02, 0xC0, 0xC6, 0x2D]); 46 | check = 0; 47 | } 48 | } 49 | }); 50 | } 51 | 52 | rpc.exports = { 53 | init: function(stage, options) { 54 | cache.options = options || {}; 55 | setup(); 56 | } 57 | }; 58 | -------------------------------------------------------------------------------- /libsctest.js: -------------------------------------------------------------------------------- 1 | // global cache 2 | var cache = { 3 | modules: {}, 4 | options: {} 5 | }; 6 | 7 | // global constants //TODO: update addresses! 8 | var SERVER_CONNECTION = 0xC86D10; //found by "Locale is null, needed by GameSCIDManag" UPDATED! 9 | var PTHREAD_COND_WAKE_RETURN = 0x80E5A2 + 8 + 1; 10 | var CREATE_MESSAGE_BY_TYPE = 0x4A7EE4; 11 | var POINTER_SIZE = 4; 12 | 13 | // global lib calls 14 | var malloc = new NativeFunction(Module.findExportByName('libc.so', 'malloc'), 'pointer', ['int']); 15 | var free = new NativeFunction(Module.findExportByName('libc.so', 'free'), 'void', ['pointer']); 16 | var pthread_mutex_lock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_lock'), 'int', ['pointer']); 17 | var pthread_mutex_unlock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_unlock'), 'int', ['pointer']); 18 | var pthread_cond_signal = new NativeFunction(Module.findExportByName('libc.so', 'pthread_cond_signal'), 'int', ['pointer']); 19 | var select = new NativeFunction(Module.findExportByName('libc.so', 'select'), 'int', ['int', 'pointer', 'pointer', 'pointer', 'pointer']); 20 | var memmove = new NativeFunction(Module.findExportByName('libc.so', 'memmove'), 'pointer', ['pointer', 'pointer', 'int']); 21 | var ntohs = new NativeFunction(Module.findExportByName('libc.so', 'ntohs'), 'uint16', ['uint16']); 22 | var inet_addr = new NativeFunction(Module.findExportByName('libc.so', 'inet_addr'), 'int', ['pointer']); 23 | var libc_send = new NativeFunction(Module.findExportByName('libc.so', 'send'), 'int', ['int', 'pointer', 'int', 'int']); 24 | var libc_recv = new NativeFunction(Module.findExportByName('libc.so', 'recv'), 'int', ['int', 'pointer', 'int', 'int']); 25 | 26 | // injection method 27 | function onLoad(name, callback) { 28 | Java.perform(function() { 29 | var System = Java.use('java.lang.System'); 30 | var Runtime = Java.use('java.lang.Runtime'); 31 | var SystemLoad_2 = System.loadLibrary.overload('java.lang.String'); 32 | var VMStack = Java.use('dalvik.system.VMStack'); 33 | SystemLoad_2.implementation = function(library) { 34 | try { 35 | if (Runtime.getRuntime().loadLibrary0) { 36 | Runtime.getRuntime().loadLibrary0(VMStack.getCallingClassLoader(), library); 37 | } else { 38 | Runtime.getRuntime().loadLibrary(library, VMStack.getCallingClassLoader()); 39 | } 40 | if(name === 'lib' + library + '.so') { 41 | callback(); 42 | } 43 | } catch(error) { 44 | } 45 | }; 46 | }); 47 | } 48 | 49 | // logic helpers 50 | var Message = { 51 | _getByteStream: function(message) { 52 | return message.add(8); 53 | }, 54 | _getVersion: function(message) { 55 | return Memory.readInt(message.add(4)); 56 | }, 57 | _setVersion: function(message, version) { 58 | Memory.writeInt(message.add(4), version); 59 | }, 60 | _getMessageType: function(message) { 61 | return (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(20)), 'int', ['pointer']))(message); 62 | }, 63 | _encode: function(message) { 64 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(8)), 'void', ['pointer']))(message); 65 | }, 66 | _decode: function(message) { 67 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(12)), 'void', ['pointer']))(message); 68 | }, 69 | _free: function(message) { 70 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(24)), 'void', ['pointer']))(message); 71 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(4)), 'void', ['pointer']))(message); 72 | } 73 | }; 74 | var ByteStream = { 75 | _getOffset: function(byteStream) { 76 | return Memory.readInt(byteStream.add(16)); 77 | }, 78 | _getByteArray: function(byteStream) { 79 | return Memory.readPointer(byteStream.add(28)); 80 | }, 81 | _setByteArray: function(byteStream, array) { 82 | Memory.writePointer(byteStream.add(28), array); 83 | }, 84 | _getLength: function(byteStream) { 85 | return Memory.readInt(byteStream.add(20)); 86 | }, 87 | _setLength: function(byteStream, length) { 88 | Memory.writeInt(byteStream.add(20), length); 89 | } 90 | }; 91 | var Buffer = { 92 | _getEncodingLength: function(buffer) { 93 | return Memory.readU8(buffer.add(2)) << 16 | Memory.readU8(buffer.add(3)) << 8 | Memory.readU8(buffer.add(4)); 94 | }, 95 | _setEncodingLength: function(buffer, length) { 96 | Memory.writeU8(buffer.add(2), length >> 16 & 0xFF); 97 | Memory.writeU8(buffer.add(3), length >> 8 & 0xFF); 98 | Memory.writeU8(buffer.add(4), length & 0xFF); 99 | }, 100 | _setMessageType: function(buffer, type) { 101 | Memory.writeU8(buffer.add(0), type >> 8 & 0xFF); 102 | Memory.writeU8(buffer.add(1), type & 0xFF); 103 | }, 104 | _getMessageVersion: function(buffer) { 105 | return Memory.readU8(buffer.add(5)) << 8 | Memory.readU8(buffer.add(6)); 106 | }, 107 | _setMessageVersion: function(buffer, version) { 108 | Memory.writeU8(buffer.add(5), version >> 8 & 0xFF); 109 | Memory.writeU8(buffer.add(6), version & 0xFF); 110 | }, 111 | _getMessageType: function(buffer) { 112 | return Memory.readU8(buffer) << 8 | Memory.readU8(buffer.add(1)); 113 | } 114 | }; 115 | var MessageQueue = { 116 | _getCapacity: function(queue) { 117 | return Memory.readInt(queue.add(4)); 118 | }, 119 | _get: function(queue, index) { 120 | return Memory.readPointer(Memory.readPointer(queue).add(POINTER_SIZE * index)); 121 | }, 122 | _set: function(queue, index, message) { 123 | Memory.writePointer(Memory.readPointer(queue).add(POINTER_SIZE * index), message); 124 | }, 125 | _count: function(queue) { 126 | return Memory.readInt(queue.add(8)); 127 | }, 128 | _decrementCount: function(queue) { 129 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) - 1); 130 | }, 131 | _incrementCount: function(queue) { 132 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) + 1); 133 | }, 134 | _getDequeueIndex: function(queue) { 135 | return Memory.readInt(queue.add(12)); 136 | }, 137 | _getEnqueueIndex: function(queue) { 138 | return Memory.readInt(queue.add(16)); 139 | }, 140 | _setDequeueIndex: function(queue, index) { 141 | Memory.writeInt(queue.add(12), index); 142 | }, 143 | _setEnqueueIndex: function(queue, index) { 144 | Memory.writeInt(queue.add(16), index); 145 | }, 146 | _enqueue: function(queue, message) { 147 | pthread_mutex_lock(queue.sub(4)); 148 | var index = MessageQueue._getEnqueueIndex(queue); 149 | MessageQueue._set(queue, index, message); 150 | MessageQueue._setEnqueueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 151 | MessageQueue._incrementCount(queue); 152 | pthread_mutex_unlock(queue.sub(4)); 153 | }, 154 | _dequeue: function(queue) { 155 | var message = null; 156 | pthread_mutex_lock(queue.sub(4)); 157 | if (MessageQueue._count(queue)) { 158 | var index = MessageQueue._getDequeueIndex(queue); 159 | message = MessageQueue._get(queue, index); 160 | MessageQueue._setDequeueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 161 | MessageQueue._decrementCount(queue); 162 | } 163 | pthread_mutex_unlock(queue.sub(4)); 164 | return message; 165 | } 166 | }; 167 | 168 | // hooks 169 | function setup() { 170 | Interceptor.attach(Module.findExportByName('libc.so', 'connect'), { 171 | onEnter: function(args) { 172 | if (ntohs(Memory.readU16(args[1].add(2))) === 9339) { 173 | cache.fd = args[0].toInt32(); 174 | if (cache.options.redirectHost) { 175 | var host = Memory.allocUtf8String(cache.options.redirectHost); 176 | Memory.writeInt(args[1].add(4), inet_addr(host)); 177 | } 178 | setupMessaging(); 179 | hacksupermod() 180 | } 181 | } 182 | }); 183 | } 184 | 185 | function hacksupermod() { 186 | const base = Module.findBaseAddress('lib39285EFA.so'); 187 | Interceptor.replace(base.add(0x000C0D0), new NativeCallback(function(a) { 188 | return 0; 189 | }, 'int', ['int'])); 190 | } 191 | 192 | function setupMessaging() { 193 | cache.pthreadReturn = cache.base.add(PTHREAD_COND_WAKE_RETURN); 194 | cache.serverConnection = Memory.readPointer(cache.base.add(SERVER_CONNECTION)); 195 | cache.messaging = Memory.readPointer(cache.serverConnection.add(4)); 196 | cache.messageFactory = Memory.readPointer(cache.messaging.add(52)); 197 | cache.recvQueue = cache.messaging.add(60); 198 | cache.sendQueue = cache.messaging.add(84); 199 | cache.state = cache.messaging.add(208); 200 | cache.loginMessagePtr = cache.messaging.add(212); 201 | 202 | cache.createMessageByType = new NativeFunction(cache.base.add(CREATE_MESSAGE_BY_TYPE), 'pointer', ['pointer', 'int']); 203 | 204 | cache.sendMessage = function (message) { 205 | Message._encode(message); 206 | var byteStream = Message._getByteStream(message); 207 | var messagePayloadLength = ByteStream._getOffset(byteStream); 208 | var messageBuffer = malloc(messagePayloadLength + 7); 209 | memmove(messageBuffer.add(7), ByteStream._getByteArray(byteStream), messagePayloadLength); 210 | Buffer._setEncodingLength(messageBuffer, messagePayloadLength); 211 | Buffer._setMessageType(messageBuffer, Message._getMessageType(message)); 212 | Buffer._setMessageVersion(messageBuffer, Message._getVersion(message)); 213 | libc_send(cache.fd, messageBuffer, messagePayloadLength + 7, 0); 214 | free(messageBuffer); 215 | //Message._free(message); 216 | }; 217 | 218 | function onWakeup() { 219 | //console.log(cache.sendQueue); 220 | var message = MessageQueue._dequeue(cache.sendQueue); 221 | while (message) { 222 | var messageType = Message._getMessageType(message); 223 | if (messageType === 10100) { 224 | message = Memory.readPointer(cache.loginMessagePtr); 225 | Memory.writePointer(cache.loginMessagePtr, ptr(0)); 226 | } 227 | if (messageType == 14109) { 228 | var qbase = Module.findBaseAddress('lib39285EFA.so'); 229 | var offlinebattlector = new NativeFunction(qbase.add(0x6FF4), 'int', []); 230 | offlinebattlector(); 231 | } 232 | cache.sendMessage(message); 233 | message = MessageQueue._dequeue(cache.sendQueue); 234 | } 235 | } 236 | 237 | function onReceive() { 238 | var headerBuffer = malloc(7); 239 | libc_recv(cache.fd, headerBuffer, 7, 256); 240 | var messageType = Buffer._getMessageType(headerBuffer); 241 | if (messageType === 20104) { //LoginOk 242 | Memory.writeInt(cache.state, 5); 243 | } 244 | var payloadLength = Buffer._getEncodingLength(headerBuffer); 245 | var messageVersion = Buffer._getMessageVersion(headerBuffer); 246 | free(headerBuffer); 247 | var messageBuffer = malloc(payloadLength); 248 | libc_recv(cache.fd, messageBuffer, payloadLength, 256); 249 | var message = cache.createMessageByType(cache.messageFactory, messageType); 250 | Message._setVersion(message, messageVersion); 251 | var byteStream = Message._getByteStream(message); 252 | ByteStream._setLength(byteStream, payloadLength); 253 | if (payloadLength) { 254 | var byteArray = malloc(payloadLength); 255 | memmove(byteArray, messageBuffer, payloadLength); 256 | ByteStream._setByteArray(byteStream, byteArray); 257 | } 258 | Message._decode(message); 259 | // logMessage(message); 260 | MessageQueue._enqueue(cache.recvQueue, message); 261 | free(messageBuffer); 262 | } 263 | 264 | Interceptor.attach(Module.findExportByName('libc.so', 'pthread_cond_signal'), { 265 | onEnter: function(args) { 266 | onWakeup(); 267 | } 268 | }); 269 | 270 | Interceptor.attach(Module.findExportByName('libc.so', 'select'), { 271 | onEnter: function(args) { 272 | onReceive(); 273 | } 274 | }); 275 | } 276 | 277 | // startup 278 | rpc.exports = { 279 | init: function(stage, options) { 280 | cache.options = options || {}; 281 | onLoad('libg.so', function() { 282 | Interceptor.detachAll(); 283 | cache.base = Process.findModuleByName('libg.so').base; 284 | setup(); 285 | }); 286 | } 287 | }; 288 | -------------------------------------------------------------------------------- /retrobrawl.script.js: -------------------------------------------------------------------------------- 1 | //this is a script written entirely by me from scratch. Since RetroBrawl team decided to kick me out, I decided to make this script open source. 2 | 3 | var cache = { 4 | modules: {}, 5 | options: {} 6 | }; 7 | 8 | var csvFiles = [ 9 | "csv_logic/cards.csv", 10 | "csv_logic/characters.csv", 11 | "csv_logic/skills.csv", 12 | "csv_logic/projectiles.csv", 13 | "csv_logic/area_effects.csv", 14 | "csv_logic/items.csv", 15 | "csv_logic/maps.csv", 16 | "csv_logic/skins.csv", 17 | "csv_logic/tiles.csv" 18 | ]; 19 | 20 | const base = Module.findBaseAddress('libg.so'); 21 | const readPtr = Module.findExportByName('libc.so', 'read'); 22 | const malloc = new NativeFunction(Module.findExportByName('libc.so', 'malloc'), 'pointer', ['int']); 23 | const ntohs = new NativeFunction(Module.findExportByName('libc.so', 'ntohs'), 'uint16', ['uint16']); 24 | const inet_addr = new NativeFunction(Module.findExportByName('libc.so', 'inet_addr'), 'int', ['pointer']); 25 | const fopen = new NativeFunction(Module.findExportByName('libc.so', 'fopen'), 'pointer', ['pointer', 'pointer']); 26 | 27 | var wait = false; 28 | var ServerConnection = base.add(0x7D2B88).readU8(); 29 | 30 | 31 | function init() { 32 | checkPackageName('com.devbs.retrobrawl'); 33 | checkSignature('308203673082024fa00302010202043bc36e87300d06092a864886f70d01010b050030643110300e0603550406130730303030303030310f300d06035504081306527573736961310f300d060355040713064d6f73636f77310e300c060355040a13054465564273310e300c060355040b13054465564273310e300c060355040313054465564273301e170d3231303232373139323832355a170d3438303731353139323832355a30643110300e0603550406130730303030303030310f300d06035504081306527573736961310f300d060355040713064d6f73636f77310e300c060355040a13054465564273310e300c060355040b13054465564273310e300c06035504031305446556427330820122300d06092a864886f70d01010105000382010f003082010a0282010100dd6e1ff1176cc170409faa72c43bfb89619af888c5899a5bce12a61444e841f0853c971bd0f5d2a1b6c1748e59cb46c6abec1dcacda8efa8488d60a4f8332873019644d810673b14118946b1bc2789a78108070af91b9b39693ba1753b64b3f815c5b615121f67c1ba8aa33de6c7ac0204e216d08438b78c645211408bbf53e5a60adcb31040a81ad401e4278c6fefcf5bdd62226ca975ba84ce66d7176f1d2b3a45fd4c2d15c2862a4f599c51492078534cb800ffd306dd01c6dbf69787a0092023df9596114e760a0890ec07d6f98b19c9eb1f58395f2361d924eee867d966eb933994c7fd09faeb0e4d214942709d1954b470bf7fdf22107dbcc9397f65490203010001a321301f301d0603551d0e04160414225e45a50e9ef8f53caf2841353f848a300b42e3300d06092a864886f70d01010b05000382010100890bd66cab965264a5528042f884fb8ab67739c033deb52f2b7f04d2422f17c8f18d466e81c5099cb9739c247133ec6775ca02aa6a4d953e0c702a02d4270e21e4c36853a831a37327cafbdb21de53a4171c8ab95b564a1f27b823e67002abe09124a5075ce96727ecc8492a4ebba0f24daacd41c2068576d75d01f143176afd330e091b09ac737516827896d303e7cf8126bfb508e5ce4137276f03311c1792f83ce1c20b17e30374c0c2f7fe6cbad5f252c047464989c4e0180c57ad7ffdf9de6dea54997df7321384da775c7772eb3e2a6385674b264ba38d54ec5f1ad75f44655cea5180eb735fa43002f2cef2f2f34c94e79a40c43edb0a86de751f3fea'); 34 | checkFilesInUpdate(); 35 | setKeyVersion(7); 36 | toast('Private server created by RetroBrawl team.\nVK: https://vk.com/retro_brawl'); 37 | connect(); 38 | replaceKey(); 39 | fixer(); 40 | } 41 | 42 | function checkPackageName(packageName) { 43 | if (getPackageName() != packageName) { 44 | exit(); 45 | } 46 | } 47 | 48 | function getPackageName() { 49 | var packagename = ''; 50 | Java.perform(function(argument) { 51 | var context = Java.use('android.app.ActivityThread').currentApplication().getApplicationContext(); 52 | packagename = context.getPackageName(); 53 | }); 54 | return packagename; 55 | } 56 | 57 | function setKeyVersion(version) { 58 | base.add(0x60DD88).writeU16(version); 59 | } 60 | 61 | function getSignature() { 62 | var signature = ''; 63 | Java.perform(function() { 64 | var context = Java.use('android.app.ActivityThread').currentApplication().getApplicationContext(); 65 | var packageInfo = context.getPackageManager().getPackageInfo(getPackageName(), 64).signatures.value[0].toCharsString(); 66 | signature = packageInfo; 67 | }); 68 | return signature; 69 | } 70 | 71 | function checkSignature(signature) { 72 | if (getSignature() != signature) { 73 | exit(); 74 | } 75 | } 76 | 77 | function checkFilesInUpdate() { 78 | for (var i = 0; i < csvFiles.length; i++) { 79 | var path = '/data/data/' + getPackageName() + '/update/' + csvFiles[i]; 80 | var pFile = fopen(createStringPtrFromJSString(path), createStringPtrFromJSString("rb")); 81 | if (pFile.toInt32() != 0) { 82 | exit(); 83 | } 84 | } 85 | } 86 | 87 | function exit() { 88 | Java.scheduleOnMainThread(() => { 89 | Java.use("java.lang.System").exit(0); 90 | }); 91 | }; 92 | 93 | function toast(toastText) { 94 | Java.perform(function() { 95 | var context = Java.use('android.app.ActivityThread').currentApplication().getApplicationContext(); 96 | 97 | Java.scheduleOnMainThread(function() { 98 | var toast = Java.use("android.widget.Toast"); 99 | toast.makeText(context, Java.use("java.lang.String").$new(toastText), 1).show(); 100 | }); 101 | }); 102 | } 103 | 104 | function connect() { 105 | Interceptor.attach(Module.findExportByName(null, 'getaddrinfo'), { 106 | onEnter: function (args) { 107 | this.path = args[0].readUtf8String(); 108 | if (this.path === 'game.brawlstarsgame.com') { 109 | this.z = args[0] = Memory.allocUtf8String(cache.options.redirectHost); 110 | } 111 | } 112 | }); 113 | } 114 | 115 | function replaceKey() { 116 | var buf; 117 | var check = 0; 118 | 119 | const reader = Interceptor.attach(readPtr, { 120 | onEnter: function(args) { 121 | if(this.returnAddress.equals(base.add(0x1715B0)) && args[2] == 32) { 122 | check = 1; 123 | buf = args[1]; 124 | } 125 | }, 126 | onLeave: function(args) { 127 | if(check == 1) { 128 | Memory.writeByteArray(buf, [0x85, 0x98, 0x0a, 0xb6, 0x07, 0x5c, 0xc1, 0x97, 0xab, 0x8d, 0xe0, 0xfa, 0xba, 0x3c, 0x69, 0x96, 0x82, 0xb4, 0x59, 0x97, 0x93, 0x65, 0x43, 0x51, 0x44, 0x48, 0x2f, 0x5e, 0xba, 0xe8, 0x21, 0x45]); 129 | check = 0; 130 | } 131 | } 132 | }); 133 | } 134 | 135 | function fixer() { 136 | Interceptor.attach(Module.findExportByName("libg.so", "glEnable"), { 137 | onEnter: function(args) { 138 | if (this.returnAddress.equals(base.add(0x1cce2c)) && wait !== true) { 139 | wait = true; 140 | checkFilesInUpdate(); 141 | checkServerConnection() 142 | fixProfile(); 143 | } 144 | } 145 | }); 146 | } 147 | 148 | function fixProfile() { 149 | Interceptor.replace(base.add(0x24DB58), new NativeCallback(function(a1) { 150 | return null; 151 | }, "pointer", ["pointer"])); 152 | } 153 | 154 | function checkServerConnection() { 155 | var serverConnectionUpdate = Interceptor.attach(base.add(0x21167C), { 156 | onEnter: function(args) { 157 | ServerConnection = base.add(0x7D2B88).readU8(); 158 | if (ServerConnection === 0) { 159 | wait = false; 160 | checkFilesInUpdate(); 161 | serverConnectionUpdate.detach(); 162 | Interceptor.revert(base.add(0x24DB58)); 163 | } 164 | } 165 | }); 166 | } 167 | 168 | function createStringPtrFromJSString(message) { 169 | var charPtr = malloc(message.length + 1); 170 | Memory.writeUtf8String(charPtr, message); 171 | return charPtr 172 | } 173 | 174 | rpc.exports = { 175 | init: function(stage, options) { 176 | cache.options.redirectHost = 'retrobrawl.devbs.xyz'; 177 | init(); 178 | } 179 | }; 180 | -------------------------------------------------------------------------------- /v13 online battle.js: -------------------------------------------------------------------------------- 1 | // Processing, please wait... 2 | function fn_1() { 3 | function fn_3() { 4 | function fn_5() { 5 | if (!!n[arg0]) goto`l_145` 6 | label`l_9` 7 | if (!!e[arg0]) goto`l_95` 8 | label`l_15` 9 | if (!"function" == typeof require) goto`l_35` 10 | label`l_30` 11 | "function" == typeof require 12 | c = require; 13 | if (!!arg1) goto`l_50` 14 | label`l_41` 15 | if (!c) goto`l_50` 16 | label`l_44` 17 | return c(arg0, !0); 18 | if (!u) goto`l_60` 19 | label`l_54` 20 | return u(arg0, !0); 21 | a = new Error("Cannot find module '" + arg0 + "'"); 22 | a.code = "MODULE_NOT_FOUND"; 23 | throw a; 24 | } 25 | o = fn_5; 26 | if (!"function" == typeof require) goto`l_23` 27 | label`l_18` 28 | "function" == typeof require 29 | u = require; 30 | i = 0; 31 | if (!i < arg2.length) goto`l_42` 32 | label`l_33` 33 | o(arg2[i]) 34 | i++; 35 | goto`l_26` 36 | label`l_43` 37 | return o; 38 | } 39 | r = fn_3; 40 | return r; 41 | } 42 | function fn_7() { 43 | function fn_9() { 44 | _0x1455ca["add"](6466788)["writeU16"](arg0); 45 | } 46 | _0x59c477 = fn_9; 47 | function fn_11() { 48 | _0x47acd2 = _0x458dd8(arg0["length"] + 1); 49 | Memory["writeUtf8String"](_0x47acd2, arg0) 50 | return _0x47acd2; 51 | } 52 | _0x3fd494 = fn_11; 53 | function fn_13() { 54 | function fn_15() { 55 | if (!Memory["readUtf8String"](arg0) === "game.brawlstarsgame.com") goto`l_61` 56 | label`l_24` 57 | Memory["readUtf8String"](arg0) === "game.brawlstarsgame.com" 58 | arg0 = Memory["allocUtf8String"](_0x2cb4d9); 59 | console["log"]("game.brawlstarsgame.com replate to retro.royalegame.win") 60 | return _0x5b493d(arg0, arg1, arg2, arg3); 61 | } 62 | Interceptor["replace"](Module["findExportByName"]("libc.so", "getaddrinfo"), new NativeCallback(fn_15, "int", ["pointer", "pointer", "pointer", "pointer"])); 63 | } 64 | _0x1548cd = fn_13; 65 | function fn_17() { 66 | _0x2dc574 = _0x1455ca["add"](9879600)["readPointer"](); 67 | _0xbffe62 = _0x2dc574["add"](44)["readPointer"](); 68 | _0x578d3e = _0x458dd8(20); 69 | _0x5a5381 = _0x458dd8(20); 70 | _0x47e758(_0x578d3e, _0x3fd494("Url")) 71 | _0x47e758(_0x5a5381, _0x3fd494("https://connect.nulls.gg/")) 72 | _0x316977(_0xbffe62, _0x578d3e, _0x5a5381); 73 | } 74 | _0x3a2b32 = fn_17; 75 | function fn_19() { 76 | function onEnter() { 77 | this = this; 78 | if (!this["returnAddress"]["sub"](_0x1455ca) == 4696876) goto`l_43` 79 | label`l_30` 80 | this["returnAddress"]["sub"](_0x1455ca) == 4696876 81 | _0x30dd28["detach"]() 82 | _0x3a2b32(); 83 | } 84 | {}.onEnter = onEnter; 85 | _0x30dd28 = Interceptor["attach"](_0x1455ca["add"](246452), {}); 86 | } 87 | _0x5358ca = fn_19; 88 | function fn_23() { 89 | function onEnter() { 90 | Interceptor["detachAll"]() 91 | _0x5e5803(); 92 | } 93 | {}.onEnter = onEnter; 94 | Interceptor["attach"](_0x1455ca["add"](2624988), {}); 95 | } 96 | _0x1c9d52 = fn_23; 97 | function fn_27() { 98 | _0x59c477(7) 99 | _0x1455ca["add"](9919268)["writeU8"](1) 100 | function onEnter() { 101 | if (!_0x48b3fa(arg0[1]["add"](2)["readU16"]()) === 9339) goto`l_64` 102 | label`l_33` 103 | arg0[1]["add"](2)["writeU16"](_0x48b3fa(_0x4acf90)) 104 | goto`l_72` 105 | label`l_65` 106 | if !_0x48b3fa(arg0[1]["add"](2)["readU16"]()) === _0x4acf90) goto`l_72` 107 | label`l_72` 108 | _0x48b3fa(arg0[1]["add"](2)["readU16"]()); 109 | return; 110 | label`l_73` 111 | _0x48b3fa(arg0[1]["add"](2)["readU16"]()) 112 | function onEnter() { 113 | this = this; 114 | "key"."key" = arg0[0]; 115 | this; 116 | } 117 | {}.onEnter = onEnter; 118 | function onLeave() { 119 | this = this; 120 | _0x30d3a3["detach"]() 121 | this["key"]["writeByteArray"]([139, 94, 37, 171, 218, 27, 155, 208, 10, 22, 89, 202, 230, 84, 241, 96, 208, 235, 207, 12, 163, 119, 132, 75, 193, 228, 27, 103, 127, 34, 183, 125]); 122 | } 123 | {}.onLeave = onLeave; 124 | _0x30d3a3 = Interceptor["attach"](_0x1455ca["add"](1409880), {}); 125 | _0x510483["detach"]() 126 | function onEnter() { 127 | this = this; 128 | if (!this["returnAddress"]["sub"](_0x1455ca) == 366228) goto`l_134` 129 | label`l_29` 130 | _0x498fca["detach"]() 131 | _0x1c9d52() 132 | _0x22fa4b = new NativeFunction(Module["findExportByName"]("libc.so", "pthread_join"), "int", ["pointer", "pointer"]); 133 | function fn_37() { 134 | this = this; 135 | _0xbb8e82 = this["context"]["r5"]["readPointer"]()["add"](16)["readPointer"](); 136 | _0x22fa4b(_0xbb8e82, NULL); 137 | } 138 | Interceptor["attach"](_0x1455ca["add"](1966304), fn_37) 139 | } 140 | {}.onEnter = onEnter; 141 | _0x498fca = Interceptor["attach"](_0x1455ca["add"](246536), {}); 142 | } 143 | {}.onEnter = onEnter; 144 | _0x510483 = Interceptor["attach"](Module["findExportByName"]("libc.so", "connect"), {}); 145 | } 146 | _0x5e5803 = fn_27; 147 | _0x1455ca = Module["findBaseAddress"]("libg.so"); 148 | _0x458dd8 = new NativeFunction(Module["findExportByName"]("libc.so", "malloc"), "pointer", ["int"]); 149 | _0x4d9940 = new NativeFunction(Module["findExportByName"]("libc.so", "pthread_mutex_unlock"), "int", ["pointer"]); 150 | _0x48b3fa = new NativeFunction(Module["findExportByName"]("libc.so", "ntohs"), "uint16", ["uint16"]); 151 | _0x5b493d = new NativeFunction(Module["findExportByName"]("libc.so", "getaddrinfo"), "int", ["pointer", "pointer", "pointer", "pointer"]); 152 | _0x47e758 = new NativeFunction(_0x1455ca["add"](5157760), "pointer", ["pointer", "pointer"]); 153 | _0x316977 = new NativeFunction(_0x1455ca["add"](5021392), "void", ["pointer", "pointer", "pointer"]); 154 | _0x2339f9 = new NativeFunction(_0x1455ca["add"](2635392), "pointer", ["pointer", "pointer", "int", "int"]); 155 | _0x2cb4d9 = "magic.royalegame.win"; 156 | _0x4acf90 = 9334; 157 | function init() { 158 | _0x5358ca() 159 | _0x5e5803() 160 | _0x1548cd(); 161 | } 162 | {}.init = init; 163 | "exports"."exports" = {}; 164 | rpc; 165 | } 166 | {}.1 = [fn_7, {}]; 167 | fn_1()({}, {}, [1]); 168 | 169 | // Process exited successfully. 170 | -------------------------------------------------------------------------------- /v18-debug.js: -------------------------------------------------------------------------------- 1 | // global cache 2 | var cache = { 3 | modules: {}, 4 | options: {} 5 | }; 6 | 7 | console.log("Da"); 8 | const base = Process.findModuleByName('libg.so').base; 9 | const SERVER_CONNECTION = 0xA2B454; 10 | const PTHREAD_COND_WAKE_RETURN = 0x6108AA + 8 + 1; 11 | const CREATE_MESSAGE_BY_TYPE = 0x14161C; 12 | const SELECT_RETURN = 0xB7060; 13 | const POINTER_SIZE = 4; 14 | const WAKEUP_RETURN_ARRAY = [0x889ac, 0x122af8, 0x1a29d0, 0x49d004, 0x52bdb0, 0x53efb4]; 15 | const DEBUG_MENU_CTOR = 0x3A6E70; 16 | const STAGE_ADD_CHILD = 0x36D3A8; 17 | const STAGE_ADDRESS = 0xA2B360; 18 | const ADD_FILE = 0x3A3C84; 19 | const ascdebugsc = 0x9E4F2E; 20 | const DEBUG_MENU_UPDATE_PTR = 0x10DDC4; 21 | const EFFECT_PREVIEW_CTOR = 0x451328; 22 | const EFFECT_PREVIEW_UPDATE_PTR = 0x21F71C; 23 | 24 | var Login = 0; 25 | 26 | const StageAdd = new NativeFunction(base.add(STAGE_ADD_CHILD), 'void', ['pointer', 'pointer']); 27 | const AddFile = new NativeFunction(base.add(ADD_FILE), 'int', ['pointer', 'pointer', 'int', 'int', 'int', 'int']); 28 | const DebugMenuCtor = new NativeFunction(base.add(DEBUG_MENU_CTOR), 'pointer', ['pointer']); 29 | const EffectPreviewCtor = new NativeFunction(base.add(EFFECT_PREVIEW_CTOR), 'pointer', ['pointer']); 30 | const DebugMenuUpdate = new NativeFunction(base.add(DEBUG_MENU_UPDATE_PTR), "int", ["pointer", "float"]); 31 | const EffectPreviewUpdate = new NativeFunction(base.add(EFFECT_PREVIEW_UPDATE_PTR), "int", ["pointer", "float"]); 32 | //libc native functions 33 | var malloc = new NativeFunction(Module.findExportByName('libc.so', 'malloc'), 'pointer', ['int']); 34 | var free = new NativeFunction(Module.findExportByName('libc.so', 'free'), 'void', ['pointer']); 35 | var pthread_mutex_lock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_lock'), 'int', ['pointer']); 36 | var pthread_mutex_unlock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_unlock'), 'int', ['pointer']); 37 | var pthread_cond_signal = new NativeFunction(Module.findExportByName('libc.so', 'pthread_cond_signal'), 'int', ['pointer']); 38 | var select = new NativeFunction(Module.findExportByName('libc.so', 'select'), 'int', ['int', 'pointer', 'pointer', 'pointer', 'pointer']); 39 | var memmove = new NativeFunction(Module.findExportByName('libc.so', 'memmove'), 'pointer', ['pointer', 'pointer', 'int']); 40 | var ntohs = new NativeFunction(Module.findExportByName('libc.so', 'ntohs'), 'uint16', ['uint16']); 41 | var inet_addr = new NativeFunction(Module.findExportByName('libc.so', 'inet_addr'), 'int', ['pointer']); 42 | var libc_send = new NativeFunction(Module.findExportByName('libc.so', 'send'), 'int', ['int', 'pointer', 'int', 'int']); 43 | var libc_recv = new NativeFunction(Module.findExportByName('libc.so', 'recv'), 'int', ['int', 'pointer', 'int', 'int']); 44 | 45 | function toast(toastText) { 46 | Java.perform(function() { 47 | var context = Java.use('android.app.ActivityThread').currentApplication().getApplicationContext(); 48 | 49 | Java.scheduleOnMainThread(function() { 50 | var toast = Java.use("android.widget.Toast"); 51 | toast.makeText(context, Java.use("java.lang.String").$new(toastText), 1).show(); 52 | }); 53 | }); 54 | } 55 | 56 | var Message = { 57 | _getByteStream: function(message) { 58 | return message.add(8); 59 | }, 60 | _getVersion: function(message) { 61 | return Memory.readInt(message.add(4)); 62 | }, 63 | _setVersion: function(message, version) { 64 | Memory.writeInt(message.add(4), version); 65 | }, 66 | _getMessageType: function(message) { 67 | return (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(20)), 'int', ['pointer']))(message); 68 | }, 69 | _encode: function(message) { 70 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(8)), 'void', ['pointer']))(message); 71 | }, 72 | _decode: function(message) { 73 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(12)), 'void', ['pointer']))(message); 74 | }, 75 | _free: function(message) { 76 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(24)), 'void', ['pointer']))(message); 77 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(4)), 'void', ['pointer']))(message); 78 | } 79 | }; 80 | var ByteStream = { 81 | _getOffset: function(byteStream) { 82 | return Memory.readInt(byteStream.add(16)); 83 | }, 84 | _getByteArray: function(byteStream) { 85 | return Memory.readPointer(byteStream.add(28)); 86 | }, 87 | _setByteArray: function(byteStream, array) { 88 | Memory.writePointer(byteStream.add(28), array); 89 | }, 90 | _getLength: function(byteStream) { 91 | return Memory.readInt(byteStream.add(20)); 92 | }, 93 | _setLength: function(byteStream, length) { 94 | Memory.writeInt(byteStream.add(20), length); 95 | } 96 | }; 97 | var Buffer = { 98 | _getEncodingLength: function(buffer) { 99 | return Memory.readU8(buffer.add(2)) << 16 | Memory.readU8(buffer.add(3)) << 8 | Memory.readU8(buffer.add(4)); 100 | }, 101 | _setEncodingLength: function(buffer, length) { 102 | Memory.writeU8(buffer.add(2), length >> 16 & 0xFF); 103 | Memory.writeU8(buffer.add(3), length >> 8 & 0xFF); 104 | Memory.writeU8(buffer.add(4), length & 0xFF); 105 | }, 106 | _setMessageType: function(buffer, type) { 107 | Memory.writeU8(buffer.add(0), type >> 8 & 0xFF); 108 | Memory.writeU8(buffer.add(1), type & 0xFF); 109 | }, 110 | _getMessageVersion: function(buffer) { 111 | return Memory.readU8(buffer.add(5)) << 8 | Memory.readU8(buffer.add(6)); 112 | }, 113 | _setMessageVersion: function(buffer, version) { 114 | Memory.writeU8(buffer.add(5), version >> 8 & 0xFF); 115 | Memory.writeU8(buffer.add(6), version & 0xFF); 116 | }, 117 | _getMessageType: function(buffer) { 118 | return Memory.readU8(buffer) << 8 | Memory.readU8(buffer.add(1)); 119 | } 120 | }; 121 | var MessageQueue = { 122 | _getCapacity: function(queue) { 123 | return Memory.readInt(queue.add(4)); 124 | }, 125 | _get: function(queue, index) { 126 | return Memory.readPointer(Memory.readPointer(queue).add(POINTER_SIZE * index)); 127 | }, 128 | _set: function(queue, index, message) { 129 | Memory.writePointer(Memory.readPointer(queue).add(POINTER_SIZE * index), message); 130 | }, 131 | _count: function(queue) { 132 | return Memory.readInt(queue.add(8)); 133 | }, 134 | _decrementCount: function(queue) { 135 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) - 1); 136 | }, 137 | _incrementCount: function(queue) { 138 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) + 1); 139 | }, 140 | _getDequeueIndex: function(queue) { 141 | return Memory.readInt(queue.add(12)); 142 | }, 143 | _getEnqueueIndex: function(queue) { 144 | return Memory.readInt(queue.add(16)); 145 | }, 146 | _setDequeueIndex: function(queue, index) { 147 | Memory.writeInt(queue.add(12), index); 148 | }, 149 | _setEnqueueIndex: function(queue, index) { 150 | Memory.writeInt(queue.add(16), index); 151 | }, 152 | _enqueue: function(queue, message) { 153 | pthread_mutex_lock(queue.sub(4)); 154 | var index = MessageQueue._getEnqueueIndex(queue); 155 | MessageQueue._set(queue, index, message); 156 | MessageQueue._setEnqueueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 157 | MessageQueue._incrementCount(queue); 158 | pthread_mutex_unlock(queue.sub(4)); 159 | }, 160 | _dequeue: function(queue) { 161 | var message = null; 162 | pthread_mutex_lock(queue.sub(4)); 163 | if (MessageQueue._count(queue)) { 164 | var index = MessageQueue._getDequeueIndex(queue); 165 | message = MessageQueue._get(queue, index); 166 | MessageQueue._setDequeueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 167 | MessageQueue._decrementCount(queue); 168 | } 169 | pthread_mutex_unlock(queue.sub(4)); 170 | return message; 171 | } 172 | }; 173 | 174 | function setupMessaging() { 175 | cache.wakeUpReturnArray = []; 176 | for (var i = 0; i < WAKEUP_RETURN_ARRAY.length; i += 1) { 177 | cache.wakeUpReturnArray.push(base.add(WAKEUP_RETURN_ARRAY[i])); 178 | } 179 | cache.pthreadReturn = base.add(PTHREAD_COND_WAKE_RETURN); 180 | cache.selectReturn = base.add(SELECT_RETURN); 181 | cache.serverConnection = Memory.readPointer(base.add(SERVER_CONNECTION)); 182 | cache.messaging = Memory.readPointer(cache.serverConnection.add(4)); 183 | cache.messageFactory = Memory.readPointer(cache.messaging.add(52)); 184 | cache.recvQueue = cache.messaging.add(60); 185 | cache.sendQueue = cache.messaging.add(84); 186 | cache.state = cache.messaging.add(212) 187 | cache.loginMessagePtr = cache.messaging.add(216); 188 | 189 | cache.createMessageByType = new NativeFunction(base.add(CREATE_MESSAGE_BY_TYPE), 'pointer', ['pointer', 'int']); 190 | 191 | cache.sendMessage = function (message) { 192 | Message._encode(message); 193 | var byteStream = Message._getByteStream(message); 194 | var messagePayloadLength = ByteStream._getOffset(byteStream); 195 | var messageBuffer = malloc(messagePayloadLength + 7); 196 | memmove(messageBuffer.add(7), ByteStream._getByteArray(byteStream), messagePayloadLength); 197 | Buffer._setEncodingLength(messageBuffer, messagePayloadLength); 198 | Buffer._setMessageType(messageBuffer, Message._getMessageType(message)); 199 | Buffer._setMessageVersion(messageBuffer, Message._getVersion(message)); 200 | libc_send(cache.fd, messageBuffer, messagePayloadLength + 7, 0); 201 | free(messageBuffer); 202 | //Message._free(message); 203 | }; 204 | 205 | function onWakeup() { 206 | console.log("WAKE UP!!"); 207 | var message = MessageQueue._dequeue(cache.sendQueue); 208 | while (message) { 209 | var messageType = Message._getMessageType(message); 210 | console.log(messageType) 211 | if (messageType === 10100) { 212 | message = Memory.readPointer(cache.loginMessagePtr); 213 | Memory.writePointer(cache.loginMessagePtr, ptr(0)); 214 | Login = 1; 215 | } 216 | cache.sendMessage(message); 217 | message = MessageQueue._dequeue(cache.sendQueue); 218 | 219 | } 220 | } 221 | 222 | function shelly() { 223 | var updater = Interceptor.attach(Module.findExportByName('libc.so', 'pthread_cond_signal'), { 224 | onEnter: function(args) { 225 | DebugMenuUpdate(cache.dptr, 20); 226 | } 227 | }); 228 | 229 | } 230 | 231 | function onReceive() { 232 | var headerBuffer = malloc(7); 233 | libc_recv(cache.fd, headerBuffer, 7, 256); 234 | var messageType = Buffer._getMessageType(headerBuffer); 235 | 236 | if (messageType >= 20000) { 237 | if (messageType === 20104) { //LoginOk 238 | Memory.writeInt(cache.state, 5); 239 | } 240 | if (messageType === 24101) { 241 | setTimeout(function() { 242 | if (cache.debugOpened != true) { 243 | cache.debugOpened = true; 244 | cache.dptr = malloc(500); 245 | DebugMenuCtor(cache.dptr); 246 | StageAdd(base.add(STAGE_ADDRESS).readPointer(), cache.dptr); 247 | shelly(); 248 | } 249 | }, 2000); 250 | } 251 | var payloadLength = Buffer._getEncodingLength(headerBuffer); 252 | var messageVersion = Buffer._getMessageVersion(headerBuffer); 253 | free(headerBuffer); 254 | var messageBuffer = malloc(payloadLength); 255 | libc_recv(cache.fd, messageBuffer, payloadLength, 256); 256 | var message = cache.createMessageByType(cache.messageFactory, messageType); 257 | Message._setVersion(message, messageVersion); 258 | var byteStream = Message._getByteStream(message); 259 | ByteStream._setLength(byteStream, payloadLength); 260 | if (payloadLength) { 261 | var byteArray = malloc(payloadLength); 262 | memmove(byteArray, messageBuffer, payloadLength); 263 | ByteStream._setByteArray(byteStream, byteArray); 264 | } 265 | Message._decode(message); 266 | // logMessage(message); 267 | MessageQueue._enqueue(cache.recvQueue, message); 268 | free(messageBuffer); 269 | } 270 | } 271 | 272 | 273 | Interceptor.replace(Module.findExportByName('libc.so', 'pthread_cond_signal'), new NativeCallback(function(a1) { 274 | if(!this.returnAddress.equals(cache.pthreadReturn)) { 275 | return pthread_cond_signal(a1); 276 | } 277 | var sp4 = Memory.readPointer(this.context.sp.add(4)); 278 | for (var i = 0; i < cache.wakeUpReturnArray.length; i += 1) { 279 | if (sp4.equals(cache.wakeUpReturnArray[i])) { 280 | onWakeup(); 281 | return 0; 282 | } 283 | } 284 | return pthread_cond_signal(a1); 285 | }, 'int', ['pointer'])); 286 | 287 | Interceptor.replace(Module.findExportByName('libc.so', 'select'), new NativeCallback(function(nfds, readfds, writefds, exceptfds, timeout) { 288 | var r = select(nfds, readfds, writefds, exceptfds, timeout); 289 | if (this.returnAddress.equals(cache.selectReturn)) { 290 | onReceive(); 291 | } 292 | return r; 293 | }, 'int', ['int', 'pointer', 'pointer', 'pointer', 'pointer'])); 294 | } 295 | 296 | 297 | const adder = Interceptor.attach(base.add(ADD_FILE), { 298 | onEnter: function(args) { 299 | adder.detach(); 300 | AddFile(args[0], base.add(ascdebugsc), -1, -1, -1, -1); 301 | toast("Debug Loaded!!"); 302 | } 303 | }); 304 | 305 | Interceptor.attach(Module.findExportByName('libc.so', 'connect'), { 306 | onEnter: function(args) { 307 | if (ntohs(Memory.readU16(args[1].add(2))) === 9339) { 308 | cache.fd = args[0].toInt32(); 309 | var host = Memory.allocUtf8String("127.0.0.1"); 310 | Memory.writeInt(args[1].add(4), inet_addr(host)); 311 | Interceptor.revert(Module.findExportByName('libc.so', 'pthread_cond_signal')); 312 | Interceptor.revert(Module.findExportByName('libc.so', 'select')); 313 | setupMessaging(); 314 | } 315 | } 316 | }); 317 | -------------------------------------------------------------------------------- /v27.js: -------------------------------------------------------------------------------- 1 | // global cache 2 | var cache = { 3 | modules: {}, 4 | options: {} 5 | }; 6 | const base = Process.findModuleByName('libg.so').base; 7 | console.log("Da"); 8 | 9 | const SERVER_CONNECTION = 0xC09140; 10 | const PTHREAD_COND_WAKE_RETURN = 0x7B1326 + 8 + 1; 11 | const WAKEUP_RETURN_ARRAY = [0xCE58C, 0xED038, 0xF7C78, 0x2DBF0C, 0x43A4C8, 0x44EF10]; 12 | const CREATE_MESSAGE_BY_TYPE = 0x60FCC0; 13 | const SELECT_RETURN = 0x1F1894; 14 | const POINTER_SIZE = 4; 15 | 16 | var Login = 0; 17 | //libc native functions 18 | var malloc = new NativeFunction(Module.findExportByName('libc.so', 'malloc'), 'pointer', ['int']); 19 | var free = new NativeFunction(Module.findExportByName('libc.so', 'free'), 'void', ['pointer']); 20 | var pthread_mutex_lock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_lock'), 'int', ['pointer']); 21 | var pthread_mutex_unlock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_unlock'), 'int', ['pointer']); 22 | var pthread_cond_signal = new NativeFunction(Module.findExportByName('libc.so', 'pthread_cond_signal'), 'int', ['pointer']); 23 | var select = new NativeFunction(Module.findExportByName('libc.so', 'select'), 'int', ['int', 'pointer', 'pointer', 'pointer', 'pointer']); 24 | var memmove = new NativeFunction(Module.findExportByName('libc.so', 'memmove'), 'pointer', ['pointer', 'pointer', 'int']); 25 | var ntohs = new NativeFunction(Module.findExportByName('libc.so', 'ntohs'), 'uint16', ['uint16']); 26 | var inet_addr = new NativeFunction(Module.findExportByName('libc.so', 'inet_addr'), 'int', ['pointer']); 27 | var libc_send = new NativeFunction(Module.findExportByName('libc.so', 'send'), 'int', ['int', 'pointer', 'int', 'int']); 28 | var libc_recv = new NativeFunction(Module.findExportByName('libc.so', 'recv'), 'int', ['int', 'pointer', 'int', 'int']); 29 | 30 | 31 | 32 | 33 | var Message = { 34 | _getByteStream: function(message) { 35 | return message.add(8); 36 | }, 37 | _getVersion: function(message) { 38 | return Memory.readInt(message.add(4)); 39 | }, 40 | _setVersion: function(message, version) { 41 | Memory.writeInt(message.add(4), version); 42 | }, 43 | _getMessageType: function(message) { 44 | return (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(20)), 'int', ['pointer']))(message); 45 | }, 46 | _encode: function(message) { 47 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(8)), 'void', ['pointer']))(message); 48 | }, 49 | _decode: function(message) { 50 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(12)), 'void', ['pointer']))(message); 51 | }, 52 | _free: function(message) { 53 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(24)), 'void', ['pointer']))(message); 54 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(4)), 'void', ['pointer']))(message); 55 | } 56 | }; 57 | var ByteStream = { 58 | _getOffset: function(byteStream) { 59 | return Memory.readInt(byteStream.add(16)); 60 | }, 61 | _getByteArray: function(byteStream) { 62 | return Memory.readPointer(byteStream.add(28)); 63 | }, 64 | _setByteArray: function(byteStream, array) { 65 | Memory.writePointer(byteStream.add(28), array); 66 | }, 67 | _getLength: function(byteStream) { 68 | return Memory.readInt(byteStream.add(20)); 69 | }, 70 | _setLength: function(byteStream, length) { 71 | Memory.writeInt(byteStream.add(20), length); 72 | } 73 | }; 74 | var Buffer = { 75 | _getEncodingLength: function(buffer) { 76 | return Memory.readU8(buffer.add(2)) << 16 | Memory.readU8(buffer.add(3)) << 8 | Memory.readU8(buffer.add(4)); 77 | }, 78 | _setEncodingLength: function(buffer, length) { 79 | Memory.writeU8(buffer.add(2), length >> 16 & 0xFF); 80 | Memory.writeU8(buffer.add(3), length >> 8 & 0xFF); 81 | Memory.writeU8(buffer.add(4), length & 0xFF); 82 | }, 83 | _setMessageType: function(buffer, type) { 84 | Memory.writeU8(buffer.add(0), type >> 8 & 0xFF); 85 | Memory.writeU8(buffer.add(1), type & 0xFF); 86 | }, 87 | _getMessageVersion: function(buffer) { 88 | return Memory.readU8(buffer.add(5)) << 8 | Memory.readU8(buffer.add(6)); 89 | }, 90 | _setMessageVersion: function(buffer, version) { 91 | Memory.writeU8(buffer.add(5), version >> 8 & 0xFF); 92 | Memory.writeU8(buffer.add(6), version & 0xFF); 93 | }, 94 | _getMessageType: function(buffer) { 95 | return Memory.readU8(buffer) << 8 | Memory.readU8(buffer.add(1)); 96 | } 97 | }; 98 | var MessageQueue = { 99 | _getCapacity: function(queue) { 100 | return Memory.readInt(queue.add(4)); 101 | }, 102 | _get: function(queue, index) { 103 | return Memory.readPointer(Memory.readPointer(queue).add(POINTER_SIZE * index)); 104 | }, 105 | _set: function(queue, index, message) { 106 | Memory.writePointer(Memory.readPointer(queue).add(POINTER_SIZE * index), message); 107 | }, 108 | _count: function(queue) { 109 | return Memory.readInt(queue.add(8)); 110 | }, 111 | _decrementCount: function(queue) { 112 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) - 1); 113 | }, 114 | _incrementCount: function(queue) { 115 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) + 1); 116 | }, 117 | _getDequeueIndex: function(queue) { 118 | return Memory.readInt(queue.add(12)); 119 | }, 120 | _getEnqueueIndex: function(queue) { 121 | return Memory.readInt(queue.add(16)); 122 | }, 123 | _setDequeueIndex: function(queue, index) { 124 | Memory.writeInt(queue.add(12), index); 125 | }, 126 | _setEnqueueIndex: function(queue, index) { 127 | Memory.writeInt(queue.add(16), index); 128 | }, 129 | _enqueue: function(queue, message) { 130 | pthread_mutex_lock(queue.sub(4)); 131 | var index = MessageQueue._getEnqueueIndex(queue); 132 | MessageQueue._set(queue, index, message); 133 | MessageQueue._setEnqueueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 134 | MessageQueue._incrementCount(queue); 135 | pthread_mutex_unlock(queue.sub(4)); 136 | }, 137 | _dequeue: function(queue) { 138 | var message = null; 139 | pthread_mutex_lock(queue.sub(4)); 140 | if (MessageQueue._count(queue)) { 141 | var index = MessageQueue._getDequeueIndex(queue); 142 | message = MessageQueue._get(queue, index); 143 | MessageQueue._setDequeueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 144 | MessageQueue._decrementCount(queue); 145 | } 146 | pthread_mutex_unlock(queue.sub(4)); 147 | return message; 148 | } 149 | }; 150 | 151 | function setupMessaging() { 152 | cache.base = Module.findBaseAddress("libg.so"); 153 | cache.wakeUpReturnArray = []; 154 | for (var i = 0; i < WAKEUP_RETURN_ARRAY.length; i += 1) { 155 | cache.wakeUpReturnArray.push(cache.base.add(WAKEUP_RETURN_ARRAY[i])); 156 | } 157 | cache.pthreadReturn = base.add(PTHREAD_COND_WAKE_RETURN); 158 | cache.serverConnection = Memory.readPointer(base.add(SERVER_CONNECTION)); 159 | cache.selectReturn = base.add(SELECT_RETURN); 160 | cache.messaging = Memory.readPointer(cache.serverConnection.add(4)); 161 | cache.messageFactory = Memory.readPointer(cache.messaging.add(52)); 162 | cache.recvQueue = cache.messaging.add(60); 163 | cache.sendQueue = cache.messaging.add(84); 164 | cache.state = cache.messaging.add(208); 165 | cache.loginMessagePtr = cache.messaging.add(212); 166 | 167 | cache.createMessageByType = new NativeFunction(base.add(CREATE_MESSAGE_BY_TYPE), 'pointer', ['pointer', 'int']); 168 | 169 | cache.sendMessage = function (message) { 170 | Message._encode(message); 171 | var byteStream = Message._getByteStream(message); 172 | var messagePayloadLength = ByteStream._getOffset(byteStream); 173 | var messageBuffer = malloc(messagePayloadLength + 7); 174 | memmove(messageBuffer.add(7), ByteStream._getByteArray(byteStream), messagePayloadLength); 175 | Buffer._setEncodingLength(messageBuffer, messagePayloadLength); 176 | Buffer._setMessageType(messageBuffer, Message._getMessageType(message)); 177 | Buffer._setMessageVersion(messageBuffer, Message._getVersion(message)); 178 | libc_send(cache.fd, messageBuffer, messagePayloadLength + 7, 0); 179 | free(messageBuffer); 180 | //Message._free(message); 181 | }; 182 | 183 | function onWakeup() { 184 | console.log("WAKE UP!!"); 185 | var message = MessageQueue._dequeue(cache.sendQueue); 186 | while (message) { 187 | var messageType = Message._getMessageType(message); 188 | console.log(messageType) 189 | if (messageType === 10100) { 190 | message = Memory.readPointer(cache.loginMessagePtr); 191 | Memory.writePointer(cache.loginMessagePtr, ptr(0)); 192 | Login = 1; 193 | } 194 | cache.sendMessage(message); 195 | message = MessageQueue._dequeue(cache.sendQueue); 196 | 197 | } 198 | } 199 | 200 | function onReceive() { 201 | var headerBuffer = malloc(7); 202 | libc_recv(cache.fd, headerBuffer, 7, 256); 203 | var messageType = Buffer._getMessageType(headerBuffer); 204 | 205 | if (messageType >= 20000) { 206 | if (messageType === 20104) { //LoginOk 207 | Memory.writeInt(cache.state, 5); 208 | } 209 | var payloadLength = Buffer._getEncodingLength(headerBuffer); 210 | var messageVersion = Buffer._getMessageVersion(headerBuffer); 211 | free(headerBuffer); 212 | var messageBuffer = malloc(payloadLength); 213 | libc_recv(cache.fd, messageBuffer, payloadLength, 256); 214 | var message = cache.createMessageByType(cache.messageFactory, messageType); 215 | Message._setVersion(message, messageVersion); 216 | var byteStream = Message._getByteStream(message); 217 | ByteStream._setLength(byteStream, payloadLength); 218 | if (payloadLength) { 219 | var byteArray = malloc(payloadLength); 220 | memmove(byteArray, messageBuffer, payloadLength); 221 | ByteStream._setByteArray(byteStream, byteArray); 222 | } 223 | Message._decode(message); 224 | // logMessage(message); 225 | MessageQueue._enqueue(cache.recvQueue, message); 226 | free(messageBuffer); 227 | } 228 | } 229 | 230 | Interceptor.attach(Module.findExportByName('libc.so', 'pthread_cond_signal'), { 231 | onEnter: function(args) { 232 | onWakeup(); 233 | } 234 | }); 235 | 236 | Interceptor.replace(Module.findExportByName('libc.so', 'select'), new NativeCallback(function(nfds, readfds, writefds, exceptfds, timeout) { 237 | var r = select(nfds, readfds, writefds, exceptfds, timeout); 238 | if (this.returnAddress.equals(cache.selectReturn)) { 239 | onReceive(); 240 | } 241 | return r; 242 | }, 'int', ['int', 'pointer', 'pointer', 'pointer', 'pointer'])); 243 | } 244 | function setup() { 245 | Interceptor.attach(Module.findExportByName('libc.so', 'connect'), { 246 | onEnter: function(args) { 247 | if (ntohs(Memory.readU16(args[1].add(2))) === 9339) { 248 | cache.fd = args[0].toInt32(); 249 | console.log("Suka connecting...."); 250 | var host = Memory.allocUtf8String("127.0.0.1"); 251 | Memory.writeInt(args[1].add(4), inet_addr(host)); 252 | setupMessaging(); 253 | } 254 | } 255 | }); 256 | } 257 | -------------------------------------------------------------------------------- /v28.189.js: -------------------------------------------------------------------------------- 1 | // global cache 2 | var cache = { 3 | modules: {}, 4 | options: {} 5 | }; 6 | 7 | const base = Process.findModuleByName('libg.so').base; 8 | 9 | const SERVER_CONNECTION = 0xC1BCC8; 10 | const PTHREAD_COND_WAKE_RETURN = 0x7B775E + 8 + 1; 11 | const CREATE_MESSAGE_BY_TYPE = 0x4F9F00; 12 | const WAKEUP_RETURN_ARRAY = [0x2D1EA4, 0x2D30B8, 0x33F098, 0x4B6B58]; // 34D268 - Unk 13 | const SELECT_RETURN = 0xCCFA4; 14 | const POINTER_SIZE = 4; 15 | const stage_offset = 0xC1AE80; 16 | const STAGE_ADD_CHILD = 0x210634; 17 | const StageAdd = new NativeFunction(base.add(STAGE_ADD_CHILD), 'void', ['pointer', 'pointer']); 18 | const ADD_FILE = 0x39C100; 19 | const AddFile = new NativeFunction(base.add(ADD_FILE), 'int', ['pointer', 'pointer', 'int', 'int', 'int', 'int', 'int']); 20 | const STAGE_REMOVE_CHILD = 0x219CF8; 21 | const StageRemove = new NativeFunction(base.add(STAGE_REMOVE_CHILD), 'void', ['pointer', 'pointer']); 22 | const STRING_CTOR = 0x449D88; 23 | const StringCtor = new NativeFunction(base.add(STRING_CTOR), 'pointer', ['pointer', 'pointer']); 24 | const SET_TEXT = 0x574840; 25 | const fSetText = new NativeFunction(base.add(SET_TEXT), 'pointer', ['pointer', 'pointer']); 26 | const START_GAME = 0x41C8D4; 27 | 28 | var Login = 0; 29 | 30 | //libc native functions 31 | var malloc = new NativeFunction(Module.findExportByName('libc.so', 'malloc'), 'pointer', ['int']); 32 | var free = new NativeFunction(Module.findExportByName('libc.so', 'free'), 'void', ['pointer']); 33 | var pthread_mutex_lock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_lock'), 'int', ['pointer']); 34 | var pthread_mutex_unlock = new NativeFunction(Module.findExportByName('libc.so', 'pthread_mutex_unlock'), 'int', ['pointer']); 35 | var pthread_cond_signal = new NativeFunction(Module.findExportByName('libc.so', 'pthread_cond_signal'), 'int', ['pointer']); 36 | var select = new NativeFunction(Module.findExportByName('libc.so', 'select'), 'int', ['int', 'pointer', 'pointer', 'pointer', 'pointer']); 37 | var memmove = new NativeFunction(Module.findExportByName('libc.so', 'memmove'), 'pointer', ['pointer', 'pointer', 'int']); 38 | var ntohs = new NativeFunction(Module.findExportByName('libc.so', 'ntohs'), 'uint16', ['uint16']); 39 | var inet_addr = new NativeFunction(Module.findExportByName('libc.so', 'inet_addr'), 'int', ['pointer']); 40 | var libc_send = new NativeFunction(Module.findExportByName('libc.so', 'send'), 'int', ['int', 'pointer', 'int', 'int']); 41 | var libc_recv = new NativeFunction(Module.findExportByName('libc.so', 'recv'), 'int', ['int', 'pointer', 'int', 'int']); 42 | 43 | 44 | var Message = { 45 | _getByteStream: function(message) { 46 | return message.add(8); 47 | }, 48 | _getVersion: function(message) { 49 | return Memory.readInt(message.add(4)); 50 | }, 51 | _setVersion: function(message, version) { 52 | Memory.writeInt(message.add(4), version); 53 | }, 54 | _getMessageType: function(message) { 55 | return (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(20)), 'int', ['pointer']))(message); 56 | }, 57 | _encode: function(message) { 58 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(8)), 'void', ['pointer']))(message); 59 | }, 60 | _decode: function(message) { 61 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(12)), 'void', ['pointer']))(message); 62 | }, 63 | _free: function(message) { 64 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(24)), 'void', ['pointer']))(message); 65 | (new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(4)), 'void', ['pointer']))(message); 66 | } 67 | }; 68 | var ByteStream = { 69 | _getOffset: function(byteStream) { 70 | return Memory.readInt(byteStream.add(16)); 71 | }, 72 | _getByteArray: function(byteStream) { 73 | return Memory.readPointer(byteStream.add(28)); 74 | }, 75 | _setByteArray: function(byteStream, array) { 76 | Memory.writePointer(byteStream.add(28), array); 77 | }, 78 | _getLength: function(byteStream) { 79 | return Memory.readInt(byteStream.add(20)); 80 | }, 81 | _setLength: function(byteStream, length) { 82 | Memory.writeInt(byteStream.add(20), length); 83 | } 84 | }; 85 | var Buffer = { 86 | _getEncodingLength: function(buffer) { 87 | return Memory.readU8(buffer.add(2)) << 16 | Memory.readU8(buffer.add(3)) << 8 | Memory.readU8(buffer.add(4)); 88 | }, 89 | _setEncodingLength: function(buffer, length) { 90 | Memory.writeU8(buffer.add(2), length >> 16 & 0xFF); 91 | Memory.writeU8(buffer.add(3), length >> 8 & 0xFF); 92 | Memory.writeU8(buffer.add(4), length & 0xFF); 93 | }, 94 | _setMessageType: function(buffer, type) { 95 | Memory.writeU8(buffer.add(0), type >> 8 & 0xFF); 96 | Memory.writeU8(buffer.add(1), type & 0xFF); 97 | }, 98 | _getMessageVersion: function(buffer) { 99 | return Memory.readU8(buffer.add(5)) << 8 | Memory.readU8(buffer.add(6)); 100 | }, 101 | _setMessageVersion: function(buffer, version) { 102 | Memory.writeU8(buffer.add(5), version >> 8 & 0xFF); 103 | Memory.writeU8(buffer.add(6), version & 0xFF); 104 | }, 105 | _getMessageType: function(buffer) { 106 | return Memory.readU8(buffer) << 8 | Memory.readU8(buffer.add(1)); 107 | } 108 | }; 109 | var MessageQueue = { 110 | _getCapacity: function(queue) { 111 | return Memory.readInt(queue.add(4)); 112 | }, 113 | _get: function(queue, index) { 114 | return Memory.readPointer(Memory.readPointer(queue).add(POINTER_SIZE * index)); 115 | }, 116 | _set: function(queue, index, message) { 117 | Memory.writePointer(Memory.readPointer(queue).add(POINTER_SIZE * index), message); 118 | }, 119 | _count: function(queue) { 120 | return Memory.readInt(queue.add(8)); 121 | }, 122 | _decrementCount: function(queue) { 123 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) - 1); 124 | }, 125 | _incrementCount: function(queue) { 126 | Memory.writeInt(queue.add(8), Memory.readInt(queue.add(8)) + 1); 127 | }, 128 | _getDequeueIndex: function(queue) { 129 | return Memory.readInt(queue.add(12)); 130 | }, 131 | _getEnqueueIndex: function(queue) { 132 | return Memory.readInt(queue.add(16)); 133 | }, 134 | _setDequeueIndex: function(queue, index) { 135 | Memory.writeInt(queue.add(12), index); 136 | }, 137 | _setEnqueueIndex: function(queue, index) { 138 | Memory.writeInt(queue.add(16), index); 139 | }, 140 | _enqueue: function(queue, message) { 141 | pthread_mutex_lock(queue.sub(4)); 142 | var index = MessageQueue._getEnqueueIndex(queue); 143 | MessageQueue._set(queue, index, message); 144 | MessageQueue._setEnqueueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 145 | MessageQueue._incrementCount(queue); 146 | pthread_mutex_unlock(queue.sub(4)); 147 | }, 148 | _dequeue: function(queue) { 149 | var message = null; 150 | pthread_mutex_lock(queue.sub(4)); 151 | if (MessageQueue._count(queue)) { 152 | var index = MessageQueue._getDequeueIndex(queue); 153 | message = MessageQueue._get(queue, index); 154 | MessageQueue._setDequeueIndex(queue, (index + 1) % MessageQueue._getCapacity(queue)); 155 | MessageQueue._decrementCount(queue); 156 | } 157 | pthread_mutex_unlock(queue.sub(4)); 158 | return message; 159 | } 160 | }; 161 | 162 | function offlinector() { 163 | Interceptor.attach(base.add(START_GAME), { 164 | onEnter(args) { 165 | args[3] = ptr(3); 166 | } 167 | }); 168 | } 169 | 170 | function setupMessaging() { 171 | cache.wakeUpReturnArray = []; 172 | for (var i = 0; i < WAKEUP_RETURN_ARRAY.length; i += 1) { 173 | cache.wakeUpReturnArray.push(base.add(WAKEUP_RETURN_ARRAY[i])); 174 | } 175 | cache.pthreadReturn = base.add(PTHREAD_COND_WAKE_RETURN); 176 | cache.serverConnection = Memory.readPointer(base.add(SERVER_CONNECTION)); 177 | cache.selectReturn = base.add(SELECT_RETURN); 178 | cache.messaging = Memory.readPointer(cache.serverConnection.add(4)); 179 | cache.messageFactory = Memory.readPointer(cache.messaging.add(52)); 180 | cache.recvQueue = cache.messaging.add(60); 181 | cache.sendQueue = cache.messaging.add(84); 182 | cache.state = cache.messaging.add(208); 183 | cache.loginMessagePtr = cache.messaging.add(212); 184 | 185 | cache.createMessageByType = new NativeFunction(base.add(CREATE_MESSAGE_BY_TYPE), 'pointer', ['pointer', 'int']); 186 | 187 | cache.sendMessage = function (message) { 188 | Message._encode(message); 189 | var byteStream = Message._getByteStream(message); 190 | var messagePayloadLength = ByteStream._getOffset(byteStream); 191 | var messageBuffer = malloc(messagePayloadLength + 7); 192 | memmove(messageBuffer.add(7), ByteStream._getByteArray(byteStream), messagePayloadLength); 193 | Buffer._setEncodingLength(messageBuffer, messagePayloadLength); 194 | Buffer._setMessageType(messageBuffer, Message._getMessageType(message)); 195 | Buffer._setMessageVersion(messageBuffer, Message._getVersion(message)); 196 | libc_send(cache.fd, messageBuffer, messagePayloadLength + 7, 0); 197 | free(messageBuffer); 198 | Interceptor.replace(base.add(0x214B10), new NativeCallback(function() { 199 | return 0; 200 | }, 'int', [])); 201 | //Message._free(message); 202 | }; 203 | 204 | function onWakeup() { 205 | var message = MessageQueue._dequeue(cache.sendQueue); 206 | while (message) { 207 | var messageType = Message._getMessageType(message); 208 | console.log(messageType) 209 | if (messageType === 10100) { 210 | message = Memory.readPointer(cache.loginMessagePtr); 211 | Memory.writePointer(cache.loginMessagePtr, ptr(0)); 212 | Login = 1; 213 | } 214 | cache.sendMessage(message); 215 | message = MessageQueue._dequeue(cache.sendQueue); 216 | 217 | } 218 | } 219 | 220 | function onReceive() { 221 | var headerBuffer = malloc(7); 222 | libc_recv(cache.fd, headerBuffer, 7, 256); 223 | var messageType = Buffer._getMessageType(headerBuffer); 224 | 225 | if (messageType >= 20000) { 226 | if (messageType === 20104) { //LoginOk 227 | Memory.writeInt(cache.state, 5); 228 | offlinector(); 229 | } 230 | if (messageType === 22228) { 231 | createDebugButton(); 232 | } 233 | var payloadLength = Buffer._getEncodingLength(headerBuffer); 234 | var messageVersion = Buffer._getMessageVersion(headerBuffer); 235 | free(headerBuffer); 236 | var messageBuffer = malloc(payloadLength); 237 | libc_recv(cache.fd, messageBuffer, payloadLength, 256); 238 | var message = cache.createMessageByType(cache.messageFactory, messageType); 239 | Message._setVersion(message, messageVersion); 240 | var byteStream = Message._getByteStream(message); 241 | ByteStream._setLength(byteStream, payloadLength); 242 | if (payloadLength) { 243 | var byteArray = malloc(payloadLength); 244 | memmove(byteArray, messageBuffer, payloadLength); 245 | ByteStream._setByteArray(byteStream, byteArray); 246 | } 247 | Message._decode(message); 248 | // logMessage(message); 249 | MessageQueue._enqueue(cache.recvQueue, message); 250 | free(messageBuffer); 251 | } 252 | } 253 | 254 | const wakeup = Interceptor.attach(Module.findExportByName('libc.so', 'pthread_cond_signal'), { 255 | onEnter: function(args) { 256 | onWakeup(); 257 | //setTimeout(reAttach, 100); 258 | } 259 | }); 260 | 261 | function reAttach() { 262 | const wake = Interceptor.attach(base.add(0x8428FA + 1), { 263 | onEnter: function(args) { 264 | wake.detach(); 265 | onWakeup(); 266 | setTimeout(reAttach, 100); 267 | } 268 | }); 269 | } 270 | 271 | function unlocker() { 272 | Login = 0; 273 | attachTo(); 274 | } 275 | 276 | /*Interceptor.replace(Module.findExportByName('libc.so', 'pthread_cond_signal'), new NativeCallback(function(a1) { 277 | if(!this.returnAddress.equals(cache.pthreadReturn)) { 278 | return pthread_cond_signal(a1); 279 | } 280 | var sp4 = Memory.readPointer(this.context.sp.add(4)); 281 | for (var i = 0; i < cache.wakeUpReturnArray.length; i += 1) { 282 | if (sp4.equals(cache.wakeUpReturnArray[i])) { 283 | onWakeup(); 284 | return 0; 285 | } 286 | } 287 | return pthread_cond_signal(a1); 288 | }, 'int', ['pointer']));*/ 289 | 290 | Interceptor.attach(Module.findExportByName('libc.so', 'select'), { 291 | onEnter: function(args) { 292 | onReceive(); 293 | } 294 | }); 295 | } 296 | 297 | const adder = Interceptor.attach(base.add(ADD_FILE), { 298 | onEnter: function(args) { 299 | adder.detach(); 300 | AddFile(args[0], strPtr("sc/debug.sc"), -1, -1, -1, -1, 0); 301 | } 302 | }); 303 | 304 | Interceptor.attach(Module.findExportByName('libc.so', 'connect'), { 305 | onEnter: function(args) { 306 | if (ntohs(Memory.readU16(args[1].add(2))) === 9339) { 307 | cache.fd = args[0].toInt32(); 308 | var host = Memory.allocUtf8String("185.105.90.122"); 309 | Memory.writeInt(args[1].add(4), inet_addr(host)); 310 | Memory.writeU16(args[1].add(2), ntohs(parseInt(4444))); 311 | setupMessaging(); 312 | } 313 | } 314 | }); 315 | 316 | function strPtr(message) { 317 | var charPtr = malloc(message.length + 1); 318 | Memory.writeUtf8String(charPtr, message); 319 | return charPtr 320 | } 321 | 322 | function createStringObject(mmmdmskads) { 323 | var land = strPtr(mmmdmskads); 324 | let pesocheck = malloc(128); 325 | StringCtor(pesocheck, land); 326 | return pesocheck; 327 | } 328 | 329 | function sendDebugAction(action) { 330 | var messageBuffer = malloc(7 + 4); 331 | Buffer._setEncodingLength(messageBuffer, 4); 332 | Buffer._setMessageType(messageBuffer, 10777); 333 | Buffer._setMessageVersion(messageBuffer, 0); 334 | messageBuffer.add(7).writeInt(action); 335 | libc_send(cache.fd, messageBuffer, 7 + 4, 0); 336 | free(messageBuffer); 337 | } 338 | 339 | const CumButton = new NativeFunction(base.add(0xEE428), 'int', []); 340 | 341 | function createDebugButton() { 342 | let btn = malloc(300); 343 | new NativeFunction(base.add(0x2AD55C), 'void', ['pointer'])(btn); 344 | let movieClip = new NativeFunction(base.add(0x622BA0), 'pointer', ['pointer', 'pointer', 'bool'])(strPtr("sc/debug.sc"), strPtr("debug_button"), 1); 345 | new NativeFunction(base.add(0x2093CC), 'void', ['pointer', 'pointer'])(btn, movieClip); 346 | 347 | StageAdd(base.add(stage_offset).readPointer(), btn); 348 | new NativeFunction(base.add(0x2BAC08), 'void', ['pointer', 'float', 'float'])(btn, 30, 560); 349 | fSetText(btn, createStringObject("D")); 350 | 351 | let debug = malloc(300); 352 | new NativeFunction(base.add(0x2AD55C), 'void', ['pointer'])(debug); 353 | let movieCliper = new NativeFunction(base.add(0x622BA0), 'pointer', ['pointer', 'pointer', 'bool'])(strPtr("sc/debug.sc"), strPtr("debug_menu"), 1); 354 | new NativeFunction(base.add(0x2093CC), 'void', ['pointer', 'pointer'])(debug, movieCliper); 355 | 356 | new NativeFunction(base.add(0x2BAC08), 'void', ['pointer', 'float', 'float'])(debug, 700, 0); 357 | 358 | let close = malloc(300); 359 | new NativeFunction(base.add(0x2AD55C), 'void', ['pointer'])(close); 360 | let movieCliperrrrrr = new NativeFunction(base.add(0x622BA0), 'pointer', ['pointer', 'pointer', 'bool'])(strPtr("sc/debug.sc"), strPtr("debug_button"), 0); 361 | new NativeFunction(base.add(0x2093CC), 'void', ['pointer', 'pointer'])(close, movieCliperrrrrr); 362 | 363 | new NativeFunction(base.add(0x2BAC08), 'void', ['pointer', 'float', 'float'])(close, 965, 60); 364 | fSetText(close, createStringObject("Close")); 365 | 366 | let pop = malloc(300); 367 | new NativeFunction(base.add(0x2AD55C), 'void', ['pointer'])(pop); 368 | let movieCliperrrrrrr = new NativeFunction(base.add(0x622BA0), 'pointer', ['pointer', 'pointer', 'bool'])(strPtr("sc/debug.sc"), strPtr("debug_menu_button"), 1); 369 | new NativeFunction(base.add(0x2093CC), 'void', ['pointer', 'pointer'])(pop, movieCliperrrrrrr); 370 | 371 | new NativeFunction(base.add(0x2BAC08), 'void', ['pointer', 'float', 'float'])(pop, 800, 0); 372 | fSetText(pop, createStringObject("Debug Menu")); 373 | 374 | let cummode = malloc(300); 375 | new NativeFunction(base.add(0x2AD55C), 'void', ['pointer'])(cummode); 376 | let movieCliperr = new NativeFunction(base.add(0x622BA0), 'pointer', ['pointer', 'pointer', 'bool'])(strPtr("sc/debug.sc"), strPtr("debug_menu_item"), 0); 377 | new NativeFunction(base.add(0x2093CC), 'void', ['pointer', 'pointer'])(cummode, movieCliperr); 378 | 379 | new NativeFunction(base.add(0x2BAC08), 'void', ['pointer', 'float', 'float'])(cummode, 860, 100); 380 | fSetText(cummode, createStringObject("Next Camera Mode")); 381 | 382 | cache.buttonInterceptor = Interceptor.attach(base.add(0x46DB0C), { 383 | onEnter(args) { 384 | if (args[0].toInt32() == btn.toInt32()) { 385 | StageAdd(base.add(stage_offset).readPointer(), debug); 386 | StageAdd(base.add(stage_offset).readPointer(), cummode); 387 | StageAdd(base.add(stage_offset).readPointer(), close); 388 | StageAdd(base.add(stage_offset).readPointer(), pop); 389 | } 390 | if (args[0].toInt32() == close.toInt32()) { 391 | StageRemove(base.add(stage_offset).readPointer(), debug); 392 | StageRemove(base.add(stage_offset).readPointer(), close); 393 | StageRemove(base.add(stage_offset).readPointer(), cummode); 394 | StageRemove(base.add(stage_offset).readPointer(), pop); 395 | } 396 | if (args[0].toInt32() == cummode.toInt32()) { 397 | CumButton(); 398 | } 399 | } 400 | }); 401 | } 402 | -------------------------------------------------------------------------------- /v36.218.js: -------------------------------------------------------------------------------- 1 | //this script was made by bread, but im NOT SURE IN THAT. 2 | 3 | const Armceptor = { 4 | replace(ptr, arr) { 5 | Memory.protect(ptr, arr.length, "rwx"); 6 | Memory.writeByteArray(ptr, arr); 7 | Memory.protect(ptr, arr.length, "rx"); 8 | }, 9 | nop(ptr) { 10 | Armceptor.replace(ptr, [0x00, 0xF0, 0x20, 0xE3]); 11 | }, 12 | ret(ptr) { 13 | Armceptor.replace(ptr, [0x1E, 0xFF, 0x2F, 0xE1]); 14 | } 15 | } 16 | 17 | 18 | function connect(address) { 19 | const base = Module.findBaseAddress('libg.so'); 20 | const ServerConnection_connectTo = base.add(0x4F87E4); 21 | 22 | Interceptor.attach(ServerConnection_connectTo, { 23 | onEnter(args) { 24 | if (args[1].add(8).readPointer().readUtf8String() === "game.brawlstarsgame.com") { 25 | console.log("блять об прод споткнулся"); 26 | args[1].add(8).readPointer().writeUtf8String(address); 27 | initMessaging(); 28 | } 29 | } 30 | }); 31 | } 32 | 33 | function misc() { 34 | const base = Module.findBaseAddress('libg.so'); 35 | 36 | Interceptor.replace(base.add(0x4CB9E0), new NativeCallback(function() { 37 | return 1; 38 | }, 'int', [])); 39 | 40 | Interceptor.replace(base.add(0x7CC82C), new NativeCallback(function() { 41 | if (this.returnAddress.equals(base.add(0x910C34)) || this.returnAddress.equals(base.add(0x910BEC))) { 42 | return 0; 43 | } 44 | return 1; 45 | }, 'int', [])); 46 | 47 | Interceptor.attach(base.add(0x1E1B18), { // BattleScreen::shouldShowChatButton 48 | onLeave(retval) { 49 | retval.replace(1); 50 | } 51 | }); 52 | 53 | Interceptor.attach(base.add(0x517310), { // HomePage::shouldShowTeamItems 54 | onLeave(retval) { 55 | retval.replace(1); 56 | } 57 | }); 58 | 59 | Interceptor.attach(base.add(0x511000), { 60 | onEnter(args) { 61 | args[3] = ptr(3); 62 | } 63 | }); 64 | } 65 | 66 | function hook() { 67 | const base = Module.findBaseAddress('libg.so'); 68 | 69 | const receiveMessage =Interceptor.attach(base.add(0x3642A0), { // MessageManager::receiveMessage 70 | onEnter(args) { 71 | const message = args[1]; 72 | const messageType = new NativeFunction(Memory.readPointer(Memory.readPointer(message).add(20)), 'int', ['pointer'])(message); 73 | if (messageType === 20104) { 74 | misc(); 75 | receiveMessage.detach(); 76 | } 77 | } 78 | }); 79 | } 80 | 81 | function initMessaging() { 82 | const base = Module.findBaseAddress('libg.so'); 83 | 84 | Armceptor.ret(base.add(0x81D7D4)); // Messaging::decryptData 85 | Interceptor.attach(base.add(0x6707F4), { // Messaging::sendPepperAuthentication 86 | onEnter(args) { 87 | this.messaging = args[0]; 88 | args[0].add(16).writeU32(5); 89 | args[1] = args[2]; 90 | }, 91 | onLeave(re) { 92 | this.messaging.add(16).writeU32(5); 93 | } 94 | }); 95 | Interceptor.attach(base.add(0x2174A4), function() { // Messaging::encryptAndWrite 96 | this.context.r0 = 0x2774; 97 | }); 98 | } 99 | 100 | 101 | function destroy_protections() { 102 | const base = Module.findBaseAddress('libg.so'); 103 | const createGameInstanceJump = base.add(0x33CC04); 104 | const createGameInstanceClean = base.add(0x33CC80); 105 | const loginMessageEncodeJump = base.add(0x493304); 106 | const loginMessageEncodeClean = base.add(0x493EA8); 107 | const inputSystemUpdateJump = base.add(0x68DE6C); 108 | const inputSystemUpdateClean = base.add(0x68EE94); 109 | const gameMainCtorJump = base.add(0x66DCEC); 110 | const gameMainCtorClean = base.add(0x66E0A0); 111 | const combatHUDUltiButtonActivatedJump = base.add(0x7D8858); 112 | const combatHUDUltiButtonActivatedClean = base.add(0x7D8C34); 113 | const messagingConnectJump = base.add(0x39AD0C); 114 | const messagingConnectClean = base.add(0x39C55C); 115 | const resourceManagerInitJump = base.add(0x68A718); 116 | const resourceManagerInitClean = base.add(0x68B1F8); 117 | const openat = Module.findExportByName(null, 'openat'); 118 | 119 | 120 | Interceptor.attach(createGameInstanceJump, function() { 121 | console.log("а негры тоже пидорасы x1"); 122 | this.context.r0 = createGameInstanceClean; 123 | }); 124 | 125 | Interceptor.attach(gameMainCtorJump, function() { 126 | console.log("а негры тоже пидорасы x2"); 127 | this.context.r0 = gameMainCtorClean; 128 | }); 129 | 130 | Interceptor.attach(inputSystemUpdateJump, function() { 131 | console.log("а негры тоже пидорасы x3"); 132 | this.context.r0 = inputSystemUpdateClean; 133 | }); 134 | 135 | Interceptor.attach(resourceManagerInitJump, function() { 136 | console.log("а негры тоже пидорасы x4"); 137 | this.context.r0 = resourceManagerInitClean; 138 | }); 139 | 140 | /*Interceptor.attach(messagingConnectJump, function() { DO NOT TOUCH 141 | console.log("а негры тоже пидорасы x6"); 142 | this.context.r0 = messagingConnectClean; 143 | });*/ 144 | 145 | Interceptor.attach(loginMessageEncodeJump, function() { 146 | console.log("а негры тоже пидорасы x5"); 147 | this.context.r0 = loginMessageEncodeClean; 148 | }); 149 | 150 | Interceptor.attach(combatHUDUltiButtonActivatedJump, function() { 151 | console.log("а негры тоже пидорасы x6"); 152 | this.context.r0 = combatHUDUltiButtonActivatedClean; 153 | }); 154 | 155 | Interceptor.replace(base.add(0x8339F4), new NativeCallback(function() {}, 'void', ['int'])); // AntiCheat::guard_callback 156 | 157 | Interceptor.replace(base.add(0x6B7CD0), new NativeCallback(function() { // AntiCheat::getAntihackFlags 158 | return 0; 159 | }, 'int', [])); 160 | 161 | Interceptor.replace(openat, new NativeCallback(function() { // openat 162 | return 0; 163 | }, 'int', [])); 164 | } 165 | 166 | function init() { 167 | destroy_protections(); 168 | connect("127.0.0.1"); // ip 169 | hook(); 170 | console.log("Successfully injected!"); 171 | } 172 | 173 | rpc.exports.init = init; 174 | --------------------------------------------------------------------------------