
Help! Finding critical function that affects health

Lan.tw

Platinian
I'm working on a Unity game with il2cpp. I've successfully dumped il2cpp and got Assembly-CSharp. However, I can't find the function that affects health. Are there any ways to find functions efficiently besides searching?
Game: Azur Lane
PS. This game comes with xapk (apk + obb)
 
I've looked up some tutorials on the internet for hooking Lua, but it seems like this game isn't based on Lua. I checked in dnSpy, and yes, it has LuaDLL in it. However, when I tried to hook the methods, nothing was found.
 
In addition, I tried hooking all Java methods and printing out the function name when they are called; it seems that the Java code only handles the network socket. I don't even see any Lua or JNI related Java method being executed. I'm guessing that besides the network-oriented process, all the other execution is in Lua, but when and how is the Lua loaded?
 

@CodeJutsu is correct, Azur Lane is Lua; dnSpy is only showing you data from il2cpp.so. While it does mention Lua, it's still the binary file for UnityEngine, so the Lua stuff you are seeing in dnSpy could be just some stuff for Lua and Unity to communicate with each other. Azur Lane stores the Lua scripts packed together and encrypted in the obb.

Open the obb and go into assets/AssetBundles/, then scroll down and you will see the script files. There are 2 files, one for 32 bit and another for 64 bit.
There is also a "libtolua.so" binary in the libs folder, which is the lib that loads the Lua files; you can see this by hooking the function luaL_loadbufferx in libtolua.so and logging the function's parameters.
JavaScript:
// int luaL_loadbufferx(lua_State *L, const char *buff, size_t sz, const char *name, const char *mode);
Interceptor.attach(Module.findExportByName("libtolua.so", 'luaL_loadbufferx'), {
    onEnter: function (args) {
        // args[0] is the lua_State pointer; the buffer, its size and the chunk name follow.
        var fileBytesAddress = args[1];
        var fileSize = args[2].toInt32();
        var fileName = args[3].readUtf8String();

        console.log(`File ${fileName} is at ${fileBytesAddress} with file size ${fileSize}.`);
    },
    onLeave: function (retval) {
        // Nothing to do on return.
    },
});
Once the game is loading you should very quickly see messages logging.
 

That's the easiest part, getting the files. Last time I checked, Azur Lane uses LuaJit but with scrambled opcodes, and there are a few potential ways to mod it:
1- dumping opcodes with the right order and making a decompiler to decompile files

2- hooking the Lua state, hijacking the Lua state, and doing whatever you want, from dumping globals to functions and variables, and hooking these functions to mod the game

There are a lot of other ways, but they are more complicated
 
still need some time to learn though.

Good luck!

Do note though, Azur Lane isn't a great starting point for Lua. Like CodeJutsu said, they use LuaJit, so even if you dump the Lua files (which you can do through luaL_loadbuffer) you still won't get readable Lua. There are LuaJit decompilers, for example on GitHub, but again, like CodeJutsu said, if they are modifying the opcode order in the Lua virtual machine, the standard decompilers likely won't work with Azur Lane's LuaJit files.