Tutorial How to hook arrays in Unity's Il2cpp

[Numark]

Okay, so apparently I've been asked many times on how to modify arrays, not gonna get deep into this, but here we go.


First of all, you need a monoArray struct, which I will provide.

template <typename T>
struct monoArray
{
    void* klass;
    void* monitor;
    void* bounds;
    int   max_length;
    void* vector [1];
    int getLength()
    {
        return max_length;
    }
    T getPointer()
    {
        return (T)vector;
    }
};

Let's say you wanted to modify a Player List in a photon game, like getting other players?

When you use this Array, you need to make a hook for this.

monoArray<void *> *(*PhotonNetwork_get_OtherPlayers)() = (monoArray<void *> *(*)())il2cppAddress + 0x84EB8C;

To access players as an example, you can use this code to get a vector to the players.

auto photonplayers = PhotonNetwork_getOtherPlayers();

for (int i = 0; i < photonplayers->getLength(); ++i)
{
    auto photonplayer = photonplayers->getPointer()[i];
}

If whatever type the method is, change it if it's a void, int, bool, float, whatever it is.

Credits: Toshiro and Slice Cast

 

[hienngocloveyou]

Hi @
Tiuu

How about struct's member. Can you show me how to access member in struct.

Thanks

 

[nitchi zx]

Error' bro

 

[hienngocloveyou]

Error' bro

use
monoArray<void **> instead of monoArray<void *>

 

[nitchi zx]

use
monoArray<void **> instead of monoArray<void *>

Not working, error'

 

[hienngocloveyou]

Not working, error'

In my case work. You must find what are your problem. Check your code carefully

 

[asdf101]

Can you help me with List<>. I dont know how to hook that

// RVA: 0x140D26C Offset: 0x140D26C VA: 0x140D26C
    public static List<RemotePlayer> GetRemotePlayers(Predicate<RemotePlayer> predicate) { }

 

[hienngocloveyou]

Can you help me with List<>. I dont know how to hook that

// RVA: 0x140D26C Offset: 0x140D26C VA: 0x140D26C
    public static List<RemotePlayer> GetRemotePlayers(Predicate<RemotePlayer> predicate) { }

Use this link

UnityStuff/Unity.h at master · kp7742/UnityStuff

A collection of structs and other useful things for hacking 64 bit iOS Unity games - kp7742/UnityStuff

github.com

You can find the struct monoList in that page.

Regards,

 

[asdf101]

I mean how can you get the predicate<playerbase> because you need it in order for the hook to work correctly

 

[hienngocloveyou]

I mean how can you get the predicate<playerbase> because you need it in order for the hook to work correctly

You must make that object and reference to it

 

[asdf101]

Another question: I want to read c# list of strings

// RVA: 0x140C528 Offset: 0x140C528 VA: 0x140C528
    public static List<string> GetAllPlayersIdShuffled() { }

Is this how I should do it?

monoList<monoString> *(*GetPlayerIds)() = (monoList<monoString> *(*)()) getAbsoluteAddress(targetLibName, 0x140C528);
auto getplayerids = GetPlayerIds();

I dont know how to read it. Help please

 

[hienngocloveyou]

Another question: I want to read c# list of strings

// RVA: 0x140C528 Offset: 0x140C528 VA: 0x140C528
    public static List<string> GetAllPlayersIdShuffled() { }

Is this how I should do it?

monoList<monoString> *(*GetPlayerIds)() = (monoList<monoString> *(*)()) getAbsoluteAddress(targetLibName, 0x140C528);
auto getplayerids = GetPlayerIds();

I dont know how to read it. Help please

Please read document I posted above

 

[asdf101]

You must make that object and reference to it

In c# predicate class only returns boolean, true or false. Since it only returns that can you do this?

monoList<void**> *(*GetPlayers)(bool) = (monoList<void**> *(*)(bool)) getAbsoluteAddress(targetLibName, offset);

 

[Onlyfaris]

How to get player list in List< ?

 

[Baba44]

public void InitiatePurchase(Product product, string developerPayload) { }

In lgl menu how to hack this free store using monostring??

 

[imls01245]

How to hook this :

public Boards[] boards; // 0x54

i try to hook it like this: How to Hook Field List Offset

void (*_casMenuUpdate)(void *ins);
void casMenuUpdate(void *ins) {
    if (ins != NULL) {
        monoArray<void> *boards = *(monoArray<void>**)((uint64_t) ins + 0x54);
        if (boards != NULL) {
            for (int i = 0; i < boards->getLength(); i++) {
                auto board = (*void) boards->getPointer();
                board[i] = 0;
            }
        }
    }
}

But error arises: Expected "(" for function style cast or type construction

 

[quangcha]

Hi @
Tiuu

How about struct's member. Can you show me how to access member in struct.

Thanks

Have you done it with struct?

 

[Patients]

Thank you It's very helpful！

 

[Keqzi]

How I can get access to this class
public class RoomController // TypeDefIndex: 1420
{
// Fields
public Dictionary<int, PlayerInRoom> players; // 0x8
public ObscuredBool roomAccess; // 0xC
public ObscuredBool roomCarClassLock; // 0x18
public ObscuredBool roomCollisionCar; // 0x24
public ObscuredBool premiumAccess; // 0x30
public Maps roomMap; // 0x3C
public GameType roomGameType; // 0x40
public ObscuredString roomCarClass; // 0x44
public ObscuredString roomUpperClassLock; // 0x48
public ObscuredString roomLowerClassLock; // 0x4C
public ObscuredInt roomID; // 0x50
public ObscuredInt roomMaxPlayersCount; // 0x60
public ObscuredInt roomPlayersCount; // 0x70
public ObscuredInt roomConfigId; // 0x80
public ObscuredInt roomCID; // 0x90
public ObscuredString roomName; // 0xA0
public ObscuredString roomPass; // 0xA4

// Methods

// RVA: 0x1DCD19C Offset: 0x1DCD19C VA: 0x1DCD19C
public void .ctor() { }
}

Via another class RoomListController with Update Offset,and it's have field
public List<RoomController> rooms; // 0x114

I need to get ObscuredString roomPass and copy them to clipboard