Help! I need help. Hooking ObscuredInt types in LGL Mod Menu

[NotAWeeb!]

As resumed as possible:

Been dealing with a il2cpp game with particular protections. Pairip and codestage. Bypassed pairip for various reasons (mainly converting from XAPK to APK). Codestage doesn't seem to be stopping me from modding (or so it seems). Game has worked before with various hex patches, and also does with the Menu.

So the problem is probably at my hook code. I just don't know where or how.

Been learning hooking intensively and creating my first hooks, for the sake of modifying 3 different currencies from the game that are stored in public ObscuredInt types.

These are the ObscuredInt methods and its field offsets:

// RVA: 0x983F90 Offset: 0x983F90 VA: 0x983F90
public ObscuredInt get_Pickles() { }

// RVA: 0x85E1E4 Offset: 0x85E1E4 VA: 0x85E1E4
public ObscuredInt get_CurrentGold() { }

// RVA: 0x85E204 Offset: 0x85E204 VA: 0x85E204
public ObscuredInt get_CurrentGems() { }


//Fields

private ObscuredInt <Pickles>k__BackingField; // 0x18
private ObscuredInt <CurrentGold>k__BackingField; // 0x88
private ObscuredInt <CurrentGems>k__BackingField; // 0x98

Technically talking, offsets and field offsets seem to be the correct ones.

Down below, at the Spoiler, you'll find the screenshots of all my Main.cpp code.

I don't have much hooking experience. I don't know much about hooking Obscured types. I also don't have much experience with the LGL Menu, so I've been figuring new things out lately, now that I'm learning hooks.

My hooks just won't work to change the currencies. Game doesn't crash or anything after enabling the toggles of the currencies' hooks. Hooks apparently work fine, lib loads fine, toggling the hooks doesn't cause errors or related messages in the game... Everything seems fine, according to the logcat.

Don't really know why it doesn't work. Maybe it's just a dumb ass mistake, or the entire hooking code is wrong. I don't know C++ yet, but I can kind of understand what it does. I normally learn and copy code from various examples around sites like this forum, GitHub, YouTube tutorials and so on, and try to adapt it to my needs.


Please, help me out and teach me the ways. I'll seriously appreciate it.

P.D: Only the hex patch for Damage works. Not even the health (GodMode) float hook works.


Here's my code:

Spoiler: All the code

(...)

(...)

 

[mIsmanXP]

Why are you calling MSHook inside your hook? That's probably the problem?
And are you sure these functions you hooked actually get called?
Also how do you bypass pairip

 

[NotAWeeb!]

Why are you calling MSHook inside your hook? That's probably the problem?
Also how do you bypass pairip

I actually don't know where I'm supposed to call MSHook. Where do I have to put it?

Also, how do I know my hooked functions actually get called?

And I might probably upload a tutorial soon on how to bypass pairip. It's way easier than what you might expect

 

[mIsmanXP]

I actually don't know where I'm supposed to call MSHook. Where do I have to put it?

And I might probably upload a tutorial soon on how to bypass pairip. It's way easier than what you might expect

Remove it, my assumption is MSHook replace you hook with old hook, which makes your hook like it's never there (just my assumption tho)

Just modifying the smali is enough to bypass pairip? Or are you modifying libpairipcore?

 

[NotAWeeb!]

Remove it, my assumption is MSHook replace you hook with old hook, which makes your hook like it's never there (just my assumption tho)

Just modifying the smali is enough to bypass pairip? Or are you modifying libpairipcore?

I'll try two things: Just removing MSHookFunction in every hook. If that doesn't work, I'll move the MSHookFunction codes to *hack_thread, to be loaded right after the lib.

Also, to bypass pairip I don't even change a single smali or lib file It's very funny

Do you realize pairip lib and smali protections get called through AndroidManifest.xml, right?

So when you locate the pairip related text at AndroidManifest.xml, you can find the main pairip smali file (typically it's calling "com.pairip.application.Application"), so that means you can locate it ("com\pairip\application\Application.smali" at one of the smali_classes folder).

You don't even do anything with the main pairip smali file. Just look at the first lines of code, and locate the main game/app smali file that's referencing.

.class public Lcom/pairip/application/Application;
.super Landroid/app/Application;

As you can see, it's Landroid/app/Application;

So we just replace that "com.pairip.application.Application" by "android.app.Application" (it's important to make it readable to AndroidManifest.xml with the dots)

Last but not least, after compiling the APK, you just need to replace the CRC32 signature with the one that's from the original APK file without modification.

Repeat the CRC32 signature replacing procedure every time you do modifications to the APK, and you're good to go

 

[mIsmanXP]

MSHook is what HOOK macro do under the hood, so i don't think you need to call it again

And damn, that easy??

 

[mIsmanXP]

Also, how do I know my hooked functions actually get called?

Put LOGD inside your hook

 

[NotAWeeb!]

MSHook as what HOOK macro do under the hood, so i don't think you need to call it again

And damn, that easy??

Alright, I'll test it out and let you know. I'll also add the LOGD inside the hooks, that one is very useful as logcat clearly doesn't say shit
And yes, this bypass (if it can even be called like that, it's more like ignoring and not giving a fuck) even works with the latest pairip

 

[NotAWeeb!]

@mlmmanXP it didn't work :( it looks like it really isn't calling the hooks for some reason.

I just removed the MSHookFunctions and added the LOGD to the hooks.

Here I put one of the hooks as an example of what I did, just incase:

void(*old_Coins)(void *instance);
void Coins(void *instance) {
    LOGD("Coins hook called");
    if(featureHookToggle) {
        LOGD("Feature hook toggle is on");
        SetObscuredIntValue((uint32_t)instance + 0x88, 999999);
    }
    return old_Coins(instance);
}

What's the solution to the hooks not being called?

 

[mIsmanXP]

Try hooking another method from the same class, like Update method if there's any, since it's the same class, you should have access to that same field

 

[NotAWeeb!]

Try hooking another method from the same class, like Update method if there's any, since it's the same class, you should have access to that same field

You mean hooking these?

    // RVA: 0x8DAF78 Offset: 0x8DAF78 VA: 0x8DAF78
    private void UpdatePickles(int pickles) { }
  
    // RVA: 0xA6BDA4 Offset: 0xA6BDA4 VA: 0xA6BDA4
    private void UpdateCoins(int amount) { }
  
    // RVA: 0x912978 Offset: 0x912978 VA: 0x912978
    public void UpdateGems(int _) { }

I have to hook them as a void but returning a normal value, right?

Also, not even the float GodMode hook gets called. Why is it?

 

[mIsmanXP]

You mean hooking these?

    // RVA: 0x8DAF78 Offset: 0x8DAF78 VA: 0x8DAF78
    private void UpdatePickles(int pickles) { }
 
    // RVA: 0xA6BDA4 Offset: 0xA6BDA4 VA: 0xA6BDA4
    private void UpdateCoins(int amount) { }
 
    // RVA: 0x912978 Offset: 0x912978 VA: 0x912978
    public void UpdateGems(int _) { }

I have to hook them as a void but returning a normal value, right?

Also, not even the float GodMode hook gets called. Why is it?

You can probably try that.

The game probably just never call that function, or you haven't reach the stage where the game calls it

 

[mIsmanXP]

Are you modding pickle pete ?
Been trying to mod it but it has pairip

 

[NotAWeeb!]

You can probably try that.

The game probably just never call that function, or you haven't reach the stage where the game calls it

I've just coded every Update hook, so going to implement to the APK and test again.

I actually make sure it should have been called (because I'm using those currencies or something) before enabling the toggles. They still don't get called according to the logcat, so the Update hooks should be my saviour now.

 

[NotAWeeb!]

Are you modding pickle pete ?
Been trying to mod it but it has pairip

Yes, and yeah, I've heard something like that but I just "ignored" it

CodeStage is also supposed to be a joke of an anticheat, but it's making sure my weak ass hooking skills don't ever get to mod the currencies with the ObscuredInt shit methods

 

[mIsmanXP]

I actually make sure it should have been called (because I'm using those currencies or something) before enabling the toggles. They still don't get called according to the logcat, so the Update hooks should be my saviour now.

The fact that your hook doesn't get called means the game used other method to get the currencies, maybe it directly accesses the field instead of using/calling the getter/setter method, which is why your hook doesn't get called

 

[NotAWeeb!]

The fact that your hook doesn't get called means the game used other method to get the currencies, maybe it directly accesses the field instead of using/calling the getter/setter method, which is why your hook doesn't get called

Oof, that would be pretty bad, don't really know if you can hook field offsets directly if it was the case. And even still, why would the devs make the get_Pickles and the other currencies ObscuredInt types if they weren't going to use them to store the value? This is all so fucked up. Don't know if to laugh or to cry

 

[NotAWeeb!]

Btw, waiting for the APK to compile, then gonna test again. Let's see how the Update hooks go

 

[NotAWeeb!]

@mIsmanXP Oh dear lord. It looks like as soon as I pick up or get a pickle, the game freezes. I have a feeling that the responsible is CodeStage because it's somehow detecting a hook that directly goes to the holding value method.

I'm gonna go to bed, but I'll be working on it tomorrow. Thank you very much for helping me out. I'm going to top it all and create a killer mod menu, no matter how hard it is.

 

[mIsmanXP]

@mIsmanXP Oh dear lord. It looks like as soon as I pick up or get a pickle, the game freezes. I have a feeling that the responsible is CodeStage because it's somehow detecting a hook that directly goes to the holding value method.

I'm gonna go to bed, but I'll be working on it tomorrow. Thank you very much for helping me out. I'm going to top it all and create a killer mod menu, no matter how hard it is.

Good luck man