Help! Need help on codestage anticheat on a il2cpp encrypted game.

ghostroy12

Platinian
Original poster
Apr 4, 2019
netherlands
Hello,

I was told to post the question here.
I have been following tutorials and modded some games using C#, but now I am looking into il2cpp encrypted games.
The game in this example is Archero.
I used dnSpy to find the methods that I want to change, but they are encrypted with obscured values from the CodeStage anticheat kit.

Questions:
- The methods (e.g. health) refer to an anticheat instruction, which turns the value into an obscured value. How do I change or reverse this value?
Code:
// Token: 0x1700015B RID: 347
// (get) Token: 0x060018EF RID: 6383 RVA: 0x00005940 File Offset: 0x00003B40
// (set) Token: 0x060018F0 RID: 6384 RVA: 0x00002053 File Offset: 0x00000253
[Token(Token = "0x17000109")]
public ObscuredLong CurrentEnergy
{
    [Token(Token = "0x60015D5")]
    [Address(RVA = "0x893FD8", Offset = "0x893FD8", VA = "0x893FD8")]
    get
    {
        return default(ObscuredLong);
    }
    [Token(Token = "0x60015D6")]
    [Address(RVA = "0x893FF8", Offset = "0x893FF8", VA = "0x893FF8")]
    set
    {
    }
}
- I've tried decompiling and then recompiling the APK, but it got stuck on a white screen (without changing any files).
Would there be some kind of function in the anticheat that is causing this?

I'm sorry if this sounds like a noob question, but I've been stuck here for several days and I really want to learn modding these kinds of games.
Thanks in advance!

Yaskashije

PMT Elite Modder
Staff member
Modding-Team
Sep 9, 2018
Minkowski Space
@Yaskashije I believe you said to reverse the function in IDA?
Yes

I've tried decompiling and then recompiling the APK, but it got stuck on a white screen (without changing any files).
Would there be some kind of function in the anticheat that is causing this?
Never tried that game myself, but good chances your assumption is correct.

ghostroy12

Platinian
Original poster
Apr 4, 2019
netherlands
So, for example, if I were to find a method that RemovesEnergy from the player object, would I only need to get the offset, hex search it in hxeditor and change it to false?
(Would it be unlikely that the anticheat system compares values afterwards?)

Never tried that game myself, but good chances your assumption is correct.
After some more trial and error I found out that the white screen was caused because a certificate was lost during decompiling and recompiling/signing the APK. I finally got it to work by extracting and zipping the APK instead.

Thanks for the help, by the way.

Yaskashije

PMT Elite Modder
Staff member
Modding-Team
Sep 9, 2018
Minkowski Space
So, for example, if I were to find a method that RemovesEnergy from the player object, would I only need to get the offset, hex search it in hxeditor and change it to false?
(Would it be unlikely that the anticheat system compares values afterwards?)
CodeStage Anticheat is a joke and I'd not be surprised if that were to work.
Test and try stuff, that's how you learn new things when modding.
If nothing ends up working, you can always use IDA.

pl0nk

Platinian
Jul 13, 2021
Jakarta
CodeStage used to have some hash checksum check against the DLLs and the APK signature, maybe check that too.

Tiahh

Solid & Active Platinian
Jan 12, 2018
A long should be an integer but longer, so you could try to use this function:
C++:
#include <stdint.h>

/*
Set the real value of an ObscuredInt.
Parameters:
    - location: the location of the ObscuredInt
    - value: the value we're setting the ObscuredInt to
*/
void SetObscuredIntValue(uint64_t location, int value){
    int cryptoKey = *(int *)location;              /* the XOR key sits at offset 0 */

    *(int *)(location + 0x4) = value ^ cryptoKey;  /* the obscured value sits at offset 4 */
}
This should work fine and you will get the value that you want.

MrTas

Rookie
Apr 14, 2018
Australia
I have found with CodeStage that a basic 0 return on activate anticheat helped with a couple of games on the checksum. It was a stab in the dark when I tried it but it worked. Good work on finding and pinpointing your own question.

ziz59

Approved Modder
Nov 7, 2020
fr
A long should be an integer but longer, so you could try to use this function:
C++:
#include <stdint.h>

/*
Set the real value of an ObscuredInt.
Parameters:
    - location: the location of the ObscuredInt
    - value: the value we're setting the ObscuredInt to
*/
void SetObscuredIntValue(uint64_t location, int value){
    int cryptoKey = *(int *)location;              /* the XOR key sits at offset 0 */

    *(int *)(location + 0x4) = value ^ cryptoKey;  /* the obscured value sits at offset 4 */
}
This should work fine and you will get the value that you want.

I actually tested this method to do the GET or to do the SET, but each time the game crashes when I activate the toggle in my menu. Are there functions specific to NOP?

Tiahh

Solid & Active Platinian
Jan 12, 2018
I actually tested this method to do the GET or to do the SET, but each time the game crashes when I activate the toggle in my menu. Are there functions specific to NOP?
Try to use this function instead:

C++:
#include <stdint.h>

/* union used to reinterpret the bits of a float as an int and back */
typedef union {
    int i;
    float f;
} intfloat;

/*
Set the real value of an ObscuredFloat.
Parameters:
    - location: the location of the ObscuredFloat
    - value: the value we're setting the ObscuredFloat to
*/
void SetObscuredFloatValue(uint64_t location, float value){
    int cryptoKey = *(int *)location;   /* the XOR key sits at offset 0 */

    /* use this intfloat to get the integer representation of our parameter value */
    intfloat IF;
    IF.f = value;

    /* use this intfloat to generate our hacked ObscuredFloat */
    intfloat IF2;
    IF2.i = IF.i ^ cryptoKey;

    *(float *)(location + 0x4) = IF2.f;   /* the obscured value sits at offset 4 */
}
This should work as intended, since a float is longer than an int.
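For the two ObscuredInt/ObscuredFloat helpers in this thread (Tiahh's posts above), an added example that is not code from the thread or from CodeStage: it models the key-at-offset-0 / payload-at-offset-4 layout as a toy struct, does the int and float round trips, and adds a hypothetical out-of-struct tamper tag so that a raw write to offset 4 is detectable by the game. The struct field names, the tag function and the sample values are assumptions.

```c
/* Added toy model of the obscured cell the thread describes: XOR key at offset 0,
 * (value ^ key) at offset 4. Field names, tag scheme and sample values are assumptions. */
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

typedef struct {
    int32_t key;     /* offset 0: XOR key, stored in the clear next to the data */
    int32_t hidden;  /* offset 4: value ^ key */
} ObscuredCell;

/* Hypothetical tamper tag kept outside the cell: a keyed mix of (key, hidden).
 * A write that bypasses obscured_set() leaves the stored tag stale. */
static uint32_t tag_of(const ObscuredCell *c, uint32_t secret) {
    uint32_t h = secret ^ 0x9E3779B9u;
    h = (h ^ (uint32_t)c->key) * 0x85EBCA6Bu;
    h = (h ^ (uint32_t)c->hidden) * 0xC2B2AE35u;
    return h ^ (h >> 16);
}

/* Legitimate setter: encode the value and refresh the tag. */
void obscured_set(ObscuredCell *c, uint32_t *tag, uint32_t secret, int32_t v) {
    c->hidden = v ^ c->key;
    *tag = tag_of(c, secret);
}
int32_t obscured_get(const ObscuredCell *c) { return c->hidden ^ c->key; }

/* Float variant: same cell, IEEE-754 bits reinterpreted via memcpy instead of
 * the thread's union so the type pun is well defined. */
void obscured_set_float(ObscuredCell *c, uint32_t *tag, uint32_t secret, float f) {
    int32_t bits; memcpy(&bits, &f, sizeof bits); obscured_set(c, tag, secret, bits);
}
float obscured_get_float(const ObscuredCell *c) {
    int32_t bits = obscured_get(c); float f; memcpy(&f, &bits, sizeof f); return f;
}
/* Integrity check a game loop could run: does the cell still match its tag? */
bool obscured_intact(const ObscuredCell *c, uint32_t tag, uint32_t secret) {
    return tag_of(c, secret) == tag;
}
/* Demo: a raw write to offset 4 (what the thread's helper does) changes the
 * decoded value but is caught by the tag check. Sample values are constructed. */
bool demo_detects_raw_write(void) {
    ObscuredCell c = { .key = 0x1234ABCD, .hidden = 0 };
    uint32_t tag = 0, secret = 0xDEADBEEFu;
    obscured_set(&c, &tag, secret, 100);
    if (obscured_get(&c) != 100 || !obscured_intact(&c, tag, secret)) return false;
    *(int32_t *)((uint8_t *)&c + 4) = 999999 ^ c.key;  /* bypasses obscured_set() */
    return obscured_get(&c) == 999999 && !obscured_intact(&c, tag, secret);
}
```

The tag only helps while its secret and storage live outside the cell; it turns a silent overwrite into something the game can notice, it does not make the XOR masking itself any stronger.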