Unity Engine : Universal Background Unlocker

Upload *YOUR* gamehacking tools/helpers here
Post Reply
User avatar
cfemen
RCE Fanatics
RCE Fanatics
Posts: 870
Joined: Fri Feb 15, 2019 5:45 pm
Reputation: 1446

Unity Engine : Universal Background Unlocker

Post by cfemen »

Hey,

it bothered me a lot that unity games are always pause the complete process if the game is not focused.
maybe some table makers here can relate that, almost every unity game stops when you tab out to cheat engine or doing something else while the game loads...

i have created 2 scripts that should work as "universal background unlocker" :)
activate mono - execute the x64 or x86 script -> focus the game for a sec -> deactivate script and game should run in background.

if you want to reverse it:
push 0 for x86
mov ecx,0 for x64

X86:

Code: Select all

[ENABLE]
aobscanregion(activate,UnityEngine:Application:set_runInBackground,UnityEngine:Application:set_runInBackground+5,55)
aobscanregion(aobMono86,UnityEngine:Camera:get_clearFlags,UnityEngine:Camera:get_clearFlags+100,E8 ** ** ** ** **) // should be unique
alloc(newmem,$1000,aobMono86)

label(code)
label(return)

alloc(orig,5)
registersymbol(orig)

orig:
readmem(aobMono86,5)

newmem:

code:
  reassemble(aobMono86)
  mov eax,"UnityEngine:Application:set_runInBackground"
  push 1
  call eax
  pop eax
  jmp return

aobMono86:
  jmp newmem
return:
registersymbol(aobMono86)

[DISABLE]

aobMono86:
  readmem(orig,5)

unregistersymbol(aobMono86)
dealloc(newmem)
X64:

Code: Select all

[ENABLE]
aobscanregion(activate,UnityEngine:Application:set_runInBackground,UnityEngine:Application:set_runInBackground+5,55)
aobscanregion(aobMono64,UnityEngine:Camera:get_clearFlags,UnityEngine:Camera:get_clearFlags+100,0F 84 ** ** ** ** **) // should be unique
alloc(newmem,$1000,aobMono64)

label(code)
label(return)

alloc(orig64,6)
registersymbol(orig64)

orig64:
readmem(aobMono64,6)

newmem:

code:
  reassemble(aobMono64)
  mov ecx,1
  mov r11,"UnityEngine:Application:set_runInBackground"
  call r11
  jmp return

aobMono64:
  jmp newmem
  nop
return:
registersymbol(aobMono64)

[DISABLE]

aobMono64:
  readmem(orig64,6)

unregistersymbol(aobMono64)
dealloc(newmem)
thats it, maybe someone can need it :)
i tested it on 10+ unity games and it always worked

Edit:

i also did a script for IL2CPP Unity games :)

tested on 3 IL2CPP games now, and it worked perfectly.

note : script needs to stay activated

IL2CPP x64:

Code: Select all

[ENABLE]
aobscanmodule(aobILBackg,UnityPlayer.dll,E8 ** ** ** ** 48 85 C0 75 05 48 83 C4 28 C3 E8 ** ** ** ** 48 85 C0) 

aobILBackg+08:
  db 90 90
registersymbol(aobILBackg)

[DISABLE]

aobILBackg+08:
  db 75 05

unregistersymbol(aobILBackg)
Il2CPP X86:

Code: Select all

[ENABLE]
// universal run in background for mono + ilcpp x86

aobscanmodule(aobShouldRunInBackground,UnityPlayer.dll,E8 ** ** ** ** 85 C0 75 03 32 C0 C3 E8 ** ** *** 85 C0) 
alloc(origShould,3)
registersymbol(origShould)

origShould:
readmem(aobShouldRunInBackground,3)

aobShouldRunInBackground:
  db B0 01 C3

registersymbol(aobShouldRunInBackground)

[DISABLE]

aobShouldRunInBackground:
  readmem(origShould,3)

unregistersymbol(aobShouldRunInBackground)
Note : you can probably use the Il2CPP scripts also for newer Mono Games(Unity Version 2019 and higher), coz the inject point is in the native UnityPlayer.dll
Last edited by cfemen on Thu Jul 15, 2021 8:36 pm, edited 4 times in total.

GreenHouse
Expert Cheater
Expert Cheater
Posts: 857
Joined: Fri Oct 12, 2018 10:25 pm
Reputation: 889

Re: Unity Engine : Universal Background Unlocker

Post by GreenHouse »

This is amazing. It will surely be of so much help. Thanks :D

User avatar
Chiados
Fearless Furry
Fearless Furry
Posts: 317
Joined: Tue Apr 25, 2017 6:56 am
Reputation: 240

Re: Unity Engine : Universal Background Unlocker

Post by Chiados »

Niiice. Thanks a lot for this :D

JohnFK
Expert Cheater
Expert Cheater
Posts: 55
Joined: Tue Aug 29, 2017 10:50 am
Reputation: 24

Re: Unity Engine : Universal Background Unlocker

Post by JohnFK »

Why so complicated when you can just call it directly? (Need to mouse hover game window once after activating when its currently paused)

Code: Select all

{$lua}
local method = mono_findMethod('UnityEngine', 'Application', 'set_runInBackground')
local domain = mono_enumDomains()[1]
local args={}
args[1]={}
args[1].type=vtByte
args[1].value=1
mono_invoke_method(domain, method, 0, args)
{$asm}

User avatar
cfemen
RCE Fanatics
RCE Fanatics
Posts: 870
Joined: Fri Feb 15, 2019 5:45 pm
Reputation: 1446

Re: Unity Engine : Universal Background Unlocker

Post by cfemen »

JohnFK wrote:
Wed Dec 11, 2019 1:19 am
Why so complicated when you can just call it directly? (Need to mouse hover game window once after activating when its currently paused)

Code: Select all

{$lua}
local method = mono_findMethod('UnityEngine', 'Application', 'set_runInBackground')
local domain = mono_enumDomains()[1]
local args={}
args[1]={}
args[1].type=vtByte
args[1].value=1
mono_invoke_method(domain, method, 0, args)
{$asm}
nice!
i really didnt know that i can find a mono method and call it with lua

///

updated the main post with a script for IL2CPP games.

if someone is interested how it works:
Application.runInBackground writes to PlayerSettings
GetPlayerShouldRunInBackground reads from GetPlayerSetting

script injects at UnityPlayer.GetPlayerShouldRunInBackground and kills the jump check = always true.

i tested the script on 3 unity games with IL2CPP and own builds with unity version 2018,2019,2020
it always worked :)

User avatar
SvT
Table Makers
Table Makers
Posts: 586
Joined: Tue Dec 24, 2019 5:17 am
Reputation: 1834

Re: Unity Engine : Universal Background Unlocker

Post by SvT »

Maybe I'm doing something wrong, but I haven't been able to get this script working for several different games in the last few months. Seems that 'set_runInBackground' is stripped and there's only the 'get_runInBackground' method.

User avatar
cfemen
RCE Fanatics
RCE Fanatics
Posts: 870
Joined: Fri Feb 15, 2019 5:45 pm
Reputation: 1446

Re: Unity Engine : Universal Background Unlocker

Post by cfemen »

SovietWristwatch.jpg wrote:
Thu Jul 15, 2021 3:13 pm
Maybe I'm doing something wrong, but I haven't been able to get this script working for several different games in the last few months. Seems that 'set_runInBackground' is stripped and there's only the 'get_runInBackground' method.
I don't think you are doing something wrong, can you write me which Unity Engine Version is used for the games you mentioned? (executable fileversion = Unity Engine Version, or open the _Data\sharedassets.assets with NotePad+ to see the Engine Version )
Then i can compile some custom tests with it, or write me some of the games and i will look into it if i have the time :)

Edit: did you test the IL2CPP script?
the UnityPlayer code is native, it should also work for Mono Games ( the IL2CPP scripts injects at the UnityPlayer.GetPlayerShouldRunInBackground
function, which is called from UnityPlayer.MainMessageLoop)

i just tested the Il2CPP script on the 2021.1 unity version with a Mono-Backend, it worked :)

User avatar
SvT
Table Makers
Table Makers
Posts: 586
Joined: Tue Dec 24, 2019 5:17 am
Reputation: 1834

Re: Unity Engine : Universal Background Unlocker

Post by SvT »

cfemen wrote:
Thu Jul 15, 2021 6:57 pm
SovietWristwatch.jpg wrote:
Thu Jul 15, 2021 3:13 pm
Maybe I'm doing something wrong, but I haven't been able to get this script working for several different games in the last few months. Seems that 'set_runInBackground' is stripped and there's only the 'get_runInBackground' method.
I don't think you are doing something wrong, can you write me which Unity Engine Version is used for the games you mentioned? (executable fileversion = Unity Engine Version, or open the _Data\sharedassets.assets with NotePad+ to see the Engine Version )
Then i can compile some custom tests with it, or write me some of the games and i will look into it if i have the time :)
An example of a game where it's not working is The Falconeer on Unity version: 2019.4.23f1
Oddly enough I just downloaded a different game called Bloodroots that is also using 2019.4.23f1 but the script works in this one.

Only difference is that it appears the method 'set_runInBackground' is stripped from the first game.

User avatar
cfemen
RCE Fanatics
RCE Fanatics
Posts: 870
Joined: Fri Feb 15, 2019 5:45 pm
Reputation: 1446

Re: Unity Engine : Universal Background Unlocker

Post by cfemen »

SovietWristwatch.jpg wrote:
Thu Jul 15, 2021 7:36 pm

Only difference is that it appears the method 'set_runInBackground' is stripped from the first game.

sooo okay looked into it, my Native/Il2CPP method is working, i just needed to write it for x86:

Code: Select all


[ENABLE]
// universal run in background for mono + ilcpp x86 games with unity version 2019 or higher:

aobscanmodule(aobShouldRunInBackground,UnityPlayer.dll,E8 ** ** ** ** 85 C0 75 03 32 C0 C3 E8 ** ** *** 85 C0) 
alloc(origShould,3)
registersymbol(origShould)

origShould:
readmem(aobShouldRunInBackground,3)

aobShouldRunInBackground:
  db B0 01 C3

registersymbol(aobShouldRunInBackground)

[DISABLE]

aobShouldRunInBackground:
  readmem(origShould,3)

unregistersymbol(aobShouldRunInBackground)
it's working on Falconeer, this method should work for all Mono and ILC2PP games with Unity Version 2019 or higher.

BR
cfemen

User avatar
SvT
Table Makers
Table Makers
Posts: 586
Joined: Tue Dec 24, 2019 5:17 am
Reputation: 1834

Re: Unity Engine : Universal Background Unlocker

Post by SvT »

cfemen wrote:
Thu Jul 15, 2021 8:00 pm

sooo okay looked into it, my Native/Il2CPP method is working, i just needed to write it for x86:

Code: Select all


[ENABLE]
// universal run in background for mono + ilcpp x86 games with unity version 2019 or higher:

aobscanmodule(aobShouldRunInBackground,UnityPlayer.dll,E8 ** ** ** ** 85 C0 75 03 32 C0 C3 E8 ** ** *** 85 C0) 
alloc(origShould,3)
registersymbol(origShould)

origShould:
readmem(aobShouldRunInBackground,3)

aobShouldRunInBackground:
  db B0 01 C3

registersymbol(aobShouldRunInBackground)

[DISABLE]

aobShouldRunInBackground:
  readmem(origShould,3)

unregistersymbol(aobShouldRunInBackground)
it's working on Falconeer, this method should work for all Mono and ILC2PP games with Unity Version 2019 or higher.

BR
cfemen
Hmm can't seem to find that AOB. This is the Windows Store version - not that it should matter if it's the same version of Unity?

User avatar
cfemen
RCE Fanatics
RCE Fanatics
Posts: 870
Joined: Fri Feb 15, 2019 5:45 pm
Reputation: 1446

Re: Unity Engine : Universal Background Unlocker

Post by cfemen »

SovietWristwatch.jpg wrote:
Fri Jul 16, 2021 3:48 am

Hmm can't seem to find that AOB. This is the Windows Store version - not that it should matter if it's the same version of Unity?
Ahh Windows Store :mellow:

The game is compiled with [Link], and yes the AOBs are different with the UWP Backend.

If I have time i might compile some tests with UWP to look for the new AOBs, but i really don't like UWP/Windows-Store stuff :/

User avatar
igromanru
Table Makers
Table Makers
Posts: 241
Joined: Sat Mar 25, 2017 11:20 pm
Reputation: 381

Re: Unity Engine : Universal Background Unlocker

Post by igromanru »

Thanks for the scripts and info.
I'm trying to make a script for Deep Rock Galactic: Survivor to run in background, the game is using Unity 2022.3.7f1 and IL2CPP.
Sadly your AOB for IL2CPP doesn't work.
Do you know if UnityPlayer.GetPlayerShouldRunInBackground gets called somewhere in the GameAssembly.dll? I don't want to download the whole Unity Engine to get PDBs for it.

User avatar
cfemen
RCE Fanatics
RCE Fanatics
Posts: 870
Joined: Fri Feb 15, 2019 5:45 pm
Reputation: 1446

Re: Unity Engine : Universal Background Unlocker

Post by cfemen »

igromanru wrote:
Wed Feb 21, 2024 3:44 pm
Thanks for the scripts and info.
I'm trying to make a script for Deep Rock Galactic: Survivor to run in background, the game is using Unity 2022.3.7 and IL2CPP.
Sadly your AOB for IL2CPP doesn't work.
Do you know if UnityPlayer.GetPlayerShouldRunInBackground gets called somewhere in the GameAssembly.dll? I don't want to download the whole Unity Engine to get PDBs for it.
Hi,
(UnityEngine.CoreModule.dll) UnityEngine.Application.get_runInBackground should always be found ( the set_ method is not always reflected in newer versions )
then you can trace that to get the Application ptr and set the flag to 1:

quick script to set the flag without a hook:

Code: Select all

{$lua}
if syntaxcheck then return end
[ENABLE]
AutoAssemble([[
aobscanmodule(aobCheckApplicationFlag,UnityPlayer.dll,48 8B 05 ** ** ** ** 48 85 C0 74 08 0F B6 80 57 02 00 00 C3 C3)
registersymbol(aobCheckApplicationFlag)

label(pApplication)
registersymbol(pApplication)

aobCheckApplicationFlag+7+(DWORD)[aobCheckApplicationFlag+3]:
pApplication:
]])

local pApp = readPointer(getAddress("pApplication"))
writeBytes(pApp+0x257,0x1)

[DISABLE]

User avatar
igromanru
Table Makers
Table Makers
Posts: 241
Joined: Sat Mar 25, 2017 11:20 pm
Reputation: 381

Re: Unity Engine : Universal Background Unlocker

Post by igromanru »

I've found the "PlayerShouldRunInBackground" function for Unity 2022.3.X.
AOB:

Code: Select all

48 83 EC 28 48 83 3D ? ? ? ? ? 75 07
However, always returning true only let the Music play in the Background. I guess in my case Devs are using something like OnApplicationFocus to pause the game.

EDIT:
cfemen wrote:
Wed Feb 21, 2024 4:37 pm
Hi,
(UnityEngine.CoreModule.dll) UnityEngine.Application.get_runInBackground should always be found ( the set_ method is not always reflected in newer versions )
Thanks for the tip, I figured out that the Application.get_runInBackground method leads to UnityPlayer.Application_Get_Custom_PropRunInBackground and 0x257 is the runInBackground property offset.
Setting it to true works indeed.

Post Reply

Who is online

Users browsing this forum: shanerGT