Mono Disector JIT Boolean Always True

ZixMatrix · Post by **ZixMatrix** » Sun Feb 19, 2023 3:38 pm

so i have this kind boolean property from mono disector
i want to set it to "TRUE"
how to do it using code injection ?
please care to explain it, i still can't understand assembly / code injection
thanks

Code: Select all

GWUserData.IsChatTitleUnlocked - 55                    - push ebp
GWUserData.IsChatTitleUnlocked+1- 8B EC                 - mov ebp,esp
GameAssembly.dll+661923        - 80 3D A5512062 00     - cmp byte ptr [GameAssembly.dll+1B651A5],00 { (0),0 }
GameAssembly.dll+66192A        - 75 1E                 - jne GameAssembly.dll+66194A
GameAssembly.dll+66192C        - 68 B8901362           - push GameAssembly.dll+1A990B8 { (-2.13) }
GameAssembly.dll+661931        - E8 3A67B5FF           - call GameAssembly.dll+1B8070
GameAssembly.dll+661936        - 68 28921362           - push GameAssembly.dll+1A99228 { (-2.13) }
GameAssembly.dll+66193B        - E8 3067B5FF           - call GameAssembly.dll+1B8070
GameAssembly.dll+661940        - 83 C4 08              - add esp,08 { 8 }
GameAssembly.dll+661943        - C6 05 A5512062 01     - mov byte ptr [GameAssembly.dll+1B651A5],01 { (0),1 }
GameAssembly.dll+66194A        - 83 7D 0C FF           - cmp dword ptr [ebp+0C],-01 { 255 }
GameAssembly.dll+66194E        - 74 63                 - je GameAssembly.dll+6619B3
GameAssembly.dll+661950        - 56                    - push esi
GameAssembly.dll+661951        - 8B 75 08              - mov esi,[ebp+08]
GameAssembly.dll+661954        - 83 BE 7C040000 00     - cmp dword ptr [esi+0000047C],00 { 0 }
GameAssembly.dll+66195B        - 74 51                 - je GameAssembly.dll+6619AE
GameAssembly.dll+66195D        - 57                    - push edi
GameAssembly.dll+66195E        - 8D 45 0C              - lea eax,[ebp+0C]
GameAssembly.dll+661961        - 6A 00                 - push 00 { 0 }
GameAssembly.dll+661963        - 50                    - push eax
GameAssembly.dll+661964        - E8 B7796900           - call GameAssembly.dll+CF9320
GameAssembly.dll+661969        - 8B 8E 7C040000        - mov ecx,[esi+0000047C]
GameAssembly.dll+66196F        - 83 C4 08              - add esp,08 { 8 }
GameAssembly.dll+661972        - 8B F8                 - mov edi,eax
GameAssembly.dll+661974        - 85 C9                 - test ecx,ecx
GameAssembly.dll+661976        - 74 3F                 - je GameAssembly.dll+6619B7
GameAssembly.dll+661978        - FF 35 B8901362        - push [GameAssembly.dll+1A990B8] { (-2.13) }
GameAssembly.dll+66197E        - 57                    - push edi
GameAssembly.dll+66197F        - 51                    - push ecx
GameAssembly.dll+661980        - E8 FB95AF00           - call GameAssembly.dll+115AF80
GameAssembly.dll+661985        - 83 C4 0C              - add esp,0C { 12 }
GameAssembly.dll+661988        - 84 C0                 - test al,al
GameAssembly.dll+66198A        - 75 04                 - jne GameAssembly.dll+661990
GameAssembly.dll+66198C        - 5F                    - pop edi
GameAssembly.dll+66198D        - 5E                    - pop esi
GameAssembly.dll+66198E        - 5D                    - pop ebp
GameAssembly.dll+66198F        - C3                    - ret 
GameAssembly.dll+661990        - 8B 86 7C040000        - mov eax,[esi+0000047C]
GameAssembly.dll+661996        - 85 C0                 - test eax,eax
GameAssembly.dll+661998        - 74 1D                 - je GameAssembly.dll+6619B7
GameAssembly.dll+66199A        - FF 35 28921362        - push [GameAssembly.dll+1A99228] { (-2.13) }
GameAssembly.dll+6619A0        - 57                    - push edi
GameAssembly.dll+6619A1        - 50                    - push eax
GameAssembly.dll+6619A2        - E8 496EF500           - call GameAssembly.dll+15B87F0
GameAssembly.dll+6619A7        - 83 C4 0C              - add esp,0C { 12 }
GameAssembly.dll+6619AA        - 5F                    - pop edi
GameAssembly.dll+6619AB        - 5E                    - pop esi
GameAssembly.dll+6619AC        - 5D                    - pop ebp
GameAssembly.dll+6619AD        - C3                    - ret 
GameAssembly.dll+6619AE        - 32 C0                 - xor al,al
GameAssembly.dll+6619B0        - 5E                    - pop esi
GameAssembly.dll+6619B1        - 5D                    - pop ebp
GameAssembly.dll+6619B2        - C3                    - ret 
GameAssembly.dll+6619B3        - B0 01                 - mov al,01 { 1 }
GameAssembly.dll+6619B5        - 5D                    - pop ebp
GameAssembly.dll+6619B6        - C3                    - ret

Post by **Messy6666** » Sun Feb 19, 2023 4:24 pm

ZixMatrix wrote: ↑
Sun Feb 19, 2023 3:38 pm
so i have this kind boolean property from mono disector
i want to set it to "TRUE"
how to do it using code injection ?
please care to explain it, i still can't understand assembly / code injection
thanks

ofc this is rly hard to say this way
but seeing the end of the function

Code: Select all

GWUserData.IsChatTitleUnlocked - 55                    - push ebp
GWUserData.IsChatTitleUnlocked+1- 8B EC                 - mov ebp,esp
....
....
GameAssembly.dll+6619AE        - 32 C0                 - xor al,al <<<<<<------- AL = 0 = FALSE
GameAssembly.dll+6619B0        - 5E                    - pop esi
GameAssembly.dll+6619B1        - 5D                    - pop ebp
GameAssembly.dll+6619B2        - C3                    - ret 
GameAssembly.dll+6619B3        - B0 01                 - mov al,01 { 1 } <<<<---- AL = 1 = TRUE
GameAssembly.dll+6619B5        - 5D                    - pop ebp
GameAssembly.dll+6619B6        - C3                    - ret

the return value is in AL ( 0 = false, 1 = true , see <<<<------)

so to always return true
modifiy the begin of the function:

Code: Select all

GWUserData.IsChatTitleUnlocked:
 mov al, 1  // AL = true
 ret            //  return TRUE

or change the
xor al, al
into
mov al, 01

But i am not sure about that because there's a return also above those.

again... hard to say of this will work this way for your game
it's only theoretical

-edit-
ps.
if this is the boolean GameAssembly.dll+1B651A5:

Code: Select all

GWUserData.IsChatTitleUnlocked:
 mov al, 1  // AL = true
 mov  [GameAssembly.dll+1B651A5], al	/// <<--- set to TRUE
 ret            //  return TRUE

it will set it to true

ZixMatrix · Post by **ZixMatrix** » Sun Feb 19, 2023 6:44 pm

Messy6666 wrote: ↑
Sun Feb 19, 2023 4:24 pm

ZixMatrix wrote: ↑
Sun Feb 19, 2023 3:38 pm
so i have this kind boolean property from mono disector
i want to set it to "TRUE"
how to do it using code injection ?
please care to explain it, i still can't understand assembly / code injection
thanks
ofc this is rly hard to say this way
but seeing the end of the function
Code: Select all
GWUserData.IsChatTitleUnlocked - 55                    - push ebp
GWUserData.IsChatTitleUnlocked+1- 8B EC                 - mov ebp,esp
....
....
GameAssembly.dll+6619AE        - 32 C0                 - xor al,al <<<<<<------- AL = 0 = FALSE
GameAssembly.dll+6619B0        - 5E                    - pop esi
GameAssembly.dll+6619B1        - 5D                    - pop ebp
GameAssembly.dll+6619B2        - C3                    - ret 
GameAssembly.dll+6619B3        - B0 01                 - mov al,01 { 1 } <<<<---- AL = 1 = TRUE
GameAssembly.dll+6619B5        - 5D                    - pop ebp
GameAssembly.dll+6619B6        - C3                    - ret 
the return value is in AL ( 0 = false, 1 = true , see <<<<------)

so to always return true
modifiy the begin of the function:
Code: Select all
GWUserData.IsChatTitleUnlocked:
 mov al, 1  // AL = true
 ret            //  return TRUE
or change the
xor al, al
into
mov al, 01

But i am not sure about that because there's a return also above those.

again... hard to say of this will work this way for your game
it's only theoretical

-edit-
ps.
if this is the boolean GameAssembly.dll+1B651A5:
Code: Select all
GameAssembly.dll+661923        - 80 3D A5512062 00     - cmp byte ptr [GameAssembly.dll+1B651A5],00 { (0),0 }
GameAssembly.dll+66192A        - 75 1E                 - jne GameAssembly.dll+66194A
you can also replace
Code: Select all
GameAssembly.dll+66192A        - 75 1E                 - jne GameAssembly.dll+66194A
with
Code: Select all
nop
nop
it will set it to true

thanks for your really detail and simple explanation
my problem is im not familiar with cheat engine (advance cheating), but if android hacking im still can do it by myself (game available for pc and mobile and both is made from unity)

again thank you very much

ZixMatrix · Post by **ZixMatrix** » Sun Feb 19, 2023 7:05 pm

Messy6666 wrote: ↑
Sun Feb 19, 2023 4:24 pm

-edit-
ps.
if this is the boolean GameAssembly.dll+1B651A5:
Code: Select all
GWUserData.IsChatTitleUnlocked:
 mov al, 1  // AL = true
 mov  [GameAssembly.dll+1B651A5], al	/// <<--- set to TRUE
 ret            //  return TRUE
it will set it to true

can you help me to explain what Dark Byte mean in this thread ?
[Link]
thanks

ZixMatrix · Post by **ZixMatrix** » Sun Feb 19, 2023 7:08 pm

Messy6666 wrote: ↑
Sun Feb 19, 2023 4:24 pm
Code: Select all
GWUserData.IsChatTitleUnlocked:
 mov al, 1  // AL = true
 ret            //  return TRUE

this is works
thanks

Toga · Post by **Toga** » Mon Feb 20, 2023 9:55 pm

ZixMatrix wrote: ↑
Sun Feb 19, 2023 7:05 pm
...
can you help me to explain what Dark Byte mean in this thread ?
[Link]
thanks

same logic but now using variables on the stack
i.e. function parameters / local variables

best to ask the op of that post ( i am nowhere his knowledge )

FearLess Cheat Engine

Mono Disector JIT Boolean Always True

Mono Disector JIT Boolean Always True

Re: Mono Disector JIT Boolean Always True

Re: Mono Disector JIT Boolean Always True

Re: Mono Disector JIT Boolean Always True

Re: Mono Disector JIT Boolean Always True

Re: Mono Disector JIT Boolean Always True

Who is online