sdk is working! test with ammo

4 years ago · b31c7bfce7
parent 5b0da954a1
commit b31c7bfce7
12 changed files with 192 additions and 95 deletions
--- a/ligma-cheat/ligma-cheat/SDK/Il2Cpp/Il2Cpp.cpp
+++ b/ligma-cheat/ligma-cheat/SDK/Il2Cpp/Il2Cpp.cpp
@ -3,6 +3,8 @@
 //

 #include "Il2Cpp.h"
+#include "../../ligma.h"
+
 // ========================================================================================================================================== //
 #define IL2CPP__TAG "Il2CppSdk"
 #define IL2CPP_LOGI(...) __android_log_print(ANDROID_LOG_INFO,IL2CPP__TAG,__VA_ARGS__)
@ -14,7 +16,7 @@ std::map<std::string, std::size_t> m_cacheFields;
 std::map<std::string, void*> m_cacheMethods;
 std::map<std::string, void*> m_cacheClasses;
 // ========================================================================================================================================== //
-namespace 
+namespace // all of this dog shit needs to be cleaned up...
 {
    const void *(*il2cpp_assembly_get_image)(const void *assembly);
    void *(*il2cpp_domain_get)();
@ -66,10 +68,12 @@ void *get_export_function(const char *lib, const char *name)
 }

 // ========================================================================================================================================== //
-#define GAME_LIB_ENGINE "libil2cpp.so"
 std::uintptr_t Il2CppBase()
 {
-    return reinterpret_cast<std::uintptr_t>(dlopen(GAME_LIB_ENGINE, RTLD_NOLOAD));
+    static const auto module_base =
+        ligma::utils::get_module_base("libil2cpp.so");
+
+    return module_base;
 }
 // ========================================================================================================================================== //
 typedef unsigned short UTF16;
@ -194,6 +198,7 @@ bool Il2Cpp::Attach(const char *libname)

    if (!(il2cpp_string_new_utf16 = (Il2CppString * (*)(const wchar_t*, size_t)) get_export_function(libname, "il2cpp_string_new_utf16")))
        return false;
+
    return true;
 }
 // ========================================================================================================================================== //
--- a/ligma-cheat/ligma-cheat/bypass/bypass.cpp
+++ b/ligma-cheat/ligma-cheat/bypass/bypass.cpp
@ -1,4 +1,6 @@
 #include "bypass.h"
+#include <link.h>
+#include <dlfcn.h>

 namespace ligma
 {
@ -15,11 +17,34 @@ namespace ligma
 			{
 				LOGI("libxlua.so base = %p", module_base);
 				ligma::hook::make_hook(
-					dlsym(reinterpret_cast<void*>(module_base), "luaL_loadbufferx"),
+					dlsym(dlopen("libxlua.so", RTLD_NOLOAD), "luaL_loadbufferx"),
 					reinterpret_cast<void*>(&load_bufferx_hook)
 				);
 			});

+			ligma::utils::on_image_load("libtersafe.so", [&](const std::uintptr_t module_base)
+			{
+				LOGI("libtersafe.so = %p", module_base);
+				ligma::hook::make_hook(
+					reinterpret_cast<void*>(module_base + offset_ischeat_packet),
+					reinterpret_cast<void*>(&tss_sdk_ischeatpacket)
+				);
+				ligma::hook::make_hook(
+					reinterpret_cast<void*>(module_base + offset_tencent_init),
+					reinterpret_cast<void*>(&Java_com_tencent_tp_TssSdk_init)
+				);
+			});
+
+			// for some reason lubcubehawk.so is never loaded??
+			ligma::utils::on_image_load("libcubehawk.so", [&](const auto module_base) 
+			{
+				LOGI("libcubehawk.so = %p", module_base);
+				ligma::hook::make_hook(
+					dlsym(dlopen("libcubehawk.so", RTLD_NOLOAD), "Java_com_tencent_hawk_bridge_HawkNative_checkEmulator"),
+					reinterpret_cast<void*>(&Java_com_tencent_hawk_bridge_HawkNative_checkEmulator)
+				);
+			});
+
 			fopen_ptr = dlsym(dlopen("libc.so", RTLD_NOLOAD), "fopen");
 			dlopen_ptr = dlsym(dlopen("libdl.so", RTLD_NOLOAD), "dlopen");
 			system_prop_get = dlsym(dlopen("libc.so", RTLD_NOLOAD), "__system_property_get");
@ -29,6 +54,37 @@ namespace ligma
 			ligma::hook::make_hook(system_prop_get, reinterpret_cast<void*>(&system_property_hook));
 		}

+		int Java_com_tencent_hawk_bridge_HawkNative_checkEmulator(int a1, int a2, int a3, int a4)
+		{
+			LOGI("check emulator called! a1 = 0x%x, a2 = 0x%x, a3 = 0x%x, a4 = 0x%x", a1, a2, a3, a4);
+			static const auto check_emulator =
+				reinterpret_cast<decltype(&Java_com_tencent_hawk_bridge_HawkNative_checkEmulator)>(
+					dlsym(dlopen("libcubehawk.so", RTLD_NOLOAD), "Java_com_tencent_hawk_bridge_HawkNative_checkEmulator"));
+			const auto result = check_emulator(a1, a2, a3, a4);
+			LOGI("check emulator result = 0x%x", result);
+			return result;
+		}
+
+		int tss_sdk_ischeatpacket(int a1)
+		{
+			LOGI("-------------- is cheat packet called! a1 = 0x%x -----------------", a1);
+			const auto result =
+				reinterpret_cast<decltype(&tss_sdk_ischeatpacket)>(
+					dlsym(dlopen("libtersafe.so", RTLD_NOLOAD), "tss_sdk_ischeatpacket"))(a1);
+			LOGI("is cheat packet result = 0x%x", a1);
+			return result;
+		}
+
+		int Java_com_tencent_tp_TssSdk_init(int a1, int a2, int a3)
+		{
+			LOGI("----------- Java_com_tencent_tp_TssSdk_init called! a1 = 0x%x, a2 = 0x%x, a3 = 0x%x --------------", a1, a2, a3);
+			const auto result =
+				reinterpret_cast<decltype(&Java_com_tencent_tp_TssSdk_init)>(
+					dlsym(dlopen("libtersafe.so", RTLD_NOLOAD), "Java_com_tencent_tp_TssSdk_init"))(a1, a2, a3);
+			LOGI("result = 0x%x", result);
+			return result;
+		}
+
 		//
 		// dont let a single lua script load!
 		//
@ -79,7 +135,7 @@ namespace ligma
 				if (strstr(filename, file_key.c_str()))
 				{
 					ligma::utils::get_callbacks()->erase(file_key);
-					callback(reinterpret_cast<std::uintptr_t>(result));
+					callback(ligma::utils::get_module_base(file_key.c_str()));
 					break;
 				}
 			}
--- a/ligma-cheat/ligma-cheat/bypass/bypass.h
+++ b/ligma-cheat/ligma-cheat/bypass/bypass.h
@ -1,15 +1,16 @@
 #pragma once
 #include <dlfcn.h>
+#include <link.h>
 #include <mutex>
 #include <android/log.h>
 #include <sys/system_properties.h>
 #include "../ligma.h"

 #define HWID_VALUE "what do you call nuts on your chin? a dick down your throat you fucking retard!"
-#define offset_emulator_check 0x000D7B4
-#define offset_ischeat_packet 0x00128E0
+#define offset_emulator_check  0x000D7B4
+#define offset_ischeat_packet  0x00128E0
 #define offset_mshook_function 0x0010358
-#define offset_fopen_got 0x23ECC
+#define offset_tencent_init    0x0021CAC

 namespace ligma
 {
@ -25,6 +26,9 @@ namespace ligma
 		inline std::mutex dlopen_mutex;

 		void init(const std::function<void(std::uintptr_t)>& callback);
+		int tss_sdk_ischeatpacket(int a1);
+		int Java_com_tencent_hawk_bridge_HawkNative_checkEmulator(int a1, int a2, int a3, int a4);
+		int Java_com_tencent_tp_TssSdk_init(int a1, int a2, int a3);
 		void* dlopen_hook(const char* filename, int flags);
 		FILE* fopen_hook(const char* path, const char* mode);
 		int system_property_hook(const char* name, char* value);
--- a/ligma-cheat/ligma-cheat/hooks/got_hook.h
+++ b/ligma-cheat/ligma-cheat/hooks/got_hook.h
@ -1,46 +0,0 @@
-#include <elf.h>
-#include <cstdint>
-#include <dlfcn.h>
-#include <map>
-#include <android/log.h>
-
-#define LOGI(...) ((void)__android_log_print(4, "ligma", __VA_ARGS__))
-#define LOGW(...) ((void)__android_log_print(5, "ligma", __VA_ARGS__))
-
-namespace ligma
-{
-	namespace hook
-	{
-		//
-		// TODO this doesnt work yet, needs to be debugged!
-		//
-		inline void* got_hook(elf32_hdr* module_base, const std::pair<const char*, const char*>& module_info, void* new_ptr)
-		{
-			if (!module_base || !module_info.first || !module_info.second || !new_ptr)
-				return {};
-
-			const auto orig_module_base = dlopen(module_info.first, RTLD_NOW);
-			const auto orig_ptr = dlsym(orig_module_base, module_info.second);
-
-			const auto shstrtab_header_offset = module_base->e_shoff + module_base->e_shstrndx * sizeof(elf32_shdr);
-			const auto shstr_header = reinterpret_cast<elf32_shdr*>(reinterpret_cast<std::uintptr_t>(module_base) + shstrtab_header_offset);
-
-			const auto shstr_section = reinterpret_cast<const char*>(module_base) + shstr_header->sh_offset;
-			auto section_header = reinterpret_cast<elf32_shdr*>(reinterpret_cast<std::uintptr_t>(module_base) + module_base->e_shoff);
-
-			for (auto idx = 0u; idx < module_base->e_shnum; ++idx)
-			{
-				if (strcmp(shstr_section + section_header->sh_name, ".got"))
-				{
-					for (auto section_value = reinterpret_cast<std::uintptr_t>(module_base) + section_header->sh_offset;
-						section_value < reinterpret_cast<std::uintptr_t>(module_base) + section_header->sh_size; section_value += 0x8)
-						if (*reinterpret_cast<void**>(section_value) == orig_ptr)
-							*reinterpret_cast<void**>(section_value) = new_ptr;
-					break;
-				}
-				section_header++;
-			}
-			return orig_ptr;
-		}
-	}
-}
--- a/ligma-cheat/ligma-cheat/hooks/xhook.h
+++ b/ligma-cheat/ligma-cheat/hooks/xhook.h
@ -0,0 +1,50 @@
+// Copyright (c) 2018-present, iQIYI, Inc. All rights reserved.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+// SOFTWARE.
+//
+
+// Created by caikelun on 2018-04-11.
+
+#ifndef XHOOK_H
+#define XHOOK_H 1
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define XHOOK_EXPORT __attribute__((visibility("default")))
+
+int xhook_register(const char *pathname_regex_str, const char *symbol,
+                   void *new_func, void **old_func) XHOOK_EXPORT;
+
+int xhook_ignore(const char *pathname_regex_str, const char *symbol) XHOOK_EXPORT;
+
+int xhook_refresh(int async) XHOOK_EXPORT;
+
+void xhook_clear() XHOOK_EXPORT;
+
+void xhook_enable_debug(int flag) XHOOK_EXPORT;
+
+void xhook_enable_sigsegv_protection(int flag) XHOOK_EXPORT;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
--- a/ligma-cheat/ligma-cheat/libxhook.a
+++ b/ligma-cheat/ligma-cheat/libxhook.a
--- a/ligma-cheat/ligma-cheat/ligma-cheat.vcxproj
+++ b/ligma-cheat/ligma-cheat/ligma-cheat.vcxproj
@ -42,9 +42,10 @@
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="bypass\bypass.h" />
-    <ClInclude Include="hooks\got_hook.h" />
    <ClInclude Include="hooks\shithook.h" />
+    <ClInclude Include="hooks\xhook.h" />
    <ClInclude Include="ligma.h" />
+    <ClInclude Include="SDK\Assembly-CSharp.dll\GameEngine.h" />
    <ClInclude Include="SDK\Il2Cpp\Il2Cpp.h" />
    <ClInclude Include="SDK\Il2Cpp\Il2CppType.h" />
    <ClInclude Include="utils\utils.h" />
@ -159,7 +160,8 @@
      <ExceptionHandling>Enabled</ExceptionHandling>
    </ClCompile>
    <Link>
-      <AdditionalDependencies>%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>
+      </AdditionalDependencies>
    </Link>
    <PostBuildEvent>
      <Command>adb logcat -c
@ -178,7 +180,8 @@ adb shell am start -n com.activision.callofduty.shooter/com.tencent.tmgp.cod.Per
      <ExceptionHandling>Enabled</ExceptionHandling>
    </ClCompile>
    <Link>
-      <AdditionalDependencies>%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>
+      </AdditionalDependencies>
    </Link>
    <PostBuildEvent>
      <Command>adb logcat -c
@ -197,7 +200,8 @@ adb shell am start -n com.activision.callofduty.shooter/com.tencent.tmgp.cod.Per
      <ExceptionHandling>Enabled</ExceptionHandling>
    </ClCompile>
    <Link>
-      <AdditionalDependencies>%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>
+      </AdditionalDependencies>
    </Link>
    <PostBuildEvent>
      <Command>adb logcat -c
@ -221,7 +225,8 @@ adb shell am start -n com.activision.callofduty.shooter/com.tencent.tmgp.cod.Per
      <ExceptionHandling>Enabled</ExceptionHandling>
    </ClCompile>
    <Link>
-      <AdditionalDependencies>%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>
+      </AdditionalDependencies>
    </Link>
    <PostBuildEvent>
      <Command>adb logcat -c
@ -245,7 +250,8 @@ adb shell am start -n com.activision.callofduty.shooter/com.tencent.tmgp.cod.Per
      <ExceptionHandling>Enabled</ExceptionHandling>
    </ClCompile>
    <Link>
-      <AdditionalDependencies>%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>
+      </AdditionalDependencies>
    </Link>
    <PostBuildEvent>
      <Command>adb logcat -c
@ -269,7 +275,8 @@ adb shell am start -n com.activision.callofduty.shooter/com.tencent.tmgp.cod.Per
      <ExceptionHandling>Enabled</ExceptionHandling>
    </ClCompile>
    <Link>
-      <AdditionalDependencies>%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>
+      </AdditionalDependencies>
    </Link>
    <PostBuildEvent>
      <Command>adb logcat -c
@ -292,9 +299,7 @@ adb shell am start -n com.activision.callofduty.shooter/com.tencent.tmgp.cod.Per
      <CppLanguageStandard>c++1z</CppLanguageStandard>
      <ExceptionHandling>Enabled</ExceptionHandling>
    </ClCompile>
-    <Link>
-      <AdditionalDependencies>%(AdditionalDependencies)</AdditionalDependencies>
-    </Link>
+    <Link />
    <PostBuildEvent>
      <Command>adb logcat -c

@ -308,6 +313,10 @@ start cmd /k "title 'all logs' &amp; adb logcat"
 adb shell am start -n com.activision.callofduty.shooter/com.tencent.tmgp.cod.PermissionGrantActivity
 </Command>
    </PostBuildEvent>
+    <Link>
+      <AdditionalDependencies>
+      </AdditionalDependencies>
+    </Link>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
    <ClCompile>
@ -316,9 +325,7 @@ adb shell am start -n com.activision.callofduty.shooter/com.tencent.tmgp.cod.Per
      <CppLanguageStandard>c++1z</CppLanguageStandard>
      <ExceptionHandling>Enabled</ExceptionHandling>
    </ClCompile>
-    <Link>
-      <AdditionalDependencies>%(AdditionalDependencies)</AdditionalDependencies>
-    </Link>
+    <Link />
    <PostBuildEvent>
      <Command>adb logcat -c

@ -332,6 +339,10 @@ start cmd /k "title 'all logs' &amp; adb logcat"
 adb shell am start -n com.activision.callofduty.shooter/com.tencent.tmgp.cod.PermissionGrantActivity
 </Command>
    </PostBuildEvent>
+    <Link>
+      <AdditionalDependencies>
+      </AdditionalDependencies>
+    </Link>
  </ItemDefinitionGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
  <ImportGroup Label="ExtensionTargets" />
--- a/ligma-cheat/ligma-cheat/ligma-cheat.vcxproj.filters
+++ b/ligma-cheat/ligma-cheat/ligma-cheat.vcxproj.filters
@ -39,9 +39,6 @@
    <ClInclude Include="bypass\bypass.h">
      <Filter>headers\bypass</Filter>
    </ClInclude>
-    <ClInclude Include="hooks\got_hook.h">
-      <Filter>headers\hooks</Filter>
-    </ClInclude>
    <ClInclude Include="hooks\shithook.h">
      <Filter>headers\hooks</Filter>
    </ClInclude>
@ -51,6 +48,10 @@
    <ClInclude Include="ligma.h">
      <Filter>headers</Filter>
    </ClInclude>
+    <ClInclude Include="hooks\xhook.h">
+      <Filter>headers\hooks</Filter>
+    </ClInclude>
+    <ClInclude Include="SDK\Assembly-CSharp.dll\GameEngine.h" />
    <ClInclude Include="SDK\Il2Cpp\Il2Cpp.h" />
    <ClInclude Include="SDK\Il2Cpp\Il2CppType.h" />
  </ItemGroup>
--- a/ligma-cheat/ligma-cheat/ligma.h
+++ b/ligma-cheat/ligma-cheat/ligma.h
@ -2,7 +2,6 @@
 #include <android/log.h>
 #include "utils/utils.h"
 #include "hooks/shithook.h"
-#include "hooks/got_hook.h"

 #define LOGI(...) ((void)__android_log_print(4, "ligma", __VA_ARGS__))
 #define LOGW(...) ((void)__android_log_print(5, "ligma", __VA_ARGS__))
--- a/ligma-cheat/ligma-cheat/main.cpp
+++ b/ligma-cheat/ligma-cheat/main.cpp
@ -1,22 +1,26 @@
 #include <thread>
-#include "bypass/bypass.h"
-#include "SDK/Il2Cpp/Il2Cpp.h"
-#include "SDK/Assembly-CSharp.dll/GameEngine.h"
 #include "SDK/Assembly-CSharp.dll/GameBase.h"
+#include "SDK/Assembly-CSharp.dll/GameEngine.h"
+#include "bypass/bypass.h"

-#include "SDK/UnityEngine.dll/Includes/UnityEngine/Component.h"
-#include "SDK/UnityEngine.dll/Includes/UnityEngine/Transform.h"
-#include "SDK/UnityEngine.dll/Includes/UnityEngine/Screen.h"
-#include "SDK/UnityEngine.dll/Includes/UnityEngine/Camera.h"
-#include "SDK/UnityEngine.dll/Includes/UnityEngine/Physics.h"
-#include "SDK/UnityEngine.dll/Includes/UnityEngine/RaycastHit.h"
-#include "SDK/UnityEngine.dll/Includes/UnityEngine/Object.h"
-
-// just an example that this never gets called, ever
-int get_localplayer_hook()
+void test()
 {
-	LOGI("=========== get local player called!!!! ===========");
-	return NULL;
+	LOGI("sleeping 10 seconds....");
+	sleep(10);
+	while (true)
+	{
+		const auto currentWeapon = GameEngine::GamePlay::get_CurrentWeapon<GameBase::Weapon*>();
+		LOGI("current Weapon = %p", currentWeapon);
+
+		if (currentWeapon)
+		{
+			currentWeapon->AddCurrentAmmo(0x100);
+			currentWeapon->AddCarriedAmmo(0x100);
+			currentWeapon->set_MaxAmmoCount(0x1000);
+			sleep(10);
+		}
+		sleep(1);
+	}
 }

 __attribute__((constructor))
@ -25,6 +29,7 @@ void init()
 	ligma::bypass::init([&](const std::uintptr_t il2cpp_base)
 	{
 		LOGI("il2cpp base address = %p", il2cpp_base);
-		ligma::hook::make_hook(reinterpret_cast<void*>(il2cpp_base + 0x36F2600), reinterpret_cast<void*>(&get_localplayer_hook));
+		if (Il2Cpp::Attach())
+			std::thread(&test).detach();
 	});
 }
--- a/ligma-cheat/ligma-cheat/utils/utils.cpp
+++ b/ligma-cheat/ligma-cheat/utils/utils.cpp
@ -1,5 +1,5 @@
 #include "utils.h"
-#include <experimental/filesystem>
+#include <inttypes.h>

 namespace ligma
 {
@ -18,15 +18,26 @@ namespace ligma

 		void iterate_memory(const std::function<void(const std::pair<std::uintptr_t, std::uintptr_t>&, const std::string& protection)>& callback)
 		{
-			std::fstream maps("/proc/self/maps");
-			std::pair<std::uintptr_t, std::uintptr_t> memory_range;
-			std::string page_perms;
-			while (maps >> memory_range.first >> memory_range.second >> page_perms)
+
+		}
+
+		std::uintptr_t get_module_base(const char* module_name)
+		{
+			const auto maps_handle = fopen("/proc/self/maps", "r");
+			char line[512];
+			while (fgets(line, sizeof line, maps_handle))
 			{
-				maps.ignore(std::numeric_limits<std::streamsize>::max(), '\n'); // skip to next line :)
-				callback(memory_range, page_perms);
+				std::uintptr_t base;
+				char tmp[64];
+				sscanf(line, "%" PRIXPTR "-%*" PRIXPTR " %*s %*s %*s %*s %s", &base, tmp);
+				if (strstr(tmp, module_name))
+				{
+					fclose(maps_handle);
+					return base;
+				}
 			}
-			maps.close();
+			fclose(maps_handle);
+			return NULL;
 		}
 	}
 }
--- a/ligma-cheat/ligma-cheat/utils/utils.h
+++ b/ligma-cheat/ligma-cheat/utils/utils.h
@ -7,6 +7,7 @@ namespace ligma
 {
 	namespace utils
 	{
+		std::uintptr_t get_module_base(const char* module_name);
 		auto get_callbacks() -> std::map<std::string, std::function<void(const std::uintptr_t)>>*;
 		void iterate_memory(const std::function<void(const std::pair<std::uintptr_t, std::uintptr_t>&, const std::string& protection)>& callback);
 		void on_image_load(const std::string& module_name, const std::function<void(const std::uintptr_t)>& callback);