Tutorial: Android Function Pointers & Hooking Template


HelloWhyMe
Apr 3, 2019
Ah bois. Here I am again with another tutorial. This time I will cover function pointers and my hooking template.

But before we start, ask yourself these things:
- Do I have a brain?
- Do I know how to program, or do I just know how to CTRL+C & CTRL+V?
- Did I read this tutorial: Mod Menus for Android?
- Am I willing to really read this thread, or will I just skim through it?

If you had to answer any of these questions with NO, I have to stop you right here: complete these steps first.

[screenshot]

.......


Okk, are the plebs gone now? Good.

Now, the peeps remaining, you have to complete some steps too!
Here they are:
- Download and install Android Studio
- Download dnSpy
- Download Il2CppDumper by Perfare
- Get my template
- Download NDK r16b
- Download the latest version of the game you wanna hack from Apkpure. My choice: Bullet Force
- Download the latest Apktool

Ok... done?
Gooooooood. Now we can start =)
This is gonna be a lot of text, so you better turn up your jam while reading.

So yea. First of all, decompile your app. In my case I will decompile Bullet Force and dump the il2cpp lib (the armeabi-v7a one, because Substrate doesn't support AARCH64 / arm64-v8a).

Open up dem DummyDlls in dnSpy and search for GameManager (you will notice pretty fast that this game is obfuscated, which makes this a little bit harder. But the GameManager class has a lot of functions that still aren't obfuscated, so we gonna use this class).

So first, what should we look for? Well, of course, whether there are functions or fields we wanna modify/use.
Second, and one of the most important: does this game have an Update/LateUpdate function? Why, you ask? Because this is a non-static function that is called by Unity once per frame. If you have 60 FPS in a game, Update is being called 60 times a second. Why is this good? Think about it. We wouldn't want to get and set instance variables on an object that hasn't been updated for a while, right? We need our most current object to modify, and what better way of getting it than hooking a function that is called 60 times every second?

So GameManager has such a function. Nice. (Well, it's called LateUpdate, but that's nearly the same; see the Unity docs for LateUpdate.)

So open up my template in Android Studio and set the NDK location to the path you downloaded NDK r16b to. This is also explained in the thread where you downloaded the template from =)
And OH, what's that? We will be greeted with the barebones function hook for GameManager.LateUpdate()... WOA
Awesome. So we can get right to coding. (You may wanna update the offset in the MSHook line.)
(Also, I would recommend changing the hex values in the MenuService, or you will be greeted with a barely good lookin' menu xD. There is also code in it to change the background to an image.)

Ok, now we found a function in the GameManager class we wanna use. But what do we do now?
Well, we are gonna create a function pointer for it, which seems confusing at first, but when you get the hang of it it's quite awesome and just feels right.

So what does a function pointer look like, you may ask?

Declare a function pointer:
<type> (*<function name>)(<this pointer>, <any additional parameters>) = (<type> (*)(void *, <types of additional parameters>))getAbsoluteAddress(<libName>, <offset>);
But we won't declare them like this. Because when we do it like this, for example for this function:

[screenshot]


Like this

[screenshot]

(I guessed the int. It is obfuscated, so you have to guess a lot. But it seems I guessed right, cause dat can be the only parameter which holds a number lul.)
(Btw, when this is a static function you don't need the _this thing. The first argument to any non-static function in assembly is the this pointer in Unity, so static functions don't have that.)
Dat will crash your hack. Why, you may ask? Let me explain. When your lib is loaded, sometimes the il2cpp lib isn't loaded yet. But your lib doesn't know that and already tries to read the address, which will result in a null pointer. So we have to wait for the lib to load. How do we do that? Well, we split this function pointer into its declaration and its assignment, so the address is only fetched once the lib is there, like this:

[screenshot]

Really simple, huh? Here is a good explanation about function pointers.
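Here is the same split written out in plain C++, as an added example (my code, not the template's): the pointer is declared but left unresolved, the address is fetched from a resolve step that you would run from the hook once the game lib is mapped, and every call is guarded so an unresolved pointer is never called. getAbsoluteAddress, "libil2cpp.so", the offset value and the FakeGameManager / FakeAddMoney stand-ins are all constructed for this example so it runs without a game process.

```cpp
#include <cstdint>
#include <cstring>

// ---- Stand-ins for the game process (constructed for this example) ----
// A fake native function with the calling convention the post describes for
// non-static Unity methods: the first parameter is the object's 'this' pointer,
// the real arguments follow.
struct FakeGameManager { int money; };

static void FakeAddMoney(void* self, int amount) {
    static_cast<FakeGameManager*>(self)->money += amount;
}

// Hypothetical stand-in for the template's getAbsoluteAddress(libName, offset).
// It returns 0 until the library is "loaded": the exact condition that yields a
// null pointer when the address is taken while our own lib is still loading.
static bool g_libLoaded = false;

static uintptr_t getAbsoluteAddress(const char* libName, uintptr_t offset) {
    (void)offset; // a real implementation returns base_of(libName) + offset
    if (!g_libLoaded || std::strcmp(libName, "libil2cpp.so") != 0) return 0;
    return reinterpret_cast<uintptr_t>(&FakeAddMoney);
}

// ---- The split from the post ----
// 1. Declare the pointer type and the pointer, but do not resolve it yet.
typedef void (*AddMoney_t)(void* _this, int amount);
static AddMoney_t AddMoney = nullptr;
static const uintptr_t kAddMoneyOffset = 0x123456; // placeholder, not a real offset

// 2. Resolve later (from the hook, once the game lib is mapped).
//    Returns false, and caches nothing, while the address is still unavailable.
static bool resolveAddMoney() {
    if (AddMoney != nullptr) return true;
    uintptr_t addr = getAbsoluteAddress("libil2cpp.so", kAddMoneyOffset);
    if (addr == 0) return false;
    AddMoney = reinterpret_cast<AddMoney_t>(addr);
    return true;
}

// 3. Guarded call site, as it would sit inside the LateUpdate hook.
//    Returns the object's money after the call, or -1 if the pointer wasn't ready.
static int safeAddMoney(FakeGameManager* gm, int amount) {
    if (!resolveAddMoney()) return -1;
    AddMoney(gm, amount);
    return gm->money;
}

// Helpers that let the load-order scenario be replayed deterministically.
static void simulateLibraryLoad() { g_libLoaded = true; }
static void resetExample() { g_libLoaded = false; AddMoney = nullptr; }
```

The important detail is that a zero address is never cached: resolveAddMoney() simply reports "not yet" and the next frame tries again, which is what makes the split safe regardless of which lib gets mapped first.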

So now you will notice that we have a bool called 'exampleBooleanForToggle'. We gonna rename this to 'addMoney' and add an if-statement in our hooked LateUpdate function, like so:

[screenshot]


And rename one string in our JNI function. (I updated the total_features thing; now you don't have to manually increase this int.)

[screenshot]


So now when you compile this and implement this into the game (this is explained in my other tutorial), your results should look like this:

[screenshot]


Btw, due to the fact that this is an update function, remember that our AddMoney function will be called as many times per second as your FPS. That's why I set it to 10.

[screenshot]


BOOM. So much money.

Also one thing: I only got the addresses for armeabi-v7a, so this hack will only support this architecture. If you wanna support multiple archs, you have to dump all il2cpp libs from every arch, check in your hack which arch is used, and then set the offsets. I delete every lib folder in an app except for the armeabi-v7a folder.

I will explain in another tutorial how to use and set fields. So till then,
Have fun hacking

Edit:
If you need to set a string because your function pointer needs one, using std::string or const char* won't work: il2cpp expects its own managed string object, whose layout is below.
Use this instead

C++:
struct Il2CppObject
{
    void* klass;    // pointer to the object's Il2CppClass
    void* monitor;  // used for Monitor locking; leave it alone
};

struct Il2CppString
{
    Il2CppObject object;
    int length;                                ///< Length of string *excluding* the trailing null (which is included in 'chars').
    unsigned short chars[1];                   ///< UTF-16 code units; 'length' + 1 of them follow in memory
};


//or in one struct (same layout; note the chars are 16-bit, not char)
typedef struct _il2cppString
{
    void* klass;
    void* monitor;
    int length;
    unsigned short chars[1];
    int getLength()
    {
      return length;
    }
    unsigned short* getChars()
    {
        return chars;
    }
}il2cppString;
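To show how that layout is actually used, here is an added example (my code, not the post's template or Unity's libil2cpp): one helper copies an Il2CppString's UTF-16 characters into a std::string, the other builds a byte buffer with the same header + length + chars layout from plain ASCII. The klass pointer is left null and marked as a placeholder; in a live process it would have to be the real System.String class, which il2cpp_string_new() sets for you, so the il2cpp source remains the reference to read.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Same layout as the structs in the post (repeated here so the file is
// self-contained). chars[1] is the usual flexible-array trick: 'length' + 1
// UTF-16 code units actually follow the header in memory.
struct Il2CppObject { void* klass; void* monitor; };

struct Il2CppString {
    Il2CppObject object;
    int32_t length;      // code units, excluding the trailing 0
    uint16_t chars[1];   // UTF-16, NOT 8-bit char
};

// Size of the header that precedes the characters (12 bytes on armeabi-v7a,
// 20 on a 64-bit build; offsetof computes it for whatever this is compiled on).
static size_t il2cppStringHeaderSize() { return offsetof(Il2CppString, chars); }

// Copy the characters of an Il2CppString into a std::string.
// Only Latin-1 code units are kept; anything above 0xFF becomes '?'.
static std::string il2cppToStd(const Il2CppString* s) {
    if (s == nullptr || s->length < 0) return "";
    const uint16_t* chars = s->chars;
    std::string out;
    out.reserve(static_cast<size_t>(s->length));
    for (int32_t i = 0; i < s->length; ++i) {
        uint16_t c = chars[i];
        out.push_back(c < 0x100 ? static_cast<char>(c) : '?');
    }
    return out;
}

// Build a buffer with the Il2CppString layout from an ASCII std::string.
// klass is a null placeholder: a real managed string needs the game's
// System.String class pointer, which il2cpp_string_new() fills in for you.
static std::vector<uint8_t> makeIl2CppStringBuffer(const std::string& text) {
    const size_t header = il2cppStringHeaderSize();
    std::vector<uint8_t> buf(header + (text.size() + 1) * sizeof(uint16_t), 0);
    Il2CppString* s = reinterpret_cast<Il2CppString*>(buf.data());
    s->object.klass = nullptr;   // placeholder, see comment above
    s->object.monitor = nullptr;
    s->length = static_cast<int32_t>(text.size());
    uint16_t* chars = reinterpret_cast<uint16_t*>(buf.data() + header);
    for (size_t i = 0; i < text.size(); ++i)
        chars[i] = static_cast<unsigned char>(text[i]);
    // chars[text.size()] is already 0: the trailing null the post's comment mentions
    return buf;
}
```

Reading through the struct rather than a char* is exactly why the post says std::string or const char* won't work: the characters are two bytes each, and the header in front of them has a different size on 32-bit and 64-bit builds, so a hack dumped for armeabi-v7a must not hardcode the 64-bit offsets or vice versa.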
 

HelloWhyMe
Apr 3, 2019
Added a struct in a spoiler tag cause some people asked how to work with strings and couldn't figure it out even when I told them that the il2cpp source is on your PC when you have Unity installed. But ye boi, here we go
 

timb3r
Jul 15, 2018
Added a struct in a spoiler tag cause some people asked how to work with strings and couldn't figure it out even when I told them that the il2cpp source is on your PC when you have Unity installed. But ye boi, here we go
The il2cpp source is available on your pc the heck.

Edit: The whole source is available under Unity/Editors/<version>/Editor/Data/libil2cpp
 

HelloWhyMe
Apr 3, 2019
The il2cpp source is available on your pc the heck.

Edit: The whole source is available under Unity/Editors/<version>/Editor/Data/libil2cpp
Yup, the whole goddamn source. And people still don't understand how to use it to their advantage.
 

HelloWhyMe
Apr 3, 2019
Thank you man, I really appreciate the work you put into this <3
Thank you very much. I try to make some good tutorials on Android hacking because I noticed that there aren't so many, and things like this are "secrets" which shouldn't be shared.
 