Ok, Kongregate now support games made with unity3d, and since this forum is called "KongregateHack", i thought that a tut about how to hack unity3d games efficiently cannot be bad...

Introduction :
So, to hack these kind of games, you'll need the following tools :
 - Adblock Plus (download it here)
 - The Unity3D Obfuscator (download it here)
 - The .NET Reflector (download it here)
 - Cheat Engine (download it here)

I) Download the game :
Now that we have all the needed tools, let's find a game to hack, and the hack we will make. In this tut, the game will be Sarah's run. The first thing to do is to download the game. To achieve this, you just have to follow the tut made by KongregateHack, and to replace the extension ".swf" by ".unity3d" when you search for the game with adblock plus. After a few minutes playing with this game we can see that Sarah die if we touch the electrified ground, so a good hack could be invincibility, for exemple.

II) Unpack and decompile the game :
Open the Unity3d Obfuscator, and click "new project". Set the source type to "Web player, player streamed..." and target your game with extension .unity3d and then ckick the finish button. In the main screen of the obfuscator, click "Unpack web archive in a directory". Close the obfuscator, and you should have many files in your directory, including a file called "Assembly - CSharp.dll". This file contains all the code of the game, but since it compiled, you'll need to decompile it in order to see understandable code.

To decompile the game, just open the RedGate's .NET Reflector, choose open, and target the file "Assembly - CSharp.dll". Then open this file in the list, and choose the directory with the two brackets.

Now you should be with a list of all code parts. Since we want invincibility hack, we can assume that the code that will handle ground collision and player death will be in the "playerControl" part. Click it, and then open the "fixedUpdate" function (all the usefull informations are usually in these functions). When it ask somethink, just click "OK".


III) Find the array of bytes :
Since we have the code displayed, we just have to find the part that deals with death. In this case, this is pretty simple : after a few minutes searching, we can see the following part of code :

if ((component == null) || component.activated)
{
     this.masterScript.Die();
     this.hasControl = false;
}
MonoBehaviour.print("DEAD!");

Now that we have the interesting part, we have to translate it in CIL bytecode (if someone know how to do it automatically, please let me know how). You can see the whole list of CIL instructions here.

First, we will translate the two instructions in the brackets. In the CIL instructions, we can see that "this" is 0x02. Then the code gets an object (0x7B) and calls one of its methods (0x6F). Cause we don't know the adresses of the objects and function, we will use wildcards. We have :

this.masterScript.Die();
02 7b ?? ?? ?? ?? 6f ?? ?? ?? ??

Then, we will translate the next line : the code calls "this" (0x02), pushes "false" on the stack (0x16), and sets this value to the hasControl variable (0x7D). So wh have the following code :

this.masterScript.Die();
this.hasControl = false;

02 7b ?? ?? ?? ?? 6f ?? ?? ?? ?? 02 16 7d ?? ?? ?? ??

We have to change the AoB, to skip these instructions, and allow us to be invincible in the game. The easiest way to skip instructions is, in this case, to nop all the bytes. The nop instruction is 0x00, so we will be with the following Aob :

Invincibility :
   02 7b ?? ?? ?? ?? 6f ?? ?? ?? ?? 02 16 7d ?? ?? ?? ??
   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

IV) Test and use the AoB :
Open the game in your browser, and open Cheat Engine. If you're using Firefox, select "firefox.exe" as process, not "plugin-container.exe", wich is only for Flash games. Start a new scan, without touching anything in the game, and select "Array of Bytes" as scan type. Type "02 7b ?? ?? ?? ?? 6f ?? ?? ?? ?? 02 16 7d ?? ?? ?? ??" as value, and you should see 8 results. Select them all and change them to "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00". Back to the game, you should be able to walk on electricity, and lazers.

V) Conclusion
I hope you liked this little tutorial, and don't hesitate to correct me if I wrote something wrong, or if I forgot something. Cya guys!

First, we will translate the two instructions in the brackets. In the CIL instructions, we can see that "this" is 0x02. Then the code gets an object (0x7B) and calls one of its methods (0x6F). Cause we don't know the adresses of the objects and function, we will use wildcards. We have :

Code: [Select]

this.masterScript.Die();
02 7b ?? ?? ?? ?? 6f ?? ?? ?? ??Then, we will translate the next line : the code calls "this" (0x02), pushes "false" on the stack (0x16), and sets this value to the hasControl variable (0x7D). So wh have the following code :

Code: [Select]

this.masterScript.Die();
this.hasControl = false;
02 7b ?? ?? ?? ?? 6f ?? ?? ?? ?? 02 16 7d ?? ?? ?? ??We have to change the AoB, to skip these instructions, and allow us to be invincible in the game. The easiest way to skip instructions is, in this case, to nop all the bytes. The nop instruction is 0x00, so we will be with the following Aob :

Code: [Select]

Invincibility :
   02 7b ?? ?? ?? ?? 6f ?? ?? ?? ?? 02 16 7d ?? ?? ?? ??
-> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

awesome! just found out Ildasm was a thing. takes all the guesswork out of figuring out how the compiler decided to build the assembly dll

Im this is where i get lost. How do you know that "this" is 02? On that list you referenced, it says:

Code: [Select]

0x02 ldarg.0 Load argument 0 onto the stack.