[Unity3D] Bytecode hacking Tutorial
[Unity3D] Bytecode hacking Tutorial Posted on: 01/07/2011 7:27am

OK, Kongregate now supports games made with Unity3D, and since this forum is called "KongregateHack", I thought that a tut about how to hack Unity3D games efficiently cannot be bad...

Introduction:
So, to hack this kind of game, you'll need the following tools:
 - Adblock Plus (download it here)
 - The Unity3D Obfuscator (download it here)
 - The .NET Reflector (download it here)
 - Cheat Engine (download it here)

I) Download the game:
Now that we have all the needed tools, let's find a game to hack, and the hack we will make. In this tut, the game will be Sarah's run. The first thing to do is to download the game. To achieve this, you just have to follow the tut made by KongregateHack, and replace the extension ".swf" with ".unity3d" when you search for the game with Adblock Plus. After a few minutes playing with this game we can see that Sarah dies if we touch the electrified ground, so a good hack could be invincibility, for example.

II) Unpack and decompile the game:
Open the Unity3D Obfuscator, and click "new project". Set the source type to "Web player, player streamed..." and target your game with extension .unity3d, then click the finish button. In the main screen of the obfuscator, click "Unpack web archive in a directory". Close the obfuscator, and you should have many files in your directory, including a file called "Assembly - CSharp.dll". This file contains all the code of the game, but since it is compiled, you'll need to decompile it in order to see understandable code.

To decompile the game, just open Red Gate's .NET Reflector, choose open, and target the file "Assembly - CSharp.dll". Then open this file in the list, and choose the directory with the two brackets.

Now you should see a list of all code parts. Since we want an invincibility hack, we can assume that the code that will handle ground collision and player death will be in the "playerControl" part. Click it, and then open the "fixedUpdate" function (all the useful information is usually in these functions). When it asks something, just click "OK".


III) Find the array of bytes:
Since we have the code displayed, we just have to find the part that deals with death. In this case, this is pretty simple: after a few minutes searching, we can see the following part of code:

if ((component == null) || component.activated)
{
     this.masterScript.Die();
     this.hasControl = false;
}
MonoBehaviour.print("DEAD!");


Now that we have the interesting part, we have to translate it into CIL bytecode (if someone knows how to do it automatically, please let me know how). You can see the whole list of CIL instructions here.

First, we will translate the two instructions in the brackets. In the CIL instructions, we can see that "this" is 0x02. Then the code gets an object (0x7B) and calls one of its methods (0x6F). Because we don't know the addresses of the objects and function, we will use wildcards. We have:

this.masterScript.Die();
02 7b ?? ?? ?? ?? 6f ?? ?? ?? ??


Then, we will translate the next line: the code calls "this" (0x02), pushes "false" on the stack (0x16), and sets this value to the hasControl variable (0x7D). So we have the following code:

this.masterScript.Die();
this.hasControl = false;

02 7b ?? ?? ?? ?? 6f ?? ?? ?? ?? 02 16 7d ?? ?? ?? ??


We have to change the AoB to skip these instructions, and allow us to be invincible in the game. The easiest way to skip instructions is, in this case, to nop all the bytes. The nop instruction is 0x00, so we end up with the following AoB:

Invincibility :
   02 7b ?? ?? ?? ?? 6f ?? ?? ?? ?? 02 16 7d ?? ?? ?? ??
   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


IV) Test and use the AoB:
Open the game in your browser, and open Cheat Engine. If you're using Firefox, select "firefox.exe" as process, not "plugin-container.exe", which is only for Flash games. Start a new scan, without touching anything in the game, and select "Array of Bytes" as scan type. Type "02 7b ?? ?? ?? ?? 6f ?? ?? ?? ?? 02 16 7d ?? ?? ?? ??" as value, and you should see 8 results. Select them all and change them to "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00". Back in the game, you should be able to walk on electricity and lasers.

V) Conclusion:
I hope you liked this little tutorial, and don't hesitate to correct me if I wrote something wrong, or if I forgot something. Cya guys!

Re: [Unity3D] Bytecode hacking Tutorial Posted on: 01/07/2011 8:38am
Awesome job on the tut; this is just what we need. Now we will be ready for when people start requesting hacks for Unity games.

+1 karma for it.
Re: [Unity3D] Bytecode hacking Tutorial Posted on: 01/07/2011 8:46am
Ahh, CIL. Long time no see.
For future reference: http://en.wikipedia.org/wiki/List_of_CIL_instructions

Edit: Sorry, didn't see you there. @_@
Re: [Unity3D] Bytecode hacking Tutorial Posted on: 01/07/2011 8:48am
Quote from: "Zirak"
Ahh, CIL. Long time no see.
For future reference: http://en.wikipedia.org/wiki/List_of_CIL_instructions
Quote from: "Kazuru"
You can see the whole list of CIL instructions here.

@Topic: Great tutorial; there isn't as much difference between Unity3D and Flash as I thought.
Re: [Unity3D] Bytecode hacking Tutorial Posted on: 01/07/2011 2:52pm
Kind of gimped from here, but in an easy-to-read and clear format.

I recommend people write a simple command line program to strip out the irrelevant information and replace it with the correct bytecode.

I'd release mine, but it's poorly coded and I don't want people to see what a shit C# coder I am, since there are probably a million things that I could improve/do better.
Re: [Unity3D] Bytecode hacking Tutorial Posted on: 01/08/2011 12:53am
Derek, MOST of the hacking tuts are gimped from somewhere; it's putting the time and dedication into making it a clear and concise walkthrough that's the hard part. Who's going to sift through two pages of rambling when it's all in one clear post?

Check before you post, someone may have beaten you there.

Don't fear my banhammer, fear the God holding it...

Re: [Unity3D] Bytecode hacking Tutorial Posted on: 01/09/2011 4:55am
Quote from: "Kazuru"
First, we will translate the two instructions in the brackets. In the CIL instructions, we can see that "this" is 0x02. Then the code gets an object (0x7B) and calls one of its methods (0x6F). Cause we don't know the adresses of the objects and function, we will use wildcards. We have :
this.masterScript.Die();
02 7b ?? ?? ?? ?? 6f ?? ?? ?? ??
Then, we will translate the next line : the code calls "this" (0x02), pushes "false" on the stack (0x16), and sets this value to the hasControl variable (0x7D). So wh have the following code :
this.masterScript.Die();
this.hasControl = false;
02 7b ?? ?? ?? ?? 6f ?? ?? ?? ?? 02 16 7d ?? ?? ?? ??
We have to change the AoB, to skip these instructions, and allow us to be invincible in the game. The easiest way to skip instructions is, in this case, to nop all the bytes. The nop instruction is 0x00, so we will be with the following Aob :
Invincibility :
   02 7b ?? ?? ?? ?? 6f ?? ?? ?? ?? 02 16 7d ?? ?? ?? ??
-> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

This is where I get lost. How do you know that "this" is 02? On that list you referenced, it says:
0x02 ldarg.0 Load argument 0 onto the stack.
So how does that translate to "this"? Also, how do you know how many wildcards to insert?
Re: [Unity3D] Bytecode hacking Tutorial Posted on: 01/09/2011 5:42am
Never let a computer tell me shit.
Quote from: "Aerelyte"
how do you know how many wildcards to insert?
A 32-bit address system needs 32 bits / 2 words / 4 bytes.

Some commands use int16/int8 though; for instance, 2F <int8> is branch if greater than or equal to.

For more specific info, I highly suggest reading these white papers:
http://www.ecma-international.org/publi ... MA-335.pdf
Partition 3 will have the most relevant info for you. The table of contents for Partition 3 is on page 326.


I use this AoB tool to make all the AoBs I post. Try the online version if you don't feel like downloading it.
"Obviously, windows are central to Windows. They are so important that they named the operating system after them. But what is a window?"

Re: [Unity3D] Bytecode hacking Tutorial Posted on: 01/24/2011 3:01pm
Yeah I'm not getting how you got 0x02 from "this". The site that you linked us to didn't make any sense to me.

Is there any way you can help out with the translation?
I've been going crazy trying to find a way to make this work.
Re: [Unity3D] Bytecode hacking Tutorial Posted on: 01/24/2011 3:11pm
If you follow this link, you can see that opcode 0x02 = Load argument 0 onto the stack, which pretty much translates to 'this'
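A worked decoder for the bytes discussed in this thread, added here as an example (it is not the original poster's code, nor any tool's): it walks the CIL opcodes the tutorial uses and turns each instruction's operand size into the number of `??` wildcards, which covers both questions above (why 0x02 reads as `this`, and how many wildcards a token needs). The opcode table is a small subset of ECMA-335 Partition III; the metadata tokens in `SAMPLE_IL` are constructed placeholders, and the `IL_` offsets are relative to the start of the sample, not to any real method.

```python
"""Decode the CIL (ECMA-335) byte pattern discussed in this thread.

Added example, not code from the original post. The opcode table is a small
subset of ECMA-335 Partition III; the tokens in SAMPLE_IL are constructed
placeholders, not values taken from any real assembly.
"""
from typing import List, Optional, Tuple

# byte -> (mnemonic, operand size in bytes). Metadata tokens (field/method
# references) are always 4 bytes; short branches and ldc.i4.s carry a signed
# 1-byte immediate; the rest have no operand at all.
OPCODES = {
    0x00: ("nop", 0),
    0x02: ("ldarg.0", 0),    # argument 0 of an instance method is 'this'
    0x03: ("ldarg.1", 0),
    0x14: ("ldnull", 0),
    0x16: ("ldc.i4.0", 0),   # push int32 0; C# 'false' compiles to this
    0x17: ("ldc.i4.1", 0),
    0x1F: ("ldc.i4.s", 1),
    0x20: ("ldc.i4", 4),
    0x28: ("call", 4),
    0x2A: ("ret", 0),
    0x2B: ("br.s", 1),
    0x2C: ("brfalse.s", 1),
    0x2F: ("bge.s", 1),      # the "2F <int8>" example from the thread
    0x6F: ("callvirt", 4),
    0x7B: ("ldfld", 4),
    0x7D: ("stfld", 4),
}

# Constructed sample: what the C# lines
#     this.masterScript.Die();
#     this.hasControl = false;
# compile to, with made-up little-endian metadata tokens. Real tokens differ
# from build to build, which is why the thread's search pattern wildcards them.
SAMPLE_IL = bytes([
    0x02,                          # ldarg.0            this
    0x7B, 0x12, 0x00, 0x00, 0x04,  # ldfld    04000012  .masterScript (constructed token)
    0x6F, 0x34, 0x00, 0x00, 0x0A,  # callvirt 0A000034  .Die()        (constructed token)
    0x02,                          # ldarg.0            this
    0x16,                          # ldc.i4.0           false
    0x7D, 0x13, 0x00, 0x00, 0x04,  # stfld    04000013  .hasControl = (constructed token)
])

Instr = Tuple[int, str, Optional[int]]  # (offset, mnemonic, operand or None)


def disassemble(code: bytes) -> List[Instr]:
    """Walk the byte stream one instruction at a time, using the operand size
    from OPCODES to find where the next opcode starts."""
    out: List[Instr] = []
    i = 0
    while i < len(code):
        op = code[i]
        if op not in OPCODES:
            raise ValueError(f"unsupported opcode 0x{op:02X} at offset {i}")
        name, size = OPCODES[op]
        raw = code[i + 1:i + 1 + size]
        if len(raw) != size:
            raise ValueError(f"truncated operand for {name} at offset {i}")
        operand = int.from_bytes(raw, "little", signed=(size == 1)) if size else None
        out.append((i, name, operand))
        i += 1 + size
    return out


def listing(code: bytes) -> str:
    """Human-readable disassembly, one instruction per line."""
    lines = []
    for off, name, operand in disassemble(code):
        size = OPCODES[code[off]][1]
        if operand is None:
            arg = ""
        elif size == 4:
            arg = f" 0x{operand:08X}"
        else:
            arg = f" {operand}"
        lines.append(f"IL_{off:04x}: {name}{arg}")
    return "\n".join(lines)


def aob_pattern(code: bytes) -> str:
    """Cheat Engine style 'array of bytes': keep each opcode byte literally and
    replace every operand byte with '??', since tokens and offsets are not
    stable across builds. Decoding first guarantees the wildcards land exactly
    on operand bytes and nowhere else."""
    parts: List[str] = []
    for off, _, _ in disassemble(code):
        parts.append(f"{code[off]:02x}")
        parts.extend(["??"] * OPCODES[code[off]][1])
    return " ".join(parts)


def nop_fill(code: bytes) -> bytes:
    """A same-length run of nop (0x00). Keeping the length identical leaves
    every branch target after the patched region where it was, and the
    original sequence leaves nothing on the evaluation stack (there is no
    'pop' in the pattern), so removing it keeps the stack balanced too."""
    return bytes(len(code))


if __name__ == "__main__":
    print(listing(SAMPLE_IL))
    print(aob_pattern(SAMPLE_IL))
    print(listing(nop_fill(SAMPLE_IL)))
```

Running it prints the six-instruction listing, then exactly the `02 7b ?? ?? ?? ?? 6f ?? ?? ?? ?? 02 16 7d ?? ?? ?? ??` pattern from the first post, then eighteen `nop` lines for the replacement; the `ValueError` on a truncated operand is what you hit if a search match started in the middle of a token rather than on an opcode.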
Re: [Unity3D] Bytecode hacking Tutorial Posted on: 01/24/2011 3:43pm
...WOW I have no clue how you got that.
lol, why couldn't they just put "this" in there instead of that?
Re: [Unity3D] Bytecode hacking Tutorial Posted on: 09/23/2011 4:31am
Awesome! Just found out Ildasm was a thing. It takes all the guesswork out of figuring out how the compiler decided to build the assembly DLL.

Re: [Unity3D] Bytecode hacking Tutorial Posted on: 09/25/2011 2:51pm
Quote from: "kolonelkadat"
awesome! just found out Ildasm was a thing. takes all the guesswork out of figuring out how the compiler decided to build the assembly dll
Note that Ildasm is fairly buggy and most obfuscators use the SuppressIldasmAttribute.

Quote from: "Aerelyte"
Im this is where i get lost. How do you know that "this" is 02? On that list you referenced, it says:
0x02 ldarg.0 Load argument 0 onto the stack.
http://stackoverflow.com/questions/1785 ... 94#1785394
Re: [Unity3D] Bytecode hacking Tutorial Posted on: 12/21/2011 2:06pm
Quote from: "kolonelkadat"
32 bit address system needs 32bits/2 words/4 bytes
Technically the word size on any x86 later than a 386 is 32 bits. (x64 is 64 bits.) What Microsoft calls a word size and a double word size is down to the 16-bit legacy of the original 8086/8088 CPUs.[1]

Basically, don't use word as it gets confusing, unless you're using a sensible processor (e.g. ARM).

[1] Word size is the size of the CPU's databus, not the size of an instruction, an instruction's parameter or owt else.
Re: [Unity3D] Bytecode hacking Tutorial Posted on: 12/22/2011 2:14am
Fair enough. 16-bit asm was my second language. Old habits die hard.