This file lists useful applications to debug and modify the game code.
Helpful articles:
Small tools that might come in handy.
xdelta3 (the tool name is missing from this page; the -e/-d/-s flags and the .vcdiff output are xdelta3's)
    xdelta3 -e -s ORIG MOD PATCH.vcdiff     (encode: diff the original ORIG against the modified MOD into PATCH.vcdiff)
    xdelta3 -d -s BAK PATCH.vcdiff MOD      (decode: apply PATCH.vcdiff to the backup copy BAK to recreate MOD)
Ghidra
Use: Decompile and patch UnityPlayer.dll, C code preview (decompiler output)
Link: https://ghidra-sre.org/
Hints:
Il2CppInspector
Use: decrypted global-metadata.dat + UserAssembly.dll => debug information (class, method and field names with their addresses, importable into Ghidra)
Link: https://github.com/djkaty/Il2CppInspector
Hints:
    WINEDEBUG=-all wine Il2CppInspector-cli.exe -m global-metadata.dat -i UserAssembly.dll -t Ghidra --unity-version 2017.4.30f1
    (WINEDEBUG=-all silences Wine's own debug output; -t Ghidra selects Ghidra as the target of the generated script; the Unity version must match the build, here 2017.4.30f1)
Generate C# code: 2'296.42 sec (about 38 minutes; expect a long run)
Il2CppDumper-YuanShen
A fork of Il2CppDumper (a dumper equivalent to Il2CppInspector's dump subcomponent).
Link: https://github.com/kagurazakasanae/Il2CppDumper-YuanShen
Hints:
    dump.cs is for manual lookup of class, method and field names.
    VA: 0x18xxxxxxx is the virtual memory address, assuming the default 64-bit DLL image base 0x180000000; the low seven hex digits are the RVA.

Cheat Engine
Use: Set breakpoints, rudimentary backtraces
Link: https://www.cheatengine.org/downloads.php
Only works partially on Linux!
Partially broken as of v3.3.0
Required settings:
Optional: copy & paste the x86_64 binary and rename it. That might avoid detection (at most name-based detection; the renamed copy is otherwise identical).
"Debug" instructions:
Once mhyprot2 (the game's anti-cheat driver) is running, suspend_start cannot stop the application any more.
¹) The 7 digits correspond to the virtual memory offset with the first byte removed: 0x181234567 becomes 0x1234567, i.e. the VA minus the 0x180000000 image base.
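The VA hint in the dumper section and the ¹) footnote describe the same conversion: the dumper prints addresses relative to the default 64-bit DLL image base 0x180000000, so dropping the leading 0x18 is just VA - ImageBase = RVA. Two more conversions are needed in practice: rebasing onto the base the module actually got in the live process (ASLR), and mapping an RVA to a file offset through the PE section table when a patch is to be written to disk. The following Python is an added example, not code from this page or from Il2CppDumper; the PE header it parses is constructed inline, and the dump.cs line format it scans (`// RVA: ... Offset: ... VA: ...`) is assumed.

```python
import re
import struct

PREFERRED_BASE = 0x180000000  # default image base of a 64-bit DLL; the dumper's VA column uses it


def ce_offset(va):
    """The footnote's 'drop the first byte': 0x181234567 -> 0x1234567 is simply VA - ImageBase."""
    return va - PREFERRED_BASE


def runtime_address(va, actual_base, preferred_base=PREFERRED_BASE):
    """Rebase a dump.cs VA onto the base the module actually got in the live process (ASLR)."""
    return va - preferred_base + actual_base


def dump_cs_vas(text):
    """Pull every 'VA: 0x...' out of dump.cs text (line format assumed, see the constructed sample)."""
    return [int(h, 16) for h in re.findall(r"\bVA:\s*0x([0-9A-Fa-f]+)", text)]


def parse_pe(data):
    """Return (image_base, sections) of a PE32+ image; sections = (name, va, span, raw_ptr, raw_size)."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)        # COFF NumberOfSections
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)   # COFF SizeOfOptionalHeader
    opt = e_lfanew + 24                                         # optional header follows the 20-byte COFF header
    magic, = struct.unpack_from("<H", data, opt)
    if magic != 0x20B:
        raise ValueError("only PE32+ (64-bit) images are handled")
    image_base, = struct.unpack_from("<Q", data, opt + 24)      # ImageBase is at +24 in the PE32+ optional header
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, max(vsize, raw_size), raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(va, image_base, sections):
    """Map a VA to the byte offset to patch on disk; refuses addresses that have no backing bytes in the file."""
    rva = va - image_base
    for name, sva, span, raw_ptr, raw_size in sections:
        if sva <= rva < sva + span:
            delta = rva - sva
            if delta >= raw_size:
                raise ValueError(f"{va:#x} lies in {name} past its raw data (uninitialised, nothing to patch)")
            return raw_ptr + delta
    raise ValueError(f"{va:#x} is not inside any section")


def build_sample_pe(image_base=PREFERRED_BASE):
    """Constructed minimal PE32+ header (DOS stub, COFF, optional header, two sections) for offline testing."""
    secs = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        (b".text", 0x1400000, 0x1000, 0x1400000, 0x400),
        (b".data", 0x2000, 0x1401000, 0x1000, 0x1400400),  # the upper 0x1000 bytes are zero-fill with no file bytes
    ]
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(240)                      # size of a PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)     # Magic: PE32+
    struct.pack_into("<Q", opt, 24, image_base)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(secs), 0, 0, 0, len(opt), 0x2022)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                    for n, vs, va, rs, rp in secs)
    return bytes(dos) + coff + bytes(opt) + hdrs


# Constructed dump.cs excerpt in the assumed line format.
CONSTRUCTED_DUMP_CS = """\
// RVA: 0x1234567 Offset: 0x1233967 VA: 0x181234567
public void Update() { }
"""

if __name__ == "__main__":
    base, secs = parse_pe(build_sample_pe())
    for va in dump_cs_vas(CONSTRUCTED_DUMP_CS):
        print(f"VA {va:#x}: CE offset {ce_offset(va):#x}, file offset {va_to_file_offset(va, base, secs):#x}, "
              f"live address if loaded at 0x7ff812340000: {runtime_address(va, 0x7ff812340000):#x}")
```

The file-offset mapping matters for the Ghidra/xdelta patch workflow above: a Ghidra patch is applied at a VA, but the bytes that end up in PATCH.vcdiff live at the section's PointerToRawData plus the offset inside the section, and anything past SizeOfRawData exists only in memory.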
x64dbg
Use: Debug processes, disassembling and memory modifications
Link: https://x64dbg.com/
Currently does not work in Wine
Anti-anti-debug: (thanks to 0x90, POL thread). The register values are presumably the x64 call arguments (RCX first, RDX second) at the native API entry points the checks go through; the call sites themselves are not listed here.
    gs:[60]+2 = 0            (x64: gs:[0x60] is the PEB pointer, PEB+0x02 is the BeingDebugged flag)
    gs:[60]+bc = 0           (x64: PEB+0xBC is NtGlobalFlag; mask 0x70, the three heap debug flags, is set in a debugger-created process)
    RDX = 0
    RCX = 0
    RDX = 0x7 // RDX = 0x1e  (PROCESSINFOCLASS 7 = ProcessDebugPort, 0x1e = ProcessDebugObjectHandle: the NtQueryInformationProcess checks)
    RCX = 0xDEADCODE
    RDX = 0x11               (THREADINFOCLASS 0x11 = ThreadHideFromDebugger, passed to NtSetInformationThread to hide a thread from the debugger)
Alternatively: ScyllaHide plugin
Alternatively: TitanHide (see Issue#7 for binaries)
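The gs:[60] rules and the RDX values above are the data a user-mode anti-debug check reads. The following C is an added example, not code from this page, from x64dbg or from the thread credited above; it spells out what those constants mean, evaluates the check the way a protected binary would, and shows that the breakpoint patches amount to clearing exactly the bits the check looks at. On Windows x64 it reads the real PEB and asks NtQueryInformationProcess; elsewhere it works on constructed values. The helper names are the editor's, and the RDX=0 / RCX=0 / RCX=0xDEADCODE rows, whose call sites the page does not name, are not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#ifdef _MSC_VER
#include <intrin.h>
#endif
#endif

/* Constants behind the anti-anti-debug rules listed above (x64 layouts). */
#define PEB_BEINGDEBUGGED        0x02   /* gs:[0x60] is the PEB pointer on x64; PEB+2 is BeingDebugged      */
#define PEB_NTGLOBALFLAG         0xBC   /* NtGlobalFlag; a debugger-created process gets the heap flags    */
#define NTGLOBALFLAG_HEAP_DEBUG  0x70   /* TAIL_CHECK 0x10 | FREE_CHECK 0x20 | VALIDATE_PARAMETERS 0x40    */
#define ProcessDebugPort         0x07   /* NtQueryInformationProcess class: the "RDX = 0x7" rule           */
#define ProcessDebugObjectHandle 0x1e   /* NtQueryInformationProcess class: the "RDX = 0x1e" rule          */
#define ThreadHideFromDebugger   0x11   /* NtSetInformationThread class: the "RDX = 0x11" rule (not probed) */

enum { HIT_BEINGDEBUGGED = 1, HIT_NTGLOBALFLAG = 2, HIT_DEBUGPORT = 4, HIT_DEBUGOBJECT = 8 };

/* Everything the check looks at: filled from the live process on Windows, constructed elsewhere. */
struct dbg_probe {
    uint8_t  being_debugged;      /* PEB+0x02 */
    uint32_t nt_global_flag;      /* PEB+0xBC */
    uint64_t debug_port;          /* NtQueryInformationProcess(ProcessDebugPort) */
    uint64_t debug_object_handle; /* NtQueryInformationProcess(ProcessDebugObjectHandle) */
};

/* The check as a protected binary would write it; returns a bitmask of the indicators that fired. */
unsigned anti_debug_verdict(const struct dbg_probe *p) {
    unsigned hits = 0;
    if (p->being_debugged)                           hits |= HIT_BEINGDEBUGGED;
    if (p->nt_global_flag & NTGLOBALFLAG_HEAP_DEBUG) hits |= HIT_NTGLOBALFLAG;
    if (p->debug_port)                               hits |= HIT_DEBUGPORT;
    if (p->debug_object_handle)                      hits |= HIT_DEBUGOBJECT;
    return hits;
}

/* What the breakpoint patches from the list amount to: clear exactly the bits the check reads, nothing else. */
void apply_antianti_patches(struct dbg_probe *p) {
    p->being_debugged = 0;
    p->nt_global_flag &= ~(uint32_t)NTGLOBALFLAG_HEAP_DEBUG;  /* only the 0x70 mask; other flags stay */
    p->debug_port = 0;
    p->debug_object_handle = 0;
}

#ifdef _WIN32
/* Live probe on Windows x64: read the PEB directly, the way an inlined check does (no IsDebuggerPresent). */
typedef LONG (NTAPI *NtQIP_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);
void probe_live(struct dbg_probe *p) {
    const uint8_t *peb;
#ifdef _MSC_VER
    peb = (const uint8_t *)__readgsqword(0x60);
#else
    __asm__ volatile("movq %%gs:0x60, %0" : "=r"(peb));
#endif
    p->being_debugged = peb[PEB_BEINGDEBUGGED];
    p->nt_global_flag = *(const uint32_t *)(peb + PEB_NTGLOBALFLAG);
    p->debug_port = p->debug_object_handle = 0;
    NtQIP_t q = (NtQIP_t)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");
    if (q) {   /* both calls leave the output untouched when no debugger is attached */
        q(GetCurrentProcess(), ProcessDebugPort, &p->debug_port, sizeof p->debug_port, NULL);
        q(GetCurrentProcess(), ProcessDebugObjectHandle, &p->debug_object_handle, sizeof p->debug_object_handle, NULL);
    }
}
#endif

/* Helpers over constructed values so the logic can be exercised on any platform. */
unsigned verdict_for(uint8_t bd, uint32_t ngf, uint64_t port, uint64_t obj) {
    struct dbg_probe p = { bd, ngf, port, obj };
    return anti_debug_verdict(&p);
}
unsigned verdict_after_patches(uint8_t bd, uint32_t ngf, uint64_t port, uint64_t obj) {
    struct dbg_probe p = { bd, ngf, port, obj };
    apply_antianti_patches(&p);
    return anti_debug_verdict(&p);
}

int main(void) {
    struct dbg_probe p = { 1, 0x70, 0xdead, 0 };   /* constructed: what a debugged process looks like */
#ifdef _WIN32
    probe_live(&p);                                 /* on Windows, replace the constructed values with real ones */
#endif
    printf("before patches: hits=0x%x\n", anti_debug_verdict(&p));
    apply_antianti_patches(&p);
    printf("after patches:  hits=0x%x\n", anti_debug_verdict(&p));
    return 0;
}
```

ScyllaHide and TitanHide automate the same thing (the former by hooking these reads in user mode, the latter from a kernel driver); the manual breakpoint rules are what to fall back on when a plugin is detected or unavailable.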
mitmproxy
Use: Capture the HTTP(S) traffic that goes through the proxy. TLS is terminated by mitmproxy, so its CA has to be trusted by the client; pinned connections and non-HTTP traffic are not captured (hence dnstop below).
Link: https://mitmproxy.org/
Hints:
    mitmdump -w output_file.mitm                             (record flows to a file; running as a regular user is okay)
    export {http,https,ftp}_proxy="http://127.0.0.1:8080"    (point processes that honour the proxy variables at mitmproxy; 8080 is its default port)
    mitmproxy -nr output_file.mitm                           (-n: start no proxy server, -r: read and inspect the recorded flows)
dnstop
Use: Capture DNS lookups for packets that mitmproxy cannot catch (traffic that bypasses the proxy still has to resolve hostnames)
    dnstop -l 4 NETDEVNAME     (-l 4: show up to four domain-name levels; sniffing needs root or CAP_NET_RAW)
Wine
    WINEDEBUG=+relay           (traces every Win32 API call the process makes; extremely verbose)
Wine 5.19, UnityPlayer 1.0.1:
Backtrace:
=>0 0x000000007b638000 EntryPoint+0x3a0() in kernel32 (0x00000000050cfe58)
1 0x00000001808637b8 EntryPoint+0xfeae9208() in unityplayer (0x00000000050cfe58)
2 0x000000007b631e09 EntryPoint+0xffffffffffffffff() in kernel32 (0x00000000050cfe58)
3 0x000000007bc4b5cf EntryPoint+0xffffffffffffffff() in ntdll (0x00000000050cfe58)
4 0x000000007b601b66 EntryPoint+0xffffffffffffffff() in kernel32 (0x0000000000000000)
5 0x000000007bc5e9b3 EntryPoint+0xffffffffffffffff() in ntdll (0x0000000000000000)
0x000000007b638000 EntryPoint+0x3a0 in kernel32: addb (%rax),%al
Reading the backtrace: frame 0 sits in kernel32 with no usable symbol, and the nonsensical offsets (0xffffffffffffffff, 0xfeae9208) mean winedbg has no symbols for unityplayer or for these ntdll/kernel32 frames, so the trace says little beyond where the fault was raised.
winedbg: detected as debugger.
gdb --args wine ...: cannot debug because SIGTRAP is spammed on purpose (stopping on every trap makes no progress). The process stalls when SIGTRAP is ignored with
    handle SIGTRAP nostop
    handle SIGTRAP noprint