GL-DEV
from here find the : @interface ScreenShot : NSObject { } - (void)takeScreenShotEx:(id)arg1; // IMP=0x00000000001b2aa8 - (void *)getBufFromImage:(id)arg1; // IMP=0x00000000001b2658 - (id)screenshotOfView:(id)arg1; // IMP=0x00000000001b24f4 - (id)getApp…
Edited :
and then go to game sdk of shadow but NOT the file above ! :
here you can name it Lua script helper to take screenshot ..
its take screenshot by Lua script then send it to server. to handle it its can NOT be swizzled like above one caz its not objc , so you have to do it with function table using read and right, and be careful here about integrity you (may) cough and get ban, not caz of write on function table method but for integrity check
i thing they do integrity check by read x function table pointer value and compare it with what they have as original pointer
and then go to game sdk of shadow but NOT the file above ! :
// Object Name: Class Client.ScreenshotMaker
// Size: 0x28 // Inherited bytes: 0x28
struct UScreenshotMaker : UObject {
here you can name it Lua script helper to take screenshot ..
its take screenshot by Lua script then send it to server. to handle it its can NOT be swizzled like above one caz its not objc , so you have to do it with function table using read and right, and be careful here about integrity you (may) cough and get ban, not caz of write on function table method but for integrity check
i thing they do integrity check by read x function table pointer value and compare it with what they have as original pointer
Pubg GL 3.5:
GWorld Fun: 0x1027dbb98
GWorld Data: 0x109c87fb0
GName Fun: 0x104526804
GName Data:0x1098248a0
lineOfSight: 0x1058f35b4
GUobject: 0x109aca290
HUD : 0x103107430
GEngine: 0x109c86db0
CanvasMap: 0x1099016a0
//by @saudgl
//@pubg_dev
GName Fun: 0x1046bec8c
GUObject : 0x109ca1910
Pubg KR 3.5
GName Fun: 0x1046e74a4
GUObject : 0x109cc7a10
@Bubg_dev
@saudgl
Bupg 3.5 VNG
GUObject 0x1099BC010
GNames func 0x10448928C
GNames data 0x109716600
GWorld func 0x102817F78
GWorld data 0x109B79D30
GEngine 0x109B78B30
Pubg KR 3.5
GUObject 0x109CC7A10
GNames func 0x1046E74A4
GNames fata 0x109A21DA0
GWorld func 0x102A75FA0
GWorld fata 0x109E85730
GEngine 0x109E84530
credits : prze666
shared from: @pubg_dev
updated ..
Learn about Frida on iOS ❤️ it's worth watching
https://youtu.be/TKWSwEGUyH8?si=D-SVhuCxduq7IDXj
r2con2024 - day 2 - Frida hooking tricks on non-jailbroken iOS - mrmacete
After removing the jailbreak superpowers, what options remain for placing Frida hooks in the context of an app process on iOS? A survey of "jailed" Frida hooking techniques and their trade-offs in terms of depth and requirements, with step-by-step practical…
BGMโI 3.5
GUObjectArray 3.5 = 0x109191c90
GNames_Fun 3.5 = 0x104046f70
by @g66lk
This is how Bupg gets the .text size and then hashes the section with SHA-256 or CRC32. I compute both hashes here, while they use CRC32.
#import <Foundation/Foundation.h>
#import <mach-o/dyld.h>
#import <mach-o/loader.h>
#import <CommonCrypto/CommonDigest.h>
#import <zlib.h> // For CRC32
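/// Logs the CRC32 and SHA-256 of the main executable's __TEXT,__text section.
///
/// The section is located by walking the load commands of image 0 and is hashed
/// from its mapped address, so both digests describe the code bytes as they are
/// in memory at the time of the call. Nothing is returned; results and failures
/// are written with NSLog.
void calculateHashesForTextSection() {
    const struct mach_header *header = _dyld_get_image_header(0); // Main executable
    if (!header) {
        NSLog(@"Failed to get mach header");
        return;
    }
    // The walk below assumes the 64-bit header and segment layout; refuse
    // anything else rather than misparse the load commands.
    if (header->magic != MH_MAGIC_64) {
        NSLog(@"Unsupported Mach-O magic: 0x%08x", header->magic);
        return;
    }

    const intptr_t slide = _dyld_get_image_vmaddr_slide(0);
    const uint8_t *cursor = (const uint8_t *)header + sizeof(struct mach_header_64);
    const uint8_t *const commandsEnd = cursor + header->sizeofcmds;

    for (uint32_t i = 0; i < header->ncmds; i++) {
        // Stop on a truncated or undersized command instead of reading past the
        // load-command area (a cmdsize of 0 would otherwise never advance).
        if ((size_t)(commandsEnd - cursor) < sizeof(struct load_command)) {
            break;
        }
        const struct load_command *cmd = (const struct load_command *)cursor;
        if (cmd->cmdsize < sizeof(struct load_command) ||
            cmd->cmdsize > (size_t)(commandsEnd - cursor)) {
            break;
        }

        if (cmd->cmd == LC_SEGMENT_64 && cmd->cmdsize >= sizeof(struct segment_command_64)) {
            const struct segment_command_64 *segCmd = (const struct segment_command_64 *)cmd;
            // segname and sectname are fixed 16-byte fields that need not be
            // NUL-terminated, so the comparison is bounded by the field size.
            if (strncmp(segCmd->segname, "__TEXT", sizeof(segCmd->segname)) == 0) {
                const struct section_64 *sections =
                    (const struct section_64 *)(cursor + sizeof(struct segment_command_64));
                // Never trust nsects beyond what cmdsize can actually hold.
                const size_t maxSections =
                    (cmd->cmdsize - sizeof(struct segment_command_64)) / sizeof(struct section_64);

                for (uint32_t j = 0; j < segCmd->nsects && j < maxSections; j++) {
                    if (strncmp(sections[j].sectname, "__text", sizeof(sections[j].sectname)) != 0) {
                        continue;
                    }

                    // Mapped address of the section: link-time address plus the
                    // image's load slide.
                    const uint8_t *textStart =
                        (const uint8_t *)((uintptr_t)sections[j].addr + (uintptr_t)slide);
                    uint64_t remaining = sections[j].size; // Size of .text section

                    // crc32() and CC_SHA256_Update() take 32-bit lengths, so feed
                    // the section in bounded chunks instead of truncating its size.
                    const uint32_t maxChunk = 0x40000000u;
                    uLong crc32Result = crc32(0L, Z_NULL, 0); // Initialize CRC32
                    CC_SHA256_CTX shaContext;
                    CC_SHA256_Init(&shaContext);

                    const uint8_t *position = textStart;
                    while (remaining > 0) {
                        const uint32_t chunk = remaining > maxChunk ? maxChunk : (uint32_t)remaining;
                        crc32Result = crc32(crc32Result, position, (uInt)chunk);
                        CC_SHA256_Update(&shaContext, position, (CC_LONG)chunk);
                        position += chunk;
                        remaining -= chunk;
                    }

                    uint8_t sha256Hash[CC_SHA256_DIGEST_LENGTH];
                    CC_SHA256_Final(sha256Hash, &shaContext);

                    // Convert SHA-256 to hex string
                    NSMutableString *sha256String = [NSMutableString string];
                    for (int k = 0; k < CC_SHA256_DIGEST_LENGTH; k++) {
                        [sha256String appendFormat:@"%02x", sha256Hash[k]];
                    }

                    NSLog(@"CRC32 of .text section: %08lx", crc32Result);
                    NSLog(@"SHA-256 of .text section: %@", sha256String);
                    return;
                }
            }
        }
        cursor += cmd->cmdsize;
    }

    NSLog(@"__TEXT,__text section not found");
}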
But the problem comes with the Lua script, which arrives from the server, like this:
-- Lua script to calculate `.text` size and hash
-- Reports the size and SHA-256 of the __TEXT,__text section to the host.
-- get_mach_header and compute_sha256 are expected to be supplied by the embedding app.
local image = get_mach_header()
local result = { size = 0, hash = "" }

-- Returns the first section of `seg` named "__text", or nil when there is none.
local function find_text_section(seg)
  for _, sec in ipairs(seg.sections) do
    if sec.name == "__text" then
      return sec
    end
  end
  return nil
end

-- Every __TEXT segment is inspected; a later match overwrites an earlier one.
for _, seg in ipairs(image.segments) do
  local sec = seg.name == "__TEXT" and find_text_section(seg) or nil
  if sec then
    result.size = sec.size
    result.hash = compute_sha256(sec.start, sec.size)
  end
end

-- Hand the result table back to the caller.
return result
#import <Foundation/Foundation.h>
#import "lua.h"
#import "lauxlib.h"
#import "lualib.h"
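// Defined further down in this file; declared here so the registration below compiles.
int getMachHeaderLua(lua_State *L);

/// Runs `script` in a fresh Lua state and logs the text size and hash it reports.
///
/// The result is taken from the table the chunk returns (fields `size` and
/// `hash`); if the chunk returns no table, the globals `size` and `hash` are
/// read instead. Errors are logged and the state is always closed.
///
/// @param script NUL-terminated Lua source. A NULL pointer is logged and ignored.
void executeLuaScript(const char *script) {
    if (!script) {
        NSLog(@"Lua Error: %s", "no script supplied");
        return;
    }

    lua_State *L = luaL_newstate();
    if (!L) {
        // luaL_newstate returns NULL when the state cannot be allocated.
        NSLog(@"Lua Error: %s", "could not allocate Lua state");
        return;
    }

    // NOTE(review): luaL_openlibs exposes the whole standard library, including
    // io and os, to the script. For a script that is delivered over the network,
    // consider opening only the libraries it actually needs.
    luaL_openlibs(L);

    // Provide app-specific functions to Lua (e.g., get_mach_header)
    lua_pushcfunction(L, getMachHeaderLua);
    lua_setglobal(L, "get_mach_header");

    // Load and execute the script
    if (luaL_dostring(L, script) == 0) {
        // A chunk's return values are left on the stack; a script that ends in
        // `return { size = ..., hash = ... }` defines no globals at all.
        if (lua_gettop(L) > 0 && lua_istable(L, -1)) {
            lua_getfield(L, -1, "size");
            lua_getfield(L, -2, "hash");
        } else {
            lua_getglobal(L, "size");
            lua_getglobal(L, "hash");
        }
        long long textSize = (long long)lua_tointeger(L, -2);
        const char *textHash = lua_tostring(L, -1);
        // lua_tostring yields NULL for values that are neither string nor number;
        // passing NULL to %s is undefined.
        NSLog(@"Text Size: %lld, Hash: %s", textSize, textHash ? textHash : "(null)");
    } else {
        const char *message = lua_tostring(L, -1);
        NSLog(@"Lua Error: %s", message ? message : "(non-string error)");
    }

    lua_close(L);
}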
// Example: mock for Lua
/// Placeholder Lua C function registered as `get_mach_header`.
///
/// Pushes a single empty table and reports one return value. A complete
/// version would fill the table with the segments and sections the script
/// iterates over.
int getMachHeaderLua(lua_State *L) {
    // Empty table, no preallocated array or hash slots.
    lua_createtable(L, 0, 0);
    // TODO: add segments, sections, etc. so the table simulates the Mach header.
    const int resultCount = 1; // the table pushed above
    return resultCount;
}
The Lua script is validated before it runs.
It is also obfuscated and carries a time-based token to prevent reuse.
conclusion: both must be handled ๐ฉ
And obfuscate and with time-based token to prevent reuse.
conclusion: both must be handled ๐ฉ
Bubg VNG 3.6
GWorld Fun : 0x10278fba0
GWorld Data: 0x10a171a00
GName Fun: 0x104510ef0
GName Data: 0x109aaa1a0
LineOfsight : 0x105a4e978
GUobject: 0x109f5c2a0
ActorArray : 0x105bb38a0
@pubg_dev
@saudgl
Bubg GL 3.6
GWorld Fun : 0x102829098
GWorld Data: 0x10a27bc80
GName Fun: 0x1045aa3e8
GName Data: 0x109bb4440
LineOfsight : 0x105ae7e70
@pubg_dev
@saudgl
ARMP_PUBGM_(v3.6.0)_64Bit 2.zip
4.3 MB
3.6.0 SDK | BUBG VN ๐ป๐ณby @D_V_4
shared from: @pubg_dev
ุดุงุช ุจุงูุนุฑุจู ุจูุงุก ุนูู ุทูุจ ุงูุฃุนุถุงุก ุชูุถู ุดุงุฑู ู
ุนูุง
https://t.me/pubg_dev_ar
@pubg_dev_ar
https://t.me/pubg_dev_ar
@pubg_dev_ar
pubgm vng 3.6
gobject 0x109F5C2A0
gname_func 0x104510EF0
gname_data 0x109AAA1A0
gengine 0x10A1707F0
gworld func 0x1028791CC
gworld data 0x10A171A00
pubgm gl 3.6
gobject 0x10A066520
gname func 0x1045AA3E8
gname data 0x109BB4440
gengine 0x10A27AA70
gworld func 0x1029126C4
gworld data 0x10A27BC80
pubgm tw 3.6
gobject 0x10A23DBA0
gname func 0x104742830
gname data 0x109D8B830
gengine 0x10A4520F0
gworld func 0x102AAAB0C
gworld data 0x10A453300
pubgm kr 3.6
gobject 0x10A267CA0
gname func 0x10476F14C
gname data 0x109DB5940
gengine 0x10A47C1F0
gworld func 0x102AD71F8
gworld data 0x10A47D400
Shared from :@pubg_dev
credits: prze666
Bubg GL 3.6
Yaw : 0x868
Pitch: 0x860
Roll : 0x870
@pubg_dev
@saudgl
Bubg offset 3.6.0 All Pubg Mobile
Offsets For Dolphin's Project Pubg
3.6.0 All Versions
By : @g66lk
Shared from @pubg_dev
Offsets For Dolphin's Project Pubg
3.6.0 All Versions
By : @g66lk
Shared from @pubg_dev
SelfOffset Offset: 0x2670
MouseOffset Offset: 0x468
CameraManagerOffset Offset: 0x4d0
PovOffset FIRST Offset: 0x1030 , second 0x10 , final: 0x1040
ULevelOffset Offset: 0x30
ObjectArrayOffset Offset: 0xa0
ObjectCountOffset Offset: 0xa8
StatusOffset Offset: 0xf80
TeamOffset Offset: 0x938
NameOffset Offset: 0x8f0
RobotOffset Offset: 0x9e9
HpOffset Offset: 0xdc0
AliveTEAM Offset: 0xaa0
HpmaxOffset Offset: 0xdc4
isDaed Offset: 0xddc
MeshOffset Offset: 0x498
HumanOffset Offset: 0x1a8
BonesOffset Offset: 0x878
OpenFireOffset Offset: 0x1650
OpenTheSightOffset Offset: 0x1051
WeaponOneOffset Offset: 0x27c8
ShootModeOffset Offset: 0xf0c
WeaponAttrOffset Offset: 0x1038
BulletSpeedOffset Offset: 0x508
RecoilOffset Offset: 0xc58
GoodsListOffset Offset: 0x890
DataBase Offset: 0x38
CoordOffset Offset: 0x1b0
CoordOffset_2 Offset: 0x168