18 June 2017

How to fix "error: only position independent executables (PIE) are supported."?

Some users are still using an old gdb and get the error "error: only position independent executables (PIE) are supported." when running gdb on Lollipop and above. That build only works on Android 4.2.2-4.4.4, ARM-based devices only.

To fix it, you must modify the linker file and take the risk of replacing it on your rooted device. Make a full backup or a Nandroid backup from recovery first.

If you do not like taking risks, please use Termux instead; it works on Lollipop, Marshmallow and above.

If you have an x86 device, please use GameGuardian.

7 June 2017

Wonder Tactics... Why can't I decrypt files?

I have been asked by some modders why they couldn't decrypt the .dll file or attach to the process.

Wonder Tactics is Secneo-protected. It has anti-tamper, anti-debugging, etc., and that protection is effectively playing hide and seek with us, which makes it harder to get the decrypted file. I can't get the decrypted .dex because the game crashes instantly when I attach to the process. They also make hacking tools fail to prevent us from decompiling the APK file, for example by creating long file names ("rwerwer3r203235r23r32523cv5235c3215c1xccn4b74b73v.....") above 255 bytes to trigger the 255-byte filename limit error on operating systems.
We don't have much gameplay freedom in their protected game anymore :( We uninstall the game if it gets harder, harder and boring.

To remove the protection, you must get the decrypted .dex file, but that is also hard to get due to the protections. If you are good at C++ coding, read more at https://www.alphagamers.net/threads/dump-dex-files.278417/

I don't have C++ coding skills unfortunately, and I'm not looking into this for now.
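As an added check (not part of the original post), the script below opens an APK's central directory with Python's zipfile module and lists entries whose path components exceed 255 bytes, which is why extraction fails on common filesystems before any decompiling starts. The sample APK and its entry names are constructed for the demo and are not taken from Wonder Tactics.

```python
import io
import zipfile

# Constructed sample APK (an APK is a zip): two ordinary entries and one whose
# final path component is far longer than the 255-byte filename limit.
LONG_NAME = "assets/" + "r" * 300 + ".bin"


def build_sample_apk() -> bytes:
    """Build the constructed APK in memory; nothing is written to disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr(LONG_NAME, b"junk")
    return buf.getvalue()


def find_unextractable_entries(apk_bytes: bytes, limit: int = 255):
    """Return (entry name, longest component length in bytes) for every entry
    that cannot be extracted because one path component exceeds `limit`.
    Only the central directory is read, so the check itself never trips the limit."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            longest = max(len(part.encode("utf-8")) for part in info.filename.split("/"))
            if longest > limit:
                hits.append((info.filename, longest))
    return hits


if __name__ == "__main__":
    for name, length in find_unextractable_entries(build_sample_apk()):
        print(f"{length}-byte component: {name[:40]}...")
```

Run it against a real APK by passing the file's bytes to find_unextractable_entries; an empty list means the archive will extract cleanly on a 255-byte filesystem.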

3 June 2017

.ba6 File Extension - What is a .ba6 file?

What is a .ba6 file?
A WAV audio file. These .ba6 files are from old Flash-based games on Android/iOS. They are uncompressed.

Which software will open it?
- Windows Media Player
- AVS Audio Converter

Can I rename .ba6 to .wav?
Yes, you can, but you may need an audio converter to play that file on every device.

.ba6 files were spotted in the GT Racing 1 data files at /sdcard/games/GloftGTFM
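An added example, not from the original post, to verify the claim before renaming: it reads the RIFF/WAVE header of a .ba6 file and reports whether it is plain PCM. The sample file is generated in memory with Python's wave module rather than taken from the game.

```python
import io
import struct
import wave


def build_sample_ba6() -> bytes:
    """Constructed stand-in for a .ba6 file: a tiny mono 16-bit PCM WAV
    (0.01 s of silence at 22050 Hz). Not an actual game asset."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(22050)
        w.writeframes(b"\x00\x00" * 220)
    return buf.getvalue()


def inspect_wav(data: bytes):
    """Return the PCM parameters if `data` is a RIFF/WAVE file, else None.
    The chunk list is walked rather than assuming 'fmt ' sits at offset 12,
    since some encoders put LIST/INFO chunks first."""
    if len(data) < 12 or data[0:4] != b"RIFF" or data[8:12] != b"WAVE":
        return None
    pos = 12
    while pos + 8 <= len(data):
        chunk_id = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        if chunk_id == b"fmt " and size >= 16 and pos + 8 + 16 <= len(data):
            fmt, channels, rate, _, _, bits = struct.unpack_from("<HHIIHH", data, pos + 8)
            return {
                "format_tag": fmt,
                "channels": channels,
                "sample_rate": rate,
                "bits_per_sample": bits,
                "uncompressed": fmt == 1,  # 1 = WAVE_FORMAT_PCM
            }
        pos += 8 + size + (size & 1)  # RIFF chunks are word-aligned
    return None


if __name__ == "__main__":
    print(inspect_wav(build_sample_ba6()))
```

If inspect_wav returns None for a file, it is not a WAV container and renaming it will not help; if uncompressed is False, the file is WAV but carries a codec, which is when the converter mentioned above is needed.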

2 June 2017

Android - How to disable "No location access" popup (Root needed)

Google recently pushed an update of Google Play Services with an annoying popup saying "no location access" when you reboot your device or turn off location. This is super annoying when it pops up on boot. I don't know what's going on with Google's designers; it seems they are working on annoying features for Android devices and plan to remove random features for no reason without any notice. You have been warned!


You can disable that annoying thing, but you need a rooted device and an app named DisableService. It can be downloaded from the Play Store.

Launch the DisableService app, tap on System, and select Google Play Services.


Click on full/short to show full service names, and uncheck com.google.android.location.util.PreferenceService. This disables the popup. It does NOT break the app, but that may happen if you do something wrong. Reboot your device and enjoy using it without the annoying popup from Google.

Thanks to Akmal_hyperion on XDA for this trick!

12 May 2017

Dumping files from custom OBB using BMS script

I found a script to dump the custom obb made by EA. It's not a zip version of obb like the others, but a self-made compressed obb, maybe FMOBB-02....

Note: This script may slow down and freeze your computer.

Download QuickBMS and extract it: http://aluigi.altervista.org/quickbms.htm

Copy the script and save it as a .txt file.

Launch quickbms.exe; a dialog box will appear. Select the .txt BMS script file.

A dialog box will open again; select the obb file.

For the last one, select the output folder you want. It will take some time to dump the files.

That's all. I don't know if it's possible to compress it back. I hope someone who is a binary expert will find out. In this game, I found some mp3, png... but there are a lot of .dat files. I don't know what these .dat files are. I deleted all the files after that because it froze my entire computer while explorer.exe was not responding. You can see more info about viewing car models, maps, etc. for NL and other games if you're interested.

NFS NL map. Source xentax.com

2 May 2017

Bypass signature check in Assembly-Csharp.dll

Well, that's pretty easy: just search for IsGenuine, GetSignature or InstalledFromRightLocation and make them return TRUE. They are all boolean.

Use dnSpy; it's much easier to edit code. Right click inside the method code, select "Edit Method (C#)..." and replace the body with "return true;"

Tip: Dump the source code from the dll and search for keywords in the files using Notepad++, then analyze them. It's much easier for me because I can search for a string, URL string, exact code, etc.

Keywords to search: Integrity, Check, Genuine, Signature, Installed, Location, etc.

How I found IsGenuine
First, I was analyzing ShowInvalidBuildError() but I was unable to locate the check, so I just dumped the entire source code and searched "signature" in the files using Notepad++ because it's much easier for me to find the useful code. My former friend told me that trick.

How I found InstalledFromRightLocation
I recorded a logcat using the Matlog app to find an error, and I found the interesting function ReceiveInstallFromWrongLocationError(),
so I took a look in dnSpy. I analyzed it, looked at InitOnStart(), and there is this code:
bool flag2 = AndroidUnityUtilWrapper.InstalledFromRightLocation();

InstalledFromRightLocation() is also an interesting method. It was a boolean, so I returned true and it worked!


14 April 2017

How to fully reset Fiddler Web Debugger Tool

If you have any problems with Fiddler and you can't figure out what's going on, follow this guide to fully reset Fiddler. Pressing SHIFT while launching Fiddler does not really help.

Open regedit.exe and navigate to "HKEY_CURRENT_USER\Software\Microsoft\". Right click on the Fiddler2 folder and delete it.


Open My Documents and delete the Fiddler2 folder.


Launch Fiddler. Open Options -> HTTPS, click on Actions -> Reset All Certificates. It will ask you to reset and add the certificate. Click OK or Yes when asked.

That's all. Fiddler should work correctly again :)

13 April 2017

APK Easy Tool v1.37 for Windows (GUI tool, user friendly)

This tool is signed, so the crappy 360 anti-virus should not detect it as a false-positive malware.

Windows Vista or newer (this tool will not work on Windows XP)
.NET Framework 4.5.2 or newer
Java SE/JDK is required to decompile, compile, and sign APKs. If you don't have Java installed, you can only use Zipalign or Install APK. Download and install Java SE/JDK now.

Apktool.jar version selections
Decompile APK
Compile APK
Sign APK after compile
Sign selected APK (it will clone the selected APK and sign it)
Sign compiled APK (If you forgot to sign your compiled APK, you can sign it)
SignAPK (signapk.jar v1.0)
Remember path when closed (the config will reset if the EXE file is moved somewhere else)
Framework installer (uses apktool.jar's commands)
Logs tab
Drag and drop file support
Full options of decompile and compile
Cancel button in waiting dialog box
Clear logs when exit
Allow path changes in textbox
Java heap option. Default 512m
Options to rename the apk file
Options to select apktool version.
Enable/Disable check for updates
Enable/Disable tips and ToolTips
and more...

How to use:
1. Download the EXE file, place it somewhere, and open it (when you open it, the resources required for this tool will be extracted to your personal documents)
2. Set the decompile and compile directory
3. Select the APK file you want to work with
4. Decompile the APK file, and do some work
5. Re-compile the APK and sign it, or whatever, when you are done.

You do not need to select the APK and set the directory if you use drag and drop.

Framework is for ROM developers and system app modders only.

It works the same way as on the command line :)

Link #1

Link #2

iAndroHacker (Creator of this tool)
ibotpeaches (Creator of apktool.jar)
Android SignAPK (Creator of signapk.jar)

1.37 (13 april 2017)
Fixed sign APK after compile
- Support for signing flashable ZIPs for ROM developers. You can drag and drop a ZIP file onto the Sign APK button to sign a ZIP file
Some minor fixes

More changelogs:

4 April 2017

How to dump and mod il2cpp games (Metadata v21-23) (2017)

Video tutorial by TechX Original: https://www.youtube.com/embed/BN5UCGP_5os

Most people asked me to make a new tutorial, so I did! I know it's very late, but I didn't have enough time to make the tutorial.

The il2cpp dumper helps you find the right function + offset to mod.

This guide is for people with IDA modding experience only!

- IDA Pro. Download link
- Notepad++. Download link
- Any hex editor software. I'm using Hex Workshop. Download link. (You can modify hex in IDA, but editing the file in a hex editor is the fastest way for me)
- Online ARM converter. Link to the website
- Basic C# and ARM knowledge. You don't really need to learn C#, but you should know simple C# code
- Know how to use IDA Pro
- Perfare or Katy's dumper. Links below

Extract required files from APK file:
Open the APK and extract the following files to dump:
- libil2cpp.so
- global-metadata.dat

Using Perfare's Il2CppDumper:

Launch Il2CppDumper.exe; the program wants you to select the ELF file or Mach-O file. Select the libil2cpp.so file. The dialog box should appear again; select the global-metadata.dat file.

The program asks you to select a mode: manual (1) or auto (2).

Auto mode:
Automatically finds the required offsets to dump il2cpp.
Press 2 and the file dump.cs will be created.

Skip reading manual mode if you don't want to use manual mode.

Manual mode:
The manual mode is the complicated way to dump il2cpp. Auto mode does tell you the offsets, but I would like to show you how to find the offsets to dump il2cpp manually.

Disassemble libil2cpp.so in IDA Pro. Click on Search -> Sequence of bytes...

Search for this hex sequence:
1C 00 9F E5 20 10 9F E5 00 20 8F E0
Click OK

IDA should jump to this function.

But there are no unk offsets, right? Now try this trick:
Right click on loc_xxxxxxx and select Create Function; you will get the unk offsets.

In the console app, press 1; it will ask you to input the CodeRegistration (R0). Input the unk offset of R0, R12, R2. Example: 15C70C4. Hit enter. Input MetadataRegistration (R1), and hit enter.

The dump.cs file will be created.

Using Katy's Il2CppInspector:

Skip this if you are using Perfare's Il2CppDumper

Extract the ZIP file. The il2cppdumper.exe can't be run with just a double-click, so you have to use CMD: "cd" to the path of Il2CppInspector, or click File -> Open command prompt, and type this command.

Il2CppDumper [<binary-file> [<metadata-file> [<output-file>]]]

What do these usage parts mean?

Il2CppDumper = Execute Il2CppDumper.exe file
<binary-file> = Path of libil2cpp.so
<metadata-file> = Path of global-metadata.dat
<output-file> = Output file. You can name the file. Example: dumpedfile.cs

This is my example:
il2cppdumper "D:\Android apps + data\Craft Royale\libil2cpp.so" "D:\Android apps + data\Craft Royale\global-metadata.dat" "D:\Android apps + data\Craft Royale\dumped.cs"

Hit enter and it will dump il2cpp for you. The dumped file will be created at the path you have given.

If you want to use the command anywhere, add its folder to the PATH environment variable in Advanced System Properties.

View the dumped file with Notepad++:
Right click on the dumped file and select Edit with Notepad++.
You'll see C# code. It's not the full code, but it tells you the function names and offsets to mod.
To search, click Search -> Find...
To find all occurrences of a keyword, click on Find All in Current Document.

If you have never seen C# code before, I'll explain a bit what this method means:

public static int get_IsCheater(); // e8e9cc

public is an access modifier. It can be private, protected, etc. This is not important to know.

static is a modifier that declares a static member. This is not important to know.

int is a data type. It can be float, double, bool, etc.

// e8e9cc is a comment. This tells you the real offset (sub_xxxxxx) to mod. You can search for it in the Functions window in IDA.

Fields and Properties are not moddable, so don't look at them. Only look at functions under // Methods.
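An added example (not the page's or Il2CppDumper's own code) that parses the dump.cs layout described above: it pulls name, return type and offset only from lines under // Methods, skipping Fields and Properties, and flags method names that describe a protection check in plain words, which is what a developer would want to rename or obfuscate before shipping, since the dumper exposes them verbatim. The excerpt is constructed; only get_IsCheater and its offset appear on the page, the other names and offsets are invented.

```python
import re

# Constructed excerpt in the layout of Il2CppDumper's dump.cs.
SAMPLE_DUMP_CS = """\
// Namespace: Game.Security
public class AntiCheat : MonoBehaviour
{
	// Fields
	private bool _flagged; // 0x10

	// Properties
	public bool IsCheater { get; }

	// Methods
	public static int get_IsCheater(); // e8e9cc
	public bool VerifySignature(string expected); // e8f010
	private void Update(); // e8f1a4
}
"""

# modifiers, return type, name, parameter list, then the "// <hex offset>" comment
METHOD_RE = re.compile(
    r"^\s*(?:(?:public|private|protected|internal|static|virtual|override|abstract)\s+)*"
    r"(?P<ret>[\w<>\[\].,]+)\s+(?P<name>\w+)\((?P<params>[^)]*)\);\s*//\s*(?P<offset>[0-9A-Fa-f]+)"
)


def parse_methods(text):
    """Return (name, return type, offset as int) for each line under // Methods.
    Fields and Properties blocks are skipped, as the note above says they are not moddable."""
    methods, in_methods = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("//"):
            in_methods = stripped == "// Methods"  # any other section header ends the block
            continue
        if stripped == "}":
            in_methods = False
        if not in_methods:
            continue
        m = METHOD_RE.match(line)
        if m:
            methods.append((m.group("name"), m.group("ret"), int(m.group("offset"), 16)))
    return methods


# Words that give away what a method checks; list is an assumption for the demo.
SENSITIVE = ("cheat", "signature", "genuine", "integrity", "tamper", "location")


def self_describing_methods(text):
    """Method names whose wording reveals a protection check."""
    return [name for name, _, _ in parse_methods(text)
            if any(word in name.lower() for word in SENSITIVE)]


if __name__ == "__main__":
    for name, ret, off in parse_methods(SAMPLE_DUMP_CS):
        print(f"{off:08x}  {ret} {name}")
    print("self-describing:", self_describing_methods(SAMPLE_DUMP_CS))
```

Feed the real dump.cs text to parse_methods to get a machine-readable offset table; the offsets are the same values the tutorial tells you to look up in IDA's Functions window.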

Modding an il2cpp game is the same as modding other .so files.

That's all.

Happy modding!

iAndroHacker (this tutorial)

29 March 2017

How to decrypt an encrypted .dll and other files using Termux app (Root only, 5.0 and up, ARM & x86)

I have found a new way to decrypt .dll and other files using Termux. In this tutorial, I'll show you how to decrypt an encrypted .dll file.

- Rooted device or emulator. ARM or x86.
- A powerful Android device: 1 GB RAM, 4 cores, 1.5 - 2.x GHz. If you have a low-end device, your device may freeze during dumping.
- Available free space on internal storage or SD card: 2 GB
- Requires Android 5.0 and up. Works on Marshmallow 6.0.1. Termux will not work on 4.4.4 and below.
- Termux app. It is available on the Play Store
- Modified WinHex for Windows (the free version will not work for this purpose).

There is no need for PIE patching. gdb 7.12 natively supports Android 5.0 and up.

If your device is running Kitkat 4.4.4 and below, please read my old tutorial: http://www.iandrohacker.net/2015/11/tutorial-how-to-decrypt-encrypted-dll.html

Does it work on Emulator?
Yes, Termux and GDB work, but it does not support dumping memory; it returns the error "Target does not support core file generation".


Finding the package name of the app:
Find the package name of the app you're going to hack!

This will be required to find the app in the terminal app we're going to use soon.
It's usually called "com.DEVELOPER_CODE.GAME_CODE".
You can find it by going (with your browser) to the Google Play website, looking for the game you have installed on your device and then copying what's next to "id=".
See screenshot:

Alternatively, you can install Package Name Viewer 2.0 from the Play Store and you'll find the package name of any app installed on your device.

If your device is running CyanogenMod/Lineage OS, you can go to Settings -> Apps and find the package name of any app installed on your device.


Termux setup and decryption:
Open Termux. It should look very similar to the following:

Type the following commands:

Tip: apt-get or apt doesn't matter. apt-get's most commonly used commands are available in apt

apt update
Update package information
apt-get update downloads the package lists from the repositories and "updates" them to get information on the newest versions of packages and their dependencies.

apt install gdb tsu
Install both gdb and tsu.

gdb is a process debugger

tsu is a root mode for Termux.

Press the home button and launch the game. Let the game fully load.

Open multitasking and go back to Termux.

Type the following commands:

Superuser mode
Grant root access to enter superuser mode on your device.

dumpsys meminfo | grep com*

Show process list
This command will search for all the running processes starting with "com." (the * is a wildcard symbol which means any letter/number/symbol). The package name of the game is always at the top. Don't forget to note it.
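An added example, not from the original tutorial, that does the same lookup in Python over constructed dumpsys meminfo lines. It uses an anchored prefix match instead of grep com*, which grep reads as the regex "co" followed by any number of "m" (and which the shell may first expand as a file glob if a matching filename exists), and it returns the exact pid needed for gdb -pid. The package names and PSS values in the sample are made up.

```python
import re

# Constructed sample of the "Total PSS by process" section printed by
# `dumpsys meminfo`; values are invented, the layout follows Android's output.
SAMPLE_MEMINFO = """\
Total PSS by process:
    201,456K: com.example.game (pid 12345 / activities)
     98,112K: com.android.systemui (pid 1396 / activities)
     12,004K: system (pid 1001)
      4,200K: comfortable.app (pid 2222)
"""

# "<pss>K: <process name> (pid <pid> ...)"
PROCESS_RE = re.compile(r"^\s*([\d,]+)K:\s+(\S+)\s+\(pid\s+(\d+)")


def list_processes(meminfo_text, prefix="com."):
    """(package, pid, PSS in KB) for every process whose name starts with `prefix`,
    in dumpsys order (highest PSS first). 'comfortable.app' is excluded because
    the match is on the literal 'com.' prefix, not on 'com' followed by anything."""
    rows = []
    for line in meminfo_text.splitlines():
        m = PROCESS_RE.match(line)
        if m and m.group(2).startswith(prefix):
            rows.append((m.group(2), int(m.group(3)), int(m.group(1).replace(",", ""))))
    return rows


def pid_of(meminfo_text, package):
    """Exact pid lookup for one package; None when that app is not running."""
    for name, pid, _ in list_processes(meminfo_text, prefix=""):
        if name == package:
            return pid
    return None


if __name__ == "__main__":
    for name, pid, pss in list_processes(SAMPLE_MEMINFO):
        print(f"{pid:>6}  {pss:>9} KB  {name}")
    print("pid of com.example.game:", pid_of(SAMPLE_MEMINFO, "com.example.game"))
```

On the device the input would be the text of dumpsys meminfo itself; the script only needs the text, so it can also be run on a copy pasted from the terminal.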


Exit Superuser mode

Root mode for Termux

gdb -pid <pid>

Attach to a process with gdb

gdb -pid 12345

Hit return to continue when asked.

Do not worry about any warnings like these that you may read in the terminal app:

gcore <path>
Save a core file

gcore /sdcard/thegametodump

Type Y when asked

This will take 3-5 minutes. Your device may freeze during dumping. Do not touch your device.


quit gdb
And detach from the process when asked
Or you can exit the Termux session from the notification

Connect your device to your computer and copy your dumped file. If the file does not appear, just create a folder and move the file there; this way Windows should be able to see it.

Recover decrypted files using WinHex
Open WinHex.exe
File -> Open... and select the dumped file
Tools -> Disk Tools -> File Recovery by Type

Click the "+" next to "Programs" (1) and check "Windows exec." (2). Now, select the folder where you want the new file to be generated under "Output Folder" (3).
Ensure "Complete byte-level search" is checked (4) and then click "OK" (5).

The file recovery will now begin and, when it finishes, you'll get a message like this:

Now, reach the location where you saved this file and delete all files with the ".com" extension. They're not needed and may only cause confusion.

You can finally close WinHex.
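An added example, not the page's or WinHex's code, showing what "File Recovery by Type" for Windows executables does underneath: scan the dump for MZ stubs, validate the PE signature via e_lfanew, and size the image from its section table so that stray "MZ" bytes (the kind that become the useless ".com" files mentioned above) are rejected. The sample dump, its fake PE and the section sizes are constructed for the demo, and the function names are hypothetical.

```python
import struct


def carve_pe(blob: bytes):
    """Return (offset, size) for every embedded PE image found in `blob`."""
    found = []
    pos = blob.find(b"MZ")
    while pos != -1:
        size = _pe_size_at(blob, pos)
        if size:
            found.append((pos, size))
            pos = blob.find(b"MZ", pos + size)   # skip past the image just carved
        else:
            pos = blob.find(b"MZ", pos + 1)      # bare 'MZ' bytes: keep scanning
    return found


def _pe_size_at(blob, base):
    """Size of the PE starting at `base`, or 0 if the header does not validate.
    Sections mapped in memory are laid out by VirtualAddress rather than
    PointerToRawData, so the larger of the two extents is used."""
    if base + 0x40 > len(blob):
        return 0
    e_lfanew = struct.unpack_from("<I", blob, base + 0x3C)[0]
    pe = base + e_lfanew
    if e_lfanew > 0x1000 or pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return 0
    num_sections = struct.unpack_from("<H", blob, pe + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]
    if not 0 < num_sections <= 96:
        return 0
    sect = pe + 24 + opt_size
    end = sect + 40 * num_sections            # at least the headers themselves
    for i in range(num_sections):
        off = sect + 40 * i
        if off + 40 > len(blob):
            return 0
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", blob, off + 8)
        end = max(end, raw_ptr + raw_size, vaddr + vsize)
    return min(end, len(blob) - base)         # truncated tail if the dump ended early


def build_sample_dump() -> bytes:
    """Constructed memory-dump stand-in: a bogus 'MZ' with no PE header, then one
    minimal PE (one section, 384 bytes on disk), then trailing junk."""
    img = bytearray(384)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)            # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x01C0, 1)      # Machine (ARM), NumberOfSections
    struct.pack_into("<H", img, 0x54, 0)               # SizeOfOptionalHeader (none, for brevity)
    sect = 0x58
    img[sect:sect + 8] = b".text\0\0\0"
    struct.pack_into("<II", img, sect + 16, 0x100, 0x80)  # SizeOfRawData, PointerToRawData
    return b"MZ" + b"\0" * 98 + bytes(img) + b"\xff" * 20


if __name__ == "__main__":
    dump = build_sample_dump()
    for offset, size in carve_pe(dump):
        print(f"PE at offset {offset:#x}, {size} bytes")
```

To use it on a real core file, read the file's bytes and slice each (offset, size) pair out to its own file; anything carve_pe returns already has a valid PE header, so the manual clean-up of ".com" leftovers is not needed.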

Happy modding!

x-ways devs (WinHex program)

Fredrik (Termux app)

TuTuApp leeched my APK MOD!!!

I thought the TuTu team were awesome modders, but unfortunately they aren't. They are leechers. They leeched my non-working APK mod and put it in their service.
Badly written English.
They also leeched the iOS version because the IPA mod 1.1.1 came from someone I don't know. There is still no IPA mod for 2.0.0

Niiiiiiiiice TuTu

It was fun playing the leeched SMR 1.1.1 mod on iOS. I won't donate to you for the iOS version anymore.
Never buy the TuTu app on iOS.

[Exclusive] CSR Racing 2 - How to hack bronze, silver, and gold keys

Exclusive tutorial for CSR2 hacking fans

I play legit, but I still really want to hack without getting banned, so I modified the keys and bought many gold crates. I did it 20 times and never got banned.

So today, I'm gonna show you all how to hack bronze, silver, and gold keys in dnSpy.

Extract the Managed folder from the APK file and load Assembly-CSharp.dll into dnSpy.
Make sure Assembly-CSharp.dll is selected.

Search for KeysEarned. Double click on GachaBronzeKeysEarned under PlayerProfile and it will highlight the code.

In the code, right click next to return this.ProfileData.GachaBronzeKeysEarned; and select "Edit Method (C#)...  Ctrl+Shift+E"

Change it to "return 200;"

In GachaBronzeKeysSpent change it to "return 100;"

So 200 - 100 = 100: you have 100 bronze keys.

Do the same with GachaSilverKeysEarned, GachaSilverKeysSpent, GachaGoldKeysEarned, GachaGoldKeysSpent.
You can use any number you want, but don't give it too large a number.

If I want to avoid getting banned, I will simply use some random numbers:

GachaBronzeKeysEarned = 202
GachaBronzeKeysSpent = 100
I have 102 bronze keys

GachaSilverKeysEarned = 103
GachaSilverKeysSpent = 50
I have 53 silver keys

GachaGoldKeysEarned = 21
GachaGoldKeysSpent = 10
I have 11 gold keys

Save the .dll file and replace the .dll file inside the APK file

Happy cheating! :)

Credit: iAndroHacker