Dead Frontier: Finding Aob Hacks

[pr2hack]

The process of finding Array of Byte codes for a Unity game isn't that hard (unless the game's scripts are obfuscated ).

The programs you need: .Net Reflector, Unity3D Obfuscator, Raw Data AoB Extractor, and Cheat Engine.

Step 1: Getting the .unity3d file.

-Load Dead Frontier and go to the city.
-Right click on the side of the page and select View Page Info.
-Click on Media on the top of the pop-up page and select the .unity3d file.
-click on save as and place it on your desktop.
*picture below shows the popup page



Step 2: Extracting the .dll files from .unity3d file.

-Open Unity3dObfuscator.
-Select New Project (wizard).
-Set source type to "Web Player, Web Player Streamed...", select the dead frontier .unity3d file and click finish.
-Click on Unpack Web Archive in a directory (.unity3d) and place it on your desktop.
-Close the popup that comes up and go to your desktop.
*picture below shows the .dll files of dead frontier



Step 3: Viewing scripts

-Open .Net Reflector.
-Select your recent .net framework version.
-Open a .dll file (i.e. Assembly-UnityScript.dll) by clicking on file -> Open Assembly.
-View scripts of the .dll file (take your time and look at the logic of the game dynamics).
-Set the script language to IL once you found a script you wish to convert to AoBs.
-Go to bottom of script and click on expand methods (if popup occurs, select the .dll file you opened up).
-Select the whole or part of a script that you wish to convert to AoBs (i.e. Disable Zombie Attack's script).
*If you can't highlight the script, click on tools -> options and close the options popup (it should fix the issue).
-Paste them on a text file (for safe-keeping).
*Picture below shows .Net Reflector



Step 4: Converting IL script to AoB

-Open Raw Data AoB Extractor
-Click on Unity (IL DASM -> bytecode).
-Paste IL script you pasted on your text file and click Generate Instructions.
-Select the whole generated instructions IL script and paste it on your text file (delete the other IL script if you want).
-Click on Get AoB and paste it on your text file.
*Picture Below Shows Raw Data AoB Extractor



Step 5: Finding bytes for wildcard ?? (lowers address count in Cheat Engine)

-Open cheat engine.
-Set value type to Array of Byte.
-Select your process (i.e. Firefox: plugin-container.exe).
-Paste huge chunk of byte data in text field and click scan
*If no addresses pop up, you have to find the byte data for a small portion of the IL script (i.e. Disable Zombie Attack).
-Select the addresses and click on red arrow.
-Select all the pasted addresses and right click (change record -> value)
-Copy the whole AoB and paste it on a text file.
*Picture below shows IL string for Disable Zombie Attack and it's full AoB



Step 6: Setting AoB modifications in Dead Frontier

*In this video, the AoB used is a wildcard version of Disable Zombie Attack; since only 3 addresses popped up, you don't have to worry about Step 5.



**If you want to find out what to replace for the original AoB, you have to learn about hexadecimals and their meanings.

This is the whole process of hacking Dead Frontier and other Unity games

[demondays1]

Nice job!

[HowlingNight]

Does this still work and is it able to be detected?

[lekedu]

Mmmh I'm new at thi AOB thing, i see a couple of things that could be edited in the dll, like damage multiplier, but how do i translate that into a cheat engine array??
Any little help wpuld be appreciated.

PS thi is what i mean

L_0022: ldarg.0
L_0023: ldc.r4 1
L_0028: stfld float32 ACF_(bunch of numbers)/$::$damageMulti$1570

By changing that ldc.r4 1 to 2, 3, 1000 the damage would be miltiplied...maybe, but how do i turn it into a searchable array in CE.

[demonika1996]

man you have a metod to find a god mode ? .. a name or something ? please answer

[demonika1996]

Pr2Hack this is good for make a godmode ? or how to find the god mode or any like life hack or damage x3-4 .. .. please answer anybody

[lai007]

oh man, there are so many codes and i am so confused what to start

[Iridionium]

Hey , Guys I found a script in XCF_ff41ac2be57e18edd9e068aa4f79c36839c01d42

.method public hidebysig static object GainExp(object exp) cil managed
{
.maxstack 27
.locals init (
[0] object obj2,
[1] float32 num,
[2] object obj3)
L_0000: ldsfld bool XCF_ff41ac2be57e18edd9e068aa4f79c36839c01d42::expO n
L_0005: brtrue.s L_0025
L_0007: ldc.i4.5
L_0008: switch (L_0007)
L_0011: ldc.i4.1
L_0012: brtrue.s L_001a
L_0014: ldtoken object XCF_ff41ac2be57e18edd9e068aa4f79c36839c01d42::Gain Exp(object)
L_0019: pop
L_001a: ldc.i4.0
L_001b: box int32
L_0020: br L_0181
L_0025: ldtoken [UnityScript.Lang]UnityScript.Lang.UnityBuiltins
L_002a: call class [mscorlib]System.Type [mscorlib]System.Type::GetTypeFromHandle(valuetype [mscorlib]System.RuntimeTypeHandle)
L_002f: dup
L_0030: pop
L_0031: ldstr "parseInt"
L_0036: ldc.i4.1
L_0037: newarr object
L_003c: dup
L_003d: ldc.i4.0
L_003e: ldstr "MainPlayerStats_df_hungerhp"
L_0043: call object XCF_0e36aebce4fd6fab3500877fa110b24485403d25::XCF_ 7660648041b7ebec8b080c77b5da30cfee023570(object)
L_0048: dup
L_0049: pop
L_004a: stelem.ref
L_004b: ldtoken [UnityEngine]UnityEngine.MonoBehaviour
L_0050: call class [mscorlib]System.Type [mscorlib]System.Type::GetTypeFromHandle(valuetype [mscorlib]System.RuntimeTypeHandle)
L_0055: call object [UnityScript.Lang]UnityScript.Lang.UnityRuntimeServices::Invoke(obje ct, string, object[], class [mscorlib]System.Type)
L_005a: dup
L_005b: pop
L_005c: stloc.0
L_005d: ldc.r4 1.5
L_0062: stloc.1
L_0063: ldstr "op_LessThan"
L_0068: ldloc.0
L_0069: ldc.i4.s 0x4b
L_006b: box int32
L_0070: call object [Boo.Lang]Boo.Lang.Runtime.RuntimeServices::InvokeBinaryOper ator(string, object, object)
L_0075: call bool [Boo.Lang]Boo.Lang.Runtime.RuntimeServices::ToBool(object)
L_007a: dup
L_007b: pop
L_007c: brfalse.s L_008e
L_007e: ldc.i4.6
L_007f: switch (L_007e)
L_0088: ldc.r4 1.2
L_008d: stloc.1
L_008e: ldstr "op_LessThan"
L_0093: ldloc.0
L_0094: ldc.i4.s 50
L_0096: box int32
L_009b: call object [Boo.Lang]Boo.Lang.Runtime.RuntimeServices::InvokeBinaryOper ator(string, object, object)
L_00a0: call bool [Boo.Lang]Boo.Lang.Runtime.RuntimeServices::ToBool(object)
L_00a5: brfalse.s L_00b7
L_00a7: ldc.i4.7
L_00a8: switch (L_00a7)
L_00b1: ldc.r4 0.9
L_00b6: stloc.1
L_00b7: ldstr "op_LessThan"
L_00bc: ldloc.0
L_00bd: ldc.i4.s 0x19
L_00bf: box int32
L_00c4: call object [Boo.Lang]Boo.Lang.Runtime.RuntimeServices::InvokeBinaryOper ator(string, object, object)
L_00c9: dup
L_00ca: pop
L_00cb: call bool [Boo.Lang]Boo.Lang.Runtime.RuntimeServices::ToBool(object)
L_00d0: brfalse.s L_00e2
L_00d2: ldc.i4.3
L_00d3: switch (L_00d2)
L_00dc: ldc.r4 0.6
L_00e1: stloc.1
L_00e2: ldtoken [UnityScript.Lang]UnityScript.Lang.UnityBuiltins
L_00e7: call class [mscorlib]System.Type [mscorlib]System.Type::GetTypeFromHandle(valuetype [mscorlib]System.RuntimeTypeHandle)
L_00ec: ldstr "parseInt"
L_00f1: ldc.i4.1
L_00f2: newarr object
L_00f7: dup
L_00f8: ldc.i4.0
L_00f9: ldstr "op_Multiply"
L_00fe: ldtoken [UnityScript.Lang]UnityScript.Lang.UnityBuiltins
L_0103: call class [mscorlib]System.Type [mscorlib]System.Type::GetTypeFromHandle(valuetype [mscorlib]System.RuntimeTypeHandle)
L_0108: dup
L_0109: pop
L_010a: ldstr "parseFloat"
L_010f: ldc.i4.1
L_0110: newarr object
L_0115: dup
L_0116: ldc.i4.0
L_0117: ldarg.0
L_0118: stelem.ref
L_0119: call object [Boo.Lang]Boo.Lang.Runtime.RuntimeServices::Invoke(object, string, object[])
L_011e: dup
L_011f: pop
L_0120: ldloc.1
L_0121: box float32
L_0126: call object [Boo.Lang]Boo.Lang.Runtime.RuntimeServices::InvokeBinaryOper ator(string, object, object)
L_012b: dup
L_012c: pop
L_012d: stelem.ref
L_012e: ldtoken [UnityEngine]UnityEngine.MonoBehaviour
L_0133: call class [mscorlib]System.Type [mscorlib]System.Type::GetTypeFromHandle(valuetype [mscorlib]System.RuntimeTypeHandle)
L_0138: dup
L_0139: pop
L_013a: call object [UnityScript.Lang]UnityScript.Lang.UnityRuntimeServices::Invoke(obje ct, string, object[], class [mscorlib]System.Type)
L_013f: dup
L_0140: pop
L_0141: starg exp
L_0145: nop
L_0146: nop
L_0147: ldstr "op_Addition"
L_014c: ldtoken [UnityScript.Lang]UnityScript.Lang.UnityBuiltins
L_0151: call class [mscorlib]System.Type [mscorlib]System.Type::GetTypeFromHandle(valuetype [mscorlib]System.RuntimeTypeHandle)
L_0156: ldstr "parseInt"
L_015b: ldc.i4.1
L_015c: newarr object
L_0161: dup
L_0162: ldc.i4.0
L_0163: ldstr "GameplayStats_Exp"
L_0168: call object XCF_bc8e50bbd99691d87a36838067bdabfa32d9ed31::XCF_ 7660648041b7ebec8b080c77b5da30cfee023570(object)
L_016d: dup
L_016e: pop
L_016f: stelem.ref
L_0170: call object [Boo.Lang]Boo.Lang.Runtime.RuntimeServices::Invoke(object, string, object[])
L_0175: dup
L_0176: pop
L_0177: ldarg.0
L_0178: call object [Boo.Lang]Boo.Lang.Runtime.RuntimeServices::InvokeBinaryOper ator(string, object, object)
L_017d: dup
L_017e: pop
L_017f: stloc.2
L_0180: ldarg.0
L_0181: ret
}

I'm hoping that somehow , by changing the XP multiplier , I can make the character receive 5x Xp , 10x Xp etc.

I copied a section of the code and got this :



72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 A2 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 0A 22 ?? ?? ?? ?? 0B 72 ??
?? ?? ?? 06 1F ?? 8C ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 2C ?? 1C 45 ?? ?? ?? ?? ?? ?? ?? ?? 22 ?? ?? ?? ??
0B 72 ?? ?? ?? ?? 06 1F ?? 8C ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 1D 45 ?? ?? ?? ?? ?? ?? ?? ?? 22 ?? ?? ?? ??
0B 72 ?? ?? ?? ?? 06 1F ?? 8C ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 28 ?? ?? ?? ?? 2C ?? 19 45 ?? ?? ?? ?? ?? ?? ?? ?? 22 ?? ?? ??
?? 0B D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 17 8D ?? ?? ?? ?? 25 16

Change to :

72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 A2 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 0A 22 ?? ?? ?? ?? 0B 72 ?? ?? ?? ??
06 1F ?? 8C ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 2C ?? 1C 45 ?? ?? ?? ?? ?? ?? ?? ?? 22 ?? ?? ?? ?? 0B 72 ?? ?? ?? ??
06 1F ?? 8C ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 1D 45 ?? ?? ?? ?? ?? ?? ?? ?? 22 ?? ?? ?? ?? 0B 72 ?? ?? ?? ?? 06 1F ??
8C ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 26 28 ?? ?? ?? ?? 2C ?? 19 45 ?? ?? ?? ?? ?? ?? ?? ?? 22 ?? ?? ?? ?? 0B D0 ?? ?? ?? ?? 28 ?? ?? ?? ??
72 ?? ?? ?? ?? 17 8D ?? ?? ?? ?? 25 16



Can somebody make it simpler ? Thanx..........

[silagava]

what is this code for?

[acxcvxcvsadawewe]

are you still messing with it if so contact me @ person_wannabe on skype we might be able to work together :/