Open Kneesnap opened 4 years ago
I am currently looking into the obfuscation. It appears that function names and parameter names are being obfuscated by BeeByte here; everything else can be easily de-obfuscated by beeless, a BeeByte deobfuscator. I've read that someone on unknowncheats actually made a deobfuscator for the Among Us obfuscation, but until we can confirm that it works we will have to wait.
My thoughts on this: We could take the previous version of the decompiled .hpp/.cpp and compare it to the current de-obfuscated one. If functions are still in the same position we could write a script which translates all the function names and parameter names to the new files. After that is finished we could repeat this step from previous version to next version and so on.
The addresses are different, but the order is the same. Whatever we do, we should figure out a solution to make it future-proof.
I just compared the files and noticed the line counts aren't the same in il2cpp-functions.h and il2cpp-types.h
Maybe obfuscation by adding garbage functions and datastructs or actual new functionality? Hard to believe that 30k+ lines were added to il2cpp-functions.h with actual functionality. I assume it's part of the obfuscation.
Maybe we could integrate de4dot into Il2CppInspector to implement the de-obfuscation process in there.
Any other ideas?
Yeah but if we have the old binary we can generate FLIRT signatures or something to that effect. That way any extra functions don't matter.
I almost finished manually reversing all the necessary functions and types to make the cheat work again. I could need your help. I need the obfuscated name for Palette; if somebody can find out which one it is, we can make this cheat run again! Everything else I already finished.
For some reason it's missing in the il2cpp-types-ptr.h; the only thing left there is the obfuscated TempData Type. Everything else I was able to find. If anyone can find the obfuscated name for Palette I would appreciate it!
previous version:
new version:
There we go. I was finally able to update all the necessary Types and Functions to make it work again !
The issue with hardcoding new names like that is that the obfuscator can just generate new names on build different from the current ones.
A good solution for this is creating signatures so that function offsets may be found automatically by the cheat, but that requires some effort.
We also need to access TypeInfo which may be harder to create signatures for since they are all in a huge contiguous list of pointers
> For some reason it's missing in the il2cpp-types-ptr.h only thing left there is the obfuscated TempData Type. Everything else I was able to find. If anyone can find the obfuscated name for Palette I would appreciate it !
DO_TYPEDEF(0x01468854, Palette);
Hello, why can't I compile the DLL to upgrade something? I got so many errors ("462"). Example: cannot open source file "vcruntime.h", "stdarg.h", "vcruntime-string.h", attribute "noreturn" does not apply here, expected a ')'
I use VS Code (Release, x86); either I'm stupid, or my VSC doesn't support it, or something else...
cracked among us v2020.9.9s
taken from https://igg-games.com/among-us-free-download.html using wayback machine
I don't think that link belongs here. If anything, maybe xdeltas should be included to turn the steam version into 2020.9.9s, but certainly not a full download.
On Sat, Oct 10, 2020, 1:58 AM mathmakgakpak notifications@github.com wrote:
> this is cracked among us 2020.9.9s https://drive.google.com/file/d/1iAFiihoFYooBpHAU1qkyo-SoTuBHeZHz/view if someone needs
> taken from https://igg-games.com/among-us-free-download.html
i know but i didn't know where i could post it
@Kneesnap you seem to know a bit about code; is christware a virus? see the latest issue i opened to see what i mean
Unfortunately, it appears upgrading to v2020.9.22s will provide some additional hurdles. After updating the il2cpp mappings, it appears some obfuscation has been applied, which will make updating to new versions somewhat of a pain. I propose some kind of macro-based solution, if not trying some kind of automated obfuscation mappings generator which uses the data from previous versions before obfuscation was applied. I'm not familiar with how such a thing could be applied to il2cpp unfortunately.
This issue is likely a duplicate of #12.