game-hacking

https://github.com/dsasmblr/game-hacking

Cheat Engine

Hacking memory

Cheat engine have a feature called Dissect mono that can help hacking game's memory. This video series about using cheat engine is really useful.

https://wiki.cheatengine.org/index.php?title=Mono

https://github.com/cheat-engine/cheat-engine

[Open Source] A powerful, all-in-one game hacking tool with an extensive feature set. Varying versions for Mac, Linux, and Android can be found here. CE video tutorials here.

CrySearch Memory Scanner

https://www.crysearch.nl/

[Open Source] A memory scanner akin to Cheat Engine, but with different features and a cleaner UI.

可以找到mono.dll的起始地址，size是39700

搜字符串

搜索IsValidForCurrentMode

this.externalProcessMemory_0.ReadStringA(address) "IsValidForCurrentMode" string
+ address 0x0C1CDFDB System.IntPtr 现在是0x1254E325

this.externalProcessMemory_0.ReadStringA(address) "CanClickToConvertToStandard" string
+ address 0x0C1CDFF1 System.IntPtr 现在是0x1254E33B

0x3B-0x25=0x16

0xF1-0xDB=0x16

this.externalProcessMemory_0.ReadStringA(address) "get_SCALED_UP_LOCAL_SCALE" string
+ address 0x0C1CDE38 System.IntPtr 现在是 0x1254E182 相差0x0638 034A‬

this.externalProcessMemory_0.ReadStringA(address) "set_SCALED_UP_LOCAL_SCALE" string
+ address 0x0C1CDE52 System.IntPtr 现在是0x1254E19C 也是相差638 034A‬

0x9c-0x82=0x1A

public bool IsValidForCurrentMode()
        {
            return base.method_11<bool>("IsValidForCurrentMode", Array.Empty<object>());
        }

internal T method_11<T>(string string_4, params object[] object_0) where T : struct
        {
            return this.method_10<T>(string_4, null, object_0);
        }

internal T method_10<T>(string string_4, Class276.Enum20[] enum20_0, params object[] object_0) where T : struct
        {
            IntPtr intPtr = this.method_7(string_4, enum20_0, object_0);
            if (intPtr == IntPtr.Zero)
            {
                return default(T);
            }
            if (typeof(T) == typeof(bool))
            {
                IntPtr addr = MonoClass.Class276_0.method_26(intPtr);
                return (T)((object)(MonoClass.ExternalProcessMemory_0.Read<byte>(addr) > 0));
            }
            return MonoClass.ExternalProcessMemory_0.Read<T>(MonoClass.Class276_0.method_26(intPtr));
        }

internal IntPtr method_33(IntPtr intptr_37, string string_0, params Class276.Enum20[] enum20_0)
        {
            while (intptr_37 != IntPtr.Zero)
            {
                using (AllocatedMemory allocatedMemory = this.externalProcessMemory_0.CreateAllocatedMemory(256))
                {
                    allocatedMemory.AllocateOfChunk<IntPtr>("Itr");
                    IntPtr intPtr;
                    while ((intPtr = this.method_35(intptr_37, allocatedMemory["Itr"])) != IntPtr.Zero)
                    {
                        IntPtr address = this.method_37(intPtr);
                        if (this.externalProcessMemory_0.ReadStringA(address) == string_0)
                        {
                            if (enum20_0 != null)
                            {
                                Class276.Enum20[] array = this.method_31(intPtr);
                                if (array.Length != enum20_0.Length || !array.SequenceEqual(enum20_0))
                                {
                                    continue;
                                }
                            }
                            return intPtr;
                        }
                    }
                    intptr_37 = this.method_25(intptr_37);
                }
            }
            return IntPtr.Zero;
        }