Since I struggled with finding objects while reversing Unity games, I am going to show you how to find objects by class name.
First of all: this will only work for Mono games.
Games using IL2CPP compile the C# to native code and ship no Mono runtime to attach to, so they need another approach.
So first of all, what are objects in the Unity game engine?
Objects are instances of classes, for example the things that get rendered, the local player instance, and so on.
Sometimes a class holds a static property that provides a list of its instances.
If that's not the case we need to obtain them another way.
That's where "FindObjectsOfType" comes in handy.
First of all we need to initialize Mono so that our injected DLL gets access to all the game's internals.
"mono.dll" (newer Unity versions ship it as "mono-2.0-bdwgc.dll") exports a number of symbols which we can resolve with GetModuleHandle/GetProcAddress and use from our DLL.
You can get the C++ SDK from here: Mono SDK On Github
So let's add a file called "mono-loader.h" which resolves our Mono symbols so we can call them from C++.
This file will look like the following:
Resolving the symbols alone is not enough: we are still not ready to call our Mono functions, because a thread that was not created by the runtime has to attach to it first.
We fix that by calling "LoadMonoFunctions" and then executing "mono_thread_attach_func" with the domain returned by "mono_get_root_domain_func" at the beginning of our main thread.
This will look like the following:
Let's implement our "FindObjectsOfType" function.
To do that we need to look in dnSpy to see where it is defined.
If you look at "UnityEngine.CoreModule", you will see a class called "Object" in the "UnityEngine" namespace.
This class has a static function called "FindObjectsOfType" which takes an instance of "Type" as its argument (newer Unity versions also have a two-argument overload "FindObjectsOfType(Type, bool)", so make sure to pick the one-argument version).
To resolve the type from a string containing module, namespace and class name we need to look at "System.Type" in "mscorlib" within dnSpy. There we will find the static function "GetType".
So what do we need to do?
First of all we need to create a managed string that the engine can use to look up our type.
We can do that by defining a new function within our "MonoLoader" namespace called "MonoString".
This will create a Mono string instance inside the game's memory.
After that we can resolve our Type, which we then pass to "FindObjectsOfType", by declaring a few helper functions.
First of all we need a function to resolve a class.
After that a function to retrieve a Mono module (the image of an assembly).
After that we need a function to get a class method, and a function to compile that method once we have it, which gives us a native pointer we can call directly.
These are the needed implementations:
So let's create our helper functions so that we can later implement "GetObjectsOfType".
First of all we need to be able to retrieve the classes we need.
We can do that with the following implementations:
After that we can implement "GetObjectsOfType" pretty easily.
Have a look:
This function returns a pointer to a C# (Mono) array, which we can read with the following functions:
To find out why I am using these offsets, have a look at Cheat Engine's "Dissect mono" feature: a Mono array starts with the object header (vtable and sync block pointers), followed by the bounds pointer, the length, and then the elements.
So let's imagine we want to create an aimbot and retrieve all enemies in a game.
In the game I am trying to hack there is a class called "Enemy" which has no namespace and is declared in the "Assembly-CSharp" module.
To retrieve our enemy array and walk through it we can simply do the following:
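The whole procedure above (resolving the Mono exports, attaching the main thread, compiling "Type.GetType" and "UnityEngine.Object.FindObjectsOfType" to native pointers, and walking the returned array with the Mono array layout that the Cheat Engine offsets reflect) as one added example. This is my code, not the post's own code: "Enemy" and "Assembly-CSharp" are the names from the post and the mono_* export names and signatures are the standard Mono embedding API, but the MonoApi struct, the helper names, the "mono-2.0-bdwgc.dll" fallback and the fake-array builder used for offline testing are my assumptions.

```cpp
// Added example, not the post's own code: find all Unity objects of a class from an
// injected DLL through the mono embedding API, then walk the array it returns.
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>
struct MonoDomain; struct MonoThread; struct MonoAssembly; struct MonoImage;   // opaque handles
struct MonoClass; struct MonoMethod; struct MonoString; struct MonoObject; struct MonoArray;
// The mono exports this example needs, resolved from the runtime DLL at run time.
struct MonoApi {
    MonoDomain*   (*get_root_domain)();
    MonoThread*   (*thread_attach)(MonoDomain*);
    MonoAssembly* (*domain_assembly_open)(MonoDomain*, const char*);
    MonoImage*    (*assembly_get_image)(MonoAssembly*);
    MonoClass*    (*class_from_name)(MonoImage*, const char*, const char*);
    MonoMethod*   (*class_get_method_from_name)(MonoClass*, const char*, int);
    void*         (*compile_method)(MonoMethod*);
    MonoString*   (*string_new)(MonoDomain*, const char*);
};
// Type.GetType expects the assembly-qualified name "Namespace.Class, Assembly".
std::string AssemblyQualifiedName(const std::string& ns, const std::string& cls,
                                  const std::string& assembly) {
    return (ns.empty() ? cls : ns + "." + cls) + ", " + assembly;
}
// Mono array: object header (vtable, sync), bounds ptr, max_length, 8-aligned elements. 64-bit: 0x18/0x20, 32-bit: 0x0C/0x10.
struct MonoArrayLayout { size_t lengthOffset; size_t dataOffset; };
MonoArrayLayout ArrayLayoutFor(size_t ptrSize) {
    return {3 * ptrSize, 4 * ptrSize};   // 4 * ptrSize is already 8-aligned for both pointer sizes
}
// Reads every element of a reference array (object[]) as a raw pointer value.
std::vector<uintptr_t> ReadReferenceArray(const void* array, size_t ptrSize) {
    std::vector<uintptr_t> out;
    if (!array) return out;                         // lookup failed, nothing to walk
    MonoArrayLayout L = ArrayLayoutFor(ptrSize);
    const uint8_t* base = static_cast<const uint8_t*>(array);
    auto rd = [&](size_t off) { uintptr_t v = 0; std::memcpy(&v, base + off, ptrSize); return v; };
    for (uintptr_t i = 0, n = rd(L.lengthOffset); i < n; ++i)
        out.push_back(rd(L.dataOffset + i * ptrSize));
    return out;
}
// Constructed sample for offline testing: byte image of an object[] holding the given pointers.
std::vector<uint8_t> BuildFakeReferenceArray(const std::vector<uintptr_t>& elems, size_t ptrSize) {
    MonoArrayLayout L = ArrayLayoutFor(ptrSize);
    std::vector<uint8_t> buf(L.dataOffset + elems.size() * ptrSize, 0);
    uintptr_t len = elems.size();
    std::memcpy(buf.data() + L.lengthOffset, &len, ptrSize);
    for (size_t i = 0; i < elems.size(); ++i)
        std::memcpy(buf.data() + L.dataOffset + i * ptrSize, &elems[i], ptrSize);
    return buf;
}
// assembly -> image -> class -> method (names as dnSpy shows them), JIT-compiled to native code.
static void* CompileStatic(const MonoApi& api, MonoDomain* domain, const char* assembly,
                           const char* ns, const char* cls, const char* method, int argc) {
    MonoAssembly* a = api.domain_assembly_open(domain, assembly);
    MonoImage* image = a ? api.assembly_get_image(a) : nullptr;
    MonoClass* klass = image ? api.class_from_name(image, ns, cls) : nullptr;
    MonoMethod* m = klass ? api.class_get_method_from_name(klass, method, argc) : nullptr;
    return m ? api.compile_method(m) : nullptr;
}
// UnityEngine.Object.FindObjectsOfType(Type.GetType(typeName)); nullptr on any failure.
MonoArray* FindObjectsOfType(const MonoApi& api, const std::string& typeName) {
    MonoDomain* domain = api.get_root_domain();
    api.thread_attach(domain);   // required before a foreign thread may touch the runtime
    using GetTypeFn = MonoObject* (*)(MonoString*); using FindFn = MonoArray* (*)(MonoObject*);
    void* gt = CompileStatic(api, domain, "mscorlib", "System", "Type", "GetType", 1);
    void* fo = CompileStatic(api, domain, "UnityEngine.CoreModule", "UnityEngine", "Object", "FindObjectsOfType", 1);
    if (!gt || !fo) return nullptr;
    MonoObject* type = reinterpret_cast<GetTypeFn>(gt)(api.string_new(domain, typeName.c_str()));
    return type ? reinterpret_cast<FindFn>(fo)(type) : nullptr;
}
#ifdef _WIN32   // the injection side only builds on Windows
#include <windows.h>
#define RESOLVE(f, n) ((api.f = reinterpret_cast<decltype(api.f)>(GetProcAddress(mod, n))) != nullptr)
// Newer Unity builds ship the runtime as mono-2.0-bdwgc.dll, older ones as mono.dll.
static bool LoadMonoApi(MonoApi& api) {
    HMODULE mod = GetModuleHandleA("mono-2.0-bdwgc.dll"); if (!mod) mod = GetModuleHandleA("mono.dll");
    return mod && RESOLVE(get_root_domain, "mono_get_root_domain")
        && RESOLVE(thread_attach, "mono_thread_attach")
        && RESOLVE(domain_assembly_open, "mono_domain_assembly_open")
        && RESOLVE(assembly_get_image, "mono_assembly_get_image")
        && RESOLVE(class_from_name, "mono_class_from_name")
        && RESOLVE(class_get_method_from_name, "mono_class_get_method_from_name")
        && RESOLVE(compile_method, "mono_compile_method")
        && RESOLVE(string_new, "mono_string_new");
}
// "Enemy" in "Assembly-CSharp" is the class from the post; every element is a MonoObject*.
static DWORD WINAPI MainThread(LPVOID) {
    MonoApi api{};
    if (!LoadMonoApi(api)) return 1;
    MonoArray* enemies = FindObjectsOfType(api, AssemblyQualifiedName("", "Enemy", "Assembly-CSharp"));
    return ReadReferenceArray(enemies, sizeof(void*)).empty() ? 2 : 0;
}
BOOL WINAPI DllMain(HINSTANCE, DWORD reason, LPVOID) {
    if (reason == DLL_PROCESS_ATTACH) CreateThread(nullptr, 0, MainThread, nullptr, 0, nullptr);
    return TRUE;
}
#endif
```

The name, layout and array-walking helpers are portable and can be checked offline against the constructed array image; only the loader and DllMain need Windows. The element pointers you get back are MonoObject* instances of "Enemy", whose fields sit at the offsets dnSpy or Cheat Engine's mono dissector shows. One caveat: newer Unity versions also declare a generic "FindObjectsOfType<T>(bool)" with one parameter, so if mono_class_get_method_from_name hands you the wrong overload, resolve the method by full signature with mono_method_desc_new("UnityEngine.Object:FindObjectsOfType(System.Type)", 1) and mono_method_desc_search_in_class instead.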
To better explain the "GetObjectsOfType" function:
the first argument is the type name string, which "Type.GetType" expects in assembly-qualified form:
"<classname>, <module-name>". If the class lives in a namespace, the namespace is prefixed to the class name:
"<namespace>.<classname>, <module-name>".
Well. From there on you are ready to hack!
Happy Hacking!