Decrypt search/help for beginners

Hi everyone. Since there are still people who have been working on Rust for more than a month and still do not understand how to find offsets in the dump, and who ask questions in the reversing thread, I will describe everything in simple words and give an example for each point.
Don't be afraid to run IDA, your brain will not fail. At first, just study IDA on any simple file: how it works, the basic functionality and so on. Then practice every day on GameAssembly.
The programs shown in this thread are IDA, il2cppdumper and any text editor for finding offsets; I use Visual Studio Code.
Let's start with the offsets.

1. BaseNetworkable_c
Be sure you have the latest version of the game downloaded, and do a dump using il2cppdumper (video - https://rutube.ru/video/520af3664dcb…t=yastatic.net).

Open your script.json and dump.cs in your text editor.
First we need to open dump.cs and search (CTRL + F) for the class BaseNetworkable.%, then find a class similar to the one on the screenshot. The hash always changes.
Once you have found it, copy BaseNetworkable.% (as on the screenshot).

Paste the hash you copied and you get the BaseNetworkable offset.

From this offset we can find the networkable and list decrypts, as well as the entity loop chain.

For this you need to open IDA.
Open the calculator and enter our offset in decimal to get the hex value.

After that, we go back to IDA with the copied hex offset.
Enter 0x + your offset + get_imagebase() at the bottom, where the console is.

For convenience, and for the sake of the example, I will rename the offset to its name.

Go to the sub that is opposite it. Press F5 to decompile.
We see that BaseNetworkable is assigned to v1, and the first sub with v1 is our decrypt. 0xb8 is a static chain; 8LL changes.
Let's go to the first sub with v1 for the networkable decrypt.

We have found the networkable decrypt; now we will look for the list decrypt.

Since I reloaded IDA, the variable names have changed, but that doesn't matter. Let's go back to BaseNetworkable: under the sub where the decrypt is, there is another sub where v1 is used (now v5, since IDA was reloaded).

Go to this sub. We see a2 + 16 with a sub in front of it; that sub is our decrypt.

Go to it and get our list decrypt.

The same approach can be stretched to many offsets that are used in BaseNetworkable, but we will move on.

2. uint32_t decrypt (cl_active_item)

Open our dump and look for the BasePlayer class.

Look for clactiveitem (0x440 at the time of topic creation). There are brackets <>, and inside them is the encrypted value of itemid. For convenience I will rename it. Copy it.

Once it is copied, look for a method where it is used.

I'll take this method, copy its virtual address and paste it into the IDA console as-is, without adding anything.

Decompile it and get the decrypt.

Pay attention to what offset is used in the addition with a1, as you may find a different decrypt.

3. BasePlayer.(PlayerEyes, inventory)
Again go to the BasePlayer class and search in it for a method that uses PlayerEyes. I will take one such method.

Again copy the virtual address and go to IDA.
Compare the playerEyes offset with the one that is added to a1. If everything is correct, go to the sub.

And we get the decrypt.

The inventory works the same way as the eyes: look for a BasePlayer method where it is used, check it against the offset that is added to a1, and get the decrypt.

The rest of the BaseProjectile decrypts are found in the same way as for BaseNetworkable.