DeFexNN/NightcoreLiosImgui

# 🌙 NightcoreLios — ImGui Overlay 游戏增强套件 一个生产级的 Android Unity 游戏增强工具，包含 **Dear ImGui** 渲染 overlay、IL2CPP runtime 内省、Dobby inline hook、Zygisk/Magisk 模块注入，以及全面的反作弊绕过架构。 三种注入变体，一套代码库。使用 C++17 (NDK)、Java (Android SDK) 和 OpenGL ES 3.0 构建。 ## 理念 NightcoreLios 展示了复杂的 Android 游戏 修改的完整生命周期：从进程注入到 ImGui overlay 渲染，从 IL2CPP 符号解析到 100 多个反作弊补丁，从 Zygisk systemless 模块 到服务端身份验证。 该代码库被组织为一个 **单一共享核心**，具有三种注入 变体，证明了干净的架构允许相同的渲染引擎、 菜单系统和游戏逻辑通过不同的部署 机制来交付，而无需代码重复。 ## 三种注入变体 ``` ┌─────────────────────────────────────────────────────────────────┐ │ Shared Core │ │ │ │ ImGui Renderer · Menu UI · ESP Engine · Game Hacks │ │ IL2CPP Resolver · Memory Patches · Anti-Cheat Bypass │ │ Font Rendering · Theme Engine · Auth System │ └──────────────┬──────────────────────────────────────────────────┘ │ ┌─────────┼──────────┐ │ │ │ ┌────┴────┐ ┌──┴───┐ ┌───┴──────────┐ │INJECT │ │INJECT│ │MODULE_LIOS │ │LIOS │ │LITE │ │ │ │ │ │ │ │ │ │JNI_OnLoad│ │APK │ │Zygisk Module │ │APK-based│ │based │ │Magisk-based │ │Overlay │ │AES │ │Systemless │ │Activity │ │auth │ │dlopen hook │ └─────────┘ └──────┘ └──────────────┘ ``` ## 架构 ``` ┌──────────────────────────────────────────────────────────────┐ │ Injection Phase │ │ │ │ JNI_OnLoad / Zygisk → Auth → Poll libil2cpp.so │ │ │ │ │ ▼ │ │ Hook eglSwapBuffers (Dobby inline hook) │ │ Hook InputConsumer::initializeMotionEvent (touch capture) │ │ Hook RegisterNatives::nativeInjectEvent (Java input) │ │ offsets_load() → 100+ MemoryPatch + Il2Cpp method hooks │ └──────────────────────────────────────────────────────────────┘ │ ┌──────────────────────────────────────────────────────────────┐ │ Render Loop (every frame) │ │ │ │ eglSwapBuffers hook → │ │ ├── glInit() (one-time: ImGui context, fonts, theme) │ │ ├── LoadMenu() → build ImGui draw data │ │ │ ├── ESP Tab (box, skeleton, health, distance) │ │ │ ├── Weapon Tab (no recoil, fast shoot, bullet mag) │ │ │ ├── Player Tab (fly, speed, aimbot, auto-farm) │ │ │ └── Settings Tab (theme, save/load config) │ │ └── ImGui_ImplOpenGL3_RenderDrawData() → composite │ └──────────────────────────────────────────────────────────────┘ │ ┌──────────────────────────────────────────────────────────────┐ │ Game Manipulation │ │ │ │ Battle_Update hook → player tracking, damage logging │ │ PlayerController hook → fly, speed, sticky, stealth │ │ Gun hooks → no recoil, fast shoot, aim assist │ │ Vehicle hooks → fly car, speed boost │ │ Monster hooks → collision bypass, damage │ │ Builder hooks → force build, rotation control │ │ ~100 bypass hooks → CheatMgr, MailMgr, HeartBeat │ └──────────────────────────────────────────────────────────────┘ ``` ## 代码示例 ### eglSwapBuffers Hook — 每一帧注入 ImGui (C++) ``` EGLBoolean (*old_eglSwapBuffers)(EGLDisplay dpy, EGLSurface surface); EGLBoolean hook_eglSwapBuffers(EGLDisplay dpy, EGLSurface surface) { eglQuerySurface(dpy, surface, EGL_WIDTH, &glWidth); eglQuerySurface(dpy, surface, EGL_HEIGHT, &glHeight); if (!imguiInitialized) { glInit(); // one-time: ImGui::CreateContext, fonts, theme imguiInitialized = true; } // Start new ImGui frame ImGui_ImplOpenGL3_NewFrame(); ImGui_ImplAndroid_NewFrame(glWidth, glHeight); ImGui::NewFrame(); LoadMenu(); // build all ImGui UI elements ImGui::EndFrame(); ImGui::Render(); ImGui_ImplOpenGL3_RenderDrawData(ImGui::GetDrawData()); return old_eglSwapBuffers(dpy, surface); } ``` ### IL2CPP Runtime 内省 ``` // Resolve Unity IL2CPP functions dynamically — works across game updates void* resolve_il2cpp_function(const char* klass, const char* method, int args) { auto domain = r_il2cpp_domain_get(); auto assembly = r_il2cpp_domain_assembly_open(domain, "Assembly-CSharp"); auto image = r_il2cpp_assembly_get_image(assembly); Il2CppClass* clazz = r_il2cpp_class_from_name(image, "", klass); const MethodInfo* mi = r_il2cpp_class_get_method_from_name(clazz, method, args); return (void*)mi->methodPointer; } // Usage: auto update_fn = (UpdateFunc)resolve_il2cpp_function( "BattleWorld", "Update", 0); ``` ### Dobby Inline Hook 模式 ``` #include // Hook any function with signature-compatible replacement void* (*old_PlayerController_Update)(void* instance); void hook_PlayerController_Update(void* instance) { // Get player position, apply fly/speed/stealth modifications auto transform = Component_GetTransform(instance); auto position = Transform_GetPosition(transform); if (settings.fly) { position.y += flySpeed * deltaTime; Transform_SetPosition(transform, position); } if (settings.speed) { // Modify movement speed multiplier *speedPtr = speedMultiplier; } return old_PlayerController_Update(instance); } // Install hook DobbyHook(resolve_il2cpp_function("PlayerController", "Update", 1), (void*)hook_PlayerController_Update, (void**)&old_PlayerController_Update); ``` ### 反作弊绕过（系统化） ``` // Hook every anti-cheat traffic serialization method to empty stubs. // The game still thinks it's reporting — it just sends nothing. // Pattern: Hook C*_Serializer::Marshal → return without serializing #define ANTI_CHEAT_HOOK(name) \ DobbyHook(resolve_il2cpp_function("C" #name "Inspect", "OnInspIn", 1), \ (void*)dummy_bypass, (void**)&old_##name); ANTI_CHEAT_HOOK(Application) // CApplicationInspect::OnInspIn ANTI_CHEAT_HOOK(HeartBeat) // CHeartBeat::OnInspIn ANTI_CHEAT_HOOK(ReportRole) // CReportRoleCheating::OnInspIn ANTI_CHEAT_HOOK(CheckMemory) // memory integrity verification ANTI_CHEAT_HOOK(CheckRoot) // root detection bypass ANTI_CHEAT_HOOK(CheckEmulator) // emulator detection bypass // ... 100+ more void dummy_bypass(void* instance) { return; // literally nothing } ``` ### 带有自定义 Widget 的 ImGui 菜单 ``` #include "Garbage/Tabs.h" #include "Garbage/ColorPicker.h" static int currentTab = 0; void LoadMenu() { ImGui::SetNextWindowPos({50, 50}, ImGuiCond_FirstUseEver); ImGui::SetNextWindowSize({600, 400}, ImGuiCond_FirstUseEver); ImGui::Begin("NightcoreLios", nullptr, ImGuiWindowFlags_NoResize | ImGuiWindowFlags_NoCollapse); // Custom animated tab bar CustomTabs("ESP\0Weapon\0Player\0Vehicle\0Settings\0", ¤tTab); switch (currentTab) { case 0: // ESP ImGui::Checkbox("Box ESP", &settings.box); ImGui::Checkbox("Skeleton", &settings.skeleton); ImGui::Checkbox("Health Bar", &settings.healthBar); ImGui::ColorEdit3("Box Color", settings.boxColor); break; case 1: // Weapon ImGui::Checkbox("No Recoil", &settings.noRecoil); ImGui::Checkbox("Fast Shoot", &settings.fastShoot); ImGui::SliderFloat("Aim FOV", &settings.aimFov, 1, 360); break; // ... more tabs } ImGui::End(); } ``` ### ESP 渲染（World-to-Screen） ``` void DrawESP() { for (auto& player : players) { // World to screen transformation Vector2 screenPos; if (!WorldToScreen(player.position, screenPos)) continue; Vector2 headPos; WorldToScreen(player.position + Vector3(0, player.height, 0), headPos); float boxHeight = abs(screenPos.y - headPos.y); float boxWidth = boxHeight * 0.4f; if (settings.box) { DrawBox(screenPos.x - boxWidth/2, headPos.y, boxWidth, boxHeight, settings.boxColor); } if (settings.skeleton) { DrawSkeleton(player, settings.skeletonColor); } if (settings.healthBar) { DrawHealthBar(screenPos.x - boxWidth/2 - 4, headPos.y, boxHeight, player.health, player.maxHealth); } DrawText(screenPos.x, headPos.y - 10, player.name + " [" + std::to_string((int)player.distance) + "m]", settings.textColor); } } ``` ### Zygisk 模块入口点 ``` #include "zygisk.hpp" class MyModule : public zygisk::ModuleBase { public: void onLoad(Api* api, JNIEnv* env) override { this->api = api; env->GetJavaVM(&vm); } void preAppSpecialize(AppSpecializeArgs* args) override { auto dir = env->GetStringUTFChars(args->app_data_dir, nullptr); isTargetGame = strstr(dir, "com.herogame.gplay.lastdayrulessurvival"); env->ReleaseStringUTFChars(args->app_data_dir, dir); // Only inject into target game — no other app affected } void postAppSpecialize(const AppSpecializeArgs* args) override { if (!isTargetGame) return; std::thread(hack_thread).detach(); // start cheat logic } }; REGISTER_ZYGISK_MODULE(MyModule) ``` ## 功能矩阵 | 类别 | 功能 | 机制 | |----------|---------|-----------| | **ESP** | Box、Skeleton、Health Bar、Distance、Weapon | ImGui draw list、world-to-screen 数学计算 | | **Weapon** | No Recoil、Fast Shoot、Bullet Magnet、Aimbot | 通过 Il2Cpp 进行 Gun method hook | | **Player** | Fly、Speed、Sticky、Stealth、Auto-Farm | PlayerController Update hook | | **Vehicle** | Fly Vehicle、Speed Boost | VehicleMonitor Update hook | | **Building** | Force Build、Rotation Control | BuilderBehaviour hook | | **Monsters** | Collision Bypass、Damage Multiplier | MonsterController hook | | **Anti-Cheat** | 100 多个绕过补丁 | CheatMgr、MailMgr、HeartBeat hook stub | | **Auth** | Key 验证、HWID 绑定 | AES-CBC + PHP 后端 | | **UI** | 动画选项卡、颜色选择器、水印 | 自定义 ImGui widget | ## 技术栈 | 层级 | 技术 | |-------|-----------| | 语言 | **C++17** (NDK)、Java (Android SDK) | | UI | **Dear ImGui** (OpenGL ES 3.0 backend) | | Hook 引擎 | **Dobby** (inline hook)、Cydia Substrate | | 内存 | KittyMemory、`/proc/[pid]/maps`、`process_vm_readv` | | 注入 | JNI_OnLoad、Zygisk/Magisk 模块 | | 游戏引擎 | Unity + **IL2CPP** scripting backend | | Auth | libcurl + OpenSSL、AES-CBC | | 字符串保护 | 编译时 XOR (`OBFUSCATE.h`) | | 字体 | 内置 TTF（6 种字体，支持中文） | *"Overlay 世界。掌控游戏。"*

标签：Android逆向, IL2CPP, ImGui, Inline Hook, JS文件枚举, SSH蜜罐, 反作弊对抗, 客户端加密, 游戏外挂, 进程注入