
HackedGlory

Vainglory reverse-engineering notes, tooling, captures, and protocol research archive

Install / Use: /learn @a1cnore/HackedGlory

Quality Score: 0/100

Supported Platforms: Universal

README

HackedGlory

HackedGlory is a reverse-engineering archive and tooling workspace for the final iOS release of Vainglory (GameKindred v4.13.4). The repository combines static analysis, runtime interception, protocol decoding, and targeted unlock work to document how the client behaved and which systems were disabled in the Community Edition build.

Community updates: EU Discord


Project Overview

This repository exists to preserve and extend technical understanding of the final Vainglory client. It contains:

  • Ghidra-based static reverse-engineering notes and automation
  • MITM and TCP interception tooling for controlled traffic capture
  • protocol decoders, schema extractors, and analysis scripts
  • generated reports, inventories, and decoded match artifacts
  • unlock libraries for iOS and Android experiments

The repository is best understood as a research archive rather than a polished product. The strongest results currently documented here are:

  • the Community Edition gate architecture and its disabled feature surface
  • the in-match protocol decryption and message analysis
  • the menu/UI event system and hidden panel flows
  • the inferred JSON-RPC platform surface used by the client
  • the iOS unlock path and the Android offset-verification effort

CE Gate Analysis

The Community Edition gate is one of the most important findings in this repository.

Static analysis shows that Vainglory CE relies on a single master gate function, FUN_100131560, whose body is a hardcoded return 1. That gate is reached by 164 BL instructions in 92 distinct calling functions, which makes it the central mechanism for disabling or hiding large portions of the original client. The practical result is that CE is not merely a content-reduced build; it is a build with broad feature suppression spread across UI registration, data-loading paths, profile views, progression surfaces, and menu visibility logic.

This matters because it explains why many systems still exist in the binary and can be partially restored with targeted hooks, yet cannot be safely re-enabled by patching the gate itself: flipping its return value activates every gated path at once. Some of those paths only need a visibility or registration bypass. Others depend on data-population paths, backend responses, or object layouts that also changed between builds.
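What the call-site census behind those numbers looks like in code, as an added example that is not part of this repository. The project's Ghidra scripts walk Ghidra's real cross-references; this stand-alone Python scanner instead does a linear sweep for A64 BL encodings over a small constructed image, attributes each hit to its enclosing function, and checks that the gate body is the `mov w0, #1; ret` shape a hardcoded return 1 compiles to. Only the gate address FUN_100131560 comes from the page; the base address, caller positions, byte contents and the `gate_census` name are made up for the demo.

```python
import struct
from bisect import bisect_right
from collections import defaultdict

# Fixed A64 encodings (architectural constants, not project data)
BL_MASK, BL_OPCODE = 0xFC000000, 0x94000000   # BL: 100101 | imm26 (word offset)
MOV_W0_1 = 0x52800020                         # MOVZ W0, #1
RET = 0xD65F03C0                              # RET

def bl_target(pc, insn):
    """Absolute branch target of a BL instruction located at pc."""
    imm26 = insn & 0x03FFFFFF
    if imm26 & (1 << 25):                     # sign-extend the 26-bit field
        imm26 -= 1 << 26
    return pc + imm26 * 4

def encode_bl(pc, target):
    """Inverse of bl_target; used only to assemble the constructed sample image."""
    return BL_OPCODE | (((target - pc) // 4) & 0x03FFFFFF)

def is_constant_true_stub(text, base, addr):
    """True if the function at addr is exactly `mov w0, #1; ret`, the gate shape
    the page describes (a hardcoded return 1)."""
    return struct.unpack_from("<2I", text, addr - base) == (MOV_W0_1, RET)

def find_call_sites(text, base, func_starts, target):
    """Linear sweep for BL instructions that land on target. Each hit is attributed
    to the enclosing function by binary search over the sorted function starts.
    Returns {caller_start: [site_address, ...]}."""
    starts = sorted(func_starts)
    sites = defaultdict(list)
    for off in range(0, len(text) - 3, 4):
        insn = struct.unpack_from("<I", text, off)[0]
        if insn & BL_MASK != BL_OPCODE:
            continue
        pc = base + off
        if bl_target(pc, insn) != target:
            continue
        idx = bisect_right(starts, pc) - 1
        sites[starts[idx] if idx >= 0 else None].append(pc)
    return dict(sites)

def gate_census(text, base, func_starts, gate):
    """The figures the CE gate analysis reports: stub shape, BL site count,
    distinct caller count."""
    sites = find_call_sites(text, base, func_starts, gate)
    return {"stub": is_constant_true_stub(text, base, gate),
            "call_sites": sum(len(v) for v in sites.values()),
            "callers": len(sites)}

def build_sample_image():
    """Constructed image: a gate stub at the page's FUN_100131560 plus three callers.
    Base address, caller positions and every byte are made up for the demo."""
    base, gate, other = 0x100131000, 0x100131560, 0x100131700
    text = bytearray(0x800)                    # zero words never decode as BL
    callers = {0x100131000: 2, 0x100131100: 1, 0x100131200: 0}   # start -> BLs to gate
    for start, n in callers.items():
        words = [encode_bl(start + 4 * i, gate if i < n else other) for i in range(3)]
        struct.pack_into("<4I", text, start - base, *words, RET)
    struct.pack_into("<2I", text, gate - base, MOV_W0_1, RET)
    struct.pack_into("<I", text, other - base, RET)
    return bytes(text), base, sorted(callers) + [gate, other], gate
```

On a real binary the caveats are the same ones the page's own workflow avoids by using Ghidra: a linear sweep can misread inline data as a BL, and calls that go through function-pointer tables (the Android RELRO case mentioned later) never show up as direct BL sites at all, so the cross-reference view is the authoritative one.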

What Appears To Be Gated

  • Sidebar and tab registration for Academy, Party, Social, and related panels
  • Bag sub-tabs, including trophies and season-related UI
  • Profile surfaces, including ranked tabs, stats tabs, and fuller profile layouts
  • Leaderboard visibility and associated navigation paths
  • Guild, team, and social feature paths
  • Progression, reward, chest, market, and season displays
  • Party, matchmaking, queue, and play-mode UI flows
  • Spectate and replay related paths

What Can Currently Be Unlocked

  • Sidebar panels can be restored for Academy, Party, and Social
  • Trophy-related UI can be reintroduced into the bag/sidebar flow
  • The full profile card can be re-enabled, including ICE, Glory, Opals, Karma, level shield, and XP bar
  • Ranked and stats-related profile surfaces can be exposed
  • Leaderboard-related UI visibility can be forced for inspection
  • Social and profile-adjacent features can be surfaced far beyond the stock CE presentation

What Remains Constrained

  • A direct patch of the master gate is not a safe universal fix; too many dependent paths activate at once
  • Some restored UI still depends on backend data that the CE client never requests
  • Some profile and trophy flows require targeted hooks into population or layout functions, not just visibility bypasses
  • Android offset work is still mixed between confirmed targets and items that need additional Ghidra verification

For the full function-level breakdown, hook inventory, and next-step analysis, see reports/ce_gate_analysis.md and reports/trophy_investigation_summary.md.

Current Restored Surfaces

The screenshots below show some of the UI that can now be surfaced or inspected through the current unlock work.

<p> <img src="images/trophy.png" alt="Trophy UI Screenshot" width="32%"> <img src="images/leaderboard.png" alt="Leaderboard UI Screenshot" width="32%"> <img src="images/friendlist.png" alt="Social UI Screenshot" width="32%"> </p> <p> <img src="images/IMG_8323.PNG" alt="Academy Screenshot" width="32%"> <img src="images/IMG_8324.PNG" alt="Party Screenshot" width="32%"> <img src="images/IMG_8325.PNG" alt="Profile Screenshot" width="32%"> </p> <p> <img src="images/IMG_8326.PNG" alt="Ranked Screenshot" width="32%"> <img src="images/IMG_8327.PNG" alt="Stats Screenshot" width="32%"> <img src="images/IMG_8328.PNG" alt="Sidebar Screenshot" width="32%"> </p>

Additional Major Findings

Platform Surface

The client strongly appears to use HTTPS JSON-RPC for authentication, session bootstrap, profile, social, party, guild, inventory, and content flows. The repository includes inferred method surfaces, extracted field clusters, and machine-generated protocol artifacts. A good starting point is reports/vainglory_static_report.md.

In-Match Protocol

The in-match transport has been substantially decoded. The current best explanation, documented in reports/protocol_decryption_writeup.md, is:

  • 2-byte big-endian framing on the TCP stream
  • Blowfish ECB encryption
  • per-match key derivation using MD5(salt + match_id)
  • ARM64 little-endian word-order handling in the client implementation
  • a large decoded opcode surface with working packet analysis and match summaries

This result was derived primarily from static reverse engineering, then verified against captured match traffic.

Some older notes in the repository describe earlier hypotheses about the match transport. When protocol documents disagree, treat reports/protocol_decryption_writeup.md as the current best explanation.
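The transport description above, carried through as an added example that is not the repository's decoder. It frames a TCP byte stream on the 2-byte big-endian length prefix, derives the per-match key as MD5(salt + match_id), and runs Blowfish in ECB mode with a byte swap on each 32-bit half to model the ARM64 little-endian word-order detail. Blowfish is implemented from scratch: its P-array and S-boxes are the hex digits of pi, so they are computed with Machin's formula instead of being pasted in. Assumptions not stated on the page are marked in the code: the raw 16-byte digest is the key (not its hex form), the length prefix covers only the ciphertext, plaintext is zero-padded to the block size, the word-order quirk means little-endian uint32 halves, and the salt, match id and opcode layout in the sample capture are constructed.

```python
import functools, hashlib, struct

MASK32 = 0xFFFFFFFF

@functools.lru_cache(maxsize=None)
def _pi_words(nwords, guard=16):
    """First nwords words of pi's fractional hex digits (Machin's formula, fixed
    point); Blowfish's initial P-array and S-boxes are exactly the first 1042."""
    digits = nwords * 8 + guard
    scale = 1 << (4 * digits)
    def atan_inv(x):                     # arctan(1/x) * scale, alternating series
        total, term, k, sign = 0, scale // x, 1, 1
        while term:
            total += sign * (term // k)
            term //= x * x
            k, sign = k + 2, -sign
        return total
    hexs = format(16 * atan_inv(5) - 4 * atan_inv(239) - 3 * scale, "x").zfill(digits)
    return tuple(int(hexs[i:i + 8], 16) for i in range(0, nwords * 8, 8))

class Blowfish:
    """Textbook Blowfish: 8-byte block = two big-endian 32-bit halves; ECB only."""
    def __init__(self, key):
        if not 4 <= len(key) <= 56:
            raise ValueError("key must be 4..56 bytes")
        w = _pi_words(18 + 4 * 256)
        self.P = list(w[:18])
        self.S = [list(w[18 + 256 * i:18 + 256 * (i + 1)]) for i in range(4)]
        j = 0
        for i in range(18):                          # XOR the key into P, cyclically
            chunk = 0
            for _ in range(4):
                chunk, j = (chunk << 8) | key[j], (j + 1) % len(key)
            self.P[i] ^= chunk
        l = r = 0                                    # regenerate P and S by encryption
        for box in [self.P] + self.S:
            for i in range(0, len(box), 2):
                l, r = self._enc(l, r)
                box[i], box[i + 1] = l, r
    def _f(self, x):
        S = self.S
        return ((((S[0][x >> 24] + S[1][(x >> 16) & 0xFF]) & MASK32)
                 ^ S[2][(x >> 8) & 0xFF]) + S[3][x & 0xFF]) & MASK32
    def _enc(self, l, r):
        for i in range(16):
            l ^= self.P[i]
            r ^= self._f(l)
            l, r = r, l
        return r ^ self.P[17], l ^ self.P[16]       # undo last swap, final whitening
    def _dec(self, l, r):
        for i in range(17, 1, -1):
            l ^= self.P[i]
            r ^= self._f(l)
            l, r = r, l
        return r ^ self.P[0], l ^ self.P[1]
    def block(self, b, decrypt=False):
        """Encrypt or decrypt one 8-byte block."""
        halves = struct.unpack(">II", b)
        return struct.pack(">II", *(self._dec if decrypt else self._enc)(*halves))

def match_key(salt, match_id):
    """Per-match key MD5(salt + match_id); assumed to be the raw 16-byte digest."""
    return hashlib.md5(salt + match_id).digest()

def _swap_words(b):
    """Byte-swap each 32-bit word. Assumed reading of the ARM64 little-endian word
    order: the client loads halves as little-endian uint32, so swap in and out."""
    return b"".join(b[i:i + 4][::-1] for i in range(0, len(b), 4))

def ecb_le(cipher, data, decrypt):
    if len(data) % 8:
        raise ValueError("not a whole number of 8-byte blocks")
    return b"".join(_swap_words(cipher.block(_swap_words(data[i:i + 8]), decrypt))
                    for i in range(0, len(data), 8))

def split_frames(stream):
    """2-byte big-endian length prefix per frame (assumed to cover ciphertext only).
    Returns (complete frames, unconsumed tail) so a partial frame waits for more data."""
    frames, pos = [], 0
    while pos + 2 <= len(stream):
        n = struct.unpack_from(">H", stream, pos)[0]
        if pos + 2 + n > len(stream):
            break
        frames.append(stream[pos + 2:pos + 2 + n])
        pos += 2 + n
    return frames, stream[pos:]

def decode_stream(stream, salt, match_id):
    cipher = Blowfish(match_key(salt, match_id))
    frames, rest = split_frames(stream)
    return [ecb_le(cipher, f, decrypt=True) for f in frames], rest

def build_sample_stream(salt, match_id):
    """Constructed capture: two frames of made-up opcode+payload plus a cut-off third;
    zero padding to the block size is an assumption, not a documented rule."""
    cipher, out = Blowfish(match_key(salt, match_id)), b""
    for m in (struct.pack("<H", 0x42) + b"hero-move", struct.pack("<H", 0x07) + b"ping"):
        body = ecb_le(cipher, m + bytes(-len(m) % 8), decrypt=False)
        out += struct.pack(">H", len(body)) + body
    return out + out[:5]
```

`decode_stream(build_sample_stream(salt, match_id), salt, match_id)` returns the two padded plaintexts and the 5-byte tail of the incomplete frame. If a real capture decrypts to garbage with this code, the word-swap interpretation is the first thing to revisit: try dropping `_swap_words` on one side or the other before questioning the key derivation, since the cipher itself is checked against the standard all-zero test vector.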

Menu And UI Control

The repository also documents the E.V.I.L. engine menu/UI system: event hashing, panel switching, localization lookups, data-loading paths, and how leaderboard/friends/profile surfaces are wired through the client. See reports/menu_ui_control_guide.md.

Ghidra Reverse Engineering Workflow

Ghidra is the main static-analysis backbone for this repository.

The scripts/ directory contains automation used to inspect the iOS GameKindred binary and the Android libGameKindred.so port. These scripts were used to map vtables, trace UI flows, identify feature-gate consumers, extract RPC-adjacent schema clues, follow profile/trophy/sidebar control paths, and recover Android RELRO-backed function-pointer offsets.

What The Ghidra Work Produced

  • CE gate mapping from the master gate to 92 gated functions and 164 call sites
  • UI event and panel-flow tracing for profile, sidebar, leaderboard, and social screens
  • protocol tracing that led to the Blowfish/MD5 match-transport result
  • RPC and field extraction reports under reports/generated/
  • Android offset verification helpers under scripts/android/

Representative Script Categories

  • GhidraMenuUIAnalysis.java, GhidraSidebarTrace.java, GhidraSidebarGates.java
  • GhidraProfile*.java, GhidraTrophy*.java, GhidraVisibilityGates.java
  • GhidraMatchProtocol.java, GhidraGameConnect.java, GhidraRpcSchemaExtractor.java
  • Android scripts such as GhidraFindNavRefresh.java, GhidraFindSetTabVisible.java, and GhidraAndroidRelroScan.java

Static Analysis Versus Runtime Work

The repository separates discovery from activation:

  • static Ghidra analysis identifies code paths, structures, gates, and candidate hook points
  • runtime tooling in mitm/ captures traffic and validates hypotheses
  • unlock libraries in mitm/vg_unlock/ and mitm/vg_unlock_android/ apply targeted hooks based on those findings

This distinction matters because many of the most valuable results here, including the CE gate map and match-protocol derivation, were first established statically before being exercised in controlled runtime setups.

Repository Layout

reports/

Long-form findings, subsystem investigations, generated inventories, and decoded protocol artifacts.

High-value entry points:

GitHub stars: 20
Forks: 2
Category: Education
Updated: 5h ago

Languages: Java

Security Score: 75/100

Audited on Apr 9, 2026. No findings.