没有做过多测试,了解方法即可!
用IDA高版本(到官方下载DEMO即可)加载 PLClient
由于是要解锁歌曲,所以用关键字“song、lock”等搜索函数列表,碰碰运气(当然我之前用GDB调试过的,O(∩_∩)O~)
找到如下可疑函数:
GamePlay::GameConfig::IsBuyedSong(int)
GamePlay::MessageManager::IsSongDiffLock(int,GamePlay::EDiffcult)
GamePlay::MessageManager::IsSongDiffLockBought(int,GamePlay::EDiffcult)
GamePlay::MessageManager::IsVIPInTheSong(int)
目测应该是其中某个了,用theos一个个尝试,得出结论:
IsVIPInTheSong 函数 -- 将歌曲后面的图标由免费变成VIP -- 实际还是没解锁--放过
IsSongDiffLock 函数 -- 没解锁
IsSongDiffLockBought -- 顺利解锁 --- 就是它了!
所以hook IsSongDiffLockBought 返回1即可
为了满足自己内心需要,你可以把上面几个全hook掉
/*
**大师 IOS 2.3.2 歌曲解锁
By PiaoYun
http://www.dllhook.com
*/
// Logos (Theos) tweak source. It installs three native function hooks with
// Cydia Substrate; each replacement logs, calls the original, discards the
// original's result and returns YES.
//
// NOTE(review): the accompanying write-up reports that forcing
// IsSongDiffLockBought to return true was enough to unlock content. That
// suggests the entitlement decision is made by a boolean predicate inside the
// client binary, reachable by its symbol name. For defenders the takeaway is
// to verify purchases server-side and not to ship symbol names for such checks.
//
// NOTE(review): no Objective-C method of AppDelegate is overridden inside this
// %hook group; it only wraps plain C declarations and functions.
%hook AppDelegate
// Enable VIP: receives the original IsVIPInTheSong implementation from MSHookFunction.
BOOL (*Kernel_GamePlay_MessageManager_IsVIPInTheSong)(void* self, int Value);
// Purchased flag: receives the original IsBuyedSong implementation.
BOOL (*Kernel_GamePlay_GameConfig_IsBuyedSong)(void* self, int Value);
// Unlock all songs: receives the original IsSongDiffLockBought implementation.
// NOTE(review): the mangled name hooked below ends in "EiNS_9EDiffcultE"
// (int, GamePlay::EDiffcult), but this pointer type declares a single int
// argument, so the declared signature does not match the hooked function.
BOOL (*Kernel_GamePlay_MessageManager_IsSongDiffLockBought)(void* self, int Value);
// NOTE(review): %new normally introduces an Objective-C method added to the
// hooked class; here it precedes a plain C function. Confirm how the Logos
// preprocessor treats this.
%new
// Replacement for GamePlay::MessageManager::IsVIPInTheSong(int).
// Logs the call, invokes the original and ignores its result, then returns YES.
BOOL My_GamePlay_MessageManager_IsVIPInTheSong(void* self, int Value)
{
NSLog(@"into My_GamePlay_MessageManager_IsVIPInTheSong!!!!");
Kernel_GamePlay_MessageManager_IsVIPInTheSong(self, Value);
return YES;
}
%new
// Replacement for GamePlay::GameConfig::IsBuyedSong(int).
// Logs the call, invokes the original and ignores its result, then returns YES.
BOOL My_GamePlay_GameConfig_IsBuyedSong(void* self, int Value)
{
NSLog(@"into My_GamePlay_GameConfig_IsBuyedSong!!!!");
Kernel_GamePlay_GameConfig_IsBuyedSong(self, Value);
return YES;
}
%new
// Replacement for GamePlay::MessageManager::IsSongDiffLockBought.
// Logs the call, invokes the original with (self, Value) only and ignores its
// result, then returns YES.
BOOL My_GamePlay_MessageManager_IsSongDiffLockBought(void* self, int Value)
{
NSLog(@"into My_GamePlay_MessageManager_IsSongDiffLockBought!!!!");
Kernel_GamePlay_MessageManager_IsSongDiffLockBought(self, Value);
return YES;
}
// Marked as a constructor, so it runs when the dylib is loaded. It looks up
// each target by its mangled C++ symbol name and installs the replacement,
// storing the original entry point in the matching Kernel_* pointer.
__attribute__((constructor)) void dylibMain()
{
NSLog(@"inject success!!!!");
// MSFindSymbol is given NULL as the image, so the lookup is not limited to one binary.
// NOTE(review): none of the MSFindSymbol results is checked for NULL before
// being passed to MSHookFunction.
MSHookFunction(((void*)MSFindSymbol(NULL, "__ZN8GamePlay14MessageManager14IsVIPInTheSongEi")),(void*)My_GamePlay_MessageManager_IsVIPInTheSong, (void**)&Kernel_GamePlay_MessageManager_IsVIPInTheSong);
MSHookFunction(((void*)MSFindSymbol(NULL, "__ZN8GamePlay10GameConfig11IsBuyedSongEi")),(void*)My_GamePlay_GameConfig_IsBuyedSong, (void**)&Kernel_GamePlay_GameConfig_IsBuyedSong);
MSHookFunction(((void*)MSFindSymbol(NULL, "__ZN8GamePlay14MessageManager20IsSongDiffLockBoughtEiNS_9EDiffcultE")),(void*)My_GamePlay_MessageManager_IsSongDiffLockBought, (void**)&Kernel_GamePlay_MessageManager_IsSongDiffLockBought);
}
%end