Unpacked a function from some il2cpp game:
public void RegisterOneFrameData(int index, ButtonType buttonType, float addScore, int addPower, int addCombo, JudgeNoteType noteType, NoteResultType result, NoteResultType adjustedResult, float rate, bool isSync);//3d89ec
Now I want to change the value passed in for one of this function's parameters (for example, have float rate always be passed as 1.4).
Found the offset address with IDA and looked at it:
.text:003D89EC ; int sub_3D89EC(int, float, int, int, int, float, int)
.text:003D89EC sub_3D89EC ; CODE XREF: .text:005348B4p
.text:003D89EC ; .text:00535FF4p ...
.text:003D89EC
.text:003D89EC var_48 = -0x48
.text:003D89EC var_44 = -0x44
.text:003D89EC var_40 = -0x40
.text:003D89EC var_3C = -0x3C
.text:003D89EC var_38 = -0x38
.text:003D89EC var_34 = -0x34
.text:003D89EC var_30 = -0x30
.text:003D89EC var_2C = -0x2C
.text:003D89EC arg_0 = 8
.text:003D89EC arg_4 = 0xC
.text:003D89EC arg_8 = 0x10
.text:003D89EC arg_C = 0x14
.text:003D89EC arg_10 = 0x18
.text:003D89EC arg_14 = 0x1C
.text:003D89EC arg_18 = 0x20
.text:003D89EC
.text:003D89EC STMFD SP!, {R4-R11,LR}
.text:003D89F0 ADD R11, SP, #0x1C
.text:003D89F4 SUB SP, SP, #4
.text:003D89F8 VPUSH {D8}
.text:003D89FC SUB SP, SP, #0x20
.text:003D8A00 MOV R5, R0
.text:003D8A04 LDR R0, =(_GLOBAL_OFFSET_TABLE_ - 0x3D8A18)
.text:003D8A08 LDR R6, =(unk_1D6A910 - 0x1D67AEC)
.text:003D8A0C MOV R4, R2
.text:003D8A10 ADD R0, PC, R0 ; _GLOBAL_OFFSET_TABLE_
.text:003D8A14 MOV R10, R1
.text:003D8A18 ADD R0, R6, R0 ; unk_1D6A910
.text:003D8A1C STR R3, [SP,#0x48+var_2C]
.text:003D8A20 LDRB R0, [R0,#(byte_1D6A98B - 0x1D6A910)]
.text:003D8A24 CMP R0, #1
.text:003D8A28 BEQ loc_3D8A50
.text:003D8A2C LDR R0, =(_GLOBAL_OFFSET_TABLE_ - 0x3D8A3C)
.text:003D8A30 LDR R1, =(off_1D35D54 - 0x1D67AEC) ; unsigned int
.text:003D8A34 ADD R7, PC, R0 ; _GLOBAL_OFFSET_TABLE_
.text:003D8A38 LDR R0, [R1,R7] ; unk_1B51580
.text:003D8A3C LDR R0, [R0] ; this
.text:003D8A40 BL j__ZN6il2cpp2vm13MetadataCache24InitializeMethodMetadataEj ; il2cpp::vm::MetadataCache::InitializeMethodMetadata(uint)
.text:003D8A44 ADD R0, R6, R7 ; unk_1D6A910
.text:003D8A48 MOV R1, #1
.text:003D8A4C STRB R1, [R0,#(byte_1D6A98B - 0x1D6A910)]
Then a lot of questions came up... Why does sub_3D89EC only have 7 parameters? Also, which step is the one that passes in the parameter rate...
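The question above asks why IDA shows seven parameters and where `rate` arrives. As an added example (not from the post), this script lays the posted C# signature out under the ARM32 AAPCS softfp convention the way IL2CPP emits instance methods (`this` first, hidden `const MethodInfo*` last); it assumes every parameter (int, enum, float, bool) occupies one 4-byte word.

```python
from typing import Dict, List, Tuple

# Constructed from the C# signature in the post: (name, C# type) in declared order.
REGISTER_ONE_FRAME_DATA: List[Tuple[str, str]] = [
    ("index", "int"), ("buttonType", "ButtonType"), ("addScore", "float"),
    ("addPower", "int"), ("addCombo", "int"), ("noteType", "JudgeNoteType"),
    ("result", "NoteResultType"), ("adjustedResult", "NoteResultType"),
    ("rate", "float"), ("isSync", "bool"),
]

CORE_ARG_REGS = 4  # AAPCS: R0-R3 carry the first four word-sized arguments.


def il2cpp_native_args(params, is_instance=True) -> List[Tuple[str, str]]:
    """IL2CPP emits an instance method as a C function taking `this` first
    and a hidden `const MethodInfo*` last (assumption stated in the lead-in)."""
    args = [("this", "Object*")] if is_instance else []
    args += list(params)
    args.append(("method", "const MethodInfo*"))
    return args


def layout_args(params, is_instance=True) -> Dict[str, str]:
    """Map each native argument to 'Rn' or an IDA-style 'arg_X' stack label.
    Assumes softfp: int, enum, float and bool each take one 4-byte slot, so
    floats travel in core registers / on the stack exactly like ints."""
    locations: Dict[str, str] = {}
    stack_off = 0
    for i, (name, _ty) in enumerate(il2cpp_native_args(params, is_instance)):
        if i < CORE_ARG_REGS:
            locations[name] = f"R{i}"
        else:
            # IDA names stack arguments by their offset from the first one
            # (arg_0). In this listing arg_0 sits 8 bytes above R11 because
            # STMFD pushed 9 registers and the prologue did ADD R11, SP, #0x1C.
            locations[name] = f"arg_{stack_off:X}"
            stack_off += 4
    return locations


def stack_slot_count(params, is_instance=True) -> int:
    """Number of arguments that arrive on the stack. IDA only labels slots it
    sees referenced, which is why the MethodInfo* slot (arg_1C) is unlabelled."""
    return sum(1 for loc in layout_args(params, is_instance).values()
               if loc.startswith("arg_"))


if __name__ == "__main__":
    for name, loc in layout_args(REGISTER_ONE_FRAME_DATA).items():
        print(f"{name:15s} -> {loc}")
```

Under these assumptions the result lines up with the listing: `this`, `index`, `buttonType` and `addScore` arrive in R0-R3 (the MOV R5/R10/R4 and STR R3 in the prologue), while `rate` is the `arg_14` stack slot and `isSync` is `arg_18`; IDA's "7 parameters" is just its heuristic type guess, not the real arity.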