Travel Frog Unity Game Reverse Modification--iOS Edition

Travel Frog Unity Game Reverse Modification--iOS Edition

I wrote an article analyzing Android C# scripts before, mainly to pave the way for this article. Because iOS is now in IL2CPP mode, C# scripts have been converted to C code. So it would be much more difficult to analyze iOS alone. If you start with Android C# scripts, because iOS and Android scripts are the same, you can match the function names analyzed in Android to the C functions in iOS and then make hook modifications.

Extract ipa

First, extract the ipa package of Traveling Frog from the jailbroken device, and use frida-ios-dump to extract it with one click. Since it is a Japanese name, first list the name through ./dump.py -l, then copy the name or dump it through the bundle id.

IL2CPP symbol restoration

Since the unity game is compiled with the IL2CPP option, cpp code will be generated. You cannot see the functions and function names directly using IDA, and the strings used in the game are saved in the global-metadata.dat resource file. First, you need to restore the symbols of the corresponding c functions by extracting the strings in the global-metadata.dat file. There are also ready-made articles: Restoring symbols of unity games compiled with IL2CPP, and there are also threaded projects on github that do this Il2CppDumper. Download the release tool, run Il2CppDumper.exe and select the il2cpp executable file and global-metadata.dat file in turn, then select the Auto (Plus) mode, and the dump.cs file and script.py script will be generated. Use IDA to open the executable file and then use the script.py script to restore the symbols.

Makingmethodname...MakemethodnamedoneSettingString...SetstringdoneMakingfunction...Makefunctiondone, please wait forIDAtocomplete the analysisScriptfinish!

According to the function hook code

After restoration, you can hook the corresponding code according to the function name analyzed before. First, the number of clovers is obtained through SuperGameMaster.CloverPointStock(). Search CloverPointStock in IDA as follows:

Then you can directly hook this function. Since the inline hook is currently on a jailbroken machine, the solution for hooking a non-jailbroken machine will be discussed later. Use MonkeyDev to create a new Logos Tweak project, clear the contents of .xml and write the following content:

  1. #import#import#importint(*old_clover_point_stock)(void);intnew_clover_point_stock(void){return9999;}%ctor{ @autoreleasepool {unsignedlongclover_point_stock = _dyld_get_image_vmaddr_slide(0) +0x100093A2C; MSHookFunction((void*)clover_point_stock, (void*)&new_clover_point_stock, (void**)&old_clover_point_stock); }}

Then set the port and device password in build settings and then install it with command + b to see the effect. The same goes for other function hooks:

  1. #import#import#importint(*old_clover_point_stock)(void);intnew_clover_point_stock(void){return9999;} int (*old_ticket_stock)(void);intnew_ticket_stock(void){return9999;}void(*old_lotterycheck)(unsignedlongobj);voidnew_lotterycheck(unsignedlongobj){ *( int *)(obj +80) = rand() %4+1;}id(*old_new_clover_object)(intindex,idcloverData,idcloverObj,boolfourLeafFlag);idnew_new_clover_object(intindex,idcloverData,idcloverObj,boolfourLeafFlag){ fourLeafFlag = true ;returnold_new_clover_object( index ,cloverData,cloversObj,fourLeafFlag);}%ctor{@autoreleasepool{unsignedlongclover_point_stock = _dyld_get_image_vmaddr_slide(0) +0x100093A2C; MSHookFunction((void*)clover_point_stock, (void*)&new_clover_point_stock, (void**)&old_clover_point_stock);unsignedlongticket_stock = _dyld_get_image_vmaddr_slide(0) +0x100093AA4; MSHookFunction((void*)ticket_stock, (void*)&new_ticket_stock, (void**)&old_ticket_stock);unsignedlonglotterycheck = _dyld_get_image_vmaddr_slide(0) +0x100086CF4; MSHookFunction((void*)lotterycheck, (void*)&new_lotterycheck, (void**)&old_lotterycheck); unsignedlongnew_clover_object = _dyld_get_image_vmaddr_slide(0) +0x100037100; MSHookFunction((void*)new_clover_object, (void*)&new_new_clover_object, (void**)&old_new_clover_object); }}

There is a function RaffelPanel$$LotteryCheck. To modify the value of result in it, we need to look at the position of result assignment according to the assembly or pseudo code. The pseudo code of this function obtained by F5 is as follows:

  1. __int64 __fastcall RaffelPanel__LotteryCheck(__int64 a1){
  2. __int64 v1; // x19
  3. __int64 v2; // x0
  4. __int64 v3; // x0
  5. int v4; // w20
  6. int v5; // w23
  7. signed int v6; // w24
  8. __int64 v7; // x0
  9. __int64 result; // x0
  10. v1 = a1;
  11. if ( !(byte_10137EDBB & 1) )
  12. {
  13. sub_100DEAD34(6810LL);
  14. byte_10137EDBB = 1;
  15. }v2 = qword_101439198;if( *(_BYTE *)(qword_101439198 +266) &1&& !*(_DWORD *)(qword_101439198 +188) ){
  16. sub_100DFF71C();
  17. v2 = qword_101439198;
  18. }if( !*(_QWORD *)(*(_QWORD *)(v2 +160) +192LL) )LABEL_17: sub_100DE28B4(); v3 = sub_1000FB954(); v4 = Random__Range_71094(0LL,0LL, v3,0LL); v5 =0; *(_DWORD *)(v1 +80) =0; this.result = Rank.White;//The default is white balls v6 = -1;while(1){
  19. v7 = qword_101439198;
  20. if ( *(_BYTE *)(qword_101439198 + 266) & 1 )
  21. {
  22. if ( !*(_DWORD *)(qword_101439198 + 188) )
  23. {
  24. sub_100DFF71C();
  25. v7 = qword_101439198;
  26. }}if( !*(_QWORD *)(*(_QWORD *)(v7 +160) +192LL) )gotoLABEL_17; result = sub_1000FB954(); v5 += result;if( v4 < v5 )//if (num < num2)break;if( ++v6 >=4) return result; } *(_DWORD *)(v1 +80) = v6 +1;//this.result = (Rank)i; return result;}

The position of *(_DWORD *)(v1 + 80) here is actually this.result, so just modify the value of the offset position 80.

Summarize

In summary, it is not easy to analyze the converted C code of the script in iOS. If you can restore the iOS symbols based on the results of the Android C# script analysis, you can directly hook the corresponding iOS function based on the function analyzed by Android to modify the parameters or values. However, this is still a hook on a jailbroken device, and then it will be explained that static hook operations can also be performed on non-jailbroken devices.

<<:  Recommend some keys to improve iOS development efficiency

>>:  Some keys to improve iOS development efficiency

Recommend

Different ways to implement locks in Objective-C (Part 2)

Different ways to implement locks in Objective-C ...

oCPC costs remain high? Come and try this method!

When delivering information flow, especially runn...

Cross-platform and cross-device applications may become a hot topic

The popularity of mobile smart devices also bring...

Practical case analysis: How to deeply understand user growth

The concept of User Growth (UG) originated from t...

Analysis of APP PUSH mechanism

Push is defined as the act of a message sender de...

Bring KTV home, "Tianlai Karaoke" TV version of passionate experience

Nowadays, more and more young people may choose t...

Why can’t mobile phones be multi-tasked like computers?

The human brain seems to be naturally equipped wi...

SMMT: UK new car registrations fell 34.9% in June 2020

According to data released by the SMMT, new car r...

How to improve the conversion rate of APP landing page?

Landing page quality and user matching are two ke...

Did you know that many of the firsts in Chinese civilization came from Henan?

The earliest playable musical instrument, the ear...

How to use the media to create internet celebrity products?

Every company wants to build its own internet cel...

Weibo Advertising-A Customer Acquisition Guide for the Wedding Industry!

The wedding photography industry has different wa...