Travel Frog Unity Game Reverse Modification--iOS Edition

I wrote an article analyzing Android C# scripts before, mainly to pave the way for this article. Because iOS is now in IL2CPP mode, C# scripts have been converted to C code. So it would be much more difficult to analyze iOS alone. If you start with Android C# scripts, because iOS and Android scripts are the same, you can match the function names analyzed in Android to the C functions in iOS and then make hook modifications.

Extract ipa

First, extract the ipa package of Traveling Frog from the jailbroken device, and use frida-ios-dump to extract it with one click. Since it is a Japanese name, first list the name through ./dump.py -l, then copy the name or dump it through the bundle id.

IL2CPP symbol restoration

Since the unity game is compiled with the IL2CPP option, cpp code will be generated. You cannot see the functions and function names directly using IDA, and the strings used in the game are saved in the global-metadata.dat resource file. First, you need to restore the symbols of the corresponding c functions by extracting the strings in the global-metadata.dat file. There are also ready-made articles: Restoring symbols of unity games compiled with IL2CPP, and there are also threaded projects on github that do this Il2CppDumper. Download the release tool, run Il2CppDumper.exe and select the il2cpp executable file and global-metadata.dat file in turn, then select the Auto (Plus) mode, and the dump.cs file and script.py script will be generated. Use IDA to open the executable file and then use the script.py script to restore the symbols.

Makingmethodname...MakemethodnamedoneSettingString...SetstringdoneMakingfunction...Makefunctiondone, please wait forIDAtocomplete the analysisScriptfinish!

According to the function hook code

After restoration, you can hook the corresponding code according to the function name analyzed before. First, the number of clovers is obtained through SuperGameMaster.CloverPointStock(). Search CloverPointStock in IDA as follows:

Then you can directly hook this function. Since the inline hook is currently on a jailbroken machine, the solution for hooking a non-jailbroken machine will be discussed later. Use MonkeyDev to create a new Logos Tweak project, clear the contents of .xml and write the following content:

 #import#import#importint(*old_clover_point_stock)(void);intnew_clover_point_stock(void){return9999;}%ctor{ @autoreleasepool {unsignedlongclover_point_stock = _dyld_get_image_vmaddr_slide(0) +0x100093A2C; MSHookFunction((void*)clover_point_stock, (void*)&new_clover_point_stock, (void**)&old_clover_point_stock); }}

Then set the port and device password in build settings and then install it with command + b to see the effect. The same goes for other function hooks:

 #import#import#importint(*old_clover_point_stock)(void);intnew_clover_point_stock(void){return9999;} int (*old_ticket_stock)(void);intnew_ticket_stock(void){return9999;}void(*old_lotterycheck)(unsignedlongobj);voidnew_lotterycheck(unsignedlongobj){ *( int *)(obj +80) = rand() %4+1;}id(*old_new_clover_object)(intindex,idcloverData,idcloverObj,boolfourLeafFlag);idnew_new_clover_object(intindex,idcloverData,idcloverObj,boolfourLeafFlag){ fourLeafFlag = true ;returnold_new_clover_object( index ,cloverData,cloversObj,fourLeafFlag);}%ctor{@autoreleasepool{unsignedlongclover_point_stock = _dyld_get_image_vmaddr_slide(0) +0x100093A2C; MSHookFunction((void*)clover_point_stock, (void*)&new_clover_point_stock, (void**)&old_clover_point_stock);unsignedlongticket_stock = _dyld_get_image_vmaddr_slide(0) +0x100093AA4; MSHookFunction((void*)ticket_stock, (void*)&new_ticket_stock, (void**)&old_ticket_stock);unsignedlonglotterycheck = _dyld_get_image_vmaddr_slide(0) +0x100086CF4;        MSHookFunction((void*)lotterycheck, (void*)&new_lotterycheck, (void**)&old_lotterycheck); unsignedlongnew_clover_object = _dyld_get_image_vmaddr_slide(0) +0x100037100; MSHookFunction((void*)new_clover_object, (void*)&new_new_clover_object, (void**)&old_new_clover_object); }}

There is a function RaffelPanel$$LotteryCheck. To modify the value of result in it, we need to look at the position of result assignment according to the assembly or pseudo code. The pseudo code of this function obtained by F5 is as follows:

 __int64 __fastcall RaffelPanel__LotteryCheck(__int64 a1){
 __int64 v1; // x19
 __int64 v2; // x0
 __int64 v3; // x0
 int v4; // w20
 int v5; // w23
 signed int v6; // w24
 __int64 v7; // x0
 __int64 result; // x0
 v1 = a1;
  if ( !(byte_10137EDBB & 1) )
 {
 sub_100DEAD34(6810LL);
 byte_10137EDBB = 1;
  }v2 = qword_101439198;if( *(_BYTE *)(qword_101439198 +266) &1&& !*(_DWORD *)(qword_101439198 +188) ){
 sub_100DFF71C();
 v2 = qword_101439198;
 }if( !*(_QWORD *)(*(_QWORD *)(v2 +160) +192LL) )LABEL_17: sub_100DE28B4(); v3 = sub_1000FB954(); v4 = Random__Range_71094(0LL,0LL, v3,0LL); v5 =0; *(_DWORD *)(v1 +80) =0; this.result = Rank.White;//The default is white balls v6 = -1;while(1){
 v7 = qword_101439198;
    if ( *(_BYTE *)(qword_101439198 + 266) & 1 )
 {
      if ( !*(_DWORD *)(qword_101439198 + 188) )
 {
 sub_100DFF71C();
 v7 = qword_101439198;
      }}if( !*(_QWORD *)(*(_QWORD *)(v7 +160) +192LL) )gotoLABEL_17; result = sub_1000FB954(); v5 += result;if( v4 < v5 )//if (num < num2)break;if( ++v6 >=4) return result; } *(_DWORD *)(v1 +80) = v6 +1;//this.result = (Rank)i; return result;}

The position of *(_DWORD *)(v1 + 80) here is actually this.result, so just modify the value of the offset position 80.

Summarize

In summary, it is not easy to analyze the converted C code of the script in iOS. If you can restore the iOS symbols based on the results of the Android C# script analysis, you can directly hook the corresponding iOS function based on the function analyzed by Android to modify the parameters or values. However, this is still a hook on a jailbroken device, and then it will be explained that static hook operations can also be performed on non-jailbroken devices.