Travel Frog Unity Game Reverse Modification--iOS Edition

Travel Frog Unity Game Reverse Modification--iOS Edition

I wrote an article analyzing Android C# scripts before, mainly to pave the way for this article. Because iOS is now in IL2CPP mode, C# scripts have been converted to C code. So it would be much more difficult to analyze iOS alone. If you start with Android C# scripts, because iOS and Android scripts are the same, you can match the function names analyzed in Android to the C functions in iOS and then make hook modifications.

Extract ipa

First, extract the ipa package of Traveling Frog from the jailbroken device, and use frida-ios-dump to extract it with one click. Since it is a Japanese name, first list the name through ./dump.py -l, then copy the name or dump it through the bundle id.

IL2CPP symbol restoration

Since the unity game is compiled with the IL2CPP option, cpp code will be generated. You cannot see the functions and function names directly using IDA, and the strings used in the game are saved in the global-metadata.dat resource file. First, you need to restore the symbols of the corresponding c functions by extracting the strings in the global-metadata.dat file. There are also ready-made articles: Restoring symbols of unity games compiled with IL2CPP, and there are also threaded projects on github that do this Il2CppDumper. Download the release tool, run Il2CppDumper.exe and select the il2cpp executable file and global-metadata.dat file in turn, then select the Auto (Plus) mode, and the dump.cs file and script.py script will be generated. Use IDA to open the executable file and then use the script.py script to restore the symbols.

Makingmethodname...MakemethodnamedoneSettingString...SetstringdoneMakingfunction...Makefunctiondone, please wait forIDAtocomplete the analysisScriptfinish!

According to the function hook code

After restoration, you can hook the corresponding code according to the function name analyzed before. First, the number of clovers is obtained through SuperGameMaster.CloverPointStock(). Search CloverPointStock in IDA as follows:

Then you can directly hook this function. Since the inline hook is currently on a jailbroken machine, the solution for hooking a non-jailbroken machine will be discussed later. Use MonkeyDev to create a new Logos Tweak project, clear the contents of .xml and write the following content:

  1. #import#import#importint(*old_clover_point_stock)(void);intnew_clover_point_stock(void){return9999;}%ctor{ @autoreleasepool {unsignedlongclover_point_stock = _dyld_get_image_vmaddr_slide(0) +0x100093A2C; MSHookFunction((void*)clover_point_stock, (void*)&new_clover_point_stock, (void**)&old_clover_point_stock); }}

Then set the port and device password in build settings and then install it with command + b to see the effect. The same goes for other function hooks:

  1. #import#import#importint(*old_clover_point_stock)(void);intnew_clover_point_stock(void){return9999;} int (*old_ticket_stock)(void);intnew_ticket_stock(void){return9999;}void(*old_lotterycheck)(unsignedlongobj);voidnew_lotterycheck(unsignedlongobj){ *( int *)(obj +80) = rand() %4+1;}id(*old_new_clover_object)(intindex,idcloverData,idcloverObj,boolfourLeafFlag);idnew_new_clover_object(intindex,idcloverData,idcloverObj,boolfourLeafFlag){ fourLeafFlag = true ;returnold_new_clover_object( index ,cloverData,cloversObj,fourLeafFlag);}%ctor{@autoreleasepool{unsignedlongclover_point_stock = _dyld_get_image_vmaddr_slide(0) +0x100093A2C; MSHookFunction((void*)clover_point_stock, (void*)&new_clover_point_stock, (void**)&old_clover_point_stock);unsignedlongticket_stock = _dyld_get_image_vmaddr_slide(0) +0x100093AA4; MSHookFunction((void*)ticket_stock, (void*)&new_ticket_stock, (void**)&old_ticket_stock);unsignedlonglotterycheck = _dyld_get_image_vmaddr_slide(0) +0x100086CF4; MSHookFunction((void*)lotterycheck, (void*)&new_lotterycheck, (void**)&old_lotterycheck); unsignedlongnew_clover_object = _dyld_get_image_vmaddr_slide(0) +0x100037100; MSHookFunction((void*)new_clover_object, (void*)&new_new_clover_object, (void**)&old_new_clover_object); }}

There is a function RaffelPanel$$LotteryCheck. To modify the value of result in it, we need to look at the position of result assignment according to the assembly or pseudo code. The pseudo code of this function obtained by F5 is as follows:

  1. __int64 __fastcall RaffelPanel__LotteryCheck(__int64 a1){
  2. __int64 v1; // x19
  3. __int64 v2; // x0
  4. __int64 v3; // x0
  5. int v4; // w20
  6. int v5; // w23
  7. signed int v6; // w24
  8. __int64 v7; // x0
  9. __int64 result; // x0
  10. v1 = a1;
  11. if ( !(byte_10137EDBB & 1) )
  12. {
  13. sub_100DEAD34(6810LL);
  14. byte_10137EDBB = 1;
  15. }v2 = qword_101439198;if( *(_BYTE *)(qword_101439198 +266) &1&& !*(_DWORD *)(qword_101439198 +188) ){
  16. sub_100DFF71C();
  17. v2 = qword_101439198;
  18. }if( !*(_QWORD *)(*(_QWORD *)(v2 +160) +192LL) )LABEL_17: sub_100DE28B4(); v3 = sub_1000FB954(); v4 = Random__Range_71094(0LL,0LL, v3,0LL); v5 =0; *(_DWORD *)(v1 +80) =0; this.result = Rank.White;//The default is white balls v6 = -1;while(1){
  19. v7 = qword_101439198;
  20. if ( *(_BYTE *)(qword_101439198 + 266) & 1 )
  21. {
  22. if ( !*(_DWORD *)(qword_101439198 + 188) )
  23. {
  24. sub_100DFF71C();
  25. v7 = qword_101439198;
  26. }}if( !*(_QWORD *)(*(_QWORD *)(v7 +160) +192LL) )gotoLABEL_17; result = sub_1000FB954(); v5 += result;if( v4 < v5 )//if (num < num2)break;if( ++v6 >=4) return result; } *(_DWORD *)(v1 +80) = v6 +1;//this.result = (Rank)i; return result;}

The position of *(_DWORD *)(v1 + 80) here is actually this.result, so just modify the value of the offset position 80.

Summarize

In summary, it is not easy to analyze the converted C code of the script in iOS. If you can restore the iOS symbols based on the results of the Android C# script analysis, you can directly hook the corresponding iOS function based on the function analyzed by Android to modify the parameters or values. However, this is still a hook on a jailbroken device, and then it will be explained that static hook operations can also be performed on non-jailbroken devices.

<<:  Recommend some keys to improve iOS development efficiency

>>:  Some keys to improve iOS development efficiency

Recommend

Traffic surges during the epidemic, how to place online advertisements?

In the Internet age, advertisements are everywher...

4 new media writing suggestions that you may need!

The popularity of WeChat has also brought about a...

How to develop a new market and implement marketing strategy?

What do we base our marketing plan on when develo...

The 6 core components of fission marketing!

Many activities seem to have been done, and time ...

Integrated marketing communication full case skills!

Let me first summarize it in a brief outline. A c...

10 basic skills necessary for operating Douyin

Douyin became a huge hit like a bolt from the blu...

What is MBA: Website Optimization Work Plan

The following are the methods and steps for makin...

Anemia, what are the misunderstandings about iron supplementation

Iron is an important essential trace element for ...