Using TTX to analyze game cracking at multiple levels
I have been busy with work recently and have had no time to write articles. Today I came across a small game; after a quick analysis I wrote this article at noon.
There are already many articles on cracking China Mobile MM-billed games. If you have not read any of them, search for them yourself. Today we analyze a similar game, but this time from several angles at once. You are welcome to add approaches of your own to broaden the picture.
0x1: Game trial
I played the game for a while. There have been many games of this kind recently and the gameplay does not matter here, so go straight to the in-game shop.
Combine this with the directory structure of the decompiled APK:
From the package names alone you can guess that the in-app purchases go through China Mobile MM.
Checking the smali code then confirms that the in-app purchase uses the China Mobile MM payment SDK.
0x2: Analysis and cracking
Having identified the payment method, we can analyze how to crack it with a clear target.
Here, again, for reference:
China Mobile MM payment flow and SDK call method
Http://wenku.it168.com/d_001271444.shtm
Once the payment flow is understood, we can see where it might be attacked, that is, where a fraudulent payment (a purchase reported as successful without being charged) could be made.
This is covered in the following article and is not repeated here:
Http://www.52pojie.cn/thread-259909-1-1.html
We can then consider the following approaches:
① Modify the payment result directly: make a failed payment take the success path.
② Lock the status code that decides whether the payment succeeded, so that every payment reads as successful.
③ Modify the game's gold coins directly.
④ Modify the payment SMS.
0x3: Method 1: modify the payment result
As mentioned above, search for onBillingFinish, the callback the MM SDK invokes when a purchase finishes.
This first method is somewhat forced: when a payment fails, this callback still runs, just down a different branch. So we make the failure path execute the code for a successful order by modifying the conditional in the method.
Modify the corresponding smali code:
0x4: Method 2: lock the status code
While tracing the callers and callees of onBillingFinish, we found the getStatusCode()I method in PurchaseCode.smali and the getPurchasecode()I method in MessageInfo.smali. These are what define the payment status: success, failure, or cancelled.
In PurchaseCode.smali we find:
.field public static final WEAK_ORDER_OK:I = 0x3e9
This is the status code for a successfully paid order, the one China Mobile MM normally uses.
Both getStatusCode()I and getPurchasecode()I return an int, so we can simply make them return 0x3e9, that is, 1001, the value for a successful payment.
Save the changes, rebuild the APK, install it, and click the Buy button. The following is displayed:
Everything works with no SIM card inserted, so the modification is correct and no charge is ever made.
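Since the patch in this method is a mechanical rewrite of an int-returning smali method, here is a small script that does it safely. This is an added example, not code from the article or from the MM SDK: the class and field names in the embedded sample are constructed stand-ins, and the only value taken from the article is 0x3e9. The script refuses to patch unless exactly one method matches the signature, so an overload or a second class in the same file is not silently rewritten.

```python
import re
import sys

# Added example, not code from the original article. The class and field names
# in this sample are constructed stand-ins; the real PurchaseCode.smali and
# MessageInfo.smali from the MM SDK are not reproduced here.
WEAK_ORDER_OK = 0x3E9  # 1001, the MM SDK "order OK" status quoted in the article

SAMPLE_SMALI = """\
.class public Lcom/example/pay/MessageInfo;
.super Ljava/lang/Object;

.field private purchaseCode:I

.method public getPurchasecode()I
    .registers 2

    .prologue
    iget v0, p0, Lcom/example/pay/MessageInfo;->purchaseCode:I

    return v0
.end method

.method public getMessage()Ljava/lang/String;
    .registers 2

    .prologue
    const-string v0, "constructed sample"

    return-object v0
.end method
"""


def _method_pattern(method_sig: str) -> "re.Pattern":
    """Match one `.method ... <sig>` block; group `body` spans the lines between
    the .method directive and its `.end method`."""
    return re.compile(
        r"^\.method\b[^\n]*\b" + re.escape(method_sig) + r"[ \t]*\n"
        r"(?P<body>.*?)"
        r"^\.end method[ \t]*$",
        re.MULTILINE | re.DOTALL,
    )


def method_body(smali: str, method_sig: str) -> str:
    """Return the body of the named method (used to inspect a patch result)."""
    m = _method_pattern(method_sig).search(smali)
    if m is None:
        raise ValueError(f"{method_sig} not found")
    return m.group("body")


def force_int_return(smali: str, method_sig: str, value: int) -> str:
    """Replace the body of an int-returning method so it always returns `value`.

    Refuses to patch unless exactly one method matches, so an overload or a
    second class in the same file is not rewritten by accident.
    """
    if not method_sig.endswith(")I"):
        raise ValueError("only methods returning int ()I) are handled")
    if not -0x80000000 <= value <= 0x7FFFFFFF:
        raise ValueError("value must fit a 32-bit int")
    matches = list(_method_pattern(method_sig).finditer(smali))
    if len(matches) != 1:
        raise ValueError(f"expected exactly one {method_sig}, found {len(matches)}")
    m = matches[0]
    # .registers counts parameters too: p0 (this) lands in v1, leaving v0 free.
    new_body = (
        "    .registers 2\n"
        "\n"
        f"    # patched: always report {value:#x} ({value})\n"
        f"    const v0, {value:#x}\n"
        "    return v0\n"
    )
    return smali[: m.start("body")] + new_body + smali[m.end("body") :]


if __name__ == "__main__":
    # Usage: python patch_smali.py path/to/MessageInfo.smali 'getPurchasecode()I'
    path, sig = sys.argv[1], sys.argv[2]
    with open(path, encoding="utf-8") as f:
        src = f.read()
    with open(path, "w", encoding="utf-8") as f:
        f.write(force_int_return(src, sig, WEAK_ORDER_OK))
```

Run it once per file from the apktool output directory (PurchaseCode.smali with getStatusCode()I, MessageInfo.smali with getPurchasecode()I), then rebuild and re-sign the APK as usual.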
0x5: Method 3: modify the gold coins directly
Back in the onBillingFinish() method:
Follow it into the PopStar class:
Of course, several methods in this class lend themselves to cracking, such as:
the method that defines the number of coins purchased, that is, the quantity added after a successful purchase, and so on...
In short, PopStar.nativeAddCoin is a native method, so we look for the library it is implemented in:
System.loadLibrary("xinxin");
Load libxinxin.so into IDA and locate the JNI implementation of nativeAddCoin.
Most of us use IDA with the Hex-Rays decompiler, so just press F5.
In the decompiled code, note the useGameCoin method. Open it:
The comments here are mine and should make the logic clear; if not, F5 will show it.
getIntegerForKey returns the stored coin count in R0, and the next instruction is ADDS R0, R0, R6, so R0 = R0 + R6. The value to change is R0, the number of coins.
Looking at the bytes in the hex view: these are 16-bit Thumb instructions, so there is very little room for a large immediate and the patch is constrained.
So here is a simpler approach.
Replace BL getIntegerForKey with a direct assignment to R0, then turn the following ADDS R0, R0, R6 into a logical shift left of R0 (LSLS), which scales the assigned value up. (A Thumb MOVS immediate is only 8 bits, at most 255, which is why the shift is needed.)
The BL is 4 bytes, so we overwrite it with 00 00 09 20: 00 00 is MOVS R0, R0, which does nothing, and 09 20 is MOVS R0, #9, which assigns 9 to R0.
The ADDS is 2 bytes; we change it to 00 04, which is LSLS R0, R0, #0x10.
This completes the assignment to the coin count, like so:
Then patch the bytes in a hex editor: open the .so in 010 Editor or UltraEdit, press Ctrl+G to jump to the file offset of the instructions located in IDA (IDA shows the file offset in the status bar; it is not necessarily the same as the virtual address), modify and save, replace the original library with the patched one, and rebuild the APK.
Note: int a = 9; a = a << 0x10; so the coin count is locked to 589824.
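The byte values above follow directly from the Thumb-1 encodings, and they can be derived and checked in a script rather than by hand. The following is an added example, not code from the article: the sample bytes are a constructed stand-in for the region around the call in useGameCoin, not the real libxinxin.so, and the function and offset names are mine. It encodes MOVS R0, #imm8 and LSLS R0, R0, #imm5, verifies that the six bytes at the offset really are a BL followed by ADDS R0, R0, R6 before touching them, and generalizes the article's 9 << 16 choice to any target value expressible as imm8 << imm5.

```python
import struct
from typing import List, Tuple

# Added example, not from the original article. Thumb-1 16-bit encodings used here
# (ARM Architecture Reference Manual, Thumb instruction set):
#   MOVS Rd, #imm8       001 00 ddd iiiiiiii    -> 0x2000 | Rd<<8 | imm8
#   LSLS Rd, Rm, #imm5   000 00 iiiii mmm ddd   -> imm5<<6 | Rm<<3 | Rd  (imm5 == 0 is MOVS Rd, Rm)
#   ADDS Rd, Rn, Rm      000 11 00 mmm nnn ddd  -> 0x1800 | Rm<<6 | Rn<<3 | Rd
#   BL <label>           two halfwords: 11110 S imm10 ; 11 J1 1 J2 imm11
NOP_MOVS_R0_R0 = b"\x00\x00"  # LSLS R0, R0, #0 == MOVS R0, R0: harmless filler
ADDS_R0_R0_R6 = b"\x80\x19"   # 0x1980, the instruction the article overwrites


def enc_movs_r0(imm: int) -> bytes:
    """MOVS R0, #imm8. The 8-bit limit is why 589824 cannot be loaded directly."""
    if not 0 <= imm <= 0xFF:
        raise ValueError("MOVS immediate must fit in 8 bits")
    return struct.pack("<H", 0x2000 | imm)


def enc_lsls_r0(shift: int) -> bytes:
    """LSLS R0, R0, #imm5 (shift 0 degenerates to MOVS R0, R0, a no-op)."""
    if not 0 <= shift <= 31:
        raise ValueError("LSLS immediate must be 0..31")
    return struct.pack("<H", shift << 6)


def is_thumb_bl(four: bytes) -> bool:
    """True if the two halfwords form a Thumb BL (not BLX, whose second halfword has bit 12 clear)."""
    hw1, hw2 = struct.unpack("<HH", four)
    return (hw1 & 0xF800) == 0xF000 and (hw2 & 0xD000) == 0xD000


def split_value(target: int) -> Tuple[int, int]:
    """Find (imm8, shift) with imm8 << shift == target, using the largest shift that
    divides exactly so the immediate is as small as possible. 589824 -> (9, 16)."""
    if not 0 < target <= 0xFFFFFFFF:
        raise ValueError("target must be a positive 32-bit value")
    for shift in range(31, -1, -1):
        if target % (1 << shift) == 0 and (target >> shift) <= 0xFF:
            return target >> shift, shift
    raise ValueError(f"{target} is not representable as imm8 << imm5")


def patch_coin_value(blob: bytes, offset: int, target: int) -> bytes:
    """Rewrite `BL getIntegerForKey ; ADDS R0, R0, R6` at file offset `offset` into
    `MOVS R0, R0 ; MOVS R0, #imm8 ; LSLS R0, R0, #shift`, refusing to touch bytes
    that do not look like that six-byte sequence."""
    if offset % 2 or offset + 6 > len(blob):
        raise ValueError("offset must be halfword aligned and inside the blob")
    original = blob[offset:offset + 6]
    if not is_thumb_bl(original[:4]) or original[4:] != ADDS_R0_R0_R6:
        raise ValueError(f"unexpected bytes at {offset:#x}: {original.hex()}")
    imm, shift = split_value(target)
    patch = NOP_MOVS_R0_R0 + enc_movs_r0(imm) + enc_lsls_r0(shift)
    return blob[:offset] + patch + blob[offset + 6:]


def r0_after_patch(imm: int, shift: int) -> int:
    """Value left in R0 by the patched sequence (32-bit wrap, like the CPU)."""
    return (imm << shift) & 0xFFFFFFFF


def decode(hw: int) -> str:
    """Decode the few Thumb forms this patch touches, enough to compare with IDA."""
    if hw >> 11 == 0b00000:
        imm5, rm, rd = (hw >> 6) & 0x1F, (hw >> 3) & 7, hw & 7
        return f"MOVS R{rd}, R{rm}" if imm5 == 0 else f"LSLS R{rd}, R{rm}, #{imm5:#x}"
    if hw >> 11 == 0b00100:
        return f"MOVS R{(hw >> 8) & 7}, #{hw & 0xFF:#x}"
    if hw >> 9 == 0b0001100:
        return f"ADDS R{hw & 7}, R{(hw >> 3) & 7}, R{(hw >> 6) & 7}"
    return f".hword {hw:#06x}"


def listing(blob: bytes) -> List[str]:
    """Decode a halfword-aligned byte string instruction by instruction."""
    return [decode(hw) for (hw,) in struct.iter_unpack("<H", blob)]


# Constructed stand-in for the bytes around the call in useGameCoin (not the real
# libxinxin.so): PUSH {R4-R6,LR} ; BL <back 4 bytes> ; ADDS R0, R0, R6 ; POP {R4-R6,PC}
SAMPLE_CODE = bytes.fromhex("70b5" "fff7feff" "8019" "70bd")
PATCH_OFFSET = 2  # where the BL starts inside SAMPLE_CODE

if __name__ == "__main__":
    patched = patch_coin_value(SAMPLE_CODE, PATCH_OFFSET, 589824)
    print("before:", listing(SAMPLE_CODE))
    print("after: ", listing(patched), "-> R0 =", r0_after_patch(*split_value(589824)))
```

For the real library, read libxinxin.so into `blob`, pass the file offset taken from IDA's status bar, and write the returned bytes back; the pre-check fails loudly if the offset is off by even one halfword, which is the usual mistake when a virtual address is confused with a file offset.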
It remains to check when this method is called, that is, when the coin assignment actually runs.
Press X on the function in IDA to list its cross-references; there are 5 call sites, so it should be easy to trigger.
The items marked in red are the ones that cost gold coins. From the call sites we can see that the method is called when such an item is used, at which point the coin count is set to the value we defined.
0x6: Method 4: modify the SMS
This is not elaborated here: find the system's SMS-sending call, modify the message content and replace the sender.
For me it is easier to do this with a hook.
The related code is not difficult; after reading the earlier articles on hooking Java, it should be easy to write. I will not go into it further here; if you are interested, try it yourself.
Documents and related attachments:
Http://pan.baidu.com/s/1kTLwwDL