Work has been too busy lately to leave much time for articles. Today I ran into a small game and analyzed it, and I am using the lunch break to write it up.
It is a China Mobile MM game. We have written many articles on these before; anyone who has not seen them can search for them. Today we continue with a similar game, but this time we analyze it in several different ways at once. Readers are welcome to add new approaches and widen their thinking.
0x1: Game demo
Open the game and play for a while. There have been many games of this kind recently, and I do not much like playing them either, so we go straight to the shop.
Decompile the game and look at its folder structure:
A quick look at the game is enough to tell whether the in-app purchase uses China Mobile MM.
Then we briefly look at the Smali code ourselves and confirm that the in-app payment method is China Mobile MM.
0x2: Analysis and cracking
Having determined how the game handles payment, we can analyze in a targeted way where it can be cracked.
A supplementary reference:
China Mobile MM payment method and the related SDK calling method
Http://wenku.it168.com/d_001271444.shtm
By understanding its payment flow, we can test where there is a possibility of it being cracked, that is, of payment cheating.
This article already gives a simple explanation, so it is not repeated here:
Http://www.52pojie.cn/thread-259909-1-1.html
Then we can think of the following:
①. Change the payment result directly: replace the payment-failure branch with the payment-success method.
②. Lock the status code used to judge whether payment succeeded to the payment-success value.
③. Change the game coins directly.
④. Change the payment SMS.
0x3: The first payment cracking method
Still the same as above: search directly for onBillingFinish.
The first way is a bit far-fetched, but if the payment fails, the code here branches; we make it take the order-success path, that is, we change the conditional statement inside the method.
The corresponding Smali code can be changed accordingly.
0x4: Another approach: locking the status code
We trace the context of the onBillingFinish method and find that the getStatusCode()I method in PurchaseCode.smali and the getPurchaseCode()I method in MessageInfo.smali define the status of the payment code, that is, payment success, payment failure and payment cancelled.
In the PurchaseCode.smali file we find:
.field public static final WEAK_ORDER_OK:I = 0x3e9
This is the status code that defines a successful payment order. In China Mobile MM games, most of them use this one.
So we can see that the getStatusCode()I and getPurchaseCode()I methods return values of type int. We change the return value directly to 0x3e9, that is, the number 1001, which means the payment succeeded.
We save the changes, recompile, check it, and click the buy button. It prompts directly:
Tested in no-SIM mode, everything works, so we can be sure our change is correct and no charge is made.
0x5: Change coins directly
Through the onBillingFinish() method we get into this PopStar View:
Of course, there are many methods in this class, and many of them can support cracking, such as:
the one defining the number of coins purchased, that is, the quantity added after a successful purchase, and so on...
To cut a long story short, after we see the PopStar.nativeAddCoin method, which is a native method, we find the line above:
System.loadLibrary("xinxin");
Load libxinxin.so in IDA and navigate to the nativeAddCoin method.
Now that we are in IDA, the big guy has F5, so we just press F5.
Looking at the method here, we see the useGameCoin method. Open it to view:
I have added comments here, which make it very clear; if it is still not clear, pressing F5 also makes it obvious.
Because the return value of getIntegerForKey is in R0, and the second line of code below is r0 = r0 + r6, our key point is to change R0 here, that is, the number of coins.
Looking at the hex view of the binary, these are Thumb instructions, so what we can do is quite constrained.
So here is a thought: we can find a more convenient way.
That is, we overwrite the bl getIntegerForKey call directly, and at adds r0,r0,r6 we shift r0 left instead, so the value becomes larger.
Because the first bl takes 4 bytes, we overwrite it with 00 00 09 20: 00 00 is MOVS R0,R0, which does nothing, and 09 20 assigns the number 9 to r0.
Then the adds line, which is two bytes, is changed directly to xx, namely LSLS R0,R0,#0x10.
In this way we are done with the coin count value. For example:
Then we open the file in 010Editor or UltraEdit, press Ctrl+G to jump to the address we changed in IDA, apply the changes above, save, replace the library, and recompile.
Note: int a=9; a=a<<0x10; that is, the coins are locked to 589824.
One thing needs explaining here: when is this method called, so that our coin value takes effect?
Select this method in IDA and press X to view its cross-references. There are 5 call sites, so it should be very easy to trigger.
The red-marked item is the one that consumes coins. From the call sites we can see that the method is called here, so the coin amount becomes the value we defined.
0x6: Change SMS
There is not much to say here: find the system's send-SMS function, and replace the SMS content and the SMS recipient.
I used a hook to do the replacement directly, which is more convenient.
The relevant code is not difficult. Readers who have read my previous Java hook articles should find it very easy to write, so it is not written out here. If you are interested, try it yourself.
Documentation and related attachments:
Http://pan.baidu.com/s/1kTLwwDL