Required tools: IDA, APK, and ghost
Background: in CatWar2 the diamonds run out, and after the diamond count is changed with a modification tool, the count is automatically reset to 0.
Clue:
Search for bg_sysmsg; it is referenced in libhelloworld.so.
A .so file is a shared library, the Linux/Android equivalent of a .dll on Windows.
So open the library in IDA and search for bg_sysmsg with Alt+T.
After some observation, judging by the function names, the string appears in
ShopScene2::init(void)
during initialization; the function list then also contains ShopScene2::ShowSysMsg(int).
.text:000E864A MOVS R0, 0x3F800000
.text:000E864E BL _ZN7cocos2d11CCDelayTime18actionWithDurationEf ; cocos2d::CCDelayTime::actionWithDuration(float)
A delay is used here (0x3F800000 is the float 1.0f), which matches the prompt in the first screenshot disappearing after a moment, so this is the function that displays the message.
Search for references again. Entering the first referencing function, it calls a very suspicious function, WRIntEncrypt::Get(void):
BL _ZN12WRIntEncrypt3GetEv ; WRIntEncrypt::Get(void)
Let's look at all the functions of this class; this is what we are looking for.
Start with the constructor (note: R0 is the this pointer):
.text:000F1260 PUSH {R4-R6,LR}
.text:000F1262 MOVS R5, #0
.text:000F1264 STR R5, [R0]          ; +0 = 0
.text:000F1266 MOVS R4, R0           ; R4 = this
.text:000F1268 BLX lrand48
.text:000F126C STR R5, [R4,#8]       ; +8 = 0
.text:000F126E STR R0, [R4,#4]       ; +4 = random number 1
.text:000F1270 BLX lrand48
.text:000F1274 STR R0, [R4,#0xC]     ; +C = random number 2
.text:000F1276 STR R5, [R4,#0x10]    ; +10 = 0
.text:000F1278 MOVS R0, R4
.text:000F127A POP {R4-R6,PC}
So the class has five members. After initialization:
+0 0
+4 random number 1
+8 0
+C random number 2
+10 0
Now WRIntEncrypt::Set(int) (note: R1 is the parameter, the value to be set):
.text:000F1118 LDR R3, [R0,#4]       ; R3 = key1
.text:000F111A STR R1, [R0,#0x10]    ; +10 = value
.text:000F111C EORS R3, R1           ; R3 = value ^ key1
.text:000F111E STR R3, [R0]          ; +0 = value ^ key1
.text:000F1120 LDR R3, [R0,#0xC]     ; R3 = key2
.text:000F1122 EORS R1, R3           ; R1 = value ^ key2
.text:000F1124 STR R1, [R0,#8]       ; +8 = value ^ key2
.text:000F1126 BX LR
From here we can see:
+0 unencrypted value XOR random number 1
+4 random number 1
+8 unencrypted value XOR random number 2
+C random number 2
+10 unencrypted value
struct EncryptInt
{
    int eint1;   // encrypted value (realint ^ key1)
    int key1;    // random key
    int eint2;   // encrypted value (realint ^ key2)
    int key2;    // random key
    int realint; // the original value
};
That is, the game stores three copies of the value: two encrypted and one plain.
Now WRIntEncrypt::Get(void):
.text:000F120C PUSH {R4,LR}
.text:000F120E LDR R3, [R0,#EncryptInt]         ; R3 = eint1
.text:000F1210 LDR R2, [R0,#EncryptInt.key1]
.text:000F1212 LDR R1, [R0,#EncryptInt.key2]
.text:000F1214 MOVS R4, R0
.text:000F1216 EORS R2, R3                       ; R2 = eint1 ^ key1
.text:000F1218 LDR R3, [R0,#EncryptInt.eint2]
.text:000F121A EORS R3, R1                       ; R3 = eint2 ^ key2
.text:000F121C LDR R1, [R0,#EncryptInt.realint]
.text:000F121E MOVS R0, #1
.text:000F1220 CMP R3, R1                        ; decrypted copy 2 == realint?
.text:000F1222 BEQ loc_F123C
.text:000F1224 CMP R2, R3                        ; decrypted copy 1 == decrypted copy 2?
.text:000F1226 BEQ loc_F1246
.text:000F1228
.text:000F1228 loc_F1228 ; CODE XREF: WRIntEncrypt::Get(void)+38j
.text:000F1228           ; WRIntEncrypt::Get(void)+3Ej
.text:000F1228 MOVS R0, R4
.text:000F122A BL _ZN12WRIntEncrypt8CheatingEv   ; WRIntEncrypt::Cheating(void)
The decrypted copies are compared against the plain value; if they do not match, WRIntEncrypt::Cheating(void) is executed.
Now that the encryption is understood, it is easy to handle. Go back to the phone and find realint.
struct EncryptInt
{
    int eint1;
    int key1;
    int eint2;
    int key2;
    int realint;
};
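A Python model of the struct and of the constructor, Set and Get listings above, added here as an example (it is not code from the original post or from the game). The branch labels come from the Get listing; because loc_F123C and loc_F1246 are not shown, the model only reports which branch is taken, and it also lists which words a value search on the phone would hit.

```python
import random

# Member offsets recovered from the constructor and Set listings.
OFFSETS = {0x0: "eint1", 0x4: "key1", 0x8: "eint2", 0xC: "key2", 0x10: "realint"}


class WRIntEncrypt:
    """Model of the five-word EncryptInt struct from libhelloworld.so."""

    def __init__(self, key1=None, key2=None):
        # Constructor: +4 and +C come from lrand48(), the other three words are zeroed.
        # Fixed keys may be passed in so behaviour is reproducible; default is random.
        self.eint1 = 0
        self.key1 = random.getrandbits(31) if key1 is None else key1
        self.eint2 = 0
        self.key2 = random.getrandbits(31) if key2 is None else key2
        self.realint = 0

    def set(self, value):
        # Set(int): plaintext at +10, value ^ key1 at +0, value ^ key2 at +8.
        self.realint = value
        self.eint1 = value ^ self.key1
        self.eint2 = value ^ self.key2

    def get(self):
        """Mirror the two CMP/BEQ checks in Get(void).

        Returns (branch, value): the branch taken and the value the agreeing
        copies hold. The bodies of loc_F123C and loc_F1246 are not in the
        listing, so only the label is reported; the fall-through at loc_F1228
        is where Cheating() is called and no copies agree, so value is None.
        """
        d1 = self.eint1 ^ self.key1      # EORS R2, R3
        d2 = self.eint2 ^ self.key2      # EORS R3, R1
        if d2 == self.realint:           # CMP R3, R1 ; BEQ loc_F123C
            return "loc_F123C", self.realint
        if d1 == d2:                     # CMP R2, R3 ; BEQ loc_F1246
            return "loc_F1246", d2
        return "Cheating", None          # loc_F1228: BL WRIntEncrypt::Cheating(void)

    def words_equal_to(self, value):
        """Offsets a memory scanner hits when searching for the displayed number."""
        return [off for off, name in OFFSETS.items() if getattr(self, name) == value]
```

With random keys only the plain word at +10 normally equals the displayed number, so a search finds exactly the copy that the masked pair no longer agrees with once it is changed on its own.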
Then change eint1, eint2 and realint all to 0xFFFFFF, and key1 and key2 to 0; everything else stays unchanged.
This isn't APK DIY, but it's the only option. In the end it turned out that after quitting the game the diamonds were cleared again, so there are probably other verification points. Still, after modifying the diamonds and upgrading the hero you are basically invincible, which is enough.