没有做过多测试,了解方法即可!

用IDA高版本(到官方下载DEMO即可)加载 PLClient                                     
                                                                                   
由于是要解锁歌曲,所以用关键字 “song”、“lock” 等搜索函数列表,碰碰运气  (当然我之前用 GDB 调试过的,O(∩_∩)O~)
                                                                                   
找到如下可疑函数:                                                                 
                                                                                   
GamePlay::GameConfig::IsBuyedSong(int)                                             
GamePlay::MessageManager::IsSongDiffLock(int,GamePlay::EDiffcult)                  
GamePlay::MessageManager::IsSongDiffLockBought(int,GamePlay::EDiffcult)          
GamePlay::MessageManager::IsVIPInTheSong(int)                                      
                        
                                                                                   
目测应该是其中某个了,用 theos 一个个尝试,得出结论:
IsVIPInTheSong 函数 -- 将歌曲后面的图标由免费变成VIP -- 实际还是没解锁--放过   
IsSongDiffLock 函数 -- 没解锁                                                      
IsSongDiffLockBought -- 顺利解锁 --- 就是它了!                                    
                                                                                   
                                                                                   
所以 hook IsSongDiffLockBought 返回 1 即可。注意该函数的 mangled 符号带两个参数 (int, GamePlay::EDiffcult),hook 函数的签名应与之一致,否则第二个参数会被丢掉;另外 MSFindSymbol 找不到符号时返回 NULL,直接传给 MSHookFunction 会让游戏启动即崩溃,应先判空。

为了满足自己内心需要,你可以把上面几个全hook掉



/* 
**大师 IOS 2.3.2 歌曲解锁
By PiaoYun
http://www.dllhook.com
*/

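// --- Trampolines to the original implementations (filled in by MSHookFunction) ---
//
// All three targets are C++ instance methods: the hidden `this` pointer is the
// first argument and the mangled name lists only the explicit parameters. The
// return type is not part of the mangling; BOOL (one byte, like C++ bool) is
// what the original tweak assumed — TODO(review): confirm against the binary.
//
// No Objective-C method is replaced in this file, so no Logos %hook group is
// needed; everything here is plain C function hooking through Substrate.

// GamePlay::MessageManager::IsVIPInTheSong(int) — per the write-up this only
// switches the song's icon to "VIP"; it does not unlock anything by itself.
BOOL (*Kernel_GamePlay_MessageManager_IsVIPInTheSong)(void *self, int song);

// GamePlay::GameConfig::IsBuyedSong(int) — the "purchased" flag for a song.
BOOL (*Kernel_GamePlay_GameConfig_IsBuyedSong)(void *self, int song);

// GamePlay::MessageManager::IsSongDiffLockBought(int, GamePlay::EDiffcult)
// The mangled symbol hooked below (...EiNS_9EDiffcultE) carries TWO explicit
// arguments. The original tweak declared only the int, so the difficulty value
// was never forwarded explicitly; declaring the real signature makes the call
// into the trampoline well-defined. EDiffcult is an enum, assumed int-sized.
BOOL (*Kernel_GamePlay_MessageManager_IsSongDiffLockBought)(void *self, int song, int difficulty);

// Replacement for IsVIPInTheSong: runs the original (for whatever side effects
// it has) and then reports every song as VIP.
BOOL My_GamePlay_MessageManager_IsVIPInTheSong(void *self, int song)
{
	NSLog(@"into My_GamePlay_MessageManager_IsVIPInTheSong!!!!");
	Kernel_GamePlay_MessageManager_IsVIPInTheSong(self, song);
	return YES;
}

// Replacement for IsBuyedSong: runs the original and then reports every song
// as purchased.
BOOL My_GamePlay_GameConfig_IsBuyedSong(void *self, int song)
{
	NSLog(@"into My_GamePlay_GameConfig_IsBuyedSong!!!!");
	Kernel_GamePlay_GameConfig_IsBuyedSong(self, song);
	return YES;
}

// Replacement for IsSongDiffLockBought: this is the check that actually gates
// the song (the write-up found that forcing it is enough to unlock), i.e. the
// purchase state is decided entirely client-side and is trivially overridable.
// The difficulty argument is passed through to the original unchanged.
BOOL My_GamePlay_MessageManager_IsSongDiffLockBought(void *self, int song, int difficulty)
{
	NSLog(@"into My_GamePlay_MessageManager_IsSongDiffLockBought!!!!");
	Kernel_GamePlay_MessageManager_IsSongDiffLockBought(self, song, difficulty);
	return YES;
}

// Looks the mangled symbol up and installs the hook only when it is present.
// MSFindSymbol returns NULL for a stripped binary or a game version whose
// symbols differ; handing that NULL straight to MSHookFunction crashes the game
// at launch, so log and skip the hook instead.
//   symbol      – Mach-O symbol name, including the leading underscore
//   replacement – the My_* function to install
//   original    – receives the trampoline to the original implementation
static void HookSymbolIfPresent(const char *symbol, void *replacement, void **original)
{
	void *target = MSFindSymbol(NULL, symbol);
	if (target == NULL) {
		NSLog(@"symbol not found, hook skipped: %s", symbol);
		return;
	}
	MSHookFunction(target, replacement, original);
}

// Runs when the dylib is loaded into the game process; installs the three hooks.
// Symbol names must be the Mach-O names (leading "_" + Itanium "_Z..." mangling).
__attribute__((constructor)) void dylibMain()
{
	NSLog(@"inject success!!!!");
	HookSymbolIfPresent("__ZN8GamePlay14MessageManager14IsVIPInTheSongEi",
	                    (void *)My_GamePlay_MessageManager_IsVIPInTheSong,
	                    (void **)&Kernel_GamePlay_MessageManager_IsVIPInTheSong);
	HookSymbolIfPresent("__ZN8GamePlay10GameConfig11IsBuyedSongEi",
	                    (void *)My_GamePlay_GameConfig_IsBuyedSong,
	                    (void **)&Kernel_GamePlay_GameConfig_IsBuyedSong);
	HookSymbolIfPresent("__ZN8GamePlay14MessageManager20IsSongDiffLockBoughtEiNS_9EDiffcultE",
	                    (void *)My_GamePlay_MessageManager_IsSongDiffLockBought,
	                    (void **)&Kernel_GamePlay_MessageManager_IsSongDiffLockBought);
}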

