2018-09-25 MonkeyDev xm
2018-09-25 本文已影响18人
自由快挂
https://www.alonemonkey.com/2018/02/03/unity-reverse-ios/
unsigned char * (*old_decrypt_xxtea)(unsigned char *data,
uint32_t data_len,
unsigned char *key,
uint32_t key_len,
uint32_t *ret_length);
unsigned char * new_decrypt_xxtea(unsigned char *data,
uint32_t data_len,
unsigned char *key,
uint32_t key_len,
uint32_t *ret_length)
{
NSLog(@"hook decrypt xxtea %s", key);
return (*old_decrypt_xxtea)(data, data_len, key, key_len, ret_length);
}
%ctor
{
@autoreleasepool
{
unsigned long xxtea_point_stock = _dyld_get_image_vmaddr_slide(0) + 0x007ed5d7; // 这个地址是 Hopper 中找到的,可能不太正确。
MSHookFunction((void *)xxtea_point_stock, (void *)&new_decrypt_xxtea, (void **)&old_decrypt_xxtea);
}
}
但是出错了
[LUA-print] LUA ERROR: ?:100: attempt to call method 'decryptXXTEA' (a nil value)
[LUA-print]
stack traceback:
?:100: in function 'decryptXXTEA'
2018.09.26:
试一下 zlibVersion,祭出 IDA
image.png
unsigned long ptr = _dyld_get_image_vmaddr_slide(0) + 0x007E19A4;
const char * (*zv)() = (const char*(*)()) ptr;
NSLog(@"get zip version %s", zv());
//👍----------------insert dylib success----------------👍
// get zip version 1.2.5
// 没毛病,所以 xxtea 应该是 hopper 没有获取到正确的地址。
