Help/Support In The Ball Park but cant find my seat (IDA Edit)

Kilmnar · June 27, 2015

I've finally had enough time to sit down and finish my attempt to hack this game....finally got my GDB working again...and now i'm a bit lost. Basically I was aiming for a Spend Some/Get Some kind of thing but at this point i'd even take just loading all the currency in..

GDB pointed me to this offset string where the end result of my currency is being set.

I didn't really want to bother the Set Point plus a lot of the strings didnt seem editable in my favor( I could be wrong)

I looked at the only tutorial i could find on here for actually finding the offset you need to edit but in this case it wasnt helpful.( though it was for my other game)

should i post the entire function for some one to analyze or just the main strings around this?

ipaarchive.com · June 27, 2015

yeah full function because this offset is wrong

Kilmnar · June 27, 2015

yeah full function because this offset is wrong

alright give me a seconds to pull it up...thanks...

yeah full function because this offset is wrong

var_4C = -0x4C

var_48 = -0x48

var_34 = -0x34

var_30 = -0x30

var_2C = -0x2C

var_28 = -0x28

var_24 = -0x24

var_18 = -0x18

__text:00257160

__text:00257160 PUSH {R4-R7,LR}

__text:00257162 ADD R7, SP, #0xC

__text:00257164 PUSH.W {R8,R10,R11}

__text:00257168 SUB.W R4, SP, #0x40

__text:0025716C BIC.W R4, R4, #0xF

__text:00257170 MOV SP, R4

__text:00257172 VST1.64 {D8-D11}, [R4@128]!

__text:00257176 VST1.64 {D12-D15}, [R4@128]

__text:0025717A SUB SP, SP, #0x50

__text:0025717C MOV R4, R0

__text:0025717E MOV R0, R1

__text:00257180 BL _cJSON_Parse

__text:00257184 MOV R5, R0

__text:00257186 MOV R0, #(___gxx_personality_sj0_ptr - 0x257194)

__text:0025718E LDR R1, =(GCC_except_table49_10 - 0x257196)

__text:00257190 ADD R0, PC ; ___gxx_personality_sj0_ptr

__text:00257192 ADD R1, PC ; GCC_except_table49_10

__text:00257194 LDR R0, [R0] ; ___gxx_personality_sj0

__text:00257196 STR R0, [sP,#0x68+var_34]

__text:00257198 ADD R0, SP, #0x68+var_4C

__text:0025719A STR R1, [sP,#0x68+var_30]

__text:0025719C LDR R1, =(sub_257258 - 0x2571AC)

__text:0025719E STR R7, [sP,#0x68+var_2C]

__text:002571A0 ORR.W R1, R1, #1

__text:002571A4 STR.W SP, [sP,#0x68+var_24]

__text:002571A8 ADD R1, PC ; sub_257258

__text:002571AA STR R1, [sP,#0x68+var_28]

__text:002571AC BLX.W __Unwind_SjLj_Register

__text:002571B0 CMP R5, #0

__text:002571B2 BEQ loc_25723C

__text:002571B4 MOVW R2, #(:lower16:(aResult - 0x2571C6)) ; "result"

__text:002571B8 ADD R6, SP, #0x68+var_58

__text:002571BA MOVT.W R2, #(:upper16:(aResult - 0x2571C6)) ; "result"

__text:002571BE MOV.W R0, #0xFFFFFFFF

__text:002571C2 ADD R2, PC ; "result"

__text:002571C4 STR R0, [sP,#0x68+var_48]

__text:002571C6 MOV R0, R6

__text:002571C8 MOV R1, R5

__text:002571CA STR R5, [sP,#0x68+var_5C]

__text:002571CC BL __Z13GetJSONStringP5cJSONPKc ; GetJSONString(cJSON *,char const*)

__text:002571D0 MOVS R0, #1

__text:002571D2 STR R0, [sP,#0x68+var_48]

__text:002571D4 ADD.W R0, R4, #8

__text:002571D8 MOV R1, R6

__text:002571DA STR R4, [sP,#0x68+var_60]

__text:002571DC BLX.W __ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEaSERKS5_ ; std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>>::operator=(std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> const&)

__text:002571E0 LDRB.W R0, [sP,#0x68+var_58]

__text:002571E4 TST.W R0, #1

__text:002571E8 BEQ loc_2571EE

__text:002571EA LDR R0, [sP,#0x68+var_50]

__text:002571EC B loc_2571F4

__text:002571EE ; ---------------------------------------------------------------------------

__text:002571EE

__text:002571EE loc_2571EE ; CODE XREF: sVCSpendMsgData::ParseData(char const*,CMaterial *)+88j

__text:002571EE ADD R0, SP, #0x68+var_58

__text:002571F0 ORR.W R0, R0, #1

__text:002571F4

__text:002571F4 loc_2571F4 ; CODE XREF: sVCSpendMsgData::ParseData(char const*,CMaterial *)+8Cj

__text:002571F4 LDR R4, [sP,#0x68+var_5C]

__text:002571F6 MOV R1, #(aSuccess_1 - 0x257202) ; "success"

__text:002571FE ADD R1, PC ; "success"

__text:00257200 BLX.W _strcasecmp

__text:00257204 CBNZ R0, loc_257236

__text:00257206 MOVW R1, #(:lower16:(aBalance - 0x257216)) ; "balance"

__text:0025720A MOVS R0, #2

__text:0025720C MOVT.W R1, #(:upper16:(aBalance - 0x257216)) ; "balance"

__text:00257210 STR R0, [sP,#0x68+var_48]

__text:00257212 ADD R1, PC ; "balance"

__text:00257214 MOV R0, R4

__text:00257216 MOVS R2, #1

__text:00257218 BL __Z10GetJSONIntP5cJSONPKcb ; GetJSONInt(cJSON *,char const*,bool)

__text:0025721C MOV R1, #(__ZN10CGameWorld12s_pGameWorldE_ptr - 0x25722A)

__text:00257224 LDR R2, [sP,#0x68+var_60]

__text:00257226 ADD R1, PC ; __ZN10CGameWorld12s_pGameWorldE_ptr

__text:00257228 LDR R1, [R1] ; CGameWorld::s_pGameWorld

__text:0025722A STR R0, [R2,#4]

__text:0025722C LDR R1, [R1]

__text:0025722E LDR.W R1, [R1,#0x134]

__text:00257232 STR.W R0, [R1,#0x3E8]

__text:00257236

__text:00257236 loc_257236 ; CODE XREF: sVCSpendMsgData::ParseData(char const*,CMaterial *)+A4j

__text:00257236 ADD R0, SP, #0x68+var_58

__text:00257238 BLX.W __ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEED1Ev ; std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>>::~basic_string()

__text:0025723C

__text:0025723C loc_25723C ; CODE XREF: sVCSpendMsgData::ParseData(char const*,CMaterial *)+52j

__text:0025723C ADD R0, SP, #0x68+var_4C

__text:0025723E BLX.W __Unwind_SjLj_Unregister

__text:00257242 ADD R4, SP, #0x68+var_18

__text:00257244 VLD1.64 {D8-D11}, [R4@128]!

__text:00257248 VLD1.64 {D12-D15}, [R4@128]

__text:0025724C SUB.W R4, R7, #-var_18

MOV SP, R4

POP.W {R8,R10,R11}

POP {R4-R7,PC}

End of function sVCSpendMsgData::ParseData(char const*,CMaterial *)

AnotherLurker · June 27, 2015

@@Kilmnar is that not sub_x ?

Kilmnar · June 27, 2015

Yea it is

@@Kilmnar is that not sub_x ?

It is

ipaarchive.com · June 27, 2015

Yea it is

It is

its the wrong function

but you can edit some things here already..

Updated June 27, 2015 by iOSv64

Kilmnar · June 27, 2015

That's what I was thinking when I started browsing the functions but my GDB kept sending me there

its the wrong function

but you can edit some things here already..

In what way would I be able to tell I'm in the right function if my GDB directs me to this one every time?

ipaarchive.com · June 27, 2015

That's what I was thinking when I started browsing the functions but my GDB kept sending me there

In what way would I be able to tell I'm in the right function if my GDB directs me to this one every time?

do you have aslr on or off?