Posted

This is the GetPrice function:

 

__text:001F6CFC
__text:001F6CFC                 PUSH            {R4-R7,LR}
__text:001F6CFE                 ADD             R7, SP, #0xC
__text:001F6D00                 PUSH.W          {R8,R10,R11}
__text:001F6D04                 SUB.W           SP, SP, #0x390
__text:001F6D08                 MOV             R11, R2
__text:001F6D0A                 MOV             R4, R1
__text:001F6D0C                 MOV             R6, R0
__text:001F6D0E                 BL              __ZL27SalesAgentStringsInitializev ; SalesAgentStringsInitialize(void)
__text:001F6D12                 MOVW            R0, #(:lower16:(aTuningdata - 0x1F6D28)) ; "TuningData"
__text:001F6D16                 MOVS            R2, #0  ; char *
__text:001F6D18                 MOVT.W          R0, #(:upper16:(aTuningdata - 0x1F6D28)) ; "TuningData"
__text:001F6D1C                 MOV             R1, #(aSniperTuningPr - 0x1F6D2A) ; "sniper/tuning/prices"
__text:001F6D24                 ADD             R0, PC  ; "TuningData"
__text:001F6D26                 ADD             R1, PC  ; "sniper/tuning/prices"
__text:001F6D28                 MOVS            R5, #0
__text:001F6D2A                 BL              __ZN9CachedDoc17RetrieveCachedDocEPKcS1_S1_ ; CachedDoc::RetrieveCachedDoc(char const*,char const*,char const*)
__text:001F6D2E                 CBZ             R0, loc_1F6D50
__text:001F6D30                 MOVW            R1, #(:lower16:(__ZTI9CachedDoc_ptr - 0x1F6D46))
__text:001F6D34                 MOVS            R3, #0
__text:001F6D36                 MOVT.W          R1, #(:upper16:(__ZTI9CachedDoc_ptr - 0x1F6D46))
__text:001F6D3A                 MOV             R2, #(__ZTI9PricesDoc_ptr - 0x1F6D48)
__text:001F6D42                 ADD             R1, PC ; __ZTI9CachedDoc_ptr
__text:001F6D44                 ADD             R2, PC ; __ZTI9PricesDoc_ptr
__text:001F6D46                 LDR             R1, [R1] ; `typeinfo for'CachedDoc
__text:001F6D48                 LDR             R2, [R2] ; `typeinfo for'PricesDoc
__text:001F6D4A                 BLX.W           ___dynamic_cast
__text:001F6D4E                 MOV             R5, R0
__text:001F6D50
__text:001F6D50 loc_1F6D50                              ; CODE XREF: SalesAgent::GetPrice(char const*,char const*,char const*,double)+32j
__text:001F6D50                 MOV             R0, R5  ; this
__text:001F6D52                 BL              __ZN12CachedObject10GetJSONMapEv ; CachedObject::GetJSONMap(void)
__text:001F6D56                 MOVW            R2, #(:lower16:(aData - 0x1F6D66)) ; "Data"
__text:001F6D5A                 MOV             R1, R0
__text:001F6D5C                 MOVT.W          R2, #(:upper16:(aData - 0x1F6D66)) ; "Data"
__text:001F6D60                 ADD             R0, SP, #0x3A8+var_54
__text:001F6D62                 ADD             R2, PC  ; "Data"
__text:001F6D64                 BL              __ZN7JSONMapixEPKc ; JSONMap::operator[](char const*)
__text:001F6D68                 MOVW            R0, #(:lower16:(_StringTable_ptr - 0x1F6D78))
__text:001F6D6C                 MOV             R1, R6  ; char *
__text:001F6D6E                 MOVT.W          R0, #(:upper16:(_StringTable_ptr - 0x1F6D78))
__text:001F6D72                 MOVS            R2, #1  ; bool
__text:001F6D74                 ADD             R0, PC ; _StringTable_ptr
__text:001F6D76                 LDR             R5, [R0] ; _StringTable
__text:001F6D78                 LDR             R0, [R5] ; this
__text:001F6D7A                 BL              __ZN12_StringTable6insertEPKcb ; _StringTable::insert(char const*,bool)
__text:001F6D7E                 MOV             R1, #(dword_D01260 - 0x1F6D8A)
__text:001F6D86                 ADD             R1, PC ; dword_D01260
__text:001F6D88                 LDR             R2, [R1]
__text:001F6D8A                 CMP             R0, R2
__text:001F6D8C                 BEQ             loc_1F6D9E
__text:001F6D8E                 LDR             R1, [R1,#(dword_D01274 - 0xD01260)]
__text:001F6D90                 CMP             R0, R1
__text:001F6D92                 BEQ             loc_1F6E0C
__text:001F6D94                 STR             R6, [SP,#0x3A8+var_3A0]
__text:001F6D96                 MOVS            R6, #0
__text:001F6D98                 STMEA.W         SP, {R5,R11}
__text:001F6D9C                 B               loc_1F6E7A
__text:001F6D9E ; ---------------------------------------------------------------------------

Posted

All you have to do is

 

MOV R0, #0 0x0020
BX LR 0x7047

Because what that is telling the GetPrice function to do is to just move zero into R0 (price) and then be done with the function.

Posted

All you have to do is

MOV R0, #0 0x0020
BX LR 0x7047

Because what that is telling the GetPrice function to do is to just move zero into R0 (price) and then be done with the function.

Thanks.

Posted

All you have to do is

 

MOV R0, #0 0x0020
BX LR 0x7047

Because what that is telling the GetPrice function to do is to just move zero into R0 (price) and then be done with the function.

@shmoo Big thanks, but it doesn't work :/

Only all my weapons are now unlocked, but they cost money/gold.

That is not my target

Posted

@shmoo Big thanks, but it doesn't work :/

Only all my weapons are now unlocked, but they cost money/gold.

That is not my target

Breakpoint that function and buy something and tell me if it hits.

Posted

Breakpoint that function and buy something and tell me if it hits.

And how to make a breakpoint in IDA? Sorry, it's my first time :dunno:

Posted

@z0ne @iOSv64 @shmoo

 

I got the breakpoint in GDB for:

MOV R0, #0 and BX LR

 

and now?...

When I switch to Kill Shot my phone freezes :/

No, in GDB you attach Kill Shot. So when ssh'ed into your phone:

gdb
<enter>
at nameofbinhere
<enter>
b *0x1f6d50 //start of the get price function
<enter>
c
<enter>
Then buy something. If your phone freezes when you buy something that means you have the right one but if not you don't.
