Help/Support How to make everything free (free store) in IDA for Kill Shot?

NotEriic · July 14, 2015

This is the GetPrice function:

__text:001F6CFC
__text:001F6CFC                 PUSH            {R4-R7,LR}
__text:001F6CFE                 ADD             R7, SP, #0xC
__text:001F6D00                 PUSH.W          {R8,R10,R11}
__text:001F6D04                 SUB.W           SP, SP, #0x390
__text:001F6D08                 MOV             R11, R2
__text:001F6D0A                 MOV             R4, R1
__text:001F6D0C                 MOV             R6, R0
__text:001F6D0E                 BL              __ZL27SalesAgentStringsInitializev ; SalesAgentStringsInitialize(void)
__text:001F6D12                 MOVW            R0, #(:lower16:(aTuningdata - 0x1F6D28)) ; "TuningData"
__text:001F6D16                 MOVS            R2, #0 ; char *
__text:001F6D18                 MOVT.W          R0, #(:upper16:(aTuningdata - 0x1F6D28)) ; "TuningData"
__text:001F6D1C                 MOV             R1, #(aSniperTuningPr - 0x1F6D2A) ; "sniper/tuning/prices"
__text:001F6D24                 ADD             R0, PC ; "TuningData"
__text:001F6D26                 ADD             R1, PC ; "sniper/tuning/prices"
__text:001F6D28                 MOVS            R5, #0
__text:001F6D2A                 BL              __ZN9CachedDoc17RetrieveCachedDocEPKcS1_S1_ ; CachedDoc::RetrieveCachedDoc(char const*,char const*,char const*)
__text:001F6D2E                 CBZ             R0, loc_1F6D50
__text:001F6D30                 MOVW            R1, #(:lower16:(__ZTI9CachedDoc_ptr - 0x1F6D46))
__text:001F6D34                 MOVS            R3, #0
__text:001F6D36                 MOVT.W          R1, #(:upper16:(__ZTI9CachedDoc_ptr - 0x1F6D46))
__text:001F6D3A                 MOV             R2, #(__ZTI9PricesDoc_ptr - 0x1F6D48)
__text:001F6D42                 ADD             R1, PC ; __ZTI9CachedDoc_ptr
__text:001F6D44                 ADD             R2, PC ; __ZTI9PricesDoc_ptr
__text:001F6D46                 LDR             R1, [R1] ; `typeinfo for'CachedDoc
__text:001F6D48                 LDR             R2, [R2] ; `typeinfo for'PricesDoc
__text:001F6D4A                 BLX.W           ___dynamic_cast
__text:001F6D4E                 MOV             R5, R0
__text:001F6D50
__text:001F6D50 loc_1F6D50                              ; CODE XREF: SalesAgent::GetPrice(char const*,char const*,char const*,double)+32j
__text:001F6D50                 MOV             R0, R5 ; this
__text:001F6D52                 BL              __ZN12CachedObject10GetJSONMapEv ; CachedObject::GetJSONMap(void)
__text:001F6D56                 MOVW            R2, #(:lower16:(aData - 0x1F6D66)) ; "Data"
__text:001F6D5A                 MOV             R1, R0
__text:001F6D5C                 MOVT.W          R2, #(:upper16:(aData - 0x1F6D66)) ; "Data"
__text:001F6D60                 ADD             R0, SP, #0x3A8+var_54
__text:001F6D62                 ADD             R2, PC ; "Data"
__text:001F6D64                 BL              __ZN7JSONMapixEPKc ; JSONMap::operator[](char const*)
__text:001F6D68                 MOVW            R0, #(:lower16:(_StringTable_ptr - 0x1F6D78))
__text:001F6D6C                 MOV             R1, R6 ; char *
__text:001F6D6E                 MOVT.W          R0, #(:upper16:(_StringTable_ptr - 0x1F6D78))
__text:001F6D72                 MOVS            R2, #1 ; bool
__text:001F6D74                 ADD             R0, PC ; _StringTable_ptr
__text:001F6D76                 LDR             R5, [R0] ; _StringTable
__text:001F6D78                 LDR             R0, [R5] ; this
__text:001F6D7A                 BL              __ZN12_StringTable6insertEPKcb ; _StringTable::insert(char const*,bool)
__text:001F6D7E                 MOV             R1, #(dword_D01260 - 0x1F6D8A)
__text:001F6D86                 ADD             R1, PC ; dword_D01260
__text:001F6D88                 LDR             R2, [R1]
__text:001F6D8A                 CMP             R0, R2
__text:001F6D8C                 BEQ             loc_1F6D9E
__text:001F6D8E                 LDR             R1, [R1,#(dword_D01274 - 0xD01260)]
__text:001F6D90                 CMP             R0, R1
__text:001F6D92                 BEQ             loc_1F6E0C
__text:001F6D94                 STR             R6, [sP,#0x3A8+var_3A0]
__text:001F6D96                 MOVS            R6, #0
__text:001F6D98                 STMEA.W         SP, {R5,R11}
__text:001F6D9C                 B               loc_1F6E7A
__text:001F6D9E ; ---------------------------------------------------------------------------

July 14, 2015

All you have to do is

MOV R0, #0 0x0020
BX LR 0x7047

Because what that is telling the GetPrice function to do is to just move zero into R0 (price) and then be done with the function.

@

cu_rry · July 14, 2015

All you have to do is
MOV R0, #0 0x0020
BX LR 0x7047
Because what that is telling the GetPrice function to do is to just move zero into R0 (price) and then be done with the function.@

Thanks.

NotEriic · July 15, 2015

All you have to do is
MOV R0, #0 0x0020
BX LR 0x7047
Because what that is telling the GetPrice function to do is to just move zero into R0 (price) and then be done with the function.
@

@shmoo Big Thanks, but it doenst work

Only all my Weapons are now unlocked but they costs money/ gold.

That is not my target

July 15, 2015

@shmoo Big Thanks, but it doenst work

Only all my Weapons are now unlocked but they costs money/ gold.

That is not my target

Breakpoint that function and buy something and tell me if it hits.

ipaarchive.com · July 15, 2015

nvm

Updated July 15, 2015 by iOSv64

NotEriic · July 15, 2015

Breakpoint that function and buy something and tell me if it hits.

And how to mke a Break Point in IDA? Sorry its my first Time

castix · July 15, 2015

And how to mke a Break Point in IDA? Sorry its my first Time

In GDB

NotEriic · July 16, 2015

@z0ne @iOSv64 @@shmoo

I got the Break Point in GDB for:

MOV R0, #0 and BX LR

and now?...

When i switch to Kil SHot my Phone Freeze

July 17, 2015

@z0ne @iOSv64 @@shmoo

I got the Break Point in GDB for:

MOV R0, #0 and BX LR

and now?...

When i switch to Kil SHot my Phone Freeze

no, in GDB you attach Kill Shot. So when ssh'ed into your phone:

gdb
<enter>
at nameofbinhere
<enter>
b *0x1f6d50 //start of the get price function
<enter>
c
<enter>

Then buy something. If your phone freezes when you buy something that means you have the right one but if not you don't.

Sign In

Help/Support How to make everything free (free store) in IDA for Kill Shot?

15 posts in this topic

Recommended Posts

NotEriic 374 iPad Mini 4 13.5

Guest

cu_rry 10.7k iPhone 7 Plus 11.2

NotEriic 374 iPad Mini 4 13.5

Guest

ipaarchive.com 11.1k

NotEriic 374 iPad Mini 4 13.5

castix 18.4k iPhone X 12.1.1

NotEriic 374 iPad Mini 4 13.5

Guest

Create an account or sign in to comment

Create an account

Sign in

Our picks

Picked By

Picked By

Picked By

Picked By

Picked By

Picked By

Picked By

Picked By

Picked By

Picked By

Picked By

Picked By

Important Information

NotEriic 374
iPad Mini 4

13.5

cu_rry 10.7k
iPhone 7 Plus

11.2

NotEriic 374
iPad Mini 4

13.5

NotEriic 374
iPad Mini 4

13.5

castix 18.4k
iPhone X

12.1.1

NotEriic 374
iPad Mini 4

13.5