Help/Support How to make everything free (free store) in IDA for Kill Shot?

[NotEriic 377 iPad Mini 4 13.5]

This is the GetPrice function:

 

__text:001F6CFC
__text:001F6CFC                 PUSH            {R4-R7,LR}
__text:001F6CFE                 ADD             R7, SP, #0xC
__text:001F6D00                 PUSH.W          {R8,R10,R11}
__text:001F6D04                 SUB.W           SP, SP, #0x390
__text:001F6D08                 MOV             R11, R2
__text:001F6D0A                 MOV             R4, R1
__text:001F6D0C                 MOV             R6, R0
__text:001F6D0E                 BL              __ZL27SalesAgentStringsInitializev ; SalesAgentStringsInitialize(void)
__text:001F6D12                 MOVW            R0, #(:lower16:(aTuningdata - 0x1F6D28)) ; "TuningData"
__text:001F6D16                 MOVS            R2, #0  ; char *
__text:001F6D18                 MOVT.W          R0, #(:upper16:(aTuningdata - 0x1F6D28)) ; "TuningData"
__text:001F6D1C                 MOV             R1, #(aSniperTuningPr - 0x1F6D2A) ; "sniper/tuning/prices"
__text:001F6D24                 ADD             R0, PC  ; "TuningData"
__text:001F6D26                 ADD             R1, PC  ; "sniper/tuning/prices"
__text:001F6D28                 MOVS            R5, #0
__text:001F6D2A                 BL              __ZN9CachedDoc17RetrieveCachedDocEPKcS1_S1_ ; CachedDoc::RetrieveCachedDoc(char const*,char const*,char const*)
__text:001F6D2E                 CBZ             R0, loc_1F6D50
__text:001F6D30                 MOVW            R1, #(:lower16:(__ZTI9CachedDoc_ptr - 0x1F6D46))
__text:001F6D34                 MOVS            R3, #0
__text:001F6D36                 MOVT.W          R1, #(:upper16:(__ZTI9CachedDoc_ptr - 0x1F6D46))
__text:001F6D3A                 MOV             R2, #(__ZTI9PricesDoc_ptr - 0x1F6D48)
__text:001F6D42                 ADD             R1, PC ; __ZTI9CachedDoc_ptr
__text:001F6D44                 ADD             R2, PC ; __ZTI9PricesDoc_ptr
__text:001F6D46                 LDR             R1, [R1] ; `typeinfo for'CachedDoc
__text:001F6D48                 LDR             R2, [R2] ; `typeinfo for'PricesDoc
__text:001F6D4A                 BLX.W           ___dynamic_cast
__text:001F6D4E                 MOV             R5, R0
__text:001F6D50
__text:001F6D50 loc_1F6D50                              ; CODE XREF: SalesAgent::GetPrice(char const*,char const*,char const*,double)+32j
__text:001F6D50                 MOV             R0, R5  ; this
__text:001F6D52                 BL              __ZN12CachedObject10GetJSONMapEv ; CachedObject::GetJSONMap(void)
__text:001F6D56                 MOVW            R2, #(:lower16:(aData - 0x1F6D66)) ; "Data"
__text:001F6D5A                 MOV             R1, R0
__text:001F6D5C                 MOVT.W          R2, #(:upper16:(aData - 0x1F6D66)) ; "Data"
__text:001F6D60                 ADD             R0, SP, #0x3A8+var_54
__text:001F6D62                 ADD             R2, PC  ; "Data"
__text:001F6D64                 BL              __ZN7JSONMapixEPKc ; JSONMap::operator[](char const*)
__text:001F6D68                 MOVW            R0, #(:lower16:(_StringTable_ptr - 0x1F6D78))
__text:001F6D6C                 MOV             R1, R6  ; char *
__text:001F6D6E                 MOVT.W          R0, #(:upper16:(_StringTable_ptr - 0x1F6D78))
__text:001F6D72                 MOVS            R2, #1  ; bool
__text:001F6D74                 ADD             R0, PC ; _StringTable_ptr
__text:001F6D76                 LDR             R5, [R0] ; _StringTable
__text:001F6D78                 LDR             R0, [R5] ; this
__text:001F6D7A                 BL              __ZN12_StringTable6insertEPKcb ; _StringTable::insert(char const*,bool)
__text:001F6D7E                 MOV             R1, #(dword_D01260 - 0x1F6D8A)
__text:001F6D86                 ADD             R1, PC ; dword_D01260
__text:001F6D88                 LDR             R2, [R1]
__text:001F6D8A                 CMP             R0, R2
__text:001F6D8C                 BEQ             loc_1F6D9E
__text:001F6D8E                 LDR             R1, [R1,#(dword_D01274 - 0xD01260)]
__text:001F6D90                 CMP             R0, R1
__text:001F6D92                 BEQ             loc_1F6E0C
__text:001F6D94                 STR             R6, [sP,#0x3A8+var_3A0]
__text:001F6D96                 MOVS            R6, #0
__text:001F6D98                 STMEA.W         SP, {R5,R11}
__text:001F6D9C                 B               loc_1F6E7A
__text:001F6D9E ; ---------------------------------------------------------------------------

[Guest]

All you have to do is

 

MOV R0, #0 0x0020
BX LR 0x7047

Because what that is telling the GetPrice function to do is to just move zero into R0 (price) and then be done with the function.

@

[cu_rry 10.8k iPhone 7 Plus 11.2]

All you have to do is

MOV R0, #0 0x0020
BX LR 0x7047

Because what that is telling the GetPrice function to do is to just move zero into R0 (price) and then be done with the function.@

Thanks.

[NotEriic 377 iPad Mini 4 13.5]

All you have to do is

 

MOV R0, #0 0x0020
BX LR 0x7047

Because what that is telling the GetPrice function to do is to just move zero into R0 (price) and then be done with the function.

@

@shmoo Big Thanks, but it doenst work

Only all my Weapons are now unlocked but they costs money/ gold.

That is not my target

[Guest]

@shmoo Big Thanks, but it doenst work

Only all my Weapons are now unlocked but they costs money/ gold.

That is not my target

Breakpoint that function and buy something and tell me if it hits.

[ipaarchive.com 11.1k]

nvm

Updated July 15, 2015 by iOSv64

[NotEriic 377 iPad Mini 4 13.5]

Breakpoint that function and buy something and tell me if it hits.

And how to mke a Break Point in IDA? Sorry its my first Time

[castix 18.5k iPhone X 12.1.1]

And how to mke a Break Point in IDA? Sorry its my first Time

In GDB

[NotEriic 377 iPad Mini 4 13.5]

@z0ne @iOSv64 @@shmoo

 

I got the Break Point in GDB for:

MOV R0, #0 and BX LR

 

and now?...

When i switch to Kil SHot my Phone Freeze

[Guest]

@z0ne @iOSv64 @@shmoo

 

I got the Break Point in GDB for:

MOV R0, #0 and BX LR

 

and now?...

When i switch to Kil SHot my Phone Freeze

no, in GDB you attach Kill Shot. So when ssh'ed into your phone:

gdb
<enter>
at nameofbinhere
<enter>
b *0x1f6d50 //start of the get price function
<enter>
c
<enter>

Then buy something. If your phone freezes when you buy something that means you have the right one but if not you don't.