2018-09-25 MonkeyDev xm

https://www.alonemonkey.com/2018/02/03/unity-reverse-ios/

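#import <mach-o/dyld.h>   // _dyld_get_image_vmaddr_slide
#import <substrate.h>     // MSHookFunction

// Pointer to the original function; filled in by MSHookFunction.
unsigned char * (*old_decrypt_xxtea)(unsigned char *data,
                                     uint32_t data_len,
                                     unsigned char *key,
                                     uint32_t key_len,
                                     uint32_t *ret_length);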

unsigned char * new_decrypt_xxtea(unsigned char *data,
                                  uint32_t data_len,
                                  unsigned char *key,
                                  uint32_t key_len,
                                  uint32_t *ret_length)
{
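    // Print exactly key_len bytes; the key buffer is not guaranteed to be NUL-terminated.
    NSLog(@"hook decrypt xxtea %.*s", (int)key_len, key);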
    return (*old_decrypt_xxtea)(data, data_len, key, key_len, ret_length);
}

%ctor
{
    @autoreleasepool
    {
        // This address was found in Hopper; it may not be correct.
        unsigned long xxtea_point_stock = _dyld_get_image_vmaddr_slide(0) + 0x007ed5d7;
        MSHookFunction((void *)xxtea_point_stock, (void *)&new_decrypt_xxtea, (void **)&old_decrypt_xxtea);
    }
}

But it failed with an error:

[LUA-print] LUA ERROR: ?:100: attempt to call method 'decryptXXTEA' (a nil value)

[LUA-print] 
stack traceback:
    ?:100: in function 'decryptXXTEA'

2018.09.26:
Try zlibVersion instead, and bring out IDA.

    unsigned long ptr = _dyld_get_image_vmaddr_slide(0) + 0x007E19A4;
    const char * (*zv)() = (const char*(*)()) ptr;
    NSLog(@"get zip version %s", zv());

//----------------insert dylib success----------------
// get zip version 1.2.5
// That works fine, so for xxtea Hopper most likely did not find the correct address.
