Unity stand-alone mobile game reverse cracking ideas (for learning reference only, prohibited for illegal activities)

1. Common tools for Android reverse engineering

To reverse engineer Android stand-alone games, especially those built with the Unity engine, you only need to understand the following tools.

(1) Android Killer

Android Killer is a general-purpose Android reverse engineering tool. It decompiles an apk into smali code; after editing the smali, you can repackage the apk to apply the change. It can also convert the apk into equivalent Java code, which makes it easier to analyze the program logic and locate the corresponding smali.

(2) ILSpy (for mobile games developed with Unity)

ILSpy mainly decompiles the .dll library files that Unity packs into the apk into equivalent C# code, so that you can read the game logic and decide where to modify.

(3) ILDasm (for mobile games developed with Unity)

ILDasm mainly disassembles the .dll library files that Unity packs into the apk into equivalent, editable IL assembly instructions.

(4) ILasm (for mobile games developed with Unity)

ILasm reassembles the IL assembly instructions back into a .dll file.

2. Reverse case analysis

1. Unity stand-alone mobile game case 1

Take the Unity stand-alone mobile game "Simulated Life" as an example to illustrate the approach to cracking Unity mobile games.

(1) Unzip the apk file

Decompress the apk directly with any archive tool. When it finishes, enter the assets\bin\Data\Managed directory (Unity mobile games only) and find the Assembly-CSharp.dll file, which holds the game's main logic, as shown in the figure:


Then open the "Assembly-CSharp.dll" file in a text editor to check whether it is encrypted, as shown in the figure:

Normally the text shown in the figure can be read out of the file, which indicates that the .dll is not encrypted and can be reverse analyzed directly.
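The "open it in a text editor" check above can be scripted, which is useful for a studio auditing its own build to confirm whether the shipped assembly is still a plain managed PE (and therefore trivially decompilable) or has been protected. The following is an added example, not code from the original post: it parses the PE header and tests for a CLR runtime header, which a plain managed Assembly-CSharp.dll carries and an encrypted or packed blob lacks. The build_sample_pe helper fabricates a minimal header for testing; it is constructed and is not a real game DLL.

```python
import struct

# Index of the CLR runtime header (COM descriptor) in the PE data directories.
CLR_DIRECTORY_INDEX = 14


def has_clr_header(data: bytes) -> bool:
    """True if `data` is a PE image whose optional header points at a CLR
    runtime header, i.e. a plain managed assembly that ILSpy/ILDasm can read.
    Encrypted or packed blobs fail one of the checks below."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    coff = e_lfanew + 4                      # 20-byte COFF file header
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                          # start of the optional header
    if opt_size == 0 or len(data) < opt + opt_size:
        return False
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                       # PE32: directories start at +96
        dirs = opt + 96
    elif magic == 0x20B:                     # PE32+: directories start at +112
        dirs = opt + 112
    else:
        return False
    (num_dirs,) = struct.unpack_from("<I", data, dirs - 4)
    if num_dirs <= CLR_DIRECTORY_INDEX:
        return False
    rva, size = struct.unpack_from("<II", data, dirs + 8 * CLR_DIRECTORY_INDEX)
    return rva != 0 and size != 0


def build_sample_pe(clr_rva: int, clr_size: int) -> bytes:
    """Constructed minimal PE32 header (no sections, not a real DLL) used only
    to exercise has_clr_header; pass 0, 0 to mimic a stripped/packed image."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 96 + 16 * 8                   # PE32 header + 16 directories
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * CLR_DIRECTORY_INDEX, clr_rva, clr_size)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs)
```

Run has_clr_header on the bytes of a real Assembly-CSharp.dll to apply the check to an actual build.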

(2) Use ILSpy software to view the C# language equivalent source code to determine the modification location

Open ILSpy and choose to open the "Assembly-CSharp.dll" file; the software automatically decompiles the .dll into C#. We can then search for game keywords such as Money, Level, HP and Exp. In ordinary games the variable naming is usually quite standard; if nothing turns up, the only option is to work through the code by hand.

Here is an example of finding the money in the "Simulated Life" game. Searching for money gives many results, as shown in the figure.

In the search results (marked 2 in the figure), check in turn the code most likely to operate on money. Here we finally settle on the "EarnMoneyBonus" class, which literally means "earn money bonus". Clicking into it, we find the Update() and FixedUpdate() functions. These are important functions in Unity games: Update is called every frame, and FixedUpdate is called at fixed time intervals as the game runs.

First look at Update. Judging from the variable names, it operates on a time-related variable and has little to do with money, so move on to FixedUpdate. FixedUpdate contains no words related to money either, but it calls a custom Finish function, so continue into Finish, as shown in the figure.


Here we finally see the money-related variable m_moneySum (the total amount of money) and, a little further on, m_multiplier. These two quantities are combined into num by a simple calculation:

num = m_moneySum * (m_multiplier - 1). The code at (2) then performs some operations with num as a parameter, and the code at (3) calls the SetText function. Functions of this kind usually affect the display directly, that is, this function changes the text shown somewhere on screen, and its arguments are again derived from m_moneySum and m_multiplier. We can therefore conclude that changing either of these two values will change the text displayed somewhere in the game. To keep the game playable, it seems better to change m_multiplier (you can also try changing other variables).

We can see that m_multiplier is reassigned to 1 afterward. Here, for an obvious effect, we try changing it to 1000000 (not by editing the C# code directly). In other words, the modification target is confirmed as the "m_multiplier" variable in the "Finish" function of the "EarnMoneyBonus" class.

(3) Use the ILDasm plug-in to locate the modification position in the IL instructions

Visual Studio 2019 and above ship with the ILDasm plug-in. First right-click the Managed folder of the apk decompressed earlier and choose "Open with Visual Studio (V)". This switches the working directory straight to the directory containing the "Assembly-CSharp.dll" file and saves a lot of steps, as shown in the figure.

After that, select "Developer Command Prompt (C)" under "Tools", "Command Line (L)" in Visual Studio, as shown in the figure:

Then enter the following command to disassemble "Assembly-CSharp.dll" into an IL instruction file:

ildasm Assembly-CSharp.dll

The effect is shown in the figure:

The ILDasm GUI pops up automatically and the .dll is disassembled into .il. The next step is to locate, in the IL instruction file, the position that needs to be modified.

Following the modification position determined above, first find the "EarnMoneyBonus" class, then the "Finish" function inside it, and finally the place where the "m_multiplier" variable is assigned the value 1.


Finally we determine that the place to modify is IL_00ce: ldc.r4 1. Changing it to IL_00ce: ldc.r4 1000000 means that m_multiplier is assigned 1000000 every time the Finish function runs. It cannot be edited directly here; the text file must be exported first and then modified, so copy the feature string "IL_00d3: stfld float32 EarnMoneyBonus::m_multiplier" now in order to find the location later.

As shown in the figure, under "File (F)" choose "Dump (D)", then save it as "Assembly-CSharp.il":


(4) Modify the "Assembly-CSharp.il" file

Open the "Assembly-CSharp.il" file in any text editor, locate the modification position determined in (3) (search directly for the feature string copied earlier), and change the value to 1000000, as shown in the figure.

(5) Compile the "Assembly-CSharp.il" file

Use the ILasm plug-in to compile "Assembly-CSharp.il" back into an "Assembly-CSharp.dll" file. As in the previous steps, open the command prompt in Visual Studio and run the following command:

ilasm Assembly-CSharp.il /output=Assembly-CSharp_crack.dll /dll


To avoid overwriting the original "Assembly-CSharp.dll", the newly compiled file is named "Assembly-CSharp_crack.dll". This file is the main logic file of the cracked Unity game; replace the "Assembly-CSharp.dll" file with it, then repackage and compile the apk to produce the cracked installation package.

(6) Recompile Apk with Android Killer

Open the "Life Simulator" apk with Android Killer, then go to the project directory projects\installation package name\Project\assets\bin\Data\Managed under the Android Killer installation and replace the original Assembly-CSharp.dll with Assembly-CSharp_crack.dll (after copying it in, drop the _crack suffix from the name), as shown in the figure.

Then click the compile function in Android Killer to compile and generate the cracked apk, as shown in the figure:

The cracked apk is output to projects\installation package name\Bin\xxx.apk.

The effect is as shown in the figure: every click to earn money yields 999999, which matches the calculation num = m_moneySum * (m_multiplier - 1) from the C# source decompiled earlier, where m_multiplier is the multiplier we changed to 1000000 and m_moneySum is 1, so each click earns 999999.

3. Appendix

The Android Killer and ILSpy software used in this article can be downloaded from the following link:

Link: https://pan.baidu.com/s/1oiecCQkJVFoucLmwSZfJIA 
Extraction code: long 

As for the ILDasm and ILasm plug-ins, download and install Visual Studio 2019 or later, which has both built in. The Visual Studio download page on the official website is below (Community is the free edition):

Visual Studio: IDE and Code Editor for Software Developers and Teams (microsoft.com)


Origin blog.csdn.net/qq_41595148/article/details/127583639