Let me start this post with a little rant. The iPad is a great product but it's full of "spyware" and that sucks big time. One might argue that it's not spyware, it's just sending bits of information. Well, for me it's damn spyware because I'm not authorizing the apps to send any information, much less unique pieces of information that can identify you forever. I can't even conceive why the enterprise world will adopt the iPad with this kind of problem. If I was the CSO or CIO I would fight against this, and I mean real hard fighting. It sucks, seriously! It sucks so much that I tried to firewall one of the ad networks and it starts connecting to different Amazon EC2 instances, more or less like a botnet client (this should be an interesting reversing project). The argument of high availability for such behavior is weak – there are many HA solutions. If I want to firewall your shitty ad network, let me, don't try to fight it.

All this spyware crap is one of the reasons why I'm not fully using the iPad for web browsing and other more personal tasks. Apple should allow a Little Snitch-like app, so users can have some control over what is going out of their devices. I really like Apple in some points, but this one pisses me off!

Back to the interesting juice… I was reading some articles today and I saw the announcement of this game, Contract Killer, based on a freemium business model with in-app purchases. After a while you need to buy energy credits so you can proceed in the game. Of course I was already more interested in exploring a way to remove that limitation than in playing (I played a few rounds, it gets boring). A reversing brain is a dangerous brain.

The credits information is written into a save game file. This can be found in the Documents/default folder, with the name savebh.dat (by the way, the app has the name BountyHunter.app). These are binary and seem packed/encrypted (by the way, if you want to have fun with virtual fishes and don't want to wait, you can use the same trick with iQuarium – edit the plist file with the properties, it's not encrypted nor packed – BBEdit can handle it fine).

Checking around the disassembly (don't forget you need to decrypt the binary, use Crackulous for example) you find two interesting methods: CBH_XorCrypt::Decypher and CBH_XorCrypt::Cipher (the CSaveManager class is also interesting, it calls the encryption method).

If you breakpoint on the Cipher method and try to buy some bullets, the debugger will break. The prototype is CBH_XorCrypt::Cipher(char *, int), meaning that R0 holds the unencrypted data and R1 its size. Do an x/30s $r0 and you can see the plaintext XML file. So my idea was to modify memory before it's encrypted. I tried to modify one byte of the money, by computing the offset from R0 where it's located and modifying its value – for example, from 500 to 900. This doesn't work for some reason, probably some additional checks. While doing this, I reversed the crypt routine (it's a simple XOR with a table) so I could write a small decryptor.

But before this, I was trying to breakpoint and modify the decryption. Since you can't load it from GDB (it's not launched onto the screen, so you can't interact with the app), the only solution is to attach GDB. My dirty method is to launch GDB with the following command:

```sh
# attach to the running app by PID (the awk program is assumed to be '{print $1}',
# the PID column of ps ax; the original's awk argument did not survive extraction)
gdb --pid=`ps ax | grep Bounty | grep mobile | awk '{print $1}'`
```

Open the game on the iPad and quickly launch this command, so we can attach GDB as soon as possible, hopefully before decryption. Now the trick is to let the program decrypt the save game, and then modify memory as in the crypt method. The new save game will then use the new value, so it means credits, experience, points, hits, guns, etc etc etc. Now you just need to code a decryptor/encryptor and customize the whole XML file! Beware that the first 4 bytes in the save game are a CRC32 and the next byte is the initial XOR key.
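Added example, not code from the original post or the game: a Python model of the save layout described above (4-byte CRC32, one initial XOR key byte, then the XOR-encrypted XML). The XOR table, the key schedule, the CRC byte order and what the CRC covers are all assumptions, since the real CBH_XorCrypt table is not on the page. It also makes the integrity point concrete: a CRC32 catches a stray byte flip, but it carries no secret, so it is not a defence against a deliberate rewrite.

```python
import binascii
import struct

# Constructed stand-in for the app's XOR table; the real CBH_XorCrypt table is not on the page.
XOR_TABLE = bytes((0x5A + 7 * i) & 0xFF for i in range(32))

# Constructed sample plaintext, standing in for the game's real save XML.
SAMPLE_XML = b"<save><credits>500</credits><bullets>12</bullets></save>"


def keystream(initial_key: int, length: int) -> bytes:
    # Assumed schedule: walk the table starting at the initial key byte.
    return bytes(XOR_TABLE[(initial_key + i) % len(XOR_TABLE)] for i in range(length))


def xor_crypt(data: bytes, initial_key: int) -> bytes:
    # XOR is its own inverse, so one routine covers both Cipher and Decypher.
    return bytes(a ^ b for a, b in zip(data, keystream(initial_key, len(data))))


def pack_save(xml: bytes, initial_key: int) -> bytes:
    """Build a save blob: CRC32 | initial key byte | XOR-encrypted body."""
    body = xor_crypt(xml, initial_key)
    # Assumed: the CRC covers the key byte plus the encrypted body, stored little-endian.
    crc = binascii.crc32(bytes([initial_key]) + body) & 0xFFFFFFFF
    return struct.pack("<I", crc) + bytes([initial_key]) + body


def unpack_save(blob: bytes) -> bytes:
    """Verify the CRC32 header and return the decrypted XML, or raise ValueError."""
    if len(blob) < 5:
        raise ValueError("save file shorter than the 5-byte header")
    (stored_crc,) = struct.unpack("<I", blob[:4])
    initial_key, body = blob[4], blob[5:]
    if binascii.crc32(bytes([initial_key]) + body) & 0xFFFFFFFF != stored_crc:
        raise ValueError("CRC32 mismatch: file corrupted or edited without re-packing")
    return xor_crypt(body, initial_key)


def crc_catches_byte_flip(blob: bytes, offset: int) -> bool:
    """Flip one byte of a packed save and report whether unpack_save rejects the result.
    A CRC detects this kind of accidental damage, but anyone who can read the file
    can recompute it, so it is not a defence against a deliberate rewrite."""
    damaged = bytearray(blob)
    damaged[offset] ^= 0xFF
    try:
        unpack_save(bytes(damaged))
    except ValueError:
        return True
    return False
```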