ttl
// Native libraries whose dlopen() the hook at the bottom of the script watches for.
const IL2CPPLIB = 'libil2cpp.so'
const TOLUALIB = 'libtolua.so'
// $ nm --demangle --dynamic libfoo.so | grep "Class::method("
// nm --gD libcocos2djs.so | grep _ZN7cocos2d9FileUtils13decodeGsnDataEPhli
// Mutable state filled in by the dlopen hook: base address of libil2cpp.so,
// the game's lua_State, and the two libtolua exports that evaluateLua() calls.
var baseAddress = null
// The absolute values below are seeds from an earlier session (ASLR makes them
// process-specific). The dlopen hook resets all three to null once libil2cpp.so
// loads and re-resolves them from libtolua.so. Presumably they only matter when
// attaching to a process whose libraries are already mapped — TODO confirm.
var luaState = ptr(0x7561203378)
var luaL_loadbufferPtr = ptr(0x7557d5092c)
var lua_pcallPtr = ptr(0x7557d46a04)
// Hook the function at baseAddress + addr and log every call: a symbolised
// backtrace, the first three raw arguments, and the return value.
// @param {string} name  Label printed with each trace line.
// @param {number} addr  Offset of the target relative to baseAddress.
// Requires baseAddress to be resolved already (the dlopen hook sets it).
function traceMethod(name, addr) {
  const target = baseAddress.add(addr)
  console.log(`add trace: ${name} at ${target}`)
  const handlers = {
    // Regular method (not an arrow) so `this.context` is the Frida invocation context.
    onEnter(args) {
      console.log(`================== ${name} =================`)
      const frames = Thread.backtrace(this.context, Backtracer.ACCURATE)
      const symbolised = frames.map(DebugSymbol.fromAddress)
      console.log(symbolised.join('\n'))
      console.log(`${args[0]}\t${args[1]}\t${args[2]}`)
    },
    onLeave(retval) {
      console.log(retval)
    },
  }
  Interceptor.attach(target, handlers)
}
// Sign the current account out on both sides: call the GT SDK's logout on the
// Java side and clear its cached models, then run a Lua snippet in the game VM
// that closes the login UI, triggers ReLogin and opens the account page.
// Relies on evaluateLua() having a resolved lua_State.
function logout() {
  Java.perform(function () {
    var GTLoginManager = Java.use('vng.com.gtsdk.GTLoginManager')
    var Utils = Java.use('vng.com.gtsdk.core.helper.Utils')
    GTLoginManager.logout()
    // NOTE(review): removeModel is invoked on the class wrapper, so these look
    // like static helpers clearing persisted SDK state — confirm against the SDK.
    Utils.removeModel('GTUserInfo5')
    Utils.removeModel('BOOTSTRAP')
    Utils.removeModel('counter_guest_login')
  })
  // NOTE(review): Java.perform may defer its callback until the VM is available,
  // so the Lua below is not guaranteed to run after the Java logout — TODO confirm.
  const luaScript = `
LoginModule:CloseAllLoginUI();
LoadingUI:ReLogin();
AccountPageUI:Open();
`
  evaluateLua(luaScript)
}
// Start an SDK login on the Java side, then after a fixed delay ask the game
// (via Lua) to fetch the server list for the currently selected server.
function createUserAndJoin() {
  Java.perform(function () {
    var GTLoginManager = Java.use('vng.com.gtsdk.GTLoginManager')
    var Utils = Java.use('vng.com.gtsdk.core.helper.Utils')
    // NOTE(review): the meaning of the literal 5 (a login-type enum, presumably)
    // is not visible here — confirm against the SDK.
    GTLoginManager.login(5)
  })
  // A 2 s timer stands in for a "login finished" signal; if the login takes
  // longer, the Lua snippet runs against a not-yet-logged-in session.
  setTimeout(() => {
    const luaScript = `
EventSender.SendEvent(LuaEvent.InitServerListStart, InitServerListType.GET_ONE, LoginManager.currentServer.ServerID)
`
    evaluateLua(luaScript)
  }, 2000)
}
// Install a Lua-side event handler in the game VM. The handler reacts to
// DataEvent.ShowCreateRoleUI by filling in a role with the constants below,
// sending ReqCreateRole, disconnecting, and returning to the account page.
// The four constants are interpolated into the Lua source as numeric literals.
// NOTE(review): each call overwrites _G.AutoHandler and registers it again;
// whether EventManager:Register tolerates duplicate registration is not visible
// here — confirm before calling inject() more than once.
function inject() {
  const nowHairdoId = 18
  const nowFaceId = 1
  const nowZhiye = 4
  const userSex = 1
  const luaScript = `
_G.AutoHandler = {}
EventManager:Register(DataEvent.ShowCreateRoleUI, AutoHandler)
function AutoHandler:OnEvent(p_event, p_param)
if(p_event == DataEvent.ShowCreateRoleUI) then
local userName = LoginModule:GetRandName(tonumber(${userSex}))
LoginModule.CurRoleName = userName
LoginManager.SetCreateRole(userName,${userSex},${nowZhiye},0,${nowHairdoId},${nowFaceId})
EventSender.SendEvent(LuaEvent.ReqCreateRole,userName,${userSex},${nowZhiye},0,${nowHairdoId},${nowFaceId})
LuaUniverseX.DisconnectServer()
LoginModule:CloseAllLoginUI()
LoadingUI:ReLogin()
AccountPageUI:Open()
end
end
`
  evaluateLua(luaScript)
}
// One-shot version of the role creation done by inject()'s event handler:
// generate a random name, set the role parameters and send ReqCreateRole.
// The constants duplicate those in inject(); keep the two in sync.
function createRole() {
  const nowHairdoId = 18
  const nowFaceId = 1
  const nowZhiye = 4
  const userSex = 1
  const luaScript = `
local userName = LoginModule:GetRandName(tonumber(${userSex}));
LoginModule.CurRoleName = userName;
LoginManager.SetCreateRole(userName,${userSex},${nowZhiye},0,${nowHairdoId},${nowFaceId});
EventSender.SendEvent(LuaEvent.ReqCreateRole,userName,${userSex},${nowZhiye},0,${nowHairdoId},${nowFaceId});
`
  evaluateLua(luaScript)
}
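// Number of bytes `str` occupies when UTF-8 encoded. luaL_loadbuffer takes a
// byte count, while String.length counts UTF-16 code units; the two differ as
// soon as the chunk contains non-ASCII text.
// @param {string} str
// @returns {number}
function _utf8ByteLength(str) {
  let bytes = 0
  for (const ch of str) {
    const cp = ch.codePointAt(0)
    if (cp < 0x80) bytes += 1
    else if (cp < 0x800) bytes += 2
    else if (cp < 0x10000) bytes += 3
    else bytes += 4
  }
  return bytes
}

// Compile and run a Lua chunk in the game's lua_State via luaL_loadbuffer and
// lua_pcall. Status codes are logged; nothing is returned.
// @param {string} luaScript  Lua source text.
// A non-zero status leaves Lua's error message on the VM stack; this function
// neither reads nor pops it.
// NOTE(review): this executes on Frida's thread, not the game's Lua thread, and
// lua_State is not thread-safe — confirm the VM is idle when this is called.
function evaluateLua(luaScript) {
  // The pointers are populated by the dlopen hook (or the hard-coded seeds);
  // calling a NativeFunction with a null pointer would crash the target.
  if (!luaState || !luaL_loadbufferPtr || !lua_pcallPtr) {
    console.log('evaluateLua: lua_State / libtolua exports not resolved yet')
    return
  }
  const source = String(luaScript)
  const luaScriptBuf = Memory.allocUtf8String(source)
  const chunkName = Memory.allocUtf8String('inject')
  // The size argument is a size_t; declaring it as int32 on a 64-bit target
  // leaves the upper half of the register unspecified.
  const luaL_loadbuffer = new NativeFunction(luaL_loadbufferPtr, 'int', ['pointer', 'pointer', 'size_t', 'pointer'])
  const lua_pcall = new NativeFunction(lua_pcallPtr, 'int', ['pointer', 'int32', 'int32', 'int32'])
  let exitCode = luaL_loadbuffer(luaState, luaScriptBuf, _utf8ByteLength(source), chunkName)
  console.log(`luaL_loadbuffer: ${exitCode}`)
  if (exitCode === 0) {
    exitCode = lua_pcall(luaState, 0, 0, 0)
    console.log(`lua_pcall: ${exitCode}`)
  }
  console.log(exitCode)
}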
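// Watch dlopen() for the game's native libraries: once libil2cpp.so is mapped,
// record its base; once libtolua.so follows, resolve luaL_loadbuffer/lua_pcall
// and capture the lua_State from the first luaL_loadbuffer call the game makes.
// Everything evaluateLua() needs comes from this hook (or the hard-coded seeds).
// NOTE(review): the commented-out log mentions android_dlopen_ext, but only
// dlopen is hooked — confirm the loads you care about actually pass through it.
const dlopenPtr = Module.findExportByName(null, 'dlopen')
if (dlopenPtr === null) {
  // Interceptor.attach(null) would throw at script load; report it instead.
  console.log('dlopen export not found; relying on the hard-coded seed pointers')
} else {
  Interceptor.attach(dlopenPtr, {
    onEnter(args) {
      // dlopen(NULL, ...) is a legal call; reading a string from NULL would fault.
      this.lib = args[0].isNull() ? null : Memory.readUtf8String(args[0])
      // console.log("android_dlopen_ext called with: " + this.lib)
    },
    onLeave(_retval) {
      if (!this.lib) return
      if (this.lib.endsWith(IL2CPPLIB)) {
        console.log(`${IL2CPPLIB} loaded !`)
        baseAddress = Module.findBaseAddress(IL2CPPLIB)
        console.log("base addr: ", baseAddress)
        // Drop any seed pointers: this process's layout is now authoritative.
        luaState = null
        luaL_loadbufferPtr = null
        lua_pcallPtr = null
        // traceMethod('Send', 0x01D6C62C)
        // traceMethod('Recv', 0x01D6C890)
      } else if (this.lib.endsWith(TOLUALIB)) {
        // Only proceed after libil2cpp.so, and only once (no double attach).
        if (!baseAddress) return
        if (luaL_loadbufferPtr) return
        const loadbufferPtr = Module.findExportByName(TOLUALIB, 'luaL_loadbuffer')
        const pcallPtr = Module.findExportByName(TOLUALIB, 'lua_pcall')
        if (loadbufferPtr === null || pcallPtr === null) {
          // Attaching to a null pointer would throw inside the hook.
          console.log(`${TOLUALIB}: luaL_loadbuffer or lua_pcall not exported`)
          return
        }
        luaL_loadbufferPtr = loadbufferPtr
        lua_pcallPtr = pcallPtr
        // The game calls luaL_loadbuffer itself; keep the lua_State from the
        // first call only — a later or second VM is not tracked.
        Interceptor.attach(luaL_loadbufferPtr, {
          onEnter(args) {
            // console.log('================== onEnter ===============')
            // const backTrace = Thread.backtrace(this.context, Backtracer.ACCURATE)
            // .map(DebugSymbol.fromAddress).join('\n')
            // console.log(backTrace)
            if (!luaState) {
              luaState = args[0]
              console.log(`luaState: ${luaState}`)
              console.log(`luaL_loadbuffer: ${luaL_loadbufferPtr}`)
              console.log(`lua_pcall: ${lua_pcallPtr}`)
            }
          }
        })
      }
    }
  })
}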