CmP, posted August 25, 2021:

You missed one important detail. On 8/16/2021 at 6:14 AM, CmP said:

"In my case a 32-bit Android emulator for Windows was used, causing the game's libraries for x86 to be used. Correspondingly, all library-specific values like offsets that will be shown or mentioned in this post are only applicable to the game's library for x86."

The offset from the library start to the function's instructions, and the new values for them that were mentioned, are only applicable to the game's library for x86. On your device the library for arm64-v8a is expected to be used, so the offset to the function, and which instructions in it to modify, need to be located in exactly this variant of the library.
CmP, posted August 25, 2021:

Regarding the needed details about the "IsMatchHash" function in the variant of the library for arm64-v8a: the function is located at offset 0x18E078 from the start of the library. Here is the result of decompilation of the function's code:

The assignment on line 23 can be modified to achieve the desired result (for the function to always return 1). The assignment is performed by this instruction at offset 0x18E0EC from the library start ("this" is a label for the x0/w0 register):

Modification of this instruction to MOV W0, #1 (hex bytes: 20 00 80 52) will cause the function to return 1 even when the computed hash doesn't match the stored hash. This modification of the function's behavior is sufficient for bypassing the in-memory data integrity check.
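The post above shows why a data-integrity check that reduces to one return-value assignment is fragile: a single-instruction patch in memory flips its verdict. The following is an added example written for this thread, not code from the game or from either poster, showing the complementary defensive measure: hashing the live code bytes of a region and comparing them with a digest recorded at build time, so that the patch itself is what gets detected. The instruction sequence in GENUINE_CODE, the PATCH_OFFSET value and the use of FNV-1a as the digest are all constructed assumptions for the demonstration; only the MOV W0, #1 encoding (20 00 80 52) comes from the thread.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a function's code bytes in an arm64 library.
   These are real AArch64 encodings (little-endian), but the sequence is
   made up for this example and is not the game's IsMatchHash code. */
static const uint8_t GENUINE_CODE[] = {
    0x1F, 0x20, 0x03, 0xD5,  /* NOP                     */
    0x00, 0x00, 0x80, 0x52,  /* MOV W0, #0 (return 0)   */
    0xC0, 0x03, 0x5F, 0xD6,  /* RET                     */
};

/* Hypothetical offset of the return-value assignment inside the region. */
#define PATCH_OFFSET 4

/* FNV-1a 64-bit over a byte range. The digest is a choice made here for
   brevity; a production build would use a proper cryptographic hash. */
uint64_t fnv1a64(const uint8_t *data, size_t len) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Returns 1 if the live code bytes still hash to the digest recorded at
   build time, 0 if the region has been modified in memory. */
int code_region_intact(const uint8_t *code, size_t len, uint64_t expected) {
    return fnv1a64(code, len) == expected;
}

/* Simulates the tampering described in the thread: the 4 bytes at `offset`
   are overwritten with MOV W0, #1 (20 00 80 52). Used here only to produce
   a tampered copy for the detector to examine. */
void simulate_tamper(uint8_t *code, size_t offset) {
    static const uint8_t mov_w0_1[4] = {0x20, 0x00, 0x80, 0x52};
    memcpy(code + offset, mov_w0_1, sizeof mov_w0_1);
}

/* Runs the check against a pristine copy and a tampered copy of the region.
   Returns 1 when the pristine copy verifies and the tampered copy is
   flagged, 0 otherwise. */
int demo_detects_patch(void) {
    uint8_t live[sizeof GENUINE_CODE];
    memcpy(live, GENUINE_CODE, sizeof live);

    /* Digest that would have been computed and stored at build time. */
    uint64_t expected = fnv1a64(GENUINE_CODE, sizeof GENUINE_CODE);

    int before = code_region_intact(live, sizeof live, expected);
    simulate_tamper(live, PATCH_OFFSET);
    int after = code_region_intact(live, sizeof live, expected);

    return before == 1 && after == 0;
}

int main(void) {
    printf("in-memory patch detected: %s\n",
           demo_detects_patch() ? "yes" : "no");
    return 0;
}
```

The caveat the thread itself illustrates still applies: code_region_intact is just another function whose result can be forced, so a check like this only raises the bar when it is evaluated from several places, its result is consumed in more than one branch, and the regions it covers include the checking code. The point of the example is that tampering with the instruction bytes is observable at all, not that one hash comparison settles the matter.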
GeraldLim (thread author), posted August 26, 2021:

12 hours ago, CmP said:

"Regarding the needed details about the "IsMatchHash" function in the variant of the library for arm64-v8a: the function is located at offset 0x18E078 from the start of the library. Here is the result of decompilation of the function's code: The assignment on line 23 can be modified to achieve the desired result (for the function to always return 1). The assignment is performed by this instruction at offset 0x18E0EC from the library start ("this" is a label for the x0/w0 register): Modification of this instruction to MOV W0, #1 (hex bytes: 20 00 80 52) will cause the function to return 1 even when the computed hash doesn't match the stored hash. This modification of the function's behavior is sufficient for bypassing the in-memory data integrity check."

I was finally able to crack it! Thanks so much! This was quite an experience for me. I actually only know the basics of assembly thanks to the Cheat Engine tutorial, but actually modifying code in hex on a mobile device is a first. This is also my first time working with encoded values. Could you maybe give me some pointers on how you found the values (the OP instructions and the XOR keys)? I'd love to learn and be able to do this on my own someday.