逆向 | 逃离鸭科夫 frida hook 锁血
逆向 | 逃离鸭科夫锁血hook
赶时间,随便用 frida 搓了一个。原理是先通过 hook 找到血量地址,再导出函数供 python 端定时调用。
python端:
from __future__ import print_function # 这里__future__的目的是引入新版本特性
import frida
import sys
import threading
import time
# Attach to the running game process by its executable name.
session = frida.attach('Duckov.exe')

# The agent lives in hook.js next to this script so it can be edited without
# touching the Python side; read it as UTF-8 because its log strings contain
# non-ASCII characters.
with open('hook.js', encoding='utf-8') as agent_file:
    js_hook = agent_file.read()

# Create the agent script inside the target; it is started later by script.load().
script = session.create_script(js_hook)
def add_hp(args):
    """Background loop: every five seconds ask the agent to refill the player's HP.

    Never returns; it is meant to run as the target of a thread. ``args`` exists
    only to match the ``threading.Thread(args=...)`` call site and is not used.
    """
    while True:
        time.sleep(5)
        print('call add hp')
        # Call the agent's exported ``addhp`` RPC function (see rpc.exports in hook.js).
        script.exports.addhp()
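# Run the refill loop on a daemon thread so the interpreter can exit once stdin
# closes instead of waiting forever on add_hp's infinite loop. The positional
# argument is ignored by add_hp.
t1 = threading.Thread(target=add_hp, args=(0,), daemon=True)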
def on_message(message, data):
    """Frida message callback: echo every message from the agent to stdout.

    ``message`` is the message object frida delivers; ``data`` is the optional
    binary payload and is ignored here.
    """
    print(str(message))
# Route everything the agent sends back (presumably including its console.log
# output — verify against frida's message types) through on_message.
script.on('message', on_message)
script.load()   # inject and run hook.js inside the target
t1.start()      # begin the periodic refill loop
# Block the main thread until stdin is closed, keeping the session alive meanwhile.
sys.stdin.read()
js:(找到地址后一定要取消 hook,不然程序会崩)
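// Base of the Unity runtime module; every offset below is relative to it and
// is specific to the game build this script was written against.
const ImageBase = Module.findBaseAddress("UnityPlayer.dll");
if (ImageBase === null) {
  // Fail at load time with a clear message instead of a null dereference
  // when the hook address is computed further down.
  throw new Error("UnityPlayer.dll is not loaded in the target process");
}
console.log("ImageBase: " + ImageBase);

// Value written by addhp; also the value the probe hook looks for to
// recognise the HP field.
const full_hp = 40.0;
// Set once the HP field has been located; hp_addr then holds its address.
let found_hp = false;
let hp_addr = null;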
rpc.exports = {
  // Exposed to the Python side as script.exports.addhp(): refills HP when the
  // field address is known and logs what happened either way.
  addhp() {
    if (!found_hp) {
      console.log('no hp_addr');
      return;
    }
    const now_hp = hp_addr.readFloat();
    hp_addr.writeFloat(full_hp);
    console.log(`【${hp_addr} 回血: ${now_hp} -> ${full_hp}】`);
  },
};
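// Probe hook: the function at ImageBase+0x77ff27 receives (in rdi) an object
// from which the HP field is reached by following two pointers. The offsets
// 0x28, 0x90 and 0x68 are specific to this game build and must be re-found
// if the game updates.
Interceptor.attach(ImageBase.add(0x77ff27), {
  onEnter(args) {
    // Only the first call that reaches the full-HP value is used.
    if (found_hp) {
      return;
    }
    const obj = this.context.rdi;
    console.log(obj);
    let tmp = obj.add(0x28).readPointer();
    console.log(` > ${tmp}`);
    tmp = tmp.add(0x90).readPointer();
    console.log(` > ${tmp}`);
    const hp = tmp.add(0x68).readFloat();
    console.log(` > ${hp}`);
    // A field holding exactly full_hp is taken to be the HP field.
    if (hp === full_hp) {
      found_hp = true;
      hp_addr = tmp.add(0x68);
      console.log(`hp_addr: ${hp_addr}`);
      // Remove the hook once the address is known: the author notes the game
      // crashes if it is left attached.
      Interceptor.detachAll();
    }
    console.log('----------------------------------');
  },
});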
本文来自博客园,作者:Mz1,转载请注明原文链接:https://www.cnblogs.com/Mz1-rc/p/19152829
如果有问题可以在下方评论或者email:mzi_mzi@163.com
