Help! IDA PRO hack time in application

Ykrop

Hi, I have an application (a Chinese script shop). After I log in I have 15 minutes to test a script; after that I can only buy VIP.
I found 3 functions, "dtls1_start_timer", "dtls1_stop_timer" and "dtls1_is_timer_expired". How can I modify these to get around the 15-minute limit?

EXPORT dtls1_start_timer
dtls1_start_timer ; CODE XREF: j_dtls1_start_timer+8↑j
DATA XREF: LOAD:000139A0↑o ...
PUSH {R4,LR}


EXPORT dtls1_start_timer
dtls1_start_timer ; CODE XREF:
j_dtls1_start_timer+8↑j
; DATA XREF:LOAD:000139A0↑o ...
PUSH {R4,LR}
MOV R4, R0
LDR R3, [R0,#0x5C]
LDR.W R2, [R3,#0x2C0]
CBNZ R2, loc_2B57B4
LDR.W R2, [R3,#0x2C4]
CBNZ R2, loc_2B57B4
MOVS R2, #1
STRH.W R2, [R3,#0x2C8]

loc_2B57B4 ; CODE XREF:dtls1_start_timer+A↑j;dtls1_start_timer+10↑j
LDR R0, [R4,#0x5C]
MOVS R1, #0 ; tz
ADD.W R0, R0, #0x2C0 ; tv
BLX gettimeofday
LDR R3, [R4,#0x5C]
MOV R0, R4
LDRH.W R1, [R3,#0x2C8]
LDR.W R2, [R3,#0x2C0]
ADD R2, R1
STR.W R2, [R3,#0x2C0]
BLX j_SSL_get_rbio
LDR R3, [R4,#0x5C]
MOVS R1, #0x2D ; '-'
MOVS R2, #0
ADD.W R3, R3, #0x2C0
POP.W {R4,LR}
B.W sub_2EBB24
; End of function dtls1_start_timer

----------

EXPORT dtls1_stop_timer
dtls1_stop_timer ; CODE XREF:
j_dtls1_stop_timer+8↑j
- .text:002B58B4 ; DATA XREF:LOAD:00013990↑o ...
PUSH {R4,LR}
MOV R4, R0
LDR R0, [R0,#0x5C]
MOVS R1, #0 ; int
MOVS R2, #0xC ; size_t
ADD.W R0, R0, #0x2B4 ; void*
BLX memset
LDR R0, [R4,#0x5C]
MOVS R1, #0 ; int
MOVS R2, #8 ; size_t
ADD.W R0, R0, #0x2C0 ; void*
BLX memset
LDR R3, [R4,#0x5C]
MOVS R2, #1
MOV R0, R4
STRH.W R2, [R3,#0x2C8]
BLX j_SSL_get_rbio
LDR R3, [R4,#0x5C]
MOVS R1, #0x2D ; '-'
MOVS R2, #0
ADD.W R3, R3, #0x2C0
BLX j_BIO_ctrl
MOV R0, R4
POP.W {R4,LR}
B.W sub_2ECC14
; End of function dtls1_stop_timer


----------






- EXPORT dtls1_is_timer_expired
dtls1_is_timer_expired; CODE XREF:j_dtls1_is_timer_expired+8↑j; DATA XREF:LOAD:00013A50↑o ...
var_10 = -0x10
var_C = -0xC
PUSH {R0-R2,LR}
MOV R1, SP
BLX j_dtls1_get_timeout
CBZ R0, loc_2B588E
LDR R3, [SP,#0x10+var_10]
CMP R3, #0
BGT loc_2B588C
LDR R0, [SP,#0x10+var_C]
CMP R0, #0
ITE GT
MOVGT R0, #0
MOVLE R0, #1
B loc_2B588E
;----------------------------------------------------------------
loc_2B588C ; CODE XREF:dtls1_is_timer_expired+E↑j
MOVS R0, #0
loc_2B588E ; CODE XREF:dtls1_is_timer_expired+8↑j ;dtls1_is_timer_expired+1A↑j
ADD SP, SP, #0xC
POP.W {PC}
; End of function dtls1_is_timer_expired
 

NullCoder

If you have an end timer called you should try NOP B.W sub_2EBB24 which probably refers to this function. Also use pseudocode to make it easier. This is a very good thing that makes hacking easier.
 

Ykrop

If you have an end timer called you should try NOP B.W sub_2EBB24 which probably refers to this function. Also use pseudocode to make it easier. This is a very good thing that makes hacking easier.
I tried that, but the timer still starts.
 

Tiahh

Hook the function's address. Could you provide the function's pseudocode?
 

Ykrop

Hook the address of the function, could you provide the function's pseudocode?
int __fastcall dtls1_start_timer(int a1)
{
int v2; // r3
int rbio; // r0

v2 = *(_DWORD *)(a1 + 0x5C);
if ( !*(_DWORD *)(v2 + 0x2C0) && !*(_DWORD *)(v2 + 0x2C4) )
*(_WORD *)(v2 + 0x2C8) = 1;
gettimeofday((struct timeval *)(*(_DWORD *)(a1 + 0x5C) + 0x2C0), 0);
*(_DWORD *)(*(_DWORD *)(a1 + 0x5C) + 0x2C0) += *(unsigned __int16 *)(*(_DWORD *)(a1 + 0x5C) + 0x2C8);
rbio = j_SSL_get_rbio(a1);
return j_j_BIO_ctrl(rbio, 0x2D, 0, *(_DWORD *)(a1 + 0x5C) + 0x2C0);
}
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

int __fastcall dtls1_stop_timer(int a1)
{
int rbio; // r0

memset((void *)(*(_DWORD *)(a1 + 0x5C) + 0x2B4), 0, 0xCu);
memset((void *)(*(_DWORD *)(a1 + 0x5C) + 0x2C0), 0, 8u);
*(_WORD *)(*(_DWORD *)(a1 + 0x5C) + 0x2C8) = 1;
rbio = j_SSL_get_rbio(a1);
j_BIO_ctrl(rbio, 0x2D, 0, *(_DWORD *)(a1 + 0x5C) + 0x2C0);
return j_j_dtls1_clear_record_buffer(a1);
}

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

int __fastcall dtls1_is_timer_expired(int a1, int a2, int a3)
{
int result; // r0
int v4; // [sp+0h] [bp-10h] BYREF
int v5; // [sp+4h] [bp-Ch]
int v6; // [sp+8h] [bp-8h]

v4 = a1;
v5 = a2;
v6 = a3;
result = j_dtls1_get_timeout(a1, &v4);
if ( result )
return v4 <= 0 && v5 <= 0;
return result;
}
 

Tiahh

asm = assembly. I need to know whether you are on armeabi-v7a, arm64-v8a, or something else.