
最后战役X (single-player mobile game) fly diary: patching instructions to fix flying (including the "fly" checkbox check)

Contents

Fixing the bug in the single-player mobile FPS 《最后战役X》 that stops you from flying!

This is the fifth article in the series. The previous article already restored flying, but it did not check whether the checkbox is ticked.

最后战役X (single-player mobile game): the multi-jump flying idea

最后战役X: reading the checked state of the "fly" checkbox

(Failure log) Fixing the fly bug in the single-player mobile game 《最后战役X》: trying to rewrite assembly instructions

最后战役X (single-player mobile game) fly diary: patching instructions to fix flying (without the check)

The current code looks like this:

https://cdn.jsdelivr.net/gh/xinqinew/pic@main/img/81992e172ac05bb6d33eed6b48465d6b8944f9b8.png@942w_558h_progressive.png

The corresponding assembly (IDA output; the Keypatch comments record what each patched word replaced):

.text:000000000071FF68
.text:000000000071FF68 ; =============== S U B R O U T I N E =======================================
.text:000000000071FF68
.text:000000000071FF68 ; Attributes: bp-based frame
.text:000000000071FF68
.text:000000000071FF68 uidm$$jumap                             ; DATA XREF: .data.rel.ro:0000000000A28828↓o
.text:000000000071FF68
.text:000000000071FF68 var_20          = -0x20
.text:000000000071FF68 var_10          = -0x10
.text:000000000071FF68 var_s0          =  0
.text:000000000071FF68
.text:000000000071FF68 ; __unwind {
.text:000000000071FF68                 STP             X22, X21, [SP,#-0x10+var_20]!
.text:000000000071FF6C                 STP             X20, X19, [SP,#0x20+var_10]
.text:000000000071FF70                 STP             X29, X30, [SP,#0x20+var_s0]
.text:000000000071FF74                 ADD             X29, SP, #0x20
.text:000000000071FF78                 ADRP            X20, #byte_A9D621@PAGE
.text:000000000071FF7C                 LDRB            W8, [X20,#byte_A9D621@PAGEOFF]
.text:000000000071FF80                 MOV             X19, X0
.text:000000000071FF84                 TBNZ            W8, #0, loc_71FFA0
.text:000000000071FF88                 ADRP            X8, #off_A3D7E0@PAGE
.text:000000000071FF8C                 LDR             X8, [X8,#off_A3D7E0@PAGEOFF]
.text:000000000071FF90                 LDR             W0, [X8]
.text:000000000071FF94                 BL              sub_4D2878
.text:000000000071FF98                 MOV             W8, #1
.text:000000000071FF9C                 STRB            W8, [X20,#byte_A9D621@PAGEOFF]
.text:000000000071FFA0
.text:000000000071FFA0 loc_71FFA0                              ; CODE XREF: uidm$$jumap+1C↑j
.text:000000000071FFA0                 ADRP            X21, #off_A57408@PAGE
.text:000000000071FFA4                 LDR             X21, [X21,#off_A57408@PAGEOFF]
.text:000000000071FFA8                 LDR             X8, [X21] ; UnityStandardAssets.Characters.FirstPerson.FirstPersonController_TypeInfo
.text:000000000071FFAC                 LDR             X8, [X8,#0xB8]
.text:000000000071FFB0                 LDR             X20, [X8]
.text:000000000071FFB4                 MOV             W8, #0x41200000 ; Keypatch modified this from:
.text:000000000071FFB4                                         ;   CBNZ X20, loc_71FFC0
.text:000000000071FFB8                 STR             W8, [X20,#0x6C] ; Keypatch modified this from:
.text:000000000071FFB8                                         ;   MOV X0, XZR
.text:000000000071FFBC                 NOP                     ; Keypatch modified this from:
.text:000000000071FFBC                                         ;   BL sub_4F8DDC
.text:000000000071FFC0                 LDRB            W8, [X20,#0x58]
.text:000000000071FFC4                 CBNZ            W8, loc_720050
.text:000000000071FFC8                 LDR             X8, [X21] ; UnityStandardAssets.Characters.FirstPerson.FirstPersonController_TypeInfo
.text:000000000071FFCC                 LDR             X8, [X8,#0xB8]
.text:000000000071FFD0                 LDR             X20, [X8]
.text:000000000071FFD4                 CBNZ            X20, loc_71FFE0
.text:000000000071FFD8                 MOV             X0, XZR
.text:000000000071FFDC                 BL              sub_4F8DDC
.text:000000000071FFE0 ; ---------------------------------------------------------------------------
.text:000000000071FFE0
.text:000000000071FFE0 loc_71FFE0                              ; CODE XREF: uidm$$jumap+6C↑j
.text:000000000071FFE0                 LDR             X20, [X20,#0x78]
.text:000000000071FFE4                 CBNZ            X20, loc_71FFF0
.text:000000000071FFE8                 MOV             X0, XZR
.text:000000000071FFEC                 BL              sub_4F8DDC
.text:000000000071FFF0 ; ---------------------------------------------------------------------------
.text:000000000071FFF0
.text:000000000071FFF0 loc_71FFF0                              ; CODE XREF: uidm$$jumap+7C↑j
.text:000000000071FFF0                 MOV             X1, XZR
.text:000000000071FFF4                 MOV             X0, X20
.text:000000000071FFF8                 BL              UnityEngine.CharacterController$$get_isGrounded
.text:000000000071FFFC                 TBZ             W0, #0, loc_720050
.text:0000000000720000                 LDR             X8, [X21] ; UnityStandardAssets.Characters.FirstPerson.FirstPersonController_TypeInfo
.text:0000000000720004                 LDR             X8, [X8,#0xB8]
.text:0000000000720008                 LDR             X20, [X8]
.text:000000000072000C                 CBNZ            X20, loc_720018
.text:0000000000720010                 MOV             X0, XZR
.text:0000000000720014                 BL              sub_4F8DDC
.text:0000000000720018 ; ---------------------------------------------------------------------------
.text:0000000000720018
.text:0000000000720018 loc_720018                              ; CODE XREF: uidm$$jumap+A4↑j
.text:0000000000720018                 MOV             W8, #1
.text:000000000072001C                 STRB            W8, [X20,#0x58]
.text:0000000000720020                 MOV             W8, #0x41200000 ; Keypatch modified this from:
.text:0000000000720020                                         ;   LDR X20, [X19,#0xA0]
.text:0000000000720024                 STR             W8, [X20,#0x6C] ; Keypatch modified this from:
.text:0000000000720024                                         ;   LDR X19, [X19,#0xB0]
.text:0000000000720028                 NOP                     ; Keypatch modified this from:
.text:0000000000720028                                         ;   CBNZ X20, loc_720034
.text:0000000000720028                                         ; Keypatch modified this from:
.text:0000000000720028                                         ;   NOP
.text:000000000072002C                 LDR             X20, [X19,#0xA0] ; Keypatch modified this from:
.text:000000000072002C                                         ;   MOV X0, XZR
.text:0000000000720030                 LDR             X19, [X19,#0xB0] ; Keypatch modified this from:
.text:0000000000720030                                         ;   BL sub_4F8DDC
.text:0000000000720034                 MOV             X0, X20
.text:0000000000720038                 MOV             X1, X19
.text:000000000072003C                 LDP             X29, X30, [SP,#0x20+var_s0]
.text:0000000000720040                 LDP             X20, X19, [SP,#0x20+var_10]
.text:0000000000720044                 MOV             X2, XZR
.text:0000000000720048                 LDP             X22, X21, [SP+0x20+var_20],#0x30
.text:000000000072004C                 B               UnityEngine.AudioSource$$PlayOneShot
.text:0000000000720050 ; ---------------------------------------------------------------------------
.text:0000000000720050
.text:0000000000720050 loc_720050                              ; CODE XREF: uidm$$jumap+5C↑j
.text:0000000000720050                                         ; uidm$$jumap+94↑j
.text:0000000000720050                 LDP             X29, X30, [SP,#0x20+var_s0]
.text:0000000000720054                 LDP             X20, X19, [SP,#0x20+var_10]
.text:0000000000720058                 LDP             X22, X21, [SP+0x20+var_20],#0x30
.text:000000000072005C                 RET
.text:000000000072005C ; } // starts at 71FF68
.text:000000000072005C ; End of function uidm$$jumap
.text:000000000072005C 

Pointer chain to the checkbox state: [[[[libil2cpp.so+A8BDD0]+0xB8]]+0x68]+0xF8

Here [[[libil2cpp.so+A8BDD0]+0xB8]] is in fact this function's argument (the uidm object), so the rest of the chain is just the Toggle at uidm+0x68 and the Toggle's state byte at +0xF8. It was only after finishing this article that I realised the chain is not needed at all: just call the getter directly (UnityEngine.UI.Toggle$$get_isOn, exactly as uidm$$move does)...

The plan is to turn line 14 of the pseudocode into a check: if the player has ticked "fly", jump straight to line 24 of the pseudocode, bypassing both the test of the byte at +0x58 and the is-grounded test.

There is obviously not enough room at the original spot, so the exception-handling stubs get overwritten and the is-grounded test is moved into the space they free up. The "exception handling" here is the null-check sequence IL2CPP emits before a dereference (CBNZ X20, …; MOV X0, XZR; BL sub_4F8DDC, which throws a managed NullReferenceException). Removing a stub means that if that pointer is ever null the game dies with a native SIGSEGV at the following LDR instead of a catchable exception; as long as the FirstPersonController instance and its CharacterController exist whenever the jump button is pressed that is an acceptable trade, but it is worth knowing before you wonder why a crash produces no Unity stack trace.

https://cdn.jsdelivr.net/gh/xinqinew/pic@main/img/1e2abd6ae9c0f1b51d56fe1660ee4b567809ea08.png@585w_95h_progressive.png

First the exception-handling stubs are NOPed out; to be safe, only six instructions are NOPed in total.

https://cdn.jsdelivr.net/gh/xinqinew/pic@main/img/32ca8cf23b5369b8ce8c138da5d6a689ee94752c.png@942w_341h_progressive.png

After the move, the region shown above becomes:

.text:000000000071FFBC                 NOP                     ; Keypatch modified this from:
.text:000000000071FFBC                                         ;   BL sub_4F8DDC
.text:000000000071FFC0                 NOP                     ; Keypatch filled range [0x71FFC0:0x71FFD3] (20 bytes), replaced:
.text:000000000071FFC0                                         ;   LDRB W8, [X20,#0x58]
.text:000000000071FFC0                                         ;   CBNZ W8, loc_720050
.text:000000000071FFC0                                         ;   LDR X8, [X21]
.text:000000000071FFC0                                         ;   LDR X8, [X8,#0xB8]
.text:000000000071FFC0                                         ;   LDR X20, [X8]
.text:000000000071FFC4                 NOP
.text:000000000071FFC8                 NOP
.text:000000000071FFCC                 NOP
.text:000000000071FFD0                 NOP
.text:000000000071FFD4                 NOP                     ; Keypatch filled range [0x71FFD4:0x71FFDF] (12 bytes), replaced:
.text:000000000071FFD4                                         ;   CBNZ X20, loc_71FFE0
.text:000000000071FFD4                                         ;   MOV X0, XZR
.text:000000000071FFD4                                         ;   BL sub_4F8DDC
.text:000000000071FFD8                 LDRB            W8, [X20,#0x58] ; Keypatch modified this from:
.text:000000000071FFD8                                         ;   NOP
.text:000000000071FFDC                 CBNZ            W8, loc_720050 ; Keypatch modified this from:
.text:000000000071FFDC                                         ;   NOP
.text:000000000071FFE0                 LDR             X8, [X21] ; Keypatch modified this from:
.text:000000000071FFE0                                         ;   LDR X20, [X20,#0x78]
.text:000000000071FFE4                 LDR             X8, [X8,#0xB8] ; Keypatch filled range [0x71FFE4:0x71FFEF] (12 bytes), replaced:
.text:000000000071FFE4                                         ;   CBNZ X20, loc_71FFF0
.text:000000000071FFE4                                         ;   MOV X0, XZR
.text:000000000071FFE4                                         ;   BL sub_4F8DDC
.text:000000000071FFE4                                         ; Keypatch modified this from:
.text:000000000071FFE4                                         ;   NOP
.text:000000000071FFE8                 LDR             X20, [X8] ; Keypatch modified this from:
.text:000000000071FFE8                                         ;   NOP
.text:000000000071FFEC                 LDR             X20, [X20,#0x78] ; Keypatch modified this from:
.text:000000000071FFEC                                         ;   NOP
.text:000000000071FFF0                 MOV             X1, XZR
.text:000000000071FFF4                 MOV             X0, X20
.text:000000000071FFF8                 BL              UnityEngine.CharacterController$$get_isGrounded
.text:000000000071FFFC                 TBZ             W0, #0, loc_720050

Writing can start from 71FFB4, because that location holds the instructions written in the previous article. That leaves nine instruction slots (71FFB4 through 71FFD4) to fill freely.

At this point X19 holds the first argument: the uidm `this` pointer, copied from X0 at 71FF80 and untouched since (X19 is callee-saved, so the calls in between do not disturb it).

https://cdn.jsdelivr.net/gh/xinqinew/pic@main/img/a9512e764f6c74f8ef64539381039e94fdfc3996.png@942w_395h_progressive.png

Hand-assembling is out of the question, so copy the instruction sequence from the uidm$$move function instead:

https://cdn.jsdelivr.net/gh/xinqinew/pic@main/img/c12ff6dc1cd97975f21e69dafe5d4f427554e2ab.png@942w_353h_progressive-20220206102734805.png

.text:000000000071F120                 LDR             X20, [X19,#0x68]
.text:000000000071F124                 CBNZ            X20, loc_71F130
.text:000000000071F128                 MOV             X0, XZR
.text:000000000071F12C                 BL              sub_4F8DDC
.text:000000000071F130 ; ---------------------------------------------------------------------------
.text:000000000071F130
.text:000000000071F130 loc_71F130                              ; CODE XREF: uidm$$move+78↑j
.text:000000000071F130                 MOV             X1, XZR
.text:000000000071F134                 MOV             X0, X20
.text:000000000071F138                 BL              UnityEngine.UI.Toggle$$get_isOn
.text:000000000071F13C                 TBZ             W0, #0, loc_71F1D0

X20 should be swapped for another register so that nothing else is disturbed; here X10 is used. X20 still holds the FirstPersonController instance loaded at 71FFB0 and is read again by the LDRB at 71FFD8, so it has to survive, and it does because X20 is callee-saved across the BL. X10 is a caller-saved scratch register that the call may clobber, but its value is no longer needed once it has been copied into X0, so that is harmless:

.text:000000000071FFB4                 LDR             X10, [X19,#0x68] ; Keypatch modified this from:
.text:000000000071FFB4                                         ;   CBNZ X20, loc_71FFC0
.text:000000000071FFB4                                         ; Keypatch modified this from:
.text:000000000071FFB4                                         ;   MOV W8, #0x41200000
.text:000000000071FFB8                 MOV             X1, XZR ; Keypatch modified this from:
.text:000000000071FFB8                                         ;   MOV X0, XZR
.text:000000000071FFB8                                         ; Keypatch modified this from:
.text:000000000071FFB8                                         ;   STR W8, [X20,#0x6C]
.text:000000000071FFBC                 MOV             X0, X10 ; Keypatch modified this from:
.text:000000000071FFBC                                         ;   BL sub_4F8DDC
.text:000000000071FFBC                                         ; Keypatch modified this from:
.text:000000000071FFBC                                         ;   NOP
.text:000000000071FFC0                 BL              UnityEngine.UI.Toggle$$get_isOn ; Keypatch filled range [0x71FFC0:0x71FFD3] (20 bytes), replaced:
.text:000000000071FFC0                                         ;   LDRB W8, [X20,#0x58]
.text:000000000071FFC0                                         ;   CBNZ W8, loc_720050
.text:000000000071FFC0                                         ;   LDR X8, [X21]
.text:000000000071FFC0                                         ;   LDR X8, [X8,#0xB8]
.text:000000000071FFC0                                         ;   LDR X20, [X8]
.text:000000000071FFC0                                         ; Keypatch modified this from:
.text:000000000071FFC0                                         ;   NOP
.text:000000000071FFC4                 TBNZ            W0, #0, loc_720000 ; Keypatch modified this from:
.text:000000000071FFC4                                         ;   NOP
.text:000000000071FFC8                 NOP
.text:000000000071FFCC                 NOP
.text:000000000071FFD0                 NOP
.text:000000000071FFD4                 NOP                     ; Keypatch filled range [0x71FFD4:0x71FFDF] (12 bytes), replaced:
.text:000000000071FFD4                                         ;   CBNZ X20, loc_71FFE0
.text:000000000071FFD4                                         ;   MOV X0, XZR
.text:000000000071FFD4                                         ;   BL sub_4F8DDC
.text:000000000071FFD8                 LDRB            W8, [X20,#0x58] ; Keypatch modified this from:
.text:000000000071FFD8                                         ;   NOP
.text:000000000071FFDC                 CBNZ            W8, loc_720050 ; Keypatch modified this from:
.text:000000000071FFDC                                         ;   NOP
.text:000000000071FFE0                 LDR             X8, [X21] ; Keypatch modified this from:
.text:000000000071FFE0                                         ;   LDR X20, [X20,#0x78]
.text:000000000071FFE4                 LDR             X8, [X8,#0xB8] ; Keypatch filled range [0x71FFE4:0x71FFEF] (12 bytes), replaced:
.text:000000000071FFE4                                         ;   CBNZ X20, loc_71FFF0
.text:000000000071FFE4                                         ;   MOV X0, XZR
.text:000000000071FFE4                                         ;   BL sub_4F8DDC
.text:000000000071FFE4                                         ; Keypatch modified this from:
.text:000000000071FFE4                                         ;   NOP
.text:000000000071FFE8                 LDR             X20, [X8] ; Keypatch modified this from:
.text:000000000071FFE8                                         ;   NOP
.text:000000000071FFEC                 LDR             X20, [X20,#0x78] ; Keypatch modified this from:
.text:000000000071FFEC                                         ;   NOP
.text:000000000071FFF0                 MOV             X1, XZR
.text:000000000071FFF4                 MOV             X0, X20
.text:000000000071FFF8                 BL              UnityEngine.CharacterController$$get_isGrounded
.text:000000000071FFFC                 TBZ             W0, #0, loc_720050

https://i0.hdslb.com/bfs/article/d9d1aca3ec2a87d8ca348830a5f31b1651e32285.png@942w_387h_progressive.png

Tested, and the fix works! With the box ticked you can multi-jump and fly; with it unticked you cannot.
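Relocating code is where hand patches usually break: every TBNZ, TBZ, CBNZ and BL encodes an offset from its own address, so an instruction that is moved by even one slot needs a different word. The following Python script is an added example, not the article's own code. It re-encodes the 36 instructions of the final listing above (71FFB0 through 72003C) with the A64 encodings for the instruction forms involved, computing each branch offset from the instruction's address, and reports the first word that differs from the byte dump the article gives for offset 71FFB0. The two Unity getter addresses (TOGGLE_GET_ISON, CC_GET_ISGROUNDED) are not printed on the page; they are recovered by decoding the two BL words of that dump and are assumptions to that extent.

```python
"""Re-encode the patched uidm$$jumap region 71FFB0..72003C and diff it against
the article's byte dump.  Added example, not the article's own code."""
import struct

SP = XZR = 31                   # register number 31: SP in addressing, XZR elsewhere
NOP = 0xD503201F
BASE = 0x71FFB0                 # first word of the dump: LDR X20,[X8]
LOC_720000, LOC_720018, LOC_720050 = 0x720000, 0x720018, 0x720050
SUB_4F8DDC = 0x4F8DDC           # IL2CPP null-reference throw helper (named in the listing)
# Not printed on the page: recovered by decoding the two BL words of the dump (assumption).
TOGGLE_GET_ISON = 0x4938E8      # UnityEngine.UI.Toggle$$get_isOn
CC_GET_ISGROUNDED = 0x753B8C    # UnityEngine.CharacterController$$get_isGrounded

# A64 encoders for the instruction forms the patch uses.  Branch encoders take the
# address of the instruction itself, which is exactly what changes when code is moved.
def ldr_x(rt, rn, imm):   return 0xF9400000 | ((imm // 8) << 10) | (rn << 5) | rt   # LDR Xt,[Xn,#imm]
def ldrb_w(rt, rn, imm):  return 0x39400000 | (imm << 10) | (rn << 5) | rt          # LDRB Wt,[Xn,#imm]
def strb_w(rt, rn, imm):  return 0x39000000 | (imm << 10) | (rn << 5) | rt          # STRB Wt,[Xn,#imm]
def str_w(rt, rn, imm):   return 0xB9000000 | ((imm // 4) << 10) | (rn << 5) | rt   # STR Wt,[Xn,#imm]
def ldp_x(rt, rt2, rn, imm):                                                        # LDP Xt,Xt2,[Xn,#imm]
    return 0xA9400000 | (((imm // 8) & 0x7F) << 15) | (rt2 << 10) | (rn << 5) | rt
def mov_x(rd, rm):        return 0xAA0003E0 | (rm << 16) | rd                       # MOV Xd,Xm (ORR Xd,XZR,Xm)
def movz_w(rd, imm16, shift):                                                       # MOVZ Wd,#imm16,LSL #shift
    return 0x52800000 | ((shift // 16) << 21) | (imm16 << 5) | rd
def orr_w_imm(rd, rn, n, immr, imms):                                               # ORR Wd,Wn,#bitmask
    return 0x32000000 | (n << 22) | (immr << 16) | (imms << 10) | (rn << 5) | rd
def bl(pc, target):       return 0x94000000 | (((target - pc) >> 2) & 0x3FFFFFF)    # BL, 26-bit word offset
def cbnz(rt, pc, target, sf):                                                       # CBNZ Wt (sf=0) / Xt (sf=1)
    return 0x35000000 | (sf << 31) | ((((target - pc) >> 2) & 0x7FFFF) << 5) | rt
def tb(rt, bit, pc, target, nz):                                                    # TBZ (nz=0) / TBNZ (nz=1)
    return 0x36000000 | (nz << 24) | (bit << 19) | ((((target - pc) >> 2) & 0x3FFF) << 5) | rt

class Asm:
    def __init__(self, base): self.base, self.words = base, []
    @property
    def pc(self): return self.base + 4 * len(self.words)   # address of the next word emitted
    def emit(self, word): self.words.append(word & 0xFFFFFFFF)
    def to_bytes(self): return b"".join(struct.pack("<I", w) for w in self.words)

def build_jumap_patch():
    """Final state of 71FFB0..72003C, instruction by instruction as in the listing."""
    a = Asm(BASE); e = a.emit
    e(ldr_x(20, 8, 0))                          # 71FFB0  X20 = FirstPersonController instance
    e(ldr_x(10, 19, 0x68))                      # 71FFB4  X10 = uidm.toggle (X19 = this)
    e(mov_x(1, XZR)); e(mov_x(0, 10))           # 71FFB8  MethodInfo* = NULL, X0 = toggle
    e(bl(a.pc, TOGGLE_GET_ISON))                # 71FFC0  W0 = toggle.isOn
    e(tb(0, 0, a.pc, LOC_720000, nz=1))         # 71FFC4  ticked -> skip both checks
    for _ in range(4): e(NOP)                   # 71FFC8..71FFD4
    e(ldrb_w(8, 20, 0x58))                      # 71FFD8  the +0x58 flag
    e(cbnz(8, a.pc, LOC_720050, sf=0))          # 71FFDC  flag set -> return
    e(ldr_x(8, 21, 0)); e(ldr_x(8, 8, 0xB8)); e(ldr_x(20, 8, 0))   # 71FFE0..71FFE8 reload instance
    e(ldr_x(20, 20, 0x78))                      # 71FFEC  X20 = CharacterController (null stub removed)
    e(mov_x(1, XZR)); e(mov_x(0, 20))           # 71FFF0..71FFF4
    e(bl(a.pc, CC_GET_ISGROUNDED))              # 71FFF8
    e(tb(0, 0, a.pc, LOC_720050, nz=0))         # 71FFFC  not grounded -> return
    e(ldr_x(8, 21, 0)); e(ldr_x(8, 8, 0xB8)); e(ldr_x(20, 8, 0))   # 720000..720008 (TBNZ target)
    e(cbnz(20, a.pc, LOC_720018, sf=1))         # 72000C  null stub kept here
    e(mov_x(0, XZR)); e(bl(a.pc, SUB_4F8DDC))   # 720010..720014
    e(orr_w_imm(8, XZR, 0, 0, 0))               # 720018  MOV W8,#1 as the compiler spells it
    e(strb_w(8, 20, 0x58))                      # 72001C  flag = 1
    e(movz_w(8, 0x4120, 16))                    # 720020  W8 = 0x41200000 (10.0f), from the previous part
    e(str_w(8, 20, 0x6C))                       # 720024  instance+0x6C = 10.0f
    e(NOP)                                      # 720028
    e(ldr_x(20, 19, 0xA0)); e(ldr_x(19, 19, 0xB0))   # 72002C..720030 AudioSource / clip for PlayOneShot
    e(mov_x(0, 20)); e(mov_x(1, 19))            # 720034..720038
    e(ldp_x(29, 30, SP, 0x20))                  # 72003C  last word of the dump
    return a.to_bytes()

ARTICLE_HEX = (  # the dump the article gives for offset 71FFB0
    "14 01 40 F9 6A 36 40 F9 E1 03 1F AA E0 03 0A AA 4A CE F5 97 E0 01 00 37 "
    "1F 20 03 D5 1F 20 03 D5 1F 20 03 D5 1F 20 03 D5 88 62 41 39 A8 03 00 35 "
    "A8 02 40 F9 08 5D 40 F9 14 01 40 F9 94 3E 40 F9 E1 03 1F AA E0 03 14 AA "
    "E5 CE 00 94 A0 02 00 36 A8 02 40 F9 08 5D 40 F9 14 01 40 F9 74 00 00 B5 "
    "E0 03 1F AA 72 63 F7 97 E8 03 00 32 88 62 01 39 08 24 A8 52 88 6E 00 B9 "
    "1F 20 03 D5 74 52 40 F9 73 5A 40 F9 E0 03 14 AA E1 03 13 AA FD 7B 42 A9")

def first_mismatch():
    """Address of the first word that differs from the dump, or None if identical."""
    ours, ref = build_jumap_patch(), bytes.fromhex(ARTICLE_HEX)
    for i in range(0, max(len(ours), len(ref)), 4):
        if ours[i:i + 4] != ref[i:i + 4]:
            return BASE + i
    return None

if __name__ == "__main__":
    bad = first_mismatch()
    print("matches the article" if bad is None else f"first difference at 0x{bad:X}")
```

Run as-is it reports a byte-for-byte match. The point of keeping it around is the negative case: shift any instruction in build_jumap_patch by one slot and first_mismatch() names the address whose offset went stale, which is the error Keypatch will happily let you write.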

Any hex editor on libil2cpp.so, or CE (Cheat Engine) patching the bytes in memory, lets you try it out. The dump is 144 bytes covering 71FFB0 through 72003C; its first word, 14 01 40 F9, is the unchanged LDR X20,[X8], so seeing it at the offset is the sign you are at the right spot:

libil2cpp.so, file offset 71FFB0:

14 01 40 F9 6A 36 40 F9 E1 03 1F AA E0 03 0A AA 4A CE F5 97 E0 01 00 37 1F 20 03 D5 1F 20 03 D5 1F 20 03 D5 1F 20 03 D5 88 62 41 39 A8 03 00 35 A8 02 40 F9 08 5D 40 F9 14 01 40 F9 94 3E 40 F9 E1 03 1F AA E0 03 14 AA E5 CE 00 94 A0 02 00 36 A8 02 40 F9 08 5D 40 F9 14 01 40 F9 74 00 00 B5 E0 03 1F AA 72 63 F7 97 E8 03 00 32 88 62 01 39 08 24 A8 52 88 6E 00 B9 1F 20 03 D5 74 52 40 F9 73 5A 40 F9 E0 03 14 AA E1 03 13 AA FD 7B 42 A9
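The article writes the dump at file offset 71FFB0, the same number as the IDA address. That works when the library's first PT_LOAD maps file offset 0 at virtual address 0, which is the usual layout for an Android .so, but it is an assumption rather than a rule. The following Python script is an added example (not the article's own code) that makes the mapping explicit by reading the ELF program headers, refuses to write unless the unchanged first word is where it expects, refuses to re-apply a patch that is already there, and keeps a .bak copy. The one-segment ELF it builds for itself is a constructed test image, not a real libil2cpp.so, and the path argument is assumed to be the arm64-v8a build the article patched.

```python
"""Apply the article's 144-byte patch to libil2cpp.so by virtual address.
Added example, not the article's own code: it maps the address to a file
offset through the PT_LOAD headers instead of assuming offset == address."""
import shutil
import struct
import sys

PATCH_VADDR = 0x71FFB0
PATCH = bytes.fromhex(            # final bytes of 71FFB0..72003C, from the article
    "14 01 40 F9 6A 36 40 F9 E1 03 1F AA E0 03 0A AA 4A CE F5 97 E0 01 00 37 "
    "1F 20 03 D5 1F 20 03 D5 1F 20 03 D5 1F 20 03 D5 88 62 41 39 A8 03 00 35 "
    "A8 02 40 F9 08 5D 40 F9 14 01 40 F9 94 3E 40 F9 E1 03 1F AA E0 03 14 AA "
    "E5 CE 00 94 A0 02 00 36 A8 02 40 F9 08 5D 40 F9 14 01 40 F9 74 00 00 B5 "
    "E0 03 1F AA 72 63 F7 97 E8 03 00 32 88 62 01 39 08 24 A8 52 88 6E 00 B9 "
    "1F 20 03 D5 74 52 40 F9 73 5A 40 F9 E0 03 14 AA E1 03 13 AA FD 7B 42 A9")
# The first word, LDR X20,[X8], is untouched by either round of patching, so it
# is the marker that we are at the right spot in the right build.
EXPECT_PREFIX = PATCH[:4]
PT_LOAD = 1

def load_segments(elf):
    """(vaddr, file offset, filesz) of every PT_LOAD in a little-endian ELF64."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    segs = []
    for i in range(e_phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            "<IIQQQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segs.append((p_vaddr, p_offset, p_filesz))
    return segs

def vaddr_to_offset(elf, vaddr):
    """File offset backing `vaddr`, or ValueError if no PT_LOAD covers it on disk."""
    for p_vaddr, p_offset, p_filesz in load_segments(elf):
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError(f"0x{vaddr:X} is not file-backed by any PT_LOAD segment")

def apply_patch(elf, vaddr, expect, new):
    """Return a patched copy; refuse if the bytes at vaddr are not what we expect."""
    off = vaddr_to_offset(elf, vaddr)
    if vaddr_to_offset(elf, vaddr + len(new) - 1) - off != len(new) - 1:
        raise ValueError("patch range crosses a segment boundary")
    if elf[off:off + len(expect)] != expect:
        raise ValueError(f"unexpected bytes at 0x{vaddr:X} (file 0x{off:X}): wrong build?")
    if elf[off:off + len(new)] == new:
        raise ValueError(f"0x{vaddr:X} already carries this patch")
    return elf[:off] + new + elf[off + len(new):]

def make_fake_elf(text, vaddr, offset):
    """Constructed ELF64 image with one PT_LOAD placing `text` at `vaddr` / file `offset`.
    Only for exercising the mapping offline; it is not a real libil2cpp.so."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)            # ELF64, LE, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               3, 0xB7, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)  # ET_DYN, AArch64
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, offset, vaddr, vaddr,
                       len(text), len(text), 0x1000)
    return ehdr + phdr + bytes(offset - len(ehdr) - len(phdr)) + text

if __name__ == "__main__":
    src = sys.argv[1]                          # path to the arm64-v8a libil2cpp.so (assumption)
    shutil.copyfile(src, src + ".bak")
    with open(src, "rb") as f:
        data = f.read()
    patched = apply_patch(data, PATCH_VADDR, EXPECT_PREFIX, PATCH)
    with open(src, "wb") as f:
        f.write(patched)
    print(f"wrote {len(PATCH)} bytes at file offset 0x{vaddr_to_offset(data, PATCH_VADDR):X}")
```

Usage: python patch_jumap.py path/to/libil2cpp.so. Two practical notes: a library modified on disk has to go back into a re-signed APK (or be installed through a route that tolerates the changed signature), which is why the in-memory CE route is quicker for a test; and if the script reports a segment-boundary or unexpected-bytes error, the build differs from the one the article analysed and the addresses need to be re-derived rather than forced.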

That is the whole idea. Tomorrow (7 February) I will write the last article of the fly-fix series: fixing the black bars on waterdrop-notch screens. (It is very simple, so do not expect too much~)

Once the 《最后战役X》 fly-fix series is finished, tutorial articles will pause, because in a few months I need to look for an internship, so my time will mostly go into learning Android development.

I will keep posting videos, but for a while they will mainly be gaming entertainment videos (much simpler to make than tutorials), two per week. My finances are not great at the moment; two videos a week earn at least 1.5 贝壳 in creator rewards if the two videos collect 20 likes between them, so if you have a spare moment a like would be much appreciated, many thanks~

Author: 赶码人 https://www.bilibili.com/read/cv15134206?spm_id_from=333.999.0.0 Source: bilibili