sl4v/get-gacha.js

## get-gacha.js

{
    onEnter: function (log, args, state) {
        log("get_gacha(" + args[0].toInt32() + "," + args[1].toInt32() + "," + args[2].toInt32() + "," + ")");
        this.args1 = args[1];
        this.args2 = args[2];

        var myfunc = new NativeFunction(Module.findExportByName('libnative-lib.so', 'get_gacha'), 'uint32', ['uint32', 'pointer', 'pointer']);
        log('-----');
        a1 = Memory.alloc(4);
        a2 = Memory.alloc(4);


        var i = 0;
        var flag = [];
        var pos = 0;
        var char = '';
        for (i = 0; i < 300; i++) {
            flag[i]="?";
        }
        for (i = 0; i < 300; i++) {
            myfunc(0xffffff, a1, a2);
            pos = Memory.readUInt(a1);
            char = String.fromCharCode(Memory.readUInt(a2));
            log('pos: ' + pos + ' char: ' + char);
            flag[pos]=char;
        }

        log(flag.join());
        log('-----');
    },

    onLeave: function (log, retval, state) {
        log('onLeave');
        log(hexdump(this.args1, { length: 1 }));
        log(hexdump(this.args2, { length: 1 }));
    }
}

	{
	onEnter: function (log, args, state) {
	log("get_gacha(" + args[0].toInt32() + "," + args[1].toInt32() + "," + args[2].toInt32() + "," + ")");
	this.args1 = args[1];
	this.args2 = args[2];

	var myfunc = new NativeFunction(Module.findExportByName('libnative-lib.so', 'get_gacha'), 'uint32', ['uint32', 'pointer', 'pointer']);
	log('-----');
	a1 = Memory.alloc(4);
	a2 = Memory.alloc(4);


	var i = 0;
	var flag = [];
	var pos = 0;
	var char = '';
	for (i = 0; i < 300; i++) {
	flag[i]="?";
	}
	for (i = 0; i < 300; i++) {
	myfunc(0xffffff, a1, a2);
	pos = Memory.readUInt(a1);
	char = String.fromCharCode(Memory.readUInt(a2));
	log('pos: ' + pos + ' char: ' + char);
	flag[pos]=char;
	}

	log(flag.join());
	log('-----');
	},

	onLeave: function (log, retval, state) {
	log('onLeave');
	log(hexdump(this.args1, { length: 1 }));
	log(hexdump(this.args2, { length: 1 }));
	}
	}