How to "Xiami" as a VIP User (for Mac)

This post serves as an app hacking example only.

Xiami (虾米) is a Chinese music sharing platform on which you can listen to music for free (streaming only, not downloading). If you open www.xiami.com, it detects your visiting IP address and the region it belongs to. Here is a screenshot of the message:

[Screenshot: the "Xiami Not Available" message]

I like Xiami since it provides high quality music. The catch is that if you are a VIP user, i.e. a paid user, the message above is skipped. A small modification to the app bypasses the VIP check, so as long as you are a registered user, the app recognizes you as a VIP.

What you need

  • Notice this is for Mac only... (well, Windows users face a more complicated scenario)
  • The Xiami app, of course
    • My demo version is xiami-1.3.4-1840
  • 0xED: a very good hex editor

Steps

There aren't many steps.

  1. Right click Xiami.app and select "Show Package Contents"
  2. Open up Contents > MacOS, and you'll see the binary file "Xiami"
  3. Drag that into 0xED (or use 0xED to directly open it)
  4. Locate position 0x10, and you shall see:
    29 00 00 00 D8 17 00 00

    Change them to:

    28 00 00 00 C8 17 00 00
  5. Locate position 0x925B, and you shall see:
    8B 05 27 09 20 00 0F BE 04 07

    Change them to:

    31 C0 48 FF C0 90 90 90 90 90
  6. That is it! Just save and reopen the app. After you log in, it should recognize you as a VIP!

Behind the trick

Sidenote: It is very interesting that they separate the functionality of online verification and content delivering so we can do this trick.

If you open the binary in Hopper Disassembler (HD), you will see what was replaced. Xiami verifies whether you are a VIP user with a method named "isVIP." The following is the assembly as decoded by HD:

push  rbp
mov   rbp, rsp
mov   rax, qword [ds:objc_ivar_offset_XMUser__isVIP]   ; rax = offset of the isVIP ivar inside XMUser
movsx eax, byte [ds:rdi+rax]                          ; rdi = self; load the stored BOOL as the return value
pop   rbp
ret

This reads the isVIP flag stored in the user object (rdi holds self, rax the ivar offset) and returns it in eax. The patch makes the function always return 1, i.e. "is VIP", regardless of what is stored. Therefore, simply change the function to:

push  rbp
mov   rbp, rsp
xor   rax, rax   ; rax = 0
inc   rax        ; rax = 1, the "VIP" answer
nop              ; five nops pad the patch to the original 10 bytes
nop
nop
nop
nop
pop   rbp
ret

Yep, nop encodes as 90, which is where the run of 90 bytes in step 5 comes from.
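Step 4 is not explained above: offsets 0x10 and 0x14 of a Mach-O header hold ncmds and sizeofcmds, so 29 -> 28 and 17D8 -> 17C8 tell the loader to stop one load command (16 bytes) short, and LC_CODE_SIGNATURE happens to be exactly 16 bytes, though the post does not say which command is dropped. The following Python script is an added example, not from the post, that walks the advertised load commands of a constructed 64-bit Mach-O and flags the orphaned command such a header edit leaves behind; the constants and sample layout are assumptions, not taken from the Xiami binary.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF      # 64-bit little-endian Mach-O magic
LC_SEGMENT_64 = 0x19
LC_CODE_SIGNATURE = 0x1D      # linkedit_data_command, 16 bytes in total
HEADER64_LEN = 32             # mach_header_64; ncmds at 0x10, sizeofcmds at 0x14


def build_macho(ncmds, sizeofcmds, cmds):
    """Constructed sample: a mach_header_64 followed by (cmd, payload) load commands."""
    hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x01000007, 3, 2, ncmds, sizeofcmds, 0, 0)
    body = b"".join(struct.pack("<II", cmd, 8 + len(p)) + p for cmd, p in cmds)
    return hdr + body


def audit_load_commands(data):
    """Walk the load commands the header advertises and report what the bytes say."""
    magic = struct.unpack_from("<I", data, 0)[0]
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 0x10)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    off, seen = HEADER64_LEN, []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        seen.append(cmd)
        off += cmdsize
    report = {
        "ncmds": ncmds,
        "size_mismatch": off - HEADER64_LEN != sizeofcmds,
        "has_code_signature": LC_CODE_SIGNATURE in seen,
        "orphan_cmd": None,
    }
    # Heuristic: a plausible load command right after the counted ones, in space the
    # header no longer claims, is the fingerprint of an ncmds/sizeofcmds decrement.
    if off + 8 <= len(data):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd != 0 and cmdsize >= 8 and off + cmdsize <= len(data):
            report["orphan_cmd"] = cmd
    return report


# Constructed samples: one segment command plus a 16-byte code-signature command.
CMDS = [(LC_SEGMENT_64, bytes(64)), (LC_CODE_SIGNATURE, struct.pack("<II", 0x4000, 0x200))]
INTACT = build_macho(2, 72 + 16, CMDS)
# Same bytes, but the header is told to stop one command (16 bytes) early, as in step 4.
PATCHED = build_macho(1, 72, CMDS)

if __name__ == "__main__":
    for label, blob in (("intact", INTACT), ("patched", PATCHED)):
        print(label, audit_load_commands(blob))
```

On a real file, pass the result of open(path, "rb").read() to audit_load_commands; a fat (multi-architecture) binary needs the x86_64 slice extracted first.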
