This post serves as an app hacking example only.
Xiami (虾米) is a Chinese music sharing platform where you can listen to music for free (but not download it). If you open www.xiami.com, it detects your IP address and where it belongs. Here is a screenshot of the message:
[Screenshot: the message shown by xiami.com]
I like Xiami since it provides high quality music. The tricky thing here is that if you are a VIP user, i.e. a paid user, the above message is skipped. Well, a small modification to the app can bypass the VIP check. After that, as long as you are a registered user, the app will recognize you as a VIP.
What you need
- Note that this is for Mac only (well, Windows users have a more complicated scenario)
- The Xiami app, of course
- My demo version is xiami-1.3.4-1840
- 0xED: a very good hex editor
Steps
There aren't many steps.
- Right click Xiami.app, select "Show Package Contents"
- Open up Contents > MacOS, and you'll see the binary file "Xiami"
- Drag that into 0xED (or use 0xED to directly open it)
- Locate position 0x10, and you shall see:
      29 00 00 00 D8 17 00 00
  Change them to:
      28 00 00 00 C8 17 00 00
- Locate position 0x925B, and you shall see:
      8B 05 27 09 20 00 0F BE 04 07
  Change them to:
      31 C0 48 FF C0 90 90 90 90 90
- That is it! Just save and reopen the app. After you log in, it will recognize you as VIP!
Behind the trick
Sidenote: It is very interesting that they separate the functionality of online verification and content delivery, which is why this trick works.
If you can find the app named Hopper Disassembler (HD), you will understand what I was replacing. Basically, Xiami verifies whether you are a VIP user or not with a function named "isVIP". The following is the assembly decoded by HD:
    push rbp
    mov rbp, rsp
    mov rax, qword [ds:objc_ivar_offset_XMUser__isVIP]
    movsx eax, byte [ds:rdi+rax]
    pop rbp
    ret
What it says is: read the isVIP field of your user object and return it in rax, telling the caller whether you are a VIP. What we do is make sure rax is always 1, indicating you are a VIP whether you are one or not. Therefore, simply change the function to:
    push rbp
    mov rbp, rsp
    xor rax, rax
    inc rax
    nop
    nop
    nop
    nop
    nop
    pop rbp
    ret
Yep, nop is 90.
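The sidenote's point seen from the server side, as an added example (not code from Xiami or from this post): when content delivery checks a server-signed entitlement, a client whose isVIP has been forced to 1 gains nothing. The account table, key, token format and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample data: the server's own record of who has paid.
ACCOUNTS = {"alice": {"vip": True}, "bob": {"vip": False}}
SERVER_KEY = b"constructed-demo-key"  # placeholder; a real key lives in a secret store
TOKEN_TTL = 300  # seconds a stream token stays valid


def _sign(user, track_id, tier, expires):
    # MAC over every field the delivery side relies on.
    msg = f"{user}|{track_id}|{tier}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_stream_token(user, track_id, client_claims_vip, now=None):
    """Verification side: decide the tier from server records only.

    client_claims_vip is what the app reports (the value a patched isVIP
    would force to True). It is accepted as input but never trusted.
    """
    now = int(time.time()) if now is None else now
    account = ACCOUNTS.get(user)
    if account is None:
        raise PermissionError("unknown user")
    tier = "vip" if account["vip"] else "free"
    expires = now + TOKEN_TTL
    return {"user": user, "track": track_id, "tier": tier,
            "expires": expires, "sig": _sign(user, track_id, tier, expires)}


def deliver(token, requested_tier, now=None):
    """Delivery side: re-check the signed tier before serving content."""
    now = int(time.time()) if now is None else now
    expected = _sign(token["user"], token["track"], token["tier"], token["expires"])
    if not hmac.compare_digest(expected, token.get("sig", "")):
        raise PermissionError("token signature mismatch")
    if now > token["expires"]:
        raise PermissionError("token expired")
    if requested_tier == "vip" and token["tier"] != "vip":
        raise PermissionError("VIP content requires a VIP entitlement")
    return f"stream:{token['track']}:{requested_tier}"
```

Because the tier is covered by the MAC, editing it in a captured token fails the signature check on the delivery side.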
Can you please tell us about the Windows version of this hack? Thank you very much
Oh wow this was a while ago when I wrote the tut.. The hack I said works on MacOS only. I have not played with Xiami for a long long time..