从9.18开始,羊了个羊不再使用明文传输地图信息,改为32位字符串
破解通关方法见:羊了个羊快速通关(已解决名片不显示问题 9.20) https://www.52pojie.cn/thread-1688911-1-1.html
在上一篇帖子中,发现9.18和9.20两版本中,80001
地图的字符串均为32位的046ef1bab26e5b9bfe2473ded237b572
因此猜测这是某些固定内容的md5
要搞清楚原来的内容,先得知道这是用来做什么的
尝试修改第二个字符串为00000000000000000000000000000000
则响应结构为:(注:map_seed值不影响游戏开始,但影响卡牌种类和个数)
{"err_code":0,"err_msg":"","data":{"map_md5":["046ef1bab26e5b9bfe2473ded237b572","00000000000000000000000000000000"],"map_seed":[0,0,0,0]}}
开始游戏,无法正常进行,Charles中出现新的get请求404:
这是之前没见过的,也有可能只在第一次运行时加载了一次
新的请求为:
https://cat-match-static.easygame2021.com/maps/00000000000000000000000000000000.txt
map_md5
中的字符串成为了新的参数
到这里可以确定游戏将地图信息放在了一个txt
文件里
浏览器打开网址:https://cat-match-static.easygame2021.com/maps/046ef1bab26e5b9bfe2473ded237b572.txt
尝试获取第一关信息:
{"levelKey":80001,"levelData":{"1":[{"id":"1-16-16","type":0,"rolNum":16,"rowNum":16,"layerNum":1,"moldType":1,"blockNode":null},{"id":"1-28-16","type":0,"rolNum":28,"rowNum":16,"layerNum":1,"moldType":1,"blockNode":null},{"id":"1-40-16","type":0,"rolNum":40,"rowNum":16,"layerNum":1,"moldType":1,"blockNode":null},{"id":"1-16-32","type":0,"rolNum":16,"rowNum":32,"layerNum":1,"moldType":1,"blockNode":null},{"id":"1-28-32","type":0,"rolNum":28,"rowNum":32,"layerNum":1,"moldType":1,"blockNode":null},{"id":"1-40-32","type":0,"rolNum":40,"rowNum":32,"layerNum":1,"moldType":1,"blockNode":null},{"id":"1-16-48","type":0,"rolNum":16,"rowNum":48,"layerNum":1,"moldType":2,"blockNode":null},{"id":"1-28-48","type":0,"rolNum":28,"rowNum":48,"layerNum":1,"moldType":2,"blockNode":null},{"id":"1-40-48","type":0,"rolNum":40,"rowNum":48,"layerNum":1,"moldType":2,"blockNode":null}],"2":[{"id":"2-16-36","type":0,"rolNum":16,"rowNum":36,"layerNum":2,"moldType":1,"blockNode":null},{"id":"2-28-36","type":0,"rolNum":28,"rowNum":36,"layerNum":2,"moldType":1,"blockNode":null},{"id":"2-40-36","type":0,"rolNum":40,"rowNum":36,"layerNum":2,"moldType":1,"blockNode":null},{"id":"2-16-20","type":1,"rolNum":16,"rowNum":20,"layerNum":2,"moldType":1,"blockNode":null},{"id":"2-28-20","type":1,"rolNum":28,"rowNum":20,"layerNum":2,"moldType":1,"blockNode":null},{"id":"2-40-20","type":1,"rolNum":40,"rowNum":20,"layerNum":2,"moldType":1,"blockNode":null},{"id":"2-16-49","type":0,"rolNum":16,"rowNum":49,"layerNum":2,"moldType":2,"blockNode":null},{"id":"2-28-49","type":0,"rolNum":28,"rowNum":49,"layerNum":2,"moldType":2,"blockNode":null},{"id":"2-40-49","type":0,"rolNum":40,"rowNum":49,"layerNum":2,"moldType":2,"blockNode":null}],"3":[]},"blockTypeData":{"1":1,"2":2,"3":2},"heightNum":10,"widthNum":8}
果然得到了地图信息
接下来考虑如何得到md5,最简单的尝试就是把整个json进行一次md5
这样一来就得到了原来的字符串046ef1bab26e5b9bfe2473ded237b572
了解了得到map_md5
的方法,也就知道了本次更新后加载地图的方式,便可以想到一种修改游戏的方式:自定义一张地图,本地修改游戏源码,将地图信息请求修改到本地,再通过重写响应等方式指向该文件,可以达到修改游戏的目的