HedgeBSD · May 30, 2025 15:31 · ChashkaSCoffee · May 30, 2025 · sadUser-R · May 31, 2025
diff --git a/sushi-exploit.ts b/sushi-exploit.ts
 /// <reference path="frida-gum.ts" />

 const base = Module.getBaseAddress('libg.so');

 class Libc {
    static malloc = new NativeFunction(Module.getExportByName('libc.so', 'malloc'), 'pointer', ['size_t']);
 }

 class HomeMode {
    public static HomeMode_getInstance = new NativeFunction(base.add(0x7C3A68), 'pointer', []); // v61.249
    public static HomeMode_addCommand = new NativeFunction(base.add(0x7C43AC), 'int', ['pointer', 'pointer']);
    static instance = this.HomeMode_getInstance();

    static addCommand(command: NativePointer) {
        this.HomeMode_addCommand(this.instance, command);

        return this.instance;
    }
 }

 class GlobalID {
 	static createGlobalID(tableIndex: number, csvRow: number) {
 		return (csvRow % 1000000 + 1000000 * tableIndex);
 	}
 }

 class LogicDataTables {
    public static LogicDataTables_getDataById = new NativeFunction(base.add(0x8579BC), 'pointer', ['int']); // v61.249

 	static table = {
 		Characters: 16
 	}

 	static getDataById(globalId: number): NativePointer {
 		return this.LogicDataTables_getDataById(globalId);
 	}
 }

 class LogicCommand {
    public static LogicGetSushiCharacterReward_logicGetSushiCharacterReward = new NativeFunction(base.add(0x80F628), 'void', ['pointer']); // v61.249, command ctor

    static getSushiCharacterReward(characterId: number) {
        const logicGetSushiCharacterReward = Libc.malloc(56);
        const characterDataRef = LogicDataTables.getDataById(GlobalID.createGlobalID(LogicDataTables.table.Characters, characterId)); // Getting dataRef by globalId 16000094

        this.LogicGetSushiCharacterReward_logicGetSushiCharacterReward(logicGetSushiCharacterReward);

        logicGetSushiCharacterReward.add(40).writePointer(characterDataRef); // Main ctor parameter, command returns 1000 credits if dataRef isn't proper characterData
        logicGetSushiCharacterReward.add(28).writeInt(2);
        logicGetSushiCharacterReward.add(32).writeU8(1);

        HomeMode.addCommand(logicGetSushiCharacterReward); // Executing command
    }
 }

 LogicCommand.getSushiCharacterReward(94); // 94 is Kaze id in 'characters.csv' (16th data table). ShotgunGirl is 0, Gunslinger is 1, etc...
 // Character must have _unlock slot (even encrypted) in cards.csv
	/// <reference path="frida-gum.ts" />

	const base = Module.getBaseAddress('libg.so');

	class Libc {
	static malloc = new NativeFunction(Module.getExportByName('libc.so', 'malloc'), 'pointer', ['size_t']);
	}

	class HomeMode {
	public static HomeMode_getInstance = new NativeFunction(base.add(0x7C3A68), 'pointer', []); // v61.249
	public static HomeMode_addCommand = new NativeFunction(base.add(0x7C43AC), 'int', ['pointer', 'pointer']);
	static instance = this.HomeMode_getInstance();

	static addCommand(command: NativePointer) {
	this.HomeMode_addCommand(this.instance, command);

	return this.instance;
	}
	}

	class GlobalID {
	static createGlobalID(tableIndex: number, csvRow: number) {
	return (csvRow % 1000000 + 1000000 * tableIndex);
	}
	}

	class LogicDataTables {
	public static LogicDataTables_getDataById = new NativeFunction(base.add(0x8579BC), 'pointer', ['int']); // v61.249

	static table = {
	Characters: 16
	}

	static getDataById(globalId: number): NativePointer {
	return this.LogicDataTables_getDataById(globalId);
	}
	}

	class LogicCommand {
	public static LogicGetSushiCharacterReward_logicGetSushiCharacterReward = new NativeFunction(base.add(0x80F628), 'void', ['pointer']); // v61.249, command ctor

	static getSushiCharacterReward(characterId: number) {
	const logicGetSushiCharacterReward = Libc.malloc(56);
	const characterDataRef = LogicDataTables.getDataById(GlobalID.createGlobalID(LogicDataTables.table.Characters, characterId)); // Getting dataRef by globalId 16000094

	this.LogicGetSushiCharacterReward_logicGetSushiCharacterReward(logicGetSushiCharacterReward);

	logicGetSushiCharacterReward.add(40).writePointer(characterDataRef); // Main ctor parameter, command returns 1000 credits if dataRef isn't proper characterData
	logicGetSushiCharacterReward.add(28).writeInt(2);
	logicGetSushiCharacterReward.add(32).writeU8(1);

	HomeMode.addCommand(logicGetSushiCharacterReward); // Executing command
	}
	}

	LogicCommand.getSushiCharacterReward(94); // 94 is Kaze id in 'characters.csv' (16th data table). ShotgunGirl is 0, Gunslinger is 1, etc...
	// Character must have _unlock slot (even encrypted) in cards.csv