bugku baby unity3d分析思路
本帖最后由 十一七 于 2021-2-5 18:49 编辑** 新手发帖,大佬下手轻点..。 **
这个题,卡很久了,还记得上次来劲搞了好几天没搞出来,心烦直接扔回收站了。
今天打算做题的时候又心血来潮,想要再试一试。
因为先前没有unity3d的逆向经验,网上也没有关于这题的解题分析...于是搜遍百度,Google.拿着前辈们的经验,一点点摸索。
## 概要
### 使用工具
Riru-Il2CppDumper
Android Studio
IDA Pro
Frida
## 正题
### 0x00.从libil2cpp.so入手
关于il2cpp,详情可以参考 (https://blog.csdn.net/chqj_163/article/details/83385494)
为什么要从libil2cpp.so入手,因为源码就包含在其中.
然而光靠IDA根本无从下手,连调用的函数都不清楚。
查看apk的lib目录
libil2cpp放到IDA里,分析比较慢,而且暂时用不到,扔一边。
### 0x01.利用Riru-Il2CppDumper进行dump
相比于Il2CppDumper,使用了Riru框架,在Android环境下对相关释放函数Hook并dump出解密后的metadata.具体的**原理和使用**可以前往项目(https://github.com/Perfare/Riru-Il2CppDumper)查看.
使用 Android Studio 打开
修改game头文件.
使用Gradle进行模块编译.
编译成功后在out目录下会生成模块
在Magisk中安装插件,重启。
打开app,使用adb push出 `data/data/包名/files/dump.cs`
打开dump.cs,能够看到几万行的代码.
找到我们需要分析的函数
> 关于寻找函数我也没什么特别好的办法。
> 只能是通过字段的猜测还有Assembly-CSharp.dll的index进行定位.
既然RVA已经出来了,那么我们就可以使用IDA进行分析。
### 0x02.IDA的静态分析
跳转到地址0x518b54,将函数名改成CheckFlag,F5查看伪代码。将Sub_****函数改为我们已知的名字,方便分析。
```cpp
int __fastcall CheckFlag(int a1, int a2)
{
int v3; // r0
int v4; // r0
int v5; // r4
if ( !byte_69C825 )
{
sub_4B82BC(1279);
byte_69C825 = 1;
}
v3 = dword_698140;
if ( (*(_BYTE *)(dword_698140 + 178) & 1) != 0 && !*(_DWORD *)(dword_698140 + 96) )
{
il2cpp_runtime_class_init_0();
v3 = dword_698140;
}
AESEncrypt(
*(_DWORD *)(v3 + 80),
a2,
*(_DWORD *)(*(_DWORD *)(v3 + 80) + 4000),
*(_DWORD *)(*(_DWORD *)(v3 + 80) + 2364));
v5 = v4;
if ( (*(_BYTE *)(dword_696FB8 + 178) & 1) != 0 && !*(_DWORD *)(dword_696FB8 + 96) )
il2cpp_runtime_class_init_0();
return sub_7D644(0, v5, dword_69B7F0, 0);
```
最后返回的值是调用了**sub_7D644**,代码分析,猜测传入的v5是AES加密后的参数。继续跟。
```cpp
bool __fastcall sub_7D644(int a1, int a2, int a3)
{
int v5; // r0
if ( !byte_693576 )
{
sub_4B82BC(5543);
byte_693576 = 1;
}
v5 = dword_696FB8;
if ( (*(_BYTE *)(dword_696FB8 + 178) & 1) != 0 && !*(_DWORD *)(dword_696FB8 + 96) )
v5 = il2cpp_runtime_class_init_0();
return sub_D15EC(v5, a2, a3);
}
```
没什么关键的处理,继续跟函数**sub_D15EC**。
```cpp
bool __fastcall sub_D15EC(int a1, int a2, int a3)
{
_BOOL4 result; // r0
bool v4; // zf
int v5; // r12
_DWORD *v6; // r2
_DWORD *v7; // lr
bool v8; // zf
int v9; // r1
int v10; // r3
bool v11; // zf
result = 1;
if ( a2 != a3 )
{
v4 = a2 == 0;
result = 0;
if ( a2 )
v4 = a3 == 0;
if ( !v4 )
{
v5 = *(_DWORD *)(a2 + 8);
if ( v5 == *(_DWORD *)(a3 + 8) )
{
v6 = (_DWORD *)(a3 + 12);
v7 = (_DWORD *)(a2 + 12);
if ( v5 <= 7 )
{
LABEL_16:
if ( v5 >= 4 )
{
if ( *v7 != *v6 || v7 != v6 )
return result;
v5 -= 4;
v6 += 2;
v7 += 2;
}
if ( v5 >= 2 )
{
if ( *v7 != *v6 )
return result;
v5 -= 2;
++v6;
++v7;
}
result = 1;
if ( v5 )
result = *(unsigned __int16 *)v7 == *(unsigned __int16 *)v6;
}
else
{
while ( 1 )
{
v8 = *v7 == *v6;
if ( *v7 == *v6 )
v8 = v7 == v6;
if ( !v8 )
break;
v9 = v6;
v10 = v7;
v11 = v10 == v9;
if ( v10 == v9 )
v11 = v7 == v6;
if ( !v11 )
break;
v5 -= 8;
v6 += 4;
v7 += 4;
if ( v5 < 8 )
goto LABEL_16;
}
}
}
}
}
return result;
}
```
伪代码很长...静下心,仔细看下来,看到 `if ( a2 != a3 )`
分析可以结束了。
**a2**是之前经AES加密后的密文,**a3**是**dword_69B7F0**,那么只要**a2**==**a3**,CheckFlag就会返回1.
而传入参数**dword_69B7F0**很可疑,尝试使用 Frida 进行 Hook。
### 0x03.Frida native Hook
Frida这工具就不介绍了,网上资料已经很多了。
直接找到libil2cpp.so 基址,再加上之前dump.cs中得来的偏移量,对未导出函数进行Hook。
Hook的过程有一个坑就是**Hook到的参数是宽字符 **,导致直接使用ReadCString()失效。
使用hexdump进行替代即可解决。
我这里同时Hook了CheckFlag调用到的过程函数,来加深理解。
```typescript
Java.perform(function(){
var soAdrr = Module.findBaseAddress("libil2cpp.so");
send(" "+ soAdrr);
var ptrCheckFlag = soAdrr.add(0x518a24);
send(" " + ptrCheckFlag);
Interceptor.attach(ptrCheckFlag,{
onEnter: function(args){
console.log(("enter ptrCheckFlag args->" + args));
console.log("enter ptrCheckFlag args->\n" +hexdump(args, {
offset: 12,
length: args.toInt32() * 2 + 12
}));
},
onLeave: function(args){
console.log(args.toInt32());
args.replace(1);
console.log(args);
}
})
var ptrAESEncrypt = soAdrr.add(0x518b54);
send(" " + ptrAESEncrypt);
Interceptor.attach(ptrAESEncrypt,{
onEnter: function(args){
console.log(("enter ptrAESEncrypt args-> " + args));
console.log(("enter ptrAESEncrypt args text->\n" + hexdump(args)));
console.log(("enter ptrAESEncrypt args-> password\n" + hexdump(args,{
offset: 12,
length: 12 + 16 * 2
})));
console.log(("enter ptrAESEncrypt args-> iv\n" + hexdump(args,{
offset: 12,
length: 12 + 16 * 2
})));
},
onLeave: function(args){
//send("leave->"+args);
console.log("enter ptrAESEncrypt retvalue->\n" + hexdump(args));
}
})
var ptrD15EC = soAdrr.add(0x0D15EC);
send(" " + ptrD15EC);
Interceptor.attach(ptrD15EC,{
onEnter: function(args){
console.log(("enter ptrD15EC args-> " + (args)));
console.log(("enter ptrD15EC args ->\n" + hexdump(args)));
console.log(("enter ptrD15EC args-> \n" + hexdump(args)));
},
onLeave: function(args){
console.log("enter ptrD15EC retvalue-> " + args);
}
})
})
```
最后的结果
```javascript
message: {'type': 'send', 'payload': ' 0xd67e8000'} data: None
message: {'type': 'send', 'payload': ' 0xd6d00a24'} data: None
message: {'type': 'send', 'payload': ' 0xd6d00b54'} data: None
message: {'type': 'send', 'payload': ' 0xd68b95ec'} data: None
enter ptrCheckFlag args->0xa
enter ptrCheckFlag args->
0123456789ABCDEF0123456789ABCDEF
f33fe91c6d 00 61 00 73 00 6f 00 6e 00 63 00 72 00 61 00m.a.s.o.n.c.r.a.
f33fe92c6b 00 65 00 k.e.
enter ptrAESEncrypt args-> 0xf340f000
enter ptrAESEncrypt args text->
0123456789ABCDEF0123456789ABCDEF
f33fe91080 65 ee f2 00 00 00 00 0a 00 00 00 6d 00 61 00.e..........m.a.
f33fe92073 00 6f 00 6e 00 63 00 72 00 61 00 6b 00 65 00s.o.n.c.r.a.k.e.
f33fe93000 00 00 00 00 00 00 00 80 65 ee f2 00 00 00 00.........e......
f33fe94009 00 00 00 6d 00 61 00 73 00 6f 00 6e 00 63 00....m.a.s.o.n.c.
f33fe95072 00 61 00 6b 00 00 00 00 00 00 00 00 00 00 00r.a.k...........
f33fe96080 65 ee f2 00 00 00 00 0a 00 00 00 6d 00 61 00.e..........m.a.
f33fe97073 00 6f 00 6e 00 63 00 72 00 61 00 6b 00 65 00s.o.n.c.r.a.k.e.
f33fe98000 00 00 00 00 00 00 00 80 65 ee f2 00 00 00 00.........e......
f33fe99009 00 00 00 53 00 65 00 6c 00 65 00 63 00 74 00....S.e.l.e.c.t.
f33fe9a041 00 6c 00 6c 00 00 00 00 00 00 00 00 00 00 00A.l.l...........
f33fe9b080 65 ee f2 00 00 00 00 0a 00 00 00 63 00 6f 00.e..........c.o.
f33fe9c06c 00 6c 00 65 00 63 00 74 00 69 00 6f 00 6e 00l.l.e.c.t.i.o.n.
f33fe9d000 00 00 00 00 00 00 00 80 65 ee f2 00 00 00 00.........e......
f33fe9e00b 00 00 00 55 00 6e 00 69 00 74 00 79 00 45 00....U.n.i.t.y.E.
f33fe9f06e 00 67 00 69 00 6e 00 65 00 00 00 00 00 00 00n.g.i.n.e.......
f33fea0080 65 ee f2 00 00 00 00 0b 00 00 00 53 00 79 00.e..........S.y.
enter ptrAESEncrypt args-> password
0123456789ABCDEF0123456789ABCDEF
ef4b71bc39 00 31 00 63 00 37 00 37 00 35 00 66 00 61 009.1.c.7.7.5.f.a.
ef4b71cc30 00 66 00 36 00 61 00 31 00 63 00 62 00 61 000.f.6.a.1.c.b.a.
ef4b71dc
enter ptrAESEncrypt args-> iv
0123456789ABCDEF0123456789ABCDEF
ef4b3eac35 00 38 00 66 00 33 00 61 00 34 00 34 00 35 005.8.f.3.a.4.4.5.
ef4b3ebc39 00 33 00 39 00 61 00 65 00 62 00 37 00 39 009.3.9.a.e.b.7.9.
ef4b3ecc
enter ptrAESEncrypt retvalue->
0123456789ABCDEF0123456789ABCDEF
f340184080 65 ee f2 00 00 00 00 18 00 00 00 55 00 65 00.e..........U.e.
f340185074 00 37 00 7a 00 67 00 49 00 43 00 4a 00 75 00t.7.z.g.I.C.J.u.
f340186075 00 4f 00 70 00 48 00 5a 00 50 00 74 00 56 00u.O.p.H.Z.P.t.V.
f340187078 00 6d 00 4a 00 41 00 3d 00 3d 00 00 00 00 00x.m.J.A.=.=.....
f340188080 65 ee f2 00 00 00 00 18 00 00 00 55 00 65 00.e..........U.e.
f340189074 00 37 00 7a 00 67 00 49 00 43 00 4a 00 75 00t.7.z.g.I.C.J.u.
f34018a075 00 4f 00 70 00 48 00 5a 00 50 00 74 00 56 00u.O.p.H.Z.P.t.V.
f34018b078 00 6d 00 4a 00 41 00 3d 00 3d 00 00 00 00 00x.m.J.A.=.=.....
f34018c080 65 ee f2 00 00 00 00 18 00 00 00 55 00 65 00.e..........U.e.
f34018d074 00 37 00 7a 00 67 00 49 00 43 00 4a 00 75 00t.7.z.g.I.C.J.u.
f34018e075 00 4f 00 70 00 48 00 5a 00 50 00 74 00 56 00u.O.p.H.Z.P.t.V.
f34018f078 00 6d 00 4a 00 41 00 3d 00 3d 00 00 00 00 00x.m.J.A.=.=.....
f340190080 65 ee f2 00 00 00 00 17 00 00 00 45 00 76 00.e..........E.v.
f340191065 00 6e 00 74 00 2f 00 47 00 72 00 61 00 70 00e.n.t./.G.r.a.p.
f340192068 00 69 00 63 00 20 00 52 00 61 00 79 00 63 00h.i.c. .R.a.y.c.
f340193061 00 73 00 74 00 65 00 72 00 00 00 00 00 00 00a.s.t.e.r.......
enter ptrD15EC args-> 0xf2ee6580
enter ptrD15EC args ->
0123456789ABCDEF0123456789ABCDEF
f340184080 65 ee f2 00 00 00 00 18 00 00 00 55 00 65 00.e..........U.e.
f340185074 00 37 00 7a 00 67 00 49 00 43 00 4a 00 75 00t.7.z.g.I.C.J.u.
f340186075 00 4f 00 70 00 48 00 5a 00 50 00 74 00 56 00u.O.p.H.Z.P.t.V.
f340187078 00 6d 00 4a 00 41 00 3d 00 3d 00 00 00 00 00x.m.J.A.=.=.....
f340188080 65 ee f2 00 00 00 00 18 00 00 00 55 00 65 00.e..........U.e.
f340189074 00 37 00 7a 00 67 00 49 00 43 00 4a 00 75 00t.7.z.g.I.C.J.u.
f34018a075 00 4f 00 70 00 48 00 5a 00 50 00 74 00 56 00u.O.p.H.Z.P.t.V.
f34018b078 00 6d 00 4a 00 41 00 3d 00 3d 00 00 00 00 00x.m.J.A.=.=.....
f34018c080 65 ee f2 00 00 00 00 18 00 00 00 55 00 65 00.e..........U.e.
f34018d074 00 37 00 7a 00 67 00 49 00 43 00 4a 00 75 00t.7.z.g.I.C.J.u.
f34018e075 00 4f 00 70 00 48 00 5a 00 50 00 74 00 56 00u.O.p.H.Z.P.t.V.
f34018f078 00 6d 00 4a 00 41 00 3d 00 3d 00 00 00 00 00x.m.J.A.=.=.....
f340190080 65 ee f2 00 00 00 00 17 00 00 00 45 00 76 00.e..........E.v.
f340191065 00 6e 00 74 00 2f 00 47 00 72 00 61 00 70 00e.n.t./.G.r.a.p.
f340192068 00 69 00 63 00 20 00 52 00 61 00 79 00 63 00h.i.c. .R.a.y.c.
f340193061 00 73 00 74 00 65 00 72 00 00 00 00 00 00 00a.s.t.e.r.......
enter ptrD15EC args->
0123456789ABCDEF0123456789ABCDEF
f340cc3080 65 ee f2 00 00 00 00 2c 00 00 00 77 00 30 00.e......,...w.0.
f340cc405a 00 79 00 55 00 5a 00 41 00 48 00 68 00 6e 00Z.y.U.Z.A.H.h.n.
f340cc5031 00 36 00 2f 00 4d 00 52 00 57 00 69 00 65 001.6./.M.R.W.i.e.
f340cc6036 00 33 00 6c 00 4b 00 2b 00 50 00 75 00 56 006.3.l.K.+.P.u.V.
f340cc7070 00 5a 00 4f 00 62 00 75 00 2f 00 4e 00 70 00p.Z.O.b.u./.N.p.
f340cc8051 00 2f 00 45 00 2f 00 75 00 63 00 70 00 6c 00Q./.E./.u.c.p.l.
f340cc9063 00 3d 00 00 00 00 00 80 65 ee f2 00 00 00 00c.=......e......
f340cca02b 00 00 00 74 00 79 00 70 00 65 00 20 00 69 00+...t.y.p.e. .i.
f340ccb073 00 20 00 6e 00 6f 00 74 00 20 00 61 00 20 00s. .n.o.t. .a. .
f340ccc073 00 75 00 62 00 63 00 6c 00 61 00 73 00 73 00s.u.b.c.l.a.s.s.
f340ccd020 00 6f 00 66 00 20 00 4d 00 75 00 6c 00 74 00 .o.f. .M.u.l.t.
f340cce069 00 63 00 61 00 73 00 74 00 64 00 65 00 6c 00i.c.a.s.t.d.e.l.
f340ccf065 00 67 00 61 00 74 00 65 00 00 00 00 00 00 00e.g.a.t.e.......
f340cd0080 65 ee f2 00 00 00 00 2b 00 00 00 4f 00 6e 00.e......+...O.n.
f340cd106c 00 79 00 20 00 73 00 69 00 6e 00 67 00 6c 00l.y. .s.i.n.g.l.
f340cd2065 00 20 00 64 00 69 00 6d 00 65 00 6e 00 73 00e. .d.i.m.e.n.s.
enter ptrD15EC retvalue-> 0x0
0
0x1
enter ptrD15EC args-> 0xf2ee6580
enter ptrD15EC args ->
0123456789ABCDEF0123456789ABCDEF
ef4ddde080 65 ee f2 00 00 00 00 10 00 00 00 43 00 6f 00.e..........C.o.
ef4dddf06e 00 67 00 72 00 61 00 74 00 75 00 6c 00 61 00n.g.r.a.t.u.l.a.
ef4dde0074 00 69 00 6f 00 6e 00 73 00 21 00 00 00 00 00t.i.o.n.s.!.....
ef4dde1080 65 ee f2 00 00 00 00 0f 00 00 00 45 00 72 00.e..........E.r.
ef4dde2072 00 6f 00 72 00 20 00 6c 00 6f 00 61 00 64 00r.o.r. .l.o.a.d.
ef4dde3069 00 6e 00 67 00 20 00 27 00 00 00 00 00 00 00i.n.g. .'.......
ef4dde4080 65 ee f2 00 00 00 00 0f 00 00 00 41 00 73 00.e..........A.s.
ef4dde5073 00 65 00 6d 00 62 00 6c 00 79 00 2d 00 43 00s.e.m.b.l.y.-.C.
ef4dde6053 00 68 00 61 00 72 00 70 00 00 00 00 00 00 00S.h.a.r.p.......
ef4dde7080 65 ee f2 00 00 00 00 0e 00 00 00 55 00 6e 00.e..........U.n.
ef4dde8069 00 74 00 79 00 45 00 6e 00 67 00 69 00 6e 00i.t.y.E.n.g.i.n.
ef4dde9065 00 2e 00 55 00 49 00 00 00 00 00 00 00 00 00e...U.I.........
ef4ddea080 65 ee f2 00 00 00 00 0f 00 00 00 55 00 6e 00.e..........U.n.
ef4ddeb069 00 74 00 79 00 45 00 6e 00 67 00 69 00 6e 00i.t.y.E.n.g.i.n.
ef4ddec065 00 2e 00 64 00 6c 00 6c 00 00 00 00 00 00 00e...d.l.l.......
ef4dded080 65 ee f2 00 00 00 00 0f 00 00 00 55 00 6e 00.e..........U.n.
enter ptrD15EC args->
0123456789ABCDEF0123456789ABCDEF
ef4ddde080 65 ee f2 00 00 00 00 10 00 00 00 43 00 6f 00.e..........C.o.
ef4dddf06e 00 67 00 72 00 61 00 74 00 75 00 6c 00 61 00n.g.r.a.t.u.l.a.
ef4dde0074 00 69 00 6f 00 6e 00 73 00 21 00 00 00 00 00t.i.o.n.s.!.....
ef4dde1080 65 ee f2 00 00 00 00 0f 00 00 00 45 00 72 00.e..........E.r.
ef4dde2072 00 6f 00 72 00 20 00 6c 00 6f 00 61 00 64 00r.o.r. .l.o.a.d.
ef4dde3069 00 6e 00 67 00 20 00 27 00 00 00 00 00 00 00i.n.g. .'.......
ef4dde4080 65 ee f2 00 00 00 00 0f 00 00 00 41 00 73 00.e..........A.s.
ef4dde5073 00 65 00 6d 00 62 00 6c 00 79 00 2d 00 43 00s.e.m.b.l.y.-.C.
ef4dde6053 00 68 00 61 00 72 00 70 00 00 00 00 00 00 00S.h.a.r.p.......
ef4dde7080 65 ee f2 00 00 00 00 0e 00 00 00 55 00 6e 00.e..........U.n.
ef4dde8069 00 74 00 79 00 45 00 6e 00 67 00 69 00 6e 00i.t.y.E.n.g.i.n.
ef4dde9065 00 2e 00 55 00 49 00 00 00 00 00 00 00 00 00e...U.I.........
ef4ddea080 65 ee f2 00 00 00 00 0f 00 00 00 55 00 6e 00.e..........U.n.
ef4ddeb069 00 74 00 79 00 45 00 6e 00 67 00 69 00 6e 00i.t.y.E.n.g.i.n.
ef4ddec065 00 2e 00 64 00 6c 00 6c 00 00 00 00 00 00 00e...d.l.l.......
ef4dded080 65 ee f2 00 00 00 00 0f 00 00 00 55 00 6e 00.e..........U.n.
enter ptrD15EC retvalue-> 0x1
```
我输入的文本为`masoncrake` Hook到 AES加密的key为 91c775fa0f6a1cba ,iv为 58f3a445939aeb79 ,加密后的base64密文为:Uet7zgICJuuOpHZPtVxmJA==
这些都不是重点,重点是我们把flag的密文拿到了 **w0ZyUZAHhn16/MRWie63lK+PuVpZObu/NpQ/E/ucplc=**
用解密工具解密,成功!得到flag
> **N1CTF{h4ppy_W1TH_1l2cpp}**
## 写在最后
看起来分析也很简单,实际上踩得的坑太多了,花了将近一天的时间。
也算是积攒一点unity逆向方面的知识吧。相比于cocos2dx,对加固后的unity3d游戏的分析难度相当。 谢谢楼主分享! riru_il2cpp用过都说好 大佬,请问应该用哪个版本的gradle,我gradle编译总是失败, 霍洛 发表于 2021-2-16 14:06
大佬,请问应该用哪个版本的gradle,我gradle编译总是失败,
用的6.0.1 本帖最后由 霍洛 于 2021-2-16 18:12 编辑
霍洛 发表于 2021-2-16 14:06
大佬,请问应该用哪个版本的gradle,我gradle编译总是失败,
萌新弱弱的说下解决办法:
首先是没有配置好ndk,在file,settings,appearance & Behavior,System Settings,Android SDK,SDK Tools,勾选show Details,我安装了21.4版本的ndk。
打开Il2CppDumper的project以后,在file,project structure,SDK location,选择NDK location,选择刚才安装的版本。
这样编译还是有错误,然后在build.gradle中compileSdkVersion targetSdkVersion的下一行加上buildToolsVersion "28.0.3"
之后就编译成功了
另外:我使用的是android studio4,然后gradle用的6.8.2
(还要装老版本的riru,,, 想问下riru版本是啥,我这边编译好在magisk安装提示我Riru is not installed 下页s 发表于 2021-2-21 19:28
想问下riru版本是啥,我这边编译好在magisk安装提示我Riru is not installed
我试了23之前的版本,可以安装,但是进应用闪退,打不开,还不知道怎么解决 霍洛 发表于 2021-2-23 09:32
我试了23之前的版本,可以安装,但是进应用闪退,打不开,还不知道怎么解决
我用的21.2版本成功了 下页s 发表于 2021-2-21 19:28
想问下riru版本是啥,我这边编译好在magisk安装提示我Riru is not installed
这个问题我也遇到过,新版本貌似装不上,后来是换了老版本才解决,参考版本V21.3
页:
[1]
2