最近在练习 il2cpp 逆向,
然后发现以下错误
然后打开
global-metadata
发现文件头不是 "AF 1B B1 FA"(global-metadata.dat 的头部特征),那么就可以判断 global-metadata 被加密了,只能从实机内存里抠出来了。
先逆向反编译apk
随手找个so
然后注入 frida-gadget。因为目标实机锁定了不能 root,无法直接用 frida,所以只能用 gadget。我是用 python 注入的:python h:\pj\frida\inject.py h:\pj\frida\libPxrPlatform.so libtutu64.so(后面的 gadget 我为了防检测改名了)
把注入之后的 so 重新拷回去,连带我改名的 gadget 一起重编译打包,推送到实机安装。
运行之后就来到抠内存的环节了,我用的脚本如下:
/*
获取解密后的global-metadata.dat
github:https://github.com/350030173/global-metadata_dump
用法:
frida -U -l global-metadata_dump.js packagename
导出的文件在/data/data/yourPackageName/global-metadata.dat
*/
//
//get_self_process_name()获取当前运行进程包名
//参考:https://github.com/lasting-yang/frida_dump/blob/master/dump_dex_class.js
/**
 * Return the package name of the process this script runs in.
 *
 * Reads /proc/self/cmdline through libc (open/read/close resolved from
 * libc.so) and returns the first NUL-terminated string of the buffer.
 * Returns the string "-1" if the file cannot be opened.
 */
function get_self_process_name()
{
    var libcOpen = new NativeFunction(Module.getExportByName('libc.so', 'open'), 'int', ['pointer', 'int']);
    var libcRead = new NativeFunction(Module.getExportByName('libc.so', 'read'), 'int', ['int', 'pointer', 'int']);
    var libcClose = new NativeFunction(Module.getExportByName('libc.so', 'close'), 'int', ['int']);

    var cmdlinePath = Memory.allocUtf8String("/proc/self/cmdline");
    var fd = libcOpen(cmdlinePath, 0); // flags 0 == O_RDONLY
    if (fd === -1)
    {
        return "-1";
    }

    // cmdline is NUL-separated; readCString() stops at the first NUL, i.e. argv[0] (the package name).
    var buf = Memory.alloc(0x1000);
    libcRead(fd, buf, 0x1000);
    libcClose(fd);
    return buf.readCString();
}
// Byte signature at the start of a decrypted global-metadata.dat, in the
// space-separated hex form that Memory.scan() expects.
var pattern = 'AF 1B B1 FA';
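/**
 * Scan every readable memory range of the current process for the
 * global-metadata.dat header (`pattern`) and write the bytes found at each
 * matching address to the app's external data directory
 * (/storage/emulated/0/Android/data/<package>/global-metadata.dat).
 *
 * @param {number} [manualSize=7543688] - number of bytes to dump. The size
 *   derived from the header fields at +0x100 and +0x104 is only logged for
 *   comparison, because the author found it unreliable for this target; pass
 *   an explicit value when dumping a different app.
 *
 * Notes:
 *  - Every match overwrites the same output path, so when the signature
 *    occurs more than once the file ends up holding the LAST match.
 *  - The /data/data/<package>/ location used by the original script needs
 *    root; the external data directory does not.
 */
function TUMemory(manualSize)
{
    if (manualSize === undefined)
    {
        manualSize = 7543688;
    }

    Java.perform(function ()
    {
        console.log("头部标识:" + pattern);

        // Only ranges that are at least readable can be scanned.
        var ranges = Process.enumerateRanges("r--");
        for (var i = 0; i < ranges.length; i++)
        {
            var range = ranges[i];
            Memory.scan(range.base, range.size, pattern,
            {
                onMatch: function (address, size)
                {
                    console.log('搜索到 ' + pattern + " 地址是:" + address.toString());
                    console.log(hexdump(address,
                    {
                        offset: 0,
                        length: 1164,
                        header: true,
                        ansi: true
                    }
                    ));

                    // Use NativePointer arithmetic rather than parseInt(address, 16):
                    // a 64-bit address does not fit exactly in a JS number, so the
                    // old conversion could read from the wrong location.
                    // If these two fields look wrong for another target, the
                    // original script suggests trying +0x108 / +0x10C instead.
                    var definitionsOffset = address.add(0x100).readInt();
                    var definitionsCount = address.add(0x104).readInt();
                    var computedSize = definitionsOffset + definitionsCount;
                    console.log("计算大小:", computedSize);

                    // The manual size wins; see the docstring for why.
                    var global_metadata_size = manualSize;
                    console.log("大小:", global_metadata_size);

                    var outPath = "/storage/emulated/0/Android/data/" + get_self_process_name() + "/global-metadata.dat";
                    var file = new File(outPath, "wb");
                    try
                    {
                        file.write(address.readByteArray(global_metadata_size));
                        file.flush();
                    }
                    finally
                    {
                        // Always release the handle, even if the read past the range fails.
                        file.close();
                    }
                    console.log('路径:' + outPath);
                    console.log('导出完毕...');
                },
                onError: function (reason)
                {
                    // Some ranges listed as "r--" still cannot be read; report and keep scanning.
                    console.log('扫描出错: ' + reason);
                },
                onComplete: function ()
                {
                    //console.log("搜索完毕")
                }
            }
            );
        }
    }
    );
}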
// Defer the scan to the next event-loop turn so the script finishes loading
// before Java.perform() and the memory scan start.
setImmediate(function ()
{
    TUMemory();
});
这个脚本是我在网上拿的脚本改的,
主要改动的地方:
1、输出路径:由于没有 root,所以改到了公共路径;
2、原脚本执行有问题,文件的大小改成了自己手动输入。
这里简单解释下如何算大小:用 010 打开 metadata,找到 Unity 的 metadata bt 模板运行一下,
100h 和 104h 处的值相加就是文件大小,也就是我上面脚本里的 7543688。
然后运行已经注入的 apk,用 frida -U -l h:\pj\frida\dao.js gadget 执行一下我们改好的脚本。
这样就抠出来了,用抠出来的 metadata
再次执行 Il2CppDumper 就能正常解析了。