Closed mohdali closed 4 years ago
mohdali
commented
4 years ago Hi @Perfare can you please look at this? Any chance the addresses from global-metadata.dat are parsed wrongly?
I was able to decompile older versions of this game without any issues. However, it seems they applied some anti hacking techniques and now the code doesn't make any sensein IDA.
I have tried with latest version of il2CppDumper nd IDA 7.2 also.
Appreciate if you can help.
Perfare
commented
4 years ago Before loading with ida, you need to edit the dumped so file, use 010editor, edit each program_header_table, and set the value of p_offset to the value of p_vaddr.
mohdali
commented
4 years ago Thanks for the reply! I will try that.
So if I understood correctly. The program header table for the dumped file looked like this.
Program Headers: Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align PHDR 0x000034 0x00000034 0x00000034 0x000e0 0x000e0 R 0x4 LOAD 0x000000 0x00000000 0x00000000 0x34fb014 0x34fb014 R E 0x1000 LOAD 0x34fb860 0x034fc860 0x034fc860 0x485e84 0x56b798 RW 0x1000 DYNAMIC 0x37aaef0 0x037abef0 0x037abef0 0x00108 0x00108 RW 0x4 NOTE 0x000134 0x00000134 0x00000134 0x000bc 0x000bc R 0x4 GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x10 EXIDX 0x2de576c 0x02de576c 0x02de576c 0x10e218 0x10e218 R 0x4
I will need to make it become like this:
Program Headers: Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align PHDR 0x000034 0x00000034 0x00000034 0x000e0 0x000e0 R 0x4 LOAD 0x000000 0x00000000 0x00000000 0x34fb014 0x34fb014 R E 0x1000 LOAD 0x34fc860 0x034fc860 0x034fc860 0x485e84 0x56b798 RW 0x1000 DYNAMIC 0x37abef0 0x037abef0 0x037abef0 0x00108 0x00108 RW 0x4 NOTE 0x000134 0x00000134 0x00000134 0x000bc 0x000bc R 0x4 GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x10 EXIDX 0x2de576c 0x02de576c 0x02de576c 0x10e218 0x10e218 R 0x4
Is that correct?
I will still need to rebase the program in IDA (using manual load) to use the starting address of 08000000, right?
mohdali
commented
4 years ago Hi, @Perfare,
I tried changing the PHT header but it doesn't change much.
What I'm looking for is to find the code for a method called get_CNK() which I think contains code to generate the db key.
In an older version of the game that was not protected. I could easily decompile that method from the game files and see how the key is generated. However, when working with the memory dump I get a very basic function that cannot be correct. And the references are all messed up.
I really appreciate if you can help to point me where is the correct address of this method in the memory dump. Then I can try to find the right way to decompile it using IDA.
I'm attaching the memory dump and the metadata file. Also the modified PHT version.
Perfare
commented
4 years ago I checked the file and it confuses methodIndex so the function address is wrong. You can edit the processFields of the py script to leave only ScriptMetadata, it seems that this item is not confused. Then find the function address by reference to the variable. If you just want the return value of the function get_CNK, you can try to hook this function at runtime, Use the exported function of libil2cpp.so. Through
il2cpp_domain_get
il2cpp_domain_get_assemblies
il2cpp_assembly_get_image
il2cpp_class_from_name
il2cpp_class_get_method_from_nameTo get the correct function address. But it involves many aspects.
In fact, I'm already working on a project that dump data at runtime, because now there are more and more protection against Il2Cpp, but now I don’t have much time to write code, hope i can finish it soon.
mohdali
commented
4 years ago Hi @Perfare and thank you for checking and clarifying.
I understand there are some more protections that prevent dumping the correct addresses directly.
I will try your suggestions and see how far I can go.
Just to clarify, To use the library at runtime you mean is to create a c++ program that calls the exported functions and find the address right? Or do I need to attach a debugger of some sort to the game while it is running? I have tried some debuggers but the game detects and shuts down.
Hope you can finish the new tool soon 😇. And thanks again for your support.
Perfare
commented
4 years ago Yes, if you want to hook functions, you need to write a C program, call these exported functions, and then inject it into the game process. The injection tool can use Riru, which can bypass game protection.
mohdali
commented
4 years ago Thank you. I have tried earlier to install Riru but it is a bit complicated. Do you know if I can make it work in an emulator? Nox or Memu? I will try to setup an temp phone as well but it is going to take me some time.
I will inform you if I could make any progress.
Perfare
commented
4 years ago Riru requires magisk, I don’t think the emulator can easily install magisk. If you have installed magisk, it is very easy to install Riru.
mohdali
commented
4 years ago @Perfare Thank you. I managed to find an old phone that I was able to install Magisk on.
I'm gonna try to install Riru and try. Wish me luck :)
I know the topic is now deviating from il2CppDumper scope. Can I keep discussing with you here? Can you still help me with Riru coding? Please let me know.
mohdali
commented
4 years ago @Perfare I managed to find what I was looking for using Riru!
Thanks a lot for your support. Your suggestions really put me on the right path.
Appreciate your help. Hope to stay in touch.
I will close this question for now.
Perfare
commented
4 years ago @mohdali Hi, my project has been basically completed, welcome to try and give me feedback. https://github.com/Perfare/Riru-Il2CppDumper
mohdali
commented
4 years ago @mohdali Hi, my project has been basically completed, welcome to try and give me feedback. https://github.com/Perfare/Riru-Il2CppDumper
@Perfare Great news! Sure I will give it a try.
I'm able to dump libil2cpp.so and global-metadata.dat from memory using game guardian. I'm also able to generate dump.cs and IDA script using Il2CppDumper. However, when I try to load into IDA (6.8) it is not very helpful as the code seem fragmented and no string literals are being recognized, etc. Can you guide me how to deal with memory dumped library in IDA?
dump.zip