Guswidura 发表于 2022-12-11 15:53:12

[Tutorial] How to crack Unity Games

For beginners, you can refer to
https://gbatemp.net/threads/a-small-tutorial-on-asm-hacks-cheats-for-unity-games.606330/
and crack the games
However, if il2cppdumper does not work in auto mode, we need to find the CodeRegistration addresses manually

Here is a script that handles the cases where il2cppdumper does not work in auto mode


Note:
Always use main.elf instead of main.nso for Unity Games
The NSO should be extracted to ELF first, since there is a bug in il2cppdumper with LZ4

Also, for some Unity versions, such as v27.1 and v24.2, il2cppdumper wrongly shifts the CodeRegistration address by -0x8 and -0x18 respectively
So when you get an error, try increasing the CodeRegistration address by +8 or +18, etc.


idaPython Script: https://gbatemp.net/attachments/1649832772928-png.306012/


Python:
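# This Script is Programmed by Eiffel2018
# Tested in IDA PRO v7.5+ with Python 3.9.x
# Operate with a clean NSO (or main.elf)
#
# Locates the Il2Cpp CodeRegistration / MetadataRegistration pointer slots
# that il2cppdumper needs when its automatic search fails, by following the
# startup calls made from nnMain.  Meant to be run from IDA ("File > Script
# file"), where the bare idc names (BADADDR, get_func_attr, SEARCH_DOWN, ...)
# are already in scope.
import idaapi
import idc, ida_search, ida_segment, ida_kernwin, ida_funcs

# A database with a 'main'/'main_data' segment pair (presumably the NSO
# loader's layout) vs. a plain ELF with '.text'/'.rodata'/'.init_array'.
gdb = ida_segment.get_segm_by_name('main') is not None
Base = ida_segment.get_segm_by_name('main').start_ea if gdb else ida_segment.get_segm_by_name('.text').start_ea
CodeStart = Base + 0x30
CodeEnd = ida_segment.get_segm_by_name('main').end_ea if gdb else ida_segment.get_segm_by_name('.rodata').start_ea
DataStart = ida_segment.get_segm_by_name('main_data').start_ea if gdb else ida_segment.get_segm_by_name('.rodata').start_ea
DataEnd = ida_segment.get_segm_by_name('main_data').end_ea if gdb else ida_segment.get_segm_by_name('.init_array').end_ea

# Instruction words treated as inter-function padding: 0, the AArch64 NOP
# (0xD503201F) and the 0xE7FFDEFE filler word the original author skips too.
_PAD_WORDS = (0, 0xD503201F, 0xE7FFDEFE)
# Mnemonics that end a hand-delimited function body.
_TERMINATORS = ('RET', 'B', 'BR')


def cls():
    """Clear IDA's Output window so only this run's messages are visible."""
    ida_kernwin.activate_widget(ida_kernwin.find_widget("Output window"), True)
    ida_kernwin.process_ui_action("msglist:Clear")


def isFound(opAddr):
    """True when *opAddr* is a real address rather than BADADDR."""
    return opAddr != BADADDR


def notFound(opAddr):
    """True when *opAddr* is BADADDR, i.e. a search came back empty."""
    return opAddr == BADADDR


def isCode(targetAddr):
    """True when IDA currently flags *targetAddr* as code."""
    return is_code(get_full_flags(targetAddr))


def makeFunc(addr):
    """Make sure *addr* lies inside an IDA function, creating functions as needed.

    Addresses outside (CodeStart, CodeEnd) are ignored.  While *addr* is not
    covered by a function (or is not marked as code), the gap after the
    preceding function is turned into a new function.  When IDA cannot find
    the end itself, the body is delimited by hand at the first RET/B/BR.

    The loop stops as soon as a pass makes no progress; the original version
    spun forever when ``add_func`` kept failing on the same start address.
    """
    if not (CodeEnd > addr > CodeStart):
        return
    addr = addr // 4 * 4  # AArch64 instructions are 4-byte aligned
    lastStart = None
    while idaapi.get_func(addr) is None or not isCode(addr):
        funcStart = get_func_attr(get_prev_func(addr), FUNCATTR_END)
        while get_wide_dword(funcStart) in _PAD_WORDS:
            funcStart += 4
        if funcStart == lastStart:
            # Nothing was created last time round; bail out instead of spinning.
            print('Unable to make a function covering %X' % addr)
            return
        lastStart = funcStart
        print('Making Function at %X' % funcStart)
        del_items(funcStart)
        if ida_funcs.add_func(funcStart):
            continue
        funcEnd = find_func_end(funcStart)
        if notFound(funcEnd) or funcEnd < funcStart:
            # IDA could not delimit it: scan forward to the first terminator,
            # stopping early at the code end or at padding.
            funcEnd = funcStart + 4
            while (print_insn_mnem(funcEnd) not in _TERMINATORS
                   and funcEnd < CodeEnd
                   and get_wide_dword(funcEnd) not in _PAD_WORDS):
                funcEnd += 4
            if print_insn_mnem(funcEnd) in _TERMINATORS:
                funcEnd += 4  # include the terminating instruction
            ida_funcs.add_func(funcStart, funcEnd)
            auto_wait()


def getFuncStart(targetAddr):
    """Start of the function containing *targetAddr*, creating it on demand."""
    makeFunc(targetAddr)
    return get_func_attr(targetAddr, FUNCATTR_START)


def getFuncEnd(targetAddr):
    """End of the function containing *targetAddr*, creating it on demand."""
    makeFunc(targetAddr)
    return get_func_attr(targetAddr, FUNCATTR_END)


def AOB(pattern, searchStart=CodeStart, searchEnd=CodeEnd):
    """Return the first match of IDA byte *pattern* ('?' wildcards) in [searchStart, searchEnd).

    Returns BADADDR when nothing matches.
    """
    return ida_search.find_binary(searchStart, searchEnd, pattern, 0, SEARCH_DOWN | SEARCH_NEXT)


def _matchesASM(addr, command, operand):
    """True when the instruction at *addr* has mnemonic *command* and, if *operand* is given, that first operand."""
    if print_insn_mnem(addr) != command:
        return False
    return operand is None or print_operand(addr, 0) == operand


def searchNextASM(addr, command, operand=None):
    """Walk forward from *addr* to the end of its function looking for *command* [*operand*].

    Returns the matching address, or BADADDR when the function ends first.
    """
    funcEnd = getFuncEnd(addr)
    while addr < funcEnd:
        if _matchesASM(addr, command, operand):
            return addr
        addr += 4
    return BADADDR


def searchPrevASM(addr, command, operand=None):
    """Walk backward from *addr* to the start of its function looking for *command* [*operand*].

    Returns the matching address, or BADADDR when the function start is reached first.
    """
    funcStart = getFuncStart(addr)
    while addr >= funcStart:
        if _matchesASM(addr, command, operand):
            return addr
        addr -= 4
    return BADADDR


def main():
    """Print the CodeRegistration / MetadataRegistration pointers and jump to the first.

    Every failed lookup now returns after its warning; the original kept
    going and fed BADADDR into the following searches.
    """
    cls()
    nnMain = get_name_ea(0, 'nnMain')
    if notFound(nnMain):
        warning('nnMain not found')
        return
    nnMainEnd = getFuncEnd(nnMain)
    # Two encodings of the same prologue (ORR-form and MOVZ-form MOV W0,#1)
    # followed by three BL instructions (0x97 high byte); the third BL is the
    # call we follow.
    addr = AOB('E0 03 00 32 ? ? ? 97 ? ? ? 97 ? ? ? 97', nnMain, nnMainEnd)
    if notFound(addr):
        addr = AOB('20 00 80 52 ? ? ? 97 ? ? ? 97 ? ? ? 97', nnMain, nnMainEnd)
    if notFound(addr):
        warning('Pattern not found')
        return
    funcAddr = get_operand_value(addr + 12, 0)  # target of the third BL
    X0Addr = searchNextASM(funcAddr, 'ADRP', 'X0')
    if notFound(X0Addr):
        warning('Logic Error')
        return
    X0Addr2 = searchNextASM(X0Addr, 'LDR', 'X0')
    if notFound(X0Addr2):
        warning('Logic Error')
        return
    # ADRP page address + LDR page offset = address of the pointer slot
    X0 = get_operand_value(X0Addr, 1) + get_operand_value(X0Addr2, 1)
    X1Addr = searchNextASM(funcAddr, 'ADRP', 'X1')
    if notFound(X1Addr):
        warning('Logic Error')
        return
    # Search from the X1 ADRP; the original started from X0Addr (copy/paste slip).
    X1Addr2 = searchNextASM(X1Addr, 'LDR', 'X1')
    if notFound(X1Addr2):
        warning('Logic Error')
        return
    X1 = get_operand_value(X1Addr, 1) + get_operand_value(X1Addr2, 1)
    jumpto(X0)
    print('CodeRegistration=%X\nMetadataRegistration=%X' % (get_qword(X0), get_qword(X1)))


if __name__ == '__main__':
    main()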

