[Tutorial] How to crack Unity Games

Posted on 2022-12-11 15:53:12
For beginners, you can refer to
https://gbatemp.net/threads/a-small-tutorial-on-asm-hacks-cheats-for-unity-games.606330/
and crack the games.
However, if il2cppdumper does not work in auto mode, we need to find the codeRegister addresses manually.

Here is a script that handles the cases where il2cppdumper does not work in auto mode.


Note:
Always use main.elf instead of the main NSO for Unity games.
The NSO should be extracted to ELF first, since there is a bug in il2cppdumper with LZ4.

Also, in some Unity game versions, such as v27.1 and v24.2, il2cppdumper wrongly shifts the CodeRegistration address by -0x8 and -0x18 respectively.
So when you get an error, you need to try increasing the CodeRegistration address by +8 or +18 etc.


IDAPython Script


Python:
# This Script is Programmed by Eiffel2018
# Tested in IDA PRO v7.5+ with Python 3.9.x
# Operate with a clean NSO (or main.elf)
import idaapi,idc,ida_search,ida_segment,ida_kernwin,ida_funcs
from idc import *  # the bare helpers used below (BADADDR, get_func_attr, print_insn_mnem, ...) come from idc

# A 'main' segment is present in a GDB/debugger session; a static ELF has .text/.rodata instead
gdb = ida_segment.get_segm_by_name('main') is not None
Base = ida_segment.get_segm_by_name('main').start_ea if gdb else ida_segment.get_segm_by_name('.text').start_ea
CodeStart = Base+0x30
CodeEnd = ida_segment.get_segm_by_name('main').end_ea if gdb else ida_segment.get_segm_by_name('.rodata').start_ea
DataStart = ida_segment.get_segm_by_name('main_data').start_ea if gdb else ida_segment.get_segm_by_name('.rodata').start_ea
DataEnd = ida_segment.get_segm_by_name('main_data').end_ea if gdb else ida_segment.get_segm_by_name('.init_array').end_ea

def cls():
    # Clear the IDA output window
    ida_kernwin.activate_widget(ida_kernwin.find_widget("Output window"), True)
    ida_kernwin.process_ui_action("msglist:Clear")

def isFound(opAddr):
    return opAddr != BADADDR

def notFound(opAddr):
    return opAddr == BADADDR

def isCode(targetAddr):
    return is_code(get_full_flags(targetAddr))

def makeFunc(addr):
    # Make sure addr lies inside a defined function, creating functions after the previous one as needed
    if not(CodeEnd>addr>CodeStart): return
    addr=addr//4*4
    while idaapi.get_func(addr) is None or not(isCode(addr)):
        funcStart=get_func_attr(get_prev_func(addr),FUNCATTR_END)
        # Skip padding words (0, NOP, 0xE7FFDEFE filler)
        while get_wide_dword(funcStart) in (0,0xD503201F,0xE7FFDEFE): funcStart+=4
        print('Making Function at %X'%(funcStart))
        del_items(funcStart)
        if not(ida_funcs.add_func(funcStart)):
            funcEnd=find_func_end(funcStart)
            if notFound(funcEnd) or funcEnd<funcStart:
                funcEnd=funcStart+4
                while print_insn_mnem(funcEnd) not in ('RET','B','BR') and funcEnd<CodeEnd and not(get_wide_dword(funcEnd) in (0,0xD503201F,0xE7FFDEFE)): funcEnd+=4
                if print_insn_mnem(funcEnd) in ('RET','B','BR'): funcEnd+=4
                ida_funcs.add_func(funcStart,funcEnd)
                auto_wait()

def getFuncStart(targetAddr):
    makeFunc(targetAddr)
    return get_func_attr(targetAddr,FUNCATTR_START)

def getFuncEnd(targetAddr):
    makeFunc(targetAddr)
    return get_func_attr(targetAddr,FUNCATTR_END)

def AOB(pattern,searchStart=CodeStart,searchEnd=CodeEnd):
    # Byte-pattern search ('?' is a wildcard byte)
    return ida_search.find_binary(searchStart, searchEnd, pattern, 0, SEARCH_DOWN|SEARCH_NEXT)

def searchNextASM(addr,command,operand=None):
    # Scan forward inside the current function for a mnemonic (and optionally its first operand)
    funcEnd=getFuncEnd(addr)
    while addr<funcEnd:
        if operand is None:
            if print_insn_mnem(addr)==command: break
        else:
            if print_insn_mnem(addr)==command and operand==print_operand(addr,0): break
        addr+=4
    return addr if addr<funcEnd else BADADDR

def searchPrevASM(addr,command,operand=None):
    # Same as searchNextASM, scanning backward to the function start
    funcStart=getFuncStart(addr)
    while addr>=funcStart:
        if operand is None:
            if print_insn_mnem(addr)==command: break
        else:
            if print_insn_mnem(addr)==command and operand==print_operand(addr,0): break
        addr-=4
    return addr if addr>=funcStart else BADADDR

cls()
nnMain=get_name_ea(0,'nnMain')
# Inside nnMain: "W0 = 1" followed by three BL instructions (two encodings of the move)
addr=AOB('E0 03 00 32 ? ? ? 97 ? ? ? 97 ? ? ? 97',nnMain,getFuncEnd(nnMain))
if notFound(addr): addr=AOB('20 00 80 52 ? ? ? 97 ? ? ? 97 ? ? ? 97',nnMain,getFuncEnd(nnMain))
if notFound(addr): warning('Pattern not found')
# Target of the third BL
funcAddr=get_operand_value(addr+12,0)
# ADRP X0 + LDR X0 give the address of the pointer to CodeRegistration
X0Addr=searchNextASM(funcAddr,'ADRP','X0')
if notFound(X0Addr): warning('Logic Error')
X0Addr2=searchNextASM(X0Addr,'LDR','X0')
if notFound(X0Addr2): warning('Logic Error')
X0=get_operand_value(X0Addr,1)+get_operand_value(X0Addr2,1)
# ADRP X1 + LDR X1 give the address of the pointer to MetadataRegistration
X1Addr=searchNextASM(funcAddr,'ADRP','X1')
if notFound(X1Addr): warning('Logic Error')
# Search from the ADRP X1 (the posted script started from X0Addr here)
X1Addr2=searchNextASM(X1Addr,'LDR','X1')
if notFound(X1Addr2): warning('Logic Error')
X1=get_operand_value(X1Addr,1)+get_operand_value(X1Addr2,1)
jumpto(X0)
print('CodeRegistration=%X\nMetadataRegistration=%X'%(get_qword(X0),get_qword(X1)))

