Il2cpp逆向:global-metadata解密

2023-02-14 19:22:56 浏览数 (2)

前言

  关于Il2cpp的资料网上有很多,简而言之,Il2cpp就是unity用来代替原来的基于Mono虚拟机的一种新的打包方式,它先生成IL(中间语言),然后再转换成Cpp文件,提高运行效率的同时增加了安全性。原本基于Mono的打包方式极其容易被逆向,现在市面上的新游戏基本上都是用Il2cpp的方式打包的,当然Il2cpp的逆向教程也很多,但是都是千篇一律,教你用国内大佬写的Il2cppDumper去dump就完事,毫无技术含量。事实上,由于这个工具太过出名,很多游戏厂商都采取了对抗措施,导致就算你照着教程来,大多数情况下也不会成功的。因此打算学习一下Il2cpp相关的攻防技术,于是在网上找了一个Il2cpp的CTF题来练手。题目来源:n1ctf-2018

baby unity3d

  题目要求很明确,输入正确的flag即可。既然已经知道它是一个用了Il2cpp的unity程序了,那么就直接去找它的libil2cpp.so以及global-metadata.dat文件,然后尝试用Il2cppDumper进行解析,当然肯定会解析失败。解析失败的原因肯定是出在这两个文件中,至少有一个文件是被加密了,导致无法正常解析。这题比较基础,只加密了global-metadata.dat文件,可以将global-metadata.dat拖入010Editor查看,正常的global-metadata.dat开头的四个字节应该是AF 1B B1 FA,而这题的global-metadata.dat显然被加密过了,因此只需要将其解密即可完成解析,后面的flag问题就迎刃而解。

  想要解密global-metadata.dat我们有两种思路,一种是dump解密结果,另一种是分析加密算法。对于第一种思路,这里有个frida脚本

代码语言:javascript复制
function frida_Memory(pattern)
{
Java.perform(function ()
{
    console.log("头部标识:"   pattern);
    var addrArray = Process.enumerateRanges("r--");
    for (var i = 0; i < addrArray.length; i  )
    {
        var addr = addrArray[i];
        Memory.scan(addr.base, addr.size, pattern,
        {
            onMatch: function (address, size)
            {
                console.log('搜索到 '   pattern   " 地址是:"   address.toString());
                console.log(hexdump(address,
                    {
                        offset: 0,
                        length: 64,
                        header: true,
                        ansi: true
                    }
                    ));
                //0x108,0x10C如果不行,换0x100,0x104
                var DefinitionsOffset = parseInt(address, 16)   0x108;
                var DefinitionsOffset_size = Memory.readInt(ptr(DefinitionsOffset));

                var DefinitionsCount = parseInt(address, 16)   0x10C;
                var DefinitionsCount_size = Memory.readInt(ptr(DefinitionsCount));

                //根据两个偏移得出global-metadata大小
                var global_metadata_size = DefinitionsOffset_size   DefinitionsCount_size
                    console.log("大小:", global_metadata_size);
                var file = new File("/data/data/"   get_self_process_name()   "/global-metadata.dat", "wb");
                file.write(Memory.readByteArray(address, global_metadata_size));
                file.flush();
                file.close();
                console.log('导出完毕...');
            },
            onComplete: function ()
            {
                //console.log("搜索完毕")
            }
        }
        );
    }
}
);
}
setImmediate(frida_Memory("AF 1B B1 FA")); //global-metadata.dat头部特征

  大概流程就是通过魔术来定位到文件在内存中的起始地址,然后通过解析文件头来计算出文件的大小,最后进行dump。该脚本的适用条件是global-metadata.dat在解密后必须要有正常的魔术即AF 1B B1 FA否则定位,同时文件头信息要正确否则无法计算文件大小。这个脚本有一定的参考价值,然而对于这题起不到作用,脚本执行后没有找到起始地址,看来即使解密后,内存中也没有AF 1B B1 FA存在。所以这种通用的dump方式应该是不行了,只能找到global-metadata.dat的加载函数,待其解密完成后再进行dump,所以我们需要对global-metadata.dat的加载流程进行分析。

global-metadata.dat加载流程

  这篇文章IL2CPP Tutorial: Finding loaders for obfuscated global-metadata.dat files对global-metadata.dat加载流程有很详细的介绍,非常值得一读。我这边简要概括下,在libil2cpp.so里面有个il2cpp_init函数是加载函数调用链中的第一个函数,整个调用链是这样的

代码语言:javascript复制
il2cpp_init
  -> il2cpp::vm::Runtime::Init
    -> il2cpp::vm::MetadataCache::Initialize
      -> il2cpp::vm::MetadataLoader::LoadMetadataFile

  我们可以在libil2cpp.so里面搜索il2cpp_init或者整个调用链里的关键字来定位到其中一个函数,最简单的是通过搜索global-metadata.dat来直接定位到MetadataCache::Initialize,但是这题不行,因为出题人特意把global-metadata.dat这个字符串加密了,所以搜索不到。所以这边我们搜索il2cpp_init来对照源码往下定位到MetadataCache::Initialize

  假如说上面几个函数一个都没找到该怎么办,其实上面那篇文章也有提到,在libunity.so里面会对il2cpp_init做符号解析,得到它的地址。具体参考上面那篇文章就行。另外那篇文章中有个例子是il2cpp_init被做了ROT-5处理,函数名变成了nq2huu_nsny,然后我发现在我自己找的一些case里搜索nq2huu_nsny也能找到,所以这个nq2huu_nsny也值得一试。

il2cpp_init

代码语言:javascript复制
int __fastcall il2cpp_init(int a1)
{
  setlocale(6, "");
  return sub_4C4770(a1, "v2.0.50727");
}

sub_4C4770

代码语言:javascript复制
int __fastcall sub_4C4770(int a1)
{
.......

  v1 = nullsub_3();
  v2 = nullsub_1(v1);
  v3 = sub_514E34(v2);
  dword_695A80 = (int)"2.0";
  v4 = sub_4F8468(v3);
  v5 = sub_5171B8(v4);
  v6 = sub_4B5564(v5);
  v7 = sub_501A60(v6);
  v8 = sub_4FA8B8(v7);
  v9 = sub_4E0D84(v8);
  sub_4D566C(v9);
  memset(&dword_695AB0, 0, 0x13Cu);
  v10 = sub_5017E4("mscorlib.dll");
  dword_695AB0 = il2cpp_assembly_get_image_0(v10);
  dword_695AB4 = ((int (*)(void))il2cpp_class_from_name_0)();
  dword_695ABC = il2cpp_class_from_name_0(dword_695AB0, "System", "Void");
  dword_695AC0 = il2cpp_class_from_name_0(dword_695AB0, "System", "Boolean");
  dword_695AB8 = il2cpp_class_from_name_0(dword_695AB0, "System", "Byte");
  dword_695AC4 = il2cpp_class_from_name_0(dword_695AB0, "System", &unk_5BA5E1);
  dword_695AC8 = il2cpp_class_from_name_0(dword_695AB0, "System", "Int16");
  dword_695ACC = il2cpp_class_from_name_0(dword_695AB0, "System", &unk_5BA5E7);
  dword_695AD0 = il2cpp_class_from_name_0(dword_695AB0, "System", "Int32");

......

一个个点进去看,发现sub_4B5564其实就是MetadataCache::Initialize

代码语言:javascript复制
void sub_4B5564()
{
  void *v0; // r4
  int v1; // r4
  unsigned int v2; // r7
  int v3; // r0
  int v4; // lr
  int v5; // r2
  int v6; // r4
  int v7; // r3
  _DWORD *v8; // r1
  int v9; // r6
  int v10; // r0
  unsigned int v11; // r3
  int v12; // r7
  int v13; // r1
  unsigned int v14; // r1
  unsigned int v15; // r9
  int v16; // r6
  unsigned __int16 v17; // r0
  unsigned __int16 *v18; // r6
  int v19; // t1
  _DWORD *v20; // r7
  unsigned __int16 v21; // r4
  int v22; // r2
  int v23; // r1
  int v24; // r0
  int v25; // r6
  int v26; // r7
  int v27; // r1
  int v28; // [sp 8h] [bp-48h]
  unsigned int v29; // [sp Ch] [bp-44h]
  int v30; // [sp 10h] [bp-40h]
  int v31; // [sp 14h] [bp-3Ch]
  int v32[2]; // [sp 18h] [bp-38h] BYREF
  int v33; // [sp 20h] [bp-30h] BYREF
  int v34; // [sp 24h] [bp-2Ch]
  double v35; // [sp 28h] [bp-28h] BYREF
  int v36; // [sp 30h] [bp-20h]

  v0 = (void *)sub_4B5518("CLKFILrMETIDITInDIT", 19);
  dword_6959CC = sub_513060();
  free(v0);
  dword_6959D0 = dword_6959CC;
  v28 = dword_6959CC   *(_DWORD *)(dword_6959CC   184);
  if ( *(_DWORD *)(dword_6959CC   188) >= 0x44u )
  {
    v1 = dword_6959CC   *(_DWORD *)(dword_6959CC   184);
    v2 = 0;
    do
    {
      sub_5019F8(v1);
      v1  = 68;
        v2;
    }
    while ( v2 < *(_DWORD *)(dword_6959D0   188) / 0x44u );
  }
  dword_6959D4 = sub_5169D4(*(_DWORD *)(dword_6959C4   24), 4);
  dword_6959D8 = sub_5169D4(*(_DWORD *)(dword_6959D0   164) / 0x68u, 4);
  dword_6959DC = sub_5169D4(*(_DWORD *)(dword_6959D0   52) / 0x38u, 4);
  dword_6959E0 = sub_5169D4(*(_DWORD *)(dword_6959C4   32), 4);
  dword_6959E4 = *(_DWORD *)(dword_6959D0   180) / 0x18u;
  v3 = sub_5169D4(dword_6959E4, 28);
  dword_6959E8 = v3;
  if ( dword_6959E4 >= 1 )
  {
    v4 = dword_6959CC;
    v5 = 0;
    v6 = dword_6959D0;
    v7 = 12;
    v8 = (_DWORD *)(*(_DWORD *)(dword_6959D0   176)   dword_6959CC   12);
    while ( 1 )
    {
      v9 = v3   v7;
        v5;
      *(_DWORD *)(v9 - 12) = v4   *(_DWORD *)(v6   24)   *(v8 - 3);
      *(_DWORD *)(v9 - 8) = *(v8 - 2);
      *(_DWORD *)(v9 - 4) = *(v8 - 1);
      *(_DWORD *)(v3   v7) = *v8;
      *(_DWORD *)(v9   4) = v8[1];
      *(_DWORD *)(v9   12) = v8[2];
      if ( v5 >= dword_6959E4 )
        break;
      v7  = 28;
      v8  = 6;
      v6 = dword_6959D0;
      v4 = dword_6959CC;
      v3 = dword_6959E8;
    }
  }
  sub_4B5A28();
  v35 = 0.0;
  v36 = 0;
  v10 = dword_6959D0;
  if ( *(_DWORD *)(dword_6959D0   188) >= 0x44u )
  {
    v11 = 0;
    v31 = dword_6959CC   *(_DWORD *)(dword_6959D0   160);
    do
    {
      v12 = 0;
      v13 = *(_DWORD *)(v28   68 * v11);
      if ( v13 != -1 )
        v12 = dword_6959E8   28 * v13;
      v30 = v12;
      v14 = *(_DWORD *)(v12   12);
      if ( v14 )
      {
        v15 = 0;
        v29 = v11;
        do
        {
          v16 = v31   104 * (*(_DWORD *)(v12   8)   v15);
          v19 = *(unsigned __int16 *)(v16   80);
          v18 = (unsigned __int16 *)(v16   80);
          v17 = v19;
          if ( v19 )
          {
            v20 = (_DWORD *)(v31   104 * (*(_DWORD *)(v12   8)   v15)   52);
            v21 = 0;
            do
            {
              v22 = *(_DWORD *)(dword_6959D0   48);
              v34 = *v20   v21;
              v23 = *(_DWORD *)(dword_6959CC   v22   56 * v34   24);
              if ( v23 == -1 )
              {
                v33 = 0;
              }
              else
              {
                v33 = *(_DWORD *)(*(_DWORD *)(dword_6959C0   4)   4 * v23);
                if ( v33 )
                {
                  sub_4B5CFC(&v35, &v33);
                  v17 = *v18;
                }
              }
                v21;
            }
            while ( v21 < (unsigned int)v17 );
            v12 = v30;
            v14 = *(_DWORD *)(v30   12);
          }
            v15;
        }
        while ( v15 < v14 );
        v11 = v29;
        v10 = dword_6959D0;
      }
        v11;
    }
    while ( v11 < *(_DWORD *)(v10   188) / 0x44u );
  }
  v24 = dword_6959C4;
  if ( *(int *)(dword_6959C4   16) >= 1 )
  {
    v25 = 0;
    v26 = 0;
    do
    {
      v27 = *(_DWORD *)(v24   20);
      v32[1] = *(_DWORD *)(*(_DWORD *)(v24   36)   12 * *(_DWORD *)(v27   v25));
      v32[0] = *(_DWORD *)(*(_DWORD *)(dword_6959C0   20)   4 * *(_DWORD *)(v27   v25   4));
      sub_4B5CFC(&v35, v32);
      v24 = dword_6959C4;
      v25  = 12;
        v26;
    }
    while ( v26 < *(_DWORD *)(dword_6959C4   16) );
  }
  sub_4C70FC(&v35);
  if ( LODWORD(v35) )
    operator delete((void *)LODWORD(v35));
}

其中这个sub_4B5518("CLKFILrMETIDITInDIT", 19);就是将字符串解密成global-metadata.dat的位置。

代码语言:javascript复制
_BYTE *__fastcall sub_4B5518(char *a1, int a2)
{
  _BYTE *result; // r0
  int v5; // r1
  _BYTE *v6; // r2
  char v7; // t1

  result = malloc(a2   1);
  if ( a2 >= 1 )
  {
    v5 = a2;
    v6 = result;
    do
    {
      v7 = *a1  ;
      --v5;
      *v6   = (v7 - 2) ^ 0x26;
    }
    while ( v5 );
  }
  result[a2] = 0;
  return result;
}

然后sub_513060则实际上就是MetadataLoader::LoadMetadataFile

代码语言:javascript复制
int __fastcall sub_513060(const char *a1)
{
  void *v2; // r0
  int v3; // r4
  int v4; // r6
  size_t v5; // r5
  int v6; // r8
  unsigned int *v7; // r2
  int v8; // r1
  void *v9; // r0
  void *v10; // r0
  unsigned int *v12; // r2
  int v13; // r1
  unsigned int *v14; // r2
  int v15; // r1
  int v16; // [sp Ch] [bp-4Ch] BYREF
  int v17[2]; // [sp 10h] [bp-48h] BYREF
  int v18; // [sp 18h] [bp-40h] BYREF
  int v19[2]; // [sp 1Ch] [bp-3Ch] BYREF
  int v20; // [sp 24h] [bp-34h] BYREF
  int v21; // [sp 28h] [bp-30h] BYREF
  int v22[2]; // [sp 2Ch] [bp-2Ch] BYREF
  int v23[2]; // [sp 34h] [bp-24h] BYREF

  sub_4C5B40(&v20);
  v19[0] = (int)"Metadata";
  v19[1] = 8;
  v22[0] = v20;
  v22[1] = *(_DWORD *)(v20 - 12);
  sub_4C7F74(&v21, v22, v19);
  v2 = (void *)(v20 - 12);
  if ( (_UNKNOWN *)(v20 - 12) != &unk_6A25F4 )
  {
    v7 = (unsigned int *)(v20 - 4);
    __dmb(0xBu);
    do
      v8 = __ldrex(v7);
    while ( __strex(v8 - 1, v7) );
    __dmb(0xBu);
    if ( v8 <= 0 )
      j_operator delete(v2);
  }
  v17[0] = (int)a1;
  v17[1] = strlen(a1);
  v23[0] = v21;
  v23[1] = *(_DWORD *)(v21 - 12);
  sub_4C7F74(&v18, v23, v17);
  v3 = 0;
  v16 = 0;
  v4 = sub_4CDA80(&v18, 3, 1, 1, 0, &v16);
  if ( !v16 )
  {
    v5 = sub_4CDE4C(v4, &v16);
    if ( !v16 )
    {
      v6 = sub_5163A8(v4, 0, 0);
      sub_4CDCF4(v4, &v16);
      if ( v16 )
      {
        v3 = 0;
        sub_516540(v6, 0);
      }
      else
      {
        v3 = sub_512FDC(v6, v5);
      }
    }
  }
  v9 = (void *)(v18 - 12);
  if ( (_UNKNOWN *)(v18 - 12) != &unk_6A25F4 )
  {
    v12 = (unsigned int *)(v18 - 4);
    __dmb(0xBu);
    do
      v13 = __ldrex(v12);
    while ( __strex(v13 - 1, v12) );
    __dmb(0xBu);
    if ( v13 <= 0 )
      j_operator delete(v9);
  }
  v10 = (void *)(v21 - 12);
  if ( (_UNKNOWN *)(v21 - 12) != &unk_6A25F4 )
  {
    v14 = (unsigned int *)(v21 - 4);
    __dmb(0xBu);
    do
      v15 = __ldrex(v14);
    while ( __strex(v15 - 1, v14) );
    __dmb(0xBu);
    if ( v15 <= 0 )
      j_operator delete(v10);
  }
  return v3;
}

对比源码发现这个sub_512FDC就是解密函数

代码语言:javascript复制
char *__fastcall sub_512FDC(int a1, size_t size)
{
  char *result; // r0
  size_t v5; // r2

  result = (char *)malloc(size);
  if ( size )
  {
    v5 = 0;
    do
    {
      *(_DWORD *)&result[v5 & 0xFFFFFFFC] = *(_DWORD *)(a1   (v5 & 0xFFFFFFFC)) ^ dword_5DCF6C[(v5   v5 / 0x84) % 0x84];
      v5  = 4;
    }
    while ( v5 < size );
  }
  return result;
}

写出解密脚本

代码语言:javascript复制
import struct
f = open('global-metadata.dat', 'rb')
a = ""
a = f.read()
key = [0xF83DA249, 0x15D12772, 0x40C50697, 0x984E2B6B, 0x14EC5FF8, 0xB2E24927,
       0x3B8F77AE, 0x472474CD, 0x5B0CE524, 0xA17E1A31, 0x6C60852C, 0xD86AD267, 0x832612B7, 0x1CA03645, 0x5515ABC8,
       0xC5FEFF52, 0xFFFFAC00, 0x0FE95CB6, 0x79CF43DD, 0xAA48A3FB, 0xE1D71788, 0x97663D3A, 0xF5CFFEA7, 0xEE617632,
       0x4B11A7EE, 0x040EF0B5, 0x0606FC00, 0xC1530FAE, 0x7A827441, 0xFCE91D44, 0x8C4CC1B1, 0x7294C28D, 0x8D976162,
       0x8315435A, 0x3917A408, 0xAF7F1327, 0xD4BFAED7, 0x80D0ABFC, 0x63923DC3, 0xB0E6B35A, 0xB815088F, 0x9BACF123,
       0xE32411C3, 0xA026100B, 0xBCF2FF58, 0x641C5CFC, 0xC4A2D7DC, 0x99E05DCA, 0x9DC699F7, 0xB76A8621, 0x8E40E03C,
       0x28F3C2D4, 0x40F91223, 0x67A952E0, 0x505F3621, 0xBAF13D33, 0xA75B61CC, 0xAB6AEF54, 0xC4DFB60D, 0xD29D873A,
       0x57A77146, 0x393F86B8, 0x2A734A54, 0x31A56AF6, 0x0C5D9160, 0xAF83A19A, 0x7FC9B41F, 0xD079EF47, 0xE3295281,
       0x5602E3E5, 0xAB915E69, 0x225A1992, 0xA387F6B2, 0x7E981613, 0xFC6CF59A, 0xD34A7378, 0xB608B7D6, 0xA9EB93D9,
       0x26DDB218, 0x65F33F5F, 0xF9314442, 0x5D5C0599, 0xEA72E774, 0x1605A502, 0xEC6CBC9F, 0x7F8A1BD1, 0x4DD8CF07,
       0x2E6D79E0, 0x6990418F, 0xCF77BAD9, 0xD4FE0147, 0xFEF4A3E8, 0x85C45BDE, 0xB58F8E67, 0xA63EB8D7, 0xC69BD19B,
       0xDA442DCA, 0x3C0C1743, 0xE6F39D49, 0x33568804, 0x85EB6320, 0xDA223445, 0x36C4A941, 0xA9185589, 0x71B22D67,
       0xF59A2647, 0x3C8B583E, 0xD7717DED, 0xDF05699C, 0x4378367D, 0x1C459339, 0x85133B7F, 0x49800CE2, 0x3666CA0D,
       0xAF7AB504, 0x4FF5B8F1, 0xC23772E3, 0x3544F31E, 0x0F673A57, 0xF40600E1, 0x7E967417, 0x15A26203, 0x5F2E34CE,
       0x70C7921A, 0xD1C190DF, 0x5BB5DA6B, 0x60979C75, 0x4EA758A4, 0x078FE359, 0x1664639C, 0xAE14E73B, 0x2070FF03]
with open('decrypt', 'wb') as fp:
    n = 0
    while n < len(a):
        num = struct.unpack("<I", a[n:n   4])[0]
        num = num ^ key[(n   n // 0x84) % 0x84]
        d = struct.pack('I', num)
        fp.write(d)
        n = n   4

解密完成后发现还是不能用Il2cppDumper,将解密后的文件放到010editor里发现魔数不对,改成AF 1B B1 FA就行了,原来他把魔数校验的那一步给去掉了,所以可以改魔数,这样就可以防止用前面提到的通用frida脚本来dump了。

题解

  用Il2cppDumper解析完成后发现它有个下面几个函数

代码语言:javascript复制
public Void .ctor() { }
// RVA: 0x518834 VA: 0xc575a834
private Void Start() { }
// RVA: 0x518838 VA: 0xc575a838
private Void Update() { }
// RVA: 0x51883c VA: 0xc575a83c
public Void Click() { }
// RVA: 0x518a24 VA: 0xc575aa24
private Boolean CheckFlag(String input) { }
// RVA: 0x518b54 VA: 0xc575ab54
public static String AESEncrypt(String text, String password, String iv) { }
// RVA: 0x518ee4 VA: 0xc575aee4
public static String AESDecrypt(String text, Byte[] password, Byte[] iv) { }
// RVA: 0x5191f0 VA: 0xc575b1f0
private static Void .cctor() { }

CheckFlag的偏移是0x518a24,把libil2cpp.so放IDA里然后按G跳转过去,查看函数

代码语言:javascript复制
int __fastcall sub_518A24(int a1, int a2)
{
  int v3; // r0
  int v4; // r4

  if ( !byte_69C825 )
  {
    sub_4B82BC(1279);
    byte_69C825 = 1;
  }
  v3 = dword_698140;
  if ( (*(_BYTE *)(dword_698140   178) & 1) != 0 && !*(_DWORD *)(dword_698140   96) )
  {
    il2cpp_runtime_class_init_0();
    v3 = dword_698140;
  }
  v4 = sub_518B54(
         *(_DWORD *)(v3   80),
         a2,
         *(_DWORD *)(*(_DWORD *)(v3   80)   4000),
         *(_DWORD *)(*(_DWORD *)(v3   80)   2364));
  if ( (*(_BYTE *)(dword_696FB8   178) & 1) != 0 && !*(_DWORD *)(dword_696FB8   96) )
    il2cpp_runtime_class_init_0();
  return sub_7D644(0, v4, dword_69B7F0, 0);
}

这里这个sub_518B54函数其实就是AESDecrypt,可以用Il2cppDumper的IDA脚本来还原函数名,这边就偷懒不还原了,大概的代码逻辑就是将你的输入做一下加密然后和flag进行对比,所以我们打印一下AES的key以及flag做一下解密就行了。

其他方法

有几个比较先进的工具可以帮助我们对Il2cpp进行逆向分析,用来解这题也非常方便

  • Zygisk-Il2CppDumper:一个Magisk插件,可以动态dump函数名和函数偏移,最初需要自己配置安卓开发环境,现在作者改用github Action,直接fork一份填个包名就能编译使用,很方便。
  • frida-il2cpp-bridge:一个frida库,功能非常强大,不仅有动态dump函数名和函数偏移的功能,还有trace、hook等多种功能,非常值得尝试。

Reference

unity3d il2cpp原理解析及逆向分析 IL2CPP Tutorial: Finding loaders for obfuscated global-metadata.dat files Unity之IL2CPP解析 Baby unity3D Il2cpp源码

0 人点赞