unity3d引擎的游戏的脚本DUMP及HOOK方案优化
Posted asmcvc
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了unity3d引擎的游戏的脚本DUMP及HOOK方案优化相关的知识,希望对你有一定的参考价值。
对unity3d引擎的游戏,重要的资源就是C#脚本,脚本是被打包到APK的assets目录下的一些dll文件,有的APP可能会对其加密,运行的时候再动态解密。可以通过HOOK libmono.so中的函数mono_image_open_from_data_with_name就可以DUMP出原始内容,如果加入的有其他加解密代码,可以进一步地对解密函数进行HOOK,也是可以DUMP出内容的。
下面这个是以天天飞车为例进行的分析,先看一段LOG:
01-06 17:27:39.045 9550-9550/? I/Xposed: java.lang.Runtime loadLibrary() afterHookedMethod: tprt
01-06 17:27:39.155 9550-9550/? I/Xposed: Hid process: de.robv.android.xposed.installer
01-06 17:27:39.155 9550-9550/? I/Xposed: Hid process: com.netease.l10:PushService
01-06 17:27:39.155 9550-9550/? D/TssSDK: process_name: com.tencent.game.SSGame
01-06 17:27:39.155 9550-9550/? D/dalvikvm: Trying to load lib /data/app-lib/com.tencent.game.SSGame-1/libtprt.so 0x422f8cc0
01-06 17:27:39.155 9550-9550/? D/dalvikvm: Shared lib '/data/app-lib/com.tencent.game.SSGame-1/libtprt.so' already loaded in same CL 0x422f8cc0
01-06 17:27:39.155 9550-9550/? I/Xposed: java.lang.Runtime loadLibrary() afterHookedMethod: tprt
01-06 17:27:39.165 9550-9550/? D/SUBSTRATEHOOK: the dlopen name =: /data/app-lib/com.tencent.game.SSGame-1/libtersafe.so
01-06 17:27:39.655 9550-9550/? D/SUBSTRATEHOOK: the dlopen name =: /data/app-lib/com.tencent.game.SSGame-1/libmono.so
01-06 17:27:39.660 9550-9550/? D/SUBSTRATEHOOK: the dlopen name =: libmono.so
01-06 17:27:39.660 9550-9550/? D/SUBSTRATEHOOK: [newdlopen] hook libmono.so
01-06 17:27:39.660 9550-9550/? D/SUBSTRATEHOOK: [dumplua] libmono.so handle: 0x726c3924
01-06 17:27:39.660 9550-9550/? D/SUBSTRATEHOOK: [dumplua] mono_image_open_from_data_with_name_0 found: 0x7698fc4c
01-06 17:27:39.750 9550-9550/? I/Xposed: java.lang.Runtime loadLibrary() afterHookedMethod: main
01-06 17:27:39.755 9550-9550/? D/SUBSTRATEHOOK: the dlopen name =: /data/app-lib/com.tencent.game.SSGame-1/libmono.so
01-06 17:27:39.755 9550-9550/? D/SUBSTRATEHOOK: the dlopen name =: /data/app-lib/com.tencent.game.SSGame-1/libunity.so
01-06 17:27:39.775 9550-9550/? D/SUBSTRATEHOOK: the dlopen name =: libc.so
用IDA查看libmain.so发现有加载mono的逻辑,但是实际HOOK发现在main之前就已经加载了mono,原因是libtersafe.so里面有加载mono的逻辑,因为tersafe在main之前加载,所以才导致了mono比main更早地被加载了。通过上面的LOG时间顺序可以看出来。
而且这个mono并不是通过java层代码加载的,因此我们之前的xposed通过HOOK Runtime的load及loadLibrary是无法拦截mono的加载的(之前分析cocos的时候是通过拦截game这个so加载的时候注入的SO)。
//当目标SO加载时再注入
private void hookLoadSharedLibrary(final XC_LoadPackage.LoadPackageParam lpparam, final String hostSoName)
if (TextUtils.isEmpty(hostSoName) == true)
return;
/*
xposed不能HOOK java.lang.System loadLibrary函数,参考:[Hooking System.loadLibrary causes crash. #87] https://github.com/rovo89/XposedBridge/issues/87
*/
XC_MethodHook.Unhook unhook = findAndHookMethod(Runtime.class, "loadLibrary", String.class, ClassLoader.class, new XC_MethodHook()
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable
//XposedBridge.log("java.lang.Runtime loadLibrary() beforeHookedMethod: " + param.args[0]);
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable
super.afterHookedMethod(param);
String target = (String) param.args[0];
XposedBridge.log("java.lang.Runtime loadLibrary() afterHookedMethod: " + target);
if (target.equals(hostSoName))
loadInjectSoFile(lpparam);
);
if (unhook != null)
XposedBridge.log("java.lang.Runtime loadLibrary() hook ok");
else
XposedBridge.log("java.lang.Runtime loadLibrary() hook failed");
findAndHookMethod(Runtime.class, "load", String.class, new XC_MethodHook()
@Override
protected void beforeHookedMethod(MethodHookParam param) throws Throwable
//XposedBridge.log("java.lang.Runtime load() beforeHookedMethod: " + param.args[0]);
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable
super.afterHookedMethod(param);
XposedBridge.log("java.lang.Runtime load() beforeHookedMethod: " + param.args[0]);
);
因为这里的mono是被别其他的SO在初始化的时候(JNI_OnLoad)通过dlopen加载的,所以就导致了在xposed中无法拦截目标SO的加载事件,很容易漏网。那么该怎么办呢?
- 想法一:如果APP有SO(一个或多个),即使有个别SO是在其他SO的JNI_OnLoad中通过dlopen加载的,那么至少要有一个SO是要通过java层代码加载。那就要面临一个问题,到底应该拦截哪个SO呢?就像上面的那个例子一样,本来以为只要拦截main这个so的加载,但是tersafe被加载的时候mono就已经被加载了。而且每次要具体分析哪个SO加载了目标SO,还是有点麻烦的,不够通用。
- 想法二:在xopsed层不拦截Runtime的load及loadLibrary函数了,只要拦截到APP启动,就load注入SO,也就是第一时间把SO注入到目标APP中去。然后被注入的SO HOOK掉dlopen函数来拦截目标SO的加载,当目标SO加载时(libmono.so或libgame.so)再去做其他HOOK操作。由于Runtime的load及loadLibrary函数最终还是要调用到JNI层的dlopen函数,因此该方法可行,且不会漏掉SO的加载。
想法二可行是可行,但是会引来两个个问题:
- 问题一:注入SO由于过早地被加载到目标进程,在JNI_OnLoad中动态获取目标APP的包名会失效。
- 问题二:dlopen被HOOK,自己的代码需要调用的时候需谨慎,以免进入死循环。
解决办法
- 问题一:注入SO由于过早地被加载到目标进程,在JNI_OnLoad中动态获取目标APP的包名会失效。下面代码中getPackagePath的是获取/data/data/com.youzu.android.snsgz类似路径的。
extern "C" jint JNI_OnLoad(JavaVM* vm, void* reserved)
JNIEnv* env = NULL;
jint result = -1;
LOGD("[dumplua] %s begin", __FUNCTION__);
if( vm->GetEnv((void**)&env, JNI_VERSION_1_6) != JNI_OK)
LOGE("utility GetEnv error");
return result;
g_thisenv = env;
g_bDataPathGot = getPackagePath(env, g_strDataPath);
LOGD("[dumplua] data path: %s", g_strDataPath.c_str());
hook();
LOGD("[dumplua] %s end", __FUNCTION__);
return JNI_VERSION_1_6;
解决办法:先缓存一个JNIEnv指针,记录路径是否获取成功的状态。等到后面保存文件的时候再判断一下,如果之前没有成功获取到路径,那么在保存文件之前获取一下即可。
string getNextFilePath(const char *fileExt)
char buff[100] = 0;
++g_nCount;
if ( g_bDataPathGot==false )
g_bDataPathGot = getPackagePath(g_thisenv, g_strDataPath);
sprintf(buff, "%s/cache/%d%s", g_strDataPath.c_str(), g_nCount, fileExt);
return buff;
动态获取包名的代码可以参考:android jni签名验证(一)
- 问题二:dlopen被HOOK,自己的代码需要调用dlopen的时候需谨慎,以免进入死循环。
解决办法:缓存目标SO的句柄,后期直接使用,规避对dlopen的调用或者调用olddlopen。参考:如何hook dlopen和dlsym底层函数
void* (*olddlopen)(const char* filename, int myflags) = NULL;
void* newdlopen(const char* filename, int myflags)
LOGD("the dlopen name =: %s",filename);
void *handle = olddlopen(filename, myflags);
if ( strcmp(filename, "libmono.so")==0 )
if ( g_bU3dHooked==false )
//libmono.so加载了,但是发现之前并没有HOOK成功
g_handlelibMonoSo = handle;
LOGD("[%s] hook libmono.so", __FUNCTION__);
g_bU3dHooked = hookU3D();
else if ( strcmp(filename, "libgame.so")==0 )
if ( g_bCocosHooked==false )
g_handlelibGameSo = handle;
LOGD("[%s] hook libgame.so", __FUNCTION__);
g_bCocosHooked = hookCocos();
return handle;
bool hookU3D()
void *handle = NULL;
if ( g_handlelibMonoSo==NULL )
if ( olddlopen==NULL )
handle = dlopen("libmono.so", RTLD_NOW);
else
handle = olddlopen("libmono.so", RTLD_NOW);
if (handle == NULL)
LOGE("[dumplua]dlopen err: %s.", dlerror());
return false;
else
handle = g_handlelibMonoSo;
LOGD("[dumplua] libmono.so handle: %p", handle);
void *mono_image_open_from_data_with_name = dlsym(handle, "mono_image_open_from_data_with_name");
if (mono_image_open_from_data_with_name == NULL)
LOGE("[dumplua] mono_image_open_from_data_with_name not found!");
LOGE("[dumplua] dlsym err: %s.", dlerror());
else
LOGD("[dumplua] mono_image_open_from_data_with_name found: %p", mono_image_open_from_data_with_name);
MSHookFunction(mono_image_open_from_data_with_name, (void *)&mono_image_open_from_data_with_name_mod, (void **)&mono_image_open_from_data_with_name_orig);
return true;
这里是拦截的天天飞车的LOG信息:
01-06 17:19:41.075 1286-1397/? D/SUBSTRATEHOOK: [dumplua] mono_image_open_from_data_with_name, name: /data/app/com.tencent.game.SSGame-1.apk/assets/bin/Data/Managed/UnityEngine.dll, len: 310272, buff: MZ�
01-06 17:19:41.345 1286-1397/? D/SUBSTRATEHOOK: [dumplua] mono_image_open_from_data_with_name, name: /data/app/com.tencent.game.SSGame-1.apk/assets/bin/Data/Managed/Assembly-CSharp-firstpass.dll, len: 2926592, buff: MZ�
01-06 17:19:41.625 1286-1397/? D/SUBSTRATEHOOK: [dumplua] mono_image_open_from_data_with_name, name: /data/app/com.tencent.game.SSGame-1.apk/assets/bin/Data/Managed/Assembly-CSharp.dll, len: 7148544, buff: MZ�
01-06 17:19:41.690 1286-1397/? D/SUBSTRATEHOOK: [dumplua] mono_image_open_from_data_with_name, name: /data/app/com.tencent.game.SSGame-1.apk/assets/bin/Data/Managed/UnityEngine.UI.dll, len: 171520, buff: MZ�
01-06 17:19:41.690 1286-1397/? D/SUBSTRATEHOOK: [dumplua] mono_image_open_from_data_with_name, name: /data/app/com.tencent.game.SSGame-1.apk/assets/bin/Data/Managed/poly2tri.dll, len: 43008, buff: MZ�
以上是关于unity3d引擎的游戏的脚本DUMP及HOOK方案优化的主要内容,如果未能解决你的问题,请参考以下文章