nevermoe / unity_metadata_loader Goto Github PK

License: GNU General Public License v2.0

C++ 74.57% Python 0.15% CMake 0.01% C 9.73% Objective-C 15.53%

unity_metadata_loader's Introduction

unity_metadata_loader

This project will load strings and method/class names in global-metadata.dat to IDA.

Introduction

As most game hackers may know, if you use IL2CPP to compile an Unity game, all the strings used in your original source code will be stored separately in another file call global-metadata.dat so that you are not able to find any strings when you load the game binary to IDA. Moreover, as the game is compiled to native assembly, all the symbols like class names or function names are removed from the binary. This significantly makes the static analysis of these games more difficult and is usually considered to be un-hackable. However, with this IDA plugin, you are able to recover all the class names, method names and string constants and mapping them to IDA. Hacking unity games becomes incredibly easy.

Please refer to these two blogs for detailed information:

还原使用IL2CPP编译的unity游戏的symbol（一）

还原使用IL2CPP编译的unity游戏的symbol（二）

Installation & Usage

It's difficult to make a stable auto load funcition, so instead, I provide two helper function LocateMethodPointers() and LocateStringLiterals() to help you locate the address of g_MethodPointers and g_MetadataUsages. But you have to decide by yourself which adresses are the true addresses from the provided candidate

Copy Release/unity_decoder.exe to the same directory as your binary to be analyzed.
Copy unity_loader.py to any directory. (I recommned to copy it to the same directory as your binary to be analyzed.)
Copy global-metadata.dat to the same directory as your binary to be analyzed. It's located in Data/Managed/Metadata/global-metadata.dat in the ipa file or apk file.
Double click unity_decoder.exe and you will get two files: method_name.txt and string_literal.txt
Load unity_loader.py using File->Script File.
Enter LocateMethodPointers() in IDA console. This function will give you several possible candidate location of method pointers like this:

candidate: 0x6f00b0, candidate end: 0x6f1fd4, method numbers: 1993
candidate: 0x70ae4c, candidate end: 0x70b224, method numbers: 246
candidate: 0x70bee8, candidate end: 0x717e60, method numbers: 12254

Open the method_name.txt file generated at step 4, the first line is the method pointers' numbers. Find the closest number to the suggested candidate. Sometimes the method pointers are seperated to multiple candidates, then you have to add them up.

Navigate to the candidate address you believe to be the true address and enter LoadMethods() in IDA console.
To Load string literals, similar to loading method pointers, enter LocateStringLiterals() and then LoadStringLiterals().

Demo

Note: The v24's binary layout is different to the following picture.

Before recovering the symbols:

After recovering the symbols:

Notice

Now you are able to compile this project directly because I added libil2cpp header files.

This branch "v24" now only support 32bit Android build.

For metadata v23 support, see this fork: https://github.com/kenjiaiko/unity_metadata_loader

unity_metadata_loader's People

Contributors

Stargazers

Watchers

Forkers

peterdocter holmeschou jimmyjones97 nhumber huntpig lpcdma cs8425 lingochan rainyx houshuo totetotetotem 1683942030 tonyangl jeason1997 zhangjitao sterling0x1 more-a aihacker ta01st tylearymf xautzbl wvware kenjiaiko kuteteen fude hengle kernullist ndp1100 whb224117 ghluzhiyuan avatarchik extremdrone x3sphiorx zj831007 dothezz gg-coder889 leinlin piggyknight ouguochong elongame sola-solo socraticbliss bigfacecat2017 haorenshazina z576250965 takitez alchemistkim s-you trmatthe whztt07 jumbowu yuknight hushao711 elmelik hhbo waylandgod therealjunior hanbim520 linyanghao loveezu jeffli678 freesaf bingo-bin yangzilong fly8888 moojx mrjonyk samuel-jeong jspzyhl ericzry xx0w amesianx supernghia89 breathleas unisunis 4ch12dy guipengliao luoxixuan jbstudio425 cryoberg dannisliang incrediableslacker malhaar nasa03 hsl9999 djlw78 pitust weilai12 yukar1z0e unusable reanimatingthenew stickycookie supercuglong facelessc shuixi2013 houweifeng 00mjk reverse-dusk amspeople guo-m

unity_metadata_loader's Issues

it's doing nothing

i copied it into the same folder as global-metadata.dat, executed it and got the output metadata version is: 24 and a empty file string_literal.txt got created...

oh you make something to hack peoples code?

oh you want to hack peoples code?

No module named ida_idp

I'm trying to load python script in IDA but i'm getting an error about "No module named ida_idp" (see screenshot). I followed the excat steps
I'm using Python 2.7.12 on Windows 10 x64

Strings in wrong offsets

I had spent my time trying to find out why my hacked functions are not working. Now i found out that the script placed strings in wrong offsets

This is UserData$$get_gold right?

But the real UserData$$get_gold is actually sub_CS8304. I found it by searching hex that i copied from older version.

I'm using Python 2.7, IDA Pro 6.8 and fixed the script that a member mentioned

Here is .so and .dat file if you want to test
http://usersdownload.com/xxn0b5vyuvji.html

Wrong metadata usage list offset?

Dealing with this global-metadata.dat file:
https://www.sendspace.com/file/ji1e05

Getting weird values in this code section (inside InitializeMethodMetadata):

const Il2CppMetadataUsageList* metadataUsageLists = MetadataOffset<const Il2CppMetadataUsageList*>(s_GlobalMetadata, s_GlobalMetadataHeader->metadataUsageListsOffset, index);

uint32_t start = metadataUsageLists->start;
uint32_t count = metadataUsageLists->count;


std::cout << "InitializeMethodMetadata(start=" <<  start << ", count=" << count << ')' <<  std::endl;

Program output:

InitializeMethodMetadata(start=158, count=1073751607)
il2cpp_dumper: main.cpp:249: void InitializeMethodMetadata(uint32_t): Assertion `s_GlobalMetadataHeader->metadataUsagePairsCount >= 0 && offset <= static_cast<uint32_t>(s_GlobalMetadataHeader->metadataUsagePairsCount)' failed.

Analysis of the il2cpp binary:
After applying the Il2cppGlobalMetadataHeader struct, the divisions don't make sense.
For example: typeDefintionCount / 92 when sizeof(Il2cppTypeDefintion) != 92

(The il2cpp binary is 32 bit)

Global metadata file version is 24.

The script does not execute the exe file due to invalid path

I played with the script trying to find out why it won't execute the exe file.

The path is wrong os.system(path+'/unity_decoder.exe'). it will return 1

For Windows 10, it must be os.system('"'+path+'\unity_decoder.exe"'). it will return 0 but the exe does not create the .txt file

I don't pull requests because i'm unsure if the path was made for other OS. I just to let you know.

'data_rel_ro' reference before assignment Error

File "", line 1, in
File "C:/Users/Elliot/Desktop/OurWorld/2.0.1/unity_loader.py", line 115, in LocateMethodPointers
addr = data_rel_ro
UnboundLocalError: local variable 'data_rel_ro' referenced before assignment

A better way to find g_MethodPointers

The current approach is not very reliable in binaries compiled with different version Unity. Instead we can find a long pointer list, and then lookup the cross-references to it, which should be in either Il2CppMetadataRegistration or Il2CppCodeRegistration (let's call it struct A). In order to know exactly what struct A is, we can then have a look at xrefs to A.
Then we can get to the following function:
inline void il2cpp_codegen_register (const Il2CppCodeRegistration* const codeRegistration, const Il2CppMetadataRegistration* const metadataRegistration)
Now we know where those fields are according to the corresponding version of libil2cpp.
This approach is much more accurate than the old one. Hope helps. :)

issues with some global-metadata.dat

Ive tried a few and some never gives me the two files that its suppose to output. Why is that? what can i do to fix that?

Problem of the Debug Version unity_decoder.exe

You did a greate job on recovering symbols from the global-metadata.dat
The Debug version executable file compiled by VC2015 have some unusual dependence.
Could you please compile and upload a Release version Instead.

Assertion fails for v24 metadata.

Along with #16, definitely feels like something is off with this version. Some string literals are dumped correctly (~45k out of ~114k), but method information fails.

metadataUsageListsOffset = 94a9a0
InitializeMethodMetadata(start=142360, count=2)
il2cpp_dumper.bak: main.cpp:50: const char* GetStringFromIndex(StringIndex): Assertion `index <= s_GlobalMetadataHeader->stringCount' failed.
Aborted (core dumped)

I've attached the zipfile containing the metadata.

I attempted to debug and continue past the assertion for a best effort dump, but ran into a lot segfaults and weird outcomes:

metadata version is: 24
3919292
usagePairCount: 41541
stringLiteralCount: 114360
sizeof(Il2CppStringLiteral)=8
metadataUsageListsOffset = 94a9a0
InitializeMethodMetadata(start=0, count=2)
metadataUsageListsOffset = 94a9a0
...
Finished metadata init
Wrote 44990 literal strings
Reading method metadata
...
Getting definition for index 51
Found method name: blyName$$ionsFromChildren
Getting definition for index 52
Found method name: blyName$$Lookup
Getting definition for index 53
Getting definition for index 54
Getting definition for index 55
Found method name: blyName$$mscorlib.dll
Getting definition for index 56
Found method name: blyName$$
Ignoring method with index 100663357
Getting definition for index 57
Found method name: blyName$$\x0\x0\x0\x0\x0\x4\x0\x0\x0\x0\x0\x0\x0"
Getting definition for index 58

metadata.zip