{"id":108,"date":"2020-09-21T15:12:44","date_gmt":"2020-09-21T07:12:44","guid":{"rendered":"http:\/\/pareto.fun\/?p=108"},"modified":"2021-08-10T00:32:34","modified_gmt":"2021-08-09T16:32:34","slug":"%e6%9f%90%e5%8e%82so%e5%88%86%e6%9e%90%e5%8a%a0%e5%af%86%e8%bf%87%e7%a8%8b%e5%88%86%e6%9e%90","status":"publish","type":"post","link":"http:\/\/pareto.fun\/?p=108","title":{"rendered":"\u67d0\u5382so\u52a0\u5bc6\u8fc7\u7a0b\u5206\u6790"},"content":{"rendered":"\n

\u9996\u5148\u5206\u6790il2cpp.so \u88ab\u52a0\u5bc6\uff0c\u5728\u4f9d\u8d56\u5e93\u4e2d\u5b58\u5728\u4e00\u4e2a\u975e\u516c\u6709\u5e93\u7684so\u5f15\u53d1\u4e86\u6000\u7591\uff0c<\/p>\n\n\n\n

libtprt.so ,\u53ef\u80fd\u662f\u7528\u6765\u89e3\u5bc6\u7684\uff0c\u65e2\u7136\u4f1a\u89e3\u5bc6\uff0c\u90a3\u4e48\u4e00\u5b9a\u4f1a\u8c03\u7528 mprotect \u4fee\u6539\u5185\u5b58\u5c5e\u6027\u3002<\/p>\n\n\n\n

\"image-20200921120219464\"<\/figure>\n\n\n\n

\u518d\u770blibtprt.so \u7684dynamic segment<\/p>\n\n\n\n

\"image-20200921132154879\"<\/figure>\n\n\n\n

\u6709\u4e2a\u53ef\u7591\u7684\u6bb5.tptext \u3002<\/p>\n\n\n\n

\u5728so\u4e2d\u627emprotect\u51fd\u6570\u3002\u627e\u5230\u4ee5\u4e0b\u7684\u51fd\u6570\uff0c\u5728\u5bf9tptext\u6bb5\u8fdb\u884c\u89e3\u5bc6\u3002\u521a\u597d\u8c03\u7528\u8be5\u51fd\u6570\u8fc7\u7a0b\u51fa\u73b0\u5728init_array \uff0c\u57fa\u672c\u786e\u5b9a\u662f\u5728\u89e3\u5bc6\u3002<\/p>\n\n\n\n

\"image-20200921131843045\"<\/figure>\n\n\n\n

\u5728IDA\u4f7f\u7528\u811a\u672c\u5bf9so\u7684tptext\u6bb5\u8fdb\u884c\u89e3\u5bc6\u3002<\/p>\n\n\n\n

import idc
def xor(begin_addr , len):
    retInt=0
    for i  in range(0,0xc78):
        curAd = begin_addr + i
        curByte = idc.Byte(curAd)
        idc.PatchByte(curAd , curByte^0xb8)
        <\/pre>\n\n\n\n
il2cpp size\u592a\u5927\uff0c\u4e3a\u4e86\u5206\u6790\u65b9\u4fbf\u6362\u6210\u53e6\u4e00\u4e2a\u4f9d\u8d56tprt.so\u7684so\u201cGameCore.so\u201d \uff0c \u5148\u770b<\/p>\n\n\n\n
\"image-20200921144714606\"<\/figure>\n\n\n\n
libGameCore.so \u7684init_proc \uff0c \u901a\u8fc7\u504f\u79fb\u5b9a\u4f4d\u5230\u5f85\u8c03\u7528\u51fd\u6570\u5730\u5740\u30020x2449B58.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u8d1f\u8d23\u89e3\u5bc6text segment\u3002\u53d1\u73b0\u4f7f\u7528\u4e86g_tprt_pfn_array \uff0c\u8ffd\u8e2a\u53d1\u73b0\u8fd9\u4e2a\u53d8\u91cf\u4e3atprt.so \u7684\u5bfc\u51fa\u53d8\u91cf\u3002<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
g_tprt_pfn_array \u5b58\u653e\u4e86\u8fde\u7eed\u51fd\u6570\u7684\u51fd\u6570\u3002<\/p>\n\n\n\n
\"image-20200921150654663\"<\/figure>\n\n\n\n
\u8c03\u7528decry_so\uff08”.text”,0,3\uff09 \u6765\u89e3\u5bc6\uff0c\u52a0\u5bc6\u65b9\u6cd5\u5f88\u7b80\u5355\u540c\u6837\u4e5f\u662f\u5f02\u6216\u8fd0\u7b97\uff0c\u4f46\u662f\u4f46\u662f\u4ee3\u7801\u6bb5\u53ef\u80fd\u5f88\u5927\uff0c\u4e3a\u4e86\u63d0\u9ad8\u6548\u7387\u505a\u4e86\u95f4\u65ad\u52a0\u5bc6\uff0c\u6bcf\u96944k\u505a\u4e00\u6b21\u52a0\u5bc6\u3002<\/p>\n\n\n\n
\u6bd4\u5982libil2cpp.so \u52a0\u5bc6\u4e86text section \u548crodata section \uff0c\u9488\u5bf9text section \uff0c\u9996\u5148\u662f\u83b7\u53d6text\u6bb5\u8d77\u59cb\u5730\u5740_start\uff0c\u7136\u540e\u52a0\u5bc6\u7684\u7b2c\u4e00\u4e2a\u7a7a\u95f4\u5927\u5c0f\u5219\u4e3a 0x1000 + (0x1000 – _start) \uff0c\u4e4b\u540e\u4fbf \u6bcf4k\u505a\u4e00\u6b21\u52a0\u5bc6\uff0c\u76f4\u5230text\u7ed3\u5c3e\u3002<\/p>\n\n\n\n
rodata section\u5219\u505a\u5b8c\u5168\u52a0\u5bc6\u3002<\/p>\n\n\n\n
http:\/\/kmanong.top\/kmn\/qxw\/form\/article?id=17265&cate=126<\/a><\/p>
https:\/\/bbs.pediy.com\/thread-253443.htm<\/a><\/p>
https:\/\/zhuanlan.zhihu.com\/p\/28462760<\/a> ADRL\u6307\u4ee4\u4ecb\u7ecd<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"
\u9996\u5148\u5206\u6790il2cpp.so \u88ab\u52a0\u5bc6\uff0c\u5728\u4f9d\u8d56\u5e93\u4e2d\u5b58\u5728\u4e00\u4e2a\u975e\u516c\u6709\u5e93\u7684so\u5f15\u53d1\u4e86\u6000\u7591\uff0c libtprt.s […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[11,9],"tags":[],"_links":{"self":[{"href":"http:\/\/pareto.fun\/index.php?rest_route=\/wp\/v2\/posts\/108"}],"collection":[{"href":"http:\/\/pareto.fun\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/pareto.fun\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/pareto.fun\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/pareto.fun\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=108"}],"version-history":[{"count":4,"href":"http:\/\/pareto.fun\/index.php?rest_route=\/wp\/v2\/posts\/108\/revisions"}],"predecessor-version":[{"id":278,"href":"http:\/\/pareto.fun\/index.php?rest_route=\/wp\/v2\/posts\/108\/revisions\/278"}],"wp:attachment":[{"href":"http:\/\/pareto.fun\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=108"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/pareto.fun\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=108"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/pareto.fun\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=108"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}