逆向 | 逃离鸭科夫 unity mono游戏hook
依旧是处理上一个博客的问题,这次直接用扫内存提jit的方式来找到目标函数,然后进行hook。
之后做详细视频发b站,这里就贴个代码。
好久不手搓硬编码和inlinehook犯了好多错,整个思路一团混乱,不过总算是最后弄对了,下次就思路清晰了。
依旧是frida来操作,方便。
不能信AI的代码,要自己去校验段protect,可能会有问题,AI会想当然的传参数然后没有成功获取到段执行权限(破口大骂)。
P.S.cheatengine的mono功能可以很好的利用,非常好使!事半功倍!!
py:
from __future__ import print_function # 这里__future__的目的是引入新版本特性
import frida
import sys
import threadingimport timesession = frida.attach('Duckov.exe')# ---------------------------------------------old ver
# 读取js脚本
# with open('hook.js', 'r', encoding='utf-8') as f:
# js_hook = f.read()# script = session.create_script(js_hook)# def add_hp(args):
# while 1:
# time.sleep(5)
# print('call add hp')
# script.exports.addhp()# t1 = threading.Thread(target=add_hp, args=(0,))
# def on_message(message,data):
# print(message)
# script.on('message', on_message)
# script.load()
# t1.start()
# sys.stdin.read()
# -----------------------------------------------with open('hook_new.js', 'r', encoding='utf-8') as f:js_hook = f.read()
script = session.create_script(js_hook)def on_message(message,data):print(message)
script.on('message', on_message)
script.load()
sys.stdin.read()
js:
function hexToLittleEndianBytes(hexStr) {// 1. 移除0x前缀,确保只保留十六进制字符const pureHex = hexStr.replace(/^0x/i, '');// 2. 补全偶数位(十六进制字符串长度必须为偶数,才是完整字节)const evenHex = pureHex.length % 2 === 1 ? '0' + pureHex : pureHex;// 3. 小端序:从字符串末尾(低位)开始,每2个字符取1字节const bytes = [];for (let i = evenHex.length - 2; i >= 0; i -= 2) {// 截取2个字符(注意:substring(start, end),end是排他的)const byteHex = evenHex.substring(i, i + 2);// 转换为十进制字节值(0-255)const byteValue = parseInt(byteHex, 16);bytes.push(byteValue);}return bytes;
}function scan(pattern) {const locations = new Set();// console.log(Process.enumerateMallocRanges())console.log("-----start scan-----")var sections = Process.enumerateRanges("rwx")console.log(sections)console.log("----------")for (const r of sections) {console.log(`${r.base} : ${r.size} : ${r.protection} : ${r.file}`)for (const match of Memory.scanSync(r.base, r.size, pattern)) {locations.add(match.address.toString());}}var matches = Array.from(locations).map(ptr);console.log('Found', matches.length, 'matches');console.log(matches)return matches
}// Health.hurt函数
var Health_hurt_func = scan('55 48 8B EC 48 81 EC 90 06 00 00 48 89 5D C8')[0]
console.log(Health_hurt_func)// 手搓inlinehook
const codeSize = 1024;
const codeMemory = Memory.alloc(codeSize);
Memory.protect(codeMemory, codeSize, "rwx");
var codeMemoryBytes = hexToLittleEndianBytes(codeMemory.toString());
var Health_hurt_funcBytes = hexToLittleEndianBytes(Health_hurt_func.add(15).toString());var codeBuffer = [0x52,
0x48,0x8b,0x51,0x50,
0x83,0xfa,0x00,
0x75,0x07,
0x5a,
0x48,0xc7,0xc0,0x01,0x00,0x00,0x00,
0xc3,
0x5a,
0x55,
0x48,0x8b,0xec,
0x48,0x81,0xec,0x90,0x06,0x00,0x00,
0x48,0x89,0x5d,0xc8,
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0xff,0xe0]
// 修改跳转地址
for (let _i = 0; _i < Health_hurt_funcBytes.length; _i ++){codeBuffer[37+_i] = Health_hurt_funcBytes[_i]
}
console.log(codeBuffer)
codeMemory.writeByteArray(codeBuffer) // 注入代码
console.log(`inject code addr: ${codeMemory}`)
console.log(codeMemory.toString())// 修改hook地址
//修改原函数
var jmp_code = [
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0xff,0xe0
]
for (let _j = 0; _j < codeMemoryBytes.length; _j ++){jmp_code[2+_j] = codeMemoryBytes[_j]
}
console.log(jmp_code)
// 启动hook
Health_hurt_func.writeByteArray(jmp_code)/*
思路:
0x52,
0x48,0x8b,0x51,0x50,
0x83,0xfa,0x00,
0x75,0x07,
0x5a,
0x48,0xc7,0xc0,0x01,0x00,0x00,0x00,
0xc3,
0x5a,
0x55,
0x48,0x8b,0xec,
0x48,0x81,0xec,0x90,0x06,0x00,0x00,
0x48,0x89,0x5d,0xc8,
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0xff,0xe0---
0x52, push rdx
0x48,0x8b,0x51,0x50, mov rdx, [rcx+50]
0x83,0xfa,0x00, cmp edx, 0
0x75,0x09, jne $9
0x5a, pop rdx
0x48,0xc7,0xc0,0x01,0x00,0x00,0x00, mov rax, 1
0xc3, ret
0x5a, pop rdx
0x55, push rbp // yuan函数开头
0x48,0x8b,0xec, mov rbp, rsp
0x48,0x81,0xec,0x90,0x06,0x00,0x00,
0x48,0x89,0x5d,0xc8, // 共15个字节
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, //跳回去mov rax, 0xxxxxxxxxxxx
0xff,0xe0 jmp rax
------------------------
var jmp_code = [
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0xff,0xe0
]*/// var origin_code = Health_hurt_func.readByteArray(15)// hook不好返回
// Interceptor.attach(ptr(Health_hurt_func),{
// onEnter: function(args){
// console.log('[*] Health_hurt_func !!!')
// var _rcx = this.context.rcx
// var team = _rcx.add(0x50).readU64()
// console.log(`team: ${team}`)
// if (team == 0x100000000){
// console.log("is player!")
// // args.returnValue = 1
// this.context.rax = ptr("0")
// this.return()
// }
// console.log("\n-----------------------\n")
// },
// // onLeave: function(retval){
// // console.log("retval: "+retval)
// // }
// });
![*题解:P3960 [NOIP 2017 提高组] 列队](http://pic.xiahunao.cn/*题解:P3960 [NOIP 2017 提高组] 列队)
)
)
