background introduction
With the development of mobile games, the Unity3D engine has gradually become the mainstream game development solution, and the traditional cocos 2D games have gradually been replaced. God of Destruction, National Idol, National Assault and other games. With the continuous output of Unity3D games, the security requirements of games are getting higher and higher. Here we summarize some methods and ideas used in reverse engineering, as well as some auxiliary tools, and do some knowledge popularization.
Identifying Unity games
The apk package on the Android platform can be decompressed directly to see if there is a ./assets/bin/Data/Managed directory, and you can also check some so contained under the lib folder. If there are libmono, libunity and other modules, you can basically confirm that it is a unity game. .
The main logic module code written in C# on the Android platform is statically edited and stored in the Assembly-CSharp.dll file. Because of unity's cross-platform, the Android platform is a game compiled by unity, and the corresponding IOS platform is also compiled by unity. If you want to see whether it is a unity game directly from IOS, you can extract the main module in the game to see if there are functions such as unity.
Crack the train of thought
The following lists some ideas for the cracked version. If you can directly set a breakpoint and modify the register in the function header, you can directly modify the register test. If you encounter something that cannot be directly modified, use the second method to inject the modified Assembly-CSharp.dll Go to the game and let the game execute our modified code. In addition, the binary implementation can be dynamically and statically modified.
1. Modify the unity game logic code and compile it into assembly code related values
(1) Modify the parameters passed in, that is, registers, generally functions such as set
(2) Try not to modify the memory or opcode in the assembly code, you can directly change the register if you can change the register
2. Decompile Assembly-CSharp.dll and directly modify the C# source code of unity
(1) Modify the return value of the function
(2) Delete the function body directly, leaving only the ret instruction
(3) Modify the corresponding function and process the variable
(4) Add some call processing in the corresponding function, active call
3. Analyze the source code and directly modify the code
(1) Find the breakpoint modification register under the corresponding assembly instruction by analyzing the decompiled source code of unity
(2) Directly modify the binary code of the IL code by directly statically analyzing the dll
4. Dump the original dll code at the function position of the loaded dll, which can bypass the dll encryption and modify the source code
(1) hook the mono_image_open_from_data_full function, dump the dll, and use IDA to cooperate with jdb to suspend the process and dump the breakpoint at the function position. The specific modification scheme of the source code is the same as "two" and "three".
Common tool
1. IDA tool
A tool that can perform dynamic debugging and static analysis. It can set breakpoints at appropriate positions, modify specified registers, and write IDC scripts to cooperate with analysis. Not much introduction
2. ILSpy
Decompile and analyze dll code, cross-reference, save the decompiled code in source code form, and provide code to DirFind and other string search and location tools to locate the code location
三、 .NET Reflector + Reflexil
Decompile and analyze the dll code, make up for some functional defects of ILSpy, and can analyze the wrong CLR file header, some dll files that cannot be displayed in ILSpy, if only because the dll header is modified, put it in .NET Reflector can be analyzed. Reflexil is a plug-in of .NET Reflector, which can decompile and recompile IL code, which is convenient and practical for visualization.
4. Ilasm and ildasm
Ildasm can decompile dll, dump the decompiled il code, and Ilasm can repack the il code, use the command ilasm /dll *.il.
Commonly used IL code binary
(1) nop binary is 0x00
(2) ldc.i4.0 binary is 0x16
(3) ldc.i4.1 binary is 0x17
(4) ret binary is 0x2A
(5) ldc.r4 binary is 0x22, followed by four bytes
Case 1: Breakpoint under the function header (any damage caused by the anti-terrorism attack by the whole people)
Use ILSpy to decompile the unity game source code, find a function that affects damage in it, and find that the first parameter of the passed parameter is the damage value, then we use the breakpoint tool to set a breakpoint at the head of the FPlayerPawn::TakeDamage function, and then Modify the r1 register and continue running.
Case 2: Use IDA to set a breakpoint in the function header (Wukong subdues the devil to modify the blood value arbitrarily)
Using the source code of the unity game decompiled by ILSpy, find a function set_curHP that affects the blood volume setting, use the IDA tool to adjust the address to the next breakpoint, and modify the value of the r1 register.
Judging from the current situation, Unity engine games are still unsafe compared to cocos games. After all, many Unity games directly expose the dll. Even if the dll is not exposed, the dll can be directly dumped for decompilation and analysis. source code. The unity game can start from the assembly layer or the source code. In the assembly layer, you can directly find the compiled address of the function and then set a breakpoint; if you modify the source code, you need to inject the compiled dll into mono to load dll's place.