A simple analysis of IL2CPP-related algorithms in Unity3D games



"Learn algorithm reversing for Unity3D games."

You may remember that, before analysing the gambling ("spinach") applications, I wrote up the reversing of a simple cocos2d game:

Cocos2d game jsc file format decryption: a SpiderMonkey adventure

Gaming application Audi Chess and Cards: protocol cracking analysis revealed

Analysis and cracking of encryption protocol of Tuyou Doudizhu

Recently I have been doing some reverse engineering of Unity3D games, which is a different branch of game reversing, and I would like to share it here. This article is a purely technical description; I will go through an actual game when the opportunity arises.

Unity3D is a very widely used game engine, and of course it is not limited to games. Many games on the market use this engine; the official website says that monthly downloads of Unity3D games are in the billions.

For example this game:

IL2CPP is the core of current Unity3D game builds. For details, please refer to the related articles; I won't go into them here. For game reverse engineering, the IL2CPP library contains the game's actual implementation of its algorithms, so analysing a game basically comes down to analysing the IL2CPP library. On the Android platform, for example, that means analysing libil2cpp.so.

01

How to analyze

For Unity3D games on the Android platform, you will see the following assets/bin/Data directory and files after unpacking:

Among them, global-metadata.dat is the main body of the resource metadata, and it references the files named by the hash values shown below.

In addition, the so library directory contains the libil2cpp.so library file:

This file is the actual implementation of the game: it reads global-metadata.dat and accesses the hash-named files to obtain resources such as strings.

Generally, reversing an IL2CPP Unity3D game only requires working from global-metadata.dat and libil2cpp.so. In theory, you can always find the algorithm function you want by going through the functions of libil2cpp.so one by one.

Of course, there is no need to do it that way, hehe.

For unhardened IL2CPP Unity3D games there is a very convenient tool, Il2CppDumper. It is very simple to use and works together with IDA to give functions meaningful names instead of the monotonous sub_xxx, which speeds up locating what you need; it can also be used with .NET tools such as ILSpy.

As more people take up reverse engineering, IL2CPP Unity3D games have entered the era of hardening. There are usually two protection methods: packing libil2cpp.so, and encrypting global-metadata.dat. This makes things complicated. There is no fixed rule; you have to follow the code step by step, which takes a lot of time and effort. Unless it is a big game, the analysis is hardly worth it, so I won't expand on it here.

02

Some words of experience

Many IL2CPP games have similar implementation logic. They all transport over HTTP or HTTPS, and the URL parameters carry a checksum. This is generally a salted MD5, with the salt differing slightly from game to game. If you can use Il2CppDumper, you only need to find the relevant MD5 function and hook it; Frida is enough, like this:

If Il2CppDumper cannot be used because global-metadata.dat has been encrypted, but libil2cpp.so is not packed, you can convert all of libil2cpp.so to pseudocode and then search the whole text for the characteristic numbers of the algorithm. A few searches and you can locate the spot you need; of course, you have to be patient.
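As an added example (not code from the original post), here is a small Python scanner for the "characteristic numbers" approach described above. It looks for the well-known MD5 constants (plus SHA-1, SHA-256 and CRC32 for comparison, since a binary may use more than one), either as little-endian 32-bit words in raw libil2cpp.so bytes or as hex literals in a decompiler's pseudocode dump. The sample bytes and pseudocode are constructed here, and the function name sub_1A2B3C is made up.

```python
import re
import struct

# Signature constants as they appear in an implementation.
# Note: SHA-1's first four state words equal the MD5 IV, so the MD5 K[]
# sine-table entries (or SHA-1's fifth word / round constants) are what
# actually tell the two apart.
SIGNATURES = {
    "MD5 IV": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476],
    "MD5 K[]": [0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE],
    "SHA-1 h4/K": [0xC3D2E1F0, 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6],
    "SHA-256 IV": [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A],
    "CRC32 table": [0x77073096, 0xEE0E612C, 0x990951BA, 0x076DC419],
}

def scan_binary(data: bytes) -> dict:
    """Find the constants as little-endian words in raw .so bytes.
    Returns {signature name: [file offsets]}. A hit only proves the
    constant is present; obfuscated builds may compute or split it."""
    hits = {}
    for name, words in SIGNATURES.items():
        for w in words:
            needle = struct.pack("<I", w)
            pos = data.find(needle)
            while pos != -1:
                hits.setdefault(name, []).append(pos)
                pos = data.find(needle, pos + 1)
    return hits

def scan_pseudocode(text: str) -> dict:
    """Find the same constants written as 0x........ literals in decompiler
    output. Returns {signature name: [1-based line numbers]}."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        literals = {int(m, 16) for m in re.findall(r"0x([0-9A-Fa-f]{8})\b", line)}
        for name, words in SIGNATURES.items():
            if literals & set(words):
                hits.setdefault(name, []).append(lineno)
    return hits

# Constructed sample input: a fake .so fragment with the MD5 IV after some
# filler, and a constructed pseudocode snippet in decompiler style.
SAMPLE_BIN = (b"\x00" * 16
              + struct.pack("<4I", 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
              + b"\xff" * 8)
SAMPLE_PSEUDO = """int sub_1A2B3C(int a1) {
  v3 = 0x67452301;
  v4 = 0xEFCDAB89;
  v7 = v3 + 0xD76AA478;
}"""

if __name__ == "__main__":
    print(scan_binary(SAMPLE_BIN))       # {'MD5 IV': [16, 20, 24, 28]}
    print(scan_pseudocode(SAMPLE_PSEUDO))  # {'MD5 IV': [2, 3], 'MD5 K[]': [4]}
```

Run it against a real dump by reading libil2cpp.so in binary mode or the exported pseudocode as text; a function that hits both the IV and the K[] table is the MD5 core, and its callers are where the salt is appended.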

That's all for this one. It's rather dry, but I hope it helps.


Origin blog.csdn.net/yeyiqun/article/details/107776917