从N1CTF2018 baby unity3d入门il2cpp逆向分析<\/h1>

前置知识<\/h2>

il2cpp基础概念<\/h3>

il2cpp是Unity引擎的脚本后端实现，将C#代码编译为C++代码<\/li>

主要包含两个关键文件：

libil2cpp.so：包含核心逻辑的二进制文件<\/li>

global-metadata.dat：包含元数据信息<\/li> <\/ul> <\/li> <\/ul>

必要工具<\/h3>

Il2CppDumper：用于解析il2cpp结构的工具

GitHub地址：https:\/\/github.com\/Perfare\/Il2CppDumper<\/li> <\/ul> <\/li>
IDA Pro：用于逆向分析so文件<\/li>
dnSpy：用于查看C#反编译代码<\/li>

frida-il2cpp-bridge：用于动态分析

GitHub地址：https:\/\/github.com\/vfsfitvnm\/frida-il2cpp-bridge<\/li> <\/ul> <\/li> <\/ul>

解题步骤<\/h2>

1. 文件提取与初步分析<\/h3>

解包APK获取关键文件：<\/p>

libil2cpp.so<\/li>
global-metadata.dat（通常被加密）<\/li> <\/ul> <\/li>

识别global-metadata.dat加密：<\/p>

文件头不是正常的"AF 1B B1 FA"<\/li>

需要从libil2cpp.so中寻找解密逻辑<\/li> <\/ul> <\/li> <\/ol>

2. 定位解密函数<\/h3>

调用链分析<\/h4>

il2cpp_init
  -> il2cpp::vm::Runtime::Init
    -> il2cpp::vm::MetadataCache::Initialize
      -> il2cpp::vm::MetadataLoader::LoadMetadataFile
<\/code><\/pre>
IDA分析技巧<\/h4>

从il2cpp_init开始跟踪<\/li>
识别关键函数：

sub_47C770对应Runtime::Init<\/li>
sub_4B5564对应MetadataCache::Initialize<\/li>
<\/ul>
<\/li>
关键字符串线索：

"CLKFIL\rMETIDITI\nDIT"是加密后的"global-metadata.dat"<\/li>
<\/ul>
<\/li>
<\/ol>
解密函数识别<\/h4>

sub_512FDC是核心解密函数<\/li>
解密算法：每4字节与key数组异或

key数组位置：0x518A24<\/li>
key数组大小：0x84个DWORD<\/li>
<\/ul>
<\/li>
<\/ul>
3. 解密global-metadata.dat<\/h3>
解密代码示例<\/h4>
#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    FILE *<\/span>file;
<\/span><\/span>    unsigned<\/span> char<\/span> *<\/span>buf;
<\/span><\/span>    size_t fileSize;
<\/span><\/span>    
<\/span><\/span>    file =<\/span> fopen("global-metadata.dat"<\/span>, "rb"<\/span>);
<\/span><\/span>    fseek(file, 0<\/span>, SEEK_END);
<\/span><\/span>    fileSize =<\/span> ftell(file);
<\/span><\/span>    rewind(file);
<\/span><\/span>    buf =<\/span> (unsigned<\/span> char<\/span> *<\/span>)malloc(fileSize);
<\/span><\/span>    fread(buf, 1<\/span>, fileSize, file);
<\/span><\/span>    fclose(file);
<\/span><\/span>
<\/span><\/span>    unsigned<\/span> int<\/span> key[] =<\/span> {0xF83DA249<\/span>, 0x15D12772<\/span>, \/* ...完整key数组... *\/<\/span>};
<\/span><\/span>    
<\/span><\/span>    for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> fileSize; i+=<\/span>4<\/span>){
<\/span><\/span>        *<\/span>((unsigned<\/span> int<\/span> *<\/span>)(buf +<\/span> i)) ^=<\/span> key[(i +<\/span> i\/<\/span>0x84<\/span>) %<\/span>0x84<\/span>];
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    FILE *<\/span>file_write =<\/span> fopen("output.bin"<\/span>, "wb"<\/span>);
<\/span><\/span>    fwrite(buf, 1<\/span>, fileSize, file_write);
<\/span><\/span>    fclose(file_write);
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解密后处理<\/h4>

修复文件头为"AF 1B B1 FA"<\/li>
<\/ul>
4. 使用Il2CppDumper解析<\/h3>


运行Il2CppDumper：<\/p>

输入：libil2cpp.so和解密后的global-metadata.dat<\/li>
输出：

Assembly-CSharp.dll（可用dnSpy查看）<\/li>
dump.cs（包含函数偏移信息）<\/li>
script.json（用于IDA脚本）<\/li>
<\/ul>
<\/li>
<\/ul>
<\/li>

IDA符号恢复：<\/p>

使用ida_py3.py脚本加载script.json<\/li>
自动恢复函数和类名<\/li>
<\/ul>
<\/li>
<\/ol>
5. 关键函数分析<\/h3>
CheckFlag函数<\/h4>

偏移：0x518A24<\/li>
参数：

text：a2<\/li>
password：TypeInfo+80 + 4000<\/li>
iv：TypeInfo+80 + 2364<\/li>
flag密文：StringLiteral_2814<\/li>
<\/ul>
<\/li>
<\/ul>
加密流程<\/h4>

对输入进行AESEncrypt<\/li>
与存储的flag密文比较<\/li>
<\/ol>
6. 动态分析技巧<\/h3>
使用frida-il2cpp-bridge<\/h4>

Hook AESEncrypt获取参数：<\/li>
<\/ol>
import<\/span> "frida-il2cpp-bridge"<\/span>;
<\/span><\/span>
<\/span><\/span>Il2Cpp<\/span>.perform<\/span>(() => {
<\/span><\/span>    const<\/span> assembly<\/span> =<\/span> Il2Cpp<\/span>.domain<\/span>.assembly<\/span>("Assembly-CSharp"<\/span>).image<\/span>;
<\/span><\/span>    assembly<\/span>.class<\/span>('Check'<\/span>).method<\/span>('AESEncrypt'<\/span>).implementation<\/span> =<\/span> function<\/span>(){
<\/span><\/span>        console<\/span>.log<\/span>(arguments<\/span>[0<\/span>]); \/\/ 密文
<\/span><\/span><\/span><\/span>        console<\/span>.log<\/span>(arguments<\/span>[1<\/span>]); \/\/ password
<\/span><\/span><\/span><\/span>        console<\/span>.log<\/span>(arguments<\/span>[2<\/span>]); \/\/ iv
<\/span><\/span><\/span><\/span>        return<\/span> this<\/span>.method<\/span>('AESEncrypt'<\/span>).invoke<\/span>(arguments<\/span>[0<\/span>],arguments<\/span>[1<\/span>],arguments<\/span>[2<\/span>]);
<\/span><\/span>    }
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>
Hook字符串比较获取flag密文：<\/li>
<\/ol>
import<\/span> "frida-il2cpp-bridge"<\/span>;
<\/span><\/span>
<\/span><\/span>Il2Cpp<\/span>.perform<\/span>(() => {
<\/span><\/span>    const<\/span> SystemString<\/span> =<\/span> Il2Cpp<\/span>.corlib<\/span>.class<\/span>("System.String"<\/span>);
<\/span><\/span>    var<\/span> compare<\/span> =<\/span> SystemString<\/span>.method<\/span>('Equals'<\/span>);
<\/span><\/span>    compare<\/span>.implementation<\/span> =<\/span> function<\/span>(){
<\/span><\/span>        console<\/span>.log<\/span>(`arg[0]: <\/span>${<\/span>arguments<\/span>[0<\/span>]}<\/span>`<\/span>);
<\/span><\/span>        console<\/span>.log<\/span>(`arg[1]: <\/span>${<\/span>arguments<\/span>[1<\/span>]}<\/span>`<\/span>);
<\/span><\/span>    }
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>
直接调用解密函数：<\/li>
<\/ol>
import<\/span> "frida-il2cpp-bridge"<\/span>;
<\/span><\/span>
<\/span><\/span>Il2Cpp<\/span>.perform<\/span>(() => {
<\/span><\/span>    function<\/span> getBytes<\/span>(str<\/span>){
<\/span><\/span>        return<\/span> Il2Cpp<\/span>.corlib<\/span>.class<\/span>("System.Text.UTF8Encoding"<\/span>).new<\/span>()
<\/span><\/span>               .method<\/span>('GetBytes'<\/span>,1<\/span>).invoke<\/span>(Il2Cpp<\/span>.string<\/span>(str<\/span>));
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    const<\/span> assembly<\/span> =<\/span> Il2Cpp<\/span>.domain<\/span>.assembly<\/span>("Assembly-CSharp"<\/span>).image<\/span>;
<\/span><\/span>    const<\/span> text<\/span> =<\/span> Il2Cpp<\/span>.string<\/span>('w0ZyUZAHhn16\/MRWie63lK+PuVpZObu\/NpQ\/E\/ucplc='<\/span>);
<\/span><\/span>    const<\/span> password<\/span> =<\/span> getBytes<\/span>('91c775fa0f6a1cba'<\/span>);
<\/span><\/span>    const<\/span> iv<\/span> =<\/span> getBytes<\/span>('58f3a445939aeb79'<\/span>);
<\/span><\/span>    const<\/span> val<\/span> =<\/span> assembly<\/span>.class<\/span>('Check'<\/span>).method<\/span>('AESDecrypt'<\/span>).invoke<\/span>(text<\/span>,password<\/span>,iv<\/span>);
<\/span><\/span>    console<\/span>.log<\/span>(val<\/span>); \/\/ 输出解密后的flag
<\/span><\/span><\/span><\/span>});
<\/span><\/span><\/code><\/pre>关键数据<\/h2>

flag密文：w0ZyUZAHhn16\/MRWie63lK+PuVpZObu\/NpQ\/E\/ucplc=<\/code><\/li>
password：91c775fa0f6a1cba<\/code><\/li>
iv：58f3a445939aeb79<\/code><\/li>
<\/ul>
总结<\/h2>

il2cpp逆向核心在于解析加密的global-metadata.dat<\/li>
解密通常采用异或等简单算法，关键在定位解密函数<\/li>
静态分析结合动态调试（frida）能有效提高效率<\/li>
Il2CppDumper是解析il2cpp结构的必备工具<\/li>
注意关键字符串和函数调用链的分析<\/li>
<\/ol>