朱皮特的博客 自由的飞翔

unity3d引擎的游戏的脚本DUMP及HOOK方案优化

2017-03-01
朱皮特
阅读量:

对unity3d引擎的游戏,重要的资源就是C#脚本,脚本是被打包到APK的assets目录下的一些dll文件,有的APP可能会对其加密,运行的时候再动态解密。可以通过HOOK libmono.so中的函数mono_image_open_from_data_with_name就可以DUMP出原始内容,如果加入的有其他加解密代码,可以进一步地对解密函数进行HOOK,也是可以DUMP出内容的。

下面这个是以天天飞车为例进行的分析,先看一段LOG:

01-06 17:27:39.045 9550-9550/? I/Xposed: java.lang.Runtime loadLibrary() afterHookedMethod: tprt
01-06 17:27:39.155 9550-9550/? I/Xposed: Hid process: de.robv.android.xposed.installer
01-06 17:27:39.155 9550-9550/? I/Xposed: Hid process: com.netease.l10:PushService
01-06 17:27:39.155 9550-9550/? D/TssSDK: process_name: com.tencent.game.SSGame
01-06 17:27:39.155 9550-9550/? D/dalvikvm: Trying to load lib /data/app-lib/com.tencent.game.SSGame-1/libtprt.so 0x422f8cc0
01-06 17:27:39.155 9550-9550/? D/dalvikvm: Shared lib '/data/app-lib/com.tencent.game.SSGame-1/libtprt.so' already loaded in same CL 0x422f8cc0
01-06 17:27:39.155 9550-9550/? I/Xposed: java.lang.Runtime loadLibrary() afterHookedMethod: tprt
01-06 17:27:39.165 9550-9550/? D/SUBSTRATEHOOK: the dlopen name =: /data/app-lib/com.tencent.game.SSGame-1/libtersafe.so
01-06 17:27:39.655 9550-9550/? D/SUBSTRATEHOOK: the dlopen name =: /data/app-lib/com.tencent.game.SSGame-1/libmono.so
01-06 17:27:39.660 9550-9550/? D/SUBSTRATEHOOK: the dlopen name =: libmono.so
01-06 17:27:39.660 9550-9550/? D/SUBSTRATEHOOK: [newdlopen] hook libmono.so
01-06 17:27:39.660 9550-9550/? D/SUBSTRATEHOOK: [dumplua] libmono.so handle: 0x726c3924
01-06 17:27:39.660 9550-9550/? D/SUBSTRATEHOOK: [dumplua] mono_image_open_from_data_with_name_0 found: 0x7698fc4c

01-06 17:27:39.750 9550-9550/? I/Xposed: java.lang.Runtime loadLibrary() afterHookedMethod: main
01-06 17:27:39.755 9550-9550/? D/SUBSTRATEHOOK: the dlopen name =: /data/app-lib/com.tencent.game.SSGame-1/libmono.so
01-06 17:27:39.755 9550-9550/? D/SUBSTRATEHOOK: the dlopen name =: /data/app-lib/com.tencent.game.SSGame-1/libunity.so
01-06 17:27:39.775 9550-9550/? D/SUBSTRATEHOOK: the dlopen name =: libc.so

用IDA查看libmain.so发现有加载mono的逻辑,但是实际HOOK发现在main之前就已经加载了mono,原因是libtersafe.so里面有加载mono的逻辑,因为tersafe在main之前加载,所以才导致了mono比main更早地被加载了。通过上面的LOG时间顺序可以看出来。

而且这个mono并不是通过java层代码加载的,因此我们之前的xposed通过HOOK Runtime的load及loadLibrary是无法拦截mono的加载的(之前分析cocos的时候是通过拦截game这个so加载的时候注入的SO)。

//当目标SO加载时再注入
private void hookLoadSharedLibrary(final XC_LoadPackage.LoadPackageParam lpparam, final String hostSoName) {
    if (TextUtils.isEmpty(hostSoName) == true) {
        return;
    }

    /*
      xposed不能HOOK java.lang.System loadLibrary函数,参考:[Hooking System.loadLibrary causes crash. #87] https://github.com/rovo89/XposedBridge/issues/87
     */
    XC_MethodHook.Unhook unhook = findAndHookMethod(Runtime.class, "loadLibrary", String.class, ClassLoader.class, new XC_MethodHook() {
        @Override
        protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
            //XposedBridge.log("java.lang.Runtime loadLibrary() beforeHookedMethod: " + param.args[0]);
        }

        @Override
        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
            super.afterHookedMethod(param);
            String target = (String) param.args[0];
            XposedBridge.log("java.lang.Runtime loadLibrary() afterHookedMethod: " + target);
            if (target.equals(hostSoName)) {
                loadInjectSoFile(lpparam);
            }
        }
    });

    if (unhook != null) {
        XposedBridge.log("java.lang.Runtime loadLibrary() hook ok");
    } else {
        XposedBridge.log("java.lang.Runtime loadLibrary() hook failed");
    }

    findAndHookMethod(Runtime.class, "load", String.class, new XC_MethodHook() {
        @Override
        protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
            //XposedBridge.log("java.lang.Runtime load() beforeHookedMethod: " + param.args[0]);
        }

        @Override
        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
            super.afterHookedMethod(param);
            XposedBridge.log("java.lang.Runtime load() beforeHookedMethod: " + param.args[0]);
        }
    });
}                                                             

因为这里的mono是被别其他的SO在初始化的时候(JNI_OnLoad)通过dlopen加载的,所以就导致了在xposed中无法拦截目标SO的加载事件,很容易漏网。那么该怎么办呢?

  • 想法一:如果APP有SO(一个或多个),即使有个别SO是在其他SO的JNI_OnLoad中通过dlopen加载的,那么至少要有一个SO是要通过java层代码加载。那就要面临一个问题,到底应该拦截哪个SO呢?就像上面的那个例子一样,本来以为只要拦截main这个so的加载,但是tersafe被加载的时候mono就已经被加载了。而且每次要具体分析哪个SO加载了目标SO,还是有点麻烦的,不够通用。
  • 想法二:在xopsed层不拦截Runtime的load及loadLibrary函数了,只要拦截到APP启动,就load注入SO,也就是第一时间把SO注入到目标APP中去。然后被注入的SO HOOK掉dlopen函数来拦截目标SO的加载,当目标SO加载时(libmono.so或libgame.so)再去做其他HOOK操作。由于Runtime的load及loadLibrary函数最终还是要调用到JNI层的dlopen函数,因此该方法可行,且不会漏掉SO的加载。

想法二可行是可行,但是会引来两个个问题:

  • 问题一:注入SO由于过早地被加载到目标进程,在JNI_OnLoad中动态获取目标APP的包名会失效。
  • 问题二:dlopen被HOOK,自己的代码需要调用的时候需谨慎,以免进入死循环。

解决办法

  • 问题一:注入SO由于过早地被加载到目标进程,在JNI_OnLoad中动态获取目标APP的包名会失效。下面代码中getPackagePath的是获取/data/data/com.youzu.android.snsgz类似路径的。
    extern "C" jint JNI_OnLoad(JavaVM* vm, void* reserved)  
    {
      JNIEnv* env = NULL;
      jint result = -1;  
      LOGD("[dumplua] %s begin", __FUNCTION__);
      if( vm->GetEnv((void**)&env, JNI_VERSION_1_6) != JNI_OK) {
          LOGE("utility GetEnv error");
          return result;
      }
    
      g_thisenv = env;
      g_bDataPathGot = getPackagePath(env, g_strDataPath);
      LOGD("[dumplua] data path: %s", g_strDataPath.c_str());
      hook();
    
      LOGD("[dumplua] %s end", __FUNCTION__);
      return JNI_VERSION_1_6;  
    }
    

    解决办法:先缓存一个JNIEnv指针,记录路径是否获取成功的状态。等到后面保存文件的时候再判断一下,如果之前没有成功获取到路径,那么在保存文件之前获取一下即可。

    string getNextFilePath(const char *fileExt) {
      char buff[100] = {0};
      ++g_nCount;
      if ( g_bDataPathGot==false ) {
          g_bDataPathGot = getPackagePath(g_thisenv, g_strDataPath);
      }
      sprintf(buff, "%s/cache/%d%s", g_strDataPath.c_str(), g_nCount, fileExt);
      return buff;
    }
    

    动态获取包名的代码可以参考:android jni签名验证(一)

  • 问题二:dlopen被HOOK,自己的代码需要调用dlopen的时候需谨慎,以免进入死循环。

解决办法:缓存目标SO的句柄,后期直接使用,规避对dlopen的调用或者调用olddlopen。参考:如何hook dlopen和dlsym底层函数

void* (*olddlopen)(const char* filename, int myflags) = NULL;
void* newdlopen(const char* filename, int myflags) {
	LOGD("the dlopen name =: %s",filename);
	void *handle = olddlopen(filename, myflags);

	if ( strcmp(filename, "libmono.so")==0 ) {
		if ( g_bU3dHooked==false ) {
			//libmono.so加载了,但是发现之前并没有HOOK成功
			g_handlelibMonoSo = handle;
			LOGD("[%s] hook libmono.so", __FUNCTION__);
			g_bU3dHooked = hookU3D();
		}
	}else if ( strcmp(filename, "libgame.so")==0 ) {
		if ( g_bCocosHooked==false ) {
			g_handlelibGameSo = handle;
			LOGD("[%s] hook libgame.so", __FUNCTION__);
			g_bCocosHooked = hookCocos();
		}
	}
	return handle;
}



bool hookU3D() {
	void *handle = NULL;
	if ( g_handlelibMonoSo==NULL ) {
		if ( olddlopen==NULL ) {
			handle = dlopen("libmono.so", RTLD_NOW);
		}else{
			handle = olddlopen("libmono.so", RTLD_NOW);
		}
		if (handle == NULL) {
			LOGE("[dumplua]dlopen err: %s.", dlerror());
			return false;
		}
	}else{
		handle = g_handlelibMonoSo;
		LOGD("[dumplua] libmono.so handle: %p", handle);
	}

	void *mono_image_open_from_data_with_name = dlsym(handle, "mono_image_open_from_data_with_name");
	if (mono_image_open_from_data_with_name == NULL){
		LOGE("[dumplua] mono_image_open_from_data_with_name not found!");
		LOGE("[dumplua] dlsym err: %s.", dlerror());
	}else{
		LOGD("[dumplua] mono_image_open_from_data_with_name found: %p", mono_image_open_from_data_with_name);
		MSHookFunction(mono_image_open_from_data_with_name, (void *)&mono_image_open_from_data_with_name_mod, (void **)&mono_image_open_from_data_with_name_orig);
	}

	return true;
}

这里是拦截的天天飞车的LOG信息:

01-06 17:19:41.075 1286-1397/? D/SUBSTRATEHOOK: [dumplua] mono_image_open_from_data_with_name, name: /data/app/com.tencent.game.SSGame-1.apk/assets/bin/Data/Managed/UnityEngine.dll, len: 310272, buff: MZ�
01-06 17:19:41.345 1286-1397/? D/SUBSTRATEHOOK: [dumplua] mono_image_open_from_data_with_name, name: /data/app/com.tencent.game.SSGame-1.apk/assets/bin/Data/Managed/Assembly-CSharp-firstpass.dll, len: 2926592, buff: MZ�
01-06 17:19:41.625 1286-1397/? D/SUBSTRATEHOOK: [dumplua] mono_image_open_from_data_with_name, name: /data/app/com.tencent.game.SSGame-1.apk/assets/bin/Data/Managed/Assembly-CSharp.dll, len: 7148544, buff: MZ�
01-06 17:19:41.690 1286-1397/? D/SUBSTRATEHOOK: [dumplua] mono_image_open_from_data_with_name, name: /data/app/com.tencent.game.SSGame-1.apk/assets/bin/Data/Managed/UnityEngine.UI.dll, len: 171520, buff: MZ�
01-06 17:19:41.690 1286-1397/? D/SUBSTRATEHOOK: [dumplua] mono_image_open_from_data_with_name, name: /data/app/com.tencent.game.SSGame-1.apk/assets/bin/Data/Managed/poly2tri.dll, len: 43008, buff: MZ�

稍微复杂点的qn游戏的mono_image_open_from_data_with_name被修改过,添加了一个mono_image_open_from_data_with_name_0函数,在里面做进一步的操作,但是mono_image_open_from_data_with_name_0并没有导出,可以通过两个函数的偏移差来动态计算。

  • IDA里分别查看两个函数的地址,并记下偏移差:001E1888 - 00190A7C = 50E0C
  • 代码先获取mono_image_open_from_data_with_name的地址,再加上偏移差(50E0C),然后进行HOOK ``` int (*mono_image_open_from_data_with_name_orig)(char *data, int data_len, int a3, int a4, int a5, int a6, char a7, int a8) = NULL; int mono_image_open_from_data_with_name_mod(char *data, int data_len, int a3, int a4, int a5, int a6, char a7, int a8) { LOGD(“[dumplua] mono_image_open_from_data_with_name, len: %d, buff: %s”, data_len, data); int ret = mono_image_open_from_data_with_name_orig(data, data_len, a3, a4, a5, a6, a7, a8); //saveFile(data, data_len, getNextFilePath(“.dll”).c_str()); return ret; }

MSHookFunction((void *)((char *)(mono_image_open_from_data_with_name) +0x50E0C), (void *)&mono_image_open_from_data_with_name_mod, (void **)&mono_image_open_from_data_with_name_orig); ```


Comments

Content