While reversing BH3, I used Riru-Il2CppDumper to recover the symbol file and found that it does not succeed. Reading the code, I found that Perfare's approach is to hook dlopen to obtain the handle of the loaded library, and then use the various exported functions to perform the dump.
However, when I hooked dlopen with Frida, I found that libil2cpp.so does not seem to be loaded through dlopen. I found the protector libtersafe.so. I read online that one can try reading the solist in the linker, but I don't know how to do that.
**Logs:**
Result of hooking dlopen with Frida (deduplicated):

```
/data/app/~~khUXffJN9YalNGhlsUZpEA==/com.miHoYo.enterprise.NGHSoD-Bw8CL5J-HAk9mDVeK_xOVw==/lib/arm64/libAkGuitarDistortion.so
/data/app/~~khUXffJN9YalNGhlsUZpEA==/com.miHoYo.enterprise.NGHSoD-Bw8CL5J-HAk9mDVeK_xOVw==/lib/arm64/libAkPitchShifter.so
/data/app/~~khUXffJN9YalNGhlsUZpEA==/com.miHoYo.enterprise.NGHSoD-Bw8CL5J-HAk9mDVeK_xOVw==/lib/arm64/libAkRecorder.so
/data/app/~~khUXffJN9YalNGhlsUZpEA==/com.miHoYo.enterprise.NGHSoD-Bw8CL5J-HAk9mDVeK_xOVw==/lib/arm64/libAkSoundEngine.so
/data/app/~~khUXffJN9YalNGhlsUZpEA==/com.miHoYo.enterprise.NGHSoD-Bw8CL5J-HAk9mDVeK_xOVw==/lib/arm64/libAkStereoDelay.so
/data/app/~~khUXffJN9YalNGhlsUZpEA==/com.miHoYo.enterprise.NGHSoD-Bw8CL5J-HAk9mDVeK_xOVw==/lib/arm64/libAkTimeStretch.so
/data/app/~~khUXffJN9YalNGhlsUZpEA==/com.miHoYo.enterprise.NGHSoD-Bw8CL5J-HAk9mDVeK_xOVw==/lib/arm64/libGCloudVoice.so
/data/app/~~khUXffJN9YalNGhlsUZpEA==/com.miHoYo.enterprise.NGHSoD-Bw8CL5J-HAk9mDVeK_xOVw==/lib/arm64/libtersafe2.so
/data/app/~~khUXffJN9YalNGhlsUZpEA==/com.miHoYo.enterprise.NGHSoD-Bw8CL5J-HAk9mDVeK_xOVw==/lib/arm64/libulua.so
/data/app/~~wSqqPC_WlW7vwZk2j4JwFw==/com.google.android.trichromelibrary_469209834-mQ5a7AuM8x9KepdHEHgIfw==/base.apk!/lib/arm64-v8a/libmonochrome_64.so
libadreno_app_profiles.so
libandroid.so
libc.so
libEGL.so
libEGL_adreno.so
libGLESv1_CM_adreno.so
libGLESv2.so
libGLESv2_adreno.so
libmediandk.so
libOpenSLES.so
libtersafe.so
libtersafe2.so
```
Log of the Riru module (it gets stuck at obtaining the handle and cannot continue):

```
f52x:/ # logcat | grep Perfare
01-28 12:03:41.602 790 790 I Perfare : detect game: com.miHoYo.enterprise.NGHSoD
01-28 12:03:41.673 32321 32349 I Perfare : hack thread: 32349
01-28 12:03:41.674 32321 32349 I Perfare : api level: 30
01-28 12:03:41.776 32321 32349 I Perfare : do_dlopen at: 0x7f9c3e6558
01-28 12:03:41.776 32321 32349 I Perfare : __loader_dlopen at: 0x7f9c3e218c
```
**Code:**

Frida script for hooking dlopen:

```javascript
Java.perform(function () {
    // Module.findExportByName returns null (it does not throw) when the
    // symbol cannot be found, so a single lookup is enough here.
    var dlopen = Module.findExportByName(null, "dlopen");
    console.log("dlopen at: " + dlopen);
    if (dlopen != null) {
        Interceptor.attach(dlopen, {
            onEnter: function (args) {
                // dlopen(NULL, ...) is legal and returns the main program's
                // handle; readCString() on a NULL pointer would throw.
                if (args[0].isNull()) {
                    return;
                }
                var soName = args[0].readCString();
                // console.log(soName);
                if (soName.indexOf("libil2cpp.so") != -1) {
                    console.log('LOL');
                }
            },
            onLeave: function (retval) {
            }
        });
    }
});
```
Riru-Il2CppDumper: https://github.com/Perfare/Riru-Il2CppDumper
VersionAbove2018dot3 disabled, VersionAbove2021dot1 defined
UnityVersion 2017.2.1f1
Built with Android Studio
**Any other description:**

The dump never succeeds. But once it suddenly succeeded, and after that it never succeeded again…

**Environment:**

Android 11 (Magisk + Riru), Android API 30