[Tutorial] How to crack Unity Games
For beginners, you can refer to https://gbatemp.net/threads/a-small-tutorial-on-asm-hacks-cheats-for-unity-games.606330/
and crack the games
However, if il2cppdumper does not work in auto mode, we need to find the CodeRegistration addresses manually.
Here is a script that handles the cases where il2cppdumper does not work in auto mode.
Note:
Always use main.elf instead of main.nso for Unity games.
The NSO should be extracted to ELF first, since there is a bug in il2cppdumper with LZ4.
Also, in some Unity game versions, such as v27.1 and v24.2, il2cppdumper wrongly shifts the CodeRegistration address by -0x8 and -0x18 respectively.
So when you get an error, you need to try increasing the CodeRegistration address by +8 or +18, etc.
IDAPython script: https://gbatemp.net/attachments/1649832772928-png.306012/
Python:
# This Script is Programmed by Eiffel2018
# Tested in IDA PRO v7.5+ with Python 3.9.x
# Operate with a clean NSO (or main.elf)
"""Locate the il2cpp CodeRegistration / MetadataRegistration pointers in a Switch Unity binary.

Run inside IDA (7.5+, Python 3) on a clean main.nso / main.elf.  The driver at
the bottom finds the il2cpp initialisation call inside nnMain by byte pattern,
follows the third BL, reads the ADRP/LDR pairs that fill X0 and X1 in the
callee, and prints the two qwords stored at those addresses.

makeFunc() calls del_items() / add_func(), i.e. it edits the IDB in place;
work on a copy of the database.

NOTE(review): only idc, ida_search, ida_segment, ida_kernwin and ida_funcs are
imported explicitly.  idaapi and the bare names used below (BADADDR, is_code,
get_full_flags, get_func_attr, get_prev_func, get_wide_dword, del_items,
find_func_end, print_insn_mnem, print_operand, auto_wait, get_name_ea,
get_operand_value, warning, jumpto, get_qword, SEARCH_DOWN, SEARCH_NEXT,
FUNCATTR_START, FUNCATTR_END) rely on IDA's script console pre-loading them;
the file is not importable as a plain module.
"""
import idc,ida_search,ida_segment,ida_kernwin,ida_funcs

# A segment literally named 'main' is present in one loading mode (presumably a
# gdb / memory-dump style database -- TODO confirm); otherwise fall back to the
# ELF section names.  All four window bounds are computed once at load time.
gdb = ida_segment.get_segm_by_name('main') != None
Base= ida_segment.get_segm_by_name('main').start_ea if gdb else ida_segment.get_segm_by_name('.text').start_ea
# Code search window.  +0x30 skips the first bytes of the image (presumably the
# module header region -- TODO confirm against the loader being used).
CodeStart = Base+0x30
CodeEnd = ida_segment.get_segm_by_name('main').end_ea if gdb else ida_segment.get_segm_by_name('.rodata').start_ea
# Data window.  Defined alongside the code window but not referenced by
# anything in this script.
DataStart = ida_segment.get_segm_by_name('main_data').start_ea if gdb else ida_segment.get_segm_by_name('.rodata').start_ea
DataEnd = ida_segment.get_segm_by_name('main_data').end_ea if gdb else ida_segment.get_segm_by_name('.init_array').end_ea

def cls():
    """Focus IDA's Output window and clear it (UI side effect only)."""
    ida_kernwin.activate_widget(ida_kernwin.find_widget("Output window"), True); ida_kernwin.process_ui_action("msglist:Clear");

def isFound(opAddr: int) -> bool:
    """Return True when an IDA search/lookup result is a real address (not BADADDR)."""
    return opAddr != BADADDR

def notFound(opAddr: int) -> bool:
    """Return True when an IDA search/lookup result is BADADDR."""
    return opAddr == BADADDR

def isCode(targetAddr: int) -> bool:
    """Return True when IDA's item flags mark targetAddr as code."""
    return is_code(get_full_flags(targetAddr))

def makeFunc(addr: int) -> None:
    """Ensure addr lies inside a defined function, creating functions until it does.

    Addresses outside the (CodeStart, CodeEnd) window are ignored.  Otherwise the
    address is aligned down to an instruction boundary and, while IDA reports no
    function at addr or the bytes there are not flagged as code, a new function
    is started right after the end of the nearest preceding function.  This
    mutates the IDB (del_items / add_func).  Returns nothing.

    NOTE(review): nothing bounds the outer loop -- if ida_funcs.add_func keeps
    failing for the same funcStart the loop never terminates; a retry limit
    would make the failure visible instead.
    """
    if not(CodeEnd>addr>CodeStart): return
    # Align down to a 4-byte AArch64 instruction boundary.
    addr=addr//4*4
    while idaapi.get_func(addr)==None or not(isCode(addr)):
        # Candidate start: first byte after the end of the previous function.
        funcStart=get_func_attr(get_prev_func(addr),FUNCATTR_END)
        # Skip inter-function padding: zero words, the AArch64 NOP encoding
        # (0xD503201F) and 0xE7FFDEFE (presumably a trap/padding word -- TODO confirm).
        while get_wide_dword(funcStart) in (0,0xD503201F,0xE7FFDEFE): funcStart+=4
        print('Making Function at %X'%(funcStart))
        # Undefine whatever IDA had at funcStart so add_func can start fresh.
        del_items(funcStart)
        if not(ida_funcs.add_func(funcStart)):
            # IDA could not infer the end on its own; ask find_func_end, and if
            # that also fails walk forward to the first unconditional exit
            # (RET / B / BR), the end of the code window, or a padding word.
            funcEnd=find_func_end(funcStart)
            if notFound(funcEnd) or funcEnd<funcStart:
                funcEnd=funcStart+4
                while print_insn_mnem(funcEnd) not in ('RET','B','BR') and funcEnd<CodeEnd and not(get_wide_dword(funcEnd) in (0,0xD503201F,0xE7FFDEFE)): funcEnd+=4
                # Include the exit instruction itself in the function.
                if print_insn_mnem(funcEnd) in ('RET','B','BR'): funcEnd+=4
            ida_funcs.add_func(funcStart,funcEnd)
        # Let the auto-analyser digest the new function before re-checking addr.
        auto_wait()

def getFuncStart(targetAddr: int) -> int:
    """Return the start address of the function containing targetAddr, creating it if needed.

    Delegates to makeFunc first; the result is whatever get_func_attr reports
    (BADADDR when no function covers targetAddr).
    """
    makeFunc(targetAddr)
    return get_func_attr(targetAddr,FUNCATTR_START)

def getFuncEnd(targetAddr: int) -> int:
    """Return the end address of the function containing targetAddr, creating it if needed.

    Delegates to makeFunc first; the result is whatever get_func_attr reports
    (BADADDR when no function covers targetAddr).
    """
    makeFunc(targetAddr)
    return get_func_attr(targetAddr,FUNCATTR_END)

def AOB(pattern: str,searchStart: int = CodeStart,searchEnd: int = CodeEnd) -> int:
    """Byte-pattern ("array of bytes") search in [searchStart, searchEnd).

    pattern uses IDA's find_binary syntax (hex bytes, '?' wildcard).  The
    defaults are bound to the code window at definition time.  Returns the
    first match address, or BADADDR.
    """
    return ida_search.find_binary(searchStart, searchEnd, pattern, 0, SEARCH_DOWN|SEARCH_NEXT)

def searchNextASM(addr: int,command: str,operand: str | None = None) -> int:
    """Scan forward from addr (inclusive) for an instruction with the given mnemonic.

    The scan steps 4 bytes at a time and stops at the end of addr's function
    (created via getFuncEnd if necessary).  When operand is given, the first
    printed operand must match it too.  Returns the match address or BADADDR.
    """
    funcEnd=getFuncEnd(addr)
    while addr<funcEnd:
        if operand==None:
            if print_insn_mnem(addr)==command: break
        else:
            if print_insn_mnem(addr)==command and operand==print_operand(addr,0): break
        addr+=4
    return addr if addr<funcEnd else BADADDR

def searchPrevASM(addr: int,command: str,operand: str | None = None) -> int:
    """Scan backward from addr (inclusive) for an instruction with the given mnemonic.

    Mirror of searchNextASM, bounded by the start of addr's function.  Returns
    the match address or BADADDR.  Not used by the driver below.
    """
    funcStart=getFuncStart(addr)
    while addr>=funcStart:
        if operand==None:
            if print_insn_mnem(addr)==command: break
        else:
            if print_insn_mnem(addr)==command and operand==print_operand(addr,0): break
        addr-=4
    return addr if addr>=funcStart else BADADDR

# ---- driver ---------------------------------------------------------------
cls()
nnMain=get_name_ea(0,'nnMain')
# Pattern: MOV W0,#1 followed by three BL instructions (0x97 top byte).
# 'E0 03 00 32' is the ORR-form encoding of the move, '20 00 80 52' the MOVZ
# form; one or the other is emitted depending on the compiler.
addr=AOB('E0 03 00 32 ? ? ? 97 ? ? ? 97 ? ? ? 97',nnMain,getFuncEnd(nnMain))
if notFound(addr): addr=AOB('20 00 80 52 ? ? ? 97 ? ? ? 97 ? ? ? 97',nnMain,getFuncEnd(nnMain))
# NOTE(review): warning() only shows a dialog; execution continues and the
# BADADDR is used on the next line.  The same applies to every 'Logic Error'
# check below -- an early return / raise after the warning would be safer.
if notFound(addr): warning('Pattern not found')
# Target of the third BL (byte offset 12 in the pattern).
funcAddr=get_operand_value(addr+12,0)
# X0 := page from ADRP X0 + displacement from the following LDR X0 -> address
# of the pointer variable.
X0Addr=searchNextASM(funcAddr,'ADRP','X0')
if notFound(X0Addr): warning('Logic Error')
X0Addr2=searchNextASM(X0Addr,'LDR','X0')
if notFound(X0Addr2): warning('Logic Error')
X0=get_operand_value(X0Addr,1)+get_operand_value(X0Addr2,1)
# Same for X1.
X1Addr=searchNextASM(funcAddr,'ADRP','X1')
if notFound(X1Addr): warning('Logic Error')
# NOTE(review): this search starts at X0Addr rather than X1Addr -- looks like a
# copy-paste slip; it only gives the right LDR when that LDR lies after X0Addr.
X1Addr2=searchNextASM(X0Addr,'LDR','X1')
if notFound(X1Addr2): warning('Logic Error')
X1=get_operand_value(X1Addr,1)+get_operand_value(X1Addr2,1)
# Move the IDA cursor to the CodeRegistration pointer slot and report both
# pointer values read from the binary.
jumpto(X0)
print('CodeRegistration=%X\nMetadataRegistration=%X'%(get_qword(X0),get_qword(X1)))