IL2CPP: Automatically decrypt XORed strings

2020-12-06 16:51:14 +01:00
parent 6cf7e63d2c
commit 12e9492161
1 changed files with 40 additions and 0 deletions
--- a/Il2CppInspector.Common/IL2CPP/Metadata.cs
+++ b/Il2CppInspector.Common/IL2CPP/Metadata.cs
@@ -143,9 +143,49 @@ namespace Il2CppInspector

            // Get all metadata string literals
            Position = Header.stringOffset;
+
+            // Naive implementation: this works for normal IL2CPP metadata but isn't good enough when the strings are encrypted
            while (Position < Header.stringOffset + Header.stringCount)
                Strings.Add((int)Position - Header.stringOffset, ReadNullTerminatedString());

+            // To check for encryption, find every single string start position by scanning all of the definitions
+            var stringOffsets =
+                                Images.Select(x => x.nameIndex)
+                        .Concat(Assemblies.Select(x => x.aname.nameIndex))
+                        .Concat(Assemblies.Select(x => x.aname.cultureIndex))
+                        .Concat(Events.Select(x => x.nameIndex))
+                        .Concat(Fields.Select(x => x.nameIndex))
+                        .Concat(Methods.Select(x => x.nameIndex))
+                        .Concat(Params.Select(x => x.nameIndex))
+                        .Concat(Properties.Select(x => x.nameIndex))
+                        .Concat(Types.Select(x => x.nameIndex))
+                        .Concat(Types.Select(x => x.namespaceIndex))
+                        .Concat(GenericParameters.Select(x => x.nameIndex))
+                        .OrderBy(x => x)
+                        .Distinct()
+                        .ToList();
+
+            // Now confirm that all the keys are present
+            // If they aren't, that means one or more of the null terminators wasn't null, indicating potential encryption
+            // Only do this if we need to because it's very slow
+            if (stringOffsets.Except(Strings.Keys).Any()) {
+
+                // Start again
+                Strings.Clear();
+                Position = Header.stringOffset;
+
+                // Read in all of the strings as if they are fixed length rather than null-terminated
+                foreach (var offset in stringOffsets.Zip(stringOffsets.Skip(1), (a, b) => (current: a, next: b))) {
+                    var encryptedString = ReadBytes(offset.next - offset.current - 1);
+
+                    // The null terminator is the XOR key
+                    var xorKey = ReadByte();
+
+                    var decryptedString = Encoding.GetString(encryptedString.Select(b => (byte) (b ^ xorKey)).ToArray());
+                    Strings.Add(offset.current, decryptedString);
+                }
+            }
+
            // Get all managed code string literals
            var stringLiteralList = ReadArray<Il2CppStringLiteral>(Header.stringLiteralOffset, Header.stringLiteralCount / Sizeof(typeof(Il2CppStringLiteral)));