Ghidra script improvements (#7)

* Always set image base to 0 for Ghidra

* Script improvements

Everything here is for Ghidra:
* Use `%` instead of f-strings (Ghidra still uses Python 2.7, while f-strings were added in 3.6)
* Handle errors when applying a type (Ghidra throws an exception, unlike IDA)
* Don't trigger the decompiler (analysis will be faster)
* Revert back string literals

* Set image base to zero only for ELF

I don't know about PE with Ghidra

* Update README for disassemblers

* IDA 7.6 required due to `ida_ida.inf_is_32bit_exactly()`

* Ghidra now doesn't launch the decompiler for the whole binary

* Set image base to 0 in script

Remove %IMAGE_BASE% since we don't use it anymore

* Create XREFs for Ghidra

Now you can jump from `MethodInfo` to actual method

* Fix demangler for Ghidra

Ghidra's demangler can process only functions in auto analysis. Now both `TypeInfo` and `MethodInfo` are displayed properly

---------

Co-authored-by: commonuserlol <commonuserlol@users.noreply.github.com>
commonuserlol
2024-08-10 22:00:41 +03:00
committed by GitHub
parent 61087849bd
commit 665e70324f
5 changed files with 74 additions and 35 deletions


@@ -20,9 +20,9 @@ This is a continuation of [Il2CppInspector, by djkaty](https://github.com/djkaty
- Made ValueTypes use their non-boxed variants when used as the this parameter
- Added labeling of FieldInfo/FieldRva MetadataUsages and their respective values as comments
- Implemented name mangling to properly display generics and other normally-replaced characters
- Much faster processing compared to the old version
* Overhauled IDA script:
- Added a progress indicator box with the current step, progress, and elapsed time
- Much faster processing compared to the old version
- Automatic disabling and re-enabling of autoanalysis
- Automatic unloading of conflicting type libraries
- Addition of custom fake string segment to show string literal contents in decompiler
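Review bot: the bullet `Much faster processing compared to the old version` now appears twice in this hunk, once after the name-mangling bullet and again under `Overhauled IDA script:`, so the two feature lists read as copy-pasted. Keep it in one list, or reword the first copy to say what actually got faster for the Ghidra script (the commit message attributes it to no longer triggering the decompiler for the whole binary), so each list carries its own claim.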
@@ -321,6 +321,10 @@ The `--seperate-attributes` switch directs Il2CppInspector to put assembly-level
### Adding metadata to your IDA workflow
**NOTE:** IDA 7.6+ is required, but 7.7 is recommended.
**NOTE:** Run script as-soon-as-possible after IDA loads binary into database
Simply run Il2CppInspector with the `-p` switch to choose the IDA script output file. Load your binary file into IDA, press Alt+F7 and select the generated script. Observe the Output Window while IDA analyzes the file - this may take a long time.
Three files are generated by Il2CppInspector for IDAPython: the Python script itself, a JSON metadata file and a C++ type header file (this is `cpp/appdata/il2cpp-types.h` by default if you used the CLI, or `il2cpp.h` if you used the GUI). These files must be present for the script to run successfully.
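Review bot: the new `IDA 7.6+ is required, but 7.7 is recommended` note gives no reason for either number; the commit message pins the 7.6 floor to `ida_ida.inf_is_32bit_exactly()`, so name that API here so a user on an older IDA can recognise the failure, and say what makes 7.7 preferable or drop the recommendation. The second note, `Run script as-soon-as-possible after IDA loads binary into database`, should read `as soon as possible` without hyphens and should state what goes wrong if the script runs late; the Ghidra section's `Conflicting data exists at address` guidance is the kind of concrete consequence this line is missing.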
@@ -356,9 +360,11 @@ Three files are generated by Il2CppInspector for Ghidra: the Python script itsel
If you know which version of Unity the binary was compiled with, you can improve the output by specifying this with `--unity-version`, for example `--unity-version 2019.3.1f1`. You can also supply any asset file from the application to detect the Unity version with `--unity-version-from-asset`. Otherwise Il2CppInspector will make an educated guess based on the contents of the binary.
**NOTE:** For best results, choose No when Ghidra asks if you would like to perform auto-analysis when the binary is first loaded. If you receive a `Conflicting data exists at address` error when running the script below, re-load the binary into the project and choose No at the auto-analysis prompt.
**NOTE:** Always choose No when Ghidra asks to perform analysis
**NOTE:** To significantly speed up analysis for ELF files, set the image base to zero (`0x00000000`) in the load options for the binary. For compatibility reasons, executing the Ghidra Python script on an ELF file will change the file's image base to zero for you if necessary, however if the current image base is non-zero this may take a very long time to complete. Other file formats will retain the same image base.
**NOTE:** For ELF files, set the image base to zero (`0x00000000`) in the load options for the binary. For compatibility reasons, executing the Ghidra Python script on an ELF file will change the file's image base to zero for you if necessary, however if the current image base is non-zero this may take a very long time to complete. Other file formats will retain the same image base.
**NOTE:** To improve analysis time, from the _Code Browser_, choose _Edit -> Tool options -> Auto Analysis_ and change _Max Threads_ to your CPU core count. Click _OK_ and restart _Code Browser_
To import metadata into an existing Ghidra project:
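Review bot: the two auto-analysis notes overlap and pull in different directions: `For best results, choose No when Ghidra asks if you would like to perform auto-analysis` reads as advice, while the new `Always choose No when Ghidra asks to perform analysis` reads as a hard rule; fold the new line into the first note (keeping its `Conflicting data exists at address` recovery step) instead of stacking a second NOTE. The rewritten image-base note has the same problem: it drops the `To significantly speed up analysis` rationale but keeps the warning that the script will rebase a non-zero ELF and that `this may take a very long time`, so the reader no longer learns why zero is preferred. Keep one sentence of rationale. The `restart _Code Browser_` note is also missing its final period.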
@@ -373,6 +379,7 @@ To import metadata into an existing Ghidra project:
6. If you have used scripts from Il2CppInspector for other binaries, ensure the Python files are named differently, or disable use of the previous script folder(s).
7. Click Refresh to make the script appear in _Script Manager_.
8. Right-click the script and choose _Run_. This may take a while to complete.
9. After initial auto analysis done, run it again to be sure about correct decompilation
![Ghidra import help](docs/Ghidra_Guide.png)
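Review bot: step 9, `After initial auto analysis done, run it again to be sure about correct decompilation`, needs a subject and a tense fix (something like `After the initial auto-analysis has finished, run the script again so the decompiler picks up the applied types`), and `it` should be `the script` since the previous sentence's subject is the run. More importantly, this is the first line in the section that says auto-analysis runs at all, while the NOTEs above tell the user to always choose No at the analysis prompt; spell out when and how the user is expected to start analysis (from the Code Browser's Analysis menu, after the script's first run) so steps 8 and 9 are consistent with those notes.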