chizui/Il2CppInspectorRedux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

IL2CPP: Abstract API export name decryption to plugin

Browse Source
This commit is contained in:
Katy Coe
2021-01-12 04:48:44 +01:00
parent 0b8a42d9a2
commit c94fec41d7
1 changed files with 10 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
Il2CppInspector.Common/IL2CPP/Il2CppBinary.cs
View File

@@ -96,7 +96,6 @@ namespace Il2CppInspector
Image = stream; Image = stream;
OnStatusUpdate = statusCallback; OnStatusUpdate = statusCallback;
StatusUpdate($"Analyzing IL2CPP data for {Image.Format}/{Image.Arch} image");
DiscoverAPIExports(); DiscoverAPIExports();
} }
@@ -104,7 +103,6 @@ namespace Il2CppInspector
Image = stream; Image = stream;
OnStatusUpdate = statusCallback; OnStatusUpdate = statusCallback;
StatusUpdate($"Analyzing IL2CPP data for {Image.Format}/{Image.Arch} image");
DiscoverAPIExports(); DiscoverAPIExports();
TryPrepareMetadata(codeRegistration, metadataRegistration); TryPrepareMetadata(codeRegistration, metadataRegistration);
} }
@@ -273,6 +271,8 @@ namespace Il2CppInspector
// Plugin hook to pre-process binary // Plugin hook to pre-process binary
isModified |= PluginHooks.PreProcessBinary(this).IsStreamModified; isModified |= PluginHooks.PreProcessBinary(this).IsStreamModified;
StatusUpdate($"Analyzing IL2CPP data for {Image.Format}/{Image.Arch} image");
// Do basic validatation that MetadataRegistration and CodeRegistration are sane // Do basic validatation that MetadataRegistration and CodeRegistration are sane
/* /*
* GlobalMethodPointers (<= 24.1) must be a series of pointers in il2cpp or .text, and in sequential order * GlobalMethodPointers (<= 24.1) must be a series of pointers in il2cpp or .text, and in sequential order
@@ -402,35 +402,18 @@ namespace Il2CppInspector
// (therefore ignoring extern imports) // (therefore ignoring extern imports)
// Some binaries have functions starting "il2cpp_z_" - ignore these too // Some binaries have functions starting "il2cpp_z_" - ignore these too
private void DiscoverAPIExports() { private void DiscoverAPIExports() {
var exports = Image.GetExports()?.ToList(); var exports = Image.GetExports()?
.Where(e => (e.Name.StartsWith("il2cpp_") || e.Name.StartsWith("_il2cpp_") || e.Name.StartsWith("__il2cpp_"))
&& !e.Name.Contains("il2cpp_z_"));
if (exports == null) if (exports == null)
return; return;
var exportRgx = new Regex(@"^_+"); var exportRgx = new Regex(@"^_+");
// Handle name rot encryption found in some binaries foreach (var export in exports)
var anyEncrypted = false;
for (var rotKey = 0; rotKey <= 25; rotKey++) {
var possibleExports = exports.Select(e => new {
Name = string.Join("", e.Name.Select(x => (char) (x >= 'a' && x <= 'z'? (x - 'a' + rotKey) % 26 + 'a' : x))),
VirtualAddress = e.VirtualAddress
}).ToList();
var foundExports = possibleExports
.Where(e => (e.Name.StartsWith("il2cpp_") || e.Name.StartsWith("_il2cpp_") || e.Name.StartsWith("__il2cpp_"))
&& !e.Name.Contains("il2cpp_z_"))
.Select(e => e);
if (foundExports.Any() && rotKey != 0 && !anyEncrypted) {
Console.WriteLine("Found encrypted export names - decrypting");
anyEncrypted = true;
}
foreach (var export in foundExports)
if (Image.TryMapVATR(export.VirtualAddress, out _)) if (Image.TryMapVATR(export.VirtualAddress, out _))
APIExports.Add(exportRgx.Replace(export.Name, ""), export.VirtualAddress); APIExports.Add(exportRgx.Replace(export.Name, ""), export.VirtualAddress);
} }
} }
} }
}