逆向 | 逃离鸭科夫 unity mono游戏hook

逆向 | 逃离鸭科夫 unity mono游戏hook

依旧是处理上一个博客的问题，这次直接用扫内存提jit的方式来找到目标函数，然后进行hook。
之后做详细视频发b站，这里就贴个代码。
好久不手搓硬编码和inlinehook犯了好多错，整个思路一团混乱，不过总算是最后弄对了，下次就思路清晰了。
依旧是frida来操作，方便。
不能信AI的代码，要自己去校验段protect，可能会有问题，AI会想当然的传参数然后没有成功获取到段执行权限（破口大骂）。

P.S.cheatengine的mono功能可以很好的利用，非常好使！事半功倍！！

py:

from __future__ import print_function    # 这里__future__的目的是引入新版本特性
import frida
import sys
import threading


import time

session = frida.attach('Duckov.exe')

# ---------------------------------------------old ver
# 读取js脚本
# with open('hook.js', 'r', encoding='utf-8') as f:
# 	js_hook = f.read()

# script = session.create_script(js_hook)

# def add_hp(args):
# 	while 1:
# 		time.sleep(5)
# 		print('call add hp')
# 		script.exports.addhp()

# t1 = threading.Thread(target=add_hp, args=(0,)) 
# def on_message(message,data):
#     print(message)
# script.on('message', on_message)
# script.load()
# t1.start()
# sys.stdin.read()
# -----------------------------------------------

with open('hook_new.js', 'r', encoding='utf-8') as f:
	js_hook = f.read()
script = session.create_script(js_hook)




def on_message(message,data):
    print(message)
script.on('message', on_message)
script.load()
sys.stdin.read()

js:

function hexToLittleEndianBytes(hexStr) {
    // 1. 移除0x前缀，确保只保留十六进制字符
    const pureHex = hexStr.replace(/^0x/i, '');
    
    // 2. 补全偶数位（十六进制字符串长度必须为偶数，才是完整字节）
    const evenHex = pureHex.length % 2 === 1 ? '0' + pureHex : pureHex;
    
    // 3. 小端序：从字符串末尾（低位）开始，每2个字符取1字节
    const bytes = [];
    for (let i = evenHex.length - 2; i >= 0; i -= 2) {
        // 截取2个字符（注意：substring(start, end)，end是排他的）
        const byteHex = evenHex.substring(i, i + 2);
        // 转换为十进制字节值（0-255）
        const byteValue = parseInt(byteHex, 16);
        bytes.push(byteValue);
    }
    return bytes;
}

function scan(pattern) {
    const locations = new Set();
    // console.log(Process.enumerateMallocRanges())
    console.log("-----start scan-----")
    var sections = Process.enumerateRanges("rwx")
    console.log(sections)
    console.log("----------")
    for (const r of sections) {
        console.log(`${r.base} : ${r.size} : ${r.protection} : ${r.file}`)
        for (const match of Memory.scanSync(r.base, r.size, pattern)) {
            locations.add(match.address.toString());
        }
    }
    
    var matches = Array.from(locations).map(ptr);
    console.log('Found', matches.length, 'matches');
    console.log(matches)
    return matches
}




// Health.hurt函数
var Health_hurt_func = scan('55 48 8B EC 48 81 EC 90 06 00 00 48 89 5D C8')[0]
console.log(Health_hurt_func)


// 手搓inlinehook
const codeSize = 1024;
const codeMemory = Memory.alloc(codeSize);
Memory.protect(codeMemory, codeSize, "rwx");
var codeMemoryBytes = hexToLittleEndianBytes(codeMemory.toString());
var Health_hurt_funcBytes = hexToLittleEndianBytes(Health_hurt_func.add(15).toString());

var codeBuffer = [0x52,
0x48,0x8b,0x51,0x50,
0x83,0xfa,0x00,
0x75,0x07,
0x5a,
0x48,0xc7,0xc0,0x01,0x00,0x00,0x00,
0xc3,
0x5a,
0x55,
0x48,0x8b,0xec,
0x48,0x81,0xec,0x90,0x06,0x00,0x00,
0x48,0x89,0x5d,0xc8,
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0xff,0xe0]
// 修改跳转地址
for (let _i = 0; _i < Health_hurt_funcBytes.length; _i ++){
    codeBuffer[37+_i] = Health_hurt_funcBytes[_i]
}
console.log(codeBuffer)
codeMemory.writeByteArray(codeBuffer)   // 注入代码
console.log(`inject code addr: ${codeMemory}`)
console.log(codeMemory.toString())

// 修改hook地址
//修改原函数
var jmp_code = [
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0xff,0xe0
]
for (let _j = 0; _j < codeMemoryBytes.length; _j ++){
    jmp_code[2+_j] = codeMemoryBytes[_j]
}
console.log(jmp_code)
// 启动hook
Health_hurt_func.writeByteArray(jmp_code)

/*
思路：
0x52,
0x48,0x8b,0x51,0x50,
0x83,0xfa,0x00,
0x75,0x07,
0x5a,
0x48,0xc7,0xc0,0x01,0x00,0x00,0x00,
0xc3,
0x5a,
0x55,
0x48,0x8b,0xec,
0x48,0x81,0xec,0x90,0x06,0x00,0x00,
0x48,0x89,0x5d,0xc8,
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0xff,0xe0


---
0x52,                       push rdx
0x48,0x8b,0x51,0x50,           mov rdx, [rcx+50]
0x83,0xfa,0x00,            cmp edx, 0
0x75,0x09,                 jne $9
0x5a,             pop rdx
0x48,0xc7,0xc0,0x01,0x00,0x00,0x00,        mov rax, 1
0xc3,                ret
0x5a,              pop rdx
0x55,               push rbp // yuan函数开头
0x48,0x8b,0xec,         mov rbp, rsp
0x48,0x81,0xec,0x90,0x06,0x00,0x00,
0x48,0x89,0x5d,0xc8,                    // 共15个字节
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, //跳回去mov rax, 0xxxxxxxxxxxx
0xff,0xe0           jmp rax
------------------------
var jmp_code = [
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0xff,0xe0
]

*/


// var origin_code = Health_hurt_func.readByteArray(15)







// hook不好返回
// Interceptor.attach(ptr(Health_hurt_func),{
//     onEnter: function(args){
//         console.log('[*] Health_hurt_func !!!')
//         var _rcx = this.context.rcx
//         var team = _rcx.add(0x50).readU64()
//         console.log(`team: ${team}`)
//         if (team == 0x100000000){
//             console.log("is player!")
//             // args.returnValue = 1
//             this.context.rax = ptr("0")
//             this.return()
//         }
//         console.log("\n-----------------------\n")
//     },
//     // onLeave: function(retval){
//     //     console.log("retval: "+retval)
//     // }
// });