Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Generating Ghidra/IDA scripts like Il2CppDumper #322

Open
LeonLeonPotato opened this issue Jun 27, 2023 · 8 comments
Open

Generating Ghidra/IDA scripts like Il2CppDumper #322

LeonLeonPotato opened this issue Jun 27, 2023 · 8 comments
Labels
feature New feature or request

Comments

@LeonLeonPotato
Copy link

It would help reverse engineering the source code instead of having to guess based on trace and dump.cs
@commonuserlol
Copy link

actually il2cppdumper just copy ready2use script. for example you can use script from #113, but it sets only method name, for fields, strings, etc metadata dump still needed

@vfsfitvnm
Copy link
Owner

Agree, but I doubt I'll work on this anytime soon. I made few attempts in the past, but I always gave up at a certain point.
PS: I won't (personally) support IDA (can't test/use it).

If you want to contribute, this is your chance 😄

@vfsfitvnm vfsfitvnm added the feature New feature or request label Jun 29, 2023
@vfsfitvnm
Copy link
Owner

For instance, the solution would consist in generating a machine readable metadata file (i.e. a json file or a db) so that we can use the target disassembler scripting language to load the metadata into the project.

OT: We could make things even bigger by using the very same metadata to generate some sort of type safe typescript bindings, so that:

Il2Cpp.corlib.class("System.Int32").new();

becomes:

new mscorlib.System.Int32();

@commonuserlol
Copy link

Agree, but I doubt I'll work on this anytime soon. I made few attempts in the past, but I always gave up at a certain point. PS: I won't (personally) support IDA (can't test/use it).

If you want to contribute, this is your chance smile

actually i dont have idea how to find metadata in memory.. im tried this on 3 apps (android), but no one found metadata... also im tried this one but cannot find il2cpp_build_metadata export

@vfsfitvnm
Copy link
Owner

il2cpp_build_metadata was a CModule function I implemented by my own.
By "metadata" I didn't mean global-metadata.dat, but just a machine readable file that contains any metadata of the application we can retrieve (just like global-metadata.dat). It's just like Il2Cpp::dump, but generate a json file instead of a pseudo cs file.

@commonuserlol
Copy link

yes i understood this, but first need to find metadata in memory.. i have one idea and I'll try implement it soon as I can

@commonuserlol
Copy link

yeah, im generated pseudo metadata .json file, now need figure how to correctly generate .h file and apply c++ signatures..

@commonuserlol
Copy link

unfortunately I have very little knowledge about the internals of il2cpp so I'll leave it here, maybe it will be useful to someone for further development (this is not the final version)
and yes, the code is not really good
src/il2cpp/dump.ts

let Metadata = {
                "ScriptMethod": [],
                "ScriptString": [],
                "ScriptMetadata": [],
                "Addresses": [] //not used right now
            };

            for (const assembly of Il2Cpp.domain.assemblies) {
                inform(`dumping ${assembly.name}...`);

                for (const klass of assembly.image.classes) {
                    
                    for (const method of klass.methods) {

                        //@ts-ignore
                        Metadata.ScriptMethod.push({
                            "Address": method.relativeVirtualAddress.toUInt32(),
                            "Name": `${method.class.type.name}$$${method.name}`,
                            "Signature": "soon",
                            "TypeSignature": "soon"
                        });
                    }
                    
                    for (const field of klass.fields) {
                        //@ts-ignore
                        Metadata.ScriptMetadata.push({
                            "Address": klass.handle.sub(Il2Cpp.module.base).add(field.offset).toUInt32(),
                            "Name": field.type.name,
                            "Signature": "soon"
                        });
                    }
                }
            }

            //NOTE: this wont dump ALL strings, only which in memory right now
            inform("dumping strings...");
            for (const str of (Il2Cpp.gc.choose(Il2Cpp.corlib.class("System.String")))) {

                //@ts-ignore
                Metadata.ScriptString.push({
                    "Address": str.handle.sub(Il2Cpp.module.base).toUInt32(),
                    "Value": (new Il2Cpp.String(str)).content ?? ""
                });
            }
            file.write(JSON.stringify(Metadata, null, 4));
            file.flush();
            file.close();
            ok(`dump saved to ${destination}`);

@vfsfitvnm vfsfitvnm mentioned this issue Aug 11, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@vfsfitvnm @LeonLeonPotato @commonuserlol