Evol Deepspace逆向


il2cpp动态api还原

Zygisk-Il2CppDumper需要这些api
il2cpp_method_get_param_name il2cpp_class_is_enum simple il2cpp_property_get_set_method il2cpp_class_get_parent il2cpp_property_get_name il2cpp_class_get_properties il2cpp_method_get_flags il2cpp_string_new il2cpp_field_static_get_value il2cpp_get_corlib il2cpp_image_get_name il2cpp_domain_get il2cpp_image_get_class il2cpp_domain_get_assemblies il2cpp_method_get_param il2cpp_field_get_flags il2cpp_class_is_valuetype il2cpp_class_from_type il2cpp_field_get_offset il2cpp_field_get_type il2cpp_method_get_name il2cpp_assembly_get_image il2cpp_method_get_return_type il2cpp_class_get_method_from_name il2cpp_type_is_byref il2cpp_class_get_interfaces il2cpp_thread_attach il2cpp_class_from_system_type il2cpp_class_get_namespace il2cpp_image_get_class_count il2cpp_class_get_flags il2cpp_property_get_get_method il2cpp_class_from_name il2cpp_class_get_name il2cpp_class_get_methods il2cpp_class_get_fields il2cpp_field_get_name il2cpp_class_get_type il2cpp_method_get_param_count il2cpp_type_get_name
 
字符串:"UnhandledException"
来到il2cpp_unhandled_exception_0
// Decompiler output (Hex-Rays style, arm64) for the function reached from the
// "UnhandledException" string xref. The il2cpp_*_0 names are exports already
// recovered; sub_* and qword_* are still unresolved.
// NOTE(review): the call pattern (field lookup -> field read -> delegate Invoke)
// suggests this is il2cpp_unhandled_exception(exc) with a1 = the exception
// object — confirm against a symbolised libil2cpp before trusting the name.
__int64 __fastcall il2cpp_unhandled_exception_0(_QWORD *a1)
{
  _QWORD *v2; // x20
  __int64 result; // x0
  __int64 v4; // [xsp+8h] [xbp-18h] BYREF -- receives the field value from il2cpp_field_get_value_0 below

  il2cpp_domain_get_0();
  v2 = (_QWORD *)sub_15197F4();                 // *v2 is the object the field is read from below; presumably the domain object — confirm
  v4 = 0LL;                                     // zeroed so an absent/null field value fails the `if ( v4 )` test
  // Anchor: the literal string identifies this call as the field-by-name export.
  result = il2cpp_class_get_field_from_name_0(qword_5E012A8, "UnhandledException");
  if ( *a1 == qword_5E01298 )                   // first word of a1 compared to a cached global; which class/value this is is not visible here
    return result;
  result = il2cpp_field_get_value_0(*v2, result, &v4);
  if ( v4 )                                     // field value (the UnhandledException delegate) present -> dispatch to it
    return sub_14CCF0C(v2, v4, a1);
  return result;                                // no delegate: returns whatever il2cpp_field_get_value_0 returned
}
进去14CCF0C
// Invokes the delegate read by il2cpp_unhandled_exception_0. Called there as
// sub_14CCF0C(v2, v4, a1): a1 = the object the field was read from (its first
// word becomes the delegate's first argument, presumably the "sender"),
// a2 = the delegate object, a3 = the value il2cpp_unhandled_exception_0 received.
// NOTE: the listing in these notes stops before the closing brace of this function.
__int64 __fastcall sub_14CCF0C(__int64 *a1, _QWORD *a2, __int64 a3)
{
  __int64 method_from_name_0; // x0
  __int64 v6[2]; // [xsp+0h] [xbp-20h] BYREF -- argument array: { sender, event-args }
  __int64 v7; // [xsp+18h] [xbp-8h] BYREF -- exception out-slot, cleared before the call

  v7 = 0LL;
  v6[0] = *a1;
  v6[1] = sub_14CCF6C(a3);                       // builds the UnhandledExceptionEventArgs instance (next listing)
  // *a2 is the delegate's first word, i.e. its klass assuming Il2CppObject layout.
  // 0xFFFFFFFF is argsCount = -1, which il2cpp_class_get_method_from_name treats as
  // "match any parameter count".
  method_from_name_0 = il2cpp_class_get_method_from_name_0(*a2, "Invoke", 0xFFFFFFFFLL);
  // Argument shape (method, obj, params, &exc) matches il2cpp_runtime_invoke; the
  // same helper performs the .ctor call in sub_14CCF6C. Candidate for the export
  // mapping — verify against the symbolised build.
  return sub_14CC404(method_from_name_0, a2, v6, &v7);
点进sub_14CCF6C
// Constructs the event-args object that sub_14CCF0C passes as the delegate's
// second argument. a1 = the value il2cpp_unhandled_exception_0 received; it
// becomes the first .ctor argument.
__int64 __fastcall sub_14CCF6C(__int64 a1)
{
  __int64 v2; // x20 -- klass of System.UnhandledExceptionEventArgs
  __int64 v3; // x21 -- its .ctor
  __int64 v4; // x19 -- the new instance, returned to the caller
  __int64 v6[2]; // [xsp+0h] [xbp-30h] BYREF -- .ctor argument array
  char v7; // [xsp+1Ch] [xbp-14h] BYREF -- second .ctor argument, passed by address (a true bool)

  v7 = 1;
  // Anchor: (image, namespace, name) lookup. qword_5E011A8 is presumably the corlib image — confirm.
  v2 = il2cpp_class_from_name_0(qword_5E011A8, "System", "UnhandledExceptionEventArgs");
  sub_14B23C0(v2);                              // called on the klass before any use; looks like a class-init step — confirm
  v3 = sub_14B2904(v2, ".ctor", 2LL, 6LL);      // method lookup by name with 2 parameters; the meaning of the 6 is not visible here
  v6[0] = a1;
  v6[1] = (__int64)&v7;                         // consistent with UnhandledExceptionEventArgs(object exception, bool isTerminating), isTerminating = true
  v4 = sub_14F42B4(v2);                         // takes the klass and yields the object the .ctor is then invoked on; shape matches il2cpp_object_new — verify
  sub_14CC404(v3, v4, (__int64)v6, 0LL);        // same invoke helper as in sub_14CCF0C, here with no exception out-slot
  return v4;
}
 
搜索"The type initializer for '%s' threw an exception."
 
有了这些锚点,再对着有符号的libil2cpp把.text段的函数一个一个还原就可以了
 

完整还原后mapping

版本v1.0.1 240121
il2cpp_method_get_param_name _sub_EB351D86A il2cpp_class_is_enum _sub_EB5B0C034 il2cpp_property_get_set_method _sub_67A34BBDC il2cpp_class_get_parent _sub_E1CE2E271 il2cpp_property_get_name _sub_67A24BBDA il2cpp_class_get_properties _sub_819E1124A il2cpp_method_get_flags _sub_EB351D868 il2cpp_string_new _sub_67A24BBF4 il2cpp_field_static_get_value _sub_EB5ABD7E5 il2cpp_get_corlib _sub_733756E6B il2cpp_image_get_name _sub_67A24BC13 il2cpp_domain_get _sub_EB4A7A400 il2cpp_image_get_class _sub_67A24BC17 il2cpp_domain_get_assemblies _sub_EB3CC7036 il2cpp_method_get_param _sub_EB351D865 il2cpp_field_get_flags _sub_EB5ABD0DA il2cpp_class_is_valuetype _sub_67C6602ED il2cpp_class_from_type _sub_816D94D45 il2cpp_field_get_offset _sub_EB5ABD0DD il2cpp_field_get_type _sub_EB5ABD0DF il2cpp_method_get_name _sub_EB351D85F il2cpp_assembly_get_image _sub_72C750C61 il2cpp_method_get_return_type _sub_EB351D85D il2cpp_class_get_method_from_name _sub_816D99683 il2cpp_type_is_byref _sub_67A24BC0C il2cpp_class_get_interfaces _sub_819E5C0F3 il2cpp_thread_attach _sub_67A24BBFB il2cpp_class_from_system_type _sub_6F666C045 il2cpp_class_get_namespace _sub_816D95D97 il2cpp_image_get_class_count _sub_67A24BC16 il2cpp_class_get_flags _sub_67B8FADEE il2cpp_property_get_get_method _sub_67A24BBDB il2cpp_class_from_name _sub_EB5ABD0D1 il2cpp_class_get_name _sub_816D95ACB il2cpp_class_get_methods _sub_818DAD403 il2cpp_class_get_fields _sub_819DD57B3 il2cpp_field_get_name _sub_EB5ABD0DB il2cpp_class_get_type _sub_816D94C03 il2cpp_method_get_param_count _sub_EB351D864 il2cpp_type_get_name _sub_67A24BC0B
 

ab解密

# Decode one of the letter/digit strings listed below into a digit string:
# characters at even indices are letters offset from 'a' ('a' -> 0, 'j' -> 9),
# characters at odd indices are taken as literal digits ('0' -> 0).
# `t` has to yield ints (bytes / bytearray), since each element is subtracted
# from b'a'[0] / b'0'[0]; a str would raise TypeError.
''.join(
    str(c - b'a'[0]) if i % 2 == 0 else str(c - b'0'[0])
    for i, c in enumerate(t)
)
CrcHashString: 5e/35/923d100124184202a63b14ae8096.ab j0c0d1b5d3j0c0d1 CrcHashString: 5e/36/1061ac8e5b133a5dcda67c7aed88.ab j9f6i5a2h2j9f6i5 9956850272 CrcHashString: 5e/37/60020a1b1ccdbdcbcd82342731e0.ab h9e6j3a0f7j4g9d0 794693005 CrcHashString: 5e/38/18b8cf1e43fc2c3b9bfbe6cf42d1.ab g9a3g1d5i1g9a3g1 6903613581 CrcHashString: 5e/38/c988484a583c613168eeb8437199.ab c1b6d4h0b2c1b6d4 2116347012 CrcHashString: 5e/39/4e372614206d06dc36e94726544d.ab i7h0i3e3b2i7h0i3 8770834312 CrcHashString: 5e/39/a61bcc47a1a6c1747810cc98990c.ab d1e7i6i4j3d1e7i6 CrcHashString: 5e/39/a71da2b05d7d3b8681b30ad65d34.ab h6b6g6i4b7g1g6g8 CrcHashString: 5e/3c/29110dc141adfe544701546ee1b9.ab c8h5j6d0g2i7f9g3 CrcHashString: 5e/3c/5190cc8007455dcf4f0c3743c3e0.ab c5j2f3g8c5j2f3g8 CrcHashString: 5e/3c/facc2dd1da4a8b12d7efeaed92d0.ab h2f7j9d5i1h2f7j9 CrcHashString: 5e/3e/8184875dd4e52c1640070f9ec9ce.ab e0d4f1h1g1e0d4f1 CrcHashString: 5e/3e/9564265e3833c72fea2622b03a0f.ab h1h0f5d5f3h1h0f5 CrcHashString: 5e/40/413d13640502d776e27971005866.ab f1g9f1e0b3f1g9f1 CrcHashString: 5e/42/5734a6e8918e06115e6aa6fe525a.ab h3j2d9i8e1h3j2d9 CrcHashString: 5e/44/b6166158e559e0a80befff5464ab.ab f2d7c4e7g5c3h2e4 CrcHashString: 5e/44/c4bc7fb0b527b839c95116455da9.ab d7f4a5j5e2d7f4a5 CrcHashString: 5e/46/5a552f6f1961745df68e62720817.ab d4g6h7b4b4d4g6h7 CrcHashString: 5e/46/83dfbcb9d3384ec5c1baf12a6dcf.ab e1h6c3b1a3e1h6c3