{"id":1522,"date":"2025-10-26T16:13:26","date_gmt":"2025-10-26T08:13:26","guid":{"rendered":"https:\/\/blog.shangwendada.top\/?p=1522"},"modified":"2025-11-04T11:19:42","modified_gmt":"2025-11-04T03:19:42","slug":"%e8%ae%b0%e5%bd%95%e4%b8%80%e6%ac%a1unity%e5%8a%a0%e5%9b%ba%e7%9a%84%e6%8e%a2%e7%b4%a2","status":"publish","type":"post","link":"https:\/\/blog.shangwendada.top\/index.php\/2025\/10\/26\/%e8%ae%b0%e5%bd%95%e4%b8%80%e6%ac%a1unity%e5%8a%a0%e5%9b%ba%e7%9a%84%e6%8e%a2%e7%b4%a2\/","title":{"rendered":"\u8bb0\u5f55\u4e00\u6b21Unity\u52a0\u56fa\u7684\u63a2\u7d22"},"content":{"rendered":"

\u524d\u8a00<\/h2>\n

\u6b63\u503c\u67d0\u6bd4\u8d5b\u51fa\u9898\uff0c\u4e00\u9053\u56f0\u96be\u9898\u4e0d\u77e5\u9053\u8981\u600e\u4e48\u51fa\u624d\u597d\uff0c\u7a81\u7136\u60f3\u8d77\u4e86il2cpp\u5728\u5b89\u5353\u5e73\u53f0\u7684\u52a0\u5bc6\uff0c\u4f46\u662f\u672c\u4eba\u53c8\u4e0d\u592a\u4f1a\u8fd9\u65b9\u9762\uff0c\u53ea\u597d\u4ece\u5b66\u4e60\u4e00\u4e0bil2cpp\u7684\u539f\u7406\u5e76\u4e14\u5c1d\u8bd5\u8fdb\u884c\u52a0\u56fa\uff0c\u672c\u6587\u8bb0\u5f55\u6211\u7684\u51fa\u9898\u8fc7\u7a0b\u3002<\/p>\n

\u6574\u4f53\u542f\u52a8\u4e0e libil2cpp.so \u88ab\u8f7d\u5165\u7684\u6d41\u7a0b<\/h2>\n

\u8981\u76f4\u5230\u5982\u4f55\u4fdd\u62a4libil2cpp.so\u9996\u5148\u9700\u8981\u77e5\u9053\u8fd9\u4e2aso\u6587\u4ef6\u662f\u5728\u4ec0\u4e48\u65f6\u5019\u88ab\u8f7d\u5165\u7684\uff0c\u6839\u636eil2cpp\u5b89\u5353\u7aef\u7684\u542f\u52a8\u6d41\u7a0b\uff0c\u6211\u4eec\u53ef\u4ee5\u53d1\u73b0\u8f7d\u5165\u4f4d\u7f6e\uff0c\u5176\u6d41\u7a0b\u56fe\u5982\u4e0b\uff1a<\/p>\n

\n \n<\/p>\n

\u5728\u6b64\u5904\u6211\u4eec\u53ef\u4ee5\u770b\u5230libunity.so\u901a\u8fc7dlopen\u52a0\u8f7dlibil2cpp.so<\/p>\n

global-metadata.dat \u7684\u52a0\u8f7d\u65f6\u673a\u4e0e\u5206\u652f\u6d41\u7a0b<\/h2>\n

\u5149\u4fdd\u62a4il2cpp.so\u5927\u62b5\u662f\u4e0d\u591f\u7684\uff0c\u5f88\u591a\u52a0\u56fa\u65b9\u6848\u80af\u5b9a\u90fd\u4f1a\u9009\u62e9\u52a0\u5bc6global-metadata.dat\uff0c\u63a5\u4e0b\u6765\u6211\u4eec\u770b\u770bil2cpp.so\u4e2d\u8d1f\u8d23\u52a0\u8f7dglobal-metadata.dat\u7684\u4ee3\u7801\u4f4d\u7f6e\u5427\uff0c\u5982\u4e0b\u662f\u52a0\u8f7dmetadata\u7684\u6d41\u7a0b\u56fe
\n

\"file\"<\/div>
\n\u6e90\u7801\u5206\u6790\u53ef\u77e5\u52a0\u8f7dglobal-metadata.dat\u7684\u4ee3\u7801\u4f4d\u7f6e\u5728<\/p>\n
E:\\Unity Edit\\2020.3.48f1c1\\Editor\\Data\\il2cpp\\libil2cpp\\vm\\MetadataLoader.cpp<\/code><\/pre>\n
\u5177\u4f53\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n
    os::FileHandle* handle = os::File::Open(resourceFilePath, kFileModeOpen, kFileAccessRead, kFileShareRead, kFileOptionsNone, &error);\n    if (error != 0)\n    {\n        utils::Logging::Write("ERROR: Could not open %s", resourceFilePath.c_str());\n        return NULL;\n    }\n\n    void* fileBuffer = utils::MemoryMappedFile::Map(handle);<\/code><\/pre>\n
\u52a0\u56faglobal-metadata.dat<\/h2>\n
\u4e00\u4e9b\u5c0f\u95ee\u9898<\/h3>\n
\u6b63\u5982\u4e0a\u6587\u6240\u63d0\u5230\u7684\uff0c\u52a0\u56faglobal-metadata.dat\u4e3b\u8981\u662f\u5728<\/p>\n
E:\\Unity Edit\\2020.3.48f1c1\\Editor\\Data\\il2cpp\\libil2cpp\\vm\\MetadataLoader.cpp<\/code><\/pre>\n
\uff0c\u7406\u8bba\u4e0a\u4fee\u6539\u4e86\u6b64\u5904\u7684\u4ee3\u7801\u4e4b\u540e\uff0c\u518d\u5199\u4e00\u4e2a\u811a\u672c\u53bb\u52a0\u5bc6metadata\u518d\u6253\u5305\u56de\u53bb\uff0c\u5c31\u53ef\u4ee5\u8fd0\u884c\u4e86\uff0c\u4f46\u662f\u5982\u679c\u76f4\u63a5\u4fee\u6539MetadataLoader.cpp\u4f1a\u5bfc\u81f4\u540e\u9762\u5982\u679c\u4e0d\u9700\u8981\u52a0\u56fa\u7684\u9879\u76ee\u6bcf\u4e00\u6b21\u7f16\u8bd1\u90fd\u9700\u8981\u52a0\u5bc6global-metadata.dat\u624d\u80fd\u8fd0\u884c\uff0c\u8fd9\u6837\u7684\u8bdd\u5c82\u4e0d\u662f\u975e\u5e38\u7684\u4e0d\u65b9\u4fbf<\/p>\n
\u9879\u76ee\u6784\u5efa\u65f6\u81ea\u52a8\u52a0\u56faglobal-metadata.dat<\/h3>\n
\u81ea\u7136\uff0c\u8fd9\u91cc\u5148\u8bf4\u4e00\u4e0b\u4e00\u4e2a\u53ef\u80fd\u7684\u89e3\u51b3\u65b9\u6848\uff0c\u4e5f\u662f\u6211\u5728NSSCTF 4th\u4e2d\u51fa\u8fc7\u7684\u4e00\u4e2apyinstaller\u6253\u5305\u9879\u76ee\u52a0\u56fa\u7684\u539f\u7406\uff0c\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u8bbe\u7f6e\u4e00\u4e2a\u6807\u8bb0\uff0c\u6bd4\u5982MHY0\uff0c\u6211\u4eec\u518d\u9b54\u6539MetadataLoader\u7684\u65f6\u5019\u901a\u8fc7\u8bc6\u522b\u662f\u5426\u5b58\u5728MHY0\u8fd9\u4e2a\u6807\u8bc6\u7b26\u6765\u786e\u5b9a\u662f\u5426\u9700\u8981\u89e3\u5bc6\uff0c\u8fd9\u6837\u5c31\u4e0d\u4f1a\u5f71\u54cd\u540e\u7eed\u6253\u5305\u7684\u9879\u76ee\u76f4\u63a5\u8fd0\u884c\u3002<\/p>\n
\u5f53\u7136\uff0c\u8fd8\u6709\u66f4\u52a0\u4f18\u79c0\u7684\u529e\u6cd5\uff0c\u6211\u4eec\u770b\u5230\u5982\u4e0bGitHub\u9879\u76ee\uff1a
\nhttps:\/\/github.com\/badApple001\/Il2cppEncrtypt<\/a><\/p>\n
\u6211\u4eec\u5728Unity Hub\u7f16\u5199\u5b8c\u4e3b\u4f53\u4ee3\u7801\u4e4b\u540e\u5c31\u53ef\u4ee5\u5f00\u59cb\u8003\u8651\u52a0\u56fa\u4e86\uff0c\u63a5\u4e0b\u6765\u8bb2\u8ff0\u4e00\u4e0bIl2cppEncrtypt \u8fd9\u4e2a\u9879\u76ee\u6784\u5efa\u65f6\u52a0\u56fa\u7684\u539f\u7406\u3002<\/p>\n
Unity\u6709\u4e00\u4e2a\u5f88\u6709\u610f\u601d\u7684\u673a\u5236\u53eb\u505aEditor Scripting \uff08Unity \u7f16\u8f91\u5668\u6269\u5c55\u7cfb\u7edf\uff09\u66a8\u6240\u6709\u653e\u5728 Assets\/Editor\/ \u6216\u4efb\u4f55\u4ee5 Editor \u547d\u540d\u7684\u6587\u4ef6\u5939\u91cc\u7684\u811a\u672c\uff0c\u90fd\u4f1a\u88ab\u7f16\u8bd1\u8fdb\u4e00\u4e2a \u7f16\u8f91\u5668\u4e13\u7528\u7684\u7a0b\u5e8f\u96c6\uff08Editor Assembly\uff09\uff0c\u4e0d\u4f1a\u8fdb\u5165\u6253\u5305\u7684\u6e38\u620f\u3002<\/p>\n
\u4e0e\u6b64\u540c\u65f6\uff0cUnity\u8fd8\u5b58\u5728IPostprocessBuildWithReport\u8fd9\u4e2a\u63a5\u53e3\u6709\u4ec0\u4e48\u7528\u5462\uff0c\u6765\u770b\u4e00\u4e0b\u4ecb\u7ecd<\/p>\n
IPostprocessBuildWithReport\uff1aUnity \u7684\u6784\u5efa\u7ba1\u7ebf\u63a5\u53e3\uff0cOnPostprocessBuild \u4f1a\u5728\u6784\u5efa\u5b8c\u6210\u540e\u81ea\u52a8\u88ab\u8c03\u7528\uff0c\u53c2\u6570\u662f BuildReport\uff0c\u5305\u542b\u6784\u5efa\u7ed3\u679c\u3001\u8f93\u51fa\u8def\u5f84\u3001\u5e73\u53f0\u7b49\u4fe1\u606f\u3002<\/p>\n
\uff08\u4e0a\u9762\u7684\u5b57\u90a3\u4e48\u591a\u770b\u7684\u602a\u67af\u71e5\u7684\u5427\uff0c\u8ba9GPT\u751f\u6210\u4e86\u4e00\u5f20\u56fe\uff0c\u6da6\u8272\u4e00\u4e0b\uff0c\u770b\u4e2a\u4e50\u5475<\/p>\n
\n  \n<\/p>\n
\n  \n<\/p>\n
\u540c\u65f6\u5728\u8fd9\u4e2a\u63a5\u53e3\u7684\u4e0a\u4e0b\u6587\u4e2d\uff0c\u6211\u4eec\u53ef\u4ee5\u83b7\u53d6\u5230\u6253\u5305\u7684\u8def\u5f84\uff0c\u4ece\u800c\u8fdb\u884c\u5bf9global-metadata.dat\u7684\u52a0\u56fa<\/p>\n
\u90a3\u4e48\u5176\u5b9e\u6211\u4eec\u5c31\u53ef\u4ee5\u6269\u5c55\u8fd9\u4e2a\u63a5\u53e3\uff0c\u5e76\u4e14\u91cd\u5199OnPostprocessBuild\uff0c\u5c31\u53ef\u4ee5\u5b9e\u73b0\u5728\u6784\u5efa\u9879\u76ee\u7684\u65f6\u5019\u4e00\u5e76\u5b8c\u6210\u5bf9global-metadata.dat\u52a0\u56fa\u4e86\u3002<\/p>\n
\u4ee5\u4e0b\u4ee3\u7801\u6458\u81eaIl2cppEncrtypt\uff1a<\/p>\n
    void IPostprocessBuildWithReport.OnPostprocessBuild( BuildReport report )\n    {\n        SetDisplayLog( LogMessageFromCpp );\n\n        if ( report.summary.platform == UnityEditor.BuildTarget.Android )\n        {\n            Debug.Log(report.summary.outputPath);\n            EncryptionCode( Marshal.StringToHGlobalAnsi( report.summary.outputPath ) );\n            OverrideLoader( Marshal.StringToHGlobalAnsi( report.summary.outputPath ) );\n        }\n        else if ( report.summary.platform == UnityEditor.BuildTarget.iOS )\n        {\n\n        }\n        Debug.Log( "\u6267\u884c\u6269\u5c55\u7a0b\u5e8f\u5b8c\u6210" );\n    }<\/code><\/pre>\n
\u5bfc\u51fa\u9879\u76ee\u5e76\u8986\u76d6\u9879\u76ee\u5185global-metadata.dat\uff0c\u7f16\u8bd1\u9b54\u6539\u7684il2cpp.so<\/h3>\n
\u8bda\u7136\uff0c\u5982\u679c\u6211\u4eec\u76f4\u63a5\u4f7f\u7528Unity Hub\u7f16\u8bd1\u4e00\u4e2a\u53ef\u4ee5\u76f4\u63a5\u8fd0\u884c\u7684unity app\u7684\u8bdd\u9ed8\u8ba4\u4f7f\u7528\u7684\u662fUnity Editor\u4e2d\u7684\u4ee3\u7801\uff0c\u8fd9\u4e2a\u5341\u5206\u5751\u7239\uff0c\u4e5f\u8bb8\u662f\u6211\u4e0d\u77e5\u9053\u5982\u4f55\u4fee\u6539\uff0c\u53cd\u6b63\u6700\u540e\u8bd5\u4e86\u5f88\u4e45\u4e5f\u662f\u6ca1\u62db\u4e86\u3002<\/p>\n
\u5bfc\u51faUnity \u9879\u76ee\u4e4b\u540e\u901a\u8fc7Android Studio\u76f4\u63a5\u7f16\u8bd1\uff1a<\/p>\n
\u5bfc\u51fa\u9879\u76ee\u5728\u88c5\u597d\u5b89\u5353\u7684SDK\u4e4b\u540e\uff0cBuild Setting\u754c\u9762\uff0c\u76f4\u63a5\u5c31\u53ef\u4ee5\u770b\u5230\u5bfc\u51fa\u4e86\u3002<\/p>\n
\"file\"<\/div><\/p>\n
\u5bfc\u51fa\u4e4b\u540e\u5728\u5bfc\u51fa\u76ee\u5f55\u4e0b\u53ef\u4ee5\u770b\u5230\u4e24\u4e2a\u5305launcher\u548cunityLibrary\uff0c\u5176\u4e2dunityLibrary\u4e3b\u8981\u52a0\u8f7dil2cpp\u7684\u5185\u5bb9<\/p>\n
\"file\"<\/div><\/p>\n
\u540c\u65f6\u6211\u4eec\u68c0\u67e5\u4e00\u4e0bMetadata\u662f\u5426\u52a0\u5bc6
\n\u5176\u4f4d\u7f6e\u5728\u4e8e<\/p>\n
unityLibrary\\src\\main\\assets\\bin\\Data\\Managed\\Metadata<\/code><\/pre>\n
\"file\"<\/div><\/p>\n
\u53ef\u4ee5\u770b\u5230\u8fd9\u91cc\u539f\u672c\u5e94\u8be5\u662f\u6709\u610f\u4e49\u7684symbol\uff0c\u4f46\u6b64\u523b\u53d8\u6210\u4e86\u4e71\u7801\uff0c\u5373Metadata\u6210\u529f\u88ab\u52a0\u5bc6<\/p>\n
\u63a5\u4e0b\u6765\u6211\u4eec\u9700\u8981\u5728\u9879\u76ee\u4e2d\u7684loader\u5199\u5165\u89e3\u5bc6\u4ee3\u7801\uff0c\u4f46\u4f60\u4f1a\u53d1\u73b0Android studio \u597d\u50cf\u65e0\u6cd5\u5b8c\u7f8e\u8bc6\u522b\u5230\u5173\u4e8eil2cpp.so\u7684\u4ee3\u7801\uff0c\u6211\u4eec\u9700\u8981\u624b\u52a8\u5728<\/p>\n
unityLibrary\\src\\main\\Il2CppOutputProject\\IL2CPP\\libil2cpp\\vm\\MetadataLoader.cpp<\/code><\/pre>\n
\u4e2d\u4fee\u6539\uff0c\u8fd9\u91cc\u9700\u8981\u6ce8\u610f\u7684\u662f\u786e\u4fdd\u548c\u6211\u4eec\u52a0\u5bc6\u4ee3\u7801\u4e00\u81f4\uff0c\u4e0d\u7136\u4f1a\u5bfc\u81f4\u5d29\u6e83\u3002<\/p>\n
\u5982\u4e0b\u4ee3\u7801\u4e2d\u6240\u793a\uff0c\u4e3b\u8981\u7684\u70b9\u4e5f\u5c31\u662f\u5728\u62ff\u5230fileBuffer \u4e4b\u540e\u505a\u89e3\u5bc6\u5373\u53ef\u3002<\/p>\n
void *il2cpp::vm::MetadataLoader::LoadMetadataFile(const char *fileName)\n{\n#if IL2CPP_TARGET_ANDROID && IL2CPP_TINY_DEBUGGER && !IL2CPP_TINY_FROM_IL2CPP_BUILDER\n    std::string resourcesDirectory = utils::PathUtils::Combine(utils::StringView<char>("Data"), utils::StringView<char>("Metadata"));\n\n    std::string resourceFilePath = utils::PathUtils::Combine(resourcesDirectory, utils::StringView<char>(fileName, strlen(fileName)));\n\n    int size = 0;\n    return loadAsset(resourceFilePath.c_str(), &size, malloc);\n#elif IL2CPP_TARGET_JAVASCRIPT && IL2CPP_TINY_DEBUGGER && !IL2CPP_TINY_FROM_IL2CPP_BUILDER\n    return g_MetadataForWebTinyDebugger;\n#else\n    std::string resourcesDirectory = utils::PathUtils::Combine(utils::Runtime::GetDataDir(), utils::StringView<char>("Metadata"));\n\n    std::string resourceFilePath = utils::PathUtils::Combine(resourcesDirectory, utils::StringView<char>(fileName, strlen(fileName)));\n\n    int error = 0;\n    os::FileHandle *handle = os::File::Open(resourceFilePath, kFileModeOpen, kFileAccessRead, kFileShareRead, kFileOptionsNone, &error);\n    if (error != 0)\n    {\n        utils::Logging::Write("ERROR: Could not open %s", resourceFilePath.c_str());\n        return NULL;\n    }\n\n    void *fileBuffer = g_cacheFileHeader = utils::MemoryMappedFile::Map(handle);\n\n    int ero;\n    int64_t length = os::File::GetLength(handle, &ero);\n    void *decBuffer = g_cacheDecodeHeader = PromiseAntiencryption(fileBuffer, length);\n\n    os::File::Close(handle, &error);\n    if (error != 0)\n    {\n        utils::MemoryMappedFile::Unmap(fileBuffer);\n        fileBuffer = NULL;\n        return NULL;\n    }\n\n    return decBuffer;\n#endif\n}<\/code><\/pre>\n
\u81f3\u6b64\u6210\u529f\u7684\u5b8c\u6210\u4e86Metadata\u7684\u52a0\u5bc6\uff0c\u4f46\u662f\u8fd9\u591f\u5417\uff0c\u663e\u7136\u8fdc\u8fdc\u4e0d\u591f\uff0c\u6211\u4eec\u51c6\u5907\u5f00\u59cb\u4e0b\u4e00\u6b65\u63a2\u7d22\uff0c\u52a0\u5bc6libil2cpp.so<\/p>\n
\u52a0\u56fail2cpp.so<\/h2>\n
\u4e00\u4e9b\u5c0f\u5c0f\u95ee\u9898<\/h3>\n
\u5728\u4e0a\u6587\u4e2d\u63d0\u5230\u4e86\uff0clibil2cpp.so \u662f\u88ablibunity.so\u52a0\u8f7d\u7684\uff0c\u4f46\u662f\u6211\u4eec\u5728libUnity\u7684\u7f16\u8bd1\u811a\u672c\u4e2d\u53ef\u4ee5\u770b\u89c1\u4f3c\u4e4ebuild.gradle\u662f\u6ca1\u6709\u7f16\u8bd1libunity.so\u7684\u903b\u8f91\u7684\uff0c\u4ee3\u7801\u5982\u4e0b<\/p>\n
def BuildIl2Cpp(String workingDir, String targetDirectory, String architecture, String abi, String configuration) {\n    exec {\n        commandLine(workingDir + "\/src\/main\/Il2CppOutputProject\/IL2CPP\/build\/deploy\/netcoreapp3.1\/il2cpp.exe",\n            "--compile-cpp",\n            "--incremental-g-c-time-slice=3",\n            "--avoid-dynamic-library-copy",\n            "--profiler-report",\n            "--libil2cpp-static",\n            "--platform=Android",\n            "--architecture=" + architecture,\n            "--configuration=" + configuration,\n            "--outputpath=" + workingDir + targetDirectory + abi + "\/libil2cpp.so",\n            "--cachedirectory=" + workingDir + "\/build\/il2cpp_"+ abi + "_" + configuration + "\/il2cpp_cache",\n            "--additional-include-directories=" + workingDir + "\/src\/main\/Il2CppOutputProject\/IL2CPP\/external\/bdwgc\/include",\n            "--additional-include-directories=" + workingDir + "\/src\/main\/Il2CppOutputProject\/IL2CPP\/libil2cpp\/include",\n            "--tool-chain-path=" + android.ndkDirectory,\n            "--map-file-parser=" + workingDir + "\/src\/main\/Il2CppOutputProject\/IL2CPP\/MapFileParser\/MapFileParser.exe",\n            "--generatedcppdir=" + workingDir + "\/src\/main\/Il2CppOutputProject\/Source\/il2cppOutput",\n            "--baselib-directory=" + workingDir + "\/src\/main\/jniStaticLibs\/" + abi,\n            "--dotnetprofile=unityaot")\n        environment "ANDROID_SDK_ROOT", getSdkDir()\n    }\n    delete workingDir + targetDirectory + abi + "\/libil2cpp.sym.so"\n    ant.move(file: workingDir + targetDirectory + abi + "\/libil2cpp.dbg.so", tofile: workingDir + "\/symbols\/" + abi + "\/libil2cpp.so")\n}\n<\/code><\/pre>\n
\u540c\u65f6\u6211\u4eec\u7f16\u8bd1\u4e00\u6b21\u9879\u76ee\u4e5f\u4f1a\u53d1\u73b0JniLibs\u7684\u76ee\u5f55\u51fa\u73b0\u4e86\u65f6\u95f4\u5dee<\/p>\n
\"file\"<\/div><\/p>\n
\u79cd\u79cd\u8ff9\u8c61\u4e5f\u8bf4\u660e\u4e86libunity.so\u4f3c\u4e4e\u4e0d\u518d\u6211\u4eec\u53ef\u63a7\u8303\u56f4\u5185\uff0c\u7ecf\u8fc7\u641c\u7d22\u5f97\u77e5\u8fd9\u4e2aunity.so\u662f\u6838\u5fc3\u5f15\u64ce\uff0c\u5c5e\u4e8eUnity\u7684\u95ed\u6e90\u90e8\u5206\uff0c\u56e0\u6b64\u6211\u4eec\u6ca1\u6709\u529e\u6cd5\u901a\u8fc7\u4fee\u6539unity.so\u6765\u62e6\u622ail2cpp\u7684\u52a0\u8f7d\u4ece\u800c\u5b9e\u73b0\u52a8\u6001\u89e3\u5bc6\u3002<\/p>\n
\u901a\u8fc7Hook\u62e6\u622ail2cpp.so\u52a0\u8f7d\u6d41\u7a0b<\/h3>\n
\u65e2\u7136\u65e0\u6cd5\u4ece\u4ee3\u7801\u5c42\u9762\u8fdb\u884c\u4fee\u6539ilbunity.so\uff0c\u90a3\u4e48\u6839\u636e\u4e0a\u6587\u63d0\u5230\u7684il2cpp.so\u88ab\u52a0\u8f7d\u6d41\u7a0b\uff0c\u6700\u540e\u52a0\u8f7dlibunity.so\u80af\u5b9a\u662f\u8981\u8d70dlopen\u7684\uff0c\u90a3\u4e48\u662f\u4e0d\u662f\u8bf4\u6211\u4eec\u53ea\u9700\u8981\u5728\u8fd9\u4e4b\u524d\u6ce8\u518c\u4e00\u4e2ahook\uff0c\u4f46dlopen\u6253\u5f00\u7684\u662flibil2cpp\u7684\u65f6\u5019\u6211\u4eec\u8fdb\u884c\u52a0\u5bc6\u5462\uff0c\u63a5\u4e0b\u6765\u6211\u4eec\u5f00\u59cb\u5c1d\u8bd5<\/p>\n
\u8fd9\u91cc\u7684Hook\u6709\u5f88\u591a\u65b9\u6cd5\uff0cGithub\u5df2\u7ecf\u5f00\u6e90\u4e86\u5f88\u591a\u597d\u7528\u7684Hook\u6846\u67b6\uff0c\u6211\u8fd9\u91cc\u4f7f\u7528dobby hook
\nhttps:\/\/github.com\/jmpews\/Dobby?tab=readme-ov-file<\/a><\/p>\n
dobby hook\u7f16\u8bd1\u597d\u540e\u4f7f\u7528\u975e\u5e38\u7684\u7b80\u5355\u554a
\n\u6211\u7684\u5efa\u8bae\u662f\u7f16\u8bd1\u6210\u9759\u6001\u94fe\u63a5\u5e93
\nlibdobby.a\uff0cdobby.h
\n\u9759\u6001\u94fe\u63a5\u5e93\u7f16\u8bd1\u4e4b\u540e\u4f1a\u76f4\u63a5\u878d\u5165\u5230\u7f16\u8bd1\u51fa\u6765\u7684so\u4e2d\uff0c\u8fd9\u6837\u4e0d\u5bb9\u6613\u88ab\u770b\u51fa\u6765\u7528\u4e86hook\u6846\u67b6\u3002<\/p>\n
\u5982\u4f55\u5728\u9879\u76ee\u4e2d\u4f7f\u7528dobby hook\u5462\uff1f<\/p>\n
\u9996\u5148\u5c06libdobby.a\u653e\u5230Jnilibs\u4e2d\uff0c\u7136\u540e\u628adobby.h\u653e\u5230include\u4e2d
\n\u63a5\u4e0b\u6765\u7ed9\u4e00\u4efd\u6211\u7684Cmakelist.txt \u81ea\u884c\u7406\u89e3\u4e00\u4e0b\uff0c\u5176\u4e2d\u52a0\u5165\u4e86\u5bf9\u9759\u6001\u94fe\u63a5\u5e93\u7b26\u53f7\u7684\u53bb\u9664<\/p>\n
cmake_minimum_required(VERSION 3.10.2)\n\nproject("just")\n\n# ========================\n# \u6e90\u6587\u4ef6\n# ========================\nadd_library(${CMAKE_PROJECT_NAME} SHARED\n        just.cpp\n        detectFrida.cpp\n        )\n\n# ========================\n# \u5305\u542b\u8def\u5f84\n# ========================\ninclude_directories(\n        dobby\n)\n\n# ========================\n# \u5bfc\u5165\u9759\u6001\u5e93 libdobby.a\n# ========================\nadd_library(local_dobby STATIC IMPORTED)\nset_target_properties(local_dobby PROPERTIES\n        IMPORTED_LOCATION ${CMAKE_CURRENT_SOURCE_DIR}\/..\/jniLibs\/arm64-v8a\/libdobby.a\n        )\n\n# ========================\n# \u7f16\u8bd1\u4f18\u5316\u4e0e\u7b26\u53f7\u9690\u85cf\n# ========================\ntarget_compile_options(${CMAKE_PROJECT_NAME} PRIVATE\n        -fvisibility=hidden\n        -fvisibility-inlines-hidden\n        -fdata-sections\n        -ffunction-sections\n        -O3\n        )\n\n# \u5b8f\uff1a\u53ef\u7528\u4e8e\u6807\u8bb0\u663e\u5f0f\u5bfc\u51fa\u7684\u51fd\u6570\ntarget_compile_definitions(${CMAKE_PROJECT_NAME} PRIVATE EXPORT_SYMBOLS)\n\n# \u63a7\u5236\u7b26\u53f7\u53ef\u89c1\u6027\nset_target_properties(${CMAKE_PROJECT_NAME} PROPERTIES\n        CXX_VISIBILITY_PRESET hidden\n        VISIBILITY_INLINES_HIDDEN ON\n        POSITION_INDEPENDENT_CODE ON\n        )\n\n# ========================\n# \u751f\u6210 version script (\u63a7\u5236\u5bfc\u51fa\u7b26\u53f7)\n# ========================\nset(EXPORTS_FILE "${CMAKE_CURRENT_BINARY_DIR}\/exports.map")\nfile(WRITE ${EXPORTS_FILE} "{\n    global:\n        Java_*;\n        JNI_OnLoad;\n        JNI_OnUnload;\n    local:\n        *;\n};\n")\n\n# ========================\n# \u4fee\u6b63\u540e\u7684\u94fe\u63a5\u53c2\u6570\uff08\u53bb\u6389\u5206\u53f7\u95ee\u9898\uff09\n# ========================\nset(MY_EXTRA_LINKER_FLAGS\n        "-Wl,--version-script=${EXPORTS_FILE}"\n        "-Wl,--exclude-libs,ALL"\n        "-Wl,--gc-sections"\n        "-s"\n        )\n\n# \u628a\u5217\u8868\u8f6c\u6362\u4e3a\u7a7a\u683c\u5206\u9694\u5b57\u7b26\u4e32\uff08\u9632\u6b62 CMake \u7528 ;\uff09\nstring(REPLACE ";" " " MY_EXTRA_LINKER_FLAGS_STR "${MY_EXTRA_LINKER_FLAGS}")\n\n# \u8ffd\u52a0\u5230\u5171\u4eab\u5e93\u94fe\u63a5\u53c2\u6570\nset(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} ${MY_EXTRA_LINKER_FLAGS_STR}")\n\nmessage(STATUS "CMAKE_SHARED_LINKER_FLAGS = ${CMAKE_SHARED_LINKER_FLAGS}")\n\n# ========================\n# \u94fe\u63a5\u9636\u6bb5\n# ========================\ntarget_link_libraries(${CMAKE_PROJECT_NAME}\n        android\n        local_dobby\n        log\n        )\n<\/code><\/pre>\n
\u7f16\u8bd1\u5b8cdobby hook\u4e4b\u540e\u6211\u4eec\u4f1a\u53d1\u73b0\u5bfc\u51fa\u6765\u7684\u9879\u76ee\u662f\u6ca1\u6709\u81ea\u5df1\u7684cpp\u4ee3\u7801\u7684\uff0c\u6211\u4eec\u9700\u8981\u81ea\u5df1\u6dfb\u52a0<\/p>\n
\"file\"<\/div><\/p>\n
\u8fd9\u4e00\u6b65Android Studio \u4f1a\u5e2e\u6211\u4eec\u5b8c\u6210<\/p>\n
\u4f46\u662f \u5230\u4e86\u8fd9\u4e00\u6b65 \uff0c\u5982\u679c\u7528Unity Editor\u76ee\u5f55\u91cc\u7684NDK\u7684\u8bdd\uff0c\u7f16\u8bd1\u7684\u65f6\u5019\u4f1a\u5404\u79cd\u62a5\u9519\uff0c\u8fd9\u4e2a\u5c31\u975e\u5e38\u79bb\u8c31\u4e86\uff0c\u5e94\u4e3a\u8def\u5f84\u4e2d\u5e26\u7a7a\u683c\uff0c\u5e76\u4e14Java \u7248\u672c \u4ee5\u53candk\u7248\u672c\u79cd\u79cd\u95ee\u9898\uff0c\u5bfc\u81f4\u5728\u8fd9\u4e00\u6b65\u5361\u4e86\u5f88\u4e45\uff0c\u4f46\u6700\u540e\u8fd8\u662f\u6210\u529f\u7684\u7f16\u8bd1\u51fa\u6765\u4e86\uff0c(\u4e5f\u8bb8\u4f60\u4e0d\u4f1a\u51fa\u73b0\u8fd9\u4e2aBUG)<\/p>\n
\u53e6\u5916Cmake\u7684\u7248\u672c\u4e5f\u4f1a\u5f71\u54cd\uff0c\u6211\u5728\u7528\u9ad8\u7248\u672c\u7684Cmake\u7684\u65f6\u5019\u4e00\u76f4\u5728\u62a5\u9519\uff0c\u5947\u5947\u602a\u602a\u7684\uff0c\u8fd9\u91cc\u628alauncher\u7684build.gradle\u5206\u4eab\u51fa\u6765\uff0c\u5927\u5bb6\u9047\u5230\u5947\u5947\u602a\u602a\u7684\u62a5\u9519\u4e5f\u53ef\u4ee5\u53c2\u8003\u53c2\u8003<\/p>\n
\/\/ GENERATED BY UNITY. REMOVE THIS COMMENT TO PREVENT OVERWRITING WHEN EXPORTING AGAIN\n\napply plugin: 'com.android.application'\n\ndependencies {\n    implementation project(':unityLibrary')\n    }\n\nandroid {\n    compileSdkVersion 33\n    buildToolsVersion '30.0.2'\n\n    compileOptions {\n        sourceCompatibility JavaVersion.VERSION_1_8\n        targetCompatibility JavaVersion.VERSION_1_8\n    }\n\n    defaultConfig {\n        minSdkVersion 28\n        targetSdkVersion 33\n        applicationId 'com.DefaultCompany.just'\n        ndk {\n            abiFilters 'arm64-v8a'\n        }\n        versionCode 1\n        versionName '1.0'\n    }\n    externalNativeBuild {\n        cmake {\n            version "3.10.2"\n            path = "src\/main\/cpp\/CMakeLists.txt"\n        }\n    }\n    aaptOptions {\n        noCompress = ['.ress', '.resource', '.obb'] + unityStreamingAssets.tokenize(', ')\n        ignoreAssetsPattern = "!.svn:!.git:!.ds_store:!*.scc:.*:!CVS:!thumbs.db:!picasa.ini:!*~"\n    }\n\n    lintOptions {\n        abortOnError false\n    }\n\n    buildTypes {\n        debug {\n            minifyEnabled false\n            proguardFiles getDefaultProguardFile('proguard-android.txt')\n            signingConfig signingConfigs.debug\n            jniDebuggable true\n        }\n        release {\n            minifyEnabled false\n            proguardFiles getDefaultProguardFile('proguard-android.txt')\n            signingConfig signingConfigs.debug\n        }\n    }\n\n    packagingOptions {\n        doNotStrip '*\/arm64-v8a\/*.so'\n    }\n\n    bundle {\n        language {\n            enableSplit = false\n        }\n        density {\n            enableSplit = false\n        }\n        abi {\n            enableSplit = true\n        }\n    }\n}\n<\/code><\/pre>\n
\u63a5\u4e0b\u6765\u5c31\u662f\u6b63\u5f0f\u5f00\u59cb\u5199Hook \u4ee3\u7801\u4e86<\/p>\n
\u6211\u4eec\u5728Unity palyer\u4e2d\u9700\u8981\u52a0\u8f7d\u6211\u4eec\u7528\u4e8e\u52a0\u56fa\u7684lib\u5e93\uff0c\u540e\u901a\u8fc7JNI_Onload \u6216\u8005 init_array \u90fd\u53ef\u4ee5\uff0c\u4f46JNI_Onload\u53ea\u6709System.loadLibary\u624d\u6709\u6548\uff0c\u5982\u679c\u662fso\u4e2ddlopen \u6bd4\u5982\u81ea\u5b9a\u4e49linker\u7684\u8bdd\u662f\u9700\u8981\u81ea\u5df1\u7ed9JNI_Onload\u4f20\u9012JVM\u5e76\u4e14\u81ea\u5df1\u8c03\u7528\u7684\uff0c\u5176\u5b9e\u6700\u63a8\u8350\u7684\u8fd8\u662f\u5378\u8f7dinit_array\uff0c\u7ed9\u6211\u4eec\u7684\u52a0\u8f7d\u51fd\u6570\u4fee\u9970\u6210\u6784\u9020\u51fd\u6570\u5373\u53ef\u3002<\/p>\n
UnityPlayerActivity \u4e2d\u8f7d\u5165\u52a0\u56faSO\u6587\u4ef6\uff1a
\n
\"file\"<\/div><\/p>\n
\u901a\u8fc7\u6784\u9020\u51fd\u6570\u6765\u8c03\u7528Init_Hook\uff1a<\/p>\n
__attribute__((constructor))\nstatic void OnLoad() {\n    LOGI("libjust.so loaded \u2014 initializing hook...");\n    InitHook();\n}\n<\/code><\/pre>\n
\u4f7f\u7528 dobby hook \u6765 hook lib\u5e93\u7684\u5bfc\u51fa\u7b26\u53f7\u6211\u4eec\u9996\u5148\u53ef\u4ee5\u901a\u8fc7dlopen \u8fd9\u4e2alib\u5e93\uff0c\u7136\u540e\u901a\u8fc7dlsym\u6765\u901a\u8fc7\u7b26\u53f7\u83b7\u53d6\u6211\u4eec\u9700\u8981hook\u7684\u5bfc\u5165\u51fd\u6570\u7684\u5730\u5740\uff0c\u968f\u540e\u521d\u59cb\u5316hook\u5373\u53ef\uff0c\u8fd9\u91cc\u5c55\u793a\u4e00\u4e0b\u6211\u4eechook libdl.so \u83b7\u53d6dlopen \u5730\u5740\u7684\u529e\u6cd5\u3002<\/p>\n
Init_Hook \u5b9e\u73b0\u4ee3\u7801\uff1a<\/p>\n
    void* libdl = dlopen("libdl.so", RTLD_NOW);\n    if (!libdl) {\n        LOGE("InitHook: dlopen(libdl.so) failed");\n        return;\n    }\n\n    void* sym_dlopen = dlsym(libdl, "dlopen");\n    if (sym_dlopen) {\n        if (DobbyHook(sym_dlopen, (void*)my_dlopen, (void**)&orig_dlopen) == 0) {\n            LOGI("InitHook: Hooked dlopen");\n        } else {\n            LOGE("InitHook: DobbyHook dlopen failed");\n        }\n    } else {\n        LOGE("InitHook: dlsym dlopen failed");\n    }<\/code><\/pre>\n
\u8fd9\u91cc\u6211\u4eec\u77e5\u9053dlopen\u7684\u53c2\u6570\u683c\u5f0f\uff1adlopen("path\/to\/libX.so", flags)\uff0c\u4f3c\u4e4e\u6211\u4eec\u8fd9\u6837Hook\u53ea\u80fd\u591f\u83b7\u53d6\u5230\u52a0\u8f7dso\u7684\u8def\u5f84\uff0c\u5982\u679c\u6211\u4eec\u8bfb\u53d6\u8def\u5f84\u52a8\u6001\u89e3\u5bc6\u7684\u8bdd\uff0c\u89e3\u5bc6\u7684so\u5c31\u843d\u5730\u4e86\uff0c\u8fd9\u5e76\u4e0d\u662f\u4e00\u79cd\u597d\u65b9\u6cd5\uff0c\u63a5\u4e0b\u6765\u6211\u4eec\u601d\u8003\u89e3\u51b3\u8fd9\u4e2a\u95ee\u9898\u7684\u529e\u6cd5\u3002<\/p>\n
\u53e6\u5916\u63d0\u4e00\u5634\uff0c\u5927\u591a\u6570\u52a0\u56fa\u5382\u5546\u5728\u6b64\u5904\u53ef\u80fd\u5c31\u66ff\u6362\u6210\u81ea\u5df1\u7684linker\u4e86\uff0c\u8981\u5199\u4e00\u4e2a\u7a33\u5b9a\u7684linker\u5bf9\u4e8e\u6211\u76ee\u524d\u7684\u5b9e\u529b\u6765\u8bf4\u8fd8\u662f\u5dee\u70b9\u610f\u601d\uff0c\u6240\u4ee5\u8fd9\u6b21\u65f6\u95f4\u6211\u91c7\u7528\u6574\u4f53\u52a0\u5bc6\u7684\u65b9\u6848\uff0c\u800c\u4e0d\u662f\u7528\u96be\u5ea6\u66f4\u9ad8\u7684linker\u3002<\/p>\n
\u8a00\u5f52\u6b63\u4f20\u6211\u4eec\u8981\u91c7\u7528\u7684\u6280\u672f\u4e3amemfd\uff08memfd \u662f\u5185\u6838\u63d0\u4f9b\u7684\u4e00\u79cd\u7279\u6b8a\u6587\u4ef6\u63cf\u8ff0\u7b26\u673a\u5236\uff0c\u5b83\u521b\u5efa\u7684\u6587\u4ef6\u4e0d\u5728\u78c1\u76d8\u4e0a\uff0c\u800c\u662f\u5728\u5185\u5b58\u4e2d\u3002\uff09<\/p>\n
\u6362\u53e5\u8bdd\u8bf4\uff0c\u8fd9\u4e2a\u6587\u4ef6\u662f\u201c\u5b58\u5728\u4e8e\u5185\u5b58\u91cc\u7684\u4e34\u65f6\u6587\u4ef6\u201d\uff0c\u4f46\u662f\u5bf9\u7cfb\u7edf\u6765\u8bf4\u5b83\u4f9d\u7136\u662f\u4e00\u4e2a\u5408\u6cd5\u7684\u6587\u4ef6\u5bf9\u8c61\uff0c\u53ef\u4ee5\u88ab dlopen \u6216 android_dlopen_ext \u8bc6\u522b\u5e76\u52a0\u8f7d\u3002<\/p>\n
memfd_create \u8fd4\u56de\u7684\u662f\u4e00\u4e2a\u6587\u4ef6\u63cf\u8ff0\u7b26\uff08fd\uff09\uff0c\u4f60\u53ef\u4ee5\u5bf9\u5b83 write \u5199\u6570\u636e\u3001lseek\u3001\u751a\u81f3 mmap\u3002
\n\u5f53\u6211\u4eec\u628a\u89e3\u5bc6\u540e\u7684 ELF \u6570\u636e\u5199\u8fdb\u8fd9\u4e2a memfd \u4e4b\u540e\uff0c\u5c31\u7b49\u4ef7\u4e8e\u5f80\u4e00\u4e2a\u771f\u5b9e\u6587\u4ef6\u91cc\u5199\u5165\u4e86\u4e00\u4efd so\u3002
\n\u800c\u5185\u6838\u53c8\u5728 \/proc\/self\/fd\/ \u4e0b\u63d0\u4f9b\u4e86\u4e00\u4e2a\u4f2a\u8def\u5f84\u6620\u5c04\uff0c\u6bd4\u5982 \/proc\/self\/fd\/37\uff0c\u6307\u5411\u8fd9\u4e2a fd\u3002
\n\u6240\u4ee5\u5f53\u6211\u4eec\u5728 dlopen \u4e2d\u4f20\u5165\u8fd9\u4e2a\u8def\u5f84\u65f6\uff0cloader \u5b9e\u9645\u4e0a\u662f\u53bb\u8bfb\u6211\u4eec\u5185\u5b58\u4e2d\u7684 ELF \u6570\u636e\uff0c\u8fd9\u6837\u6574\u4e2a\u52a0\u8f7d\u8fc7\u7a0b\u5b8c\u5168\u8131\u79bb\u4e86\u78c1\u76d8\u3002<\/p>\n
\u56e0\u6b64\u6211\u4eec\u80fd\u5728 Hook \u7684\u65f6\u5019\u201c\u5077\u6881\u6362\u67f1\u201d\u2014\u2014\u5148\u62e6\u622a\u4f4f\u76ee\u6807 so \u7684\u52a0\u8f7d\uff0c\u518d\u628a\u5b83\u66ff\u6362\u6210\u4ece memfd \u4e2d\u52a0\u8f7d\u3002
\n\u5728\u8fd9\u4e2a\u8fc7\u7a0b\u4e2d\uff0c\u52a8\u6001\u94fe\u63a5\u5668\u5b8c\u5168\u4e0d\u4f1a\u5bdf\u89c9\u5230\u533a\u522b\uff0c\u56e0\u4e3a\u5bf9\u5b83\u6765\u8bf4\uff0c\u53ea\u8981\u80fd\u8bfb\u5230\u7b26\u5408 ELF \u683c\u5f0f\u7684\u5185\u5bb9\uff0c\u5b83\u5c31\u80fd\u7167\u5e38\u52a0\u8f7d\u3002<\/p>\n
\uff08\u8001\u89c4\u77e9\uff0cGPT\u6765\u4e00\u5f20\uff0c\u65b9\u4fbf\u7406\u89e3<\/p>\n
\"file\"<\/div><\/p>\n
\u63a5\u4e0b\u6765\u662f\u6211\u7684\u5b8c\u6574\u4ee3\u7801\u5b9e\u73b0<\/p>\n
\/\/ \u7528\u4e8e\u8868\u793a\u6211\u4eec\u662f\u5426\u628a\u89e3\u5bc6\u6570\u636e\u5199\u8fdb\u4e86 memfd\nstruct PreparedMem {\n    int fd;\n    bool used_memfd;\n    PreparedMem(): fd(-1), used_memfd(false) {}\n};\n\n\/\/ \u5f53\u4e14\u4ec5\u5f53 filename \u53ef\u76f4\u63a5 open\uff08\u5305\u542b '\/' \u6216 access \u53ef\u8bfb\uff09\u65f6\uff0c\u8bfb\u53d6\u6587\u4ef6\u3001RC4 \u89e3\u5bc6\u5e76\u5199\u5165 memfd\uff08\u4e0d\u843d\u5730\uff09\nstatic PreparedMem prepare_memfd_if_local_path(const char* filename) {\n    PreparedMem ret;\n    if (!filename) return ret;\n\n    bool has_slash = strchr(filename, '\/') != nullptr;\n    if (!has_slash) {\n        if (access(filename, R_OK) != 0) {\n            \/\/ basename \u4e14\u4e0d\u53ef\u76f4\u63a5\u8bbf\u95ee \u2014 \u653e\u8fc7 loader \u53bb\u5bfb\u627e\u5b9e\u9645\u8def\u5f84\n            return ret;\n        }\n    }\n\n    int fd = open(filename, O_RDONLY);\n    if (fd < 0) {\n     \/\/   LOGE("prepare_memfd_if_local_path: open(%s) failed: %s", filename, strerror(errno));\n        return ret;\n    }\n\n    uint8_t header[4] = {0};\n    ssize_t rn = pread(fd, header, sizeof(header), 0);\n    if (rn == (ssize_t)sizeof(header) && is_elf_header(header, sizeof(header))) {\n        close(fd);\n       \/\/ LOGI("prepare_memfd_if_local_path: %s is already ELF", filename);\n        return ret;\n    }\n\n    struct stat st;\n    if (fstat(fd, &st) != 0 || st.st_size <= 0) {\n       \/\/ LOGE("prepare_memfd_if_local_path: fstat failed or zero-size for %s", filename);\n        close(fd);\n        return ret;\n    }\n\n    size_t size = (size_t)st.st_size;\n    std::vector<uint8_t> buf(size);\n    ssize_t got = pread(fd, buf.data(), size, 0);\n    close(fd);\n    if (got != (ssize_t)size) {\n       \/\/ LOGE("prepare_memfd_if_local_path: read failed %zd\/%zu", got, size);\n        return ret;\n    }\n\n  \/\/  LOGI("prepare_memfd_if_local_path: %s appears encrypted (len=%zu), decrypting to memfd...", filename, size);\n    \/\/ \u7528\u7eaf RC4 \u89e3\u5bc6\uff08\u4e0e\u4f60 Python \u811a\u672c\u4e00\u81f4\uff09\n    rc4_crypt(buf.data(), buf.size(), (const uint8_t*)RC4_KEY, strlen(RC4_KEY));\n\n    int memfd = try_memfd_create("dec_il2cpp");\n    if (memfd < 0) {\n       \/\/ LOGE("prepare_memfd_if_local_path: memfd_create failed");\n        return ret;\n    }\n\n    ssize_t wrote = write(memfd, buf.data(), buf.size());\n    if (wrote != (ssize_t)buf.size()) {\n       \/\/ LOGE("prepare_memfd_if_local_path: write memfd failed %zd\/%zu", wrote, buf.size());\n        close(memfd);\n        return ret;\n    }\n    lseek(memfd, 0, SEEK_SET);\n\n    \/\/ \u9a8c\u8bc1 memfd \u9996 4 \u5b57\u8282\u662f ELF\uff08\u4ec5\u4f5c debug \u4fdd\u8bc1\uff09\n    uint8_t check_head[4] = {0};\n    ssize_t rn2 = pread(memfd, check_head, sizeof(check_head), 0);\n    if (rn2 == (ssize_t)sizeof(check_head)) {\n        if (is_elf_header(check_head, 4)) {\n           \/\/ LOGI("prepare_memfd_if_local_path: memfd contains valid ELF header");\n        } else {\n\/\/            LOGE("prepare_memfd_if_local_path: memfd header NOT ELF: %02x %02x %02x %02x",\n\/\/                 check_head[0], check_head[1], check_head[2], check_head[3]);\n            \/\/ \u4f46\u4ecd\u7ee7\u7eed\u8ba9 loader\u5c1d\u8bd5\uff08\u4ee5\u4fbf\u6253\u5370\u9519\u8bef\uff09\uff0c\u4e0d\u7acb\u5373\u5173\u95ed memfd here.\n        }\n    }\n\n    ret.fd = memfd;\n    ret.used_memfd = true;\n    LOGI("prepare_memfd_if_local_path: decrypted content written to memfd fd=%d", memfd);\n    return ret;\n}\n\n\/\/ \u4f7f\u7528 memfd \u52a0\u8f7d\uff1a\u4f18\u5148\u4f7f\u7528 android_dlopen_ext + ANDROID_DLEXT_USE_LIBRARY_FD\u3002\n\/\/ \u6ce8\u610f\uff1a\u4e0d\u8981\u5728 loader \u8c03\u7528\u524d\u5173\u95ed fd\uff0cloader \u8fd4\u56de\u540e\u518d close\u3002\nstatic void* load_from_memfd(const char* orig_path, int flag, PreparedMem &pm) {\n    if (!pm.used_memfd || pm.fd < 0) return nullptr;\n    void* handle = nullptr;\n\n    if (orig_android_dlopen_ext) {\n        android_dlextinfo info;\n        memset(&info, 0, sizeof(info));\n        \/\/ \u8bbe\u7f6e flags \u4e3a\u8bf7\u6c42\u4ece fd \u52a0\u8f7d\n        info.flags = ANDROID_DLEXT_USE_LIBRARY_FD;\n        \/\/ \u5c06 memfd \u653e\u8fdb\u6b63\u786e\u5b57\u6bb5\n#if defined(HAVE_ANDROID_DLEXT_H)\n        \/\/ \u5f53\u7cfb\u7edf\u5934\u5df2\u5305\u542b\u65f6\u5b57\u6bb5\u5e03\u5c40\u4e0e\u7cfb\u7edf\u4e00\u81f4\n        info.library_fd = pm.fd;\n#else\n        \/\/ \u5f53\u4f7f\u7528\u6211\u4eec\u7684\u517c\u5bb9 typedef \u65f6\u540c\u6837\u5199\u5165 library_fd\n        info.library_fd = pm.fd;\n#endif\n        handle = orig_android_dlopen_ext(orig_path, flag, &info);\n        if (handle) {\n            LOGI("load_from_memfd: loaded via android_dlopen_ext (fd=%d)", pm.fd);\n        } else {\n            LOGE("load_from_memfd: android_dlopen_ext failed: %s", dlerror());\n        }\n    } else if (orig_dlopen) {\n        \/\/ fallback: dlopen("\/proc\/self\/fd\/N")\n        char procpath[64];\n        snprintf(procpath, sizeof(procpath), "\/proc\/self\/fd\/%d", pm.fd);\n        handle = orig_dlopen(procpath, flag);\n        if (handle) {\n            LOGI("load_from_memfd: loaded via dlopen(procfd) (fd=%d)", pm.fd);\n        } else {\n            LOGE("load_from_memfd: dlopen(procfd) failed: %s", dlerror());\n        }\n    } else {\n        LOGE("load_from_memfd: no original loader available");\n    }\n\n    return handle;\n}\n\n\/\/ Hooked dlopen\nextern "C" void* my_dlopen(const char* filename, int flag) {\n    LOGI("my_dlopen intercept: %s", filename ? filename : "NULL");\n\n    PreparedMem pm = prepare_memfd_if_local_path(filename);\n    void* handle = nullptr;\n\n    if (pm.used_memfd && pm.fd >= 0) {\n        handle = load_from_memfd(filename, flag, pm);\n        \/\/ loader \u8fd4\u56de\u540e\u624d close fd\n        close(pm.fd);\n        pm.fd = -1;\n        pm.used_memfd = false;\n        if (handle) return handle;\n    }\n\n    if (orig_dlopen) {\n        handle = orig_dlopen(filename, flag);\n    } else {\n        LOGE("my_dlopen: orig_dlopen is null");\n    }\n    return handle;\n}\n<\/code><\/pre>\n
\u81f3\u6b64\uff0c\u6211\u4eec\u5b9e\u73b0\u4e86\u4e00\u4e2a\u7b80\u5355\u7684\u52a0\u5bc6lib2cpp.so\u7684\u529f\u80fd\uff0c\u6b63\u5982\u6211\u5982\u4e0a\u4ee3\u7801\uff0c\u6211\u4eec\u8fd8\u52a0\u5165\u4e86ELF\u5934\u6821\u9a8c\uff0c\u8fd9\u6837\u6211\u4eec\u5728debug\u7684\u65f6\u5019\u4e00\u6837\u53ef\u4ee5\u8fd0\u884c\u3002<\/p>\n
\u5bf9Unity IL\u8f6c\u51fa\u6765\u7684CPP\u4ee3\u7801\u505a\u6df7\u6dc6<\/h3>\n
\u8fd9\u4e00\u6b65\u7684\u8bdd\u5b8c\u5168\u53ef\u4ee5\u4f7f\u7528ollvm\u6765\u7f16\u8bd1\uff0c\u4f46\u662f\u6709\u6ca1\u6709\u66f4\u7b80\u5355\u7684\u5462\uff0c\u663e\u7136\u662f\u6709\u7684<\/p>\n
\u6211\u4eec\u53ef\u4ee5\u5229\u7528\u73b0\u6210\u7684\u9879\u76ee
\nhttps:\/\/github.com\/ac3ss0r\/obfusheader.h<\/a>
\n\u901a\u8fc7\u5934\u6587\u4ef6\u6765\u5bf9\u9879\u76ee\u4ee3\u7801\u8fdb\u884c\u6df7\u6dc6<\/p>\n
\u9879\u76ee\u751f\u6210\u7684\u6e90\u4ee3\u7801\u7684\u4f4d\u7f6e\u5728<\/p>\n
unityLibrary\\src\\main\\Il2CppOutputProject\\Source\\il2cppOutput\\Assembly-CSharp.cpp<\/code><\/pre>\n
\u6211\u4eec\u76f4\u63a5\u5bfc\u5165obfusheader.h\u5373\u53ef\uff0c\u4f46\u662f\u8fd9\u91cc\u53ef\u80fdobfusheader.h\u7684\u90e8\u5206\u5199\u6cd5\u4f1a\u4e0e\u4f60\u7684\u7f16\u8bd1\u7248\u672c\u51b2\u7a81\uff0c\u9700\u8981\u4eba\u4e3a\u4fee\u6539\u7684\u60c5\u51b5\uff0c\u8fd9\u91cc\u4f60\u7ed3\u5408AI\u548c\u62a5\u9519\u770b\u770b\u54ea\u4e9b\u8bed\u6cd5\u9700\u8981\u4fee\u6539\u5373\u53ef\uff0c\u591a\u5c1d\u8bd5\u51e0\u6b21\u3002<\/p>\n
\u7ed3\u5c3e\uff08\u9644\u9006\u5411\u8fc7\u7a0b<\/h2>\n
\u81f3\u6b64\u4e5f\u5c31\u5b8c\u6210\u4e86\u4e00\u4e2a\u7b80\u5355\u7684Unity\u52a0\u56fa\uff0c\u4ece\u840c\u751f\u8fd9\u4e2a\u60f3\u6cd5\u5230\u5b9e\u73b0\u524d\u524d\u540e\u540e\u82b1\u4e86\u51e0\u5929\uff0c\u4e0a\u73ed\u8fde\u7eed\u65f6\u95f4\u6bd4\u8f83\u77ed\uff0c\u4f46\u73b0\u5728AI\u53d1\u5c55\u8d8b\u52bf\u611f\u89c9\u5b66\u4e60\u7684\u6210\u672c\u8d8a\u6765\u8d8a\u4f4e\u4e86\uff0c\u4e2d\u9014\u4e5f\u5404\u79cd\u7f16\u8bd1\u62a5\u9519\u7ed9\u6211\u6574\u7684\u72af\u6076\u5fc3\u8fc7\uff0c\u4f46\u597d\u5728\u90fd\u89e3\u51b3\u4e86\u3002<\/p>\n
\u6700\u540e\u9644\u4e0a\u8fd9\u9053\u9898\u7684\u9006\u5411\u8fc7\u7a0b\u5427<\/p>\n
\u9006\u5411\u8fc7\u7a0b<\/h3>\n
il2cpp\u7684app\u5c1d\u8bd5il2cpp dumper<\/p>\n
\"file\"<\/div><\/p>\n
\u76f4\u63a5\u62a5\u9519<\/p>\n
\u53d1\u73b0libil2cpp.so\u662f\u88ab\u52a0\u5bc6\u7684<\/p>\n
\"file\"<\/div><\/p>\n
\u5728just.so \u4e2d\u53d1\u73b0\u4e86\u662fhook\u4e86dlpen<\/p>\n
\"file\"<\/div><\/p>\n
\u627e\u5230dobbyhook\u771f\u5b9e\u51fd\u6570\u5e76\u7ed9\u4ed6\u547d\u540d<\/p>\n
\"file\"<\/div><\/p>\n
\"file\"<\/div><\/p>\n
\u6ce8\u518c\u7684hook\u5728\u8fd9\u91cc<\/p>\n
\"file\"<\/div><\/p>\n
\u9006\u5411\u53d1\u73b0\u662frc4^0x33<\/p>\n
\"file\"<\/div>
\n\u5bc6\u94a5\u662f\u8fd9\u4e2a<\/p>\n
\"file\"<\/div><\/p>\n
\"file\"<\/div><\/p>\n
\u89e3\u5bc6Libil2cpp.so<\/p>\n
#!\/usr\/bin\/env python3\n"""\nrc4_encrypt.py\n\nUsage:\n    python rc4_encrypt.py encrypt  input.so  output.so.enc\n    python rc4_encrypt.py decrypt  input.so.enc  output.so.dec\n\nThis script performs RC4 encryption\/decryption (same operation).\nKey: "nihaounity" by default (you can change or pass your own key).\n"""\n\nimport sys\nimport os\n\nDEFAULT_KEY = b"nihaounity"\n\ndef rc4(data: bytes, key: bytes) -> bytes:\n    """Simple RC4 implementation (KSA + PRGA)."""\n    # Key-scheduling algorithm (KSA)\n    S = list(range(256))\n    j = 0\n    key_len = len(key)\n    if key_len == 0:\n        raise ValueError("Key must not be empty")\n    for i in range(256):\n        j = (j + S[i] + key[i % key_len]) & 0xFF\n        S[i], S[j] = S[j], S[i]\n\n    # Pseudo-random generation algorithm (PRGA)\n    i = 0\n    j = 0\n    out = bytearray(len(data))\n    for n in range(len(data)):\n        i = (i + 1) & 0xFF\n        j = (j + S[i]) & 0xFF\n        S[i], S[j] = S[j], S[i]\n        K = S[(S[i] + S[j]) & 0xFF]^ 0x33\n        out[n] = data[n] ^ K\n    return bytes(out)\n\ndef process_file(mode: str, in_path: str, out_path: str, key: bytes):\n    if not os.path.isfile(in_path):\n        print(f"Input file not found: {in_path}")\n        sys.exit(2)\n\n    # Read input file\n    with open(in_path, "rb") as f:\n        data = f.read()\n\n    # RC4 transform\n    transformed = rc4(data, key)\n\n    # Write output file (mode preserved with 0o644)\n    tmp_out = out_path + ".tmp"\n    with open(tmp_out, "wb") as f:\n        f.write(transformed)\n    os.replace(tmp_out, out_path)\n    os.chmod(out_path, 0o644)\n    print(f"{mode.title()} finished: {in_path} -> {out_path}")\n\ndef print_usage_and_exit():\n    print("Usage:")\n    print("  python rc4_encrypt.py encrypt input.so output.so.enc")\n    print("  python rc4_encrypt.py decrypt input.so.enc output.so.dec")\n    print("Optional: set RC4 key via environment variable RC4_KEY (bytes), or edit DEFAULT_KEY in script.")\n    sys.exit(1)\n\ndef main():\n    if len(sys.argv) != 4:\n        print_usage_and_exit()\n\n    mode = sys.argv[1].lower()\n    input_path = sys.argv[2]\n    output_path = sys.argv[3]\n\n    if mode not in ("encrypt", "decrypt"):\n        print_usage_and_exit()\n\n    # Allow overriding key via env var (as hex or raw). If RC4_KEY_HEX set, use hex decode.\n    env_key_hex = os.environ.get("RC4_KEY_HEX")\n    env_key_raw = os.environ.get("RC4_KEY")\n    if env_key_hex:\n        try:\n            key = bytes.fromhex(env_key_hex)\n        except Exception as e:\n            print("Invalid RC4_KEY_HEX:", e)\n            sys.exit(3)\n    elif env_key_raw:\n        key = env_key_raw.encode("utf-8")\n    else:\n        key = DEFAULT_KEY\n\n    process_file(mode, input_path, output_path, key)\n\nif __name__ == "__main__":\n    main()\n<\/code><\/pre>\n
\u68c0\u67e5metadata\u53ef\u4ee5\u53d1\u73b0\u662f\u52a0\u5bc6\u7684<\/p>\n
\"file\"<\/div>
\n\u90a3\u4e48\u53ea\u80fd\u53bbil2cpp\u91cc\u9762\u770b\u4e86\uff0c\u90a3\u4e48metadata-loader\uff08il2cpp\u5b98\u65b9\u6e90\u4ee3\u7801\uff09\u4e2d\u6709\u4e00\u4e2a\u5b57\u7b26\u4e32\u53ef\u4ee5\u5e2e\u52a9\u6211\u4eec\u5b9a\u4f4d\u903b\u8f91<\/p>\n
\"file\"<\/div><\/p>\n
\"file\"<\/div><\/p>\n
\u6240\u4ee5\u76f4\u63a5\u53ef\u4ee5\u770b\u5230else\u540e\u9762\u7684\u903b\u8f91\u5c31\u662f\u5f00\u59cb\u8f7d\u5165metadata\u4e86<\/p>\n
\"file\"<\/div><\/p>\n
\u770b\u5230\u89e3\u5bc6\u903b\u8f91\uff0c\u76f4\u63a5\u5199\u89e3\u5bc6\u811a\u672c<\/p>\n
#!\/usr\/bin\/env python3\n"""\nil2cpp-style file "decryption" script that mirrors PromiseAntiencryption in C.\n\nUsage:\n    python il2cpp_decrypt.py input_encrypted_file output_decrypted_file\n"""\n\nimport sys\nimport struct\nfrom pathlib import Path\n\nSAFE_SIZE = 1024  # \u4e0e C \u91cc\u4e00\u81f4\n\ndef decrypt_file(in_path: str, out_path: str, little_endian: bool = True):\n    data = Path(in_path).read_bytes()\n    total_len = len(data)\n\n    if total_len < SAFE_SIZE + 4:\n        raise ValueError("\u6587\u4ef6\u8fc7\u77ed\uff0c\u65e0\u6cd5\u5305\u542b\u5b89\u5168\u533a\u548c mask header")\n\n    endian = "<" if little_endian else ">"\n    u32 = endian + "I"\n\n    # \u5728 safe_size \u504f\u79fb\u5904\u8bfb\u53d6 header uint32\uff0c\u4f4e 16 \u4f4d\u4e3a kl\n    header_val = struct.unpack_from(u32, data, SAFE_SIZE)[0]\n    kl = header_val & 0xffff\n    if kl <= 0:\n        raise ValueError(f"\u975e\u6cd5\u7684 kl: {kl}")\n\n    # \u8ba1\u7b97\u504f\u79fb\n    mask_header_offset = SAFE_SIZE  # header \u5728\u8fd9\u91cc\n    mask_array_offset = mask_header_offset + 4  # \u7d27\u8ddf header\n    enc_data_offset = SAFE_SIZE + 4 * (kl + 1)  # header + kl \u4e2a uint32 \u540e\u9762\u5c31\u662f\u52a0\u5bc6\u6570\u636e\n\n    if total_len < enc_data_offset:\n        raise ValueError("\u6587\u4ef6\u592a\u77ed\uff0c\u65e0\u6cd5\u5305\u542b\u58f0\u660e\u7684 mask \u6570\u7ec4\u548c\u52a0\u5bc6\u6570\u636e")\n\n    # \u8bfb\u53d6 mask \u6570\u7ec4\uff08kl \u4e2a uint32\uff09\n    mask = []\n    for i in range(kl):\n        off = mask_array_offset + 4 * i\n        mask.append(struct.unpack_from(u32, data, off)[0])\n\n    # \u52a0\u5bc6\u6570\u636e\u957f\u5ea6\uff08\u5b57\u8282\uff09\n    enc_len = total_len - enc_data_offset\n    # C \u4ee3\u7801\u4ee5 4 \u5b57\u8282\u4e3a\u5355\u4f4d\u5904\u7406 => \u5982\u679c\u4e0d\u662f 4 \u7684\u500d\u6570\uff0c\u6309\u53ef\u7528\u957f\u5ea6\u5904\u7406\uff08\u4e0e C \u4ee3\u7801\u4e00\u81f4\u6027\u4f9d\u8d56\u4e8e\u6e90\u6587\u4ef6\uff09\n    enc_len_trunc = enc_len - (enc_len % 4)\n\n    # \u6784\u9020\u8f93\u51fa\uff1a\u5148\u5199 safe \u533a\uff08\u539f\u6837 copy\uff09\uff0c\u7136\u540e\u5199\u89e3\u5bc6\u540e\u7684\u6570\u636e\n    out_bytes = bytearray()\n    out_bytes += data[0:SAFE_SIZE]\n\n    # \u89e3\u5bc6\u5faa\u73af\uff08\u6bcf 4 \u5b57\u8282\uff09\n    # i \u8868\u793a\u76f8\u5bf9\u4e8e enc_data_offset \u7684\u5b57\u8282\u504f\u79fb\uff080,4,8,...\uff09\n    for i in range(0, enc_len_trunc, 4):\n        # index = (i + (i \/\/ kl)) % kl  \uff08\u6ce8\u610f C \u4e2d i\/kl \u4e3a\u6574\u9664\uff09\n        idx = (i + (i \/\/ kl)) % kl\n        mask_word = mask[idx]\n        enc_word = struct.unpack_from(u32, data, enc_data_offset + i)[0]\n        plain_word = mask_word ^ enc_word\n        out_bytes += struct.pack(u32, plain_word)\n\n    # \u5982\u679c enc_len \u4e0d\u662f 4 \u7684\u500d\u6570\uff0cC \u7248\u672c\u5b9e\u9645\u4e0a\u4e0d\u4f1a\u5904\u7406\u672b\u5c3e\u4e0d\u8db3 4 \u5b57\u8282\u7684\u90e8\u5206\uff08\u56e0\u4e3a\u5b83\u6b65\u957f\u4e3a4\uff09\n    # \u4e3a\u4e86\u5b89\u5168\uff0c\u8fd9\u91cc\u628a\u539f\u59cb\u6b8b\u4f59\u5b57\u8282\u5ffd\u7565\uff08\u4e0e C \u884c\u4e3a\u4e00\u81f4\uff09\u3002\u5982\u9700\u4fdd\u7559\u672a\u5904\u7406\u5c3e\u90e8\uff0c\u53ef\u53d6\u6d88\u4e0b\u9762\u6ce8\u91ca\u3002\n    # if enc_len % 4 != 0:\n    #     out_bytes += data[enc_data_offset + enc_len_trunc : enc_data_offset + enc_len]\n\n    # \u8f93\u51fa\u5230\u6587\u4ef6\n    Path(out_path).write_bytes(bytes(out_bytes))\n    print(f"\u5df2\u5199\u51fa\u89e3\u5bc6\u7ed3\u679c: {out_path}  (\u8f93\u51fa\u5927\u5c0f {len(out_bytes)} \u5b57\u8282)")\n\ndef main():\n    if len(sys.argv) != 3:\n        print("\u7528\u6cd5: python il2cpp_decrypt.py input_encrypted_file output_decrypted_file")\n        sys.exit(2)\n    in_f = sys.argv[1]\n    out_f = sys.argv[2]\n    try:\n        decrypt_file(in_f, out_f, little_endian=True)\n    except Exception as e:\n        print("\u89e3\u5bc6\u5931\u8d25:", e)\n        sys.exit(1)\n\nif __name__ == "__main__":\n    main()\n<\/code><\/pre>\n
\"file\"<\/div><\/p>\n
\u89e3\u5bc6\u540e\u7684\u6539\u540d\u56deglobal-metadata.dat<\/p>\n
\u7136\u540e\u4f7f\u7528il2cppdumper<\/p>\n
\"file\"<\/div><\/p>\n
dump\u6210\u529f\u8f7d\u5165\u7b26\u53f7,\u7136\u540e\u627e\u5230flagcheck\uff0c\u76f4\u63a5\u770b\u903b\u8f91<\/p>\n
\"file\"<\/div><\/p>\n
\"file\"<\/div><\/p>\n
\u5bc6\u6587\u5728\u8fd9\u91cc\u4e0b\u65ad\u70b9\u83b7\u53d6<\/p>\n
\"file\"<\/div><\/p>\n
\"file\"<\/div><\/p>\n
\u81ea\u7136Tea\u7684key\u4e5f\u9700\u8981\u8c03\u8bd5\u83b7\u53d6\u6216\u8005frida Hook<\/p>\n
\"file\"<\/div><\/p>\n
\u4f46\u9700\u8981\u8fc7Frida check<\/p>\n
\u6216\u8005\u6839\u636eil2cpp\u7279\u6027<\/p>\n
\u6570\u636e\u5728\u8fd9\u91cc\u521d\u59cb\u5316<\/p>\n
\"file\"<\/div><\/p>\n
\"file\"<\/div><\/p>\n
4\u4e2aint\u662ftea key<\/p>\n
40\u4e2abyte\u662f\u5bc6\u6587<\/p>\n
C8E4E9E3F34C25560172B0D40B6DF4823260AA87EC6866054AA4691711E5D7BF<\/p>\n
\u627e\u5230\u54c8\u5e0c<\/p>\n
\u5728il2cppdumper\u751f\u6210\u7684dump.cs\u4e2d\u67e5\u627e<\/p>\n
\"file\"<\/div><\/p>\n
\u627e\u5230offset\uff0c\u7136\u540e\u76f4\u63a5\u9759\u6001dump<\/p>\n
#!\/usr\/bin\/env python3\nimport argparse\nimport os\nimport sys\nfrom pathlib import Path\nimport textwrap\nimport binascii\n\nDEFAULTS = [\n    # (offset, size, shortname)\n    (0xF901D, 40, "29FC2CC7_40"),   # your __StaticArrayInitTypeSize=40 29FC2...\n    (0xF9045, 16, "C8E4E9E3_16"),   # your __StaticArrayInitTypeSize=16 C8E4...\n]\n\ndef parse_extra(s):\n    # format: offset:size:name  (offset can be hex with 0x)\n    parts = s.split(":")\n    if len(parts) < 2:\n        raise ValueError("extra must be offset:size[:name]")\n    off = int(parts[0], 0)\n    size = int(parts[1], 0)\n    name = parts[2] if len(parts) >= 3 else f"blob_{off:X}"\n    return (off, size, name)\n\ndef to_csharp_byte_array(b: bytes, per_line=16):\n    hexs = [f"0x{c:02X}" for c in b]\n    lines = []\n    for i in range(0, len(hexs), per_line):\n        lines.append(", ".join(hexs[i:i+per_line]))\n    joined = (",\\n    ").join(lines)\n    return "new byte[] {\\n    " + joined + "\\n};"\n\ndef main():\n    p = argparse.ArgumentParser(description="Extract raw blobs from global-metadata.dat by offset+size.")\n    p.add_argument("--meta", "-m", required=True, help="Path to global-metadata.dat")\n    p.add_argument("--outdir", "-o", default="extracted_private_impl", help="Output directory")\n    p.add_argument("--extra", "-e", action="append", help="Extra offset:size[:name] (hex allowed), repeatable")\n    p.add_argument("--defaults", action="store_true", help="Also extract script's built-in defaults")\n    args = p.parse_args()\n\n    meta_path = Path(args.meta)\n    if not meta_path.is_file():\n        print("Error: metadata file not found:", meta_path)\n        sys.exit(2)\n\n    outdir = Path(args.outdir)\n    outdir.mkdir(parents=True, exist_ok=True)\n\n    targets = []\n    if args.defaults or not args.extra:\n        # Add defaults if requested or if no extras provided\n        targets.extend(DEFAULTS)\n\n    if args.extra:\n        for s in args.extra:\n            try:\n                t = parse_extra(s)\n            except Exception as ex:\n                print("Failed to parse extra:", s, ex)\n                sys.exit(2)\n            targets.append(t)\n\n    print(f"Reading metadata: {meta_path}")\n    with open(meta_path, "rb") as f:\n        metadata = f.read()\n\n    meta_len = len(metadata)\n    print(f"Metadata length: {meta_len} bytes\\n")\n\n    for off, size, name in targets:\n        if off < 0 or off >= meta_len:\n            print(f"[!] Offset 0x{off:X} out of range (file size {meta_len}): skipping {name}")\n            continue\n        # defensive: don't read past EOF\n        read_size = min(size, meta_len - off)\n        if read_size <= 0:\n            print(f"[!] Nothing to read at 0x{off:X} for {name}")\n            continue\n\n        blob = metadata[off:off+read_size]\n        binfname = outdir \/ f"{name}_0x{off:X}_len{read_size}.bin"\n        with open(binfname, "wb") as out:\n            out.write(blob)\n\n        print(f"[+] Extracted {name}: offset=0x{off:X}, size={read_size} -> {binfname}")\n        # print hex preview (first 256 bytes)\n        preview = binascii.hexlify(blob[:256]).decode()\n        spaced = " ".join(preview[i:i+2] for i in range(0, len(preview), 2))\n        print("    preview:", spaced if spaced else "(empty)")\n        # print as C# initializer\n        cs = to_csharp_byte_array(blob)\n        print("\\n    C# byte[] initializer:\\n")\n        print(textwrap.indent(cs, "    "))\n        print("\\n" + ("-"*60) + "\\n")\n\n    print("Done. Files saved under:", outdir.resolve())\n\nif __name__ == "__main__":\n    main()\n<\/code><\/pre>\n
\"file\"<\/div><\/p>\n
\u8fd8\u539f\u51fa\u6765\u7684\u52a0\u5bc6\u903b\u8f91\u5c31\u5982\u4e0b<\/p>\n
#include<cstdio>\n#include<cmath>\n#include<map>\n#include<vector>\n#include<queue>\n#include<stack>\n#include<set>\n#include<string>\n#include<cstring>\n#include<list>\n#include<stdlib.h>\nusing namespace std;\ntypedef int status;\ntypedef int selemtype;\n\nunsigned int Key[7] = {0x12345678, 0x09101112, 0x13141516, 0x15161718};\n\nvoid tea_encrypt(uint32_t *v, uint32_t *k) {\n    printf("%X %X\\n",v[0],v[1]);\n    uint32_t v0 = v[0], v1 = v[1], sum = 0, i;\n    uint32_t delta = 0x61C88647;\n\n    for (i = 0; i < 16; i++) {\n        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);\n        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);\n        sum -= delta;\n    }\n\n    v[0] = v0;\n    v[1] = v1;\n}\n\nunsigned char Cipher[256] = "flag{unitygame_I5S0ooFunny_Isnotit?????}";\nunsigned int Tmp[4] = {0};\nint main() {\n    unsigned int *p1 = (unsigned int *)(Cipher);\n    unsigned int *p2 = (unsigned int *)(Cipher + 4);\n    printf("%s\\n", Cipher);\n\n    Tmp[0] = *p1, Tmp[1] = *p2;\n    tea_encrypt(Tmp, Key);\n    printf("%X %X\\n", *p1, *p2);\n    *p1 = Tmp[0];\n    *p2 = Tmp[1];\n    for (int i = 2 ; i < strlen((char*) Cipher) \/ 4 ; i += 2 ) {\n        tea_encrypt(Tmp, Key);\n\n        *p1 = Tmp[0];\n        *p2 = Tmp[1];\n\/\/      printf("%X %X\\n", *p1, *p2);\n        unsigned int *p3 = (unsigned int *)(Cipher + i * 4);\n        unsigned int *p4 = (unsigned int *)(Cipher + i * 4 + 4);\n        *p3 ^= *p1;\n        *p4 ^= *p2;\n    };\n    for (int i = 0 ; i < 40 ; i ++ ) {\n        printf("0x%X,", Cipher[i]);\n    }\n\n}<\/code><\/pre>\n
\u5199\u89e3\u5bc6\u903b\u8f91\u5982\u4e0b\uff1a<\/p>\n
#include <cstdio>\n#include <cstring>\n#include <cstdint>\n#include <iostream>\n\nusing namespace std;\n\nunsigned int Key[6] = {0x12345678, 0x09101112, 0x13141516, 0x15161718};\n\nvoid tea_decrypt(uint32_t *v, uint32_t *k) {\n\/\/  printf("%X %X\\n",v[0],v[1]);\n    uint32_t v0 = v[0], v1 = v[1], sum = 0, i;\n    uint32_t delta = 0x61C88647;\n    for (int i = 0 ; i < 16 ; i ++ ) sum -= 0x61C88647;\n    for (i = 0; i < 16; i++) {\n        sum += delta;\n        v1 -= ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);\n        v0 -= ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);\n\n    }\n\n    v[0] = v0;\n    v[1] = v1;\n}\n\nunsigned int Tmp[4] = {0};\n\nint main() {\n    unsigned char EncryptedCipher[45] = {\n0xAF,0x58,0x64,0x40,0x9D,0xB9,0x21,0x67,0xAE,0xB5,0x29,0x4,0x9E,0x86,0xC5,0x43,0x23,0xF,0xBF,0xA6,0xB2,0xAE,0x4A,0xB5,0xC5,0x69,0xB7,0xA8,0x3,0xD1,0xAE,0xCF,0xC6,0x2C,0x5B,0x7F,0xA2,0x86,0x1E,0x1A,   };\n    unsigned int *p1 = (unsigned int *)(EncryptedCipher);\n    unsigned int *p2 = (unsigned int *)(EncryptedCipher + 4);\n    for (int i = 8 ; i >= 2 ; i -= 2) {\n\n        unsigned int *p3 = (unsigned int *)(EncryptedCipher + i * 4);\n        unsigned int *p4 = (unsigned int *)(EncryptedCipher + i * 4 + 4);\n        *p3 ^= *p1;\n        *p4 ^= *p2;\n        puts((char*)EncryptedCipher);\n        Tmp[0] = *p1, Tmp[1] = *p2;\n        tea_decrypt(Tmp, Key);\n        *p1 = Tmp[0], *p2 = Tmp[1];\n\n    }\n    Tmp[0] = *p1, Tmp[1] = *p2;\n    tea_decrypt(Tmp, Key);\n    *p1 = Tmp[0], *p2 = Tmp[1];\n    puts((char*)EncryptedCipher);\n\n}<\/code><\/pre>\n
\u62ff\u5230flag\uff1aflag{unitygame_I5S0ooFunny_Isnotit?????}<\/p>\n
\u81f3\u6b64\u5168\u6587\u5b8c\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
\u524d\u8a00 \u6b63\u503c\u67d0\u6bd4\u8d5b\u51fa\u9898\uff0c\u4e00\u9053\u56f0\u96be\u9898\u4e0d\u77e5\u9053\u8981\u600e\u4e48\u51fa\u624d\u597d\uff0c\u7a81\u7136\u60f3\u8d77\u4e86il2cpp\u5728\u5b89\u5353\u5e73\u53f0\u7684\u52a0\u5bc6\uff0c\u4f46\u662f\u672c\u4eba\u53c8\u4e0d\u592a\u4f1a\u8fd9 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1522","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/posts\/1522","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/comments?post=1522"}],"version-history":[{"count":26,"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/posts\/1522\/revisions"}],"predecessor-version":[{"id":1584,"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/posts\/1522\/revisions\/1584"}],"wp:attachment":[{"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/media?parent=1522"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/categories?post=1522"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/tags?post=1522"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}