
[Frida practice] "one line" code teaches you to obtain all Lua scripts in wegame platform

2022-07-07 09:40:00 Night owls chasing dreams

Reading guide

Development environment

Component          Version
Operating system   Windows 11 21H2, build 22000.588
Python             3.7.1
frida.exe          15.0.18

Preliminary knowledge

luaL_loadbuffer

Function prototype (https://www.lua.org/manual/5.1/manual.html#luaL_loadbuffer):

int luaL_loadbuffer (lua_State *L,          // Lua state handle
                     const char *buff,      // Lua script
                     size_t sz,             // size of the script in bytes
                     const char *name);     // chunk name (analysis shows that WeGame passes the file name here)

Loads the buffer as a Lua chunk. The function uses lua_load to load the chunk in the buffer that buff points to; name is the chunk name, used for debug information and error messages.

WeGame uses Lua51.dll, which exports the two functions luaL_loadbuffer and luaL_loadbufferx. From IDA analysis one can guess that luaL_loadbufferx merely has one more parameter, a5, than luaL_loadbuffer; the other parameters are the same.

Frida Interceptor

The attach function of frida's Interceptor module has the prototype Interceptor.attach(target, callbacks[, data]) and hooks the function at target. A brief look at the parameters:

  • target: a NativePointer giving the address of the function whose calls you want to intercept. Module.getExportByName() returns an executable's export as such a pointer, and frida handles the rest.
  • callbacks: as the name suggests, the set of hook callbacks; it holds one callback run before the hooked function and one run after it.
    • onEnter(args): args is the hooked function's argument array, each element a NativePointer. Here you can read the argument values, or tamper with them.
    • onLeave(retval): called after the target function has run; retval is a NativePointer holding the target function's return value, and modifying what it points to achieves the purpose of the hook.
  • data: optional, ignored for now.

Example :

Interceptor.attach(Module.getExportByName('libc.so', 'read'), {
  onEnter(args) {
    this.fileDescriptor = args[0].toInt32();

    // this carries the invocation context: registers (context), return address (returnAddress), thread ID (threadId), etc.
    console.log('Context information:');
    console.log('Context : ' + JSON.stringify(this.context));
    console.log('Return : ' + this.returnAddress);
    console.log('ThreadId : ' + this.threadId);
    console.log('Depth : ' + this.depth);
    console.log('Errornr : ' + this.err);
  },
  onLeave(retval) {
    if (retval.toInt32() > 0) {
      /* do something with this.fileDescriptor */
    }
  }
});

ps: callbacks is an object; in frida's implementation it is filled with the context information at initialization time, which is why this gives access to context, returnAddress, threadId and the rest.

ps2: I used to be puzzled over how a variable created in onEnter could be used in onLeave; in fact it works directly through this, as in this.tempVal = 333;. It is all just basic JS understanding and use.

Creating a directory with NativeFunction

frida calls a DLL function by creating a function object with NativeFunction, setting the corresponding parameter and return-value types.

This article uses the WinExec function to run the mkdir command of cmd to create the directory; see the code below for the implementation.

ps: the C function system can also be used; its prototype is as follows:

Analysis method

Starting WeGame suspended

To make sure every Lua chunk is hooked, WeGame must be started in a suspended state: the command frida -f <full path to the application> spawns the target process and leaves it suspended. Command-line example:

D:\Python\Python371\Scripts\frida.exe -f "G:\Program Files (x86)\WeGame\wegame.exe"

WeGame needs administrator privileges to start; otherwise it fails to start with error 0x000002e4.

Hooking luaL_loadbufferx and saving every Lua script

var fnWinExec = new NativeFunction(
    Module.findExportByName('Kernel32.dll', 'WinExec'),
    'int',
    ['pointer', 'int'],
    'stdcall'
);

// Run a command line through WinExec (used only to create the dump directory)
function ez_fnWinExec(jsStr) {
    console.log('ez_fnWinExec: ', jsStr);
    var cStrPointer = Memory.allocUtf8String(jsStr);
    fnWinExec(cStrPointer, 0);   // 0 == SW_HIDE: no console window
}

Interceptor.attach(Module.getExportByName('Lua51.dll', 'luaL_loadbufferx'), {
    onEnter(args) {
        // Array destructuring does not work on args (it is not a real JS array):
        // var [L, buff, sz, name] = args;
        var buff = args[1];
        var sz = args[2];
        var name = args[3];
        if (name.isNull()) {
            return;   // chunk without a name: nothing to name the file after
        }
        var chunkName = name.readCString();
        console.log(chunkName, sz.toInt32(), buff);

        // Skip anything that is not a .lua file
        if (!chunkName.endsWith('.lua')) {
            return;
        }

        var pth = 'D:\\_TMP\\wegame\\' + chunkName;
        // Create the (possibly multi-level) folder
        var dir_ = pth.substr(0, pth.lastIndexOf('\\') + 1);
        ez_fnWinExec('cmd.exe /c mkdir ' + dir_);
        // Save the script bytes
        var f = new File(pth, 'wb');
        var data = buff.readByteArray(sz.toInt32());
        f.write(data);
        f.close();
    },
    onLeave(retval) {
    }
});

At first I thought the WinExec function would not be needed and that, after some trimming, it could be written as "one line" of code. Later I found multi-level directories, which you have to create yourself, and that added a pile of code...
So it is no longer implemented in "one line" of code.
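The procedure above (spawn WeGame suspended, hook luaL_loadbufferx, keep only the .lua chunks, write them under D:\_TMP\wegame) can also be driven from the Python side of frida rather than from inside the agent. The script below is an added example, not the post's own code: the agent forwards each chunk to the host over frida's send() channel and Python writes it to disk, so no WinExec/cmd.exe call is needed, and the chunk name, which is untrusted input coming from the instrumented process, is checked for absolute paths and ".." components before it is turned into a file path. It also tells precompiled chunks (ESC 'L' 'u' 'a' header) apart from source text, since luaL_loadbuffer accepts both. The helper names (AGENT_JS, safe_dump_path, handle_chunk, classify_chunk) are this example's own; the module, export and paths are the ones the post uses.

```python
"""Host-side Frida dumper for Lua chunks loaded through luaL_loadbufferx.

Added example (not the original post's script). The agent sends every chunk
to this Python process with send(); the host validates the chunk name and
writes the bytes under DUMP_DIR. Names below are this example's own.
"""
import os
import sys

MODULE_NAME = "Lua51.dll"                                   # from the post
EXPORT_NAME = "luaL_loadbufferx"                            # from the post
TARGET_EXE = r"G:\Program Files (x86)\WeGame\wegame.exe"    # path used in the post
DUMP_DIR = r"D:\_TMP\wegame"                                # path used in the post

LUA_BYTECODE_SIGNATURE = b"\x1bLua"   # first four bytes of a precompiled Lua chunk

# Agent script (JavaScript, runs inside the target). Same hook as the post, but
# the buffer is handed to the host instead of being written from the agent.
AGENT_JS = r"""
Interceptor.attach(Module.getExportByName('%s', '%s'), {
  onEnter(args) {
    var name = args[3];
    if (name.isNull()) { return; }
    var size = args[2].toInt32();
    if (size <= 0) { return; }
    send({ type: 'chunk', name: name.readUtf8String(), size: size },
         args[1].readByteArray(size));
  }
});
""" % (MODULE_NAME, EXPORT_NAME)


def classify_chunk(data: bytes) -> str:
    """luaL_loadbuffer accepts source text or precompiled bytecode; a binary
    chunk starts with ESC 'L' 'u' 'a'."""
    return "bytecode" if data.startswith(LUA_BYTECODE_SIGNATURE) else "source"


def safe_dump_path(base_dir: str, chunk_name: str):
    """Map a chunk name reported by the target onto a path inside base_dir.

    The name is untrusted (it comes from the instrumented process), so absolute
    paths, drive letters and '..' components are rejected instead of being
    spliced into a cmd.exe command line. Returns None when the name is rejected.
    """
    name = chunk_name.lstrip("@=")          # Lua's file / custom chunk-name prefixes
    name = name.replace("\\", "/")
    if not name or name.startswith("/") or ":" in name:
        return None
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or any(p == ".." for p in parts):
        return None
    return os.path.join(base_dir, *parts)


def handle_chunk(message: dict, data: bytes, base_dir: str):
    """frida message callback: persist one chunk. Returns the written path or None."""
    if message.get("type") != "send":
        return None                          # agent errors and other messages
    payload = message.get("payload") or {}
    if payload.get("type") != "chunk" or not data:
        return None
    chunk_name = str(payload.get("name", ""))
    if not chunk_name.endswith(".lua"):      # same filter as the post
        return None
    path = safe_dump_path(base_dir, chunk_name)
    if path is None:
        return None
    if classify_chunk(data) == "bytecode":
        path += ".luac"                      # keep bytecode apart from source text
    os.makedirs(os.path.dirname(path), exist_ok=True)   # creates multi-level dirs
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def main(argv):
    import frida   # imported here so the helpers above work without frida installed
    device = frida.get_local_device()
    pid = device.spawn([argv[1] if len(argv) > 1 else TARGET_EXE])  # spawned suspended
    session = device.attach(pid)
    script = session.create_script(AGENT_JS)
    script.on("message", lambda msg, dat: print(handle_chunk(msg, dat, DUMP_DIR)))
    script.load()
    device.resume(pid)   # only now does WeGame start running
    sys.stdin.read()     # keep the session alive until stdin closes


if __name__ == "__main__":
    main(sys.argv)
```

Run it as python dump_lua.py (optionally with the executable path as the first argument) from an administrator prompt, which the post notes WeGame requires. Because frida is imported inside main(), the path and message helpers can be exercised on their own, without frida installed or a target running.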


**ps:** The content of this article is for technical exchange only; do not use it for illegal activities.

Original site

Copyright notice
This article was written by [Night owls chasing dreams]; when reposting, please include the original link. Thank you.
https://yzsam.com/2022/188/202207070658142450.html