当前位置:网站首页>[Frida practice] "one line" code teaches you to obtain all Lua scripts in wegame platform
[Frida practice] "one line" code teaches you to obtain all Lua scripts in wegame platform
2022-07-07 09:40:00 【Night owls chasing dreams】
List of articles
Reading guide
development environment
Version number | describe | |
---|---|---|
operating system | Win11-21H2 | Internal version number 22000.588 |
Python | Python3.7.1 | |
frida.exe | 15.0.18 | |
Preliminary knowledge
luaL_loadbuffer
The function prototype (https://www.lua.org/manual/5.1/manual.html#luaL_loadbuffer):
int luaL_loadbuffer (lua_State *L, // Lua Handle
const char *buff, // lua Script
size_t sz, // lua Number of script bytes
const char *name); // Mark ( Through analysis, we can find that here is the file name )
Load the buffer as Lua block . This function is used to load lua_load The block in the buffer pointed to . name Is the block name , For debugging information and error messages .
WeGame Is used in Lua51.dll, It exports two functions luaL_loadbuffer
and luaL_loadbufferx
, adopt IDA Analysis can guess ,luaL_loadbufferx
Just compare luaL_loadbuffer
Multiple parameters a5
, The other parameters are the same .
frida Interceptor Interceptor
frida Of Interceptor Module ,attach The function prototype is Interceptor.attach(target, callbacks[, data])
, Realize the parameter target
Conduct hook The operation of , The following is a simple parameter analysis :
target:
This is a NativePointer, Specify the address of the function you want to block calls . We can go throughModule.getExportByName()
To get the export function of the executable file as this parameter ,frida Automatic processing .callbacks:
seeing the name of a thing one thinks of its function , This is a hook Collection of callback functions for , It contains hook Before and hook The last two callback functions .onEnter(args):
Parameters of the callback function args by hook The parameter array of the function , Each parameter is aNativePointer
object , We can get parameter information here , Or tamper with the parameter content .onLeave(retval):
The call is completedObjective function
After treatment , Parametersretval
It's aNativePointer
object , yesObjective function
The return value of , We can modify the pointer content to hook Purpose .
data:
Optional parameters , Ignore... For the time being .
Example :
Interceptor.attach(Module.getExportByName('libc.so', 'read'), {
onEnter(args) {
this.fileDescriptor = args[0].toInt32();
// this Context information : Contains register information context、 Return value address returnAddress、 Threads ID threadId etc.
console.log('Context information:');
console.log('Context : ' + JSON.stringify(this.context));
console.log('Return : ' + this.returnAddress);
console.log('ThreadId : ' + this.threadId);
console.log('Depth : ' + this.depth);
console.log('Errornr : ' + this.err);
},
onLeave(retval) {
if (retval.toInt32() > 0) {
/* do something with this.fileDescriptor */
}
}
});
ps: callbacks It's an object ,frida In the implementation , At initialization time , Fill the object
Context information
, This is why this You can visitcontext、returnAddress、threadId
These content .
ps2: I've been tangled up before
onEnter
Variables generated in , How theonLeave
Use in , Actually, directly through this That's all right.this.tempVal=333;
. It's all right js Basic understanding and application of .
NativeFunction Create directory
frida call dll function , adopt NativeFunction
Create a function object , Set the parameters and return values of the response .
This article USES WinExec
The function is called cmd In the command mkdir
Directive to create a directory , See the following code for the specific implementation .
ps: You can also use c Function
system
, Its prototype is as follows :
Analysis methods
Suspend startup WeGame
In order to ensure hook be-all lua, Need to suspend startup WeGame, Use command frida -f Application full path
You can suspend and start the target process , Command line example :
D:\Python\Python371\Scripts\frida.exe -f "G:\Program Files (x86)\WeGame\wegame.exe"
WeGame Administrator permission is required to start , Otherwise it will be reported 0x000002e4
The startup of failed error .
hook function luaL_loadbufferx Save all js
var fnWinExec = new NativeFunction(
Module.findExportByName('Kernel32.dll', 'WinExec'),
'int',
['pointer', 'int'],
'stdcall'
);
function ez_fnWinExec(jsStr) {
console.log( 'ez_fnWinExec: ', jsStr );
var cStrPointer = Memory.allocUtf8String(jsStr);
fnWinExec(cStrPointer, 0);
}
Interceptor.attach(Module.getExportByName('Lua51.dll', 'luaL_loadbufferx'), {
onEnter(args) {
// Array deconstruction assignment is not allowed !!!
// var [_,a,b]=[0,1,3]
// var [L, buff, sz, name] = args;
var buff = args[1];
var sz = args[2];
var name = args[3];
console.log( name.readCString(), sz.toInt32(), buff );
// Filter non lua file
if (!name.readCString().endsWith('.lua')){
return;
}
var pth = 'D:\\_TMP\\wegame\\' + name.readCString();
// Create folder
var dir_ = pth.substr(0, pth.lastIndexOf('\\')+1);
ez_fnWinExec('cmd.exe /c mkdir '+ dir_);
// Save the file
var f = new File(pth, 'wb');
var data = buff.readByteArray(sz.toInt32());
f.write(data);
f.close();
},
onLeave(retval) {
}
});
At first, I thought that there was no need to call functions
WinExec
, After optimization, it can be written as “ a line ” Code , Later, I found multilevel directories , You have to create your own directory , Add a pile of code ...
therefore , It is no longer “ a line ” The code implements .
Reference material
- [frida] 00_ Brief introduction and use https://blog.csdn.net/kinghzking/article/details/123225580
- Lua Introduction to game reverse and cracking methods https://blog.csdn.net/liujiayu2/article/details/81942010
- qq Group : Night owl dream chasing technology exchange skirt /953949723
**ps:** The content in this article is only used for technical exchange , Do not use for illegal activities .
边栏推荐
猜你喜欢
[4g/5g/6g topic foundation-146]: Interpretation of white paper on 6G overall vision and potential key technologies-1-overall vision
flex弹性布局
Information Security Experiment 4: implementation of IP packet monitoring program
Using JWT to realize login function
其实特简单,教你轻松实现酷炫的数据可视化大屏
Jmeters use
Loxodonframework quick start
網易雲微信小程序
How to speed up video playback in browser
MongoDB怎么实现创建删除数据库、创建删除表、数据增删改查
随机推荐
如何成为一名高级数字 IC 设计工程师(1-6)Verilog 编码语法篇:经典数字 IC 设计
Unity shader (learn more about vertex fragment shaders)
華為HCIP-DATACOM-Core_03day
Variable parameter of variable length function
NETCORE 3.1 solves cross domain problems
第一讲:鸡蛋的硬度
沙龙预告|GameFi 领域的瓶颈和解决方案
VSCode+mingw64
【frida实战】“一行”代码教你获取WeGame平台中所有的lua脚本
liunx命令
基于智慧城市与储住分离数字家居模式垃圾处理方法
Interface test API case, data and interface separation
Elaborate on MySQL mvcc multi version control
H5网页播放器EasyPlayer.js如何实现直播视频实时录像?
Schema-validation: wrong column type encountered in column XXX in table XXX
进程间的通信方式
数据建模中利用3σ剔除异常值进行数据清洗
Vs2013 generate solutions super slow solutions
How to use clipboard JS library implements copy and cut function
Unittest simple project