{"id":1631,"date":"2025-12-30T09:41:45","date_gmt":"2025-12-30T01:41:45","guid":{"rendered":"https:\/\/swordofmorning.com\/?p=1631"},"modified":"2025-12-30T09:41:45","modified_gmt":"2025-12-30T01:41:45","slug":"reverse-01","status":"publish","type":"post","link":"https:\/\/swordofmorning.com\/index.php\/2025\/12\/30\/reverse-01\/","title":{"rendered":"\u9006\u5411 01 \u63d0\u53d6\u6570\u636e"},"content":{"rendered":"

  \u5047\u8bbe\u6211\u4eec\u73b0\u5728\u6709\u4e00\u4e2a\u5982\u6b64\u7684\u60c5\u666f\uff1a<\/p>\n

    \n
  1. \u6211\u4eec\u6709\u4e00\u4e2a\u6e38\u620f\u91c7\u7528\u4e86U3D\u4f5c\u4e3a\u5f15\u64ce\uff1b<\/li>\n
  2. \u6211\u4eec\u60f3\u8981\u901a\u8fc7Il2CppDumper<\/a>\u6765\u63d0\u53d6\u5176\u6570\u636e\u3002<\/li>\n<\/ol>\n

    \u4e00\u3001\u51c6\u5907\u5de5\u4f5c<\/h2>\n

      \u9996\u5148\uff0c\u6211\u4eec\u9700\u8981\u5728Il2CppDumper<\/a>\u4e2d\u4e0b\u8f7drelease\uff1b\u7136\u540e\u67e5\u770b\u6211\u4eec\u9884\u671f\u9006\u5411\u7684\u6e38\u620f\uff0c\u786e\u4fdd\u5176\u4e2d\u5b58\u5728\uff1a<\/p>\n

      \n
    1. GameAssembly.dll<\/code>\uff0c\u6216\u662f\u5176\u4ed6\u7c7b\u4f3c\u7684\u540d\u79f0\u7684DLL\uff1b<\/li>\n
    2. global-metadata.dat<\/code>\uff0c\u4e00\u822c\u4f4d\u4e8e\\il2cpp_data\\Metadata<\/code>\u4e0b\u3002<\/li>\n<\/ol>\n

        \u5728\u51c6\u5907\u4e86\u4e0a\u8ff0\u5de5\u5177\u4e4b\u540e\uff0c\u6211\u4eec\u53ef\u4ee5\u5c1d\u8bd5\u76f4\u63a5\u8fd0\u884cIl2CppDumper.exe<\/code>\uff0c\u9996\u5148\u9009\u62e9GameAssembly.dll<\/code>\uff0c\u7136\u540e\u9009\u62e9global-metadata.dat<\/code>\u3002\u5982\u679c\u63d0\u53d6\u6210\u529f\u5219\u5b8c\u6210\u4e86\u8fd9\u4e00\u9636\u6bb5\u7684\u4efb\u52a1\uff1b\u5982\u679c\u51fa\u73b0\u62a5\u9519\uff0c\u5219\u8bf4\u660e\u6570\u636e\u53ef\u80fd\u5b58\u5728\u52a0\u5bc6\uff0c\u65e0\u6cd5\u76f4\u63a5\u63d0\u53d6\u3002<\/p>\n

      \u4e8c\u3001\u89e3\u5bc6\u6216\u63d0\u53d6<\/h2>\n

        \u4e0a\u8ff0\u9519\u8bef\u4e00\u822c\u662f\u5bf9global-metadata.dat<\/code>\u52a0\u5bc6\u5bfc\u81f4\u7684\uff0c\u6211\u4eec\u6709\u5982\u4e0b\u4e24\u8005\u65b9\u5f0f\u53ef\u4ee5\u5bf9\u5176\u89e3\u5bc6\uff1a<\/p>\n

        \n
      1. \u4f7f\u7528Il2CppInspector<\/a>\u63d0\u53d6metadata\uff0c\u5982\u679c\u662f\u5e38\u89c1\u7684\u6e38\u620f\uff0c\u4e00\u822c\u4e5f\u6709\u5bf9\u5e94\u7684\u63d2\u4ef6\u53ef\u4ee5\u4f7f\u7528\uff1b<\/li>\n
      2. \u76f4\u63a5\u4ece\u5185\u5b58\u4e2ddump\u51fametadata\u3002<\/li>\n<\/ol>\n

          \u8fd9\u91cc\u6211\u4eec\u76f4\u63a5\u4f7f\u7528\u7b2c\u4e8c\u79cd\u65b9\u5f0f\uff0c\u5c1d\u8bd5\u4ece\u5185\u5b58\u4e2ddump\u3002\u8fd9\u91cc\u6211\u4eec\u9996\u5148\u5728\u5341\u516d\u8fdb\u5236\u4e0b\u67e5\u770bglobal-metadata.dat<\/code>\uff0c\u786e\u4fdd\u5176\u5f00\u5934\u90e8\u5206\u662f\u5982\u6b64\u7684\u5185\u5bb9\uff1a<\/p>\n

        AF 1B B1 FA XX XX XX XX<\/code><\/pre>\n
        \u5176\u4e2d\u524d\u56db\u4f4dAF 1B B1 FA<\/code>\u7528\u4e8e\u5e2e\u52a9\u6211\u4eec\u5b9a\u4f4d\u5185\u5b58\u5730\u5740\uff0c\u540e\u56db\u4f4d\u5219\u662f\u7248\u672c\u53f7\u3002\u6211\u4eec\u4f7f\u7528\u5982\u4e0b\u7684python\u7a0b\u5e8f\u8fdb\u884c\u63d0\u53d6\uff1a<\/p>\n
        # Dump global-metadata.dat from memory\n\nimport pymem\nimport pymem.process\nimport pymem.pattern\nimport os\nimport sys\n\nclass MetadataDumper:\n    def __init__(self, process_name: str, target_size_bytes: int):\n        self.process_name = process_name\n        # Read original size + 1MB to prevent overflow\n        self.dump_size = target_size_bytes + (1 * 1024 * 1024) \n        self.pm = None\n\n    def attach(self):\n        try:\n            self.pm = pymem.Pymem(self.process_name)\n            print(f"[+] Successfully attached to process: {self.process_name} (PID: {self.pm.process_id})")\n        except Exception as e:\n            print(f"[-] Cannot find or attach to process '{self.process_name}'. Please ensure the game is running.")\n            sys.exit(1)\n\n    def scan_and_dump_all(self):\n        print("[*] Starting to scan memory for *all* global-metadata signatures...")\n\n        # Signature: magic number\n        signature = b'\\xAF\\x1B\\xB1\\xFA'\n\n        try:\n            # Key modification: return_multiple=True, find all matches\n            results = pymem.pattern.pattern_scan_all(self.pm.process_handle, signature, return_multiple=True)\n\n            if not results:\n                print("[-] No signature found in memory. Header might be erased or encryption method changed.")\n                return\n\n            print(f"[!] Found {len(results)} potential addresses. Starting extraction...")\n\n            for index, address in enumerate(results):\n                print(f"\\n--- Processing address {index + 1}: {hex(address)} ---")\n                self.dump_to_file(address, index)\n\n        except Exception as e:\n            print(f"[-] Error during scanning: {e}")\n\n    def dump_to_file(self, address, index):\n        try:\n            # Try direct read\n            data = self.pm.read_bytes(address, self.dump_size)\n            self._save(data, index, address)\n\n        except pymem.exception.MemoryReadError:\n            print(f"[-] Address {hex(address)} read failed (Error 299), trying safe read...")\n            self._safe_dump(address, index)\n        except Exception as e:\n            print(f"[-] Unknown error: {e}")\n\n    def _safe_dump(self, start_address, index):\n        buffer = bytearray()\n        chunk_size = 1024 \n        current_addr = start_address\n        bytes_read = 0\n\n        while bytes_read < self.dump_size:\n            try:\n                chunk = self.pm.read_bytes(current_addr, chunk_size)\n                buffer.extend(chunk)\n                current_addr += chunk_size\n                bytes_read += chunk_size\n            except Exception:\n                break\n\n        if len(buffer) > 1024 * 1024: \n            self._save(buffer, index, start_address)\n        else:\n            print("[-] Data too small, skipping save.")\n\n    def _save(self, data, index, address):\n        # Filename includes address for identification\n        filename = f"dump_{index}_{hex(address)}.dat"\n        with open(filename, "wb") as f:\n            f.write(data)\n        print(f"[+] Saved: {filename} (size: {len(data)} bytes)")\n        self._check_if_decrypted(data)\n\n    def _check_if_decrypted(self, data):\n        """\n        Simple heuristic check: look for common plaintext strings\n        """\n        # Check if data contains "UnityEngine" or "System" - common class names\n        # Decrypted Metadata should show many plaintext class names\n        sample = data[:1024 * 1024] # Only check first 1MB\n        if b'UnityEngine' in sample or b'm_scor' in sample or b'System.String' in sample:\n            print(f"    [*] Hint: This file looks like decrypted! (Found plaintext strings)")\n        else:\n            print(f"    [!] Hint: This file still appears to be encrypted\/garbled.")\n\nif __name__ == "__main__":\n    TARGET_PROCESS = "_Program_.exe" \n    # Your original file size\n    ORIGINAL_FILE_SIZE = 32880320 \n\n    dumper = MetadataDumper(TARGET_PROCESS, ORIGINAL_FILE_SIZE)\n    dumper.attach()\n    dumper.scan_and_dump_all()<\/code><\/pre>\n
        \u8fd9\u91cc\u6709\u4e24\u4e2a\u8981\u70b9\uff1a<\/p>\n
          \n
        1. \u5c06TARGET_PROCESS<\/code>\u66ff\u6362\u6210\u5bf9\u5e94\u7684\u8fdb\u7a0b\u540d\uff1b<\/li>\n
        2. \u6dfb\u52a0\u4e00\u4e2aORIGINAL_FILE_SIZE<\/code>\u7528\u4e8e\u63a7\u5236\u6587\u4ef6\u5927\u5c0f\u3002<\/li>\n<\/ol>\n
            \u5728Dump\u4e4b\u540e\uff0c\u6211\u4eec\u5f97\u5230\u7684\u6587\u4ef6\u5927\u5c0f\u5f80\u5f80\u548c\u539f\u59cb\u6587\u4ef6\u5bf9\u4e0d\u4e0a\uff0c\u73b0\u5728\u6211\u4eec\u5bf9\u9f50\u8fdb\u884c\u624b\u52a8\u4fee\u7406\uff1a<\/p>\n
            \n
          1. \u786e\u4fdd\u6587\u4ef6\u957f\u5ea6\u548c\u539fmetadata\u6587\u4ef6\u4e00\u81f4(\u5220\u9664\u6587\u4ef6\u672b\u5c3e\u591a\u4f59\u76840x00<\/code>)\uff1b<\/li>\n
          2. \u786e\u4fdd\u7248\u672c\u53f7\u662f\u6b63\u5e38\u7684(\u6211\u8fd9\u91cc\u9009\u62e9\u5c06\u5176\u8c03\u6574\u4e3a18 00 00 00<\/code>)\u3002<\/li>\n<\/ol>\n
            \u5728\u5b8c\u6210\u4e86\u4e0a\u8ff0\u4e24\u9879\u64cd\u4f5c\u540e\uff0c\u6211\u4eec\u5c06dump.dat<\/code>\u548c\u539f\u6765\u7684global-metadata.dat<\/code>\u5bf9\u6bd4\u68c0\u67e5\uff1a<\/p>\n
              \n
            1. \u6587\u4ef6\u957f\u5ea6\u90fd\u662f1F5B6BF<\/code>\uff1b<\/li>\n
            2. \u6587\u4ef6\u7684Magic Number\u90fd\u662fAF 1B B1 FA<\/code>\uff1b<\/li>\n
            3. \u6587\u4ef6\u7684\u7248\u672c\u53f7\u4fee\u8ba2\u4e3a18 00 00 00<\/code>\u3002<\/li>\n<\/ol>\n
              \u4e09\u3001\u63d0\u53d6<\/h2>\n
                \u5b8c\u6210\u4e86(\u4e8c)\u4e2d\u7684\u4fee\u6539\u4e4b\u540e\uff0c\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7Il2CppDumper<\/a>\u63d0\u53d6\u5176\u6570\u636e\u3002\u63d0\u53d6\u540e\u7684\u6570\u636e\u5176\u4e2d\u4e3b\u8981\u5173\u6ce8\uff1a<\/p>\n
                \n
              1. DummyDll\/Assembly-CSharp.dll<\/code>\uff0c\u5305\u542b\u4e86\u6e38\u620f\u4e2dC#\u51fd\u6570\u7684\u5185\u5b58\u504f\u79fb\uff1b<\/li>\n
              2. script.json<\/code>\uff0c\u5982\u679c\u91c7\u7528\u4e86xLua<\/code>\u7b49\u811a\u672c\uff0c\u4e00\u822c\u5728\u8fd9\u91cc\u67e5\u770b\u3002<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"
                  \u5047\u8bbe\u6211\u4eec\u73b0\u5728\u6709\u4e00\u4e2a\u5982\u6b64\u7684\u60c5\u666f\uff1a \u6211\u4eec\u6709\u4e00\u4e2a\u6e38\u620f\u91c7\u7528\u4e86U3D\u4f5c\u4e3a\u5f15\u64ce\uff1b \u6211\u4eec\u60f3\u8981\u901a\u8fc7Il2CppDumper …<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[346],"tags":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/swordofmorning.com\/index.php\/wp-json\/wp\/v2\/posts\/1631"}],"collection":[{"href":"https:\/\/swordofmorning.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/swordofmorning.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/swordofmorning.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/swordofmorning.com\/index.php\/wp-json\/wp\/v2\/comments?post=1631"}],"version-history":[{"count":1,"href":"https:\/\/swordofmorning.com\/index.php\/wp-json\/wp\/v2\/posts\/1631\/revisions"}],"predecessor-version":[{"id":1632,"href":"https:\/\/swordofmorning.com\/index.php\/wp-json\/wp\/v2\/posts\/1631\/revisions\/1632"}],"wp:attachment":[{"href":"https:\/\/swordofmorning.com\/index.php\/wp-json\/wp\/v2\/media?parent=1631"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/swordofmorning.com\/index.php\/wp-json\/wp\/v2\/categories?post=1631"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/swordofmorning.com\/index.php\/wp-json\/wp\/v2\/tags?post=1631"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}