当前位置：首页 > news >正文

逆向 | 逃离鸭科夫 unity mono游戏hook

news 2026/5/11 21:35:45

逆向 | 逃离鸭科夫 unity mono游戏hook

依旧是处理上一个博客的问题，这次直接用扫内存提jit的方式来找到目标函数，然后进行hook。
之后做详细视频发b站，这里就贴个代码。
好久不手搓硬编码和inlinehook犯了好多错，整个思路一团混乱，不过总算是最后弄对了，下次就思路清晰了。
依旧是frida来操作，方便。
不能信AI的代码，要自己去校验段protect，可能会有问题，AI会想当然的传参数然后没有成功获取到段执行权限（破口大骂）。

P.S.cheatengine的mono功能可以很好的利用，非常好使！事半功倍！！

py:

from __future__ import print_function    # 这里__future__的目的是引入新版本特性
import frida
import sys
import threadingimport timesession = frida.attach('Duckov.exe')# ---------------------------------------------old ver
# 读取js脚本
# with open('hook.js', 'r', encoding='utf-8') as f:
# 	js_hook = f.read()# script = session.create_script(js_hook)# def add_hp(args):
# 	while 1:
# 		time.sleep(5)
# 		print('call add hp')
# 		script.exports.addhp()# t1 = threading.Thread(target=add_hp, args=(0,)) 
# def on_message(message,data):
#     print(message)
# script.on('message', on_message)
# script.load()
# t1.start()
# sys.stdin.read()
# -----------------------------------------------with open('hook_new.js', 'r', encoding='utf-8') as f:js_hook = f.read()
script = session.create_script(js_hook)def on_message(message,data):print(message)
script.on('message', on_message)
script.load()
sys.stdin.read()

js:

function hexToLittleEndianBytes(hexStr) {// 1. 移除0x前缀，确保只保留十六进制字符const pureHex = hexStr.replace(/^0x/i, '');// 2. 补全偶数位（十六进制字符串长度必须为偶数，才是完整字节）const evenHex = pureHex.length % 2 === 1 ? '0' + pureHex : pureHex;// 3. 小端序：从字符串末尾（低位）开始，每2个字符取1字节const bytes = [];for (let i = evenHex.length - 2; i >= 0; i -= 2) {// 截取2个字符（注意：substring(start, end)，end是排他的）const byteHex = evenHex.substring(i, i + 2);// 转换为十进制字节值（0-255）const byteValue = parseInt(byteHex, 16);bytes.push(byteValue);}return bytes;
}function scan(pattern) {const locations = new Set();// console.log(Process.enumerateMallocRanges())console.log("-----start scan-----")var sections = Process.enumerateRanges("rwx")console.log(sections)console.log("----------")for (const r of sections) {console.log(`${r.base} : ${r.size} : ${r.protection} : ${r.file}`)for (const match of Memory.scanSync(r.base, r.size, pattern)) {locations.add(match.address.toString());}}var matches = Array.from(locations).map(ptr);console.log('Found', matches.length, 'matches');console.log(matches)return matches
}// Health.hurt函数
var Health_hurt_func = scan('55 48 8B EC 48 81 EC 90 06 00 00 48 89 5D C8')[0]
console.log(Health_hurt_func)// 手搓inlinehook
const codeSize = 1024;
const codeMemory = Memory.alloc(codeSize);
Memory.protect(codeMemory, codeSize, "rwx");
var codeMemoryBytes = hexToLittleEndianBytes(codeMemory.toString());
var Health_hurt_funcBytes = hexToLittleEndianBytes(Health_hurt_func.add(15).toString());var codeBuffer = [0x52,
0x48,0x8b,0x51,0x50,
0x83,0xfa,0x00,
0x75,0x07,
0x5a,
0x48,0xc7,0xc0,0x01,0x00,0x00,0x00,
0xc3,
0x5a,
0x55,
0x48,0x8b,0xec,
0x48,0x81,0xec,0x90,0x06,0x00,0x00,
0x48,0x89,0x5d,0xc8,
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0xff,0xe0]
// 修改跳转地址
for (let _i = 0; _i < Health_hurt_funcBytes.length; _i ++){codeBuffer[37+_i] = Health_hurt_funcBytes[_i]
}
console.log(codeBuffer)
codeMemory.writeByteArray(codeBuffer)   // 注入代码
console.log(`inject code addr: ${codeMemory}`)
console.log(codeMemory.toString())// 修改hook地址
//修改原函数
var jmp_code = [
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0xff,0xe0
]
for (let _j = 0; _j < codeMemoryBytes.length; _j ++){jmp_code[2+_j] = codeMemoryBytes[_j]
}
console.log(jmp_code)
// 启动hook
Health_hurt_func.writeByteArray(jmp_code)/*
思路：
0x52,
0x48,0x8b,0x51,0x50,
0x83,0xfa,0x00,
0x75,0x07,
0x5a,
0x48,0xc7,0xc0,0x01,0x00,0x00,0x00,
0xc3,
0x5a,
0x55,
0x48,0x8b,0xec,
0x48,0x81,0xec,0x90,0x06,0x00,0x00,
0x48,0x89,0x5d,0xc8,
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0xff,0xe0---
0x52,                       push rdx
0x48,0x8b,0x51,0x50,           mov rdx, [rcx+50]
0x83,0xfa,0x00,            cmp edx, 0
0x75,0x09,                 jne $9
0x5a,             pop rdx
0x48,0xc7,0xc0,0x01,0x00,0x00,0x00,        mov rax, 1
0xc3,                ret
0x5a,              pop rdx
0x55,               push rbp // yuan函数开头
0x48,0x8b,0xec,         mov rbp, rsp
0x48,0x81,0xec,0x90,0x06,0x00,0x00,
0x48,0x89,0x5d,0xc8,                    // 共15个字节
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, //跳回去mov rax, 0xxxxxxxxxxxx
0xff,0xe0           jmp rax
------------------------
var jmp_code = [
0x48,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0xff,0xe0
]*/// var origin_code = Health_hurt_func.readByteArray(15)// hook不好返回
// Interceptor.attach(ptr(Health_hurt_func),{
//     onEnter: function(args){
//         console.log('[*] Health_hurt_func !!!')
//         var _rcx = this.context.rcx
//         var team = _rcx.add(0x50).readU64()
//         console.log(`team: ${team}`)
//         if (team == 0x100000000){
//             console.log("is player!")
//             // args.returnValue = 1
//             this.context.rax = ptr("0")
//             this.return()
//         }
//         console.log("\n-----------------------\n")
//     },
//     // onLeave: function(retval){
//     //     console.log("retval: "+retval)
//     // }
// });

查看全文

http://www.jsqmd.com/news/37042/