DUMP !!! Solve: Hot-update/hot-fix Unity 3D game can't be dumped fully


Question

Posted

My purpose:

Dumping the game to get the dump.cs, which includes all class names, fields, methods and, most importantly, the "offsets" etc., so that certain memory hacks (or scripts) can be made.

My question:

When a game uses hot-update, e.g. via HybridCLR, the normal dump method using Il2CppDumper (whether on Android or Windows, or using Zygisk etc.) cannot dump the FULL file. Here "normal dump method" means the three methods below:

1. Extract the game APK file, get the "global-metadata.dat" file and the "IL2cpp.so" file, then dump.

2. Use GG in game memory to directly export the "global-metadata.dat" memory to a *****.bin file (then rename it to global-metadata.dat) and the "IL2cpp.so" memory to a *****.bin file, then dump.

3. Use GG in game memory via the magic values (464C457Fh - il2cpp / FAB11BAFh - metadata) to export the "global-metadata.dat" file and the "IL2cpp.so" file, then dump.

We cannot dump fully, because when a game uses hot-update, the injected "hotfix.dll" (for example) is normally separate from the original files, and the new information contained in the "hotfix.dll" is not in the original il2cpp.so file. As a result, we cannot get any useful info when using the normal dump method.

One solution:

Use GG in game memory by putting in the DOS/PE header letters "MZ" (magic head in decimal 9460301), and export all the C# DLL files to *****.bin files. Then use the "get_dll_from_dumped_bin.exe" tool to convert all the *****.bin files you exported from the running game to *****.bin files. We can find the "hotfix.bin" (maybe a different name) file. You can use dnSpy or another similar tool to check. All the information we need is inside.

MY FINAL QUESTION:

After we get the "hotfix.bin" file, how can we dump it to get the dump.cs? I mean, how can we get the in-game memory class, field, method and, most importantly, offset?
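The magic-value scan that the question performs by hand in GG (ELF, global-metadata.dat and "MZ" headers) can also be run as a forensic carving check over a dump file that you already hold. The script below is an added example, not the poster's code and not part of any tool named in the thread; the dump it scans is constructed inline, and it verifies the PE signature behind each "MZ" so that stray "MZ" text in a dump is not mistaken for a DLL.

```python
import struct

# Magic dwords from the thread, as GG displays them, converted to the byte order they have in memory:
# 464C457Fh -> 7F 45 4C 46 ("\x7fELF"), FAB11BAFh -> AF 1B B1 FA (global-metadata.dat sanity value),
# 9460301 (0x905A4D) -> 4D 5A 90 ("MZ\x90", the usual start of a PE/.NET DLL's DOS stub).
ELF_MAGIC = struct.pack("<I", 0x464C457F)
METADATA_MAGIC = struct.pack("<I", 0xFAB11BAF)
PE_MAGIC = struct.pack("<I", 9460301)[:3]


def _pe_valid(blob, off):
    """Follow e_lfanew (DOS header offset 0x3C) and require the 'PE\\0\\0' signature there."""
    if off + 0x40 > len(blob):
        return False
    pe_off = off + struct.unpack_from("<I", blob, off + 0x3C)[0]
    return blob[pe_off:pe_off + 4] == b"PE\0\0"


def carve_headers(blob):
    """Return sorted (offset, kind, detail) tuples for every plausible header in the dump."""
    hits = []
    for magic, kind in ((ELF_MAGIC, "elf"), (METADATA_MAGIC, "metadata"), (PE_MAGIC, "pe")):
        pos = blob.find(magic)
        while pos != -1:
            if kind == "pe" and _pe_valid(blob, pos):
                hits.append((pos, kind, "PE signature ok"))
            elif kind == "elf" and pos + 5 <= len(blob) and blob[pos + 4] in (1, 2):
                hits.append((pos, kind, f"class={blob[pos + 4]}"))  # EI_CLASS: 1 = 32-bit, 2 = 64-bit
            elif kind == "metadata" and pos + 8 <= len(blob):
                # Il2CppGlobalMetadataHeader stores a 32-bit version right after the sanity value
                hits.append((pos, kind, f"version={struct.unpack_from('<I', blob, pos + 4)[0]}"))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)


def build_sample_dump():
    """Constructed sample 'dump': padding, a minimal DOS+PE header, an ELF64 header stub,
    a global-metadata.dat header, and a decoy 'MZ' string with no PE signature behind it."""
    dos = bytearray(0x40)
    dos[0:3] = b"MZ\x90"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: PE signature right after the DOS header
    pe = bytes(dos) + b"PE\0\0" + b"\x64\x86"         # Machine = AMD64; nothing more is needed here
    elf = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9   # ELFCLASS64, little-endian, EV_CURRENT
    meta = struct.pack("<II", 0xFAB11BAF, 29)         # version 29 is a constructed value
    decoy = b"MZ\x90 decoy text with no PE signature"
    return b"\0" * 16 + pe + b"\xcc" * 8 + elf + b"\0" * 8 + meta + b"\0" * 4 + decoy


if __name__ == "__main__":
    for off, kind, detail in carve_headers(build_sample_dump()):
        print(f"0x{off:08x} {kind:9s} {detail}")
```

Replace build_sample_dump() with the bytes of an exported *****.bin to list every header it contains; a hit is only a candidate, since the real DLL still has to be cut out at that offset and checked in dnSpy as the post describes.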


2 answers to this question

Posted

Some updates so far...

I kept learning the basics of IL2CPP and Unity 3D HOTFIX projects, which led me to understand more about the hotfix process, especially the CLR running mechanism, which is exactly what I was asking about with the HybridCLR hot-update method.

It turns out that we cannot dump the injected "hotfix.dll" file (this is the correct one, I mistyped above) with memory offsets, because all the functions are running on the CLR in real time.

There is a simple way to figure out whether it is using the CLR: use the reverse-lookup Lua script to check the namespace, class, field, etc. You will find it weird, like most offsets are the same.

One solution (I am going this way now):

Get the hotfix.dll out as I mentioned above. Search for the right class, field, function, etc., which can then be used in GameGuardian hacking and Frida hooks. I am still learning how to reach the next steps.

Posted (edited)
On 1/5/2024 at 4:23 PM, ryanhn717 said:

    There is a simple way to figure out whether it is using the CLR: use the reverse-lookup Lua script to check the namespace, class, field, etc. You will find it weird, like most offsets are the same.

I actually just figured it out last night: even if the game is hot-fixed, all the field offsets work normally in memory. "Normally" means we can get the correct field offsets as we do in other games without hotfix. So it is not like what I mentioned above. The reason for "You will find it weird like most offset are the same" is simply that I used the "tools". If we check the field structure, we can get the correct offsets.


Edited by ryanhn717
add one more picture
