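def find_first_instr(addr, instr):
    """Walk a chain of back-references from ``addr`` until an instruction
    whose disassembly text contains ``instr`` is found.

    Each step replaces the current address with ``idc.RfirstB`` of it (IDA's
    first code reference *to* that address), so only one chain of
    callers/jumpers is followed — sibling references are not explored.

    Returns the matching address, or ``None`` when ``idc.BADADDR`` is
    reached, an address repeats (reference cycle), or ``idc.GetDisasm``
    yields ``None``.
    """
    current = addr
    # Reference cycles are possible in a binary; remember what we have
    # visited so a cycle ends the walk instead of looping forever.
    visited = set()
    while current != idc.BADADDR and current not in visited:
        visited.add(current)
        disasm = idc.GetDisasm(current)
        if disasm is None:
            return None
        # Plain substring match on the disassembly text.
        if instr in disasm:
            return current
        current = idc.RfirstB(current)
    return None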
def get_resolve():
    """Locate the il2cpp::vm::InternalCalls::Resolve implementation.

    Looks up ``_ZN6il2cpp2vm13InternalCalls7ResolveEPKc`` and scans the
    code references to it for the address named
    ``__ZN6il2cpp2vm13InternalCalls7ResolveEPKc`` (double underscore).
    NOTE(review): the two spellings presumably distinguish a stub/import
    from the real function (an extra leading underscore is typical of
    Mach-O symbol naming) — confirm against the target binary.

    Returns that address, or ``idc.BADADDR`` when no reference carries the
    expected name.
    """
    # il2cpp::vm::InternalCalls::Resolve
    target = idc.LocByName('_ZN6il2cpp2vm13InternalCalls7ResolveEPKc')
    wanted = '__ZN6il2cpp2vm13InternalCalls7ResolveEPKc'

    ref = idc.RfirstB(target)
    while ref != idc.BADADDR:
        if idc.Name(ref) == wanted:
            return ref
        ref = idc.RnextB(target, ref)

    return idc.BADADDR
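def analyze_invoke_unityengine():
    """Run ``analyze_invoke`` on every code reference to
    il2cpp::vm::InternalCalls::Resolve (as located by ``get_resolve``).

    Prints the resolved address and name, then walks the back-references
    to it. Does nothing when ``get_resolve`` returns ``idc.BADADDR``.
    """
    print('analyze_invoke_unityengine')

    resolve = get_resolve()

    print('  %X: %s' % (resolve, idc.Name(resolve)))

    # Same guard as analyze_invoke_library: bail out when the function was
    # not found. (The previous test was inverted — it returned on success
    # and walked the references of BADADDR on failure.)
    if resolve == idc.BADADDR:
        return

    ref = idc.RfirstB(resolve)
    while ref != idc.BADADDR:
        analyze_invoke(ref)
        ref = idc.RnextB(resolve, ref)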
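def analyze_invoke_library():
    """Run ``analyze_invoke2`` on every code reference to
    il2cpp::vm::PlatformInvoke::Resolve.

    The symbol is looked up with a leading ``.`` — presumably IDA's naming
    for the import/PLT stub of the function (TODO confirm on the target).
    Prints the resolved address and name, then walks the back-references.
    Does nothing when the symbol is missing (``idc.BADADDR``).
    """
    print('analyze_invoke_library')

    resolve = idc.LocByName('._ZN6il2cpp2vm14PlatformInvoke7ResolveERK16PInvokeArguments')

    print('  %X: %s' % (resolve, idc.Name(resolve)))

    if resolve == idc.BADADDR:
        return

    # Indentation normalised to the 4-space style used by the rest of the file.
    ref = idc.RfirstB(resolve)
    while ref != idc.BADADDR:
        analyze_invoke2(ref)
        ref = idc.RnextB(resolve, ref)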
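def analyze_reg():
    """Find the caller of il2cpp::vm::MetadataCache::Register and pull the
    code/metadata registration pointers out of its argument setup.

    Steps:
      1. Look up the (leading-``.``, presumably stub) symbol for Register and
         take the first code reference to it.
      2. Rename the enclosing function ``INIT_IL2CPP`` (auto name, no warning).
      3. Scan that function's instructions for ``lea``/``mov`` whose second
         operand matches ``nameref_re`` (module-level regex defined elsewhere
         in this file), collecting the matched text until three are found.
      4. Resolve ``args[2]`` as the code-registration address and read a
         32-bit value at ``args[1]`` as the metadata-registration address.

    Returns ``(code_reg, meta_reg)``, or ``(idc.BADADDR, idc.BADADDR)`` when
    the symbol has no reference or fewer than three operands match.

    NOTE(review): the ``args[2]``/``args[1]`` indexes assume the operands are
    set up in reverse argument order (options, metadata, code), and
    ``idc.Dword`` is a 32-bit read that would truncate a 64-bit pointer —
    both presumably fit the original 32-bit target; confirm before reuse.
    """
    print('analyze_reg')

    name = '._ZN6il2cpp2vm13MetadataCache8RegisterEPK22Il2CppCodeRegistrationPK26Il2CppMetadataRegistrationPK20Il2CppCodeGenOptions'
    caller = idc.RfirstB(idc.LocByName(name))

    if caller == idc.BADADDR:
        return (idc.BADADDR, idc.BADADDR)

    func_st = idc.GetFunctionAttr(caller, idc.FUNCATTR_START)
    func_en = idc.GetFunctionAttr(caller, idc.FUNCATTR_END)

    # Label the initialisation routine so it is easy to find in the IDB.
    idc.MakeNameEx(func_st, 'INIT_IL2CPP', idc.SN_NOWARN | idc.SN_AUTO)

    print('  %X: %s' % (func_st, idc.Name(func_st)))

    args = []
    addr = func_st
    while addr != idc.BADADDR and addr < func_en:
        mnem = idc.GetMnem(addr)

        if mnem in ('lea', 'mov'):
            operand = idc.GetOpnd(addr, 1)
            match = nameref_re.search(operand)

            if match is not None:
                args.append(match.group())

                if len(args) == 3:
                    # NOTE(review): neither lookup is checked for
                    # idc.BADADDR — a match that is not a symbol name goes
                    # unnoticed here.
                    code_reg = idc.LocByName(args[2])
                    meta_reg = idc.Dword(idc.LocByName(args[1]))

                    print('  code_reg = %08X' % (code_reg))
                    print('  meta_reg = %08X' % (meta_reg))

                    return (code_reg, meta_reg)

        addr = idc.NextHead(addr, func_en)

    return (idc.BADADDR, idc.BADADDR)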