Ufun.js Usage Guide

Tags: frida, ts
Author: axhlzy

Finding a function address

    /**
     * Find the address of a function from ImageName, ClassName, functionName and argsCount.
     * The last parameter, isRealAddr, selects whether the static-analysis address or the current in-memory address is shown
     * (with this parameter only the address is returned; without it the information is listed).
     * find_method("UnityEngine.UI","Text","get_text",0)
     * find_method("UnityEngine.UI","Text","get_text",0,false)
     */
    function find_method(imageName,className,functionName,argsCount,isRealAddr)

    [Pixel XL::XXX]-> find_method("UnityEngine.UI","Text","get_text",0,false)
    -------------------------------------------------------------------------------------
    UnityEngine.UI.Text public virtual String get_text ()
    ----------------------------
    Il2CppImage ----> 0xe34c51a0
    Il2CppClass ----> 0xbfb1d080
    MethodInfo ----> 0xbf042b34
    methodPointer ----> 0xc5389c7c ===> 0x1c24c7c
    -------------------------------------------------------------------------------------

Listing all assemblies and their class counts

Others: m() lists the methods of a class and f() lists its fields; both can be combined with an instance to parse arguments.

    /**
     * List all assemblies (images) and the number of classes in each.
     * The optional filter argument restricts the listing to matching image names.
     * i()
     * i("Unity")
     */
    function i(filter)

    [Pixel XL::XXX]-> i("Unity")
    -------------------------------------------------------------------------------------
    [*] 0xe34c4950 29 UnityEngine.SharedInternalsModule
    [*] 0xe34c4988 525 UnityEngine.CoreModule
    [*] 0xe34c49f8 5 UnityEngine.AssetBundleModule
    [*] 0xe34c4a30 20 UnityEngine.AudioModule
    [*] 0xe34c4a68 2 UnityEngine.ImageConversionModule
    [*] 0xe34c4aa0 15 UnityEngine.TextRenderingModule
    [*] 0xe34c4ad8 14 UnityEngine.UnityWebRequestModule
    [*] 0xe34c4b48 14 UnityEngine.AndroidJNIModule
    [*] 0xe34c4b80 43 UnityEngine.AnimationModule
    [*] 0xe34c4bb8 2 UnityEngine.DirectorModule
    [*] 0xe34c4bf0 14 UnityEngine.GameCenterModule
    [*] 0xe34c4c28 33 UnityEngine.IMGUIModule
    [*] 0xe34c4c60 10 UnityEngine.InputLegacyModule
    [*] 0xe34c4c98 2 UnityEngine.JSONSerializeModule
    [*] 0xe34c4cd0 16 UnityEngine.ParticleSystemModule
    [*] 0xe34c4d08 17 UnityEngine.Physics2DModule
    [*] 0xe34c4d40 27 UnityEngine.PhysicsModule
    [*] 0xe34c4d78 16 UnityEngine.TextCoreModule
    [*] 0xe34c4db0 11 UnityEngine.UIModule
    [*] 0xe34c4de8 13 UnityEngine.UnityAnalyticsModule
    [*] 0xe34c4e20 3 UnityEngine.UnityWebRequestWWWModule
    [*] 0xe34c4e58 15 UnityEngine.VideoModule
    [*] 0xe34c4f00 1 UnityEngine
    [*] 0xe34c51a0 196 UnityEngine.UI
    [*] 0xe34c5328 160 Unity.TextMeshPro
    [*] 0xe34c56a8 117 Unity.Timeline
    ----------------------------
    List 26 Images | All 78
    -------------------------------------------------------------------------------------

Adding functions to breakpoint (img/cls)

    /**
     * Add every method in the given img/cls to the breakpoint list.
     * a()
     * a(0xe34c5328)
     */
    function a(imgOrCls)

    [Pixel XL::XXX]-> a(0xe34c5328)
    -------------------------------------------------------------------------------------
    [*] 0xc3d5dc5c ---> 0x5f8c5c public Void Add (Action rhs)
    [*] 0xc3d5dd3c ---> 0x5f8d3c public Void Remove (Action rhs)
    [*] 0xc3d5de28 ---> 0x5f8e28 public Void Call ()
    [*] 0xc3d5dec8 ---> 0x5f8ec8 public Void .ctor ()
    ...
    [*] 0xc3c34cd8 ---> 0x4cfcd8 public override String ToString ()
    [*] 0xc3d638cc ---> 0x5fe8cc public Void .ctor ()
    ------------------------------------------
    Added 1133 Methods | All 1133
    -------------------------------------------------------------------------------------

Applying function breakpoints

    /**
     * Enable breakpoints on the functions in the breakpoint list, to make it easy to see what gets called.
     * B()
     */
    function B(filter)

    [Pixel XL::XXX]-> B()
    -------------------------
    currentAddr:0xc3d5dc5c public Void Add (Action rhs) ---->0 0x5f8c5c is prepared
    -------------------------
    currentAddr:0xc3d5dd3c public Void Remove (Action rhs) ---->1 0x5f8d3c is prepared
    -------------------------
    currentAddr:0xc3d5de28 public Void Call () ---->2 0x5f8e28 is prepared
    ...
    currentAddr:0xc41d8c9c private Vector2 GetPivot (TextContainerAnchors anchor) ---->1131 0xa73c9c is prepared
    -------------------------
    currentAddr:0xc41d86bc private TextContainerAnchors GetAnchorPosition (Vector2 pivot) ---->1132 0xa736bc is prepared
    ------------------------------------------
    Added 1133 BreakPoints | All 1133
    -------------------------------------------------------------------------------------
5. Once a called function has fired, use b() to parse its arguments, and use listfieldsfrommethodinfo() to parse the field values of that method's class instance.

    called : 0x380b10 (0xc1ef2a94) garage (0xc05ec300) ---> public Void SettingsMenu ()
    called : 0x503348 (0xc00a918c) returnButton (0xc0096320) ---> public Void ImInSettings ()
    called : 0x381414 (0xc1ef2c78) garage (0xc05ec300) ---> public Void Settings_Selector ()
    called : 0x4444dc (0xc0124f98) animBikerMen.(0xc0008ca0) ---> private Void RandomAnims ()
    called : 0x4445d8 (0xc0124ff0) animBikerMen.(0xc0008ca0) ---> public Void PlayCheckWatch ()
    called : 0x4444dc (0xc0124f98) animBikerMen.(0xc0008ca0) ---> private Void RandomAnims ()
    called : 0x44465c (0xc012501c) animBikerMen.(0xc0008ca0) ---> public Void PlayCrossArmsHigh ()
    ...

    /**
     * An example of what these values mean:
     * 0x380b10 is the function's actual address (the offset has already been subtracted)
     * 0xc1ef2a94 is the function's MethodInfo
     * 0xc05ec300 is the cls the current function belongs to (a "." means the name was too long and the output was truncated; getClassName returns the full name)
     * [Pixel XL::XXX]-> getClassName(0xc0008ca0)
     * "animBikerMenu"
     */

    [Pixel XL::XXX]-> b(0xc1ef2a94)
    [Pixel XL::XXX]-> -----------------------------------------------------------
    Called public Void SettingsMenu () at 0xc6a9eb10(0x380b10) | MethodInfo 0xc1ef2a94
    ----------------------
    inst | 0xba994e00 [PLATFORM (garage)]
    ret | ---> 0x0 Void (0xe32e4340)
    -----------------------------------------------------------
    [Pixel XL::XXX]->
    [Pixel XL::XXX]-> lffm(0xc1ef2a94,0xba994e00)
    Current Function SettingsMenu 0 0xc1ef2a94 ---> 0xc6a9eb10 ---> 0x380b10
    SettingsMenu ---> garage(0xc05ec300) ---> - ---> Assembly-CSharp(0xc56ceea8) ---> Il2CppAssembly(0xc56ceeb0)
    Found 99 Fields in class: garage (0xc05ec300)
    -----------------------------------------------------------------
    [1] 0x4 public static garage(0xc05ec300) Instance 0xba994e04 ---> 0x0 ---> ?
    [2] 0xc public List`1(0xbf78bae8) cars 0xba994e0c ---> 0xba512680 ---> System.Collections.Generic.List`1[Car]
    [3] 0x10 public GameObject(0xc3f78a80) startPanel 0xba994e10 ---> 0xba51bf40 ---> Start panel (UnityEngine.GameObject)
    [4] 0x14 public GameObject(0xc3f78a80) startPanelContent 0xba994e14 ---> 0xba51bf30 ---> start panel content (UnityEngine.GameObject)
    [5] 0x18 public GameObject(0xc3f78a80) garageMenu 0xba994e18 ---> 0xba51bf20 ---> SelectCars_Panel (UnityEngine.GameObject)
    [6] 0x1c public GameObject(0xc3f78a80) loading 0xba994e1c ---> 0xba51bf10 ---> loading (UnityEngine.GameObject)
    [7] 0x20 private GameObject(0xc3f78a80) currentCar 0xba994e20 ---> 0xe0909020 ---> DUNE_BUGGY (UnityEngine.GameObject)
    ...
    [75] 0x12c private Int32(0xcc588980) car_number 0xba994f2c ---> 0x4 ---> 4
    [76] 0x130 public GameObject(0xc3f78a80) selectButton 0xba994f30 ---> 0xba51bcf0 ---> select button (UnityEngine.GameObject)
    [77] 0x134 public GameObject(0xc3f78a80) lockedButton 0xba994f34 ---> 0xba51bce0 ---> locked button (UnityEngine.GameObject)
    [78] 0x138 public Text(0xc1f27200) car_name 0xba994f38 ---> 0xba94fcc0 ---> BUGGY
    [79] 0x13c public Text(0xc1f27200) car_price 0xba994f3c ---> 0xba94fe58 ---> 2000
    [80] 0x140 public Text(0xc1f27200) car_speed 0xba994f40 ---> 0xba94fdd0 ---> 250 1111111111
    [81] 0x144 public String[](0xbfc14a88) car_name_string 0xba994f44 ---> 0xba51af50 ---> System.String[]
    [82] 0x148 public Int32[](0xbf807188) car_price_string 0xba994f48 ---> 0xe0908320 ---> System.Int32[]
    ...
    [98] 0x170 public GameObject(0xc3f78a80) skins_button 0xba994f70 ---> 0xba51bc80 ---> skins button (UnityEngine.GameObject)

Parsing common classes

    // showGameObject showTransform showEventData (used in onpointerclick)
    [Pixel XL::XXX]-> showGameObject(0xba51bc80)
    --------- GameObject ---------
    gameObj ---> 0xba51bc80
    getName ---> skins button
    getLayer ---> 5
    getTransform ---> 0xba940180
    hierarchy ---> skins button(0xba940180) <--- start panel content(0xba940910) <--- Start panel(0xba9408b0) <--- Canvas(0xba940850)

    [Pixel XL::XXX]-> showTransform(0xba940180)
    --------- Transform ---------
    childCount ---> 1 (skins button)
    0xba940180 : skins button
    0xba940190 : skins button (2)
    eulerAngles (0xb3135a98) ---> 0 0 0
    forward (0x9f659aa8) ---> 0 0 1
    position (0xacb4acd0) ---> 2518.39990234375 1082.56005859375 0
    localPosition (0xacb18b58) ---> 387 113.30000305175780 0
    localRotation (0xb31287e8) ---> 0 0 0 1
    localScale (0x9f5444d8) ---> 0.9999998211860657 0.9999998211860657 0.9999998211860657
    lossyScale (0xacb868c8) ---> 3.1999995708465576 3.1999995708465576 3.1999995708465576
    right (0xb313dc50) ---> 1 0 0
    up (0x9f502710) ---> 0 1 0
    rotation (0xb319c300) ---> 0 0 0 1
  1. Look up all methods of a class from a methodinfo or class, so they can be invoked with callFunction

    [Pixel XL::XXX]-> lmfc(0xc3f78a80)
    //methodinfo realAddr localAddr
    -------------------------------------------------------------------------------------
    [*] 0xc3e8e000 ---> 0xc72e246c ---> 0xbc446c public Void .ctor (String name) ---> ret Void 0xe32e4340 ---> cls String 0xcc589400
    [*] 0xc3e8e02c ---> 0xc72e2588 ---> 0xbc4588 public Void .ctor () ---> ret Void 0xe32e4340 ---> cls
    [*] 0xc3e8e058 ---> 0xc72e264c ---> 0xbc464c public Void .ctor (String name,Type[] name) ---> ret Void 0xe32e4340 ---> cls String 0xcc589400,Type[] 0xc56918d8
    [*] 0xc3e8e084 ---> 0x0 ---> 0x398e2000 public T GetComponent () ---> ret T 0xaab16588 ---> cls
    [*] 0xc3e8e0b0 ---> 0xc72d86f4 ---> 0xbba6f4 public Component GetComponent (Type type) ---> ret Component 0xc3f788c0 ---> cls Type 0xc66c6f00
    [*] 0xc3e8e0dc ---> 0xc72e2800 ---> 0xbc4800 internal Void GetComponentFastPath (Type type,IntPtr type) ---> ret Void 0xe32e4340 ---> cls Type 0xc66c6f00,IntPtr 0xcc67cb00
    ...
    [*] 0xc3e8e70c ---> 0xc72e2f70 ---> 0xbc4f70 public Scene get_scene () ---> ret Scene 0xb2fa8540 ---> cls
    [*] 0xc3e8e738 ---> 0xc72e3028 ---> 0xbc5028 public GameObject get_gameObject () ---> ret GameObject 0xc3f78a80 ---> cls
    [*] 0xc3e8e764 ---> 0xc72e2fd4 ---> 0xbc4fd4 private Void get_scene_Injected (Scene ret) ---> ret Void 0xe32e4340 ---> cls Scene 0xb2fa8540
    -------------------------------------------------------------------------------------
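
The lmfc() listing above prints a live address (realAddr) and a static-analysis offset (localAddr) for each method. The following added example, which is not part of Ufun.js or the original page, parses such rows in plain Node.js, recovers the module load base, and flags rows whose realAddr is 0x0, where the printed localAddr is only 0 minus the base wrapped to 32 bits. The names `parseRow`, `analyzeRows` and `toRuntime` are hypothetical, and a 32-bit process is assumed, as in the sample addresses.

```javascript
// Added example: map lmfc() rows to the module load base and flag null pointers.
// SAMPLE is constructed from three rows of the lmfc(0xc3f78a80) output on this page.
const SAMPLE = [
  "[*] 0xc3e8e000 ---> 0xc72e246c ---> 0xbc446c public Void .ctor (String name)",
  "[*] 0xc3e8e084 ---> 0x0 ---> 0x398e2000 public T GetComponent ()",
  "[*] 0xc3e8e0b0 ---> 0xc72d86f4 ---> 0xbba6f4 public Component GetComponent (Type type)",
];

// Columns per the page's header comment: methodinfo, realAddr, localAddr, then the signature.
const ROW = /^\[\*\]\s+(0x[0-9a-f]+)\s+--->\s+(0x[0-9a-f]+)\s+--->\s+(0x[0-9a-f]+)\s+(.+)$/i;
const hex = (n) => "0x" + n.toString(16);

function parseRow(line) {
  const m = ROW.exec(line.trim());
  if (!m) return null; // separators, "..." and prompt lines are skipped
  const [methodInfo, realAddr, localAddr] = m.slice(1, 4).map(Number);
  return { methodInfo, realAddr, localAddr, signature: m[4] };
}

// analyzeRows is a hypothetical helper name, not part of Ufun.js.
function analyzeRows(lines) {
  const rows = lines.map(parseRow).filter(Boolean);
  const live = rows.filter((r) => r.realAddr !== 0);
  const bases = new Set(live.map((r) => r.realAddr - r.localAddr));
  if (bases.size !== 1) throw new Error("expected one module base, got: " + [...bases].map(hex));
  const base = [...bases][0];
  return {
    base,
    rows: rows.map((r) => {
      if (r.realAddr !== 0) return { ...r, usable: true };
      // Null pointer: the printed localAddr is only (0 - base) wrapped to 32 bits (assumed 32-bit process).
      const wrapped = (0 - base) >>> 0;
      return { ...r, usable: false, wrapArtifact: r.localAddr === wrapped };
    }),
  };
}

// Convert a static-analysis offset back to a live address for this session.
const toRuntime = (base, localAddr) => base + localAddr;

const result = analyzeRows(SAMPLE);
console.log("module base", hex(result.base));
for (const r of result.rows) {
  console.log(hex(r.methodInfo), r.usable ? hex(r.localAddr) : "(null pointer)", r.signature);
}
```
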

Calling functions: callFunction

Besides the instance, at most four arguments can follow; see the source code.

    // An arbitrary example: get_tag() under GameObject
    [*] 0xc3e8e5ac ---> 0xc72d8c64 ---> 0xbbac64 public String get_tag () ---> ret String 0xcc589400 ---> cls
    [98] 0x170 public GameObject(0xc3f78a80) skins_button 0xba994f70 ---> 0xba51bc80 ---> skins button (UnityEngine.GameObject)
    [Pixel XL::XXX]-> readU16(callFunction(0xc72d8c64,0xba51bc80))
    "Untagged"

Common hook wrappers

    HookOnPointerClick()
    HookSendMessage()
    HookSetActive()
    HookDebugLog()
    HookLoadScene()
    HookPlayerPrefs()

Common Set functions

    //u3d gobj
    setActive()
    //u3d transform()
    SetLocalPosition()
    SetLocalScale()
    SetLocalRotation()
    //u3d sp
    SetString()
    SetInt()
    SetFloat()

Filtering to show only function calls under specified class names

    [Pixel XL::XXX]-> enableFilter = true
    [Pixel XL::XXX]-> filterClass.push("DailyReward")

Other methods

The remaining methods do what their names suggest.

    function setFunctionBoolean(mPtr,boolean,index)
    function setFunctionValue(mPtr,value,index)
    function SendMessage(str0,str1,str2)
    function breakWithArgs(mPtr,argCount)
    function breakInline(mPtr)
    function canUseInlineHook(mPtr,Type)
    function PrintHierarchy(mPtr,level,inCall)
    function findClass(imageName,className)
    function getUnityInfo()
    function getApkInfo()
    function launchApp(pkgName)
    function readU16(mPtr)
    function allcStr(str,type)
    function allcVector(x,y,z,w)
    function seeHexR(addr,length)
    function seeHexA(addr,length)
    function printCtx(pointer,range,sign)
    function Toast(msg)
    function runOnMain(UpDatePtr,Callback)
    function GotoScene(str)
    ...