From 8d7cc6b9e798514804e29ef74aa9eaa6862cea54 Mon Sep 17 00:00:00 2001 From: AlexKnauth Date: Mon, 16 Oct 2023 17:31:46 -0400 Subject: [PATCH 1/8] Image classes table detect cycles --- src/game_engine/unity/mono.rs | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/game_engine/unity/mono.rs b/src/game_engine/unity/mono.rs index 3e63dc8..17e424c 100644 --- a/src/game_engine/unity/mono.rs +++ b/src/game_engine/unity/mono.rs @@ -7,6 +7,8 @@ use crate::{ }; use core::{array, cell::RefCell, iter}; +#[cfg(all(debug_assertions, feature = "alloc"))] +use alloc::collections::BTreeSet; #[cfg(feature = "derive")] pub use asr_derive::MonoClass as Class; use bytemuck::CheckedBitPattern; @@ -266,6 +268,8 @@ impl Image { }; (0..class_cache_size.unwrap_or_default()).flat_map(move |i| { + #[cfg(all(debug_assertions, feature = "alloc"))] + let mut seen = BTreeSet::new(); let mut table = match table_addr { Ok(table_addr) => process .read_pointer( @@ -277,6 +281,8 @@ impl Image { }; iter::from_fn(move || { + #[cfg(all(debug_assertions, feature = "alloc"))] + if seen.replace(table?).is_some() { panic!("Image classes cycle detected"); } let class = process.read_pointer(table?, module.pointer_size).ok()?; table = process From d720ff3672627fc7659e004c6397cabd39281c2d Mon Sep 17 00:00:00 2001 From: AlexKnauth Date: Mon, 16 Oct 2023 17:32:04 -0400 Subject: [PATCH 2/8] Offsets comments --- src/game_engine/unity/mono.rs | 60 +++++++++++++++++++---------------- 1 file changed, 32 insertions(+), 28 deletions(-) diff --git a/src/game_engine/unity/mono.rs b/src/game_engine/unity/mono.rs index 17e424c..2742d0f 100644 --- a/src/game_engine/unity/mono.rs +++ b/src/game_engine/unity/mono.rs 
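Review bot: The cycle guard added inside the `iter::from_fn` closure is compiled only under `debug_assertions` together with `alloc`, so a release build walking a corrupted or concurrently modified class-cache chain read from the target process still spins forever, and when the guard does fire it panics the whole autosplitter instead of simply ending the iteration. Because `table` comes from another process's memory the chain cannot be assumed to terminate, so the protection should be unconditional and graceful: `if seen.replace(table?).is_some() { return None; }` for the alloc build, plus a hard bound such as `.take(MAX_CLASS_CHAIN)` (constructed constant) on the `from_fn` iterator so the no-alloc build is covered too. The same point applies to the `seen` declaration in the previous hunk of this patch. The enclosing `flat_map` closure starts before these hunks and the method body continues past them.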
@@ -841,25 +841,27 @@ impl Offsets { monovtable_vtable: 0x48, monoclassfieldalignment: 0x20, }), + // 64-bit PE V2 matches Unity2019_4_2020_3_x64_PE_Offsets from + // https://github.com/hackf5/unityspy/blob/master/src/HackF5.UnitySpy/Offsets/MonoLibraryOffsets.cs#L49 Version::V2 => Some(&Self { monoassembly_aname: 0x10, - monoassembly_image: 0x60, - monoimage_class_cache: 0x4C0, - monointernalhashtable_table: 0x20, - monointernalhashtable_size: 0x18, - monoclassdef_next_class_cache: 0x108, + monoassembly_image: 0x60, // AssemblyImage = 0x44 + 0x1c + monoimage_class_cache: 0x4C0, // ImageClassCache = 0x354 + 0x16c + monointernalhashtable_table: 0x20, // HashTableTable = 0x14 + 0xc + monointernalhashtable_size: 0x18, // HashTableSize = 0xc + 0xc + monoclassdef_next_class_cache: 0x108, // TypeDefinitionNextClassCache = 0xa8 + 0x34 + 0x10 + 0x18 + 0x4 monoclassdef_klass: 0x0, - monoclass_name: 0x48, - monoclass_name_space: 0x50, - monoclass_fields: 0x98, - monoclassdef_field_count: 0x100, - monoclass_runtime_info: 0xD0, - monoclass_vtable_size: 0x5C, - monoclass_parent: 0x30, + monoclass_name: 0x48, // TypeDefinitionName = 0x2c + 0x1c + monoclass_name_space: 0x50, // TypeDefinitionNamespace = 0x30 + 0x20 + monoclass_fields: 0x98, // TypeDefinitionFields = 0x60 + 0x20 + 0x18 + monoclassdef_field_count: 0x100, // TypeDefinitionFieldCount = 0xa4 + 0x34 + 0x10 + 0x18 + monoclass_runtime_info: 0xD0, // TypeDefinitionRuntimeInfo = 0x84 + 0x34 + 0x18 + monoclass_vtable_size: 0x5C, // TypeDefinitionVTableSize = 0x38 + 0x24 + monoclass_parent: 0x30, // TypeDefinitionParent = 0x20 + 0x10 monoclassfield_name: 0x8, monoclassfield_offset: 0x18, - monoclassruntimeinfo_domain_vtables: 0x8, - monovtable_vtable: 0x40, + monoclassruntimeinfo_domain_vtables: 0x8, // TypeDefinitionRuntimeInfoDomainVTables = 0x4 + 0x4 + monovtable_vtable: 0x40, // VTable = 0x28 + 0x18 monoclassfieldalignment: 0x20, }), Version::V3 => Some(&Self { 
@@ -905,26 +907,28 @@ impl Offsets { monoclassruntimeinfo_domain_vtables: 0x4, monovtable_vtable: 0x28, monoclassfieldalignment: 0x10, + // 32-bit PE V2 matches Unity2018_4_10_x86_PE_Offsets from + // https://github.com/hackf5/unityspy/blob/master/src/HackF5.UnitySpy/Offsets/MonoLibraryOffsets.cs#L12 }), Version::V2 => Some(&Self { monoassembly_aname: 0x8, - monoassembly_image: 0x44, - monoimage_class_cache: 0x354, - monointernalhashtable_table: 0x14, - monointernalhashtable_size: 0xC, - monoclassdef_next_class_cache: 0xA8, + monoassembly_image: 0x44, // AssemblyImage + monoimage_class_cache: 0x354, // ImageClassCache + monointernalhashtable_table: 0x14, // HashTableTable + monointernalhashtable_size: 0xC, // HashTableSize + monoclassdef_next_class_cache: 0xA8, // TypeDefinitionNextClassCache monoclassdef_klass: 0x0, - monoclass_name: 0x2C, - monoclass_name_space: 0x30, - monoclass_fields: 0x60, - monoclassdef_field_count: 0xA4, - monoclass_runtime_info: 0x84, - monoclass_vtable_size: 0x38, - monoclass_parent: 0x20, + monoclass_name: 0x2C, // TypeDefinitionName + monoclass_name_space: 0x30, // TypeDefinitionNamespace + monoclass_fields: 0x60, // TypeDefinitionFields + monoclassdef_field_count: 0xA4, // TypeDefinitionFieldCount + monoclass_runtime_info: 0x84, // TypeDefinitionRuntimeInfo + monoclass_vtable_size: 0x38, // TypeDefinitionVTableSize + monoclass_parent: 0x20, // TypeDefinitionParent monoclassfield_name: 0x4, monoclassfield_offset: 0xC, - monoclassruntimeinfo_domain_vtables: 0x4, - monovtable_vtable: 0x28, + monoclassruntimeinfo_domain_vtables: 0x4, // TypeDefinitionRuntimeInfoDomainVTables + monovtable_vtable: 0x28, // VTable monoclassfieldalignment: 0x10, }), Version::V3 => Some(&Self { From 99be3914dd00c90cbe9c11ecea449abbd0adc359 Mon Sep 17 00:00:00 2001 
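Review bot: The two new comment lines `// 32-bit PE V2 matches Unity2018_4_10_x86_PE_Offsets from …` are inserted inside the `Version::V1` struct literal, after `monoclassfieldalignment: 0x10,` and before its closing `}),`, so they read as documentation of the V1 table rather than the V2 one. Move them below that `}),` so they sit directly above `Version::V2 => Some(&Self {`, which is where the equivalent comment was placed in the 64-bit table in the previous hunk. The enclosing `Offsets::new` match starts and ends outside this hunk.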
From: AlexKnauth Date: Mon, 16 Oct 2023 17:32:28 -0400 Subject: [PATCH 3/8] Create macho.rs --- src/file_format/macho.rs | 123 +++++++++++++++++++++++++++++++++++++++ src/file_format/mod.rs | 1 + 2 files changed, 124 insertions(+) create mode 100644 src/file_format/macho.rs diff --git a/src/file_format/macho.rs b/src/file_format/macho.rs new file mode 100644 index 0000000..1061956 --- /dev/null +++ b/src/file_format/macho.rs @@ -0,0 +1,123 @@ +//! Support for parsing MachO files + +use crate::{Process, Address}; + +use core::mem; + +// Magic mach-o header constants from: +// https://opensource.apple.com/source/xnu/xnu-4570.71.2/EXTERNAL_HEADERS/mach-o/loader.h.auto.html +const MH_MAGIC_32: u32 = 0xfeedface; +const MH_CIGAM_32: u32 = 0xcefaedfe; +const MH_MAGIC_64: u32 = 0xfeedfacf; +const MH_CIGAM_64: u32 = 0xcffaedfe; + +struct MachOFormatOffsets { + number_of_commands: usize, + load_commands: usize, + command_size: usize, + symbol_table_offset: usize, + number_of_symbols: usize, + string_table_offset: usize, + nlist_value: usize, + size_of_nlist_item: usize, +} + +impl MachOFormatOffsets { + const fn new() -> Self { + // offsets taken from: + // - https://github.com/hackf5/unityspy/blob/master/src/HackF5.UnitySpy/Offsets/MachOFormatOffsets.cs + // - https://opensource.apple.com/source/xnu/xnu-4570.71.2/EXTERNAL_HEADERS/mach-o/loader.h.auto.html + MachOFormatOffsets { + number_of_commands: 0x10, + load_commands: 0x20, + command_size: 0x04, + symbol_table_offset: 0x08, + number_of_symbols: 0x0c, + string_table_offset: 0x10, + nlist_value: 0x08, + size_of_nlist_item: 0x10, + } + } +} + +/// Scans the range for a page that begins with MachO Magic +pub fn scan_macho_page(process: &Process, range: (Address, u64)) -> Option
{ + const PAGE_SIZE: u64 = 0x1000; + let (addr, len) = range; + // negation mod PAGE_SIZE + let distance_to_page = (PAGE_SIZE - (addr.value() % PAGE_SIZE)) % PAGE_SIZE; + // round up to the next multiple of PAGE_SIZE + let first_page = addr + distance_to_page; + for i in 0..((len - distance_to_page) / PAGE_SIZE) { + let a = first_page + (i * PAGE_SIZE); + match process.read::(a) { + Ok(MH_MAGIC_64 | MH_CIGAM_64 | MH_MAGIC_32 | MH_CIGAM_32) => { + return Some(a); + } + _ => () + } + } + None +} + +/// Determines whether a MachO header at the address is 64-bit or 32-bit +pub fn is_64_bit(process: &Process, address: Address) -> Option { + let magic: u32 = process.read(address).ok()?; + match magic { + MH_MAGIC_64 | MH_CIGAM_64 => Some(true), + MH_MAGIC_32 | MH_CIGAM_32 => Some(false), + _ => None + } +} + +/// Finds the address of a function from a MachO module range and file contents. +pub fn get_function_address(process: &Process, range: (Address, u64), macho_bytes: &[u8], function_name: &[u8]) -> Option
{ + let function_offset: u32 = get_function_offset(&macho_bytes, function_name)?; + let function_address = scan_macho_page(process, range)? + function_offset; + let actual: [u8; 0x100] = process.read(function_address).ok()?; + let expected: [u8; 0x100] = slice_read(&macho_bytes, function_offset as usize).ok()?; + if actual != expected { return None; } + Some(function_address) +} + +/// Finds the offset of a function in the bytes of a MachO file. +pub fn get_function_offset(macho_bytes: &[u8], function_name: &[u8]) -> Option { + let macho_offsets = MachOFormatOffsets::new(); + let number_of_commands: u32 = slice_read(macho_bytes, macho_offsets.number_of_commands).ok()?; + let function_name_len = function_name.len(); + + let mut offset_to_next_command: usize = macho_offsets.load_commands as usize; + for _i in 0..number_of_commands { + // Check if load command is LC_SYMTAB + let next_command: i32 = slice_read(macho_bytes, offset_to_next_command).ok()?; + if next_command == 2 { + let symbol_table_offset: u32 = slice_read(macho_bytes, offset_to_next_command + macho_offsets.symbol_table_offset).ok()?; + let number_of_symbols: u32 = slice_read(macho_bytes, offset_to_next_command + macho_offsets.number_of_symbols).ok()?; + let string_table_offset: u32 = slice_read(macho_bytes, offset_to_next_command + macho_offsets.string_table_offset).ok()?; + + for j in 0..(number_of_symbols as usize) { + let symbol_name_offset: u32 = slice_read(macho_bytes, symbol_table_offset as usize + (j * macho_offsets.size_of_nlist_item)).ok()?; + let string_offset = string_table_offset as usize + symbol_name_offset as usize; + let symbol_name: &[u8] = &macho_bytes[string_offset..(string_offset + function_name_len + 1)]; + + if symbol_name[function_name_len] == 0 && symbol_name.starts_with(function_name) { + return Some(slice_read(macho_bytes, symbol_table_offset as usize + (j * macho_offsets.size_of_nlist_item) + macho_offsets.nlist_value).ok()?); + } + } + + break; + } else { + let command_size: 
u32 = slice_read(macho_bytes, offset_to_next_command + macho_offsets.command_size).ok()?; + offset_to_next_command += command_size as usize; + } + } + None +} + +/// Reads a value of the type specified from the slice at the address +/// given. +pub fn slice_read(slice: &[u8], address: usize) -> Result { + let size = mem::size_of::(); + let slice_src = &slice[address..(address + size)]; + bytemuck::checked::try_from_bytes(slice_src).cloned() +} diff --git a/src/file_format/mod.rs b/src/file_format/mod.rs index 14b8a83..f26597d 100644 --- a/src/file_format/mod.rs +++ b/src/file_format/mod.rs @@ -2,3 +2,4 @@ pub mod elf; pub mod pe; +pub mod macho; From 989c8433bccd2cbba7b8ab9260de19fd92b41f78 Mon Sep 17 00:00:00 2001 From: AlexKnauth Date: Mon, 16 Oct 2023 17:32:51 -0400 Subject: [PATCH 4/8] Support Mac SceneManager --- src/game_engine/unity/scene.rs | 72 ++++++++++++++++++++++++++-------- 1 file changed, 55 insertions(+), 17 deletions(-) diff --git a/src/game_engine/unity/scene.rs b/src/game_engine/unity/scene.rs index 51c3214..42668db 100644 --- a/src/game_engine/unity/scene.rs +++ b/src/game_engine/unity/scene.rs @@ -11,6 +11,7 @@ use core::{array, iter, mem::MaybeUninit}; use crate::{ file_format::pe, future::retry, signature::Signature, string::ArrayCString, Address, Address32, Address64, Error, PointerSize, Process, + file_format::macho, }; const CSTR: usize = 128; 
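Review bot: `slice_read` and the `symbol_name` slice in `get_function_offset` index `macho_bytes` with offsets taken from the file itself (`address..(address + size)` and `string_offset..(string_offset + function_name_len + 1)`), so a truncated or malformed dylib panics the caller instead of yielding `None`; `slice.get(address..address.checked_add(size)?)`-style lookups, with the `None` mapped to the function's error or `None` return, make the parser fail closed on bad input. `scan_macho_page` has the same flavour of edge: `len - distance_to_page` underflows when the range is shorter than the distance to the next page boundary, so it should be `len.checked_sub(distance_to_page)?`. Two smaller points: the `next_command == 2` literal deserves a named constant (`LC_SYMTAB`), and the fixed `load_commands: 0x20` offset matches the 64-bit `mach_header_64` layout only, which is worth stating in the `MachOFormatOffsets::new` comment since `scan_macho_page` also accepts the 32-bit and byte-swapped magics that this parser does not otherwise handle.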
@@ -30,33 +31,64 @@ pub struct SceneManager { impl SceneManager { /// Attaches to the scene manager in the given process. pub fn attach(process: &Process) -> Option { - const SIG_64_BIT: Signature<13> = Signature::new("48 83 EC 20 4C 8B ?5 ???????? 33 F6"); + const SIG_64_BIT_PE: Signature<13> = Signature::new("48 83 EC 20 4C 8B ?5 ???????? 33 F6"); + const SIG_64_BIT_MACHO: Signature<13> = Signature::new("41 54 53 50 4C 8B ?5 ???????? 41 83"); const SIG_32_1: Signature<12> = Signature::new("55 8B EC 51 A1 ???????? 53 33 DB"); const SIG_32_2: Signature<6> = Signature::new("53 8D 41 ?? 33 DB"); const SIG_32_3: Signature<14> = Signature::new("55 8B EC 83 EC 18 A1 ???????? 33 C9 53"); - let unity_player = process.get_module_range("UnityPlayer.dll").ok()?; + let (unity_player, format) = [("UnityPlayer.dll", BinaryFormat::PE), ("UnityPlayer.dylib", BinaryFormat::MachO)] + .into_iter() + .find_map(|(name, format)| Some((process.get_module_range(name).ok()?, format)))?; - let pointer_size = match pe::MachineType::read(process, unity_player.0)? { - pe::MachineType::X86_64 => PointerSize::Bit64, - _ => PointerSize::Bit32, + let pointer_size = match format { + BinaryFormat::PE => { + match pe::MachineType::read(process, unity_player.0)? { + pe::MachineType::X86_64 => PointerSize::Bit64, + _ => PointerSize::Bit32, + } + } + BinaryFormat::MachO => { + if macho::is_64_bit(process, macho::scan_macho_page(process, unity_player)?)? { + PointerSize::Bit64 + } else { + PointerSize::Bit32 + } + } }; - let is_il2cpp = process.get_module_address("GameAssembly.dll").is_ok(); // There are multiple signatures that can be used, depending on the version of Unity // used in the target game. - let base_address: Address = if pointer_size == PointerSize::Bit64 { - let addr = SIG_64_BIT.scan_process_range(process, unity_player)? + 7; - addr + 0x4 + process.read::(addr).ok()? 
- } else if let Some(addr) = SIG_32_1.scan_process_range(process, unity_player) { - process.read::(addr + 5).ok()?.into() - } else if let Some(addr) = SIG_32_2.scan_process_range(process, unity_player) { - process.read::(addr.add_signed(-4)).ok()?.into() - } else if let Some(addr) = SIG_32_3.scan_process_range(process, unity_player) { - process.read::(addr + 7).ok()?.into() - } else { - return None; + let base_address: Address = match (pointer_size, format) { + (PointerSize::Bit64, BinaryFormat::PE) => { + let addr = SIG_64_BIT_PE.scan_process_range(process, unity_player)? + 7; + addr + 0x4 + process.read::(addr).ok()? + }, + (PointerSize::Bit64, BinaryFormat::MachO) => { + // RIP-relative addressing + // 7 is the offset to the ???????? question marks in the signature + let addr = SIG_64_BIT_MACHO.scan_process_range(process, unity_player)? + 7; + // 4 is the offset to the next instruction after the question marks + addr + 0x4 + process.read::(addr).ok()? + }, + (PointerSize::Bit32, BinaryFormat::PE) => { + if let Some(addr) = SIG_32_1.scan_process_range(process, unity_player) { + process.read::(addr + 5).ok()?.into() + } else if let Some(addr) = SIG_32_2.scan_process_range(process, unity_player) { + process.read::(addr.add_signed(-4)).ok()?.into() + } else if let Some(addr) = SIG_32_3.scan_process_range(process, unity_player) { + process.read::(addr + 7).ok()?.into() + } else { + return None; + } + }, + (PointerSize::Bit32, BinaryFormat::MachO) => { + return None; + }, + (PointerSize::Bit16, _) => { + return None; + }, }; let offsets = Offsets::new(pointer_size); @@ -429,6 +461,12 @@ impl Transform { } } +#[derive(Copy, Clone, PartialEq, Hash, Debug)] +enum BinaryFormat { + PE, + MachO, +} + struct Offsets { scene_count: u8, active_scene: u8, From d7f7a962d7af7eaf1b15a2581af0f6864d2585d1 Mon Sep 17 00:00:00 2001 
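Review bot: The `(PointerSize::Bit64, BinaryFormat::MachO)` arm repeats the `(PointerSize::Bit64, BinaryFormat::PE)` arm line for line apart from the signature constant, so the RIP-relative decode (`+ 7`, then `addr + 0x4 + process.read(addr)`) now lives twice; selecting the signature first (`let sig = match format { BinaryFormat::PE => &SIG_64_BIT_PE, BinaryFormat::MachO => &SIG_64_BIT_MACHO };`) and decoding once keeps the two paths from drifting. The `(PointerSize::Bit32, BinaryFormat::MachO) => { return None; }` arm should carry a one-line comment such as `// 32-bit Mach-O UnityPlayer builds are not supported (no signature yet)`, otherwise it reads like an oversight. The `BinaryFormat` enum introduced in the second hunk of this file is the same enum PATCH 6 later adds to `mono.rs` (there with `MachO` gated on `feature = "std"`); one shared definition under `game_engine::unity` or `file_format` would avoid two copies with different gating. The `attach` body continues past this hunk.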
From: AlexKnauth Date: Mon, 16 Oct 2023 17:33:11 -0400 Subject: [PATCH 5/8] Feature std to disable no_std --- Cargo.toml | 1 + src/lib.rs | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Cargo.toml b/Cargo.toml index bfd6be9..a3cb50d 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -20,6 +20,7 @@ libm = { version = "0.2.7", optional = true } wasi = { version = "0.11.0+wasi-snapshot-preview1", default-features = false } [features] +std = ["alloc"] alloc = [] derive = ["asr-derive"] flags = ["bitflags"] diff --git a/src/lib.rs b/src/lib.rs index d22d79b..8f1d560 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -1,4 +1,4 @@ -#![no_std] +#![cfg_attr(not(feature = "std"), no_std)] #![warn( clippy::complexity, clippy::correctness, From ae9b4ec47bc644fba98094fe7923ae4760001849 Mon Sep 17 00:00:00 2001 From: AlexKnauth Date: Mon, 16 Oct 2023 17:33:29 -0400 Subject: [PATCH 6/8] Offsets for 64-bit MachO V1, V2 --- src/game_engine/unity/mono.rs | 65 ++++++++++++++++++++++++++++++++--- 1 file changed, 60 insertions(+), 5 deletions(-) diff --git a/src/game_engine/unity/mono.rs b/src/game_engine/unity/mono.rs index 2742d0f..49bd62b 100644 --- a/src/game_engine/unity/mono.rs +++ b/src/game_engine/unity/mono.rs @@ -47,7 +47,7 @@ impl Module { _ => PointerSize::Bit32, }; - let offsets = Offsets::new(version, pointer_size)?; + let offsets = Offsets::new(version, pointer_size, BinaryFormat::PE)?; let root_domain_function_address = pe::symbols(process, module) .find(|symbol| { @@ -794,6 +794,13 @@ impl UnityPointer { } } +#[derive(Copy, Clone, PartialEq, Hash, Debug)] +enum BinaryFormat { + PE, + #[cfg(feature = "std")] + MachO, +} + struct Offsets { monoassembly_aname: u8, monoassembly_image: u8, 
@@ -817,9 +824,9 @@ struct Offsets { } impl Offsets { - const fn new(version: Version, pointer_size: PointerSize) -> Option<&'static Self> { - match pointer_size { - PointerSize::Bit64 => match version { + const fn new(version: Version, pointer_size: PointerSize, format: BinaryFormat) -> Option<&'static Self> { + match (pointer_size, format) { + (PointerSize::Bit64, BinaryFormat::PE) => match version { Version::V1 => Some(&Self { monoassembly_aname: 0x10, monoassembly_image: 0x58, @@ -886,7 +893,7 @@ impl Offsets { monoclassfieldalignment: 0x20, }), }, - PointerSize::Bit32 => match version { + (PointerSize::Bit32, BinaryFormat::PE) => match version { Version::V1 => Some(&Self { monoassembly_aname: 0x8, monoassembly_image: 0x40, 
@@ -953,6 +960,54 @@ impl Offsets { monoclassfieldalignment: 0x10, }), }, + #[cfg(feature = "std")] + (PointerSize::Bit64, BinaryFormat::MachO) => match version { + Version::V1 => Some(&Self { + monoassembly_aname: 0x10, + monoassembly_image: 0x58, // matches 64-bit PE V1 + monoimage_class_cache: 0x3D0, // matches 64-bit PE V1 + monointernalhashtable_table: 0x20, + monointernalhashtable_size: 0x18, + monoclassdef_next_class_cache: 0xF8, // 0x8 less than 64-bit PE V1 + monoclassdef_klass: 0x0, + monoclass_name: 0x40, // 0x8 less than 64-bit PE V1 + monoclass_name_space: 0x48, // 0x8 less than 64-bit PE V1 + monoclass_fields: 0xA0, // 0x8 less than 64-bit PE V1 + monoclassdef_field_count: 0x8C, // 0x8 less than 64-bit PE V1 + monoclass_runtime_info: 0xF0, // 0x8 less than 64-bit PE V1 + monoclass_vtable_size: 0x18, // MonoVtable.data + monoclass_parent: 0x28, // 0x8 less than 64-bit PE V1 + monoclassfield_name: 0x8, + monoclassfield_offset: 0x18, + monoclassruntimeinfo_domain_vtables: 0x8, + monovtable_vtable: 0x0, // UNUSED for V1 + monoclassfieldalignment: 0x20, + }), + // 64-bit MachO V2 matches Unity2019_4_2020_3_x64_MachO_Offsets from + // https://github.com/hackf5/unityspy/blob/master/src/HackF5.UnitySpy/Offsets/MonoLibraryOffsets.cs#L86 + Version::V2 => Some(&Self { + monoassembly_aname: 0x10, + monoassembly_image: 0x60, // AssemblyImage = 0x44 + 0x1c + monoimage_class_cache: 0x4C0, // ImageClassCache = 0x354 + 0x16c + monointernalhashtable_table: 0x20, // HashTableTable = 0x14 + 0xc + monointernalhashtable_size: 0x18, // HashTableSize = 0xc + 0xc + monoclassdef_next_class_cache: 0x100, // TypeDefinitionNextClassCache = 0xa8 + 0x34 + 0x10 + 0x18 + 0x4 - 0x8 + monoclassdef_klass: 0x0, + monoclass_name: 0x40, // TypeDefinitionName = 0x2c + 0x1c - 0x8 + monoclass_name_space: 0x48, // TypeDefinitionNamespace = 0x30 + 0x20 - 0x8 + monoclass_fields: 0x90, // TypeDefinitionFields = 0x60 + 0x20 + 0x18 - 0x8 + monoclassdef_field_count: 0xF8, // TypeDefinitionFieldCount 
= 0xa4 + 0x34 + 0x10 + 0x18 - 0x8 + monoclass_runtime_info: 0xC8, // TypeDefinitionRuntimeInfo = 0x84 + 0x34 + 0x18 - 0x8 + monoclass_vtable_size: 0x54, // TypeDefinitionVTableSize = 0x38 + 0x24 - 0x8 + monoclass_parent: 0x28, // TypeDefinitionParent = 0x20 + 0x10 - 0x8 + monoclassfield_name: 0x8, + monoclassfield_offset: 0x18, + monoclassruntimeinfo_domain_vtables: 0x8, // TypeDefinitionRuntimeInfoDomainVTables = 0x4 + 0x4 + monovtable_vtable: 0x40, // VTable = 0x28 + 0x18 + monoclassfieldalignment: 0x20, + }), + Version::V3 => None, + }, _ => None, } } From 9ff38c5f1d9933aa9b00689d04037a3ba79117e7 Mon Sep 17 00:00:00 2001 From: AlexKnauth Date: Thu, 25 Jan 2024 17:35:11 -0500 Subject: [PATCH 7/8] Mac std attach Module --- src/game_engine/unity/mono.rs | 162 ++++++++++++++++++++++++---------- 1 file changed, 115 insertions(+), 47 deletions(-) diff --git a/src/game_engine/unity/mono.rs b/src/game_engine/unity/mono.rs index 49bd62b..bdc57db 100644 --- a/src/game_engine/unity/mono.rs +++ b/src/game_engine/unity/mono.rs @@ -5,13 +5,19 @@ use crate::{ deep_pointer::DeepPointer, file_format::pe, future::retry, signature::Signature, string::ArrayCString, Address, Address32, Address64, Error, PointerSize, Process, }; +#[cfg(feature = "std")] +use crate::file_format::macho; use core::{array, cell::RefCell, iter}; #[cfg(all(debug_assertions, feature = "alloc"))] use alloc::collections::BTreeSet; +#[cfg(feature = "std")] +use alloc::vec::Vec; #[cfg(feature = "derive")] pub use asr_derive::MonoClass as Class; use bytemuck::CheckedBitPattern; +#[cfg(feature = "std")] +use std::{path::Path, fs::File, io, io::Read}; const CSTR: usize = 128; 
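Review bot: The pre-existing `_ => None` at the end of `Offsets::new` now also absorbs `(PointerSize::Bit32, BinaryFormat::MachO)` and every `PointerSize::Bit16` pairing, so adding a variant to either enum no longer produces a compile error pointing here; spelling the unsupported arms out (`(PointerSize::Bit32, BinaryFormat::MachO) => None,` under the same `#[cfg(feature = "std")]`, and `(PointerSize::Bit16, _) => None,`) keeps the match exhaustive by intent, as `SceneManager::attach` in PATCH 4 already does. In the V1 Mach-O table most fields are annotated `0x8 less than 64-bit PE V1`, but `monoclass_vtable_size: 0x18, // MonoVtable.data` breaks that pattern without saying where the value was taken from; a short note on its provenance would help whoever next validates these offsets. `Offsets::new` starts outside this hunk.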
@@ -38,39 +44,78 @@ impl Module { /// correct for this function to work. If you don't know the version in /// advance, use [`attach_auto_detect`](Self::attach_auto_detect) instead. pub fn attach(process: &Process, version: Version) -> Option { - let module = ["mono.dll", "mono-2.0-bdwgc.dll"] - .iter() - .find_map(|&name| process.get_module_address(name).ok())?; - - let pointer_size = match pe::MachineType::read(process, module)? { - pe::MachineType::X86_64 => PointerSize::Bit64, - _ => PointerSize::Bit32, + #[allow(unused)] + let (module_name, module_range, format) = [ + ("mono.dll", BinaryFormat::PE), + ("mono-2.0-bdwgc.dll", BinaryFormat::PE), + #[cfg(feature = "std")] + ("libmono.0.dylib", BinaryFormat::MachO), + #[cfg(feature = "std")] + ("libmonobdwgc-2.0.dylib", BinaryFormat::MachO) + ].into_iter() + .find_map(|(name, format)| Some((name, process.get_module_range(name).ok()?, format)))?; + + let module = module_range.0; + + let pointer_size = match format { + BinaryFormat::PE => { + match pe::MachineType::read(process, module)? { + pe::MachineType::X86_64 => PointerSize::Bit64, + _ => PointerSize::Bit32, + } + } + #[cfg(feature = "std")] + BinaryFormat::MachO => { + if macho::is_64_bit(process, macho::scan_macho_page(process, module_range)?)? { + PointerSize::Bit64 + } else { + PointerSize::Bit32 + } + } + }; + let offsets = Offsets::new(version, pointer_size, format)?; + + let mono_assembly_foreach_address = match format { + BinaryFormat::PE => { + pe::symbols(process, module) + .find(|symbol| { + symbol + .get_name::<25>(process) + .is_ok_and(|name| name.matches("mono_assembly_foreach")) + })? + .address + }, + #[cfg(feature = "std")] + BinaryFormat::MachO => { + let mono_module_path = process.get_module_path(module_name).ok()?; + let mono_module_bytes = file_read_all_bytes(mono_module_path).ok()?; + macho::get_function_address(process, module_range, &mono_module_bytes, b"_mono_assembly_foreach")? 
+ } }; - let offsets = Offsets::new(version, pointer_size, BinaryFormat::PE)?; - - let root_domain_function_address = pe::symbols(process, module) - .find(|symbol| { - symbol - .get_name::<25>(process) - .is_ok_and(|name| name.matches("mono_assembly_foreach")) - })? - .address; - - let assemblies_pointer: Address = match pointer_size { - PointerSize::Bit64 => { - const SIG_MONO_64: Signature<3> = Signature::new("48 8B 0D"); - let scan_address: Address = SIG_MONO_64 - .scan_process_range(process, (root_domain_function_address, 0x100))? + let assemblies_pointer: Address = match (pointer_size, format) { + (PointerSize::Bit64, BinaryFormat::PE) => { + const SIG_MONO_64_PE: Signature<3> = Signature::new("48 8B 0D"); + let scan_address: Address = SIG_MONO_64_PE + .scan_process_range(process, (mono_assembly_foreach_address, 0x100))? + 3; scan_address + 0x4 + process.read::(scan_address).ok()? - } - PointerSize::Bit32 => { + }, + #[cfg(feature = "std")] + (PointerSize::Bit64, BinaryFormat::MachO) => { + const SIG_MONO_64_MACHO: Signature<3> = Signature::new("48 8B 3D"); + // RIP-relative addressing + // 3 is the offset to the next thing after the signature + let scan_address = SIG_MONO_64_MACHO.scan_process_range(process, (mono_assembly_foreach_address, 0x100))? + 3; + // 4 is the offset to the next instruction after relative + scan_address + 0x4 + process.read::(scan_address).ok()? + }, + (PointerSize::Bit32, BinaryFormat::PE) => { const SIG_32_1: Signature<2> = Signature::new("FF 35"); const SIG_32_2: Signature<2> = Signature::new("8B 0D"); let ptr = [SIG_32_1, SIG_32_2].iter().find_map(|sig| { - sig.scan_process_range(process, (root_domain_function_address, 0x100)) + sig.scan_process_range(process, (mono_assembly_foreach_address, 0x100)) })? + 2; process.read::(ptr).ok()?.into() 
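Review bot: `#[allow(unused)]` on the `(module_name, module_range, format)` binding is needed only because `module_name` is read solely in the `#[cfg(feature = "std")]` arm, but the blanket allow also hides any future dead binding on that `let`; `#[cfg_attr(not(feature = "std"), allow(unused_variables))]` states the reason and suppresses nothing else. The comment `// 3 is the offset to the next thing after the signature` in the `SIG_MONO_64_MACHO` arm is vaguer than it needs to be: `48 8B 3D` is the encoding of `mov rdi, [rip+disp32]`, so `// 3 = opcode bytes of mov rdi,[rip+disp32] (48 8B 3D); disp32 is relative to the next instruction, hence the + 0x4` explains both the `+ 3` and the `+ 0x4`. The Mach-O arm also reads the entire mono dylib from disk via `file_read_all_bytes` on every `attach` call; if callers wrap `attach` in `retry` as the imports suggest, that is a repeated, potentially large read until the target has finished loading, which is worth caching or at least mentioning in the doc comment. The `attach` body continues past this hunk.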
@@ -1029,41 +1074,40 @@ fn detect_version(process: &Process) -> Option { if process.get_module_address("mono.dll").is_ok() { return Some(Version::V1); } + if process.get_module_address("libmono.0.dylib").is_ok() { + return Some(Version::V1); + } - let unity_module = { - let address = process.get_module_address("UnityPlayer.dll").ok()?; - let range = pe::read_size_of_image(process, address)? as u64; - (address, range) - }; + let unity_module = [ + ("UnityPlayer.dll", BinaryFormat::PE), + #[cfg(feature = "std")] + ("UnityPlayer.dylib", BinaryFormat::MachO) + ].into_iter().find_map(|(name, format)| { + match format { + BinaryFormat::PE => { + let address = process.get_module_address(name).ok()?; + let range = pe::read_size_of_image(process, address)? as u64; + Some((address, range)) + }, + #[cfg(feature = "std")] + BinaryFormat::MachO => process.get_module_range(name).ok() + } + })?; + // null "202" wildcard "." const SIG_202X: Signature<6> = Signature::new("00 32 30 32 ?? 2E"); let Some(addr) = SIG_202X.scan_process_range(process, unity_module) else { return Some(Version::V2); }; - const ZERO: u8 = b'0'; - const NINE: u8 = b'9'; - let version_string = process.read::<[u8; 6]>(addr + 1).ok()?; let (before, after) = version_string.split_at(version_string.iter().position(|&x| x == b'.')?); - let mut unity: u32 = 0; - for &val in before { - match val { - ZERO..=NINE => unity = unity * 10 + (val - ZERO) as u32, - _ => break, - } - } + let unity: u32 = ascii_read_u32(before); - let mut unity_minor: u32 = 0; - for &val in &after[1..] { - match val { - ZERO..=NINE => unity_minor = unity_minor * 10 + (val - ZERO) as u32, - _ => break, - } - } + let unity_minor: u32 = ascii_read_u32(&after[1..]); Some(if (unity == 2021 && unity_minor >= 2) || (unity > 2021) { Version::V3 
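Review bot: The new `libmono.0.dylib` probe at the top of `detect_version` is unconditional, while the `("UnityPlayer.dylib", BinaryFormat::MachO)` entry a few lines below is behind `#[cfg(feature = "std")]`, so a non-std build can report `Version::V1` for a Mac process that `Module::attach` in this same patch can never attach to. Either gate the probe the same way or add a comment stating that `detect_version` is intentionally format-agnostic, so the two pieces of gating read as a decision rather than an accident. `detect_version` ends outside this hunk.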
@@ -1071,3 +1115,27 @@ fn detect_version(process: &Process) -> Option { Version::V2 }) } + +fn ascii_read_u32(slice: &[u8]) -> u32 { + const ZERO: u8 = b'0'; + const NINE: u8 = b'9'; + + let mut result: u32 = 0; + for &val in slice { + match val { + ZERO..=NINE => result = result * 10 + (val - ZERO) as u32, + _ => break, + } + } + result +} + +// -------------------------------------------------------- + +#[cfg(feature = "std")] +fn file_read_all_bytes>(path: P) -> io::Result> { + let mut f = File::open(path)?; + let mut buffer: Vec = Vec::new(); + f.read_to_end(&mut buffer)?; + Ok(buffer) +} From c5a1b7c49cdf6f37d581ead4e4b829657feeeeec Mon Sep 17 00:00:00 2001 From: AlexKnauth Date: Fri, 26 Jan 2024 00:25:21 -0500 Subject: [PATCH 8/8] macho: is_64_bit -> pointer_size --- src/file_format/macho.rs | 8 ++++---- src/game_engine/unity/mono.rs | 8 +------- src/game_engine/unity/scene.rs | 8 +------- 3 files changed, 6 insertions(+), 18 deletions(-) diff --git a/src/file_format/macho.rs b/src/file_format/macho.rs index 1061956..0f6a7c0 100644 --- a/src/file_format/macho.rs +++ b/src/file_format/macho.rs @@ -1,6 +1,6 @@ //! Support for parsing MachO files -use crate::{Process, Address}; +use crate::{Address, PointerSize, Process}; use core::mem; @@ -61,11 +61,11 @@ pub fn scan_macho_page(process: &Process, range: (Address, u64)) -> Option Option { +pub fn pointer_size(process: &Process, address: Address) -> Option { let magic: u32 = process.read(address).ok()?; match magic { - MH_MAGIC_64 | MH_CIGAM_64 => Some(true), - MH_MAGIC_32 | MH_CIGAM_32 => Some(false), + MH_MAGIC_64 | MH_CIGAM_64 => Some(PointerSize::Bit64), + MH_MAGIC_32 | MH_CIGAM_32 => Some(PointerSize::Bit32), _ => None } } diff --git a/src/game_engine/unity/mono.rs b/src/game_engine/unity/mono.rs index bdc57db..e7d0309 100644 --- a/src/game_engine/unity/mono.rs +++ b/src/game_engine/unity/mono.rs 
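Review bot: `file_read_all_bytes` reimplements `std::fs::read`, which already opens the file, sizes the buffer from metadata and reads to end, so the Mach-O arm of `Module::attach` can call `std::fs::read(mono_module_path).ok()?` directly and the helper, its `// ----` separator and the `File`/`Read`/`Path` imports can be dropped. `ascii_read_u32` accumulates with unchecked `result * 10 + …`, which is fine for the 6-byte version string `detect_version` passes today but would panic in debug builds on a longer digit run; either use `checked_mul`/`checked_add` and `break` on overflow, or document the bound with `/// Parses the leading ASCII-digit prefix of `slice` (callers pass at most 6 bytes) and stops at the first non-digit.` so the contract is explicit.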
@@ -65,13 +65,7 @@ impl Module { } } #[cfg(feature = "std")] - BinaryFormat::MachO => { - if macho::is_64_bit(process, macho::scan_macho_page(process, module_range)?)? { - PointerSize::Bit64 - } else { - PointerSize::Bit32 - } - } + BinaryFormat::MachO => macho::pointer_size(process, macho::scan_macho_page(process, module_range)?)?, }; let offsets = Offsets::new(version, pointer_size, format)?; diff --git a/src/game_engine/unity/scene.rs b/src/game_engine/unity/scene.rs index 42668db..7474d25 100644 --- a/src/game_engine/unity/scene.rs +++ b/src/game_engine/unity/scene.rs @@ -48,13 +48,7 @@ impl SceneManager { _ => PointerSize::Bit32, } } - BinaryFormat::MachO => { - if macho::is_64_bit(process, macho::scan_macho_page(process, unity_player)?)? { - PointerSize::Bit64 - } else { - PointerSize::Bit32 - } - } + BinaryFormat::MachO => macho::pointer_size(process, macho::scan_macho_page(process, unity_player)?)?, }; let is_il2cpp = process.get_module_address("GameAssembly.dll").is_ok();