
I'm practicing reverse engineering on an il2cpp Unity project.

Things I've done:

  • got the APK
  • used Apktool to extract the files
  • opened libunity.so with Ghidra (IDA works too)

And I found a weird block of instructions like:

        004ac818 f4 0f 1e f8     str        x20,[sp, #local_20]!
        004ac81c f3 7b 01 a9     stp        x19,x30,[sp, #local_10]
        004ac820 e1 03 1f 2a     mov        w1,wzr
        004ac824 77 b5 00 94     bl         FUN_004d9e00                                    

I followed `bl FUN_004d9e00` and found:

FUN_004d9e00

        004d9e00 6e              ??         6Eh    n
        004d9e01 97              ??         97h
        004d9e02 85              ??         85h
        004d9e03 60              ??         60h    `
        004d9e04 6d              ??         6Dh    m

But here is the thing: the instructions in FUN_004d9e00 are not valid ones. How can libunity.so still work properly?

ratsafalig
  • Is that memory populated later? Look for other references to that address. – Carcigenicate Jun 11 '21 at 16:02
  • I am totally new to this area. Did you suggest there is a way to override existing code at runtime, or what? – ratsafalig Jun 11 '21 at 16:08
  • My RE experience is with Malware Analysis, not legitimate software, but when I saw a region of memory being called, and the region of memory held garbage, it could be found somewhere else in the code where the memory of the function was populated at runtime. Yes, some other code **might** be writing to that memory after the code starts running. Check if the region of memory holding the function is writable. – Carcigenicate Jun 11 '21 at 16:11
  • I can't remember the shortcut in Ghidra, but ask it to find references to the `004d9e00` address. Unless that address is calculated at runtime, you may be able to find where the writing happens. – Carcigenicate Jun 11 '21 at 16:13
  • Thanks a lot, it is most likely done so because I'm trying to practice this on an il2cpp Unity project that has been obfuscated. By the way, it is nothing illegal, it is just homework that someone gave me, and the software was developed by him – ratsafalig Jun 11 '21 at 16:17
  • Sorry to bother, but is there any technique that can notify me when a specific address is modified? – ratsafalig Jun 11 '21 at 16:20
  • You would use a write breakpoint in a debugger. I can't remember if Ghidra has a debugger built-in, but OllyDbg allows Write Breakpoints. I'm not sure you'd be able to use that for Android code though, since you need to run the code. There may be an Android Debugger that allows this? – Carcigenicate Jun 11 '21 at 16:22
  • Thanks I'll try!! – ratsafalig Jun 11 '21 at 16:23

1 Answer


Perhaps there is a relocation symbol for address 0x004ac824? In that case the linker would modify the instruction when libunity.so is loaded, and it would end up calling a different address (maybe in a different shared library).

apt1002
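Both the comment suggesting to check whether the region holding the function is writable and the answer suggesting a relocation at 0x004ac824 can be checked statically from the ELF file itself. The script below is an added example written for this page (it is not code from the question, the answer, or Unity); it parses the ELF64 program headers to report the permission flags of the PT_LOAD segment that maps an address, and walks every SHT_RELA section to list dynamic relocations whose target falls inside a given 4-byte instruction. The `build_sample_so()` helper constructs a tiny stand-in image in memory, with the addresses from the question placed into a read+execute text segment and a single constructed R_AARCH64_RELATIVE entry pointing at the `bl`, so the example runs offline; replace it with `open("libunity.so", "rb").read()` to inspect a real library.

```python
"""Inspect an ELF64 shared object: is an address in a writable segment, and does
any dynamic relocation patch it? Added example; the sample image is constructed."""
import struct

PT_LOAD, PF_X, PF_W, PF_R = 1, 1, 2, 4
SHT_RELA, SHF_ALLOC = 4, 2
ET_DYN, EM_AARCH64 = 3, 183
# AArch64 dynamic relocation types from the Arm 64-bit ELF ABI
RELOC_NAMES = {257: "R_AARCH64_ABS64", 1025: "R_AARCH64_GLOB_DAT",
               1026: "R_AARCH64_JUMP_SLOT", 1027: "R_AARCH64_RELATIVE"}

EHDR = "16sHHIQQQIHHHHHH"   # Elf64_Ehdr, 64 bytes
PHDR = "IIQQQQQQ"           # Elf64_Phdr, 56 bytes
SHDR = "IIQQQQIIQQ"         # Elf64_Shdr, 64 bytes
RELA = "QQq"                # Elf64_Rela, 24 bytes


def _endian(data):
    """Return the struct byte-order prefix for an ELF64 image (EI_DATA)."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("expected an ELF64 image")
    return "<" if data[5] == 1 else ">"


def load_segments(data):
    """All PT_LOAD program headers as (vaddr, memsz, flags) tuples."""
    e = _endian(data)
    hdr = struct.unpack_from(e + EHDR, data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    segs = []
    for i in range(phnum):
        p_type, p_flags, _off, p_vaddr, _pa, _fsz, p_memsz, _al = \
            struct.unpack_from(e + PHDR, data, phoff + i * phentsize)
        if p_type == PT_LOAD:
            segs.append((p_vaddr, p_memsz, p_flags))
    return segs


def segment_flags(data, vaddr):
    """PF_* flags of the PT_LOAD segment mapping vaddr, or None if unmapped."""
    for start, size, flags in load_segments(data):
        if start <= vaddr < start + size:
            return flags
    return None


def is_writable(data, vaddr):
    """True if vaddr lives in a segment the loader maps writable (PF_W)."""
    flags = segment_flags(data, vaddr)
    return flags is not None and bool(flags & PF_W)


def dynamic_relocs(data):
    """Yield (r_offset, type_name, sym_index, addend) for every SHT_RELA entry."""
    e = _endian(data)
    hdr = struct.unpack_from(e + EHDR, data, 0)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    for i in range(shnum):
        sh = struct.unpack_from(e + SHDR, data, shoff + i * shentsize)
        sh_type, sh_offset, sh_size, sh_entsize = sh[1], sh[4], sh[5], sh[9]
        if sh_type != SHT_RELA:
            continue
        for off in range(sh_offset, sh_offset + sh_size, sh_entsize):
            r_offset, r_info, r_addend = struct.unpack_from(e + RELA, data, off)
            r_type, r_sym = r_info & 0xFFFFFFFF, r_info >> 32   # ELF64_R_TYPE / ELF64_R_SYM
            yield r_offset, RELOC_NAMES.get(r_type, f"type_{r_type}"), r_sym, r_addend


def relocs_covering(data, vaddr, length=4):
    """Relocations whose target lies inside [vaddr, vaddr+length), e.g. one A64 instruction."""
    return [r for r in dynamic_relocs(data) if vaddr <= r[0] < vaddr + length]


def build_sample_so():
    """Constructed ELF64/AArch64 image (NOT a real libunity.so): an R+X text segment,
    an R+W data segment, and a .rela.dyn with one entry aimed at the bl at 0x4ac824."""
    e = "<"
    rela = struct.pack(e + RELA, 0x4AC824, 1027, 0x4D9E00)              # constructed RELATIVE
    rela += struct.pack(e + RELA, 0x600010, (5 << 32) | 1026, 0)        # constructed JUMP_SLOT, sym 5
    phdrs = struct.pack(e + PHDR, PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000, 0x100000, 0x100000, 0x1000)
    phdrs += struct.pack(e + PHDR, PT_LOAD, PF_R | PF_W, 0, 0x600000, 0x600000, 0x1000, 0x1000, 0x1000)
    phoff = 64
    rela_off = phoff + len(phdrs)
    shoff = rela_off + len(rela)
    shdrs = struct.pack(e + SHDR, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)         # SHN_UNDEF null header
    shdrs += struct.pack(e + SHDR, 0, SHT_RELA, SHF_ALLOC, 0x400200, rela_off, len(rela), 0, 0, 8, 24)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)                 # ELF64, little-endian, v1
    ehdr = struct.pack(e + EHDR, ident, ET_DYN, EM_AARCH64, 1, 0, phoff, shoff, 0,
                       64, 56, 2, 64, 2, 0)
    return ehdr + phdrs + rela + shdrs


def report(data, vaddr):
    """Human-readable summary for one address: segment permissions and relocations."""
    flags = segment_flags(data, vaddr)
    perm = "unmapped" if flags is None else "".join(
        c for bit, c in ((PF_R, "r"), (PF_W, "w"), (PF_X, "x")) if flags & bit)
    lines = [f"{vaddr:#010x}: segment perms {perm}"]
    for r_off, name, sym, addend in relocs_covering(data, vaddr):
        lines.append(f"  reloc {name} at {r_off:#x} sym={sym} addend={addend:#x}")
    return "\n".join(lines)


if __name__ == "__main__":
    img = build_sample_so()
    for addr in (0x4AC824, 0x4D9E00, 0x600010):
        print(report(img, addr))
```

Two caveats when pointing this at a real Android library: if the section headers were stripped, walk PT_DYNAMIC (DT_RELA/DT_RELASZ) instead of SHT_RELA, and Android toolchains often emit packed relocations (APS2 or RELR) rather than a plain .rela.dyn, which `llvm-readelf -r` decodes but this minimal parser does not. A read-only text segment only tells you the loader will not leave it writable; code that calls `mprotect` at runtime can still change that, which is what a write watchpoint in a debugger would catch.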