This is the code rewritten in Python 3 from the original code of esterTion's PHP version
Gen Proto BanG Dream
| from struct import unpack | |
| import re | |
| import sys | |
| dumpcs = open('dump.cs').read() | |
| prog = open('libil2cpp.so', 'rb') | |
| definedClass = [] | |
| targetClass = sys.argv[1] #'SuiteMasterGetResponse' # change to get different classes | |
| outputPath = './jp/{}.proto'.format(targetClass) | |
| outputFile = open(outputPath, 'w') | |
| # write first line | |
| outputFile.write('syntax = "proto2";\n') | |
| typeMap = { | |
| 'uint': 'uint32', | |
| 'string': 'string', | |
| 'ulong': 'uint32', | |
| 'float': 'float', | |
| 'int': 'int32', | |
| 'double': 'double', | |
| 'bool': 'bool', | |
| 'long': 'int32' | |
| } | |
| def getTag(address): | |
| offset = address & 0xFFFFFFFF | |
| prog.seek(offset) | |
| inst = prog.read(4) | |
| inst = int.from_bytes(inst, byteorder='little', signed=False) | |
| if inst == 0xe5900004: #0x080440f9: | |
| prog.seek(offset + 4) | |
| return int.from_bytes(prog.read(2), 'little', signed=False) & 0xfff | |
| elif inst == 0xe92d4c10: | |
| prog.seek(offset + 12) | |
| return int.from_bytes(prog.read(2), 'little', signed=False) & 0xfff | |
| else: | |
| print(hex(inst), hex(address)) | |
| return readInst(inst) | |
| def readInst(inst): | |
| chk = inst & 0x6f800000 | |
| if chk == 0x42800000: | |
| imme = (inst & 0x1fffe0) >> 5 | |
| dest = inst & 0x1f | |
| return imme | |
| elif chk == 0x22000000: | |
| N = (inst & 0x400000) != 0 | |
| immr = (inst & 0x3f0000) >> 16 | |
| imms = (inst & 0xfc00) >> 10 | |
| dest = inst & 0x1f | |
| if N: | |
| size = 64 | |
| else: | |
| size = 32 | |
| mask = 0x20 | |
| while size > 1: | |
| if (imms & mask) == 0: | |
| break | |
| size /= 2 | |
| mask /= 2 | |
| S = imms + 1 | |
| pattern = int((('1' * S).ljust(size, '0')) * (32 / size)) | |
| imme = rotate(pattern, immr) | |
| return imme | |
| else: | |
| print('Not found inst=' + inst) | |
| def rotate(pattern, rotate): | |
| result = pattern | |
| while rotate > 0: | |
| low = result & 1 | |
| result >>= 1 | |
| rotate -= 1 | |
| if low == 1: | |
| result |= 0x80000000 | |
| return result | |
| def writeMessage(target, message): | |
| outputFile.write('message {} {{\n'.format(target)) | |
| for item, info in message.items(): | |
| typ = info[0] | |
| if type(info[1]).__name__ == 'str': | |
| tag = getTag(int(info[1], 16)) | |
| if tag == 0xf4b: | |
| tag = 0x12c | |
| else: | |
| tag = info[1] | |
| hint = info[2] | |
| comment = info[3] | |
| if hint == 'map': | |
| outputFile.write(' {}{} {} = {}; // {}\n'.format(hint, typ, item, tag, comment)) | |
| else: | |
| outputFile.write(' {} {} {} = {}; // {}\n'.format(hint, typ, item, tag, comment)) | |
| outputFile.write('}\n') | |
| def readClass(level, target): | |
| try: | |
| definedClass.index(target) | |
| shownClass = True | |
| except ValueError: | |
| definedClass.append(target) | |
| shownClass = False | |
| message = {} | |
| classDef = re.search('\[ProtoContractAttribute\].*?\n.*?class ' + target + ' [^\{\}]*?\{((.*\n)*?)?\s+(//\s+Properties(.*\n)*?)?\s+(//\s+Methods(.*\n)*?)?\}\s*?', dumpcs) | |
| if not classDef: | |
| print('{} not found'.format(target)) | |
| else: | |
| propList = re.findall('(\[ProtoMemberAttribute\] // 0x([0-9A-F]+)\n \w+ ([^\ \<]+(\<(.*?)\>)?) ([^\ ;]+))', classDef[0]) | |
| for prop in propList: | |
| typ = jumpTyp(level, prop[2], prop[5]) | |
| message[typ[0]] = [typ[1], prop[1], typ[2], typ[3]] | |
| if not shownClass: | |
| print('{} \n'.format(target)) | |
| writeMessage(target, message) | |
| def jumpTyp(level, typ, name): | |
| if typ[-2:] == '[]': | |
| sub = jumpTyp(level + 2, typ[0:-2], 'entry') | |
| return [name, sub[1], 'repeated', 'array'] | |
| elif typ[0:11] == 'Dictionary`': | |
| subType = re.search('<(\w+), (\w+)>', typ) | |
| readClass(level + 1, subType[2]) | |
| # prefix = '{}_{}'.format(subType[1], subType[2]) | |
| # try: | |
| # definedClass.index(prefix) | |
| # shownClass = True | |
| # except ValueError: | |
| # definedClass.append(prefix) | |
| # shownClass = False | |
| # message = {} | |
| # sub = jumpTyp(level + 1, subType[1], '{}_key'.format(prefix)) | |
| # message[sub[0]] = [sub[1], 1, sub[2], sub[3]] | |
| # sub = jumpTyp(level + 1, subType[2], '{}_value'.format(prefix)) | |
| # message[sub[0]] = [sub[1], 2, sub[2], sub[3]] | |
| # if not shownClass: | |
| # writeMessage(prefix, message) | |
| return [name, '<{}, {}>'.format(typeMap.get(subType[1], subType[1]), typeMap.get(subType[2], subType[2])), 'map', 'dictionary'] | |
| elif typ[0:5] == 'List`': | |
| subType = re.search('<(\w+)>', typ) | |
| sub = jumpTyp(level + 1, subType[1], 'entry') | |
| return [name, sub[1], 'repeated', 'list'] | |
| elif typ[0:9] == 'Nullable`': | |
| subType = re.search('<(\w+)>', typ) | |
| sub = jumpTyp(level, subType[1], name) | |
| sub[3] = 'nullable' | |
| return sub | |
| else: | |
| expectTyp = ['uint','string','ulong','float','int','double', 'bool','long'] | |
| try: | |
| expectTyp.index(typ) | |
| isType = True | |
| except ValueError: | |
| expectTyp.append(typ) | |
| isType = False | |
| if isType: | |
| return [name, typeMap[typ], 'optional', 'normal type'] | |
| else: | |
| readClass(level + 1, typ) | |
| return [name, typ, 'optional', 'sub class'] | |
| readClass(0, targetClass) |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
esterTion
commented
Sep 18, 2018
•
|
Great analyze & rewrite! Just found the article from googling. .text:01BD5348 sub_1BD5348
.text:01BD5348 LDR R0, [R0,#4]
.text:01BD534C MOV R1, #1 ; tag id
.text:01BD5350 MOV R2, #0
.text:01BD5354 LDR R0, [R0]
.text:01BD5358 B ProtoMemberAttribute$$.ctor
.text:01BD5358 ; End of function sub_1BD5348compared to ios arm64 __text:0000000101320B5C sub_101320B5C ; DATA XREF: __const:000000010256B948↓o
__text:0000000101320B5C LDR X8, [X0,#8]
__text:0000000101320B60 LDR X0, [X8]
__text:0000000101320B64 MOV W1, #1 ; tag id
__text:0000000101320B68 MOV X2, #0
__text:0000000101320B6C B ProtoMemberAttribute$$.ctor
__text:0000000101320B6C ; End of function sub_101320B5CAnd .text:01BAD68C sub_1BAD68C
.text:01BAD68C STMFD SP!, {R4,R10,R11,LR}
.text:01BAD690 ADD R11, SP, #8
.text:01BAD694 LDR R0, [R0,#4]
.text:01BAD698 MOV R1, #4 ; tag id
.text:01BAD69C MOV R2, #0
.text:01BAD6A0 LDR R4, [R0]
.text:01BAD6A4 MOV R0, R4
.text:01BAD6A8 BL ProtoMemberAttribute$$.ctor
.text:01BAD6AC MOV R0, R4
.text:01BAD6B0 MOV R1, #1
.text:01BAD6B4 MOV R2, #0
.text:01BAD6B8 LDMFD SP!, {R4,R10,R11,LR}
.text:01BAD6BC B ProtoMemberAttribute$$set_IsRequired
.text:01BAD6BC ; End of function sub_1BAD68Ccompared to ios arm64 __text:00000001012DC8B8 sub_1012DC8B8 ; DATA XREF: __const:0000000102557B50↓o
__text:00000001012DC8B8 STP X20, X19, [SP,#-0x10+var_10]!
__text:00000001012DC8BC STP X29, X30, [SP,#0x10+var_s0]
__text:00000001012DC8C0 ADD X29, SP, #0x10
__text:00000001012DC8C4 LDR X8, [X0,#8]
__text:00000001012DC8C8 LDR X19, [X8]
__text:00000001012DC8CC MOV W1, #3 ; tag id
__text:00000001012DC8D0 MOV X0, X19
__text:00000001012DC8D4 MOV X2, #0
__text:00000001012DC8D8 BL ProtoMemberAttribute$$.ctor
__text:00000001012DC8DC MOV W1, #1
__text:00000001012DC8E0 MOV X0, X19
__text:00000001012DC8E4 MOV X2, #0
__text:00000001012DC8E8 LDP X29, X30, [SP,#0x10+var_s0]
__text:00000001012DC8EC LDP X20, X19, [SP+0x10+var_10],#0x20
__text:00000001012DC8F0 B ProtoMemberAttribute$$set_IsRequired
__text:00000001012DC8F0 ; End of function sub_1012DC8B8Also, about that 300(0x12c) encoding problem, it's because how arm encode immediate values. For this 300 encoding case, which last 12 bits are (I actually found this article when I was searching for arm64 immediate value, but this doesn't help me as it's complete different encoding system from armv7, so I managed to found this) And another thing, I didn't know about the |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
dnaroma
Oct 11, 2018
@esterTion I'm glad to hear from you!
I didn't do much analyse of the arm code, just wondering how can I made a quick adaption. Thanks for your reply, now I know why the tag id is there and how to get them from the rotated value.
For the map syntax, it is a new syntax for proto2. It can make the decoded file somehow cleaner. Your code is amazing, don't bother to change it :-P
|
@esterTion I'm glad to hear from you! I didn't do much analyse of the arm code, just wondering how can I made a quick adaption. Thanks for your reply, now I know why the tag id is there and how to get them from the rotated value. For the |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Great analyze & rewrite! Just found the article from googling.
And yes my code is dealing with ARM64 MachO binary, for android arm elf binary, I just dropped an so into ida.
04 00 90 E5function looks ascompared to ios arm64
And
10 4C 2D E9function looks ascompared to ios arm64
Also, about that 300(0x12c) encoding problem, it's because how arm encode immediate values.
Found in this article, those 12 bits are not just straight up immediate values, but encoded with 4 bit rotation and 8 bit value.
For this 300 encoding case, which last 12 bits are
1111 0100 1011, which means00000000 00000000 00000000 01001011rotate to the right0xf * 2times, or to the left 2 times, and becomes00000000 00000000 00000001 00101100, and that is exactly 0x12c(300).(I actually found this article when I was searching for arm64 immediate value, but this doesn't help me as it's complete different encoding system from armv7, so I managed to found this)
And another thing, I didn't know about the
mapsyntax in proto, that's pretty new to me, otherwise I wouldn't split dict like that. But changing it seems like would make my current code a lot messier (which is already a mess), so I decided not to bother with it :P.