
0.3
xxzzddxzd committed Aug 23, 2023
1 parent 64da1f5 commit 660fb1f
Showing 8 changed files with 589 additions and 178 deletions.
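--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,3 @@
+
+LatestBuild
+.DS_Store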
6 changes: 2 additions & 4 deletions unitySpeedTools2020.xcodeproj/project.pbxproj
@@ -496,8 +496,7 @@
B1B0C23124519E0600F25F9D /* Debug */ = {
isa = XCBuildConfiguration;
buildSettings = {
CODE_SIGN_IDENTITY = x5code;
CODE_SIGN_STYLE = Manual;
CODE_SIGN_IDENTITY = "Apple Development: ZhengDa Xu (7B37679NQV)";
DYLIB_COMPATIBILITY_VERSION = 1;
DYLIB_CURRENT_VERSION = 1;
GCC_PRECOMPILE_PREFIX_HEADER = YES;
@@ -523,8 +522,7 @@
B1B0C23224519E0600F25F9D /* Release */ = {
isa = XCBuildConfiguration;
buildSettings = {
CODE_SIGN_IDENTITY = x5code;
CODE_SIGN_STYLE = Manual;
CODE_SIGN_IDENTITY = "Apple Development: ZhengDa Xu (7B37679NQV)";
DYLIB_COMPATIBILITY_VERSION = 1;
DYLIB_CURRENT_VERSION = 1;
GCC_PRECOMPILE_PREFIX_HEADER = YES;
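Review bot: Both the Debug and Release configurations now appear to pin `CODE_SIGN_IDENTITY` to one developer's named personal certificate, and the `CODE_SIGN_STYLE` line beside it seems to be gone on the new side. A personal identity in the shared project file fails signing for anyone else who builds the project, and it publishes the developer's name and certificate identifier in the repository history. Prefer the generic `CODE_SIGN_IDENTITY = "Apple Development";` or move the identity into an untracked `.xcconfig`, and keep `CODE_SIGN_STYLE` stated explicitly so the signing mode does not depend on Xcode defaults.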
Binary file not shown.
323 changes: 224 additions & 99 deletions unitySpeedTools2020/getU3dsystemfunc.mm
@@ -62,133 +62,258 @@ long doLoadFramework(){
mach_port_t *object_name
);

//static int getMap(void* dst, long* ad1, long *ad2){
// mach_port_t task;
// int rev = 0;
// vm_address_t region = (vm_address_t)dst;
// vm_size_t region_size = 0;
//// XLog(@"getMap dst %lx",dst)
//
//
// vm_region_basic_info_data_64_t info;
// mach_msg_type_number_t info_count = VM_REGION_BASIC_INFO_COUNT_64;
// vm_region_flavor_t flavor = VM_REGION_BASIC_INFO_64;
// if (mach_vm_region(mach_task_self(), &region, &region_size, flavor, (vm_region_info_t)&info, (mach_msg_type_number_t*)&info_count, (mach_port_t*)&task) != KERN_SUCCESS)
// {
// return rev;
// }
// else{
// rev = 64;
// }
//
// *ad1 =region;
// *ad2 =region + region_size;
//
// if (info.protection<1) {
// return 0;
// }
// XLog(@"getMap from %lx to %lx",region,region + region_size)
// return rev;
//}
//long dosearch(){
// long *ad1, *ad2;
// ad1 = (long*)malloc(sizeof(long));
// ad2 = (long*)malloc(sizeof(long));
// *ad2=doLoadFramework();
// /* 判断是否含有il2cpp_resolve_icall_0 函数*/
// void *il2cpp_resolve_icall_0 = MSFindSymbol(0,"_il2cpp_resolve_icall");
// if(il2cpp_resolve_icall_0){
//// il2cpp_resolve_icall位置需要跳转的位置
// XLog(@"*(int*)il2cpp_resolve_icall_0 %lx %lx ",il2cpp_resolve_icall_0,*(long*)il2cpp_resolve_icall_0 & 0xff000000)
//// 往下查找第一个b
// long baseaddr =(long)il2cpp_resolve_icall_0;
// int whilecount=0;
// while (*(long*)baseaddr & 0xff000000!=0x14000000 && whilecount <10) {
// whilecount+=1;
// baseaddr+=4;
// }
//// 计算偏移:取第一个b的相对位移,先取前3位,然后乘4
// long bsr=(long)(*(long*)baseaddr & 0xffffff )*4;
// XLog(@"baseaddr %lx:%lx,bsr:%lx",baseaddr,*(long*)baseaddr & 0xffffff ,bsr)
//// 加和
// long addrforil2cppresolveicall=bsr+(long)baseaddr;
// XLog(@"il2cpp_resolve_icall_0 %lx",addrforil2cppresolveicall);
// return addrforil2cppresolveicall;
// }
//
// /* 未找到il2cpp_resolve_icall_0 函数*/
// long rev=0;
// while (getMap((void*)(*ad2),ad1,ad2) != 0) {
// rev=searchintarget(*ad1,*ad2);
// if (rev!=0){
// break;
// }
// }
// return rev;
//}
static int getMap(void* dst, long* ad1, long *ad2){
mach_port_t task;
int rev = 0;
vm_address_t region = (vm_address_t)dst;
vm_size_t region_size = 0;
// XLog(@"getMap dst %lx",dst)


vm_region_basic_info_data_64_t info;
mach_msg_type_number_t info_count = VM_REGION_BASIC_INFO_COUNT_64;
vm_region_flavor_t flavor = VM_REGION_BASIC_INFO_64;
if (mach_vm_region(mach_task_self(), &region, &region_size, flavor, (vm_region_info_t)&info, (mach_msg_type_number_t*)&info_count, (mach_port_t*)&task) != KERN_SUCCESS)
kern_return_t kr = mach_vm_region(mach_task_self(), &region, &region_size, flavor, (vm_region_info_t)&info, (mach_msg_type_number_t*)&info_count, (mach_port_t*)&task);
if (kr != KERN_SUCCESS)
{
return rev;
}
else{
rev = 64;
return 0;
}

*ad1 =region;
*ad2 =region + region_size;
if (info.protection<1) {
*ad1 = region;
*ad2 = region + region_size;

if (info.protection < 1) {
return 0;
}
XLog(@"getMap from %lx to %lx",region,region + region_size)
return rev;
XLog(@"getMap from %lx to %lx", region, region + region_size)
return 64;
}
long dosearch(){
long *ad1, *ad2;
ad1 = (long*)malloc(sizeof(long));
ad2 = (long*)malloc(sizeof(long));
*ad2=doLoadFramework();
/* 判断是否含有il2cpp_resolve_icall_0 函数*/
void *il2cpp_resolve_icall_0 = MSFindSymbol(0,"_il2cpp_resolve_icall");
if(il2cpp_resolve_icall_0){
// il2cpp_resolve_icall位置需要跳转的位置
XLog(@"*(int*)il2cpp_resolve_icall_0 %lx %lx ",il2cpp_resolve_icall_0,*(long*)il2cpp_resolve_icall_0 & 0xff000000)
// 往下查找第一个b
long baseaddr =(long)il2cpp_resolve_icall_0;
int whilecount=0;
while (*(long*)baseaddr & 0xff000000!=0x14000000 && whilecount <10) {
whilecount+=1;
baseaddr+=4;
long dosearch() {
// 分配两个 long 类型指针变量 ad1 和 ad2 的内存空间,大小均为一个 long 类型的字节大小。
long *ad1 = (long*)malloc(sizeof(long));
long *ad2 = (long*)malloc(sizeof(long));
*ad2 = doLoadFramework();

// 判断是否含有 il2cpp_resolve_icall_0 函数
void *il2cpp_resolve_icall_0 = MSFindSymbol(0, "_il2cpp_resolve_icall");
if (il2cpp_resolve_icall_0) {
// il2cpp_resolve_icall 位置需要跳转的位置
XLog(@"*(int*)il2cpp_resolve_icall_0 %lx %lx ", il2cpp_resolve_icall_0, *(long*)il2cpp_resolve_icall_0 & 0xff000000);

// 往下查找第一个 0x14000000
long baseaddr = (long)il2cpp_resolve_icall_0;
for (int i = 0; i < 10; ++i) {
long value = *(long*)baseaddr;
if ((value & 0xff000000) == 0x14000000) {
long bsr = ((value & 0xffffff) << 2); // 计算偏移
long addrforil2cppresolveicall = baseaddr + bsr; // 加和
XLog(@"il2cpp_resolve_icall_0 %lx", addrforil2cppresolveicall);
return addrforil2cppresolveicall;
}
baseaddr += 4;
}
// 计算偏移:取第一个b的相对位移,先取前3位,然后乘4
long bsr=(long)(*(long*)baseaddr & 0xffffff )*4;
XLog(@"baseaddr %lx:%lx,bsr:%lx",baseaddr,*(long*)baseaddr & 0xffffff ,bsr)
// 加和
long addrforil2cppresolveicall=bsr+(long)baseaddr;
XLog(@"il2cpp_resolve_icall_0 %lx",addrforil2cppresolveicall);
return addrforil2cppresolveicall;
}

/* 未找到il2cpp_resolve_icall_0 函数*/
long rev=0;
while (getMap((void*)(*ad2),ad1,ad2) != 0) {
rev=searchintarget(*ad1,*ad2);
if (rev!=0){
// 未找到 il2cpp_resolve_icall_0 函数
long rev = 0;
while (getMap((void*)(*ad2), ad1, ad2) != 0) {
rev = searchintarget(*ad1, *ad2);
if (rev != 0) {
break;
}
}
return rev;
}
long searchintarget(long ad1,long ad2){
/* framework 类型的unity */
int target[]={0xFF03,0x02D1,0xF85F,0x04A9,0xF657,0x05A9,0xF44F,0x06A9,0xFD7B,0x07A9,0xFDC3,0x0191,0xF303,0x00AA,0xFFFF,0x02A9,0xFF13,0x00F9};
/* 普通类型的unity */
//long searchintarget(long ad1,long ad2){
// /* framework 类型的unity */
// int target[]={0xFF03,0x02D1,0xF85F,0x04A9,0xF657,0x05A9,0xF44F,0x06A9,0xFD7B,0x07A9,0xFDC3,0x0191,0xF303,0x00AA,0xFFFF,0x02A9,0xFF13,0x00F9};
// /* 普通类型的unity */
// int target1[] = {0xF657, 0xBDA9, 0xF44F, 0x01A9, 0xFD7B, 0x02A9, 0xFD83, 0x0091, 0xFF43, 0x01D1, 0xF403, 0x00AA, 0xFF7F, 0x04A9, 0xFF1F, 0x00F9};
// long now = (long)ad1;
// long end = (long)ad2;
// long rev = 0;
// long temprev = 0;
//
// XLog(@"\tnow 0x%lx-0x%lx ",now,end);
// unsigned long len = sizeof(target)/sizeof(int);
// int * bearray = (int*)malloc(sizeof(int)*len);
// for (int i=0;i<len;i++){
// *(bearray+i)=biglittlecover(target[i]);
// }
// XLog(@"start for framework version")
// while ((long)now<end-len*2){
// int index=0;
// while (1==cmpIndex(now, index,bearray)){
// index++;
// if (index==len){
// temprev = now;
// }
// }
// now+=1;
// }
// if(temprev!=0){
// rev = temprev;
// XLog(@"FOUND in %lx ",temprev );
// }else{
// XLog(@"start for normal version")
// now = (long)ad1;
// end = (long)ad2;
// rev = 0;
// temprev = 0;
// len = sizeof(target1)/sizeof(int);
// int *bearray1 = (int*)malloc(sizeof(int)*len);
// for (int i=0;i<len;i++){
// *(bearray1+i)=biglittlecover(target1[i]);
// }
// while ((long)now<end-len*2){
// int index=0;
// while (1==cmpIndex(now, index,bearray1)){
// index++;
// if (index==len){
// temprev = now;
// }
// }
// now+=1;
// }
// if(temprev!=0){
// rev = temprev;
// XLog(@"FOUND in %lx ",temprev );
// }
// else{
// XLog(@"FOUND end" );
// }
// }
// return rev;
//}

long searchintarget(long ad1, long ad2) {
// framework 类型的unity
int target[] = {0xFF03, 0x02D1, 0xF85F, 0x04A9, 0xF657, 0x05A9, 0xF44F, 0x06A9, 0xFD7B, 0x07A9, 0xFDC3, 0x0191, 0xF303, 0x00AA, 0xFFFF, 0x02A9, 0xFF13, 0x00F9};
// 普通类型的unity
int target1[] = {0xF657, 0xBDA9, 0xF44F, 0x01A9, 0xFD7B, 0x02A9, 0xFD83, 0x0091, 0xFF43, 0x01D1, 0xF403, 0x00AA, 0xFF7F, 0x04A9, 0xFF1F, 0x00F9};
long now = (long)ad1;
long end = (long)ad2;
long rev = 0;
long temprev = 0;

XLog(@"\tnow 0x%lx-0x%lx ",now,end);
unsigned long len = sizeof(target)/sizeof(int);
int * bearray = (int*)malloc(sizeof(int)*len);
for (int i=0;i<len;i++){
*(bearray+i)=biglittlecover(target[i]);
}
XLog(@"start for framework version")
while ((long)now<end-len*2){
int index=0;
while (1==cmpIndex(now, index,bearray)){
index++;
if (index==len){
temprev = now;
}

long now = ad1;
long end = ad2;
long rev = 0;
long temprev = 0;

XLog(@"\tnow 0x%lx-0x%lx ", now, end);

unsigned long len = sizeof(target) / sizeof(int);
int *bearray = (int*)malloc(sizeof(int) * len);
for (int i = 0; i < len; i++) {
*(bearray + i) = biglittlecover(target[i]);
}
XLog(@"start for framework version");
while (now < end - len * 2) {
int index = 0;
while (1 == cmpIndex(now, index, bearray)) {
index++;
if (index == len) {
temprev = now;
}
now+=1;
}
if(temprev!=0){
rev = temprev;
XLog(@"FOUND in %lx ",temprev );
}else{
XLog(@"start for normal version")
now = (long)ad1;
end = (long)ad2;
rev = 0;
temprev = 0;
len = sizeof(target1)/sizeof(int);
int *bearray1 = (int*)malloc(sizeof(int)*len);
for (int i=0;i<len;i++){
*(bearray1+i)=biglittlecover(target1[i]);
}
while ((long)now<end-len*2){
int index=0;
while (1==cmpIndex(now, index,bearray1)){
index++;
if (index==len){
temprev = now;
}
}
now+=1;
}
if(temprev!=0){
rev = temprev;
XLog(@"FOUND in %lx ",temprev );
}
else{
XLog(@"FOUND end" );
now += 1;
}
if (temprev != 0) {
rev = temprev;
XLog(@"FOUND in %lx ", temprev);
free(bearray);
return rev;
}

XLog(@"start for normal version");
now = ad1;
end = ad2;
rev = 0;
temprev = 0;
len = sizeof(target1) / sizeof(int);
int *bearray1 = (int*)malloc(sizeof(int) * len);
for (int i = 0; i < len; i++) {
*(bearray1 + i) = biglittlecover(target1[i]);
}
while (now < end - len * 2) {
int index = 0;
while (1 == cmpIndex(now, index, bearray1)) {
index++;
if (index == len) {
temprev = now;
}
}
return rev;
now += 1;
}
if (temprev != 0) {
rev = temprev;
XLog(@"FOUND in %lx ", temprev);
}
else {
XLog(@"FOUND end");
}
free(bearray);
free(bearray1);
return rev;
}


static int biglittlecover(int x){
// short int x;
unsigned char x0,x1;
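Review bot: In the new `searchintarget`, both inner `while (1 == cmpIndex(now, index, ...))` loops record a hit at `index == len` but keep iterating, so the next call passes `index == len`, one element past the `len`-entry buffer from `malloc`. `cmpIndex` is defined outside this hunk, so this is inferred, but if it indexes the pattern by `index` the result is a heap over-read; stopping at the match avoids it: `if (index == len) { temprev = now; break; }`. `getMap` rejects only `info.protection < 1`, which lets a region without read permission through to the byte scan; `if (!(info.protection & VM_PROT_READ)) return 0;` states the actual requirement. In `dosearch`, `ad1` and `ad2` are still unchecked `malloc` results that are never freed on either return path; plain locals (`long ad1 = 0, ad2 = doLoadFramework();` passed as `&ad1, &ad2`) would remove the leak.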
1 change: 1 addition & 0 deletions unitySpeedTools2020/spscapi.h
@@ -9,6 +9,7 @@ extern long (*x5TimeScalex64)(long,float);
extern long (*x5TimeManagerx64)(long);
extern long (*x5TimeManagerNew)();
void cspeed64();
void cspeed64_cocos2dx();
long ne_x5TimeScalex64(long x0,float x1);
long ne_x5TimeManagerx64(long r0);
long ne_x5TimeManagerNew();