一淫半、目的

繼續(xù)前次的進程，我們本文的目的在于追溯mono_runtime_invoke() 的上層調(diào)用咬最，了解unity3d引擎如何調(diào)用自定義函數(shù)鞍时，如何生成和傳遞參數(shù)（method、obj和params）仔沿。

二坐桩、代碼

我們選取gamecontroller::update()這個第三方函數(shù)向上追溯

在靜態(tài)分析里是這樣的
<pre><code>
.text:00216858 ; =============== S U B R O U T I N E =======================================
.text:00216858
.text:00216858
.text:00216858 sub_216858 ; CODE XREF: sub_2D05BC+24?p
.text:00216858 ; sub_2D08B4+38?p
.text:00216858 STMFD SP!, {R4-R6,LR}
.text:0021685C MOV R4, R3
.text:00216860 LDR R3, [R0,#4]
.text:00216864 MOV R5, R1
.text:00216868 CMP R3, #0
.text:0021686C BEQ loc_216880 ; 賦予r6 method
.text:00216870 MOV R0, R5
.text:00216874 MOV R1, R4
.text:00216878 BLX R3
.text:0021687C LDMFD SP!, {R4-R6,PC}
.text:00216880 ; ---------------------------------------------------------------------------
.text:00216880
.text:00216880 loc_216880 ; CODE XREF: sub_216858+14?j
.text:00216880 LDR R6, [R0] ; 賦予r6 method
.text:00216884 MOV R0, R2
.text:00216888 BL sub_2D0008 ; 里面就是add r0,28
.text:0021688C MOV R2, R0 ; params數(shù)組的首地址
.text:00216890 MOV R0, R6 ; method
.text:00216894 MOV R1, R5 ; obj
.text:00216898 MOV R3, R4
.text:0021689C BL mono_runtime_invoke
.text:002168A0 LDMFD SP!, {R4-R6,PC}
.text:002168A0 ; End of function sub_216858
.text:002168A0
.text:002168A4
.text:002168A4 ; =============== S U B R O U T I N E =======================================
</code></pre>

<pre><code>
libunity.so:5CE8A6D8 runtime_invoke ; CODE XREF: libunity.so:ZSt13__adjust_heapIN9__gnu_cxx17__normal_iteratorIPiSt6vectorIiSaIiEEEEiiEvT_T0_S8_T1+20D4?p
libunity.so:5CE8A6D8 ADRL R12, 0x5D8BB6E0
libunity.so:5CE8A6E0 LDR PC, [R12,#(off_5D8BC190 - 0x5D8BB6E0)]!
libunity.so:5CE8A6E0 ; End of function runtime_invoke
</code></pre>
在靜態(tài)分析里是這樣的
<pre><code>
.plt:000576D8 mono_runtime_invoke ; CODE XREF: sub_200DEC+188?p
.plt:000576D8 ; sub_20436C+66C?p ...
.plt:000576D8 ADRL R12, 0xA886E0
.plt:000576E0 LDR PC, [R12,#(mono_runtime_invoke_ptr - 0xA886E0)]! ; __imp_mono_runtime_invoke
//實質(zhì)是讀取 [mono_runtime_invoke_ptr-a886e0+a886e0+模塊基址]這個內(nèi)存的值賦予pc，也就是mono_runtime_invoke函數(shù)的指針給了pc
</code></pre>

上2層
<pre><code>
.text:002D08B4 ; =============== S U B R O U T I N E =======================================
.text:002D08B4
.text:002D08B4
.text:002D08B4 sub_2D08B4 ; CODE XREF: sub_203704+16C?p
.text:002D08B4 ; DATA XREF: .data.rel.ro.local:00A6BE30?o
.text:002D08B4
.text:002D08B4 var_A0 = -0xA0
.text:002D08B4 var_98 = -0x98
.text:002D08B4 var_18 = -0x18
.text:002D08B4
.text:002D08B4 STMFD SP!, {R4-R6,LR}
.text:002D08B8 SUB SP, SP, #0x90
.text:002D08BC ADD R6, SP, #0xA0+var_98
.text:002D08C0 MOV R4, R1
.text:002D08C4 MOV R5, R0 ; r0 賦予r5 5DC2CAD0
.text:002D08C8 MOV R0, #0
.text:002D08CC STR R0, [R4]
.text:002D08D0 MOV R0, R6
.text:002D08D4 MOV R1, #0x7C
.text:002D08D8 MOV R2, #0
.text:002D08DC BL __aeabi_memset
.text:002D08E0 LDMIB R5, {R0,R1} ; method r0=[r5+4],r5=5dc2cad0 obj r1=[r5+8]
.text:002D08E4 MOV R2, R6
.text:002D08E8 MOV R3, R4
.text:002D08EC BL sub_216858 ; mono_runtime_invoke()的上2層
</code></pre>

上3層
<pre><code>
.text:002D088C ; =============== S U B R O U T I N E =======================================
.text:002D088C
.text:002D088C
.text:002D088C sub_2D088C ; CODE XREF: sub_203AAC+BC?p
.text:002D088C ; sub_203C44+B4?p ...
.text:002D088C
.text:002D088C var_C = -0xC
.text:002D088C
.text:002D088C STMFD SP!, {R11,LR}
.text:002D0890 SUB SP, SP, #8
.text:002D0894 MOV R1, #0
.text:002D0898 STR R1, [SP,#0x10+var_C]
.text:002D089C LDR R1, [R0]
.text:002D08A0 LDR R2, [R1]
.text:002D08A4 ADD R1, SP, #0x10+var_C
.text:002D08A8 BLX R2 ; r0=5dc2cad0,上3層,r2=5d1038b4
.text:002D08AC ADD SP, SP, #8
.text:002D08B0 LDMFD SP!, {R11,PC}
.text:002D08B0 ; End of function sub_2D088C
.text:002D08B0
.text:002D08B4
.text:002D08B4 ; =============== S U B R O U T I N E =======================================
</code></pre>

上4層
<pre><code>
.text:00203AAC ; =============== S U B R O U T I N E =======================================
.text:00203AAC
.text:00203AAC
.text:00203AAC sub_203AAC ; CODE XREF: sub_203B74+8?p
.text:00203AAC ; sub_203B84+8?p ...
.text:00203AAC
.text:00203AAC var_28 = -0x28
.text:00203AAC var_24 = -0x24
.text:00203AAC
.text:00203AAC STMFD SP!, {R4-R6,LR}
.text:00203AB0 SUB SP, SP, #0x20
.text:00203AB4 MOV R4, R0 ; 賦予r4
.text:00203AB8 MOV R5, R1
.text:00203ABC LDR R6, [R4,#0x14]
.text:00203AC0 CMP R6, #0
.text:00203AC4 BEQ loc_203B6C
.text:00203AC8 LDRB R0, [R4,#0x79]
.text:00203ACC CMP R0, #0
.text:00203AD0 BNE loc_203B14
.text:00203AD4 MOV R0, #1
.text:00203AD8 STRB R0, [R4,#0x79]
.text:00203ADC LDR R0, [R4,#0x2C]
.text:00203AE0 LDR R1, [R0,#0x2C]
.text:00203AE4 CMP R1, #0
.text:00203AE8 BEQ loc_203AFC
.text:00203AEC MOV R0, R4
.text:00203AF0 MOV R2, #0
.text:00203AF4 BL sub_204A68
.text:00203AF8 LDR R0, [R4,#0x2C]
.text:00203AFC
.text:00203AFC loc_203AFC ; CODE XREF: sub_203AAC+3C?j
.text:00203AFC LDR R1, [R0,#0x28]
.text:00203B00 CMP R1, #0
.text:00203B04 BEQ loc_203B14
.text:00203B08 MOV R0, R4
.text:00203B0C MOV R2, #0
.text:00203B10 BL sub_204A68
.text:00203B14
.text:00203B14 loc_203B14 ; CODE XREF: sub_203AAC+24?j
.text:00203B14 ; sub_203AAC+58?j
.text:00203B14 MOV R0, R6
.text:00203B18 BL sub_20F270
.text:00203B1C CMP R0, #0
.text:00203B20 BEQ loc_203B6C
.text:00203B24 LDR R0, [R4,#0x2C] ; 賦予r0=[r4+2c],method=[[[[[[[5E691810+10]+14]]+8]+2c]]]
.text:00203B28 LDR R5, [R0,R5,LSL#2] ; 賦予r5 60fdba30 將R0+R5*4地址處的數(shù)據(jù)讀出,保存到R5中,里面r5=0
.text:00203B28 ; r0=60fdc860
.text:00203B2C CMP R5, #0
.text:00203B30 BEQ loc_203B6C
.text:00203B34 MOV R0, R4
.text:00203B38 BL sub_EFC8C
.text:00203B3C CMP R0, #1
.text:00203B40 BNE loc_203B6C
.text:00203B44 MOV R6, SP ; 堆棧,sp賦予r6
.text:00203B48 MOV R1, R5 ; r5賦予r1
.text:00203B4C MOV R0, R6
.text:00203B50 BL sub_2D01E4 ; r1賦予[5dc2cad4]也就是[r6]和[sp]的值為60fdba30,其指向method update()
.text:00203B54 LDR R0, [R4,#4]
.text:00203B58 STR R0, [SP,#0x30+var_24] ; r0 賦予了[5dc2cad0+c]
.text:00203B5C LDR R0, [R4,#0x14] ; obj=[[[[[5E691810+10]+14]]+8]+14],
.text:00203B60 STR R0, [SP,#0x30+var_28] ; r0 賦予了[5dc2cad0+8],method=[[[[[[[5E691810+10]+14]]+8]+2c]]]
.text:00203B64 MOV R0, R6 ; r6賦予r0
.text:00203B68 BL sub_2D088C ; 上4層
.text:00203B6C
.text:00203B6C loc_203B6C ; CODE XREF: sub_203AAC+18?j
.text:00203B6C ; sub_203AAC+74?j ...
.text:00203B6C ADD SP, SP, #0x20
.text:00203B70 LDMFD SP!, {R4-R6,PC}
.text:00203B70 ; End of function sub_203AAC
.text:00203B70
.text:00203B74
.text:00203B74 ; =============== S U B R O U T I N E =======================================
</code></pre>
上5層
<pre><code>
.text:00203B74 ; =============== S U B R O U T I N E =======================================
.text:00203B74
.text:00203B74
.text:00203B74 sub_203B74 ; DATA XREF: .data.rel.ro:00A78114?o
.text:00203B74 STMFD SP!, {R11,LR}
.text:00203B78 MOV R1, #0
.text:00203B7C BL sub_203AAC ; 上5層
.text:00203B80 LDMFD SP!, {R11,PC}
.text:00203B80 ; End of function sub_203B74
.text:00203B80
.text:00203B84
.text:00203B84 ; =============== S U B R O U T I N E =======================================
</code></pre>
上6層 代碼片段
<pre><code>
.text:001EA614 loc_1EA614 ; CODE XREF: sub_1EA510+19C?j
.text:001EA614 LDR R0, [R0,#8] ; [[[[618C5648+8]+2c]]],賦予r0,原r0=618C5648
.text:001EA618 LDR R1, [R0]
.text:001EA61C LDR R1, [R1,#0x5C]
.text:001EA620 BLX R1 ; 上6層
</code></pre>
<pre><code>
.text:001EA590 LDR R0, [R4,#0x14] ; 賦予r0封锉，r4=61306770,[[[[[[61306770+14]]+8]+2c]]]
.text:001EA594 STR R5, [SP,#0x28+var_28]
.text:001EA598 STR R5, [SP,#0x28+var_24]
.text:001EA59C STR R0, [SP,#0x28+var_20]
.text:001EA5A0 STR R7, [SP,#0x28+var_1C]
.text:001EA5A4 LDR R1, [R0] ; 賦予r1 618C5648 r0=5E70F1D0,[[[[[5e70F1D0]+8]+2c]]]
.text:001EA5A8 STR R5, [R0]
.text:001EA5AC STR R1, [SP,#0x28+var_28] ; 賦予[sp]
</code></pre>
<pre><code>
.text:001EA518 MOV R5, R0 ; 賦予r5
.text:001EA51C ADD R6, R5, #8
.text:001EA520 LDR R4, [R5,#0x10] ; 賦予r4 61306770绵跷，r5=5e68fdc0,[[[[[[[5e68fdc0+10]+14]]+8]+2c]]]
</code></pre>

上7層
<pre><code>
.text:001EAB64 ; =============== S U B R O U T I N E =======================================
.text:001EAB64
.text:001EAB64
.text:001EAB64 sub_1EAB64 ; DATA XREF: .data.rel.ro.local:00A6BAB0?o
.text:001EAB64 STMFD SP!, {R11,LR}
.text:001EAB68 BL sub_1EA510 ; 上7層膘螟，r0=5e68fdc0,
.text:001EAB6C LDMFD SP!, {R11,PC}
.text:001EAB6C ; End of function sub_1EAB64
.text:001EAB6C
.text:001EAB70
.text:001EAB70 ; =============== S U B R O U T I N E =======================================
</code></pre>
上8層
<pre><code>
.text:0029FB5C BL sub_1E6FAC ; 修改了r0
.text:0029FB60 LDR R1, [R0]
.text:0029FB64 LDR R1, [R1,#8]
.text:0029FB68 BLX R1 ; 上8層,[[[[5e68fdc0+10]+14]]+8]+2c]]]
</code></pre>
源頭sub_1E6FAC
<pre><code>
.text:001E6FAC ; =============== S U B R O U T I N E =======================================
.text:001E6FAC
.text:001E6FAC ; r0=5d8bbf98-5d019fbc
.text:001E6FAC
.text:001E6FAC sub_1E6FAC ; CODE XREF: sub_205570+2C?p
.text:001E6FAC ; sub_29F368+7F4?p
.text:001E6FAC LDR R0, =0x8A1FDC
.text:001E6FB0 LDR R1, =sub_102A9C ; r0=5d8bbf98-5d019fbc,r1=0x102A9C
.text:001E6FB4 ADD R0, PC, R0 ; GLOBAL_OFFSET_TABLE ; 然后r0=GLOBAL_OFFSET_TABLE也就是5d8bbf98
.text:001E6FB8 LDR R0, [R1,R0] ; unk_B8BA34 ; 最后r0= [global_offset_table+偏移r1=5D9BEA34]指向的數(shù)值，
.text:001E6FBC BX LR
.text:001E6FBC ; End of function sub_1E6FAC
.text:001E6FBC
.text:001E6FBC ; ---------------------------------------------------------------------------
.text:001E6FC0 dword_1E6FC0 DCD 0x8A1FDC ; DATA XREF: sub_1E6FAC?r
.text:001E6FC4 off_1E6FC4 DCD sub_102A9C ; DATA XREF: sub_1E6FAC+4?r
.text:001E6FC8
.text:001E6FC8 ; =============== S U B R O U T I N E =======================================
</code></pre>