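/*
 * Dump the decrypted global-metadata.dat of a Unity (IL2CPP) app from process memory.
 * github: https://github.com/350030173/global-metadata_dump
 *
 * Usage:
 *   frida -U -l global-metadata_dump.js packagename
 *
 * The dump is written to /data/data/<packagename>/global-metadata.dat
 *
 * This runs inside the Frida agent: Module, NativeFunction, Memory, Process,
 * hexdump, File and Java are Frida runtime globals.
 */

'use strict';

// Byte signature the scan looks for at the start of global-metadata.dat.
const pattern = 'AF 1B B1 FA 18';

// open(2) flags and buffer size used when reading /proc/self/cmdline.
const O_RDONLY = 0;
const CMDLINE_BUFFER_SIZE = 0x1000;

// Legacy sentinel returned when the process name cannot be read. Callers must
// check for it before building a filesystem path from the result.
const UNKNOWN_PROCESS_NAME = '-1';

/**
 * Reads the package name of the current process from /proc/self/cmdline.
 * Based on https://github.com/lasting-yang/frida_dump/blob/master/dump_dex_class.js
 *
 * @returns {string} argv[0] of the process (the package name on Android), or
 *   UNKNOWN_PROCESS_NAME ('-1') when the file cannot be opened or read.
 */
function get_self_process_name() {
  const open = new NativeFunction(Module.getExportByName('libc.so', 'open'), 'int', ['pointer', 'int']);
  const read = new NativeFunction(Module.getExportByName('libc.so', 'read'), 'int', ['int', 'pointer', 'int']);
  const close = new NativeFunction(Module.getExportByName('libc.so', 'close'), 'int', ['int']);

  const path = Memory.allocUtf8String('/proc/self/cmdline');
  const fd = open(path, O_RDONLY);
  if (fd === -1) {
    return UNKNOWN_PROCESS_NAME;
  }
  try {
    const buffer = Memory.alloc(CMDLINE_BUFFER_SIZE);
    const bytesRead = read(fd, buffer, CMDLINE_BUFFER_SIZE);
    if (bytesRead <= 0) {
      // Nothing was read: do not hand back whatever the buffer happens to contain.
      return UNKNOWN_PROCESS_NAME;
    }
    // cmdline is NUL-separated, so reading it as a C string yields the first
    // entry (argv[0]). Bounding by bytesRead keeps the read inside the buffer
    // even when no terminating NUL was written.
    return buffer.readCString(bytesRead);
  } finally {
    // Release the descriptor on every path, including a failed read.
    close(fd);
  }
}

/**
 * Computes the size of the metadata blob from its header.
 *
 * Two (offset, count) pairs are read: 0x108/0x10C first, then 0x100/0x104 as a
 * fallback when the first count is below 10. The size is offset + count. This
 * heuristic is carried over unchanged from the original script, which only notes
 * that the second pair is to be used when the first one does not work.
 * NOTE(review): confirm the computed size against the target before trusting it.
 *
 * @param {NativePointer} address - Start of the metadata header in memory.
 * @returns {number} Computed size in bytes; may be <= 0 when the header is not
 *   what was expected, which the caller must check.
 */
function readMetadataSize(address) {
  // NativePointer.add keeps the arithmetic on the pointer itself instead of
  // round-tripping through parseInt(), which cannot represent every 64-bit address.
  let definitionsOffset = address.add(0x108).readInt();
  let definitionsCount = address.add(0x10C).readInt();
  if (definitionsCount < 10) {
    definitionsOffset = address.add(0x100).readInt();
    definitionsCount = address.add(0x104).readInt();
  }
  return definitionsOffset + definitionsCount;
}

/**
 * Writes `size` bytes starting at `address` to `outputPath`.
 *
 * @param {NativePointer} address - Start of the metadata in memory.
 * @param {number} size - Number of bytes to copy.
 * @param {string} outputPath - Destination file, opened in 'wb' mode.
 */
function writeMetadataFile(address, size, outputPath) {
  const file = new File(outputPath, 'wb');
  try {
    file.write(address.readByteArray(size));
    file.flush();
  } finally {
    // Close even if readByteArray()/write() throws so the handle is not leaked.
    file.close();
  }
}

/**
 * Scans every readable range of the process for the header signature and dumps
 * each match to /data/data/<package>/global-metadata.dat. A later match
 * overwrites an earlier one, as in the original script.
 *
 * @throws {Error} when the package name cannot be read from /proc/self/cmdline,
 *   so nothing is ever written to a bogus "/data/data/-1/..." path.
 */
function frida_Memory() {
  // Java.perform is kept from the original script; the scan itself only
  // touches native memory.
  Java.perform(() => {
    console.log(`头部标识:${pattern}`);

    // Resolve the name once instead of on every match.
    const processName = get_self_process_name();
    if (processName === UNKNOWN_PROCESS_NAME) {
      throw new Error('could not read package name from /proc/self/cmdline');
    }
    const outputPath = `/data/data/${processName}/global-metadata.dat`;

    for (const range of Process.enumerateRanges('r--')) {
      Memory.scan(range.base, range.size, pattern, {
        onMatch(address) {
          console.log(`搜索到 ${pattern} 地址是:${address}`);
          console.log(hexdump(address, { offset: 0, length: 0x110, header: true, ansi: true }));

          const metadataSize = readMetadataSize(address);
          console.log('大小:', metadataSize);
          if (metadataSize <= 0) {
            // A non-positive size means the header was not what was expected;
            // reading that many bytes would fail, so skip this match.
            console.log('invalid size, skipping this match');
            return;
          }

          writeMetadataFile(address, metadataSize, outputPath);
          console.log(`路径:${outputPath}`);
          console.log('导出完毕...');
        },
        onError(reason) {
          // Surface scan failures instead of losing them silently.
          console.log(`scan error: ${reason}`);
        },
        onComplete() {
          // Intentionally quiet: one message per range would flood the console.
        },
      });
    }
  });
}

setImmediate(frida_Memory);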