作者:小白 ???? | 日期:2026-03-29本文首发于CSDN/看雪论坛,转载请注明出处
在移动游戏开发领域,Cocos2d-x 作为一款成熟的开源游戏引擎,被广泛应用于各类手游开发。然而,随着游戏安全需求的提升,对 Cocos2d-x 游戏的逆向分析也成为了安全研究人员和游戏开发者关注的重点。本文将深入剖析一个实际的 Cocos2d-x iOS 游戏逆向案例,分享完整的技术细节和实战经验。
通过静态分析和动态调试,我们识别出以下技术栈:
我们开发了一个全面的 Frida 逆向分析工具,整体架构如下:
Lua脚本拦截 :
JavaScript脚本拦截 :
在开发过程中,我们遇到了多个技术挑战并进行了优化:
问题 :原始实现中遍历所有模块导出和ObjC类,导致Frida超时。
解决方案 :
问题 :尝试Hook数据符号地址导致崩溃。
解决方案 :
问题 :直接传递JS字符串给ObjC方法导致类型不匹配。
解决方案 :
为了提供更稳定的游戏数据监控,我们开发了原生iOS Tweak,将关键功能从Frida脚本迁移到原生代码中。
通过我们的工具,成功捕获了以下关键脚本:
通过分析捕获的脚本,我们还原了游戏的架构:
我们的工具能够实时监控游戏状态:
难点 :Cocos2d-x支持多种脚本引擎(Lua、JavaScriptCore、SpiderMonkey)。
解决方案 :
难点 :游戏脚本可能被加密或混淆。
解决方案 :
难点 :Hook过多影响游戏性能,Hook过少无法获取足够信息。
解决方案 :
通过我们的工具,可以深入分析游戏的核心逻辑:
基于我们的逆向经验,为游戏开发者提供以下防护建议:
通过本次逆向分析实战,我们取得了以下成果:
我们计划将核心工具开源,包括:
感谢以下开源项目和工具的支持:
版权声明 :本文仅供技术学习和研究使用,请勿用于非法用途。任何商业使用需获得原作者授权。
作者 :小白 ????联系方式 :通过技术论坛私信联系发布日期 :2026年3月29日更新日志 :
graph TD
A[Cocos2d-x游戏引擎] --> B[JavaScriptCore脚本引擎]
A --> C[OpenGL ES图形渲染]
B --> D[JSC字节码预编译]
B --> E[明文JS脚本]
F[游戏逻辑] --> G[房间管理]
F --> H[牌局处理]
F --> I[用户交互]
haoyousai.app/
├── haoyousai
├── Frameworks/
├── script/
├── src/
├── res/
├── project.json
├── project.manifest
└── main.js
class Cocos2dxFridaToolkit {
- Helper Functions
- Configuration Manager
- Logger System
- Cocos2 dxDetector
- ScriptEngineDetector
- LuaScriptAnalyzer
- JSScriptAnalyzer
- CocosGameAnalyzer
- InputOutputMonitor
- PerformanceProfiler
- ToolkitController
- RPC Exports
}
class Cocos2dxDetector {
detectLuaEngine (const exports = ['luaL_loadbuffer' , 'lua_pcall' , 'lua_getglobal' ];
return this .findExportsInMainModule (exports );
}
detectJavaScriptCore (const exports = ['JSEvaluateScript' , 'JSObjectCallAsFunction' ];
return this .findExportsInMainModule (exports );
}
detectSpiderMonkey (const exports = ['JS_EvaluateScript' , 'JS_ExecuteScript' ];
return this .findExportsInMainModule (exports );
}
detectCocosBindings (const patterns = ['jsb_' , 'cocos2d::' , 'ScriptingCore::' ];
return this .searchExportsByPattern (patterns);
}
}
class LuaScriptAnalyzer {
hookLuaFunctions (Interceptor .attach (Module .findExportByName (null , 'luaL_loadbuffer' ), {
onEnter : function (args ) {
const buffer = args[1 ];
const size = args[2 ];
const chunkname = args[3 ];
this .scriptData = Memory .readByteArray (buffer, size);
this .scriptName = Memory .readUtf8String (chunkname);
},
onLeave : function (retval ) {
if (this .scriptData ) {
this .saveLuaScript (this .scriptName , this .scriptData );
}
}
});
}
}
class JSScriptAnalyzer {
hookJavaScriptCore (Interceptor .attach (Module .findExportByName ('JavaScriptCore' , 'JSEvaluateScript' ), {
onEnter : function (args ) {
const script = args[1 ];
const sourceURL = args[3 ];
const scriptStr = this .readJSString (script);
const urlStr = this .readJSString (sourceURL);
this .analyzeJSScript (scriptStr, urlStr);
}
});
}
readJSString (jsStringRef ) {
const size = this .JSStringGetMaximumUTF 8CStringSize(jsStringRef);
const buffer = Memory .alloc (size);
this .JSStringGetUTF 8CString(jsStringRef, buffer, size);
return buffer.readUtf8String ();
}
}
Process .enumerateModules ().forEach (module =>module .enumerateExports ().forEach (export =>const mainModule = Process .enumerateModules ()[0 ];
mainModule.enumerateExports ().forEach (export =>const maxHooksPerCategory = CONFIG .maxHooksPerCategory || 50 ;
let hookCount = 0 ;
for (let className in ObjC .classes ) {
if (hookCount >= maxHooksPerCategory) break ;
hookCount++;
}
function isExecutableAddress (address ) {
const range = Process .findRangeByAddress (address);
return range && range.protection .includes ('x' );
}
function safeAttach (address, callbacks ) {
if (!isExecutableAddress (address)) {
logger.warn (`地址 ${address} 不可执行,跳过Hook` );
return null ;
}
return Interceptor .attach (address, callbacks);
}
function nsStr (jsString ) {
return ObjC .classes .NSString .stringWithUTF8String_ (jsString);
}
function createDir (path ) {
const fileManager = ObjC .classes .NSFileManager .defaultManager ();
const nsPath = nsStr (path);
const errorPtr = Memory .alloc (Process .pointerSize );
return fileManager.createDirectoryAtPath_withIntermediateDirectories_attributes_error_ (
nsPath,
1 ,
NULL ,
errorPtr
);
}
// CardRecorder.mm 核心代码分析
// 1. JavaScriptCore C-API Hook
__attribute__((constructor))
static void CardRecorderInit(void) {
// 加载JavaScriptCore框架
void *jscHandle = dlopen("/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore", RTLD_NOW);
// 获取JSEvaluateScript函数指针
JSEvaluateScript_t orig_JSEvaluateScript =
(JSEvaluateScript_t)dlsym(jscHandle, "JSEvaluateScript");
// 使用MSHookFunction进行Hook
MSHookFunction(
(void *)orig_JSEvaluateScript,
(void *)hook_JSEvaluateScript,
(void **)&orig_JSEvaluateScript
);
}
// 2. Hook函数实现
static JSValueRef hook_JSEvaluateScript(
JSContextRef ctx,
JSStringRef script,
JSObjectRef thisObject,
JSStringRef sourceURL,
int startingLineNumber,
JSValueRef *exception)
{
// 捕获JSContext
if (ctx && !g_jsCtx) {
g_jsCtx = ctx;
NSLog(@"[CardRecorder] 捕获JSContext: %p", ctx);
}
// 检测游戏脚本
if (!g_injected && script) {
size_t maxSize = JSStringGetMaximumUTF8CStringSize(script);
if (maxSize > 5000) { // 只处理大型脚本
char *buffer = (char *)malloc(maxSize);
JSStringGetUTF8CString(script, buffer, maxSize);
// 检测关键词"setRoomData"
if (strstr(buffer, "setRoomData") != NULL) {
NSLog(@"[CardRecorder] 检测到游戏脚本,准备注入监控代码");
injectCardMonitor(ctx);
}
free(buffer);
}
}
// 调用原始函数
return orig_JSEvaluateScript(ctx, script, thisObject, sourceURL, startingLineNumber, exception);
}
// 3. 监控代码注入
static void injectCardMonitor(JSContextRef ctx) {
const char *monitorJS =
"(function(){"
" if(window.__cardHookInstalled) return;"
" window.__cardHookInstalled = true;"
" setInterval(function(){"
" try {"
" if(!iGame || !iGame.Data || !iGame.Data.roomData) return;"
" var selfSeat = iGame.Data.getSelfSeatNo ? iGame.Data.getSelfSeatNo() : 0;"
" var players = iGame.Data.roomData.players;"
" var result = {self_seat: selfSeat, my_hold: [], players: []};"
" players.forEach(function(p){"
" if(p.seat_no === selfSeat){"
" result.my_hold = (p.hold || []).filter(c => c > 0);"
" }"
" result.players.push({"
" seat: p.seat_no,"
" out: p.out || [],"
" kou: p.kou || []"
" });"
" });"
" window.__cardData = JSON.stringify(result);"
" } catch(e){}"
" }, 1000);"
"})();";
// 在游戏JSContext中执行监控代码
JSStringRef jsStr = JSStringCreateWithUTF8CString(monitorJS);
JSValueRef exception = NULL;
JSEvaluateScript(ctx, jsStr, NULL, NULL, 0, &exception);
JSStringRelease(jsStr);
}
// 定时数据采集
static void startCardPolling(void) {
dispatch_source_t timer = dispatch_source_create(
DISPATCH_SOURCE_TYPE_TIMER, 0, 0, g_queue);
dispatch_source_set_timer(timer,
dispatch_time(DISPATCH_TIME_NOW, 1 * NSEC_PER_SEC),
1 * NSEC_PER_SEC, 0);
dispatch_source_set_event_handler(timer, ^{
if (!g_jsCtx || !g_injected) return;
// 读取游戏数据
NSString *cardData = evalInGameJS(g_jsCtx, "window.__cardData || \"\"");
if (cardData && ![cardData isEqualToString:g_lastCardData]) {
g_lastCardData = cardData;
// 保存到文件
[self appendCardLog:cardData];
}
});
dispatch_resume(timer);
}
// 文件存储
- (void)appendCardLog:(NSString *)json {
NSString *docPath = NSSearchPathForDirectoriesInDomains(
NSDocumentDirectory, NSUserDomainMask, YES).firstObject;
NSString *logPath = [docPath stringByAppendingPathComponent:@"card_log.json"];
NSFileManager *fm = [NSFileManager defaultManager];
if (![fm fileExistsAtPath:logPath]) {
[fm createFileAtPath:logPath contents:nil attributes:nil];
}
NSFileHandle *fh = [NSFileHandle fileHandleForWritingAtPath:logPath];
[fh seekToEndOfFile];
[fh writeData:[[json stringByAppendingString:@"\n"] dataUsingEncoding:NSUTF8StringEncoding]];
[fh closeFile];
}
scripts/
├── G212.jsc_1774770976633.bin
├── G30.jsc_1774770909867.bin
├── SYG30.jsc_1774770968778.bin
└── SYHall.jsc_1774770963515.bin
scripts/
├── js_1774770963709.js
├── js_1774770976843.js
├── js_1774770968967.js
└── 多个小型配置脚本 (88B-2KB)
window .iGame = {
Data : {
roomData : {
players : [{
seat_no : number,
hold : number[],
out : number[],
kou : number[]
}],
room_id : string,
game_type : number
},
getSelfSeatNo : function (return number;
},
setRoomData : function (data ) {
}
},
UI : {
},
Network : {
}
};
{
"timestamp" : "2026-03-29T21:00:00Z" ,
"self_seat" : 1 ,
"my_hold" : [ 11 , 12 , 13 , 14 , 15 ] ,
"players" : [
{
"seat" : 1 ,
"out" : [ 21 , 22 ] ,
"kou" : [ ]
} ,
{
"seat" : 2 ,
"out" : [ 31 ] ,
"kou" : [ 41 , 42 ]
} ,
{
"seat" : 3 ,
"out" : [ ] ,
"kou" : [ 51 ]
} ,
{
"seat" : 4 ,
"out" : [ 61 , 62 , 63 ] ,
"kou" : [ ]
}
]
}
class ScriptEngineDetector {
detectAllEngines (const engines = [];
if (this .detectLuaEngine ()) {
engines.push ({ type : 'lua' , version : this .getLuaVersion () });
}
if (this .detectJavaScriptCore ()) {
engines.push ({ type : 'javascriptcore' , version : this .getJSCVersion () });
}
if (this .detectSpiderMonkey ()) {
engines.push ({ type : 'spidermonkey' , version : this .getSMVersion () });
}
return engines;
}
}
class ScriptDecryptor {
decryptScript (encryptedData, encryptionType ) {
switch (encryptionType) {
case 'xor' :
return this .xorDecrypt (encryptedData, this .findXorKey ());
case 'base64' :
return this .base64Decode (encryptedData);
case 'custom' :
return this .customDecrypt (encryptedData);
default :
return encryptedData;
}
}
xorDecrypt (data, key ) {
const decrypted = [];
for (let i = 0 ; i < data.length ; i++) {
decrypted.push (data[i] ^ key[i % key.length ]);
}
return Buffer .from (decrypted);
}
findXorKey (const commonPatterns = [
[0x73 , 0x63 , 0x72 , 0x69 , 0x70 , 0x74 ],
[0x67 , 0x61 , 0x6D , 0x65 ],
[0x63 , 0x6F , 0x63 , 0x6F , 0x73 ]
];
for (const pattern of commonPatterns) {
if (this .testXorKey (pattern)) {
return pattern;
}
}
return this .dynamicFindXorKey ();
}
}
[培训]《冰与火的战歌:Windows内核攻防实战》!从零到实战,融合AI与Windows内核攻防全技术栈,打造具备自动化能力的内核开发高手。
