0

As the title says, I need to know the size of a memory region so I can dump its contents. This is my first RE project so I don't know if what I'm trying to do makes sense, at least it does for me, correct me if I'm wrong.

What I'm trying to achieve is to dump a file after its decryption. I'm using Ghidra to do static analysis and Frida to interact with the binary at runtime. The file in question is a global-metadata.dat from a Unity project, I don't know if this is relevant.

So far I've located the point where the file is decrypted and I've dumped some bytes to make sure that it's what I'm looking for, it is. Now, the problem is that I want to dump the entire thing but I don't know the size. After the file decryption the entire thing is processed but I can't find anywhere in the program where the size is stored. Is this even stored anywhere?

How would you go about solving this problem? Should I change the approach?

Here is where I'm hooking with Frida:

    undefined8 metadataCache_initialize2(int *param_1, undefined4 *param_2)
    {
        longlong lVar1;
        longlong lVar2;

        // loads (and decrypts) global-metadata.dat; lVar1 points at the decrypted data
        lVar1 = metadataLoader_LoadMetadataFile("global-metadata.dat");
        DAT_18959b7a8 = lVar1;
        if (lVar1 == 0) {
            return 0;
        }
        // 32-bit header fields read from the decrypted data, each divided by an element size
        DAT_18959b580 = (int)((ulonglong)(longlong)*(int *)(lVar1 + 0xac) / 0x28);
        DAT_18959b7b0 = lVar1;
        *param_1 = DAT_18959b580;
        lVar2 = (longlong)DAT_18959b580;
        *param_2 = (int)((ulonglong)(longlong)*(int *)(lVar1 + 0xb4) >> 6);
        DAT_18959b588 = _calloc_base(lVar2, 0x18);
        DAT_18959b5a8 = _calloc_base((longlong)*(int *)(DAT_18959b7c0 + 0x30), 8);
        DAT_18959b5b0 = _calloc_base((ulonglong)(longlong)*(int *)(DAT_18959b7b0 + 0xa4) / 0x58, 8);
        DAT_18959b598 = _calloc_base((ulonglong)(longlong)*(int *)(DAT_18959b7b0 + 0x34) >> 5, 8);
        DAT_18959b590 = _calloc_base((longlong)*(int *)(DAT_18959b7c0 + 0x40), 8);
        FUN_1806b9e40(&LAB_1806b9850, &LAB_1806b9240);
        return 1;
    }

and in DAT_18959b7a8 is where the decrypted file is stored.

Let me know if more info is needed.

PS: Here is the call stack:

    undefined8 metadataLoader_LoadMetadataFile(char *filename)
    {
        undefined8 uVar1;

        uVar1 = FUN_180722ad0(0, 0);
        return uVar1;
    }

And here is the decryption function itself (I made it into a pastebin because it's very long): https://pastebin.com/7PyiA9Xz

3
  • Maybe it would be easier to hook the decryption function? This function is usually called multiple times to process the encrypted data and output the decrypted data in blocks of several KB or MB. Usually decryption functions need to know the size of the input data and return the size of the (decrypted) output data. That way you would get the data and the size, you just would have to make sure the data belongs to the decryption process you are interested in and then save the output data in onLeave to your file or using the Frida send method. Commented Jul 20 at 11:15
  • I couldn't find anything size related in the decryption function and it just returns a pointer to the decrypted data. I will update the post with more code snippets. Commented Jul 20 at 11:38
  • Often one of the arguments in block cipher functions is a pointer to a size value that acts as in/out argument: in onEnter the pointer points to the input size, in onLeave it points to the output size. Or if you hook the low-level block-cipher function the input/output size should be fixed (the cipher block size). Commented Jul 20 at 11:42
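Added example, not code from the post or from the comments: when the decryption routine gives back only a pointer, the decrypted buffer can still be measured from its own header, and the dump done from the loader hook the question already uses. It assumes the standard IL2CPP global-metadata.dat header layout (magic 0xFAB11BAF, int32 version, then (int32 offset, int32 size) pairs with the first section starting right after the header), which the post does not state, and uses a placeholder for the address of metadataLoader_LoadMetadataFile.

```javascript
// Added example, not from the post: work out the length of the decrypted
// global-metadata.dat from its own header, then dump exactly that many bytes.
// Assumed header layout (standard IL2CPP metadata, not stated in the post):
//   uint32 magic 0xFAB11BAF, int32 version, then (int32 offset, int32 size)
//   pairs, one per section, with the first section starting right after the
//   header. The file length is therefore max(offset + size) over the pairs.
const METADATA_MAGIC = 0xFAB11BAF;

function metadataExtent(headerBuf) {
  const v = new DataView(headerBuf);
  if (v.getUint32(0, true) !== METADATA_MAGIC) throw new Error('bad metadata magic');
  // The header length is not stored; the smallest section offset reveals it.
  let headerLen = v.getInt32(8, true);
  let end = 0;
  for (let pos = 8; pos + 8 <= headerLen && pos + 8 <= v.byteLength; pos += 8) {
    const off = v.getInt32(pos, true), size = v.getInt32(pos + 4, true);
    if (off < 0 || size < 0) throw new Error('negative section field at ' + pos);
    if (off > 0 && off < headerLen) headerLen = off;   // refine header boundary
    end = Math.max(end, off + size);
  }
  return { version: v.getInt32(4, true), headerLen: headerLen, totalSize: end };
}

// Constructed sample: two sections, 0x30 bytes at 0x18 and 0x28 bytes at 0x48.
function sampleHeader() {
  const buf = new ArrayBuffer(24), v = new DataView(buf);
  v.setUint32(0, METADATA_MAGIC, true);
  v.setInt32(4, 24, true);                       // version (constructed value)
  [[0x18, 0x30], [0x48, 0x28]].forEach(([off, size], i) => {
    v.setInt32(8 + i * 8, off, true);
    v.setInt32(12 + i * 8, size, true);
  });
  return buf;
}

// Frida side (runs only inside frida, skipped under node): hook the loader
// shown in the post and dump the buffer it returns. LOAD_METADATA_FILE is a
// placeholder for the runtime address of metadataLoader_LoadMetadataFile.
if (typeof Interceptor !== 'undefined') {
  const LOAD_METADATA_FILE = ptr('0x0'); // placeholder address, replace before use
  Interceptor.attach(LOAD_METADATA_FILE, {
    onLeave(retval) {
      if (retval.isNull()) return;
      const probe = retval.readByteArray(16);          // magic, version, first pair
      const headerLen = new DataView(probe).getInt32(8, true);
      const info = metadataExtent(retval.readByteArray(headerLen));
      send({ event: 'metadata', size: info.totalSize }, retval.readByteArray(info.totalSize));
    },
  });
}
```

On the host side, the `send` payload is received with the data as the second argument of the Python message handler, ready to be written to a file.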
