/*
|
Desc: 一个可以运行时 Hook Mono 方法的工具,让你可以无需修改 UnityEditor.dll 等文件就可以重写其函数功能
|
Author: Misaka Mikoto
|
Github: https://github.com/Misaka-Mikoto-Tech/MonoHook
|
*/
|
|
using DotNetDetour;
|
using System;
|
using System.Diagnostics;
|
using System.Reflection;
|
using System.Runtime.InteropServices;
|
using Unity.Collections.LowLevel.Unsafe;
|
#if UNITY_EDITOR
|
using UnityEditor;
|
#endif
|
using UnityEngine;
|
using System.Runtime.CompilerServices;
|
|
|
/*
|
>>>>>>> 原始 UnityEditor.LogEntries.Clear 一型(.net 4.x)
|
0000000000403A00 < | 55 | push rbp |
|
0000000000403A01 | 48 8B EC | mov rbp,rsp |
|
0000000000403A04 | 48 81 EC 80 00 00 00 | sub rsp,80 |
|
0000000000403A0B | 48 89 65 B0 | mov qword ptr ss:[rbp-50],rsp |
|
0000000000403A0F | 48 89 6D A8 | mov qword ptr ss:[rbp-58],rbp |
|
0000000000403A13 | 48 89 5D C8 | mov qword ptr ss:[rbp-38],rbx | <<
|
0000000000403A17 | 48 89 75 D0 | mov qword ptr ss:[rbp-30],rsi |
|
0000000000403A1B | 48 89 7D D8 | mov qword ptr ss:[rbp-28],rdi |
|
0000000000403A1F | 4C 89 65 E0 | mov qword ptr ss:[rbp-20],r12 |
|
0000000000403A23 | 4C 89 6D E8 | mov qword ptr ss:[rbp-18],r13 |
|
0000000000403A27 | 4C 89 75 F0 | mov qword ptr ss:[rbp-10],r14 |
|
0000000000403A2B | 4C 89 7D F8 | mov qword ptr ss:[rbp-8],r15 |
|
0000000000403A2F | 49 BB 00 2D 1E 1A FE 7F 00 00 | mov r11,7FFE1A1E2D00 |
|
0000000000403A39 | 4C 89 5D B8 | mov qword ptr ss:[rbp-48],r11 |
|
0000000000403A3D | 49 BB 08 2D 1E 1A FE 7F 00 00 | mov r11,7FFE1A1E2D08 |
|
|
|
>>>>>>> 二型(.net 2.x)
|
0000000000403E8F | 55 | push rbp |
|
0000000000403E90 | 48 8B EC | mov rbp,rsp |
|
0000000000403E93 | 48 83 EC 70 | sub rsp,70 |
|
0000000000403E97 | 48 89 65 C8 | mov qword ptr ss:[rbp-38],rsp |
|
0000000000403E9B | 48 89 5D B8 | mov qword ptr ss:[rbp-48],rbx |
|
0000000000403E9F | 48 89 6D C0 | mov qword ptr ss:[rbp-40],rbp | <<(16)
|
0000000000403EA3 | 48 89 75 F8 | mov qword ptr ss:[rbp-8],rsi |
|
0000000000403EA7 | 48 89 7D F0 | mov qword ptr ss:[rbp-10],rdi |
|
0000000000403EAB | 4C 89 65 D0 | mov qword ptr ss:[rbp-30],r12 |
|
0000000000403EAF | 4C 89 6D D8 | mov qword ptr ss:[rbp-28],r13 |
|
0000000000403EB3 | 4C 89 75 E0 | mov qword ptr ss:[rbp-20],r14 |
|
0000000000403EB7 | 4C 89 7D E8 | mov qword ptr ss:[rbp-18],r15 |
|
0000000000403EBB | 48 83 EC 20 | sub rsp,20 |
|
0000000000403EBF | 49 BB 18 3F 15 13 FE 7F 00 00 | mov r11,7FFE13153F18 |
|
0000000000403EC9 | 41 FF D3 | call r11 |
|
0000000000403ECC | 48 83 C4 20 | add rsp,20 |
|
|
>>>>>>>>> arm64
|
il2cpp:00000000003DE714 F5 0F 1D F8 STR X21, [SP,#-0x10+var_20]! | << absolute safe
|
il2cpp:00000000003DE718 F4 4F 01 A9 STP X20, X19, [SP,#0x20+var_10] | << may be safe
|
il2cpp:00000000003DE71C FD 7B 02 A9 STP X29, X30, [SP,#0x20+var_s0] |
|
il2cpp:00000000003DE720 FD 83 00 91 ADD X29, SP, #0x20 |
|
il2cpp:00000000003DE724 B5 30 00 B0 ADRP X21, #_ZZ62GameObject_SetActive_mCF1EEF2A314F3AE | << dangerous: relative instruction, can not be overwritten
|
il2cpp:00000000003DE728 A2 56 47 F9 LDR method, [X21,#_ZZ62GameObject_SetActive_mCF] ; |
|
il2cpp:00000000003DE72C F3 03 01 2A MOV W19, W1 |
|
*/
|
|
namespace MonoHook
|
{
|
/// <summary>
|
/// Hook 类,用来 Hook 某个 C# 方法
|
/// </summary>
|
public unsafe class MethodHook
|
{
|
public string tag;
|
public bool isHooked { get; private set; }
|
public bool isPlayModeHook { get; private set; }
|
|
public MethodBase targetMethod { get; private set; } // 需要被hook的目标方法
|
public MethodBase replacementMethod { get; private set; } // 被hook后的替代方法
|
public MethodBase proxyMethod { get; private set; } // 目标方法的代理方法(可以通过此方法调用被hook后的原方法)
|
|
private IntPtr _targetPtr; // 目标方法被 jit 后的地址指针
|
private IntPtr _replacementPtr;
|
private IntPtr _proxyPtr;
|
|
private CodePatcher _codePatcher;
|
|
#if UNITY_EDITOR && !UNITY_2020_3_OR_NEWER
|
/// <summary>
|
/// call `MethodInfo.MethodHandle.GetFunctionPointer()`
|
/// will visit static class `UnityEditor.IMGUI.Controls.TreeViewGUI.Styles` and invoke its static constructor,
|
/// and init static filed `foldout`, but `GUISKin.current` is null now,
|
/// so we should wait until `GUISKin.current` has a valid value
|
/// </summary>
|
private static FieldInfo s_fi_GUISkin_current;
|
#endif
|
|
static MethodHook()
|
{
|
#if UNITY_EDITOR && !UNITY_2020_3_OR_NEWER
|
s_fi_GUISkin_current = typeof(GUISkin).GetField("current", BindingFlags.Static | BindingFlags.NonPublic);
|
#endif
|
}
|
|
/// <summary>
|
/// 创建一个 Hook
|
/// </summary>
|
/// <param name="targetMethod">需要替换的目标方法</param>
|
/// <param name="replacementMethod">准备好的替换方法</param>
|
/// <param name="proxyMethod">如果还需要调用原始目标方法,可以通过此参数的方法调用,如果不需要可以填 null</param>
|
public MethodHook(MethodBase targetMethod, MethodBase replacementMethod, MethodBase proxyMethod, string data = "")
|
{
|
this.targetMethod = targetMethod;
|
this.replacementMethod = replacementMethod;
|
this.proxyMethod = proxyMethod;
|
this.tag = data;
|
|
CheckMethod();
|
}
|
|
public void Install()
|
{
|
if (LDasm.IsiOS()) // iOS 不支持修改 code 所在区域 page
|
return;
|
|
if (isHooked)
|
return;
|
|
#if UNITY_EDITOR && !UNITY_2020_3_OR_NEWER
|
if (s_fi_GUISkin_current.GetValue(null) != null)
|
DoInstall();
|
else
|
EditorApplication.update += OnEditorUpdate;
|
#else
|
DoInstall();
|
#endif
|
isPlayModeHook = Application.isPlaying;
|
}
|
|
public void Uninstall()
|
{
|
if (!isHooked)
|
return;
|
|
_codePatcher.RemovePatch();
|
|
isHooked = false;
|
HookPool.RemoveHooker(targetMethod);
|
}
|
|
#region private
|
private void DoInstall()
|
{
|
if (targetMethod == null || replacementMethod == null)
|
throw new Exception("none of methods targetMethod or replacementMethod can be null");
|
|
HookPool.AddHook(targetMethod, this);
|
|
if (_codePatcher == null)
|
{
|
if (GetFunctionAddr())
|
{
|
#if ENABLE_HOOK_DEBUG
|
UnityEngine.Debug.Log($"Original [{targetMethod.DeclaringType.Name}.{targetMethod.Name}]: {HookUtils.HexToString(_targetPtr.ToPointer(), 64, -16)}");
|
UnityEngine.Debug.Log($"Original [{replacementMethod.DeclaringType.Name}.{replacementMethod.Name}]: {HookUtils.HexToString(_replacementPtr.ToPointer(), 64, -16)}");
|
if(proxyMethod != null)
|
UnityEngine.Debug.Log($"Original [{proxyMethod.DeclaringType.Name}.{proxyMethod.Name}]: {HookUtils.HexToString(_proxyPtr.ToPointer(), 64, -16)}");
|
#endif
|
|
CreateCodePatcher();
|
_codePatcher.ApplyPatch();
|
|
#if ENABLE_HOOK_DEBUG
|
UnityEngine.Debug.Log($"New [{targetMethod.DeclaringType.Name}.{targetMethod.Name}]: {HookUtils.HexToString(_targetPtr.ToPointer(), 64, -16)}");
|
UnityEngine.Debug.Log($"New [{replacementMethod.DeclaringType.Name}.{replacementMethod.Name}]: {HookUtils.HexToString(_replacementPtr.ToPointer(), 64, -16)}");
|
if(proxyMethod != null)
|
UnityEngine.Debug.Log($"New [{proxyMethod.DeclaringType.Name}.{proxyMethod.Name}]: {HookUtils.HexToString(_proxyPtr.ToPointer(), 64, -16)}");
|
#endif
|
}
|
}
|
|
isHooked = true;
|
}
|
|
private void CheckMethod()
|
{
|
if (targetMethod == null || replacementMethod == null)
|
throw new Exception("MethodHook:targetMethod and replacementMethod and proxyMethod can not be null");
|
|
string methodName = $"{targetMethod.DeclaringType.Name}.{targetMethod.Name}";
|
if (targetMethod.IsAbstract)
|
throw new Exception($"WRANING: you can not hook abstract method [{methodName}]");
|
|
#if UNITY_EDITOR && !UNITY_2020_3_OR_NEWER
|
int minMethodBodySize = 10;
|
|
{
|
if ((targetMethod.MethodImplementationFlags & MethodImplAttributes.InternalCall) != MethodImplAttributes.InternalCall)
|
{
|
int codeSize = targetMethod.GetMethodBody().GetILAsByteArray().Length; // GetMethodBody can not call on il2cpp
|
if (codeSize < minMethodBodySize)
|
UnityEngine.Debug.LogWarning($"WRANING: you can not hook method [{methodName}], cause its method body is too short({codeSize}), will random crash on IL2CPP release mode");
|
}
|
}
|
|
if(proxyMethod != null)
|
{
|
methodName = $"{proxyMethod.DeclaringType.Name}.{proxyMethod.Name}";
|
int codeSize = proxyMethod.GetMethodBody().GetILAsByteArray().Length;
|
if (codeSize < minMethodBodySize)
|
UnityEngine.Debug.LogWarning($"WRANING: size of method body[{methodName}] is too short({codeSize}), will random crash on IL2CPP release mode, please fill some dummy code inside");
|
|
if ((proxyMethod.MethodImplementationFlags & MethodImplAttributes.NoOptimization) != MethodImplAttributes.NoOptimization)
|
throw new Exception($"WRANING: method [{methodName}] must has a Attribute `MethodImpl(MethodImplOptions.NoOptimization)` to prevent code call to this optimized by compiler(pass args by shared stack)");
|
}
|
#endif
|
}
|
|
private void CreateCodePatcher()
|
{
|
long addrOffset = Math.Abs(_targetPtr.ToInt64() - _proxyPtr.ToInt64());
|
|
if(_proxyPtr != IntPtr.Zero)
|
addrOffset = Math.Max(addrOffset, Math.Abs(_targetPtr.ToInt64() - _proxyPtr.ToInt64()));
|
|
if (LDasm.IsARM())
|
{
|
if (IntPtr.Size == 8)
|
_codePatcher = new CodePatcher_arm64_near(_targetPtr, _replacementPtr, _proxyPtr);
|
else if (addrOffset < ((1 << 25) - 1))
|
_codePatcher = new CodePatcher_arm32_near(_targetPtr, _replacementPtr, _proxyPtr);
|
else if (addrOffset < ((1 << 27) - 1))
|
_codePatcher = new CodePatcher_arm32_far(_targetPtr, _replacementPtr, _proxyPtr);
|
else
|
throw new Exception("address of target method and replacement method are too far, can not hook");
|
}
|
else
|
{
|
if (IntPtr.Size == 8)
|
{
|
if(addrOffset < 0x7fffffff) // 2G
|
_codePatcher = new CodePatcher_x64_near(_targetPtr, _replacementPtr, _proxyPtr);
|
else
|
_codePatcher = new CodePatcher_x64_far(_targetPtr, _replacementPtr, _proxyPtr);
|
}
|
else
|
_codePatcher = new CodePatcher_x86(_targetPtr, _replacementPtr, _proxyPtr);
|
}
|
}
|
|
/// <summary>
|
/// 获取对应函数jit后的native code的地址
|
/// </summary>
|
private bool GetFunctionAddr()
|
{
|
_targetPtr = GetFunctionAddr(targetMethod);
|
_replacementPtr = GetFunctionAddr(replacementMethod);
|
_proxyPtr = GetFunctionAddr(proxyMethod);
|
|
if (_targetPtr == IntPtr.Zero || _replacementPtr == IntPtr.Zero)
|
return false;
|
|
if (proxyMethod != null && _proxyPtr == null)
|
return false;
|
|
if(_replacementPtr == _targetPtr)
|
{
|
throw new Exception($"the addresses of target method {targetMethod.Name} and replacement method {replacementMethod.Name} can not be same");
|
}
|
|
if (LDasm.IsThumb(_targetPtr) || LDasm.IsThumb(_replacementPtr))
|
{
|
throw new Exception("does not support thumb arch");
|
}
|
|
return true;
|
}
|
|
|
[StructLayout(LayoutKind.Sequential, Pack = 1)] // 好像在 IL2CPP 里无效
|
private struct __ForCopy
|
{
|
public long __dummy;
|
public MethodBase method;
|
}
|
/// <summary>
|
/// 获取方法指令地址
|
/// </summary>
|
/// <param name="method"></param>
|
/// <returns></returns>
|
private IntPtr GetFunctionAddr(MethodBase method)
|
{
|
if (method == null)
|
return IntPtr.Zero;
|
|
if (!LDasm.IsIL2CPP())
|
return method.MethodHandle.GetFunctionPointer();
|
else
|
{
|
/*
|
// System.Reflection.MonoMethod
|
typedef struct Il2CppReflectionMethod
|
{
|
Il2CppObject object;
|
const MethodInfo *method;
|
Il2CppString *name;
|
Il2CppReflectionType *reftype;
|
} Il2CppReflectionMethod;
|
|
typedef Il2CppClass Il2CppVTable;
|
typedef struct Il2CppObject
|
{
|
union
|
{
|
Il2CppClass *klass;
|
Il2CppVTable *vtable;
|
};
|
MonitorData *monitor;
|
} Il2CppObject;
|
|
typedef struct MethodInfo
|
{
|
Il2CppMethodPointer methodPointer; // this is the pointer to native code of method
|
InvokerMethod invoker_method;
|
const char* name;
|
Il2CppClass *klass;
|
const Il2CppType *return_type;
|
const ParameterInfo* parameters;
|
// ...
|
}
|
*/
|
|
__ForCopy __forCopy = new __ForCopy() { method = method };
|
|
long* ptr = &__forCopy.__dummy;
|
ptr++; // addr of _forCopy.method
|
|
IntPtr methodAddr = IntPtr.Zero;
|
if (sizeof(IntPtr) == 8)
|
{
|
long methodDataAddr = *(long*)ptr;
|
byte* ptrData = (byte*)methodDataAddr + sizeof(IntPtr) * 2; // offset of Il2CppReflectionMethod::const MethodInfo *method;
|
|
long methodPtr = 0;
|
methodPtr = *(long*)ptrData;
|
methodAddr = new IntPtr(*(long*)methodPtr); // MethodInfo::Il2CppMethodPointer methodPointer;
|
}
|
else
|
{
|
int methodDataAddr = *(int*)ptr;
|
byte* ptrData = (byte*)methodDataAddr + sizeof(IntPtr) * 2; // offset of Il2CppReflectionMethod::const MethodInfo *method;
|
|
int methodPtr = 0;
|
methodPtr = *(int*)ptrData;
|
methodAddr = new IntPtr(*(int*)methodPtr);
|
}
|
return methodAddr;
|
}
|
}
|
|
#if UNITY_EDITOR && !UNITY_2020_3_OR_NEWER
|
private void OnEditorUpdate()
|
{
|
if (s_fi_GUISkin_current.GetValue(null) != null)
|
{
|
try
|
{
|
DoInstall();
|
}
|
finally
|
{
|
EditorApplication.update -= OnEditorUpdate;
|
}
|
}
|
}
|
#endif
|
|
#endregion
|
}
|
|
}
|
