this is free and unencumbered software released into the public domain
refer to the attached UNLICENSE or http://unlicense.org/
ARM and x86 hooking framework for love live school idol festival EN and JP
this is a proxy/stub library for libjniproxy.so. it can be used to easily read memory, hook, and call the game's functions from within the game process without relying on LD_PRELOAD or existing hooking frameworks
it comes with some hooks that log calls to crypto functions and a few others, and that print the lua stacktrace for functions called from lua
(update: it now also logs http traffic on JP)
rationale: I couldn't get LD_PRELOAD to work on my qemu android x86 virtual machine and I'm too lazy to use a real android device lol
NOTE: it's highly recommended that you compile this from source and check the code yourself, as malicious code could be easily injected through it. always get binaries and source from a trusted source (in this case my github, Francesco149). never share the logcat from this tool with other people, it may contain your account and device information!
compiling is linux-only for the time being. if you're a windows user and know how to set a build up, feel free to write a guide and pull request
chmod +x ./build
CC=~/arm/bin/clang CFLAGS=-DJNIPROXY_EN ./build
# change clang path to where your arm or x86 compiler is
# also change JNIPROXY_EN to JNIPROXY_JP if compiling for JP
adb root
adb shell
cd /data/app/klb.lovelive_en-1/lib/arm/
# remember to omit the _en suffix and use x86 instead of
# arm if working with the JP ver
mv libjniproxy.so libjniproxy.so.bak
exit
adb push libjniproxy.so /data/app/klb.lovelive_en-1/lib/arm/
adb shell
cd /data/app/klb.lovelive_en-1/lib/arm/
# remember to change arm to x86 if targeting x86
chmod 755 libjniproxy.so
chown system:system libjniproxy.so
exit
# the logcat commands below are run from the host, not the device shell
# clear logcat
adb shell logcat -c
# start logging
adb shell logcat | grep jniproxy
# now start the game and watch the log
# I usually pipe the above command into a file, like
# adb shell logcat -d | grep jniproxy > log.txt
# so you can read it in your favorite editor
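the NOTE above says to build from source, and the install steps only work if the build matches the arm/x86 directory you push into. as an added example (not part of this project; the function names and the script name checklib are made up here), this check can be run on the host before adb push: it reads the ELF header to confirm the target architecture and compares the file against the SHA-256 you recorded right after your own ./build

```sh
#!/bin/sh
# added example, not part of the project

# elf_arch FILE: print arm, x86 or unknown, read from the ELF header
elf_arch() {
    # bytes 0-3 are the ELF magic: 7f 'E' 'L' 'F'
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo unknown; return 1; }
    # bytes 18-19 are e_machine, little-endian on both targets
    machine=$(od -An -tx1 -j18 -N2 "$1" | tr -d ' \n')
    case "$machine" in
        2800) echo arm ;;                 # EM_ARM = 40
        0300) echo x86 ;;                 # EM_386 = 3
        *)    echo unknown; return 1 ;;
    esac
}

# verify_lib FILE ARCH SHA256: succeed only if FILE is an ELF built for
# ARCH and its SHA-256 equals the value recorded after your own build
verify_lib() {
    file=$1 want_arch=$2 want_sum=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    arch=$(elf_arch "$file") || true
    if [ "$arch" != "$want_arch" ]; then
        echo "arch mismatch: got $arch, want $want_arch" >&2
        return 1
    fi
    sum=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$sum" != "$want_sum" ]; then
        echo "hash mismatch: $file is not the file you built" >&2
        return 1
    fi
    echo "ok: $file ($arch, sha256 $sum)"
}

# usage: ./checklib libjniproxy.so arm <sha256 recorded after ./build>
if [ $# -eq 3 ]; then
    verify_lib "$@"
fi
```

record the hash with sha256sum libjniproxy.so as soon as ./build finishes, and keep it somewhere other than next to the binary.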
example that hooks CAndroidRequest::getRandomBytes
read the declarations at the top of jniproxy.c for more information
myhook.c
static int hooks_init();
#define JNIPROXY_EN
#define JNIPROXY_IMPLEMENTATION
#define JNIPROXY_MONOLITHIC
#define JNIPROXY_INIT hooks_init
#include "jniproxy.c"
#define sig(name) int name(void* this, uint8_t* data, int n)
typedef sig(func);
/* receives the pointer used to call the original function */
static func* trampoline = 0;
static sig(hook)
{
    int res;
    char* buf = 0;
    size_t nb = 0;
    log("> called from %p", __builtin_return_address(0));
    /* run the original first, then log the buffer it was given */
    res = trampoline(this, data, n);
    log_bytes("data", data, n, &buf, &nb);
    free(buf);
    return res;
}
static
int hooks_init()
{
    int err;
    void* base = m_base("libGame.so",
        "app_klb_android_GameEngine_PFInterface_frameFlip");
    if (!base) {
        return -1;
    }
    m_hook("CAndroidRequest::getRandomBytes",
        base, 0, (void*)0x003490A0, 0, 0,
        (void**)&trampoline, hook);
    return 0;
}
build
#!/bin/sh
CFLAGS="-fPIC $CFLAGS"
LDFLAGS="-shared -llog -ldl $LDFLAGS"
$CC $CFLAGS myhook.c $LDFLAGS -o libjniproxy.so
see main.c for advanced usage examples