
Couldn't resolve export il2cpp_assembly_get_image #300

Closed
kosticyn opened this issue May 22, 2023 · 20 comments
Labels: feature (New feature or request), game specific (Likely to be an issue related to a specific game)

Comments

kosticyn commented May 22, 2023

Hi.
App - seen
Unity version: 2019.4.17f1c1

I try Il2Cpp.dump() but I get an error: il2cpp: couldn't resolve export il2cpp_assembly_get_image.
How do I fix this?

vfsfitvnm added the labels "feature" and "game specific" on May 22, 2023

vfsfitvnm (Owner)

Confirmed. That game doesn't have that (necessary) export. Fortunately, there's a workaround!

n1ce0n3 commented Sep 6, 2023

Sup!

il2cpp: couldn't resolve export il2cpp_domain_get
at r (/node_modules/frida-il2cpp-bridge/dist/index.js:594:45)
at Object.get domainGet (/node_modules/frida-il2cpp-bridge/dist/index.js:344:20)
at Object.descriptor.get [as domainGet] (/node_modules/frida-il2cpp-bridge/dist/index.js:41:30)
at Object. (/node_modules/frida-il2cpp-bridge/dist/index.js:1992:45)
at Object.descriptor.get (/node_modules/frida-il2cpp-bridge/dist/index.js:41:30)
at Object.perform (/node_modules/frida-il2cpp-bridge/dist/index.js:1110:31)

Any workarounds for that case?
I can send the binaries if needed

n1ce0n3 commented Sep 6, 2023

That export is stripped in the binary; for now I made a kind of workaround.

globalThis.assemblies = [];
globalThis.pointers = [];
// GameAssembly.dll is the IL2CPP runtime module; scan its whole image for the signature.
const base = globalThis.base = Process.enumerateModulesSync().find(e => e.name == "GameAssembly.dll");
// Byte signature with "??" wildcards; Frida accepts the space-separated form as-is.
const pat = "48 83 EC 28 48 8B 05 ?? ?? ?? ?? 48 85 C0 75 11";
Memory.scan(base.base, base.size, pat, {
    onMatch(address, size) {
        console.log('Memory.scan() found match at', address, 'with size', size);
        Interceptor.attach(address, {
            onEnter(args) {
                try {
                    // Log the name string passed in the second argument, if there is one.
                    this.name = args[1].readUtf8String() || args[1].readCString() || undefined;
                    this.name && console.log(`${this.name} has been loaded.`);
                } catch (e) {}
            },
            onLeave(retval) {
                // Record the matched address as il2cpp_domain_get, once.
                if (!globalThis.pointers.find(e => e['il2cpp_domain_get'])) {
                    globalThis.pointers.push({
                        "il2cpp_domain_get": new NativeFunction(ptr(address), 'pointer', [])
                    });
                    console.log(`Domain_get found. ${JSON.stringify(globalThis.pointers.find(e => e['il2cpp_domain_get']))}`);
                }
            }
        });
        // Stop scanning after the first match.
        return 'stop';
    },
    onComplete() {
        // console.log('Memory.scan() complete');
    }
});

     ____
    / _  |   Frida 16.0.19 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Local System (id=local)


Memory.scan() found match at 0x7ffd8b0df450 with size 16
[Local::*.exe ]-> Domain_get found. {"il2cpp_domain_get":"0x7ffd8b0df450"}
UnityEngine has been loaded.
Assembly-CSharp has been loaded.
Cinemachine has been loaded.
Unity.Burst has been loaded.
KDTree-Asmdef has been loaded.
Obi has been loaded.
LitJson-asmdef has been loaded.
7zip.asmdef has been loaded.
OSA has been loaded.
UnityEngine.UI has been loaded.
Unity.Timeline has been loaded.
BGCurve-Asmdef has been loaded.
ConsoleAsmdef has been loaded.
VivoxUnity has been loaded.
L12Utils has been loaded.
Intercept has been loaded.
ZFBrowser has been loaded.
GlobalDebug has been loaded.
DOTween.Modules has been loaded.
XGamingRuntime has been loaded.
DOTween has been loaded.
protobuf-net has been loaded.
zxing.unity has been loaded.
System.Memory has been loaded.
IFix.Core has been loaded.
FlatBuffers has been loaded.
Ionic.Zip.Unity has been loaded.
Newtonsoft.Json has been loaded.

vfsfitvnm (Owner)

@n1ce0n3 Thanks for reporting

n1ce0n3 commented Sep 6, 2023

I still can't figure how can I make it work within the game I'm currently reversing. Would really appreciate some help, if you can @vfsfitvnm.
Here are all the il2cpp exports the game has:

[Local::narakabladepoint.exe ]-> Process.enumerateModulesSync().forEach(el => {
    Module.enumerateExportsSync(el.name).forEach(_export => {
        _export.name.match(/il2cpp_/gi) && console.log(_export.name)
    })
});

il2cpp_add_internal_call
il2cpp_alloc
il2cpp_allocation_granularity
il2cpp_array_element_size
il2cpp_array_object_header_size
il2cpp_capture_memory_snapshot
il2cpp_class_get_bitmap
il2cpp_class_get_bitmap_size
il2cpp_class_get_userdata_offset
il2cpp_class_set_userdata
il2cpp_current_thread_get_frame_at
il2cpp_current_thread_get_stack_depth
il2cpp_current_thread_get_top_frame
il2cpp_current_thread_walk_frame_stack
il2cpp_debugger_set_agent_options
il2cpp_exception_from_name_msg
il2cpp_format_exception
il2cpp_format_stack_trace
il2cpp_free
il2cpp_free_captured_memory_snapshot
il2cpp_gc_collect
il2cpp_gc_collect_a_little
il2cpp_gc_disable
il2cpp_gc_enable
il2cpp_gc_foreach_heap
il2cpp_gc_get_heap_size
il2cpp_gc_get_max_time_slice_ns
il2cpp_gc_get_used_size
il2cpp_gc_has_strict_wbarriers
il2cpp_gc_is_disabled
il2cpp_gc_is_incremental
il2cpp_gc_set_external_allocation_tracker
il2cpp_gc_set_external_wbarrier_tracker
il2cpp_gc_set_max_time_slice_ns
il2cpp_gc_wbarrier_set_field
il2cpp_gchandle_foreach_get_target
il2cpp_gchandle_free
il2cpp_gchandle_get
il2cpp_gchandle_get_target
il2cpp_gchandle_new
il2cpp_gchandle_new_weakref
il2cpp_get_corlib
il2cpp_get_exception_argument_null
il2cpp_image_get_assembly
il2cpp_image_get_class
il2cpp_image_get_class_count
il2cpp_image_get_entry_point
il2cpp_image_get_filename
il2cpp_image_get_name
il2cpp_init
il2cpp_init_utf16
il2cpp_is_debugger_attached
il2cpp_is_vm_thread
il2cpp_monitor_enter
il2cpp_monitor_exit
il2cpp_monitor_pulse
il2cpp_monitor_pulse_all
il2cpp_monitor_try_enter
il2cpp_monitor_try_wait
il2cpp_monitor_wait
il2cpp_object_header_size
il2cpp_offset_of_array_bounds_in_array_object_header
il2cpp_offset_of_array_length_in_array_object_header
il2cpp_override_stack_backtrace
il2cpp_profiler_install
il2cpp_profiler_install_allocation
il2cpp_profiler_install_enter_leave
il2cpp_profiler_install_fileio
il2cpp_profiler_install_gc
il2cpp_profiler_install_thread
il2cpp_profiler_set_events
il2cpp_raise_exception
il2cpp_register_debugger_agent_transport
il2cpp_register_log_callback
il2cpp_runtime_object_init_exception
il2cpp_runtime_unhandled_exception_policy_set
il2cpp_set_commandline_arguments
il2cpp_set_commandline_arguments_utf16
il2cpp_set_config
il2cpp_set_config_dir
il2cpp_set_config_utf16
il2cpp_set_data_dir
il2cpp_set_default_thread_affinity
il2cpp_set_find_plugin_callback
il2cpp_set_memory_callbacks
il2cpp_set_temp_dir
il2cpp_shutdown
il2cpp_start_gc_world
il2cpp_stats_dump_to_file
il2cpp_stats_get_value
il2cpp_stop_gc_world
il2cpp_thread_attach
il2cpp_thread_current
il2cpp_thread_detach
il2cpp_thread_get_all_attached_threads
il2cpp_thread_get_frame_at
il2cpp_thread_get_stack_depth
il2cpp_thread_get_top_frame
il2cpp_thread_walk_frame_stack
il2cpp_unhandled_exception
il2cpp_unity_install_unitytls_interface
il2cpp_unity_liveness_allocate_struct
il2cpp_unity_liveness_calculation_begin
il2cpp_unity_liveness_calculation_end
il2cpp_unity_liveness_calculation_from_root
il2cpp_unity_liveness_calculation_from_root_2021
il2cpp_unity_liveness_calculation_from_statics
il2cpp_unity_liveness_calculation_from_statics_2021
il2cpp_unity_liveness_calculation_from_steal
il2cpp_unity_liveness_collect_statics_2021
il2cpp_unity_liveness_finalize
il2cpp_unity_liveness_free_struct
il2cpp_unity_liveness_object_num
il2cpp_unity_liveness_traverse_static_from_steal
il2cpp_unity_liveness_traverse_statics_2021
il2cpp_unity_liveness_traverse_user_root
il2cpp_value_box

What methods do I need to manually resolve in order to make it work?
If I get it right, the "r" function basically returns something like this: new NativeFunction(ptr("0x7ffd8b0df450"), "pointer", []);
so I can hard-code all the missing functions and check whether that works, or am I wrong?
Thanks in advance <3

vfsfitvnm (Owner) commented Sep 6, 2023

@n1ce0n3 It looks like they heavily modified their exports; I don't think there's much you can do other than manually finding the missing exports.

so I can hard code all the missing functions and check if that works, or am I wrong?

correct :)

n1ce0n3 commented Sep 7, 2023

Thanks for confirming this @vfsfitvnm; the game is #6 on the top free Steam games at the moment, so I kind of expected it not to be that easy :)
I will post an update here in case I manage to solve the issue and actually get this whole thing working, but if someone here has the same issue with the same game I am struggling with right now, I wouldn't really expect to wait for an update.

n1ce0n3 commented Sep 8, 2023

Just in case anyone was waiting for an update, I actually got it to work after a while :)

[Local::executable_name.exe ]-> Il2Cpp.dump("dump.cs")
il2cpp: dumping mscorlib...
il2cpp: couldn't resolve export il2cpp_class_get_methods
    at r (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:590)
    at get classGetMethods (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:276)
    at call (native)
    at <anonymous> (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:41)
    at <anonymous> (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:1694)
    at readNativeIterator (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:149)
    at get methods (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:1694)
    at call (native)
    at <anonymous> (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:41)
    at toString (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:1815)
    at concat (native)
    at dump (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:653)
    at <eval> (<input>:1)
[Local::executable_name.exe ]-> %reload
[Local::executable_name.exe ]-> Il2Cpp.dump("dump.cs")
il2cpp: dumping mscorlib...
il2cpp: couldn't resolve export il2cpp_field_get_name
    at r (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:590)
    at get fieldGetName (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:348)
    at call (native)
    at <anonymous> (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:41)
    at get name (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:2040)
    at call (native)
    at <anonymous> (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:41)
    at toString (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:2079)
    at join (native)
    at toString (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:1815)
    at concat (native)
    at dump (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:653)
    at <eval> (<input>:1)
[Local::executable_name.exe ]-> %reload
[Local::executable_name.exe ]-> Il2Cpp.dump("dump.cs")
il2cpp: dumping mscorlib...
il2cpp: couldn't resolve export il2cpp_method_get_name
    at r (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:590)
    at get methodGetName (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:471)
    at call (native)
    at <anonymous> (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:41)
    at get name (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:2342)
    at call (native)
    at <anonymous> (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:41)
    at toString (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:2495)
    at join (native)
    at toString (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:1816)
    at concat (native)
    at dump (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:653)
    at <eval> (<input>:1)
[Local::executable_name.exe ]-> %reload
[Local::executable_name.exe ]-> Il2Cpp.dump("dump.cs")
il2cpp: dumping mscorlib...
il2cpp: dumping System.Configuration...
il2cpp: dumping Mono.Security...
il2cpp: dumping System.Xml...
il2cpp: dumping System...
il2cpp: dumping System.Core...
il2cpp: dumping UnityEngine.SharedInternalsModule...
il2cpp: dumping UnityEngine.CoreModule...
il2cpp: dumping UnityEngine.AssetBundleModule...
il2cpp: dumping UnityEngine.PhysicsModule...
il2cpp: dumping UnityEngine.SubsystemsModule...
il2cpp: dumping UnityEngine.TextRenderingModule...
il2cpp: dumping UnityEngine.UnityWebRequestModule...
il2cpp: dumping UnityEngine.AudioModule...
il2cpp: dumping UnityEngine.GridModule...
il2cpp: dumping UnityEngine.IMGUIModule...
il2cpp: dumping UnityEngine.ImageConversionModule...
il2cpp: dumping UnityEngine.InputLegacyModule...
il2cpp: dumping UnityEngine.Physics2DModule...
il2cpp: dumping UnityEngine.TerrainModule...
il2cpp: dumping UnityEngine.TextCoreModule...
il2cpp: dumping UnityEngine.UnityWebRequestAssetBundleModule...
il2cpp: dumping UnityEngine.XRModule...
il2cpp: dumping System.Numerics...
il2cpp: dumping System.Runtime.Serialization...
il2cpp: dumping UnityEngine.AIModule...
il2cpp: dumping UnityEngine.AndroidJNIModule...
il2cpp: dumping UnityEngine.AnimationModule...
il2cpp: dumping UnityEngine.ClothModule...
il2cpp: dumping UnityEngine.DirectorModule...
il2cpp: dumping UnityEngine.InputModule...
il2cpp: dumping UnityEngine.JSONSerializeModule...
il2cpp: dumping UnityEngine.ParticleSystemModule...
il2cpp: dumping UnityEngine.ScreenCaptureModule...
il2cpp: dumping UnityEngine.StreamingModule...
il2cpp: dumping UnityEngine.TerrainPhysicsModule...
il2cpp: dumping UnityEngine.TilemapModule...
il2cpp: dumping UnityEngine.UIElementsModule...
il2cpp: dumping UnityEngine.UIModule...
il2cpp: dumping UnityEngine.UnityAnalyticsModule...
il2cpp: dumping UnityEngine.UnityWebRequestTextureModule...
il2cpp: dumping UnityEngine.UnityWebRequestWWWModule...
il2cpp: dumping UnityEngine.VFXModule...
il2cpp: dumping UnityEngine.VRModule...
il2cpp: dumping UnityEngine.VideoModule...
il2cpp: dumping System.Data...
il2cpp: dumping System.Diagnostics.StackTrace...
il2cpp: dumping System.Globalization.Extensions...
il2cpp: dumping System.IO.Compression...
il2cpp: dumping System.Xml.Linq...
il2cpp: dumping UnityEngine...
il2cpp: dumping Opencoding.Shared...
il2cpp: dumping System.Runtime...
il2cpp: dumping UnityEngine.UI...
il2cpp: dumping netstandard...
il2cpp: dumping Opencoding.LogHistory...
il2cpp: dumping System.Numerics.Vectors...
il2cpp: dumping System.Runtime.CompilerServices.Unsafe...
il2cpp: dumping Unity.Burst.Unsafe...
il2cpp: dumping Unity.RenderPipelines.Core.Runtime...
il2cpp: dumping L12Utils...
il2cpp: dumping Newtonsoft.Json...
il2cpp: dumping Obi...
il2cpp: dumping Opencoding.CommandHandlers...
il2cpp: dumping System.Memory...
il2cpp: dumping Unity.Burst...
il2cpp: dumping Unity.Mathematics...
il2cpp: dumping Unity.RenderPipeline.Universal.ShaderLibrary...
il2cpp: dumping Unity.Timeline...
il2cpp: dumping protobuf-net...
il2cpp: dumping 7zip.asmdef...
il2cpp: dumping ByteSerialize-Asmdef...
il2cpp: dumping Cinemachine...
il2cpp: dumping Coffee.UIParticle...
il2cpp: dumping DOTween...
il2cpp: dumping FlatBuffers...
il2cpp: dumping GlobalDebug...
il2cpp: dumping Googole-Protobuf-Asmdef...
il2cpp: dumping IFix.Core...
il2cpp: dumping Ionic.Zip.Unity...
il2cpp: dumping KDTree-Asmdef...
il2cpp: dumping Leihuo.Rendering.Runtime...
il2cpp: dumping LitJson-asmdef...
il2cpp: dumping MIConvexHull-Asmdef...
il2cpp: dumping Mono.Cecil...
il2cpp: dumping OSA...
il2cpp: dumping ObiRendering-Asmdef...
il2cpp: dumping Opencoding.Console...
il2cpp: dumping PowerCollections-Asmdef...
il2cpp: dumping RootMotion-Asmdef...
il2cpp: dumping Sirenix.OdinInspector.Attributes...
il2cpp: dumping Twitch.EnhancedExperiences...
il2cpp: dumping Unity.Collections...
il2cpp: dumping Unity.InputSystem...
il2cpp: dumping Unity.RenderPipelines.Universal.Runtime...
il2cpp: dumping Unity.TextMeshPro...
il2cpp: dumping Vectrosity-Scripts-Asmdef...
il2cpp: dumping VivoxUnity...
il2cpp: dumping XGamingRuntime...
il2cpp: dumping zxing.unity...
il2cpp: dumping BGCurve-Asmdef...
il2cpp: dumping ConsoleAsmdef...
il2cpp: dumping DOTween.Modules...
il2cpp: dumping Intercept...
il2cpp: dumping MersenneTwister-Asmdef...
il2cpp: dumping QHierarchy-Asmdef...
il2cpp: dumping Siccity.SerializableCallback...
il2cpp: dumping SpatialHash-Asmdef...
il2cpp: dumping ZFBrowser...
il2cpp: dumping Assembly-CSharp-firstpass...
il2cpp: dumping Assembly-CSharp...
il2cpp: dump saved to C:/Users/.../AppData/LocalLow/.../dump.cs

Just compile a project using the same Unity version and find the required exports in the compiled binary; you can extract them from IDA using either SigMaker or FakePDB (for some functions one plugin worked better than the other, and vice versa), then replace the functions in the "index.js" file according to the addresses you find.
In the binary I had, these signatures were not found, like none of them; however, if you run Cheat Engine or something similar and search for the signatures during runtime, it finds everything just as it was supposed to.
Much luv. <3
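The manual procedure above (take a byte signature from a reference build of the same Unity version, scan the live GameAssembly for it, wrap the hit in a NativeFunction, as also sketched in the earlier comment about hard-coding new NativeFunction(ptr(...), "pointer", [])) has one failure mode worth guarding against: a short prologue pattern can match many functions, and hooking the wrong one fails silently. The following Frida script is an added example written for this page; it is not code from the thread or from frida-il2cpp-bridge. The il2cpp_domain_get signature is the one posted above; every other signature is an assumed placeholder you must collect from your own reference build, and the IL2CPP_PROTOTYPES table lists the C prototypes of the four exports the thread had to resolve by hand. The pure-JavaScript matcher (findAll) runs anywhere, including offline over a dumped image; the Memory.scanSync/NativeFunction glue runs only inside a Frida agent.

```javascript
// Added example, not from the thread or frida-il2cpp-bridge: resolve IL2CPP
// exports stripped from the export table by byte signature, accepting a
// signature only when it matches exactly once in the module.

// Frida NativeFunction types for the exports the thread resolved by hand.
const IL2CPP_PROTOTYPES = {
  il2cpp_domain_get:        { ret: 'pointer', args: [] },                     // Il2CppDomain* ()
  il2cpp_class_get_methods: { ret: 'pointer', args: ['pointer', 'pointer'] }, // MethodInfo* (Il2CppClass*, void** iter)
  il2cpp_field_get_name:    { ret: 'pointer', args: ['pointer'] },            // const char* (FieldInfo*)
  il2cpp_method_get_name:   { ret: 'pointer', args: ['pointer'] },            // const char* (MethodInfo*)
};

// Signatures: the il2cpp_domain_get pattern is the one posted in this thread;
// the others are ASSUMED placeholders to be filled from a reference build.
const SIGNATURES = {
  il2cpp_domain_get: '48 83 EC 28 48 8B 05 ?? ?? ?? ?? 48 85 C0 75 11',
  // il2cpp_class_get_methods: '...', il2cpp_field_get_name: '...', il2cpp_method_get_name: '...',
};

// Parse "48 83 ?? 28" into an array of byte values, null meaning "any byte".
function parsePattern(pattern) {
  return pattern.trim().split(/\s+/).map((tok) => {
    if (tok === '??') return null;
    if (!/^[0-9a-fA-F]{2}$/.test(tok)) throw new Error(`bad pattern token: ${tok}`);
    return parseInt(tok, 16);
  });
}

// Every offset in `bytes` (Uint8Array) where the parsed pattern matches.
// Same semantics as Memory.scanSync, but usable offline on a dumped image.
function findAll(bytes, pat) {
  const hits = [];
  outer: for (let i = 0; i + pat.length <= bytes.length; i++) {
    for (let j = 0; j < pat.length; j++) {
      if (pat[j] !== null && bytes[i + j] !== pat[j]) continue outer;
    }
    hits.push(i);
  }
  return hits;
}

// A generic prologue such as "48 83 EC 28 ..." can match many functions, and
// hooking the wrong one corrupts every later call, so refuse to guess.
function pickUnique(name, hits) {
  if (hits.length === 1) return { ok: true, value: hits[0] };
  const why = hits.length === 0 ? 'no match' : `${hits.length} matches, pattern too short`;
  return { ok: false, error: `${name}: ${why}` };
}

// Offline variant: resolve name -> offset over a byte image.
function resolveOffsets(bytes, signatures) {
  const resolved = {};
  const errors = [];
  for (const [name, sig] of Object.entries(signatures)) {
    const r = pickUnique(name, findAll(bytes, parsePattern(sig)));
    if (r.ok) resolved[name] = r.value; else errors.push(r.error);
  }
  return { resolved, errors };
}

// Frida-only variant: scan the live module and wrap each unique hit in a
// NativeFunction using the prototype table above.
function resolveInProcess(moduleName, signatures) {
  const mod = Process.getModuleByName(moduleName);
  const fns = {};
  const errors = [];
  for (const [name, sig] of Object.entries(signatures)) {
    parsePattern(sig); // validate the pattern before handing it to Frida
    const hits = Memory.scanSync(mod.base, mod.size, sig).map((m) => m.address);
    const r = pickUnique(name, hits);
    if (!r.ok) { errors.push(r.error); continue; }
    const proto = IL2CPP_PROTOTYPES[name];
    fns[name] = new NativeFunction(r.value, proto.ret, proto.args);
    console.log(`${name} -> ${r.value} (${moduleName}+0x${r.value.sub(mod.base).toString(16)})`);
  }
  return { fns, errors };
}

// Only run the scan inside a Frida agent (Process and Memory are Frida globals).
if (typeof Process !== 'undefined' && typeof Memory !== 'undefined') {
  const { fns, errors } = resolveInProcess('GameAssembly.dll', SIGNATURES);
  errors.forEach((e) => console.error('unresolved:', e));
  if (fns.il2cpp_domain_get) console.log('Il2CppDomain* =', fns.il2cpp_domain_get());
}
```

Load it with frida -l resolve.js -n <game>.exe once the game has initialised IL2CPP. Anything reported as unresolved needs a longer or more specific pattern (extend it past the prologue into the first few distinctive instructions) rather than a guess; the resolved NativeFunction objects are what you would substitute for the missing exports in the bridge's resolver.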

vfsfitvnm (Owner)

@n1ce0n3 Thank you very much for reporting back to us!
Searching for memory patterns is definitely a good solution. I'm not sure whether I could "automate" such a feature, as I believe it is quite easy for the vendor to sidetrack the scanning operation.

However, I can definitely add a feature so that you can override the export offsets without having to tediously edit the source code.

n1ce0n3 commented Sep 8, 2023

@vfsfitvnm glad I could be useful :)
Idk, honestly, it's the first binary I've seen that is stripped this much, and if I get it right the signatures would vary depending on the Unity version, and if so it would be a real pain in the ass for you to get all the signatures for different versions.
If the signatures don't change, I already have around 40 signatures saved in Notepad, and those could be of help to you.

Actually, this is the only tool that allowed me to get a dump of the game (at least at my level of knowledge). I have no idea how you can manually add the missing exports to the library so that tools like MelonLoader/BepInEx/Doorstop would actually recognize the methods and work, since all the tools I've mentioned simply crash the game, printing in the log that the required export is missing, without a real way to manually point the tool to the required methods :)

vfsfitvnm (Owner)

Most of the functions don't really change across minor Unity versions; however, the emitted binary code also depends on the compiler, so yeah, it's definitely a huge pain in the ass to get it done. I would have to collect every export times every Unity version times every CPU architecture, at the very least. Won't do it 😛

n1ce0n3 commented Sep 8, 2023

I totally agree, wouldn't do that either 😛
However, you could really consider adding an option to override the methods a bit more easily, since for some reason, if I modify the functions in the compiled .js file, it won't let me launch it, saying it's malformed; so to do that I had to go into node_modules/module/dist and edit the code within that index.js file, and that is definitely not the best option. (Unless I missed a more obvious way of doing that.)

Also, I'm really curious whether the distance between functions changes with updates, because if not, you could just find a single method and then find the other methods based on an offset relative to the method you've already found? Or wouldn't that work with exported functions?

vfsfitvnm (Owner)

If you use another bundler (I personally use esbuild) instead of frida-compile, you can edit the compiled .js file straightforwardly (but you lose the features frida-compile has). However, yes, I will do something in that regard.

Also, I'm really curious whether the distance between functions changes with updates, because if not, you could just find a single method and then find the other methods based on an offset relative to the method you've already found? Or wouldn't that work with exported functions?

They could still change the order of the functions within the source code, add a no-op, or apply whatever change so that the compiler does not emit the same code.

n1ce0n3 commented Sep 8, 2023

They could still change the order of the functions within the source code, add a no-op, or apply whatever change so that the compiler does not emit the same code.

Right, I didn't think about it that way.

I usually use tsc, but it doesn't work really well with frida for some reason, so I'm using frida-compile for that matter :)

thienha1

(quoting the exchange above between vfsfitvnm and n1ce0n3)

Are you still there? I need your help.

n1ce0n3 commented Oct 31, 2023

(quoting thienha1's question above)

Sup?

thienha1 commented Nov 7, 2023

(quoting the exchange above)

Yes, in my case almost all il2cpp exports are merged into one export, "il2cpp_get_api_table"; how do I find those exports inside this thing? Or how do I call it in frida?

n1ce0n3 commented Nov 7, 2023

(quoting thienha1's question above)

I haven't seen a case like that, but googling that export in quotes returns two URLs, one of which is the current thread and the other one is something in Chinese.
I'm not exactly sure what they're talking about in there, but according to what I got from Google Translate, I'd assume you should look into either that or that.

Elfi3s commented Feb 20, 2024

Just in case anyone was waiting for an update, I actually got it to work after a while :)

[Local::executable_name.exe ]-> Il2Cpp.dump("dump.cs")
il2cpp: dumping mscorlib...
il2cpp: couldn't resolve export il2cpp_class_get_methods
    at r (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:590)
    at get classGetMethods (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:276)
    at call (native)
    at <anonymous> (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:41)
    at <anonymous> (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:1694)
    at readNativeIterator (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:149)
    at get methods (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:1694)
    at call (native)
    at <anonymous> (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:41)
    at toString (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:1815)
    at concat (native)
    at dump (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:653)
    at <eval> (<input>:1)
[Local::executable_name.exe ]-> %reload
[Local::executable_name.exe ]-> Il2Cpp.dump("dump.cs")
il2cpp: dumping mscorlib...
il2cpp: couldn't resolve export il2cpp_field_get_name
    at r (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:590)
    at get fieldGetName (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:348)
    at call (native)
    at <anonymous> (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:41)
    at get name (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:2040)
    at call (native)
    at <anonymous> (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:41)
    at toString (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:2079)
    at join (native)
    at toString (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:1815)
    at concat (native)
    at dump (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:653)
    at <eval> (<input>:1)
[Local::executable_name.exe ]-> %reload
[Local::executable_name.exe ]-> Il2Cpp.dump("dump.cs")
il2cpp: dumping mscorlib...
il2cpp: couldn't resolve export il2cpp_method_get_name
    at r (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:590)
    at get methodGetName (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:471)
    at call (native)
    at <anonymous> (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:41)
    at get name (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:2342)
    at call (native)
    at <anonymous> (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:41)
    at toString (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:2495)
    at join (native)
    at toString (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:1816)
    at concat (native)
    at dump (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:653)
    at <eval> (<input>:1)
[Local::executable_name.exe ]-> %reload
[Local::executable_name.exe ]-> Il2Cpp.dump("dump.cs")
il2cpp: dumping mscorlib...
il2cpp: dumping System.Configuration...
il2cpp: dumping Mono.Security...
il2cpp: dumping System.Xml...
il2cpp: dumping System...
il2cpp: dumping System.Core...
il2cpp: dumping UnityEngine.SharedInternalsModule...
il2cpp: dumping UnityEngine.CoreModule...
il2cpp: dumping UnityEngine.AssetBundleModule...
il2cpp: dumping UnityEngine.PhysicsModule...
il2cpp: dumping UnityEngine.SubsystemsModule...
il2cpp: dumping UnityEngine.TextRenderingModule...
il2cpp: dumping UnityEngine.UnityWebRequestModule...
il2cpp: dumping UnityEngine.AudioModule...
il2cpp: dumping UnityEngine.GridModule...
il2cpp: dumping UnityEngine.IMGUIModule...
il2cpp: dumping UnityEngine.ImageConversionModule...
il2cpp: dumping UnityEngine.InputLegacyModule...
il2cpp: dumping UnityEngine.Physics2DModule...
il2cpp: dumping UnityEngine.TerrainModule...
il2cpp: dumping UnityEngine.TextCoreModule...
il2cpp: dumping UnityEngine.UnityWebRequestAssetBundleModule...
il2cpp: dumping UnityEngine.XRModule...
il2cpp: dumping System.Numerics...
il2cpp: dumping System.Runtime.Serialization...
il2cpp: dumping UnityEngine.AIModule...
il2cpp: dumping UnityEngine.AndroidJNIModule...
il2cpp: dumping UnityEngine.AnimationModule...
il2cpp: dumping UnityEngine.ClothModule...
il2cpp: dumping UnityEngine.DirectorModule...
il2cpp: dumping UnityEngine.InputModule...
il2cpp: dumping UnityEngine.JSONSerializeModule...
il2cpp: dumping UnityEngine.ParticleSystemModule...
il2cpp: dumping UnityEngine.ScreenCaptureModule...
il2cpp: dumping UnityEngine.StreamingModule...
il2cpp: dumping UnityEngine.TerrainPhysicsModule...
il2cpp: dumping UnityEngine.TilemapModule...
il2cpp: dumping UnityEngine.UIElementsModule...
il2cpp: dumping UnityEngine.UIModule...
il2cpp: dumping UnityEngine.UnityAnalyticsModule...
il2cpp: dumping UnityEngine.UnityWebRequestTextureModule...
il2cpp: dumping UnityEngine.UnityWebRequestWWWModule...
il2cpp: dumping UnityEngine.VFXModule...
il2cpp: dumping UnityEngine.VRModule...
il2cpp: dumping UnityEngine.VideoModule...
il2cpp: dumping System.Data...
il2cpp: dumping System.Diagnostics.StackTrace...
il2cpp: dumping System.Globalization.Extensions...
il2cpp: dumping System.IO.Compression...
il2cpp: dumping System.Xml.Linq...
il2cpp: dumping UnityEngine...
il2cpp: dumping Opencoding.Shared...
il2cpp: dumping System.Runtime...
il2cpp: dumping UnityEngine.UI...
il2cpp: dumping netstandard...
il2cpp: dumping Opencoding.LogHistory...
il2cpp: dumping System.Numerics.Vectors...
il2cpp: dumping System.Runtime.CompilerServices.Unsafe...
il2cpp: dumping Unity.Burst.Unsafe...
il2cpp: dumping Unity.RenderPipelines.Core.Runtime...
il2cpp: dumping L12Utils...
il2cpp: dumping Newtonsoft.Json...
il2cpp: dumping Obi...
il2cpp: dumping Opencoding.CommandHandlers...
il2cpp: dumping System.Memory...
il2cpp: dumping Unity.Burst...
il2cpp: dumping Unity.Mathematics...
il2cpp: dumping Unity.RenderPipeline.Universal.ShaderLibrary...
il2cpp: dumping Unity.Timeline...
il2cpp: dumping protobuf-net...
il2cpp: dumping 7zip.asmdef...
il2cpp: dumping ByteSerialize-Asmdef...
il2cpp: dumping Cinemachine...
il2cpp: dumping Coffee.UIParticle...
il2cpp: dumping DOTween...
il2cpp: dumping FlatBuffers...
il2cpp: dumping GlobalDebug...
il2cpp: dumping Googole-Protobuf-Asmdef...
il2cpp: dumping IFix.Core...
il2cpp: dumping Ionic.Zip.Unity...
il2cpp: dumping KDTree-Asmdef...
il2cpp: dumping Leihuo.Rendering.Runtime...
il2cpp: dumping LitJson-asmdef...
il2cpp: dumping MIConvexHull-Asmdef...
il2cpp: dumping Mono.Cecil...
il2cpp: dumping OSA...
il2cpp: dumping ObiRendering-Asmdef...
il2cpp: dumping Opencoding.Console...
il2cpp: dumping PowerCollections-Asmdef...
il2cpp: dumping RootMotion-Asmdef...
il2cpp: dumping Sirenix.OdinInspector.Attributes...
il2cpp: dumping Twitch.EnhancedExperiences...
il2cpp: dumping Unity.Collections...
il2cpp: dumping Unity.InputSystem...
il2cpp: dumping Unity.RenderPipelines.Universal.Runtime...
il2cpp: dumping Unity.TextMeshPro...
il2cpp: dumping Vectrosity-Scripts-Asmdef...
il2cpp: dumping VivoxUnity...
il2cpp: dumping XGamingRuntime...
il2cpp: dumping zxing.unity...
il2cpp: dumping BGCurve-Asmdef...
il2cpp: dumping ConsoleAsmdef...
il2cpp: dumping DOTween.Modules...
il2cpp: dumping Intercept...
il2cpp: dumping MersenneTwister-Asmdef...
il2cpp: dumping QHierarchy-Asmdef...
il2cpp: dumping Siccity.SerializableCallback...
il2cpp: dumping SpatialHash-Asmdef...
il2cpp: dumping ZFBrowser...
il2cpp: dumping Assembly-CSharp-firstpass...
il2cpp: dumping Assembly-CSharp...
il2cpp: dump saved to C:/Users/.../AppData/LocalLow/.../dump.cs

Just compile a project using the same Unity version and find the required exports in the compiled binary; you can extract them from IDA using either SigMaker or Fake PDB (for some functions one plugin worked better than the other, and vice versa), then replace the functions in the "index.js" file according to the addresses you find. In the binary I had, these signatures were not found, like none of them; however, if you run Cheat Engine or something similar and search for the signatures during runtime, it finds everything just as it was supposed to. Much luv. <3

Hi, may I know how you determined the export il2cpp_class_get_methods_ to resolve them?
In my case the export names have been obfuscated with some gibberish; is there a way to, like, match the exports by size or some other parameter in IDA, using the old non-obfuscated exports vs the current exports with gibberish names?

@n1ce0n3

n1ce0n3 commented Feb 20, 2024

Hi, may I know how you determined the export il2cpp_class_get_methods_ to resolve them? In my case the export names have been obfuscated with some gibberish; is there a way to, like, match the exports by size or some other parameter in IDA, using the old non-obfuscated exports vs the current exports with gibberish names?

That's how I ended up making it work:

  1. Added this at the top of the script
globalThis.base = Process.enumerateModulesSync().find(e => e.name == "GameAssembly.dll");
globalThis._backupExports = {
	"il2cpp_field_static_set_value": "E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC 48 89 5C 24 ?? 57 48 83 EC 40 49 63 D8",
        "il2cpp_domain_get":"E9????????????????CCCCCCCCCCCCCCCCCCCCCC40534883EC20488BDA",
        "il2cpp_object_new":"E8 ?? ?? ?? ?? 48 8B D3 48 8B C8 48 8B F8 E8 ?? ?? ?? ?? 4D 63 C7 ",
	"il2cpp_resolve_icall":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC488B41184C8BD2",
	"il2cpp_string_chars":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC4053",
	"il2cpp_string_length":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC4053",
	"il2cpp_domain_get_assemblies":"40534883EC20488BDAE8????????488B4808",
	"il2cpp_class_from_name":"E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC 48 83 EC 28 4C 8D 44 24 40",
	"il2cpp_class_get_method_from_name":"E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC 0F B6 81",
	"il2cpp_method_is_instance":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC4883EC28E8????????EB02",
	"il2cpp_method_is_inflated":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC4883EC28E8????????EB02",
	"il2cpp_runtime_class_init":"E9????????CCCCCCCCCCCCCCCCCCCCCC488B41184C8BD2",
	"il2cpp_class_get_field_from_name":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC0FB681",
	"il2cpp_field_get_flags":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC488B4108",
	"il2cpp_field_static_get_value":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC48895C2408574883EC40",
	"il2cpp_field_get_type":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC488B4108",
	"il2cpp_type_get_type":"E9????????CCCCCCCCCCCCCCCCCCCCCC8B4108",
	"il2cpp_class_get_type":"E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC 40 53 48 83 EC 20 48 8B C2",
	"il2cpp_array_class_get":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCB820000000",
	"il2cpp_class_get_interfaces":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC0FB681",
	"il2cpp_class_get_name":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC0FB6",
	"il2cpp_object_get_class":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCB201",
	"il2cpp_field_get_offset":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC488B4108",
	"il2cpp_method_get_return_type":"E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC 48 83 EC 28 E8 ?? ?? ?? ?? EB 02",
	"il2cpp_type_get_name":"40 53 48 83 EC 40 45 33 C0",
	"il2cpp_method_get_param_count":"E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC 48 83 EC 28",
	"il2cpp_class_from_il2cpp_type":"B201E9????????CCCCCCCCCCCCCCCCCCE9",
	"il2cpp_class_from_type":"B2 01 E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC E9",
	"il2cpp_class_is_valuetype":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC488991D0000000",
	"il2cpp_method_get_param_name":"E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC 48 83 EC 28",
	"il2cpp_method_get_param":"E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC 48 83 EC 28",
	"il2cpp_array_length":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCB820000000",
	"il2cpp_string_new_wrapper":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC4053",
	"il2cpp_class_enum_basetype":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCB201",
	"il2cpp_class_array_element_size":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCB201",
	"il2cpp_class_get_parent":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC0FB681",
	"il2cpp_class_get_assemblyname":"E9????????CCCCCCCCCCCCCCCCCCCCCC4883EC284C8D442440",
	"il2cpp_class_is_enum":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC488991D0000000",
	"il2cpp_class_is_interface":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC488991D0000000",
	"il2cpp_class_is_inflated":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC488991D0000000",
	"il2cpp_class_get_fields":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC0FB681",
	"il2cpp_class_get_methods":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC0FB681",
	"il2cpp_field_get_name":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCB201",
	"il2cpp_assembly_get_image":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCB201",
	"il2cpp_method_get_name":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC0FB681",
	"il2cpp_image_get_assembly":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC0FB681",
	"il2cpp_domain_assembly_open":"48 8B CA E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC E9",
	"il2cpp_field_get_parent":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC0FB681",
	"il2cpp_image_get_assembly":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC0FB681",
	"il2cpp_method_get_class":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC0FB681",
	"il2cpp_class_get_nested_types":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC0FB681",
	"il2cpp_class_get_image":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCB201",
	"il2cpp_class_get_static_field_data":"488B81B8000000C3CCCCCCCCCCCCCC",
	"il2cpp_class_get_namespace":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC0FB681",
	"il2cpp_class_value_size":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC4883EC28E8????????488B4808",
	"il2cpp_class_instance_size":"E9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCCE9????????CCCCCCCCCCCCCCCCCCCCCC488991D0000000",
	"il2cpp_method_get_flags":"48 89 5C 24 ? 57 48 83 EC 20 48 8B DA 48 8B F9 48 85 D2 74 07",
	"il2cpp_object_unbox":"E9????????CCCCCCCCCCCCCCCCCCCCCCB818000000"
};
  2. Changed the "r" function to find them
function r(exportName, retType, argTypes) {
    // Normal resolution first: user-supplied table, real export, memory-snapshot API.
    let handle = globalThis.IL2CPP_EXPORTS?.[exportName]?.() ?? Il2Cpp.module.findExportByName(exportName) ?? Il2Cpp.memorySnapshotApi[exportName];
    if (!handle) {
        // Fallback: scan GameAssembly.dll for the signature recorded in _backupExports.
        const pat = _backupExports[exportName];
        if (!pat) {
            console.warn(`Pattern scan fucked up. ${exportName}`);
        } else {
            try {
                const results = Memory.scanSync(base.base, base.size, pat);
                if (results.length) {
                    // For these five exports the first hit is taken; for every other one the last hit.
                    const firstHit = ["il2cpp_class_get_type", "il2cpp_type_get_name", "il2cpp_method_get_param_count", "il2cpp_method_get_param_name", "il2cpp_method_get_param"];
                    handle = firstHit.includes(exportName) ? results[0].address : results[results.length - 1].address;
                } else {
                    console.warn(`Pattern scan fucked up. ${exportName} - 2`);
                }
            } catch (e) {
                console.warn(`${exportName}: ${e}`);
            }
        }
    }
    console.warn(`${exportName} - ${handle}`);
    return new NativeFunction(handle ?? raise(`couldn't resolve export ${exportName}`), retType, argTypes);
}

In my case the exports were removed, so I had to pattern scan for them. If you know the names, you can simply compare the obfuscated names with the ones you'd specify and replace the whole "try-catch" part with either a Module.enumerateExports or a Module.enumerateSymbols search to match the pairs.

P.S. If you're going to use the pattern scan method, note that Frida accepts "?" as a 2-byte option if you use Memory.patternScan; if you use patternScanSync, using a single question mark in place of a value equal to two bytes will give you an error whose explanation is not that straightforward, so I thought I would let you know.
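Added example, not code from this thread or from frida-il2cpp-bridge: a Frida-free helper for signature tables in the style of `_backupExports` above. It normalises unspaced runs and rejects a lone `?` (the P.S. case) before scanning, scans a constructed byte buffer with `??` wildcards, and refuses an ambiguous hit instead of taking the first or last one as the `r` function does. `THUNK`, `BODY_A`, `BODY_B`, `SAMPLE` and `THUNK_SIG` are constructed sample bytes, not taken from any binary.

```javascript
// Added example: signature normalisation, wildcard scan and uniqueness check
// for export tables like the one posted above. Runs without Frida.

// Turn "E9????????CC" or "E9 ?? ?? ?? ?? CC" into Frida's "E9 ?? ?? ?? ?? CC".
// Only whole-byte wildcards are accepted; a lone "?" is rejected up front.
function normalizePattern(sig) {
  const tokens = [];
  for (const run of sig.trim().split(/\s+/)) {
    if (run.length % 2 !== 0) {
      throw new Error(`odd-length run "${run}": write a wildcard byte as "??"`);
    }
    for (let i = 0; i < run.length; i += 2) {
      const tok = run.slice(i, i + 2).toUpperCase();
      if (!/^(?:[0-9A-F]{2}|\?\?)$/.test(tok)) {
        throw new Error(`bad token "${tok}" in pattern "${sig}"`);
      }
      tokens.push(tok);
    }
  }
  if (tokens.length === 0) throw new Error("empty pattern");
  return tokens.join(" ");
}

// Plain-JS stand-in for Memory.scanSync over a Uint8Array: returns every
// offset where the pattern matches (null entries are wildcards).
function scanBytes(bytes, sig) {
  const needle = normalizePattern(sig).split(" ").map(t => (t === "??" ? null : parseInt(t, 16)));
  const hits = [];
  for (let i = 0; i + needle.length <= bytes.length; i++) {
    let ok = true;
    for (let j = 0; j < needle.length && ok; j++) {
      if (needle[j] !== null && bytes[i + j] !== needle[j]) ok = false;
    }
    if (ok) hits.push(i);
  }
  return hits;
}

// Resolve a signature to exactly one offset. Picking results[0] or the last
// hit silently binds the wrong function when a signature is too short;
// failing loudly is the safer default.
function resolveUnique(bytes, sig) {
  const hits = scanBytes(bytes, sig);
  if (hits.length === 0) throw new Error("signature not found");
  if (hits.length > 1) throw new Error(`ambiguous signature, hits at ${hits.join(", ")}`);
  return hits[0];
}

// Constructed sample image (not real GameAssembly bytes): three 16-byte
// "E9 jmp + CC padding" thunks around two bodies that both begin 0F B6 81.
const THUNK = [0xE9, 0x11, 0x22, 0x33, 0x44, ...new Array(11).fill(0xCC)];
const BODY_A = [0x0F, 0xB6, 0x81, 0xD0, 0x00, 0x00, 0x00, 0xC3];
const BODY_B = [0x0F, 0xB6, 0x81, 0xE0, 0x00, 0x00, 0x00, 0xC3];
const SAMPLE = Uint8Array.from([...THUNK, ...BODY_A, ...THUNK, ...THUNK, ...BODY_B]);
const THUNK_SIG = "E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC";

// Resolve a whole table like _backupExports, collecting failures per name.
function resolveTable(bytes, table) {
  const resolved = {}, errors = {};
  for (const [name, sig] of Object.entries(table)) {
    try { resolved[name] = resolveUnique(bytes, sig); }
    catch (e) { errors[name] = e.message; }
  }
  return { resolved, errors };
}
```

On the sample, "0F B6 81" alone hits at offsets 16 and 56 and one leading thunk still leaves two hits (0 and 40); only the two-thunk signature resolves uniquely, to offset 24.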
