MJx0 / KittyMemory

This library aims for runtime code patching for both Android and iOS
MIT License
307 stars, 109 forks

Edit memory on virtualApp at runtime #1

Closed Aghisna12 closed 5 years ago

Aghisna12 commented 5 years ago

Does this code work on VirtualApp?

I used "/proc/pid/maps" (the pid is from the running game inside VirtualApp). I have tried it in VirtualApp; getAbsoluteAddress = address (load_bias + offset of libil2cpp) in maps is right, but memWrite & memRead do not hit the appropriate address.

Thanks for this awesome source!

[UPDATE] Sorry, it turns out memcpy only writes inside VirtualApp :)

MJx0 commented 5 years ago

Did you check return value of libil2cpp base address?

Aghisna12 commented 5 years ago

I'm trying to use the self process, via "/proc/self/maps" in my virtual. Without hooking dlopen (loadLibrary) in the target game process, Kitty only patches the memory address in my virtual, not in the game lib.

I don't know how to load Kitty on /proc/(target pid)/maps.

Sorry for my bad English.

MJx0 commented 5 years ago

You need to load the library in game process. Edit the apk or inject with ptrace.

Aghisna12 commented 5 years ago

Unlucky for me: my injector fails to attach to the target game with ptrace, but with another game my injector injects my lib successfully. I think my tested game has anti-ptrace. My target game also has a signature checker in native code against APK editing. I will try to hook a target game class to call loadLibrary.

MJx0 commented 5 years ago

Maybe there's work around with library preload instead of injection. I haven't tried it.

Aghisna12 commented 5 years ago

Umm, thanks... but your Mono Toolkitten for root isn't open source.

MJx0 commented 5 years ago

It uses ptrace to inject, not very special.

Aghisna12 commented 5 years ago

OK, thanks...

jbro129 commented 4 years ago

VirtualApp hooks dlopen for loading the libs. That is why all the libs loaded within, besides libva++.so, are not listed in /proc/pid/maps of the app. https://github.com/asLody/VirtualApp/blob/master/VirtualApp/lib/src/main/jni/Foundation/IOUniformer.cpp line 639. I noticed there is a void onSoLoaded(const char *name, void *handle) {} on line 78. Maybe by modifying it to the following it could be used to get the base library's address.

void onSoLoaded(const char *name, void *handle)
{
    if (strstr(name, "lib name")) // libil2cpp.so
    {
        ...
    }
}

The handle parameter is the library's base address. Look at lines 580 and 581, 590 and 591, and 601 and 602. The onSoLoaded function is called after each orig_dlopen. MemoryPatcher does not allow you to use MemoryPatch or MemoryPatch::createWithHex with the base lib address already defined. Maybe KittyMemory can include this? A MemoryPatch function that takes the handle base address as a parameter instead of the library's name to find the base address itself?

void onSoLoaded(const char *name, void *handle)
{
    if (strstr(name, "lib name")) // libil2cpp.so
    {
        // proposed overloads that take a base address instead of a library name
        MemoryPatch mod = MemoryPatch(handle, 0x6A6144, "\x01\x00\xA0\xE3\x1E\xFF\x2F\xE1", 8);
        MemoryPatch mod2 = MemoryPatch::createWithHex(handle, 0x6A6144, "0100A0E31EFF2FE1");
    }
}

I haven't tested this, so I am not sure if this will make everything work the way you want. I've looked into this specific issue myself (the fact that libs used within VirtualApp don't appear in the process's /proc/pid/maps file). This is what I've come across.

MJx0 commented 4 years ago

The il2cpp lib will load into the game process's maps, not VirtualApp's. You need to use /proc/gamepid/maps instead of the self process, unless you are executing your code in the game process.
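The two mechanics this thread turns on, as an added example written for this page (editor's code, not KittyMemory's or VirtualApp's): resolving a library's load base from a /proc/<pid>/maps listing and forming base + offset the way Aghisna12 computes getAbsoluteAddress, and then applying a hex patch of the kind jbro129's proposed MemoryPatch overloads would take. The maps text, the library path and the 0x144 offset are constructed for the demo; the patch bytes are the ones from the thread.

```cpp
// Added example (editor's code, not part of KittyMemory or VirtualApp):
// find a library's base in a /proc/<pid>/maps listing, then write a
// hex-encoded patch at base + offset. Only the maps lookup works across
// processes; memcpy only ever touches the calling process, which is MJx0's
// point about /proc/self/maps versus /proc/gamepid/maps.
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <fstream>
#include <sstream>
#include <string>
#include <vector>
#include <sys/mman.h>
#include <unistd.h>

// Constructed sample (not captured from a device). The decoy "xlibil2cpp.so"
// exercises the exact-filename check.
static const char *SAMPLE_MAPS =
    "12c00000-12c10000 rw-p 00000000 00:00 0      [anon:dalvik-main space]\n"
    "7a3a000000-7a3a001000 r--p 00000000 fd:00 9     /data/local/tmp/xlibil2cpp.so\n"
    "7a3b000000-7a3b100000 r--p 00000000 fd:00 1234  /data/app/com.example/lib/arm64/libil2cpp.so\n"
    "7a3b100000-7a3b600000 r-xp 00100000 fd:00 1234  /data/app/com.example/lib/arm64/libil2cpp.so\n";

// Base of the first mapping whose path is exactly ".../<libname>" and whose
// file offset is 0 (the mapping holding the ELF header). Returns 0 when the
// library is absent from this listing, which is what you get from
// /proc/self/maps when the library lives in another process.
uintptr_t find_base(const std::string &maps, const std::string &libname) {
    std::istringstream in(maps);
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream ls(line);
        std::string range, perms, offset, dev, inode, path;
        if (!(ls >> range >> perms >> offset >> dev >> inode)) continue;
        ls >> path;                               // empty for anonymous mappings
        if (path.size() <= libname.size()) continue;
        size_t cut = path.size() - libname.size();
        if (path[cut - 1] != '/' || path.compare(cut, std::string::npos, libname) != 0) continue;
        if (std::strtoull(offset.c_str(), nullptr, 16) != 0) continue;
        return static_cast<uintptr_t>(std::strtoull(range.c_str(), nullptr, 16)); // stops at '-'
    }
    return 0;
}

// Whole maps listing for "self" or a numeric pid you are allowed to read.
std::string read_maps(const std::string &pid) {
    std::ifstream f("/proc/" + pid + "/maps");
    std::stringstream ss;
    ss << f.rdbuf();
    return ss.str();
}

// "0100A0E31EFF2FE1" -> {0x01,0x00,0xA0,...}; odd length or a non-hex digit yields {}.
std::vector<uint8_t> hex_to_bytes(const std::string &hex) {
    std::vector<uint8_t> out;
    if (hex.size() % 2 != 0) return out;
    for (size_t i = 0; i < hex.size(); i += 2) {
        if (!std::isxdigit(static_cast<unsigned char>(hex[i])) ||
            !std::isxdigit(static_cast<unsigned char>(hex[i + 1]))) return {};
        out.push_back(static_cast<uint8_t>(std::strtoul(hex.substr(i, 2).c_str(), nullptr, 16)));
    }
    return out;
}

// Write bytes at base + offset in the calling process. The pages get
// final_prot plus PROT_WRITE for the copy (so a live r-x text page stays
// executable for other threads), then final_prot. Fails if nothing is mapped
// there, which is what happens when "base" came from another process's maps.
bool patch_in_process(uintptr_t base, uintptr_t offset,
                      const std::vector<uint8_t> &bytes, int final_prot) {
    if (bytes.empty()) return false;
    uintptr_t addr = base + offset;
    uintptr_t page = static_cast<uintptr_t>(sysconf(_SC_PAGESIZE));
    uintptr_t start = addr & ~(page - 1);
    uintptr_t end = (addr + bytes.size() + page - 1) & ~(page - 1);
    void *p = reinterpret_cast<void *>(start);
    if (mprotect(p, end - start, final_prot | PROT_WRITE) != 0) return false;
    std::memcpy(reinterpret_cast<void *>(addr), bytes.data(), bytes.size());
    return mprotect(p, end - start, final_prot) == 0;
}

// Demo: resolve the base in the constructed listing, then patch a private
// page standing in for the mapped library at a small offset (0x144 here
// instead of the thread's 0x6A6144) and verify the bytes landed.
bool demo(void) {
    if (find_base(SAMPLE_MAPS, "libil2cpp.so") != 0x7a3b000000ULL) return false;
    const uintptr_t off = 0x144;
    std::vector<uint8_t> code = hex_to_bytes("0100A0E31EFF2FE1"); // ARM: mov r0,#1 ; bx lr
    size_t page = static_cast<size_t>(sysconf(_SC_PAGESIZE));
    void *fake = mmap(nullptr, page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (fake == MAP_FAILED) return false;
    bool ok = patch_in_process(reinterpret_cast<uintptr_t>(fake), off, code, PROT_READ | PROT_WRITE);
    ok = ok && std::memcmp(static_cast<uint8_t *>(fake) + off, code.data(), code.size()) == 0;
    munmap(fake, page);
    return ok;
}

int main() {
    // In this process libil2cpp.so is absent, so the lookup yields 0: the same
    // result the thread hit when reading /proc/self/maps for a lib in another pid.
    std::printf("libil2cpp.so in /proc/self/maps: %#lx\n",
                static_cast<unsigned long>(find_base(read_maps("self"), "libil2cpp.so")));
    std::printf("demo patch: %s\n", demo() ? "ok" : "failed");
    return demo() ? 0 : 1;
}
```

To target a game, pass its pid to read_maps and run patch_in_process from code that is already inside that process (injected or loaded from the APK), since a memcpy in your own process cannot reach its pages. One caveat on jbro129's proposal: on Android's bionic linker the value dlopen returns is an opaque handle (a soinfo pointer on older releases, a tagged value since Android 7), not the load base, so the example resolves the base from maps rather than from the handle.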