Perfare / Il2CppDumper

Unity il2cpp reverse engineer
MIT License

FGO Waltz #343

Closed chrrox closed 3 years ago

chrrox commented 3 years ago

Initializing metadata...
Metadata Version: 24.1
Initializing il2cpp file...
Applying relocations...
WARNING: find SHT_LOUSER section
ERROR: This file may be protected.
Il2Cpp Version: 24.1
Searching...
CodeRegistration : 0
MetadataRegistration : 0
ERROR: No symbol is detected
ERROR: Can't use auto mode to process file, try manual mode.
Input CodeRegistration:

https://github.com/chrrox/fgowaltz/blob/master/libil2cpp.7z https://github.com/chrrox/fgowaltz/blob/master/global-metadata.dat

Perfare commented 3 years ago

WARNING: find SHT_LOUSER section ERROR: This file may be protected.

https://github.com/Perfare/Il2CppDumper#error-this-file-may-be-protected
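As an added illustration (not code from Il2CppDumper or from this thread), the kind of section-table scan behind the "find SHT_LOUSER section" warning: a section whose type falls in the application-specific range starting at SHT_LOUSER (0x80000000) is not something a normal toolchain emits, so its presence is a hint that a packer or protector has rewritten the binary. The sample image is constructed inline, and the comparison "at or above SHT_LOUSER" is an assumption about the exact test the tool performs.

```python
import struct

SHT_LOUSER = 0x80000000  # start of the application-specific section type range


def find_user_sections(elf: bytes):
    """Return (index, sh_type) for every section whose type is >= SHT_LOUSER.

    Handles ELF32 and ELF64 in either byte order; only the ELF header and the
    section header table are read, so a protected file with a bogus section
    table still parses.
    """
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2          # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"  # EI_DATA: 1 = little endian
    if is64:
        (shoff,) = struct.unpack_from(end + "Q", elf, 0x28)
        shentsize, shnum = struct.unpack_from(end + "HH", elf, 0x3A)
    else:
        (shoff,) = struct.unpack_from(end + "I", elf, 0x20)
        shentsize, shnum = struct.unpack_from(end + "HH", elf, 0x2E)
    hits = []
    for i in range(shnum):
        off = shoff + i * shentsize
        (sh_type,) = struct.unpack_from(end + "I", elf, off + 4)  # sh_type follows sh_name
        if sh_type >= SHT_LOUSER:
            hits.append((i, sh_type))
    return hits


def may_be_protected(elf: bytes) -> bool:
    """True when the file would trip the 'This file may be protected' warning."""
    return bool(find_user_sections(elf))


def build_sample_elf(section_types):
    """Constructed ELF64 little-endian image: header plus a section table only."""
    shoff = 0x40
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    # e_type, e_machine(AArch64), e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 0xB7, 1, 0, 0, shoff, 0,
                              0x40, 0x38, 0, 0x40, len(section_types), 0)
    shdrs = b"".join(struct.pack("<IIQQQQIIQQ", 0, t, 0, 0, 0, 0, 0, 0, 0, 0)
                     for t in section_types)
    return hdr + shdrs


if __name__ == "__main__":
    packed = build_sample_elf([0, 1, 0x80000000])   # null, PROGBITS, user-defined
    print(find_user_sections(packed), may_be_protected(packed))
```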

chrrox commented 3 years ago

I defined this.

#define GamePackageName "com.aniplex.fgowaltz"
#define UnityVersion 2018.4.18f1
// 2018.4.18f1(v24.1) and up enable it
#define VersionAboveV24

return atoi(prop_value); - said it was undefined so I added.

static int atoi(char value[92]);

static int atoi(char value[92]) { return 0; }

It built successfully but it is not dumping anything.

Perfare commented 3 years ago

First of all, I suggest you use GameGuardian first, Riru-Il2CppDumper is just an alternative because it requires you to install Android Studio. Then, if you have any questions about Riru-Il2CppDumper, please go to the issue of Riru-Il2CppDumper. Finally, it is obvious that there is a problem with your compilation environment. You cannot simply let this function return 0, because it is a conversion function from string to number.

chrrox commented 3 years ago

The game has anti root I can't get a good dump with the module loaded. I got your plugin to dump the dump.cs. I had to include

#include <cstdlib>

in hook.cpp

Is there another way to dump the decrypted .so module?

Perfare commented 3 years ago

I am confused about this behavior; it has obviously been added to hook.cpp. https://github.com/Perfare/Riru-Il2CppDumper/blob/34f01a1f3566c0e2998fc3c860b7d0ec43486dda/module/src/main/cpp/hook.cpp#L7 Because you can use Riru-Il2CppDumper, I think you should have Magisk installed, and you can bypass root detection by using Magisk Hide. Also, when using GameGuardian, please don't forget to check the option to hide GameGuardian from the game.

chrrox commented 3 years ago

Magisk Hide works and the game launches, but then GameGuardian does not seem to be able to access the process. GameGuardian dumps some files and also sometimes crashes, but 99% of the file is 0's. Maybe Android Studio changed the name in the newest version to cstdlib? https://i.snipboard.io/9iwhIL.jpg

I managed to get an iOS IPA dump using Frida and was able to scan it with your tool. Loading it into Ghidra now.

neobenedict commented 3 years ago

Game guardian cannot access the process because crackproof (the commercial protector) forks itself and ptraces the original process, and you cannot ptrace a process already being ptraced, it is an anti-RE feature. However, killing the child process gives you a 1-2 second window to attach your debugger to the main process and dump memory, before the application notices the second process is missing and closes itself.

I never tried it but if you can emulate the child process somehow (perhaps in the process list available to the main app) you can probably bypass this closing mechanism. You might need to hook syscalls so good luck.

You could also maybe find the crackproof watchdog thread and kill/suspend just that thread like http://www.giovanni-rocca.com/cracking-the-uncrackables-reverse-engineering-supercell-part-7/ did, but that is quite advanced.

The encryption/packer itself is extremely advanced and obfuscated and you will have no luck trying to reverse it and decrypt manually.