djkaty / Il2CppInspector

Powerful automated tool for reverse engineering Unity IL2CPP binaries
http://www.djkaty.com
GNU Affero General Public License v3.0
2.62k stars 433 forks

Address of il2cpp export functions are not the same in scaffold project and json file #200

Closed BobH233 closed 2 years ago

BobH233 commented 2 years ago

As the title says, when I generate the scaffold project and look at il2cpp-api-functions-ptr.h, the export function addresses look like this:

#define il2cpp_domain_get_ptr 0x080D21C0
#define il2cpp_domain_get_assemblies_ptr 0x080D21D0

but in metadata.json, the virtual address is not the same

      {
        "virtualAddress": "0x00000001880D2DC0",
        "name": "il2cpp_domain_get",
        "signature": "Il2CppDomain * il2cpp_domain_get()"
      },
      {
        "virtualAddress": "0x00000001880D2DD0",
        "name": "il2cpp_domain_get_assemblies",
        "signature": "Il2CppAssembly * * il2cpp_domain_get_assemblies(Il2CppDomain * domain, size_t * size)"
      }

After calculating, all the il2cpp export function pointers in metadata.json have an offset of 0xC00 over the ones in il2cpp-api-functions-ptr.h.

And after viewing in IDA, I found that the virtual address in il2cpp-api-functions-ptr.h is right.

I don't know whether it's my fault or a bug in Il2CppInspector. Can anyone help me figure it out? Thanks!

Darkratos commented 2 years ago

That happens because the decompilers need an absolute address. Since the base doesn't change in the decompiler, it gets the default one (0x180000000). As for the scaffold, you need to consider that the base may change, so you need to add the base address (just use GetModuleHandle on GameAssembly.dll and cast it to a uintptr_t) to the offset in the defines. If you want to know more, look for ASLR on Google. Hope this helps and good luck!

BobH233 commented 2 years ago

> That happens because the decompilers need an absolute address. Since the base doesn't change in the decompiler, it gets the default one (0x180000000). As for the scaffold, you need to consider that the base may change, so you need to add the base address (just use GetModuleHandle on GameAssembly.dll and cast it to a uintptr_t) to the offset in the defines. If you want to know more, look for ASLR on Google. Hope this helps and good luck!

Yes, you are right. In the scaffold, the address is relative. But for metadata.json, when you calculate the relative address of il2cpp_domain_get as "0x00000001880D2DC0 - 0x180000000 = 0x80D2DC0", it means that metadata.json tells me il2cpp_domain_get = GameAssembly.dll + 0x80D2DC0. However, the scaffold tells me that il2cpp_domain_get = GameAssembly.dll + 0x80D21C0.

I mean that the two relative addresses differ (0x80D2DC0 ≠ 0x80D21C0).
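The rebasing step Darkratos describes (module base from GetModuleHandle plus the scaffold offset) and the RVA comparison BobH233 does by hand, as an added example; this is not code from Il2CppInspector or from either commenter. It assumes the values quoted in this thread (the scaffold define 0x080D21C0, the JSON virtual address 0x1880D2DC0 and the default image base 0x180000000), a 64-bit build, and a constructed sample module base when not running inside the game process:

```c
/* Added example, not part of Il2CppInspector or this thread.
 * Shows (1) turning a metadata.json virtual address back into an RVA,
 * (2) rebasing a scaffold offset onto the real module base under ASLR,
 * (3) measuring the gap between the two candidate RVAs from the thread. */
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

typedef struct Il2CppDomain Il2CppDomain;           /* opaque, as in the scaffold */
typedef Il2CppDomain *(*il2cpp_domain_get_t)(void); /* signature from metadata.json */

#define PREFERRED_IMAGE_BASE   0x180000000ULL        /* default base used by metadata.json */
#define il2cpp_domain_get_ptr  0x080D21C0            /* value quoted from il2cpp-api-functions-ptr.h */
#define JSON_il2cpp_domain_get 0x00000001880D2DC0ULL /* value quoted from metadata.json */

/* metadata.json virtual address -> image-relative offset (RVA). */
uint64_t json_va_to_rva(uint64_t va) {
    return va - PREFERRED_IMAGE_BASE;
}

/* RVA -> runtime address, given the base the loader actually chose. */
uintptr_t rebase(uintptr_t module_base, uint64_t rva) {
    return module_base + (uintptr_t)rva;
}

/* Absolute difference between the JSON-derived RVA and the scaffold RVA. */
uint64_t rva_delta(uint64_t json_va, uint64_t scaffold_rva) {
    uint64_t json_rva = json_va_to_rva(json_va);
    return json_rva > scaffold_rva ? json_rva - scaffold_rva : scaffold_rva - json_rva;
}

/* Runtime base of GameAssembly.dll when running inside the game process;
 * returns 0 elsewhere so the caller can substitute a sample base. */
uintptr_t gameassembly_base(void) {
#ifdef _WIN32
    return (uintptr_t)GetModuleHandleA("GameAssembly.dll");
#else
    return 0;
#endif
}

int main(void) {
    uintptr_t base = gameassembly_base();
    if (base == 0)
        base = (uintptr_t)0x7FF6A0000000ULL; /* constructed sample base, assumption for illustration */

    printf("json RVA     = 0x%llx\n", (unsigned long long)json_va_to_rva(JSON_il2cpp_domain_get));
    printf("scaffold RVA = 0x%llx\n", (unsigned long long)il2cpp_domain_get_ptr);
    printf("delta        = 0x%llx\n",
           (unsigned long long)rva_delta(JSON_il2cpp_domain_get, il2cpp_domain_get_ptr));

    /* The scaffold define is an offset, never an absolute address: rebase before use. */
    il2cpp_domain_get_t domain_get = (il2cpp_domain_get_t)rebase(base, il2cpp_domain_get_ptr);
    printf("il2cpp_domain_get at runtime = %p\n", (void *)domain_get);
    /* Only call domain_get() from inside the game process, where base is real. */
    return 0;
}
```

Which of the two RVAs is the right one cannot be decided by arithmetic alone; as the thread notes, the check is to confirm the address in IDA/Ghidra or CheatEngine against the live process.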

BobH233 commented 2 years ago

And when viewing the code in decompilers and in CheatEngine, I found that the address provided by the scaffold is right.

Darkratos commented 2 years ago

Oh, then there must be something we're not seeing. Can you confirm that the json address is right in IDA/Ghidra? If it is, then the baseaddr was most likely modified by the creator of the game you're analysing.

BobH233 commented 2 years ago

Actually, the json address is wrong, and the header of the scaffold project provides the correct address. Maybe the game developer modified the game, if it's not a bug in Il2CppInspector.