Issues with scan on 2021.3.19

[sanktanglia]

So i got pointed to this project and ive been working with it and got it building, but on this particular version the scan isnt hit. Is there a specific method in UnityPlayer.dll that scan is supposed to find?

[extremeblackliu]

its still under dev, im reworking with it. i dont have time rn because i have job. there are just 3 things you need, iirc all of them can be found by exported functions. the signatures are totally broken in other version of unityengine(mayb even structs). im still looking for good way to get those needed data in proper way. thats why i need rework with it, but why not use internal version for now if you want to get it working? but anyway, if you want to continue using it, i will take the time to check out this Unity version for you later

[sanktanglia]

I need an external reader, as I'm distributing an app for a game the developers would rather we not inject in. I'm capable of reversing and figuring out the structs and other changes needed to make it work and I can contribute back whatever would be helpful. The assemblies scan seems to be working but not the other 2. Is the gom scan just pointing to the get object manager function? And what about the Third signature? Thanks for the help

[extremeblackliu]

this is reasonable. but i took fast look at newer UnityPlayer.dll, the global pointer to GameObjectManger is gone. its somehow removed, in older unity version like 2019, the internal functions of unityplayer.dll are based on the function GetGameObjectManager and the function will returns the GameObjectManager::s_Instance. (this could be big internal struct changes in newer unity versions) in other words, this problem cannot be solved in the short term. i recently returned from busy and just start rework on the library like 1 week ago. for the reason, i recommend you go internal way with maybe hijack method like version.dll. is the reason why dont you do that is anti-cheat?

[sanktanglia]

I appreciate the info on the internal version but i dont mind waiting/assisting with the external version. Im looking at 2021.3.19 in ida and i see a GetGameObjectManager call(48 8B 05 69 95 82 01 C3) so im going to try out using that one for my test fork. For the last scan, the one that points to the classes table, I see in GameAssembly il2cpp_class_for_each which seems like it iterates over a list of class objects, is this the one?

[sanktanglia]

Also it looks like in between the version you wrote this and 2021.3.19 they removed the offset field from the class struct, so im still trying to track down how that works now edit: tracked down this part and got it working but the classes arent being found properly so i need to check those structs and double check the pointer im using for the class table

[extremeblackliu]

well, since you insist, you can download the corresponding unity version and then build the debug binary and there will be the pdb file there. maybe the internal structure needs to be split in different files by unity version later. im sorry about for no help, that im busy with other projects so me usually only update this project when i have free time.

[sanktanglia]

No sorry needed, I appreciate the base to start from, ill push up a pull request once i have things working on this updated unity version, ive already got the pdbs and headers and found a il2cpp source ref thats closer to the new version so im making some progress, just trying to track down the class table offset

[sanktanglia]

Could you post the GameAssembly and metadata for the 2019.4.31 VRChat so I can see what the pattern you based on applies to inside UnityPlayer so i can better replicate it in the new version?

[extremeblackliu]

i dont have older gameassembly or metadata, instead i could bring you an idb if you want

[sanktanglia]

sure thatd be appreciated, im trying to track down an older version of vrchat so i can try and better determine which method you were hooking before

[extremeblackliu]

ida 7.4+, expires under 24h, glhf with it https://workupload.com/file/kLfBYWKtRT6

[sanktanglia]

much appreciated btw, ive managed to get assembly and type walking working though im still trying to nail down exactly how to get the class table offset

[sanktanglia]

Ive gotten pretty much everything I wanted in my own lib now after learning alot from yours, the only thing i havent been able to track down is a good way to get the class table in the newer versions of unity, the code seems quite a bit different. Let me know if you have a chance to look at that and if you find a reliable way to get a pointer to the class table. Thanks!

[sanktanglia]

should have just spent more time on it before asking you but i got it //find the function calling global-metadata.dat //class_table = (__int64)j_j__calloc_base((int )(qword_183A403A0 + 164) / 0x58ui64, 8ui64); var classTablePointer = scanner.FindPattern("48 F7 E1 48 8B CA BA 08 00 00 00 48 C1 E9 04 ? ? ? ? ? 48 89 05 ? ? ? ?", out time);

[extremeblackliu]

hi, sorry for late response, thanks for information, i will check it when i got free time.