nevermoe / EHook

A hooking framework for commercial Android emulators (雷电模拟器, NOX, BlueStacks).
GNU General Public License v2.0

ptrace_attach: Operation not permitted #2

Open zzcc1002 opened 3 years ago

zzcc1002 commented 3 years ago

C:\Users\user\Desktop\Debug\adb>adb shell /data/local/tmp/stalker 3926
ptrace_attach: Operation not permitted

How can I solve the problem?

MerzZly commented 3 years ago

It works with frida.

var found = false;
// Hook open(): the first open() of libil2cpp.so tells us the game is loading its code.
Interceptor.attach(Module.getExportByName(null, "open"), {
    onEnter(args) {
        if (found) return;
        const path = args[0].readUtf8String();
        if (path !== null && path.includes('libil2cpp.so')) {
            found = true;
            console.log('libil2cpp.so found');
            setTimeout(() => {
                memprotect();
                libinject();
            }, 5_000); // wait for the library to finish loading, just in case
        }
    }
});

function memprotect() {
    // Il2CppDumper reports addresses relative to the image base, so rebase onto
    // the loaded module instead of treating the value as an absolute pointer.
    const base = Module.findBaseAddress('libil2cpp.so');
    if (base === null) {
        console.log('libil2cpp.so is not loaded yet');
        return;
    }
    const search = base.add(0x8CB17E8); // address of a function from Il2CppDumper
    for (const range of Process.enumerateRanges('r--')) {
        // Anonymous mappings have no file entry; skip them before touching .path.
        if (!range.file || !range.file.path.includes('libil2cpp.so')) continue;
        // NativePointer values must be compared with compare(), not <= / <.
        if (range.base.compare(search) <= 0 && search.compare(range.base.add(range.size)) < 0) {
            const original = range.protection;
            Memory.protect(range.base, range.size, 'rwx');
            setTimeout(() => Memory.protect(range.base, range.size, original), 5_000); // change back
            break;
        }
    }
}

function libinject() {
    Module.load('/data/local/tmp/libinject.so');
    const init_func = new NativeFunction(Module.getExportByName('libinject.so', 'init_func'), 'int', ['pointer']);
    init_func(Memory.allocUtf8String('init_func called, initializing'));
}
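The memprotect step in the script above depends on two pieces of address arithmetic: turning the value Il2CppDumper prints into a runtime address, and finding the mapping that contains it. As an added example (not MerzZly's script and not EHook code), the following does that in plain Node.js over constructed /proc/<pid>/maps lines, so it can be run without an emulator; the module path, addresses and the 0x8CB17E8 value are assumed sample data. Inside Frida the same two steps are Module.findBaseAddress('libil2cpp.so') and Process.findRangeByAddress().

```javascript
// Added example (not from the thread): rebase an Il2CppDumper address onto the
// loaded libil2cpp.so and locate the mapping that contains it, working from the
// /proc/<pid>/maps text format. All addresses below are constructed sample data.

const PAGE_SIZE = 0x1000n;

// Constructed sample of /proc/<pid>/maps output (made-up addresses and inode).
const SAMPLE_MAPS = `
12c00000-12d00000 rw-p 00000000 00:00 0          [anon:dalvik-main space]
b6f00000-b7f00000 r--p 00000000 fd:00 1234       /data/app/com.example.game/lib/x86/libil2cpp.so
b7f00000-c4000000 r-xp 01000000 fd:00 1234       /data/app/com.example.game/lib/x86/libil2cpp.so
c4000000-c4400000 rw-p 0d100000 fd:00 1234       /data/app/com.example.game/lib/x86/libil2cpp.so
c4400000-c4500000 rw-p 00000000 00:00 0
`;

// Parse one maps line into { start, end, perms, offset, path }; path is null
// for anonymous mappings, which is exactly the case a naive .path access trips over.
function parseMapsLine(line) {
  const m = /^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$/.exec(line.trim());
  if (!m) return null;
  return {
    start: BigInt('0x' + m[1]),
    end: BigInt('0x' + m[2]),
    perms: m[3],
    offset: BigInt('0x' + m[4]),
    path: m[5] || null,
  };
}

function parseMaps(text) {
  return text.split('\n').map(parseMapsLine).filter((r) => r !== null);
}

// Module base = lowest mapping start whose path ends with the module name.
function findModuleBase(ranges, moduleName) {
  const hits = ranges.filter((r) => r.path !== null && r.path.endsWith('/' + moduleName));
  if (hits.length === 0) return null;
  return hits.reduce((lo, r) => (r.start < lo ? r.start : lo), hits[0].start);
}

// Il2CppDumper's VA/RVA values for an ELF are relative to an image base of 0,
// so the runtime address is module base + that value.
function rebase(ranges, moduleName, rva) {
  const base = findModuleBase(ranges, moduleName);
  return base === null ? null : base + BigInt(rva);
}

// Containing mapping: start <= addr < end (half-open interval).
function findRangeContaining(ranges, addr) {
  return ranges.find((r) => r.start <= addr && addr < r.end) || null;
}

// Page-align a [addr, addr+len) span, as a protection change must cover whole pages.
function alignToPages(addr, len) {
  const start = addr & ~(PAGE_SIZE - 1n);
  const end = ((addr + BigInt(len) + PAGE_SIZE - 1n) / PAGE_SIZE) * PAGE_SIZE;
  return { start, size: end - start };
}

// Worked run over the sample: rebase 0x8CB17E8, find its mapping, align 16 bytes.
function demo() {
  const ranges = parseMaps(SAMPLE_MAPS);
  const target = rebase(ranges, 'libil2cpp.so', 0x8CB17E8);
  const range = findRangeContaining(ranges, target);
  return {
    target,
    rangeStart: range.start,
    perms: range.perms,
    aligned: alignToPages(target, 16),
  };
}

const result = demo();
console.log('target 0x' + result.target.toString(16) + ' lies in the ' + result.perms +
  ' mapping at 0x' + result.rangeStart.toString(16));
```

With the sample above the rebased address lands in the r-xp mapping, which is the segment you would expect executable code to live in; if the result lands in an r--p or rw-p segment, or in no libil2cpp.so mapping at all, the value being rebased is not a code address and the protection change should not be applied.
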

zzcc1002 commented 3 years ago

Thank you very much. But I don't know how to use it.

Could you let me know through the tutorial video?

MerzZly commented 3 years ago

You need to learn how to work with frida.

I installed frida on my computer and copied frida-server for x86 (because my emulator works on this platform) to /data/local/tmp. Then I connected to the emulator with adb and ran frida-server.

I created a file inject.js with the code above and ran the game from cmd on Windows: frida -U -f your_game_name --no-pause -l inject.js

You can check logs from EHook with (if you didn't change the tag name): adb logcat *:S MY_HOOK

PettterWang commented 2 years ago

chmod 777 stalker

MafiaBoys commented 2 years ago

Thank you very much. But I don't know how to use it.

Could you let me know through the tutorial video?

This command requires root on the device. Turn on root.

MafiaBoys commented 2 years ago

The script is not working perfectly