Open zzcc1002 opened 3 years ago
This works with Frida (script below):
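// One-shot trigger: the first open() of libil2cpp.so schedules memprotect() + libinject().
// Hooking open() observes every file the target process opens, so the callback is kept cheap
// and bails out as early as possible.
let found = false;
Interceptor.attach(Module.getExportByName(null, 'open'), {
  onEnter(args) {
    if (found) return;
    // open(NULL, ...) is possible at the ABI level; reading a string through a NULL
    // pointer must not be attempted, and a null path would make .includes() throw.
    const path = args[0].isNull() ? null : args[0].readUtf8String();
    if (!path?.includes('libil2cpp.so')) return;
    found = true;
    console.log('libil2cpp.so found');
    // NOTE(review): a fixed delay assumes the library has finished loading and
    // initialising within 5 s; there is no readiness signal here — confirm on slow
    // emulators. The hook itself stays attached after firing (only `found` gates it).
    setTimeout(() => {
      memprotect();
      libinject();
    }, 5_000);
  },
});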
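// Temporarily makes the libil2cpp.so mapping that contains `target` rwx so the injected
// library can patch it, then restores that mapping's ORIGINAL protection after 5 s.
// (Restoring 'r--' unconditionally, as the previous version did, would strip execute
// permission from a code mapping.)
//
// @param {NativePointer} target - address inside libil2cpp.so; defaults to the address
//   taken from the Il2CppDumper output. It is used as an absolute address.
//   NOTE(review): if the dumper value is image-relative, this needs
//   Module.findBaseAddress('libil2cpp.so').add(<offset>) under ASLR — confirm.
// @returns {boolean} true if a matching range was found and made rwx, false otherwise.
function memprotect(target = ptr(0x8CB17E8)) {
  // 'r--' is the minimum protection, so r-x and rw- ranges are enumerated as well.
  for (const range of Process.enumerateRanges('r--')) {
    // Anonymous mappings carry no `file`; guard before dereferencing it.
    if (!range.file?.path.includes('libil2cpp.so')) continue;
    const end = range.base.add(range.size);
    // Use NativePointer.compare(); relational operators on pointer objects are not
    // guaranteed to compare numerically.
    if (range.base.compare(target) > 0 || end.compare(target) <= 0) continue;
    const original = range.protection;
    if (!Memory.protect(range.base, range.size, 'rwx')) {
      console.log(`memprotect: failed to make ${range.base} (${range.size} bytes) rwx`);
      return false;
    }
    // Change back to whatever the mapping had before, not a fixed 'r--'.
    setTimeout(() => Memory.protect(range.base, range.size, original), 5_000);
    return true;
  }
  console.log(`memprotect: no libil2cpp.so range contains ${target}`);
  return false;
}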
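// Loads the helper library into the target process and calls its exported
// init_func(const char*), returning its int result.
//
// SECURITY: the library is read from /data/local/tmp, a directory any adb shell user can
// write to; whatever file sits at that path is executed inside the game process. Keep the
// file owned by root/shell with a non-writable mode, or pass a less exposed `libPath`.
//
// @param {string} libPath - filesystem path of the library to load.
// @returns {number} the int returned by init_func.
// @throws if the loader rejects the file or the export is missing.
function libinject(libPath = '/data/local/tmp/libinject.so') {
  // Module.load() returns the Module object, so resolve the export from it directly
  // instead of looking the library up again by name.
  const mod = Module.load(libPath);
  const initFunc = new NativeFunction(mod.getExportByName('init_func'), 'int', ['pointer']);
  // Keep the buffer referenced in a local for the duration of the (synchronous) call.
  const banner = Memory.allocUtf8String('init_func called, initializing');
  const rc = initFunc(banner);
  console.log(`init_func returned ${rc}`);
  return rc;
}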
Thank you very much, but I don't know how to use it.
Could you show me how in a tutorial video?
You need to learn how to work with Frida first.
I installed Frida on my computer, copied the x86 build of frida-server (my emulator uses that architecture) to /data/local/tmp, connected to the emulator with adb and started frida-server there (it needs root to attach to other processes).
I created a file inject.js with the code above and launched the game from a Windows cmd prompt:
frida -U -f your_game_name --no-pause -l inject.js   (replace your_game_name with the app's package name)
You can check the logs from EHook with (if you did not change the tag name):
adb logcat *:S MY_HOOK
chmod 755 stalker   # only the execute bit is needed; 777 would also make the binary world-writable
Thank you very much, but I don't know how to use it.
Could you show me how in a tutorial video?
This command requires root on the device — enable root first.
The tool does not work for me yet:
C:\Users\user\Desktop\Debug\adb>adb shell /data/local/tmp/stalker 3926
ptrace_attach: Operation not permitted
(EPERM from ptrace means the shell user is not permitted to trace that process — this is the root requirement mentioned above.)
How can I solve the problem?