vfsfitvnm / frida-il2cpp-bridge

A Frida module to dump, trace or hijack any Il2Cpp application at runtime, without needing the global-metadata.dat file.
https://github.com/vfsfitvnm/frida-il2cpp-bridge/wiki
MIT License

The problem with the dump of structures #167

Closed kruvcraft21 closed 2 years ago

kruvcraft21 commented 2 years ago

Hi, after the dump was formed, I decided to work with the structures. In all structures, the field offset does not start from 0x0, but from 0x10 for arm64 and 0x8 for arm:

// Arm64
// Assembly-CSharp
struct Str : System.ValueType
{
    System.String field1; // 0x10
    System.Int32 field2; // 0x18
}

// Arm
// Assembly-CSharp
struct Str : System.ValueType
{
    System.String field1; // 0x8
    System.Int32 field2; // 0xc
}

it should be like this:

// Arm64
// Assembly-CSharp
struct Str : System.ValueType
{
    System.String field1; // 0x0
    System.Int32 field2; // 0x8
}

// Arm
// Assembly-CSharp
struct Str : System.ValueType
{
    System.String field1; // 0x0
    System.Int32 field2; // 0x4
}

vfsfitvnm commented 2 years ago

Hi, why would you expect these offsets to start from zero? What are the advantages? il2cpp api returns the "wrong" offsets also.

Moreover, structs can be boxed to objects, so I would have to check if a certain object is a boxed struct before retrieving fields: this is certainly uglier than the adopted solution (= always subtract Il2CppObject size (16, 8) when it's an Il2Cpp.ValueType).

Also, this can't be a "dump only" thing.

kruvcraft21 commented 2 years ago

okay