vfsfitvnm / frida-il2cpp-bridge

A Frida module to dump, trace or hijack any Il2Cpp application at runtime, without needing the global-metadata.dat file.
https://github.com/vfsfitvnm/frida-il2cpp-bridge/wiki
MIT License

abort was called, when do nothing, just hook #198

Closed 350030173 closed 2 years ago

350030173 commented 2 years ago
    // Image 62: AddressablesPlayAssetDelivery.dll - 9070
    // Namespace: AddressablesPlayAssetDelivery
    public class PlayAssetDeliveryAssetBundleProvider : AssetBundleProvider // TypeDefIndex: 9077
    private void CheckDownloadStatus(AndroidAssetPackInfo info); // 0x26E8ED0

When hooking the method:

script:

    import "frida-il2cpp-bridge";

    Il2Cpp.perform(() =>
    {
        // Resolve the image and class that declare the method to hook.
        var mydll = Il2Cpp.Domain.assembly("AddressablesPlayAssetDelivery").image;
        var myClass = mydll.class("AddressablesPlayAssetDelivery.PlayAssetDeliveryAssetBundleProvider");
        // Replace the implementation: log the argument, then call the original method.
        myClass.method("CheckDownloadStatus").implementation = function (AndroidAssetPackInfo)
        {
            console.log("AndroidAssetPackInfo:" + AndroidAssetPackInfo);
            var ret = this.method("CheckDownloadStatus").invoke(AndroidAssetPackInfo);
            return ret;
        };
    });

output:

    Error: abort was called
        at invokeRaw (node_modules/frida-il2cpp-bridge/dist/il2cpp/structs/method.js:166)
        at <anonymous> (在我们之间.ts:44)
        at call (native)
        at callback (node_modules/frida-il2cpp-bridge/dist/il2cpp/structs/method.js:116)

the game url: https://apkpure.com/cn/among-us-mobile/com.innersloth.spacemafia

vfsfitvnm commented 2 years ago

If you install an exception listener:

    Il2Cpp.installExceptionListener("all");

This is what it will print:

    il2cpp: System.Exception: Provider of type AddressablesPlayAssetDelivery.PlayAssetDeliveryAssetBundleProvider with id AddressablesPlayAssetDelivery.PlayAssetDeliveryAssetBundleProvider has provided a result of type AddressablesPlayAssetDelivery.PlayAssetDeliveryAssetBundleProvider which cannot be converted to requested type UnityEngine.ResourceManagement.ResourceProviders.IAssetBundleResource. The operation will be marked as failed.
      at UnityEngine.ResourceManagement.AsyncOperations.ProviderOperation`1[TObject].ProviderCompleted[T] (T result, System.Boolean status, System.Exception e) [0x00000] in <00000000000000000000000000000000>:0
      at AddressablesPlayAssetDelivery.PlayAssetDeliveryAssetBundleProvider.CheckDownloadStatus (UnityEngine.Android.AndroidAssetPackInfo info) [0x00000] in <00000000000000000000000000000000>:0
    il2cpp: System.NullReferenceException: Object reference not set to an instance of an object.
      at AddressableLoadWrapper`1+<LoadGameObject>d__3[T].MoveNext () [0x00000] in <00000000000000000000000000000000>:0
      at UnityEngine.SetupCoroutine.InvokeMoveNext (System.Collections.IEnumerator enumerator, System.IntPtr returnValueAddress) [0x00000] in <00000000000000000000000000000000>:0
    il2cpp: System.NullReferenceException: Object reference not set to an instance of an object.
      at HatParent.PopulateFromHatViewData () [0x00000] in <00000000000000000000000000000000>:0
      at HatParent+<>c__DisplayClass26_0.<SetHat>b__0 (HatViewData viewData) [0x00000] in <00000000000000000000000000000000>:0
      at System.Action`1[T].Invoke (T obj) [0x00000] in <00000000000000000000000000000000>:0
      at AddressableLoadWrapper`1+<CoLoadViewData>d__1[T].MoveNext () [0x00000] in <00000000000000000000000000000000>:0
      at UnityEngine.SetupCoroutine.InvokeMoveNext (System.Collections.IEnumerator enumerator, System.IntPtr returnValueAddress) [0x00000] in <00000000000000000000000000000000>:0

It also happens if you don't implement that method. So, there's just a bug inside the application.

350030173 commented 2 years ago

Thanks very much.