vfsfitvnm / frida-il2cpp-bridge

A Frida module to dump, trace or hijack any Il2Cpp application at runtime, without needing the global-metadata.dat file.
https://github.com/vfsfitvnm/frida-il2cpp-bridge/wiki
MIT License

Emulate on throwing exception inside method implementation #208

Closed sinyo1015 closed 2 years ago

sinyo1015 commented 2 years ago

Is there any way to emulate throwing an exception inside method implementation?

Because I need the backtrace methods to determine which methods get called, and the game itself sends the backtrace back to the game server.

Thanks!

vfsfitvnm commented 2 years ago

Yes, you can create a System.Exception (or whatever it's called) object and then call its method (I can't remember if it's static or not) to throw it.

Alternatively, there's also an il2cpp export (e.g. `il2cpp_exception_throw`).

sinyo1015 commented 2 years ago

How do I call it without the return/throw keyword? Or is it possible just to invoke it as a normal method from the exception class? Could you give some example of how to do it?

vfsfitvnm commented 2 years ago

> Or is it possible just to invoke it as a normal method from the exception class

    static System.Void ReportUnhandledException(System.Exception exception);

RimuruChan commented 2 years ago

> Or is it possible just to invoke it as a normal method from the exception class
>
>     static System.Void ReportUnhandledException(System.Exception exception);

I can't find this method.

vfsfitvnm commented 2 years ago

Well, it depends on the Unity version you are using. Just print the System.Exception class; you will probably find one. You can also dump the application and look for methods matching `static System\.Void \w+\(System\.Exception \w+\)\;`.

Chensem commented 1 year ago

First, I called `Il2Cpp.installExceptionListener('all')` to catch the exception that happened in the il2cpp thread.

[image]

As shown above, the exception can be caught by hooking `__ctx_thrown`.

When we hook or replace a function and want to know who called it, we need a backtrace, but Frida's backtrace API cannot provide such detailed information, so I have an idea.

First, implement this function; once the function is called, it creates an exception and then throws it, so the detailed backtrace can be generated?

Some example below:

    // Replace the target method so that every call raises a managed exception.
    Il2Cpp.Domain.assembly("Assembly-CSharp").image.class("XXX").method("XXX").implementation = function (message) {
        // Resolve the il2cpp export that raises a managed exception object.
        var il2cpp_raise_exception = new NativeFunction(Module.getExportByName(null, 'il2cpp_raise_exception'), 'void', ['pointer'])
        // var systemException = Il2Cpp.Image.corlib.class("System.Exception").new()
        // Allocate the managed exception object to throw (here LitJson.JsonException).
        var exp = Il2Cpp.Domain.assembly("Assembly-CSharp").image.class("LitJson.JsonException").new()
        // Listen for every exception raised in the il2cpp runtime.
        Il2Cpp.installExceptionListener('all')
        // Raise it from inside the hooked method; pass the raw native handle of the object.
        il2cpp_raise_exception(exp.handle)
    }

[image]

But it only outputs this; it doesn't contain any information like a backtrace.

Chensem commented 1 year ago

The idea is like Java's self-backtrace:

[image]

I wonder, is there a way to implement this function like the Java backtrace?

vfsfitvnm commented 1 year ago

I had the same idea a few months ago, so I tried implementing it, but I couldn't make it work for the same reason you pointed out.

Code you might find helpful: https://github.com/vfsfitvnm/frida-il2cpp-bridge/commit/78fd8ef78fc289458514899fa25fc39a5764718d