vfsfitvnm / frida-il2cpp-bridge

A Frida module to dump, trace or hijack any Il2Cpp application at runtime, without needing the global-metadata.dat file.
https://github.com/vfsfitvnm/frida-il2cpp-bridge/wiki
MIT License

Il2Cpp.MemorySnapshot::objects has null objects #273

Closed commonuserlol closed 1 year ago

commonuserlol commented 1 year ago

Hello, I am trying to get a class descriptor using Il2Cpp.MemorySnapshot.capture() but I am getting an error: Error: access violation accessing 0x0. If I run the code in the console without Il2Cpp.perform, I get the same error but more detailed (screen1). Code:

function findChatManager() {
    Il2Cpp.perform(() => {
        const cs = Il2Cpp.Domain.assembly("Assembly-CSharp").image;
        const chatmgr = cs.class("Axlebolt.Standoff.Game.ChatManager");
        const snap = Il2Cpp.MemorySnapshot.capture();
        snap.objects.filter(Il2Cpp.Filtering.IsExactly(chatmgr)).forEach((inst: Il2Cpp.Object) => {
            console.log("chatmgr found");
        });
        snap.free();
    });
}

I call this function through the console when the class is already created, so there should be no problems with this. Game: https://apkpure.com/standoff-2/com.axlebolt.standoff2 (v0.22.3)

vfsfitvnm commented 1 year ago

Unfortunately I cannot reproduce with the following code (it won't let me download the game files, so...):

Il2Cpp.perform(() => {
    const UnityEngineIMGUIModule = Il2Cpp.Domain.assembly("UnityEngine.IMGUIModule").image;
    const UnityEngineEventArray = UnityEngineIMGUIModule.class("UnityEngine.Event").arrayClass;

    const memorySnapshot = Il2Cpp.MemorySnapshot.capture();
    memorySnapshot.objects.filter(Il2Cpp.Filtering.IsExactly(UnityEngineEventArray)).forEach(_ => {
        console.log("instance found:", _);
    });
    memorySnapshot.free();
});

Alternatively, you may have some luck using Il2Cpp.GC.choose, which I just fixed for Unity versions > 2021.1. I didn't release a new version yet, so you have to clone the repo locally!

commonuserlol commented 1 year ago

Hmm, this might be considered off-topic, but I can't compile the script using the newer version. Before, I was using version 0.7.13 with npm and frida-compile didn't complain, but after installing from GitHub I get this error:

Compilation failed: Error: Can't walk dependency graph: Cannot find module 'frida-il2cpp-bridge' from 'C:\Users\User\frida-il2cpp\index.ts'
    required by C:\Users\User\frida-il2cpp\index.ts

Unfortunately, I'm not familiar with npm and googling didn't help.

vfsfitvnm commented 1 year ago

Possibly https://stackoverflow.com/a/59766644/16885569

commonuserlol commented 1 year ago

Thanks, now Il2Cpp.MemorySnapshot is working fine.

vfsfitvnm commented 1 year ago

@commonuserlol Uhm, so the original issue does not occur anymore?

commonuserlol commented 1 year ago

> @commonuserlol Uhm, so the original issue does not occur anymore?

Sorry, I jumped to conclusions a bit. Il2Cpp.MemorySnapshot still outputs Error: access violation accessing 0x0 (even in your example). Il2Cpp.GC.choose doesn't crash like before, but also can't find the class.

vfsfitvnm commented 1 year ago

Yeah. In fact, Il2Cpp.MemorySnapshot works fine. There's a problem afterwards, i.e. when objects are being filtered. I think I just forgot to exclude null objects. Would you try:

function findChatManager() {
    Il2Cpp.perform(() => {
        const cs = Il2Cpp.Domain.assembly("Assembly-CSharp").image;
        const chatmgr = cs.class("Axlebolt.Standoff.Game.ChatManager");
        const snap = Il2Cpp.MemorySnapshot.capture();
        snap.objects
            .filter(_ => !_.handle.isNull())
            .filter(Il2Cpp.Filtering.IsExactly(chatmgr))
            .forEach((inst: Il2Cpp.Object) => {
                console.log("chatmgr found");
            });
        snap.free();
    });
}

commonuserlol commented 1 year ago

Thank you very much, everything is working now (Il2Cpp.GC.choose too). (screen2)