vfsfitvnm / frida-il2cpp-bridge

A Frida module to dump, trace or hijack any Il2Cpp application at runtime, without needing the global-metadata.dat file.
https://github.com/vfsfitvnm/frida-il2cpp-bridge/wiki
MIT License

Il2Cpp.trace().detailed() abort was called #282

Closed commonuserlol closed 1 year ago

commonuserlol commented 1 year ago

Hello, when using Il2Cpp.trace().detailed() I get the error:

Error: abort was called
     at invokeRaw (C:\frida-il2cpp\_.js:3540)
     at toString (C:\frida-il2cpp\_.js:3733)
     at concat (native)
     at <anonymous> (C:\frida-il2cpp\_.js:2312)
     at map (native)
     at callback (C:\frida-il2cpp\_.js:2312)

after that the game crashes. my code:

Il2Cpp.perform(() => {
    const Bolt = Il2Cpp.Domain.assembly("Bolt").image;
    const RpcSupport = Il2Cpp.Domain.assembly("RpcSupport").image;
    const ClientService = RpcSupport.class("Axlebolt.RpcSupport.ClientService");
    const BoltApi = Bolt.class("Axlebolt.Bolt.BoltApi");
    Il2Cpp.trace().detailed().classes(BoltApi).and().classes(ClientService).and().attach();
});

In my case, the detailed mode will give more information, so I want to use it. Unity version: 2019.2.19f1

commonuserlol commented 1 year ago

I found one of the methods that causes this error:

System.Void SendRequest(Axlebolt.RpcSupport.Protobuf.RpcRequest request); // 0x0161b6d0

IDA disassembled:

void __fastcall Axlebolt_RpcSupport_ClientService__SendRequest(Axlebolt_RpcSupport_ClientService_o *this, Axlebolt_RpcSupport_Protobuf_RpcRequest_o *request, const MethodInfo *method)

where Axlebolt.RpcSupport.Protobuf.RpcRequest is

class Axlebolt.RpcSupport.Protobuf.RpcRequest : System.Object, Google.Protobuf.IMessage<Axlebolt.RpcSupport.Protobuf.RpcRequest>, Google.Protobuf.IMessage, System.IEquatable<Axlebolt.RpcSupport.Protobuf.RpcRequest>
{
     static Google.Protobuf.MessageParser<Axlebolt.RpcSupport.Protobuf.RpcRequest> _parser; // 0x0
     static System.Int32 IdFieldNumber = 1;
     System.String id_; // 0x10
     static System.Int32 ServiceNameFieldNumber = 2;
     System.String serviceName_; // 0x18
     static System.Int32 MethodNameFieldNumber = 3;
     System.String methodName_; // 0x20
     static System.Int32 ParamsFieldNumber = 4;
     static Google.Protobuf.FieldCodec<Axlebolt.RpcSupport.Protobuf.BinaryValue> _repeated_params_codec; // 0x8
     Google.Protobuf.Collections.RepeatedField<Axlebolt.RpcSupport.Protobuf.BinaryValue> params_; // 0x28
     static Google.Protobuf.MessageParser<Axlebolt.RpcSupport.Protobuf.RpcRequest> get_Parser(); // 0x0162b3b4
     static Google.Protobuf.Reflection.MessageDescriptor get_Descriptor(); // 0x0162b554
     Google.Protobuf.Reflection.MessageDescriptor pb::Google.Protobuf.IMessage.get_Descriptor(); // 0x0162b634
     System.Void .ctor(); // 0x0162b690
     System.String get_Id(); // 0x0161bd60
     System.Void set_Id(System.String value); // 0x0162b714
     System.String get_ServiceName(); // 0x0161bd50
     System.Void set_ServiceName(System.String value); // 0x0162b784
     System.String get_MethodName(); // 0x0161bd58
     System.Void set_MethodName(System.String value); // 0x0162b7f4
     Google.Protobuf.Collections.RepeatedField<Axlebolt.RpcSupport.Protobuf.BinaryValue> get_Params(); // 0x0162b864
     System.Boolean Equals(System.Object other); // 0x0162b86c
     System.Boolean Equals(Axlebolt.RpcSupport.Protobuf.RpcRequest other); // 0x0162b8e0
     System.Int32 GetHashCode(); // 0x0162b9ac
     System.String ToString(); // 0x0162ba4c
     System.Void WriteTo(Google.Protobuf.CodedOutputStream output); // 0x0162bab4
     System.Int32 CalculateSize(); // 0x0162bbec
     System.Void MergeFrom(Google.Protobuf.CodedInputStream input); // 0x0162bd58
     static System.Void .cctor(); // 0x0162beb0
}

upd: this method has 2 overloads:

System.Void SendRequest(Axlebolt.RpcSupport.Protobuf.RpcRequest request); // 0x0161b6d0

and

Axlebolt.RpcSupport.Protobuf.RpcResponse SendRequest(Axlebolt.RpcSupport.Protobuf.RpcRequest request, System.Threading.CancellationToken ct); // 0x0161cee0

vfsfitvnm commented 1 year ago

Unfortunately I cannot reproduce. I traced the whole RpcSupport and no error showed up, well, at least up to the login screen (I don't have a Facebook account to use to log in, so...)

commonuserlol commented 1 year ago

tomorrow I will check on other games that use 2 or more overloads for the method

vfsfitvnm commented 1 year ago

@commonuserlol

abort was called usually happens when the invocation throws an exception. My suspicion is that the game throws that exception because of a "bug" on their side - however, if you trace that method AND you want to see the parameters, the hot potato goes to Frida, and thus the abort was called.

Would you try to use Il2Cpp.installExceptionListener("all") with and without the tracing to see if SendRequest throws the exception?
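
The with/without comparison suggested above, as an added example that is not part of the thread or of the project's code. It uses only the bridge calls already written in this issue; `runDiagnostic`, `TARGETS` and `WITH_TRACING` are hypothetical names.

```typescript
// Added example; not code from the thread or from frida-il2cpp-bridge itself.
// As a Frida agent, add `import "frida-il2cpp-bridge";` at the top of the file
// (left out here so the file also loads outside Frida).

interface Target { assembly: string; klass: string; }

// The class that declares SendRequest, as named in the thread.
const TARGETS: Target[] = [
    { assembly: "RpcSupport", klass: "Axlebolt.RpcSupport.ClientService" },
];

// Run A: withTracing = false -> only the exception listener is installed.
// Run B: withTracing = true  -> same listener plus the detailed tracer.
// If SendRequest's exception is logged in run A too, the game throws it on its
// own and tracing only changes where the exception ends up.
function runDiagnostic(
    il2cpp: any,                 // the bridge's global `Il2Cpp` object
    targets: Target[],
    withTracing: boolean,
    log: (msg: string) => void = console.log,
): void {
    il2cpp.perform(() => {
        // Installed first so both runs report exceptions identically.
        il2cpp.installExceptionListener("all");
        log(`exception listener installed (tracing=${withTracing})`);
        if (!withTracing) return;

        // Builder calls are the ones used in the thread's script.
        let tracer = il2cpp.trace().detailed();
        for (const t of targets) {
            const klass = il2cpp.Domain.assembly(t.assembly).image.class(t.klass);
            tracer = tracer.classes(klass).and();
            log(`detailed trace on ${t.klass}`);
        }
        tracer.attach();
    });
}

const WITH_TRACING = false; // flip to true for run B
const bridge = (globalThis as any).Il2Cpp;
if (bridge !== undefined) runDiagnostic(bridge, TARGETS, WITH_TRACING);
```
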

vfsfitvnm commented 1 year ago

(as seen at https://github.com/vfsfitvnm/frida-il2cpp-bridge/issues/198)

commonuserlol commented 1 year ago

Sorry, I'm busy right now, when I have free time I'll come back to this issue

commonuserlol commented 1 year ago

Yeah, the problem is on their side. I somehow forgot that in 0.23 they changed the server addresses and now the client simply cannot find the old ones. But when I redirect it to my impromptu server

ClientService.method("Connect").implementation = function(host: Il2Cpp.String, port: number) {
    host.content = "192.168.0.103";
    return this.method("Connect").invoke(host, port);
};

it also throws an error but there is no error dialog on the screen... It works very weirdly but OK. If I see something similar in other games I will reopen this issue.

j3rry228 commented 1 year ago

@commonuserlol hello, can you contact me on telegram? I have a question - tg @trx330zcx