Confirmed. That game doesn't have that (necessary) export. Fortunately, there's a workaround!
Sup!
il2cpp: couldn't resolve export il2cpp_domain_get
at r (/node_modules/frida-il2cpp-bridge/dist/index.js:594:45)
at Object.get domainGet (/node_modules/frida-il2cpp-bridge/dist/index.js:344:20)
at Object.descriptor.get [as domainGet] (/node_modules/frida-il2cpp-bridge/dist/index.js:41:30)
at Object.
Any workarounds for that case? I can send the binaries if needed
That export is stripped from the binary's export table. For now I've put together a rough workaround: pattern-scan GameAssembly.dll at runtime for the function body and wrap the hit in a NativeFunction. Note that the pattern below is specific to this build, and a generic prologue like this can match more than one function, so check that the scan returns a single hit before trusting it:
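// Runtime workaround for a GameAssembly.dll whose export table no longer
// carries il2cpp_domain_get: pattern-scan the module for the function
// prologue and wrap the first hit in a NativeFunction that the rest of the
// script (and frida-il2cpp-bridge, once patched) can call.
//
// Caveats:
//  - The byte pattern is specific to this build (Unity version + compiler);
//    a rebuilt binary will most likely need a new one.
//  - The prologue is generic, so more than one function may match. As in
//    the original script only the first hit is used, but the scan now runs
//    to completion and reports the total so an ambiguous pattern is visible
//    instead of silently wrong.
//  - NOTE(review): il2cpp_domain_get takes no arguments, yet the hook below
//    reads args[1] as a string and the log shows assembly names, which
//    suggests the matched function may not be il2cpp_domain_get itself.
//    Confirm what was matched before calling it through the NativeFunction;
//    a misidentified pointer will crash the process.
globalThis.assemblies = [];
globalThis.pointers = [];

// Fail loudly if the module is not mapped yet instead of a TypeError on
// `base.base` further down.
const base = globalThis.base = Process.enumerateModulesSync().find(
  (m) => m.name === "GameAssembly.dll",
);
if (base === undefined) {
  throw new Error("GameAssembly.dll is not loaded in this process (yet)");
}

// Memory.scan also accepts the spaced form; whitespace is stripped here so the
// pattern looks like the ones collected later in this thread.
const pat = "48 83 EC 28 48 8B 05 ?? ?? ?? ?? 48 85 C0 75 11".replaceAll(/\s/g, "");

// Best-effort read of a possible C-string argument. readUtf8String throws on
// invalid UTF-8 (or an unmapped page), so the readCString fallback needs its
// own try block — in the original `a || b` chain it was never reached once
// the first read threw.
function tryReadName(p) {
  try {
    return p.readUtf8String() || undefined;
  } catch (_) {
    // fall through to the raw read
  }
  try {
    return p.readCString() || undefined;
  } catch (_) {
    return undefined;
  }
}

// Record the first hit under the export name the bridge expects. Later hits
// are counted by the scan but never registered.
function registerDomainGet(address) {
  if (pointers.some((e) => e["il2cpp_domain_get"])) return;
  globalThis.pointers.push({
    "il2cpp_domain_get": new NativeFunction(ptr(address), "pointer", []),
  });
  console.log(`Domain_get found. ${JSON.stringify(pointers.find((e) => e["il2cpp_domain_get"]))}`);
}

let matchCount = 0;
Memory.scan(base.base, base.size, pat, {
  onMatch(address, size) {
    matchCount += 1;
    console.log("Memory.scan() found match at", address, "with size", size);
    if (matchCount > 1) {
      // Keep scanning so onComplete can report how ambiguous the pattern is;
      // only the first hit is hooked.
      return;
    }
    Interceptor.attach(address, {
      onEnter(args) {
        this.name = tryReadName(args[1]);
        if (this.name) console.log(`${this.name} has been loaded.`);
      },
      onLeave(_retval) {
        registerDomainGet(address);
      },
    });
  },
  onComplete() {
    if (matchCount === 0) {
      console.log("Memory.scan() found no match; the pattern does not fit this build.");
    } else if (matchCount > 1) {
      console.log(`Memory.scan() found ${matchCount} matches; only the first was hooked — verify it really is il2cpp_domain_get.`);
    }
  },
});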
____
/ _ | Frida 16.0.19 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to Local System (id=local)
Memory.scan() found match at 0x7ffd8b0df450 with size 16
[Local::*.exe ]-> Domain_get found. {"il2cpp_domain_get":"0x7ffd8b0df450"}
UnityEngine has been loaded.
Assembly-CSharp has been loaded.
Cinemachine has been loaded.
Unity.Burst has been loaded.
KDTree-Asmdef has been loaded.
Obi has been loaded.
LitJson-asmdef has been loaded.
7zip.asmdef has been loaded.
OSA has been loaded.
UnityEngine.UI has been loaded.
Unity.Timeline has been loaded.
BGCurve-Asmdef has been loaded.
ConsoleAsmdef has been loaded.
VivoxUnity has been loaded.
L12Utils has been loaded.
Intercept has been loaded.
ZFBrowser has been loaded.
GlobalDebug has been loaded.
DOTween.Modules has been loaded.
XGamingRuntime has been loaded.
DOTween has been loaded.
protobuf-net has been loaded.
zxing.unity has been loaded.
System.Memory has been loaded.
IFix.Core has been loaded.
FlatBuffers has been loaded.
Ionic.Zip.Unity has been loaded.
Newtonsoft.Json has been loaded.
@n1ce0n3 Thanks for reporting
I still can't figure how can I make it work within the game I'm currently reversing. Would really appreciate some help, if you can @vfsfitvnm. Here are all the il2cpp exports the game has:
// Print every export whose name contains "il2cpp_" across all loaded modules,
// to see which parts of the IL2CPP C API this binary still exposes by name.
// NOTE(review): this only walks export tables; functions that were stripped
// from them (the subject of this thread) will not show up here.
const il2cppName = /il2cpp_/i;
for (const mod of Process.enumerateModulesSync()) {
  for (const exp of Module.enumerateExportsSync(mod.name)) {
    if (il2cppName.test(exp.name)) {
      console.log(exp.name);
    }
  }
}
il2cpp_add_internal_call
il2cpp_alloc
il2cpp_allocation_granularity
il2cpp_array_element_size
il2cpp_array_object_header_size
il2cpp_capture_memory_snapshot
il2cpp_class_get_bitmap
il2cpp_class_get_bitmap_size
il2cpp_class_get_userdata_offset
il2cpp_class_set_userdata
il2cpp_current_thread_get_frame_at
il2cpp_current_thread_get_stack_depth
il2cpp_current_thread_get_top_frame
il2cpp_current_thread_walk_frame_stack
il2cpp_debugger_set_agent_options
il2cpp_exception_from_name_msg
il2cpp_format_exception
il2cpp_format_stack_trace
il2cpp_free
il2cpp_free_captured_memory_snapshot
il2cpp_gc_collect
il2cpp_gc_collect_a_little
il2cpp_gc_disable
il2cpp_gc_enable
il2cpp_gc_foreach_heap
il2cpp_gc_get_heap_size
il2cpp_gc_get_max_time_slice_ns
il2cpp_gc_get_used_size
il2cpp_gc_has_strict_wbarriers
il2cpp_gc_is_disabled
il2cpp_gc_is_incremental
il2cpp_gc_set_external_allocation_tracker
il2cpp_gc_set_external_wbarrier_tracker
il2cpp_gc_set_max_time_slice_ns
il2cpp_gc_wbarrier_set_field
il2cpp_gchandle_foreach_get_target
il2cpp_gchandle_free
il2cpp_gchandle_get
il2cpp_gchandle_get_target
il2cpp_gchandle_new
il2cpp_gchandle_new_weakref
il2cpp_get_corlib
il2cpp_get_exception_argument_null
il2cpp_image_get_assembly
il2cpp_image_get_class
il2cpp_image_get_class_count
il2cpp_image_get_entry_point
il2cpp_image_get_filename
il2cpp_image_get_name
il2cpp_init
il2cpp_init_utf16
il2cpp_is_debugger_attached
il2cpp_is_vm_thread
il2cpp_monitor_enter
il2cpp_monitor_exit
il2cpp_monitor_pulse
il2cpp_monitor_pulse_all
il2cpp_monitor_try_enter
il2cpp_monitor_try_wait
il2cpp_monitor_wait
il2cpp_object_header_size
il2cpp_offset_of_array_bounds_in_array_object_header
il2cpp_offset_of_array_length_in_array_object_header
il2cpp_override_stack_backtrace
il2cpp_profiler_install
il2cpp_profiler_install_allocation
il2cpp_profiler_install_enter_leave
il2cpp_profiler_install_fileio
il2cpp_profiler_install_gc
il2cpp_profiler_install_thread
il2cpp_profiler_set_events
il2cpp_raise_exception
il2cpp_register_debugger_agent_transport
il2cpp_register_log_callback
il2cpp_runtime_object_init_exception
il2cpp_runtime_unhandled_exception_policy_set
il2cpp_set_commandline_arguments
il2cpp_set_commandline_arguments_utf16
il2cpp_set_config
il2cpp_set_config_dir
il2cpp_set_config_utf16
il2cpp_set_data_dir
il2cpp_set_default_thread_affinity
il2cpp_set_find_plugin_callback
il2cpp_set_memory_callbacks
il2cpp_set_temp_dir
il2cpp_shutdown
il2cpp_start_gc_world
il2cpp_stats_dump_to_file
il2cpp_stats_get_value
il2cpp_stop_gc_world
il2cpp_thread_attach
il2cpp_thread_current
il2cpp_thread_detach
il2cpp_thread_get_all_attached_threads
il2cpp_thread_get_frame_at
il2cpp_thread_get_stack_depth
il2cpp_thread_get_top_frame
il2cpp_thread_walk_frame_stack
il2cpp_unhandled_exception
il2cpp_unity_install_unitytls_interface
il2cpp_unity_liveness_allocate_struct
il2cpp_unity_liveness_calculation_begin
il2cpp_unity_liveness_calculation_end
il2cpp_unity_liveness_calculation_from_root
il2cpp_unity_liveness_calculation_from_root_2021
il2cpp_unity_liveness_calculation_from_statics
il2cpp_unity_liveness_calculation_from_statics_2021
il2cpp_unity_liveness_calculation_from_steal
il2cpp_unity_liveness_collect_statics_2021
il2cpp_unity_liveness_finalize
il2cpp_unity_liveness_free_struct
il2cpp_unity_liveness_object_num
il2cpp_unity_liveness_traverse_static_from_steal
il2cpp_unity_liveness_traverse_statics_2021
il2cpp_unity_liveness_traverse_user_root
il2cpp_value_box
What methods do I need to manually resolve in order to make it work? If I get it right, the "r" function basically returns something like this: `new NativeFunction(ptr("0x7ffd8b0df450"), "pointer", [])`; so I could hard-code all the missing functions and check whether that works, or am I wrong? (I realise 0x7ffd8b0df450 is a runtime address that changes with ASLR on every launch, so anything hard-coded would have to be kept as an offset from GameAssembly.dll's base and re-added at runtime.) Thanks in advance <3
@n1ce0n3 It looks like they heavily stripped their export table; I don't think there's much you can do other than locating the missing functions manually.
so I can hard code all the missing functions and check if that works, or am I wrong?
correct :)
Thanks for confirming this @vfsfitvnm, the game is #6 on top free steam games atm, so I kind of expected that not to be as easy :) I will post an update here in case I will manage to solve the issue and if I will actually get this whole thing working, but if someone is here with the same issue & game I am struggling with right now - I wouldn't really expect to wait for an update.
Just in case anyone was waiting for an update, I actually got it to work after a while :)
[Local::executable_name.exe ]-> Il2Cpp.dump("dump.cs")
il2cpp: dumping mscorlib...
il2cpp: couldn't resolve export il2cpp_class_get_methods
at r (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:590)
at get classGetMethods (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:276)
at call (native)
at <anonymous> (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:41)
at <anonymous> (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:1694)
at readNativeIterator (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:149)
at get methods (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:1694)
at call (native)
at <anonymous> (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:41)
at toString (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:1815)
at concat (native)
at dump (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:653)
at <eval> (<input>:1)
[Local::executable_name.exe ]-> %reload
[Local::executable_name.exe ]-> Il2Cpp.dump("dump.cs")
il2cpp: dumping mscorlib...
il2cpp: couldn't resolve export il2cpp_field_get_name
at r (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:590)
at get fieldGetName (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:348)
at call (native)
at <anonymous> (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:41)
at get name (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:2040)
at call (native)
at <anonymous> (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:41)
at toString (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:2079)
at join (native)
at toString (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:1815)
at concat (native)
at dump (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:653)
at <eval> (<input>:1)
[Local::executable_name.exe ]-> %reload
[Local::executable_name.exe ]-> Il2Cpp.dump("dump.cs")
il2cpp: dumping mscorlib...
il2cpp: couldn't resolve export il2cpp_method_get_name
at r (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:590)
at get methodGetName (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:471)
at call (native)
at <anonymous> (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:41)
at get name (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:2342)
at call (native)
at <anonymous> (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:41)
at toString (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:2495)
at join (native)
at toString (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:1816)
at concat (native)
at dump (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:653)
at <eval> (<input>:1)
[Local::executable_name.exe ]-> %reload
[Local::executable_name.exe ]-> Il2Cpp.dump("dump.cs")
il2cpp: dumping mscorlib...
il2cpp: dumping System.Configuration...
il2cpp: dumping Mono.Security...
il2cpp: dumping System.Xml...
il2cpp: dumping System...
il2cpp: dumping System.Core...
il2cpp: dumping UnityEngine.SharedInternalsModule...
il2cpp: dumping UnityEngine.CoreModule...
il2cpp: dumping UnityEngine.AssetBundleModule...
il2cpp: dumping UnityEngine.PhysicsModule...
il2cpp: dumping UnityEngine.SubsystemsModule...
il2cpp: dumping UnityEngine.TextRenderingModule...
il2cpp: dumping UnityEngine.UnityWebRequestModule...
il2cpp: dumping UnityEngine.AudioModule...
il2cpp: dumping UnityEngine.GridModule...
il2cpp: dumping UnityEngine.IMGUIModule...
il2cpp: dumping UnityEngine.ImageConversionModule...
il2cpp: dumping UnityEngine.InputLegacyModule...
il2cpp: dumping UnityEngine.Physics2DModule...
il2cpp: dumping UnityEngine.TerrainModule...
il2cpp: dumping UnityEngine.TextCoreModule...
il2cpp: dumping UnityEngine.UnityWebRequestAssetBundleModule...
il2cpp: dumping UnityEngine.XRModule...
il2cpp: dumping System.Numerics...
il2cpp: dumping System.Runtime.Serialization...
il2cpp: dumping UnityEngine.AIModule...
il2cpp: dumping UnityEngine.AndroidJNIModule...
il2cpp: dumping UnityEngine.AnimationModule...
il2cpp: dumping UnityEngine.ClothModule...
il2cpp: dumping UnityEngine.DirectorModule...
il2cpp: dumping UnityEngine.InputModule...
il2cpp: dumping UnityEngine.JSONSerializeModule...
il2cpp: dumping UnityEngine.ParticleSystemModule...
il2cpp: dumping UnityEngine.ScreenCaptureModule...
il2cpp: dumping UnityEngine.StreamingModule...
il2cpp: dumping UnityEngine.TerrainPhysicsModule...
il2cpp: dumping UnityEngine.TilemapModule...
il2cpp: dumping UnityEngine.UIElementsModule...
il2cpp: dumping UnityEngine.UIModule...
il2cpp: dumping UnityEngine.UnityAnalyticsModule...
il2cpp: dumping UnityEngine.UnityWebRequestTextureModule...
il2cpp: dumping UnityEngine.UnityWebRequestWWWModule...
il2cpp: dumping UnityEngine.VFXModule...
il2cpp: dumping UnityEngine.VRModule...
il2cpp: dumping UnityEngine.VideoModule...
il2cpp: dumping System.Data...
il2cpp: dumping System.Diagnostics.StackTrace...
il2cpp: dumping System.Globalization.Extensions...
il2cpp: dumping System.IO.Compression...
il2cpp: dumping System.Xml.Linq...
il2cpp: dumping UnityEngine...
il2cpp: dumping Opencoding.Shared...
il2cpp: dumping System.Runtime...
il2cpp: dumping UnityEngine.UI...
il2cpp: dumping netstandard...
il2cpp: dumping Opencoding.LogHistory...
il2cpp: dumping System.Numerics.Vectors...
il2cpp: dumping System.Runtime.CompilerServices.Unsafe...
il2cpp: dumping Unity.Burst.Unsafe...
il2cpp: dumping Unity.RenderPipelines.Core.Runtime...
il2cpp: dumping L12Utils...
il2cpp: dumping Newtonsoft.Json...
il2cpp: dumping Obi...
il2cpp: dumping Opencoding.CommandHandlers...
il2cpp: dumping System.Memory...
il2cpp: dumping Unity.Burst...
il2cpp: dumping Unity.Mathematics...
il2cpp: dumping Unity.RenderPipeline.Universal.ShaderLibrary...
il2cpp: dumping Unity.Timeline...
il2cpp: dumping protobuf-net...
il2cpp: dumping 7zip.asmdef...
il2cpp: dumping ByteSerialize-Asmdef...
il2cpp: dumping Cinemachine...
il2cpp: dumping Coffee.UIParticle...
il2cpp: dumping DOTween...
il2cpp: dumping FlatBuffers...
il2cpp: dumping GlobalDebug...
il2cpp: dumping Googole-Protobuf-Asmdef...
il2cpp: dumping IFix.Core...
il2cpp: dumping Ionic.Zip.Unity...
il2cpp: dumping KDTree-Asmdef...
il2cpp: dumping Leihuo.Rendering.Runtime...
il2cpp: dumping LitJson-asmdef...
il2cpp: dumping MIConvexHull-Asmdef...
il2cpp: dumping Mono.Cecil...
il2cpp: dumping OSA...
il2cpp: dumping ObiRendering-Asmdef...
il2cpp: dumping Opencoding.Console...
il2cpp: dumping PowerCollections-Asmdef...
il2cpp: dumping RootMotion-Asmdef...
il2cpp: dumping Sirenix.OdinInspector.Attributes...
il2cpp: dumping Twitch.EnhancedExperiences...
il2cpp: dumping Unity.Collections...
il2cpp: dumping Unity.InputSystem...
il2cpp: dumping Unity.RenderPipelines.Universal.Runtime...
il2cpp: dumping Unity.TextMeshPro...
il2cpp: dumping Vectrosity-Scripts-Asmdef...
il2cpp: dumping VivoxUnity...
il2cpp: dumping XGamingRuntime...
il2cpp: dumping zxing.unity...
il2cpp: dumping BGCurve-Asmdef...
il2cpp: dumping ConsoleAsmdef...
il2cpp: dumping DOTween.Modules...
il2cpp: dumping Intercept...
il2cpp: dumping MersenneTwister-Asmdef...
il2cpp: dumping QHierarchy-Asmdef...
il2cpp: dumping Siccity.SerializableCallback...
il2cpp: dumping SpatialHash-Asmdef...
il2cpp: dumping ZFBrowser...
il2cpp: dumping Assembly-CSharp-firstpass...
il2cpp: dumping Assembly-CSharp...
il2cpp: dump saved to C:/Users/.../AppData/LocalLow/.../dump.cs
Just compile a project using the same Unity version and locate the required exports in that known-good binary; you can extract signatures for them in IDA with either SigMaker or FakePDB (for some functions one plugin worked better than the other, and vice versa), then replace the export lookups in "index.js" with the addresses you find — preferably as offsets from the module base, since absolute addresses change with ASLR. In the game binary on disk none of these signatures were found, not a single one, yet running Cheat Engine or a similar tool and scanning for the same signatures at runtime finds all of them as expected — which suggests the on-disk image is packed or otherwise transformed and only the in-memory image carries the plain code, so do the scan against the live process. Much luv. <3
@n1ce0n3 Thank you very much for reporting back! Searching for memory patterns is definitely a good solution. I'm not sure whether I could "automate" such a feature, though, as I believe it is quite easy for the vendor to defeat the scanning (a different compiler setting, a reordered function or an inserted no-op changes the emitted bytes and the pattern no longer matches).
However, I can definitely add a feature so that you can override the export offsets without having to tediously edit the source code.
@vfsfitvnm glad I could be useful :) Honestly, it's the first binary I've seen stripped this heavily, and if I understand correctly the signatures vary with the Unity version; if so, it would be a real pain for you to collect the signatures for every version. If the signatures don't change, I already have around 40 of them saved in a notepad and they could be of help to you.
Actually, that is the only tool that allowed me to get a dump of the game (at least on my level of knowledge). I have no idea how can you manually add the missing exports to the library, so tools like MelonLoader/BepinEx/doorstep would actually recognize the methods and work. Since all the tools I've mentioned simply crash the game, printing out in the log that there is no required export, without a real way to manually point the tool to the required methods :)
Most of the functions don't really change across minor unity versions, however the emitted binary code also depends on the compiler - so yeah, it's definitely a huge pain in the ass to get it done. I would have to collect every export times every unity version times every cpu architecture, at the very least. Won't do it :stuck_out_tongue:
I totally agree, wouldn't do that either 😛 However, you could really consider adding an option to override the methods more easily, since for some reason, if I modify the functions in the compiled .js file it refuses to launch, saying it's malformed; so to do that I had to go into node_modules/<module>/dist and edit the code inside index.js, which is definitely not the best option (unless I missed a more obvious way of doing it).
Also, I'm really curious whether the distance between functions changes with the updates, cause if not - you could just find a single method and from then just find the other methods based on an offset relative to a method you've already found? Or that wouldn't work with exported functions?
If you use another bundler (I personally use esbuild
) instead of frida-compile
, you can edit the compiled .js file straightforwardly (but you lose the features frida-compile
has). However, yes, I will do something in that regard.
Also, I'm really curious whether the distance between functions changes with the updates, cause if not - you could just find a single method and from then just find the other methods based on an offset relative to a method you've already found? Or that wouldn't work with exported functions?
They could still change the functions order within the source code, or add a no-op or apply whatever change so that the compiler does not emit the same code
They could still change the functions order within the source code, or add a no-op or apply whatever change so that the compiler does not emit the same code
RIght, I didn't think about it that way.
I usually use tsc - but it doesn't work really good with frida for some reason, so I'm using frida-compile for that matter :)
They could still change the functions order within the source code, or add a no-op or apply whatever change so that the compiler does not emit the same code
RIght, I didn't think about it that way.
I usually use tsc - but it doesn't work really good with frida for some reason, so I'm using frida-compile for that matter :)
Are u still there? I need your help
They could still change the functions order within the source code, or add a no-op or apply whatever change so that the compiler does not emit the same code
RIght, I didn't think about it that way. I usually use tsc - but it doesn't work really good with frida for some reason, so I'm using frida-compile for that matter :)
Are u still there? I need your help
Sup?
They could still change the functions order within the source code, or add a no-op or apply whatever change so that the compiler does not emit the same code
RIght, I didn't think about it that way. I usually use tsc - but it doesn't work really good with frida for some reason, so I'm using frida-compile for that matter :)
Are u still there? I need your help
Sup?
Yes. In my case almost all il2cpp exports are merged into a single export, "il2cpp_get_api_table"; how can I find the individual functions inside it, or how do I call it from Frida?
They could still change the functions order within the source code, or add a no-op or apply whatever change so that the compiler does not emit the same code
RIght, I didn't think about it that way. I usually use tsc - but it doesn't work really good with frida for some reason, so I'm using frida-compile for that matter :)
Are u still there? I need your help
Sup?
Yes, my case is a almost il2cpp exports are merge all in one export "il2cpp_get_api_table", how to find out those exports inside this thing? Or how to call this in frida?
I haven't seen a case like that, but googling that export quoted results in two URLs, one of which is the current thread and the other one is something in chinese. I'm not exactly sure what they're talking about in there, but according to what I got from google translate - I'd assume you should look into either that or that.
Just in case anyone was waiting for an update, I actually got it to work after a while :)
[Local::executable_name.exe ]-> Il2Cpp.dump("dump.cs") il2cpp: dumping mscorlib... il2cpp: couldn't resolve export il2cpp_class_get_methods at r (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:590) at get classGetMethods (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:276) at call (native) at <anonymous> (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:41) at <anonymous> (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:1694) at readNativeIterator (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:149) at get methods (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:1694) at call (native) at <anonymous> (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:41) at toString (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:1815) at concat (native) at dump (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:653) at <eval> (<input>:1) [Local::executable_name.exe ]-> %reload [Local::executable_name.exe ]-> Il2Cpp.dump("dump.cs") il2cpp: dumping mscorlib... 
il2cpp: couldn't resolve export il2cpp_field_get_name at r (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:590) at get fieldGetName (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:348) at call (native) at <anonymous> (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:41) at get name (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:2040) at call (native) at <anonymous> (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:41) at toString (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:2079) at join (native) at toString (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:1815) at concat (native) at dump (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:653) at <eval> (<input>:1) [Local::executable_name.exe ]-> %reload [Local::executable_name.exe ]-> Il2Cpp.dump("dump.cs") il2cpp: dumping mscorlib... 
il2cpp: couldn't resolve export il2cpp_method_get_name at r (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:590) at get methodGetName (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:471) at call (native) at <anonymous> (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:41) at get name (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:2342) at call (native) at <anonymous> (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:41) at toString (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:2495) at join (native) at toString (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:1816) at concat (native) at dump (D:\Stuff\Haaaaaaaaax\frida\bridge_install_web\node_modules\frida-il2cpp-bridge\dist\index.js:653) at <eval> (<input>:1) [Local::executable_name.exe ]-> %reload [Local::executable_name.exe ]-> Il2Cpp.dump("dump.cs") il2cpp: dumping mscorlib... il2cpp: dumping System.Configuration... il2cpp: dumping Mono.Security... il2cpp: dumping System.Xml... il2cpp: dumping System... il2cpp: dumping System.Core... il2cpp: dumping UnityEngine.SharedInternalsModule... il2cpp: dumping UnityEngine.CoreModule... il2cpp: dumping UnityEngine.AssetBundleModule... il2cpp: dumping UnityEngine.PhysicsModule... il2cpp: dumping UnityEngine.SubsystemsModule... il2cpp: dumping UnityEngine.TextRenderingModule... il2cpp: dumping UnityEngine.UnityWebRequestModule... il2cpp: dumping UnityEngine.AudioModule... il2cpp: dumping UnityEngine.GridModule... il2cpp: dumping UnityEngine.IMGUIModule... il2cpp: dumping UnityEngine.ImageConversionModule... il2cpp: dumping UnityEngine.InputLegacyModule... il2cpp: dumping UnityEngine.Physics2DModule... il2cpp: dumping UnityEngine.TerrainModule... 
il2cpp: dumping UnityEngine.TextCoreModule... il2cpp: dumping UnityEngine.UnityWebRequestAssetBundleModule... il2cpp: dumping UnityEngine.XRModule... il2cpp: dumping System.Numerics... il2cpp: dumping System.Runtime.Serialization... il2cpp: dumping UnityEngine.AIModule... il2cpp: dumping UnityEngine.AndroidJNIModule... il2cpp: dumping UnityEngine.AnimationModule... il2cpp: dumping UnityEngine.ClothModule... il2cpp: dumping UnityEngine.DirectorModule... il2cpp: dumping UnityEngine.InputModule... il2cpp: dumping UnityEngine.JSONSerializeModule... il2cpp: dumping UnityEngine.ParticleSystemModule... il2cpp: dumping UnityEngine.ScreenCaptureModule... il2cpp: dumping UnityEngine.StreamingModule... il2cpp: dumping UnityEngine.TerrainPhysicsModule... il2cpp: dumping UnityEngine.TilemapModule... il2cpp: dumping UnityEngine.UIElementsModule... il2cpp: dumping UnityEngine.UIModule... il2cpp: dumping UnityEngine.UnityAnalyticsModule... il2cpp: dumping UnityEngine.UnityWebRequestTextureModule... il2cpp: dumping UnityEngine.UnityWebRequestWWWModule... il2cpp: dumping UnityEngine.VFXModule... il2cpp: dumping UnityEngine.VRModule... il2cpp: dumping UnityEngine.VideoModule... il2cpp: dumping System.Data... il2cpp: dumping System.Diagnostics.StackTrace... il2cpp: dumping System.Globalization.Extensions... il2cpp: dumping System.IO.Compression... il2cpp: dumping System.Xml.Linq... il2cpp: dumping UnityEngine... il2cpp: dumping Opencoding.Shared... il2cpp: dumping System.Runtime... il2cpp: dumping UnityEngine.UI... il2cpp: dumping netstandard... il2cpp: dumping Opencoding.LogHistory... il2cpp: dumping System.Numerics.Vectors... il2cpp: dumping System.Runtime.CompilerServices.Unsafe... il2cpp: dumping Unity.Burst.Unsafe... il2cpp: dumping Unity.RenderPipelines.Core.Runtime... il2cpp: dumping L12Utils... il2cpp: dumping Newtonsoft.Json... il2cpp: dumping Obi... il2cpp: dumping Opencoding.CommandHandlers... il2cpp: dumping System.Memory... il2cpp: dumping Unity.Burst... 
il2cpp: dumping Unity.Mathematics... il2cpp: dumping Unity.RenderPipeline.Universal.ShaderLibrary... il2cpp: dumping Unity.Timeline... il2cpp: dumping protobuf-net... il2cpp: dumping 7zip.asmdef... il2cpp: dumping ByteSerialize-Asmdef... il2cpp: dumping Cinemachine... il2cpp: dumping Coffee.UIParticle... il2cpp: dumping DOTween... il2cpp: dumping FlatBuffers... il2cpp: dumping GlobalDebug... il2cpp: dumping Googole-Protobuf-Asmdef... il2cpp: dumping IFix.Core... il2cpp: dumping Ionic.Zip.Unity... il2cpp: dumping KDTree-Asmdef... il2cpp: dumping Leihuo.Rendering.Runtime... il2cpp: dumping LitJson-asmdef... il2cpp: dumping MIConvexHull-Asmdef... il2cpp: dumping Mono.Cecil... il2cpp: dumping OSA... il2cpp: dumping ObiRendering-Asmdef... il2cpp: dumping Opencoding.Console... il2cpp: dumping PowerCollections-Asmdef... il2cpp: dumping RootMotion-Asmdef... il2cpp: dumping Sirenix.OdinInspector.Attributes... il2cpp: dumping Twitch.EnhancedExperiences... il2cpp: dumping Unity.Collections... il2cpp: dumping Unity.InputSystem... il2cpp: dumping Unity.RenderPipelines.Universal.Runtime... il2cpp: dumping Unity.TextMeshPro... il2cpp: dumping Vectrosity-Scripts-Asmdef... il2cpp: dumping VivoxUnity... il2cpp: dumping XGamingRuntime... il2cpp: dumping zxing.unity... il2cpp: dumping BGCurve-Asmdef... il2cpp: dumping ConsoleAsmdef... il2cpp: dumping DOTween.Modules... il2cpp: dumping Intercept... il2cpp: dumping MersenneTwister-Asmdef... il2cpp: dumping QHierarchy-Asmdef... il2cpp: dumping Siccity.SerializableCallback... il2cpp: dumping SpatialHash-Asmdef... il2cpp: dumping ZFBrowser... il2cpp: dumping Assembly-CSharp-firstpass... il2cpp: dumping Assembly-CSharp... il2cpp: dump saved to C:/Users/.../AppData/LocalLow/.../dump.cs
Just compile a project using the same unity version - and find the required exports in the compiled binary, you can extract them from IDA using either SigMaker or Fake PDB (for some functions one plugin worked better than another, vice versa), replace the functions in the "index.js" file according to the addresses you find. In the binary I've had these signatures were not found, like none of them, however, if you run cheat engine or something similar and search for the signatures during runtime - it finds everything just as it was supposed to. Much luv. <3
Hi, may I know how you determined which function is il2cpp_class_get_methods in order to resolve it? In my case the export names have been obfuscated to gibberish; is there a way to match the obfuscated exports against the old non-obfuscated ones in IDA, e.g. by function size or some other property?
Hi, may i know how you determined the export il2cpp_class_getmethods to resolve them? For my case the exports name have been obfuscated with some giberrish, is there a way to like match the exports by size or some parameter using IDA using the old non-obfuscated exports vs the current exports with giberrish names?
That's how I ended up making it work (the byte patterns below are specific to the build I had — a different Unity or compiler version will most likely need new ones — and each scan should be checked for exactly one hit before the match is used as a function pointer):
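// Shared state for the pattern-scan fallback used by the patched `r()` resolver.
// Both values are deliberately published on globalThis: `r` lives inside the bundled
// frida-il2cpp-bridge module, so a script-scoped `const` would not be visible to it.
globalThis.base = Process.enumerateModulesSync().find((e) => e.name === "GameAssembly.dll");
if (globalThis.base === undefined) {
  console.warn("GameAssembly.dll is not loaded yet; the pattern-scan fallback will have nothing to scan");
}

// Most of the stripped exports are preceded by N identical 16-byte runs of
// `E9 xx xx xx xx` followed by eleven `CC` bytes (on x86 that reads as a
// `jmp rel32` plus int3 padding, i.e. a chain of jump thunks — confirm in a
// disassembler). The two helpers below rebuild the author's exact strings from
// a thunk count so the table stays auditable instead of being 500-character
// literals. `??` is Frida's one-byte wildcard; one helper per spelling because
// the original table mixes a compact form and a space-separated form and the
// strings are passed to Memory.scanSync verbatim.
// NOTE(review): the thunk counts were transcribed from the original inline
// literals; re-verify every match against a disassembler before relying on it.
const thunks = (n) => "E9????????CCCCCCCCCCCCCCCCCCCCCC".repeat(n);
const thunksSpaced = (n) => "E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC ".repeat(n);

// Byte patterns for the il2cpp exports stripped from this particular
// GameAssembly.dll, keyed by export name. They were captured from ONE build:
// another build or Unity version needs its own patterns, and a pattern that
// hits the wrong location hands NativeFunction a bogus address (crash or
// silent memory corruption), so a new entry is unverified until a call
// through it has been checked. Frozen because `r` only ever reads it.
// "il2cpp_image_get_assembly" appeared twice in the original with the same
// pattern; it is kept once.
globalThis._backupExports = Object.freeze({
  "il2cpp_field_static_set_value": "E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC CC CC 48 89 5C 24 ?? 57 48 83 EC 40 49 63 D8",
  "il2cpp_domain_get": "E9????????????????CCCCCCCCCCCCCCCCCCCCCC40534883EC20488BDA",
  "il2cpp_object_new": "E8 ?? ?? ?? ?? 48 8B D3 48 8B C8 48 8B F8 E8 ?? ?? ?? ?? 4D 63 C7 ",
  "il2cpp_resolve_icall": `${thunks(2)}488B41184C8BD2`,
  "il2cpp_string_chars": `${thunks(16)}4053`,
  "il2cpp_string_length": `${thunks(13)}4053`,
  "il2cpp_domain_get_assemblies": "40534883EC20488BDAE8????????488B4808",
  "il2cpp_class_from_name": `${thunksSpaced(3)}48 83 EC 28 4C 8D 44 24 40`,
  "il2cpp_class_get_method_from_name": `${thunksSpaced(8)}0F B6 81`,
  "il2cpp_method_is_instance": `${thunks(10)}4883EC28E8????????EB02`,
  "il2cpp_method_is_inflated": `${thunks(11)}4883EC28E8????????EB02`,
  "il2cpp_runtime_class_init": `${thunks(1)}488B41184C8BD2`,
  "il2cpp_class_get_field_from_name": `${thunks(12)}0FB681`,
  "il2cpp_field_get_flags": `${thunks(6)}488B4108`,
  "il2cpp_field_static_get_value": `${thunks(2)}48895C2408574883EC40`,
  "il2cpp_field_get_type": `${thunks(4)}488B4108`,
  "il2cpp_type_get_type": `${thunks(1)}8B4108`,
  "il2cpp_class_get_type": "E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC 40 53 48 83 EC 20 48 8B C2",
  "il2cpp_array_class_get": `${thunks(7)}B820000000`,
  "il2cpp_class_get_interfaces": `${thunks(9)}0FB681`,
  "il2cpp_class_get_name": `${thunks(6)}0FB6`,
  "il2cpp_object_get_class": `${thunks(6)}B201`,
  "il2cpp_field_get_offset": `${thunks(5)}488B4108`,
  "il2cpp_method_get_return_type": `${thunksSpaced(15)}48 83 EC 28 E8 ?? ?? ?? ?? EB 02`,
  "il2cpp_type_get_name": "40 53 48 83 EC 40 45 33 C0",
  "il2cpp_method_get_param_count": `${thunksSpaced(17)}48 83 EC 28`,
  "il2cpp_class_from_il2cpp_type": "B201E9????????CCCCCCCCCCCCCCCCCCE9",
  "il2cpp_class_from_type": "B2 01 E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC CC E9",
  "il2cpp_class_is_valuetype": `${thunks(2)}488991D0000000`,
  "il2cpp_method_get_param_name": `${thunksSpaced(15)}48 83 EC 28`,
  "il2cpp_method_get_param": `${thunksSpaced(18)}48 83 EC 28`,
  "il2cpp_array_length": `${thunks(4)}B820000000`,
  "il2cpp_string_new_wrapper": `${thunks(12)}4053`,
  "il2cpp_class_enum_basetype": `${thunks(2)}B201`,
  "il2cpp_class_array_element_size": `${thunks(3)}B201`,
  "il2cpp_class_get_parent": `${thunks(3)}0FB681`,
  "il2cpp_class_get_assemblyname": `${thunks(1)}4883EC284C8D442440`,
  "il2cpp_class_is_enum": `${thunks(7)}488991D0000000`,
  "il2cpp_class_is_interface": `${thunks(4)}488991D0000000`,
  "il2cpp_class_is_inflated": `${thunks(5)}488991D0000000`,
  "il2cpp_class_get_fields": `${thunks(11)}0FB681`,
  "il2cpp_class_get_methods": `${thunks(7)}0FB681`,
  "il2cpp_field_get_name": `${thunks(6)}B201`,
  "il2cpp_assembly_get_image": `${thunks(6)}B201`,
  "il2cpp_method_get_name": `${thunks(6)}0FB681`,
  "il2cpp_image_get_assembly": `${thunks(6)}0FB681`,
  "il2cpp_domain_assembly_open": "48 8B CA E9 ?? ?? ?? ?? CC CC CC CC CC CC CC CC E9",
  "il2cpp_field_get_parent": `${thunks(6)}0FB681`,
  "il2cpp_method_get_class": `${thunks(5)}0FB681`,
  "il2cpp_class_get_nested_types": `${thunks(4)}0FB681`,
  "il2cpp_class_get_image": `${thunks(6)}B201`,
  "il2cpp_class_get_static_field_data": "488B81B8000000C3CCCCCCCCCCCCCC",
  "il2cpp_class_get_namespace": `${thunks(5)}0FB681`,
  "il2cpp_class_value_size": `${thunks(2)}4883EC28E8????????488B4808`,
  "il2cpp_class_instance_size": `${thunks(11)}488991D0000000`,
  // NOTE(review): lone "?" kept as in the original; the P.S. below says
  // Memory.scanSync rejects that form, so this was probably meant to be "??" — confirm.
  "il2cpp_method_get_flags": "48 89 5C 24 ? 57 48 83 EC 20 48 8B DA 48 8B F9 48 85 D2 74 07",
  "il2cpp_object_unbox": `${thunks(1)}B818000000`,
});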
2. Changed the "r" function to find them
```js
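// Exports for which the FIRST pattern hit is the wanted address; for every
// other pattern the LAST hit is used. This split is empirical for the build
// the patterns were taken from — presumably the other hits are jump thunks
// onto the same code, but confirm in a disassembler if a call through one of
// these misbehaves.
const FIRST_MATCH_EXPORTS = new Set([
  "il2cpp_class_get_type",
  "il2cpp_type_get_name",
  "il2cpp_method_get_param_count",
  "il2cpp_method_get_param_name",
  "il2cpp_method_get_param",
]);

/**
 * Locate a stripped export by scanning GameAssembly.dll for its byte pattern.
 *
 * Reads the globals `base` (the module) and `_backupExports` (name -> pattern).
 * A pattern hit is only a heuristic: a false positive hands NativeFunction an
 * address that is not the real function, which usually crashes the process or
 * silently corrupts it, so a newly added pattern is unverified until a call
 * through it has been checked.
 *
 * @param {string} exportName - il2cpp export symbol to look up.
 * @returns {NativePointer | undefined} the chosen hit, or undefined when there
 *   is no pattern, no hit, or the scan itself threw (each case is logged).
 */
function scanForExport(exportName) {
  const pat = _backupExports[exportName];
  if (!pat) {
    // The original only warned here and then went on to call
    // Memory.scanSync with an undefined pattern; stop instead.
    console.warn(`Pattern scan fucked up. ${exportName}`);
    return undefined;
  }
  try {
    const results = Memory.scanSync(base.base, base.size, pat);
    if (results.length === 0) {
      console.warn(`Pattern scan fucked up. ${exportName} - 2`);
      return undefined;
    }
    return FIRST_MATCH_EXPORTS.has(exportName)
      ? results[0].address
      : results[results.length - 1].address;
  } catch (e) {
    // e.g. a malformed pattern (the P.S. below notes scanSync rejects a lone "?")
    // or an unreadable range; keep the reason instead of logging only the name.
    console.warn(`${exportName} - ${e}`);
    return undefined;
  }
}

/**
 * Resolve an il2cpp export to a NativeFunction, falling back to a byte-pattern
 * scan of GameAssembly.dll when the export has been stripped from the binary.
 *
 * Lookup order: the IL2CPP_EXPORTS override table, the module's export table,
 * the memory-snapshot API table, and finally scanForExport(). Every resolution
 * is logged with its address so a suspicious pattern hit can be spotted.
 *
 * @param {string} exportName - il2cpp export symbol name, e.g. "il2cpp_domain_get".
 * @param {string} retType - NativeFunction return type.
 * @param {string[]} argTypes - NativeFunction argument types.
 * @returns {NativeFunction}
 * @throws whatever raise() throws when no strategy yields an address.
 */
function r(exportName, retType, argTypes) {
  let handle =
    globalThis.IL2CPP_EXPORTS?.[exportName]?.() ??
    Il2Cpp.module.findExportByName(exportName) ??
    Il2Cpp.memorySnapshotApi[exportName];
  if (!handle) {
    handle = scanForExport(exportName);
  }
  console.warn(`${exportName} - ${handle}`);
  return new NativeFunction(handle ?? raise(`couldn't resolve export ${exportName}`), retType, argTypes);
}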
```
In my case the exports were removed, so I had to pattern-scan for them. If you know the names, you can simply compare the obfuscated names with the ones you'd specify, and replace the whole "try-catch" part with either a Module.enumerateExports or a Module.enumerateSymbols search to match the pairs.
P.S. If you're going to use the pattern-scan method, note that Frida accepts "?" as a 2-byte option if you use Memory.scan, but with Memory.scanSync a single question mark in place of a value equal to two bytes gives you an error whose explanation is not that straightforward, so I thought I would let you know.
Hi. The app's Unity version appears to be 2019.4.17f1c1.
I tried Il2Cpp.dump() but get this error: il2cpp: couldn't resolve export il2cpp_assembly_get_image. How can I fix this?