vfsfitvnm / frida-il2cpp-bridge

A Frida module to dump, trace or hijack any Il2Cpp application at runtime, without needing the global-metadata.dat file.
https://github.com/vfsfitvnm/frida-il2cpp-bridge/wiki
MIT License

Tracing vs. Dumping: Different Addresses Issue #358

Closed catlowlevel closed 11 months ago

catlowlevel commented 11 months ago

I've noticed something strange – when I trace and dump, the addresses I get don't match up. I tried using Zygisk-Il2CppDumper and it gave me the right addresses. What's going on?

the dump address (left) is wrong [screenshot: swappy-20230901_181512]

Great Tool by the way.

ekologic commented 11 months ago

Just curious both of them provide the offsets right?

catlowlevel commented 11 months ago

> Just curious both of them provide the offsets right?

yes

catlowlevel commented 11 months ago

Okay, it turns out that the addresses from the trace result and Il2CppDumper are different. I initially assumed they were the same because the last three digits matched. I apologize for the confusion.

I realized that it was incorrect when I attempted to hook it, and it didn't work. I tried all three addresses.

Now, I've also tried another method from the same class, and it also has different addresses between the tracer, dumper, and Il2CppDumper.

I obtained the address by getting the MethodInfo* and placing a hook on methodPointer, and it's working. What's going on?

Note: I'm using And64InlineHook for hooking

vfsfitvnm commented 11 months ago

Uhm, unfortunately I cannot test the game by myself as I think it requires some effort to get that method to execute (I guess you need to play it a little). However I see the problem here, but I am confused: what did you try so far? What's the correct offset?

Both tracing and dumping print Il2Cpp.Method::relativeVirtualAddress, so it should be the same.

PS: what are the Frida and frida-il2cpp-bridge versions?

catlowlevel commented 11 months ago

I obtain the MethodInfo by calling il2cpp_class_get_method_from_name, and then I use the following function to hook it:

#include "And64InlineHook.hpp"   // A64HookFunction(symbol, replacement, &original)

// In-place hook of an il2cpp method: the original entry point is written back
// into methodPointer, so the replacement can call the original through it.
template<typename T>
void *MethodInfo::replace(T func) {
    A64HookFunction(methodPointer, (void *) func, &methodPointer);
    return methodPointer;
}

However, I've encountered an issue where this approach doesn't work for some functions. I'm curious about how this tool performs tracing. Does it hook every function? If it does, could you please explain how it accomplishes this?

By the way, my frida-il2cpp-bridge version is 0.8.3, and my frida version is 16.1.0. However, I suspect the problem may be related to how I'm hooking it, rather than these version details.

vfsfitvnm commented 11 months ago

frida-il2cpp-bridge is built on top of Frida, that is I do not perform any relatively low level operation on my own, I just use Frida's Interceptor.replace (used when tracing with parameters and when re-implementing a method body) and Interceptor.attach (used when tracing without parameters).
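The comparison the thread is about, as an added example (not code from the issue or from frida-il2cpp-bridge itself): the tracer and dumper print a method's relativeVirtualAddress, so a hook address taken from methodPointer has to be rebased against the il2cpp module before the two can be compared, and matching only the last three hex digits is not a match. The assembly "Assembly-CSharp", class "Game.Player" and method "TakeDamage" are placeholder names; the bridge calls assume the 0.8.x API named in the thread (Il2Cpp.perform, Il2Cpp.domain, Il2Cpp.module, method.virtualAddress / relativeVirtualAddress), and the Frida part only runs inside a Frida session.

```javascript
// Added example, not part of the issue or of frida-il2cpp-bridge.
// Assumed placeholder names: "Assembly-CSharp", "Game.Player", "TakeDamage".

// relativeVirtualAddress = absolute address - base of the il2cpp module.
// Addresses are handled as BigInt so the same helper works in Frida and in node.
function toRva(absoluteAddress, moduleBase) {
  return absoluteAddress - moduleBase;
}

// The trap from the thread: two addresses whose low 12 bits (offset inside a
// 4 KiB page) agree share their last three hex digits but are different code.
function classifyMatch(rvaA, rvaB) {
  if (rvaA === rvaB) return "same";
  if ((rvaA & 0xfffn) === (rvaB & 0xfffn)) return "same-page-offset-only";
  return "different";
}

function hex(v) {
  return "0x" + v.toString(16);
}

// Frida-only part: resolve the method through the bridge, print the RVA the
// tracer/dumper would show next to the rebased absolute address, then attach
// the way the tracer does when tracing without parameters.
if (typeof Il2Cpp !== "undefined") {
  Il2Cpp.perform(() => {
    const method = Il2Cpp.domain
      .assembly("Assembly-CSharp").image
      .class("Game.Player")
      .method("TakeDamage");

    const base = BigInt(Il2Cpp.module.base.toString());
    const abs = BigInt(method.virtualAddress.toString());

    console.log("bridge RVA :", method.relativeVirtualAddress.toString());
    console.log("rebased VA :", hex(toRva(abs, base)));

    Interceptor.attach(method.virtualAddress, {
      onEnter() {
        console.log(`enter ${method.name} @ ${hex(abs)}`);
      },
    });
  });
}
```

Run it with `frida -U -l bridge.js -l this.js <app>` after loading the bridge; if the rebased value equals the bridge's RVA, the offset from the dump or trace is the one to hook, and a "same-page-offset-only" result means the comparison was on the last three digits only.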

vfsfitvnm commented 11 months ago

Not every function can be hooked, though. For instance, thunk functions can't be hooked by Interceptor (there isn't enough space to accommodate the trampoline instructions), but Frida typically hooks the targeted function instead (ref)