vfsfitvnm / frida-il2cpp-bridge

A Frida module to dump, trace or hijack any Il2Cpp application at runtime, without needing the global-metadata.dat file.
https://github.com/vfsfitvnm/frida-il2cpp-bridge/wiki
MIT License

dlopen hook doesn't work on Android 7 #367

Closed vfsfitvnm closed 11 months ago

vfsfitvnm commented 11 months ago

https://github.com/vfsfitvnm/frida-il2cpp-bridge/issues/360

vfsfitvnm commented 11 months ago

@Flechaa it should be fixed at master now. Would you confirm? :heart:

Flechaa commented 11 months ago

With https://github.com/vfsfitvnm/frida-il2cpp-bridge/commit/f974f3124ecacfdc9657c74fca611f2a0b0c37f2 it wasn't able to get the hook like before, but https://github.com/vfsfitvnm/frida-il2cpp-bridge/commit/6a7182c5d4f4939031eccf6014b475f1b5a88a8e fixed it. However, the game crashes on startup every time with:

[HUAWEI VNS L31::com.nianticlabs.pokemongo ]-> Process crashed: Bad access due to invalid address

***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'HUAWEI/VNS-L31/HWVNS-H:7.0/HUAWEIVNS-L31/C432B418:user/release-keys'
Revision: '0'
ABI: 'arm64'
pid: 11386, tid: 11386, name: clabs.pokemongo  >>> com.nianticlabs.pokemongo <<<        
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0

backtrace:
    #00 pc 0000000000064340  /system/bin/linker64 (__dl_syscall+32)
    #01 pc 0000000000007390  /system/bin/linker64 (__dl__ZL24debuggerd_signal_handleriP7siginfoPv+1116)
    #02 pc 0000000000002c34  /system/bin/app_process64 (InvokeUserSignalHandler+300)
    #03 pc 00000000001ae280  /system/lib64/libart.so (_ZN3art12FaultManager11HandleFaultEiP7siginfoPv+360)
    #04 pc 0000000000b3bb6c  /data/local/tmp/re.frida.server/frida-agent-64.so (offset 0x9f0000)
    #05 pc 00000000000004dc  [vdso:0000007cfb7ca000]
    #06 pc 00000000000004f4  /system/lib64/libc.so (offset 0x1b000)
***
vfsfitvnm commented 11 months ago

I'm so exhausted lol, it looks like frida just can't hook dlopen for some reason - it works fine on the x86 emulator...

vfsfitvnm commented 11 months ago

If it doesn't bother you, would you try older frida releases? E.g. 14.x.x, 15.x.x, as it may be a regression.

Test script:

// Resolve the linker's internal dlopen entry point by symbol name.
const dlopen = Process.findModuleByName("linker64")
    .enumerateSymbols()
    .find(_ => _.name == "__dl_open");

// Log the path argument of every dlopen call.
Interceptor.attach(dlopen.address, {
    onEnter(args) {
        console.log(dlopen.name, args[0].readCString());
    }
});
Flechaa commented 11 months ago

Tried 15.0.0 and it did work, but your snippet also worked in 16.0.3, which is one of the last versions before frida completely breaks for my device.

[HUAWEI VNS L31::com.nianticlabs.pokemongo]-> __dl_open /vendor/lib64/hw/gralloc.hi6250.so
Flechaa commented 11 months ago

Ok, this is really weird, after a few attempts the game stopped crashing and this happened instead:

[HUAWEI VNS L31::com.nianticlabs.pokemongo ]-> Error: unable to find module 'libil2cpp.so'
    at Object.value [as getModuleByName] (frida/runtime/core.js:339:1)
    at Object.<anonymous> (:45:23)
    at Object.n.get (:10:30)
    at t (:11:10)
    at Object.get getCorlib (:291:13)
    at Object.n.get [as getCorlib] (:10:30)
    at Object.e.initialize (:31:2)
    at Object.t [as perform] (:22:18)
il2cpp: libil2cpp.so has been loaded, but such event hasn't been detected - please file a bug
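The "libil2cpp.so has been loaded, but such event hasn't been detected" message is the symptom of the dlopen hook from the test script above never firing. The following is an added example, not frida-il2cpp-bridge's own code, of a detection routine that tolerates that: it checks whether the library is already loaded, hooks dlopen, and falls back to polling the module list. The `env` interface, `waitForIl2Cpp` and `fridaEnv` are names invented here; `Process` and `Interceptor` are Frida's, and the `__dl_open` symbol in `linker64` is the one the thread's test script hooks.

```javascript
// Added example, not frida-il2cpp-bridge's own code: detect when libil2cpp.so
// is available by (1) checking if it is already loaded, (2) a dlopen hook, and
// (3) polling the module list as a fallback for the failure in this thread,
// where the dlopen hook never fires on an Android 7 device. Frida calls are
// injected through `env` so the logic also runs (and is testable) outside Frida.
const IL2CPP_SO = "libil2cpp.so";
// env.findModule(name) -> module or null   (Process.findModuleByName in Frida)
// env.onDlopen(cb)     -> cb(path) after each dlopen returns; false if unhookable
// env.schedule(fn, ms) -> run fn later    (setTimeout in Frida)
function waitForIl2Cpp(env, onReady, pollMs = 200) {
    let done = false;
    const finish = (how, mod) => { if (!done) { done = true; onReady(how, mod); } };

    const early = env.findModule(IL2CPP_SO);      // attached after the load
    if (early) return finish("already-loaded", early);

    env.onDlopen((path) => {                       // normal path
        if (path === IL2CPP_SO || path.endsWith("/" + IL2CPP_SO)) {
            const mod = env.findModule(IL2CPP_SO);
            if (mod) finish("dlopen-hook", mod);
        }
    });

    const poll = () => {                           // hook never delivered
        if (done) return;
        const mod = env.findModule(IL2CPP_SO);
        if (mod) finish("poll", mod); else env.schedule(poll, pollMs);
    };
    env.schedule(poll, pollMs);
}

// Adapter for a real Frida session. Hooks the same linker64 "__dl_open" symbol
// as the test script in this thread (assumes an arm64 Android 7 linker; the
// Process/Interceptor names are Frida's). Not executed when run outside Frida.
function fridaEnv() {
    return {
        findModule: (name) => Process.findModuleByName(name),
        onDlopen: (cb) => {
            const linker = Process.findModuleByName("linker64");
            const sym = linker && linker.enumerateSymbols().find((s) => s.name === "__dl_open");
            if (!sym) return false;
            Interceptor.attach(sym.address, {
                onEnter(args) { this.path = args[0].readCString(); },
                onLeave() { cb(this.path); },
            });
            return true;
        },
        schedule: (fn, ms) => setTimeout(fn, ms),
    };
}
```

In a Frida script, `waitForIl2Cpp(fridaEnv(), (how, mod) => console.log(how, mod.base))` reports which of the three paths detected the library, which makes a silent hook failure visible instead of ending in the "unable to find module" error above.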
vfsfitvnm commented 11 months ago

Thanks for reporting back, at least we know it's a frida problem. What's the snippet that caused that weird behaviour? Unfortunately the stack trace isn't helpful (you aren't using frida-compile, are you?)

Flechaa commented 11 months ago

Using master caused this weird behavior, all I did was:

import "frida-il2cpp-bridge";

Il2Cpp.perform(() => console.log("Hello World"));

compiled with frida-compile. Sometimes I get a crash; sometimes it doesn't crash, but Hello World is never printed.

vfsfitvnm commented 11 months ago

Frida version?

Flechaa commented 11 months ago

16.0.3

vfsfitvnm commented 11 months ago

Uhm, so the test snippet works on 16.0.3, but Il2Cpp.perform does not?

Flechaa commented 11 months ago

Yes

vfsfitvnm commented 11 months ago

@Flechaa Thanks for helping me out, master should work now! Can you confirm (no rush, take your time)?

Flechaa commented 11 months ago

Yes, it does work.

vfsfitvnm commented 11 months ago

Fixed in v0.8.7