search

vfsfitvnm / frida-il2cpp-bridge

A Frida module to dump, trace or hijack any Il2Cpp application at runtime, without needing the global-metadata.dat file.
https://github.com/vfsfitvnm/frida-il2cpp-bridge/wiki
MIT License
946 stars 194 forks source link

Faulty logic in testing which module to load #368

Closed bluewave41 closed 11 months ago

bluewave41 commented 11 months ago

https://github.com/vfsfitvnm/frida-il2cpp-bridge/blob/master/src/il2cpp/module.ts#L15C21-L15C21

There's no way this works correctly right? I tried to load a mac file that uses GameAssembly.dylib but it failed because there's no way for return "UnityFramework"; to return an exception thus it never tries the second option.

vfsfitvnm commented 11 months ago

That line of code always returns "UnityFramework" which is (of course) incorrect if you are on macos.

case "darwin":
    try {
        return "UnityFramework";
    } catch (e) {
        return "GameAssembly.dylib";
    }

exists so that the possible shared library names are kept within the same code block.

This is due to the fact Frida don't tell you whether you are on macos or ios (the same goes for linux and android), and I can't really test as I don't use those platforms (PR welcome!).

However, once you call Il2Cpp::perform https://github.com/vfsfitvnm/frida-il2cpp-bridge/blob/3754f1e9ee77eadede4953e11bb647cb0a2ec025/src/il2cpp/module.ts#L37 I set the detected module name.

Yes, this is the laziest solution I came up with, there's room for improvement :smile:

vfsfitvnm commented 11 months ago

Notice that on macos/ios, IL2CPP exports might be "bundled" within the executable itself, so there won't be any UnityFramework/GameAssembly.dylib, hence the DebugSymbol.fromName("il2cpp_init")

vfsfitvnm commented 11 months ago

Closing for now, feel free to submit further questions