vfsfitvnm / frida-il2cpp-bridge

A Frida module to dump, trace or hijack any Il2Cpp application at runtime, without needing the global-metadata.dat file.
https://github.com/vfsfitvnm/frida-il2cpp-bridge/wiki
MIT License

il2cpp_field_static_set_value doesn't dereference pointer-like values #398

Closed bluewave41 closed 10 months ago

bluewave41 commented 10 months ago

This APK was never meant to run on phones so I have a convoluted script setup to even get it working somewhat which makes it a pain to share.

So there's a class

// Assembly-CSharp
class Launcher.Global : System.Object
{
    static System.String PersistentDataPath; // 0x8
    static System.Void .cctor(); // 0x00bf3678
}

I need to change the PersistentDataPath so I've done the following.

assembly.class('Launcher.Global').method('.cctor').implementation = function() {
    // run the original static constructor first
    this.method('.cctor').invoke();
    if (this.field('PersistentDataPath')) {
        console.log('HERE', this.field('PersistentDataPath').value);
        console.log('HERE', this.field('PersistentDataPath').content);
        this.field('PersistentDataPath').value = Il2Cpp.string('/sdcard/Android/data/com.a.b/files');
        this.field('PersistentDataPath').content = Il2Cpp.string('/sdcard/Android/data/com.a.b/files');
        console.log('HERE', this.field('PersistentDataPath').value);
        console.log('HERE', this.field('PersistentDataPath').content);
    }
}

This prints out

HERE "/sdcard/Android/data/com.a.a/files"
HERE undefined
HERE ""
HERE undefined

I'm using the latest version, 0.8.8. I'm unsure what it's doing here as I've used this same approach in other projects and it worked fine there.

vfsfitvnm commented 10 months ago

Hey, do yourself a favor and use TypeScript; you could quickly see the APIs.

The line that actually does something is:

this.field<Il2Cpp.String>("PersistentDataPath").value = Il2Cpp.string("/sdcard/Android/data/com.a.b/files")

However, for some reason I cannot recall now (I should investigate), it won't work.

You could do this instead:

this.field<Il2Cpp.String>("PersistentDataPath").value.content = "/sdcard/Android/data/com.a.b/files";

Keep in mind that overwriting the content of a string is an unsafe operation (#332).

vfsfitvnm commented 10 months ago

I confirm it's a bug on my end. Thanks for reporting!

vfsfitvnm commented 10 months ago

In the meantime, you can do:

Il2Cpp.api.fieldSetStaticValue(this.field<Il2Cpp.String>("PersistentDataPath"), Il2Cpp.string("hello"));

bluewave41 commented 10 months ago

Hey, do yourself a favor and use TypeScript; you could quickly see the APIs.

Haha, I do. This is just a quick proof-of-concept thing, so I half-assed it together. :)