Something weird is happening in jailed iOS

[matteozappia]

I injected frida-gadget in a unity game, and I got it working also without JIT. Then I tried to inject a script with Il2Cpp.perform but it looks like the script doesn't execute at all cause I can't see the changes I made in game.

To double check I tried on a jailbroken device the same script and it works, so I think there is an issue with jailed iOS when gadget configuration interaction is set to "script", cause when I set gadget interaction to "listen" the script loads successfully.

Maybe Il2cpp can't load images? I don't know how to see debug logs, i already tried with console.log but i can't see anything in Console app on my mac. maybe you can help me identifying the issue?

Note: it's not an issue of frida-gadget cause when the interaction is set to "script" and script.js is not using this library it works.

[vfsfitvnm]

Thanks for reporting; unfortunately I don't own a iOS device so I can't test it. However, I believe it's somewhere in https://github.com/vfsfitvnm/frida-il2cpp-bridge/blob/127d2f98e0322d06dbb38c5bb9bdc62b0cd271d4/src/utils/native-wait.ts

What happens if you wrap the script in a setTimeout?:

setTimeout(() => {
    Il2Cpp.perform(() => {
        console.log(Il2Cpp.unityVersion);
    });
}, 5000);

[matteozappia]

I tried the code u sent me and I can't tell if it works, cause I got no log in Console.app, but I added the timeout to my script and the situation is the same so I guess it isn't working :/

[vfsfitvnm]

setTimeout(() => {
    Il2Cpp.perform(() => {
        console.log(Il2Cpp.unityVersion);
    });
}, 5000);

console.log("Loaded");

So I believe this one prints "Loaded" and nothing else?

[matteozappia]

I don't know why it doesn't log anything to the Console.app, so I tried alerts and actually everything works. So Il2Cpp.perform does work.

The problem is that the moment I go to insert something like this into the script the game crashes:

const assembly = Il2Cpp.Domain.assembly("Assembly-CSharp").image;

assembly.class("BeatStar.RhythmGame.RhythmGameColours").method("GetLaneColourForScore").implementation = function (
  scoreType: any) {
  let result = this.method("GetLaneColourForScore").invoke(scoreType) as Il2Cpp.Object;
  if (scoreType.toString() == "APLUS") {
      result.field("r").value = 127;
      result.field("g").value = 17;
      result.field("b").value = 224;
      result.field("a").value = 1;
    }
  return result;
};

I then reopened the game with JIT enabled and this time it did not crash but it seems to completely ignore the code above, the changes had not been made. Not having the logs then makes everything much more difficult, I googled if there was a way to log everything in a file but couldn't find anything for jailed iOS.

[vfsfitvnm]

Now I see. You should find something similar to https://github.com/frida/frida/issues/382, but for iOS...

Unfortunately there's very little I can do - I cannot even check the correctness of you snippet without having the declarations of the method and classes you are interacting with.

Also, please upgrade to 0.9.0 if you didn't - it definitely helps as well

[matteozappia]

I couldn't find anything similar for iOS unfortunately, but at least I was able to use NSLog and found that the problem is in ".implementation". In fact, the script does not pass that step and does not get to "done"

this is my script code:

setTimeout(() => {

const assembly = Il2Cpp.domain.assembly("Assembly-CSharp").image;

customPrint("assembly: " + assembly.handle.toString())

Il2Cpp.perform(() => {
  customPrint("joined il2cpp.perform");

  customPrint("class: " + assembly.class("BeatStar.RhythmGame.RhythmGameColours").handle.toString())

  customPrint("method: " + assembly.class("BeatStar.RhythmGame.RhythmGameColours").method("GetLaneColourForScore").handle.toString())

    assembly.class("BeatStar.RhythmGame.RhythmGameColours").method("GetLaneColourForScore").implementation = function (scoreType: any) {

      customPrint("calling assembly.class(BeatStar.RhythmGame.RhythmGameColours).method(GetLaneColourForScore).implementation")

      let result = this.method("GetLaneColourForScore").invoke(scoreType) as Il2Cpp.Object;
      customPrint("result: " + result)
      if (scoreType.toString() == "APLUS") {
        result.field("r").value = 127;
        result.field("g").value = 17;
        result.field("b").value = 224;
        result.field("a").value = 1;
      }
      return result;
    };

customPrint("done")

});
}, 3000);

If you have ideas on how to debug better to provide more informations please tell me.

PS: I already had version 0.9.0. Also the hooking part is working on jailbroken device and on jailed device when gadget interaction is set to "listen" so the code shouldn't be the problem.

[ExternalAddress4401]

You might want to try logging the error explicitly in .implementation https://github.com/vfsfitvnm/frida-il2cpp-bridge/blob/master/src/structs/method.ts#L177

Lets make sure there aren't any frida errors being eaten there first somehow.

I'm fighting with objection and an iPhone xr right now to test this out.

[ExternalAddress4401]

I see you've already closed this but I can't replicate it.

First off the colors need to be between 0 and 1. 127 is way out of that range.

An objection compiled gadget in script mode works on my XR on ios 16 with the provided script.

[matteozappia]

Yeah I managed to fix this, it was an error with my gadget. Thanks for helping me btw😉

[vfsfitvnm]

Would you mind tell us the error within your configuration? It might help someone else as well :smile: