Discussion Frida not detecting libil2cpp.so

[athenegg]

Rooted, frida-server running, everything works. However, it can't detect the libil2cpp.so in the game.
I'm trying to get the base address of libil2cpp.so

I can see that libil2cpp.so is loaded in GameGuardian

I can successfully check all loaded module of the package and list it all out as seen below.

I enumerated all modules with this script.

Spoiler: Enumeration of Modules Code

// frida-enumerate-modules.js

// Wait for the script to attach to the process
Java.perform(function () {
// Function to enumerate and print information about all modules
function enumerateModules() {
console.log('Enumerating modules...');

// Introduce a short delay
setTimeout(function () {
// Enumerate loaded modules
Process.enumerateModules({
onMatch: function (module) {
console.log(`Module: ${module.name} - Base: ${module.base} - Size: ${module.size}`);
},
onComplete: function () {
console.log('Module enumeration completed.');
},
});
}, 1000); // Adjust the delay as needed
}

// Run the enumerateModules function when the script is loaded
enumerateModules();
});

However, libil2cpp.so isn't listed in there.

Is there something I'm doing wrong?
This is my code that I use to search for libil2cpp.so and it's base address.

Spoiler: libil2cpp.so attach base address code

// frida-search-libil2cpp.js

// Wait for the script to attach to the process
Java.perform(function () {
// Function to search for libil2cpp.so and print its base address
function searchForLibil2cpp() {
console.log('Searching for libil2cpp.so...');

// Introduce a short delay
setTimeout(function () {
// Flag to check if libil2cpp.so is found
var libil2cppFound = false;

// Enumerate loaded modules
Process.enumerateModules({
onMatch: function (module) {
if (module.name.toLowerCase().includes('libil2cpp.so')) {
console.log(`Found libil2cpp.so at base address: ${module.base}`);
libil2cppFound = true;
}
},
onComplete: function () {
if (!libil2cppFound) {
console.log('libil2cpp not found or base address not found.');
} else {
console.log('Module search completed.');
}
},
});
}, 1000); // Adjust the delay as needed
}

// Run the searchForLibil2cpp function when the script is loaded
searchForLibil2cpp();
});

 

[Del3787535]

Do you have an alternative to memory based il2cpp dumps?

There are probably multiple ways, one option I dont think I have ever seen mentioned in public forums personally (Not that I keep up to date much with android these days) is:

Its possible to dump global-metadata.dat from hooking a specific libil2cpp.so function, libil2cpp.so has a function that loads the global-metadata.dat file, Note I dont actively mod these days so some example info could be outdated, for example gameguard games also encrypt global-metadata.dat (used to at least), but it is possible (used to be at least) to hook the function that loads global-metadata.dat.

The function that loads the metadata.dat file returns the plain decrypted version of the file, so once you knew the offset to this function you could easily hook this function with frida and in "OnLeave" read the contents of "retval" and save the data, which conveniently was the decrypted global-metadata.dat.

I did have a quick look at this soul knight game, and that function is easy to find, the issue with this game is that there are strings mentioning ELF_HOOK("FunctionName") where "FunctionName" had common global-metadata.dat loader functions listed, meaning for this game they are definitely aware of this.

 

[hienngocloveyou]

Ok ye, I tried it myself with frida both frida-server-16.1.8-android-x86_64 and frida-server-16.1.9-android-x86_64 and yes logcat is reporting crashes and the connection is closed quickly.

This was using the default LDPlayer installed files which by default installs Android9.0 (64-bit), I then used LDMultiPlayer to create a new instance, this time with Android7.0 (64-bit) and retried. This time frida with realm=emulated does not crash on either version of frida-server, using the code I pasted above though doesnt log libil2cpp,so when I tested with a simple games (Subway Surfers). It appears that frida launches the script and instantly enumeratesModules() before the Unity libs are even loaded.

A simple way around this is is to launch the game and once the game has loaded for a few seconds (or more) you can then attach your frida script using:
frida -U -f "com.kiloo.subwaysurf" --realm emulated -l "script.js"
This should be fine since the game libs should have been loaded, my log showed this:

[...]
Module: libil2cpp.so - Base: 0x7ffef75a0000 - Size: 60784640
Module: libunity.so - Base: 0x7ffefaf98000 - Size: 19300352
[...]

Thank you for information.
I have a question, if i want to mod lib game armv7 (32bit) version. So I will use frida on Android 7 32bit (I dont know frida will work on android 32 bit or not).
Or I will just frida with Android 7 64bit but I will delete arm64 (64bit) lib to force game only load 32bit libs ( I don’t know frida can attach 32bit lib or not in this case)
I am waiting your reply.

Regards,s

 

[Del3787535]

Thank you for information.
I have a question, if i want to mod lib game armv7 (32bit) version. So I will use frida on Android 7 32bit (I dont know frida will work on android 32 bit or not).
Or I will just frida with Android 7 64bit but I will delete arm64 (64bit) lib to force game only load 32bit libs ( I don’t know frida can attach 32bit lib or not in this case)
I am waiting your reply.

Regards,s

If you are on a 64bit device, you can stick to frida-server 64 bit, even if you come across a game that is only 32bit it doesn't matter, frida can deal with that on its own.

When using frida there may be a time when you need to think about whether the game is 32 bit or 64 bit, but thats only really if you are using Frida's ArmWriter or Arm64Writer, since you use these to hex patch the games lib you will need to keep in mind whether to patch arm vs arm64 bytes, even then though you can still use frida-server 64 bit.

For Interceptor.attach() / Interceptor.replace() and so on, you shouldn't need to think about the game libs being 32/64 bit, you can just use 64 bit frida server and let frida do the rest.

 

[hienngocloveyou]

If you are on a 64bit device, you can stick to frida-server 64 bit, even if you come across a game that is only 32bit it doesn't matter, frida can deal with that on its own.

When using frida there may be a time when you need to think about whether the game is 32 bit or 64 bit, but thats only really if you are using Frida's ArmWriter or Arm64Writer, since you use these to hex patch the games lib you will need to keep in mind whether to patch arm vs arm64 bytes, even then though you can still use frida-server 64 bit.

For Interceptor.attach() / Interceptor.replace() and so on, you shouldn't need to think about the game libs being 32/64 bit, you can just use 64 bit frida server and let frida do the rest.

Hi mate,
Thank you make me clear about that. I was really confused about frida server x86-64, so frida not support for android 32bit device , right ? Because If I using android 64 bit I must delete arm64 libs to force the game load 32bit (32bit is easy to hex or mod rather than 64bit)
Seem you has experience about frida, can I DM you to deal to help me mod the game ?

Regard,

 

[Del3787535]

Hi mate,
Thank you make me clear about that. I was really confused about frida server x86-64, so frida not support for android 32bit device , right ? Because If I using android 64 bit I must delete arm64 libs to force the game load 32bit (32bit is easy to hex or mod rather than 64bit)
Seem you has experience about frida, can I DM you to deal to help me mod the game ?

Regard,

To put it really simply,
If you have 64 bit device use frida server 64 bit.
If you have 32 bit device use frida server 32 bit.

If you have a question relating to a specific game, I am happy to check out your question, although this is athenagg's thread, you should make a new thread in this section, I am happy to check out any question you have and reply there :)

 

[nowhere_222]

@Backshift if you're using zygisk dumper, I'd recommend adding a 1 minute delay before dumping. Insta-dumping would result in an incomplete dump.

Where to put the 1 minute delay bro?

 

[mashie90]

This worked! Changing the instance to Android 7.0 64bit was definitely the move.
Thank you so much! You have been really really helpful. I have no idea how to thank you <3

I finally can mess around with Subway Surfers! And yes, that was the game I'm messing with from the beginning :)

Today i solved this "puzzle" by follow your advices running new ldplayer (7.1 30bit) + new frida version and its working! Its old post but its all there here. True lagend lol Im new with Frida, any useful thread/tutorial i can refer sir?

 

[Umokazan]

Today i solved this "puzzle" by follow your advices running new ldplayer (7.1 30bit) + new frida version and its working! Its old post but its all there here. True lagend lol Im new with Frida, any useful thread/tutorial i can refer sir?

Can you explain the whole setup? I've tried a lot now but nothing seems to quite work correctly, i cant get libil2cpp etc to load. been using 7.1 64 bit, newest frida stuff and everything seems to be setup and working as intended too. --realm emulated did not help the issue / just gave me Java API / java VM errors.

 

[Umokazan]

Update, got it working - 7.1 64bit is also viable with newest frida stuff

 

[mashie90]

Update, got it working - 7.1 64bit is also viable with newest frida stuff

Is it with new ldplayer? I'm still using 32bit ldplayer. Tried with 64bit but no luck

 

[Umokazan]

Is it with new ldplayer? I'm still using 32bit ldplayer. Tried with 64bit but no luck

its the 7.1 64 bit version. opened its "5.0.10".

Now im only wondering, since --realm emulated hinders us a shit ton & guts the java api, how do we deal with that ?

 

[Umokazan]

It sadly looks like frida gadget or a physical device are the only options here