Discussion: Frida not detecting libil2cpp.so

Backshift

Solid & Active Platinian
Oct 10, 2023
Do you have an alternative to memory based il2cpp dumps?
There are probably multiple ways; one option I don't think I have ever seen mentioned in public forums personally (not that I keep up to date much with Android these days) is:

It's possible to dump global-metadata.dat by hooking a specific libil2cpp.so function: libil2cpp.so has a function that loads the global-metadata.dat file. Note I don't actively mod these days so some example info could be outdated; for example, GameGuard games also encrypt global-metadata.dat (used to at least), but it is possible (used to be at least) to hook the function that loads global-metadata.dat.

The function that loads the metadata file returns the plain decrypted version of the file, so once you knew the offset of this function you could easily hook it with Frida and in "onLeave" read the contents of "retval" and save the data, which conveniently was the decrypted global-metadata.dat.

I did have a quick look at this Soul Knight game, and that function is easy to find. The issue with this game is that there are strings mentioning ELF_HOOK("FunctionName") where "FunctionName" lists common global-metadata.dat loader functions, meaning for this game they are definitely aware of this.

hienngocloveyou

Solid & Active Platinian
May 16, 2021
Ok yeah, I tried it myself with Frida, both frida-server-16.1.8-android-x86_64 and frida-server-16.1.9-android-x86_64, and yes, logcat is reporting crashes and the connection is closed quickly.

This was using the default LDPlayer installed files, which by default installs Android 9.0 (64-bit). I then used LDMultiPlayer to create a new instance, this time with Android 7.0 (64-bit), and retried. This time Frida with realm=emulated does not crash on either version of frida-server, though using the code I pasted above doesn't log libil2cpp.so when I tested with a simple game (Subway Surfers). It appears that Frida launches the script and instantly calls enumerateModules() before the Unity libs are even loaded.

A simple way around this is to launch the game and, once the game has loaded for a few seconds (or more), attach your Frida script using:
frida -U -f "com.kiloo.subwaysurf" --realm emulated -l "script.js"
This should be fine since the game libs should have been loaded; my log showed this:
Code:
[...]
Module: libil2cpp.so - Base: 0x7ffef75a0000 - Size: 60784640
Module: libunity.so - Base: 0x7ffefaf98000 - Size: 19300352
[...]
Thank you for the information.
I have a question: if I want to mod the lib of the game's armv7 (32-bit) version, should I use Frida on Android 7 32-bit (I don't know whether Frida will work on Android 32-bit or not)?
Or should I just use Frida with Android 7 64-bit but delete the arm64 (64-bit) lib to force the game to only load the 32-bit libs (I don't know whether Frida can attach to a 32-bit lib or not in this case)?
I am waiting for your reply.

Regards,
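The timing problem described in the quoted post above (the script calls enumerateModules() before Unity's native libraries are mapped, so libil2cpp.so is never logged) can be handled inside the script itself rather than by delaying the attach. The following Frida script is an added example for this thread, not code posted by either participant: it polls the module list until libil2cpp.so appears, then prints it in the same "Module: ... - Base: ... - Size: ..." format as the log above. The module name, the 500 ms interval and the 60 s limit are assumptions for illustration.

```javascript
// Added example for this thread (not code posted by Backshift or hienngocloveyou):
// a Frida script that waits for libil2cpp.so to be mapped instead of calling
// Process.enumerateModules() the instant the script loads, which is before
// Unity's native libraries have been loaded when the script starts at spawn.

// Pure helper: look up one module by name in the list an enumerator returns.
// Under Frida `enumerate` is () => Process.enumerateModules(); a test can
// pass a fake enumerator returning plain objects with the same fields.
function findModule(name, enumerate) {
  const modules = enumerate();
  for (const m of modules) {
    if (m.name === name) {
      return m;
    }
  }
  return null;
}

// Format one module the same way the log lines quoted in the thread do.
function describeModule(m) {
  return 'Module: ' + m.name + ' - Base: ' + m.base + ' - Size: ' + m.size;
}

// Poll the enumerator every `intervalMs` until the module appears, giving up
// after `maxAttempts` polls so a hung or crashed target does not wait forever.
function waitForModule(name, enumerate, intervalMs, maxAttempts) {
  return new Promise((resolve, reject) => {
    let attempts = 0;
    const poll = () => {
      const m = findModule(name, enumerate);
      if (m !== null) {
        resolve(m);
        return;
      }
      attempts += 1;
      if (attempts >= maxAttempts) {
        reject(new Error('gave up waiting for ' + name + ' after ' + attempts + ' polls'));
        return;
      }
      setTimeout(poll, intervalMs);
    };
    poll();
  });
}

// Entry point when injected by frida (`Process` does not exist under plain Node):
// assumed values, poll every 500 ms for up to 60 s, then log like the thread's output.
if (typeof Process !== 'undefined') {
  waitForModule('libil2cpp.so', () => Process.enumerateModules(), 500, 120)
    .then((m) => { console.log(describeModule(m)); })
    .catch((e) => { console.error(e.message); });
}
```

Load it the same way as any other script (for example with `-l script.js`); because the work happens inside the promise, the script returns immediately and keeps polling in the background, so it behaves the same whether the process was spawned or attached to after the game had already loaded.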
 

Backshift

Solid & Active Platinian
Oct 10, 2023
If you are on a 64-bit device, you can stick to the 64-bit frida-server; even if you come across a game that is only 32-bit it doesn't matter, Frida can deal with that on its own.

When using Frida there may be a time when you need to think about whether the game is 32-bit or 64-bit, but that's only really if you are using Frida's ArmWriter or Arm64Writer; since you use these to hex patch the game's lib you will need to keep in mind whether to patch arm vs arm64 bytes, but even then you can still use the 64-bit frida-server.

For Interceptor.attach() / Interceptor.replace() and so on, you shouldn't need to think about the game libs being 32/64-bit; you can just use the 64-bit frida-server and let Frida do the rest.
 

hienngocloveyou

Solid & Active Platinian
May 16, 2021
Hi mate,
Thank you for making that clear. I was really confused about frida-server x86-64, so Frida does not support Android 32-bit devices, right? Because if I use Android 64-bit I must delete the arm64 libs to force the game to load 32-bit (32-bit is easier to hex or mod than 64-bit).
It seems you have experience with Frida; can I DM you to make a deal for you to help me mod the game?

Regards,
 

Backshift

Solid & Active Platinian
Oct 10, 2023
To put it really simply:
If you have a 64-bit device, use the 64-bit frida-server.
If you have a 32-bit device, use the 32-bit frida-server.

If you have a question relating to a specific game, I am happy to check out your question, although since this is athenegg's thread you should make a new thread in this section; I am happy to check out any question you have and reply there :)