This is the AMP version of this page.
If you want to load the real page instead, click this text.

Help! Get text associated with a GameObject

D

decompile

Platinian
Hello all! I am using frida-il2cpp-bridge for an android game written in Unity/Mono. I am trying to figure out how to get the text associated with GameObjects (PlayerName, NameLabel, LevelLabel, etc.) that I can see using gc:

import "frida-il2cpp-bridge"; Il2Cpp.perform(() => { const CoreModule = Il2Cpp.domain.assembly("UnityEngine.CoreModule").image; const Transform = CoreModule.class("UnityEngine.Transform"); const GameObject = CoreModule.class("UnityEngine.GameObject"); Il2Cpp.gc.choose(Transform).forEach((instance: Il2Cpp.Object) => { console.log(instance); }); });

This gives me output such as:
chatTagName (UnityEngine.RectTransform) TipsNum (UnityEngine.RectTransform) Text (TMP) (UnityEngine.RectTransform) CountText (UnityEngine.RectTransform) PlayerName (UnityEngine.RectTransform)

I would like to get the text of something, such as PlayerName. From what I have learned, GameObject's should have a GetComponent that might do this, however, you need a type. I do not know the type to provide for these. Maybe there is another method to achieve this? Thank you!
 
Sort by date Sort by votes
What is the output when you change the code line below

Code: 
console.log(instance);

to

Code: 
console.log(instance.method('get_name').invoke().content);
 
Upvote 0 Downvote
dewadw said:
What is the output when you change the code line below

Code: 
console.log(instance);

to

Code: 
console.log(instance.method('get_name').invoke().content);
Click to expand...

Thank you so much for trying to help me!

I received an error with .content (Object is of type 'unknown'), so after removing that the output I received was:
"CountText" "Text" "CurServerText" "labBountyCount" "coord" "SelfNameLabel" "LevelLabel" "MarchTimeText" "MarchTimeText" "AddMarchText" "MarchNumText" <SNIP>

The code I used was:

import "frida-il2cpp-bridge"; Il2Cpp.perform(() => { const CoreModule = Il2Cpp.domain.assembly("UnityEngine.CoreModule").image; const Transform = CoreModule.class("UnityEngine.Transform"); const GameObject = CoreModule.class("UnityEngine.GameObject"); Il2Cpp.gc.choose(Transform).forEach((instance: Il2Cpp.Object) => { console.log(instance.method('get_name').invoke()); }); });
 
Upvote 0 Downvote
I started filtering on Transform's that have have the string Player in the parent, then returning the get_localPosition and get_name on those Transforms:

import "frida-il2cpp-bridge"; Il2Cpp.perform(() => { const CoreModule = Il2Cpp.domain.assembly("UnityEngine.CoreModule").image; const Transform = CoreModule.class("UnityEngine.Transform"); const GameObject = CoreModule.class("UnityEngine.GameObject"); Il2Cpp.gc.choose(Transform).forEach((instance: Il2Cpp.Object) => { try{ const GetParent = instance.method('get_parent').invoke(); const GetName = instance.method('get_name').invoke(); if (String(GetParent).includes('Player')) { console.log(GetName + ', Position: ' + instance.method('get_localPosition').invoke()); } } catch {} }); });

This is the output:


My thought process was to try to get any text associated with the Transform's, like "PlayerName" and such. I just don't know how to do this!

My goal is to get a list of player names and coordinates in the game, this is the closest that I've gotten though!
 
Upvote 0 Downvote
What game is this?

It sounds like you are tackling it from the perspective of Unity Engine's GameObjects but...
decompile said:
My goal is to get a list of player names and coordinates in the game, this is the closest that I've gotten though!
Click to expand...
...this makes it sound like a multiplayer game? Its very likely and usually is the case that the game will have some kind of Entity/Player/Enemy class, unless you are targeting standard Unity GameObjects for a specific reason it would be helpful to know what game you are targeting to provide more relevant info.
 
Upvote 0 Downvote
Backshift said:
What game is this?
Click to expand...

This is Top Heroes! After the beginner tutorial, some building upgrades/castle upgrades, the map becomes unlocked! When you go to the map, players are scattered all over with their bases like this (you can click their base and see their X and Y coordinates, name, level, guild, etc.):

And the map is quite big, when you zoom out a little bit you see little house icons of enemy (red) and friendly (blue) bases:



It's a multiplayer game! I've been at this for weeks (I've had some help along the way though!). Thank you so much for reaching out, I would love any help. The only goal is to get player names and coordinates, I just can't seem to figure it out!
 
Upvote 0 Downvote
Ok, just had a look

il2cpp doesnt seem actually have much in it, this game is also has mono binaries in the libs directory, if you open the APK and go into assets/Assemblies ther are files with .mdl extension.
The main game code looks to be ScriptProj.mdl which is why I highlighted it. These files are actually mono dll's like old school unity games used before il2cpp was a thing, the first two bytes of the file in hex is invalid... it should be MZ (4D 5A in hex) but they all have different bytes in there.

If you fix the first 2 bytes in a hex editor by changing them to MZ, you can then load them in dnSpy (atleast it works for ScriptProj.mdl) where you can see ALL the code like old school unity games.
I havent personally seen games using this ever, literally all games on Unity Engine seem to just be standard il2cpp now

Anyway this probably explains why il2cpp isnt yielding great results, you should be able to edit the C# code in this file then revert the first 2 bytes back to what it was (ScriptProj.mdl originally has the first 2 bytes set to 43 54 instead of the expected 4D 5A) and replace the file in that folder and reinstall the apk... if the game isnt protected/checking this stuff its possible the game will load your modified code.

My first assumption on the process would be:
- Extract ScriptProj.mdl
- Edit header from 43 54 to 4D 5A
- Load in dnSpy, look around make some changes
- Edit header from 4D 5A back to 43 54
- Add file back to APK and test how the game reacts
 
Upvote 0 Downvote

Holy hell, how did you even know to do that lmao. You are absolutely brilliant. I'm going to have to give this a shot and poke around. I'm not quite sure what modifying would do to help, but that's probably because I am a noob haha.
 
Upvote 0 Downvote
I'm going to sound even more noob in this, but is it possible to even attach/hook this? My caveman brain tried this (and it didn't work):

import "frida-il2cpp-bridge"; console.log("Frida loaded successfully"); Il2Cpp.perform(function(){ const AssemblyTarget = Il2Cpp.domain.assembly("ScriptProj").image const ClassTarget = AssemblyTarget.class( "WorldSkinMeta" ); Il2Cpp.trace(true).classes(ClassTarget).and().attach(); });

And as expected:
 
Upvote 0 Downvote
Oh yeah, frida-il2cpp-bridge can only target il2cpp, if you want to check them files you are gonna need to download dnSpyEx (GitHub - dnSpyEx/dnSpy: Unofficial revival of the well known .NET debugger and assembly editor, dnSpy), fix the file like I posted above and look the the code that way.

Also, what is your goal with the play info? To log it or display it on the world map or something else?
 
Upvote 0 Downvote

So in the game you get bullies that teleport to your base, attack you, then teleport and hide somewhere in the map. It can take like 20-30 minutes of manually scrolling around in the map to find them lol.

I'm trying to log the data! Not trying to do any kind of ESP or anything in-game. One thought was to collect all player coordinates every 2 minutes, then just filter those results for the player(s) needed.
 
Upvote 0 Downvote

Oh yeah! I'm already on it haha. I think I found the class of interest:
 
Upvote 0 Downvote
Backshift said:
Also, what is your goal with the play info? To log it or display it on the world map or something else?
Click to expand...

I'm trying to log the data! Not trying to do any kind of ESP or anything in-game. One thought was to collect all player coordinates every 2 minutes, then just filter those results for the player(s) needed. Is there any way to hook/inject into this without modifying the APK? Thank you again so much for your help!
 
Upvote 0 Downvote
You must log in or register to reply here.
Menu
Log in
Register