Help! Get text associated with a GameObject

[decompile]

Hello all! I am using frida-il2cpp-bridge for an android game written in Unity/Mono. I am trying to figure out how to get the text associated with GameObjects (PlayerName, NameLabel, LevelLabel, etc.) that I can see using gc:


import "frida-il2cpp-bridge";
Il2Cpp.perform(() => {
const CoreModule = Il2Cpp.domain.assembly("UnityEngine.CoreModule").image;
const Transform = CoreModule.class("UnityEngine.Transform");
const GameObject = CoreModule.class("UnityEngine.GameObject");
Il2Cpp.gc.choose(Transform).forEach((instance: Il2Cpp.Object) => {
console.log(instance);
});
});


This gives me output such as:

chatTagName (UnityEngine.RectTransform)
TipsNum (UnityEngine.RectTransform)
Text (TMP) (UnityEngine.RectTransform)
CountText (UnityEngine.RectTransform)
PlayerName (UnityEngine.RectTransform)


I would like to get the text of something, such as PlayerName. From what I have learned, GameObject's should have a GetComponent that might do this, however, you need a type. I do not know the type to provide for these. Maybe there is another method to achieve this? Thank you!

 

[dewadw]

What is the output when you change the code line below

console.log(instance);

to

console.log(instance.method('get_name').invoke().content);

 

[decompile]

What is the output when you change the code line below

console.log(instance);

to

console.log(instance.method('get_name').invoke().content);

Thank you so much for trying to help me!

I received an error with .content (Object is of type 'unknown'), so after removing that the output I received was:
"CountText"
"Text"
"CurServerText"
"labBountyCount"
"coord"
"SelfNameLabel"
"LevelLabel"
"MarchTimeText"
"MarchTimeText"
"AddMarchText"
"MarchNumText"
<SNIP>

The code I used was:

import "frida-il2cpp-bridge";
Il2Cpp.perform(() => {
const CoreModule = Il2Cpp.domain.assembly("UnityEngine.CoreModule").image;
const Transform = CoreModule.class("UnityEngine.Transform");
const GameObject = CoreModule.class("UnityEngine.GameObject");
Il2Cpp.gc.choose(Transform).forEach((instance: Il2Cpp.Object) => {
console.log(instance.method('get_name').invoke());
});
});

 

[decompile]

I started filtering on Transform's that have have the string Player in the parent, then returning the get_localPosition and get_name on those Transforms:

import "frida-il2cpp-bridge";
Il2Cpp.perform(() => {
const CoreModule = Il2Cpp.domain.assembly("UnityEngine.CoreModule").image;
const Transform = CoreModule.class("UnityEngine.Transform");
const GameObject = CoreModule.class("UnityEngine.GameObject");
Il2Cpp.gc.choose(Transform).forEach((instance: Il2Cpp.Object) => {
try{
const GetParent = instance.method('get_parent').invoke();
const GetName = instance.method('get_name').invoke();
if (String(GetParent).includes('Player')) {
console.log(GetName + ', Position: ' + instance.method('get_localPosition').invoke());
}
} catch {}
});
});

This is the output:

My thought process was to try to get any text associated with the Transform's, like "PlayerName" and such. I just don't know how to do this!

My goal is to get a list of player names and coordinates in the game, this is the closest that I've gotten though!

 

[Backshift]

What game is this?

It sounds like you are tackling it from the perspective of Unity Engine's GameObjects but...

My goal is to get a list of player names and coordinates in the game, this is the closest that I've gotten though!

...this makes it sound like a multiplayer game? Its very likely and usually is the case that the game will have some kind of Entity/Player/Enemy class, unless you are targeting standard Unity GameObjects for a specific reason it would be helpful to know what game you are targeting to provide more relevant info.

 

[decompile]

What game is this?

This is Top Heroes! After the beginner tutorial, some building upgrades/castle upgrades, the map becomes unlocked! When you go to the map, players are scattered all over with their bases like this (you can click their base and see their X and Y coordinates, name, level, guild, etc.):

And the map is quite big, when you zoom out a little bit you see little house icons of enemy (red) and friendly (blue) bases:

...this makes it sound like a multiplayer game? Its very likely and usually is the case that the game will have some kind of Entity/Player/Enemy class, unless you are targeting standard Unity GameObjects for a specific reason it would be helpful to know what game you are targeting to provide more relevant info.

It's a multiplayer game! I've been at this for weeks (I've had some help along the way though!). Thank you so much for reaching out, I would love any help. The only goal is to get player names and coordinates, I just can't seem to figure it out!

 

[Backshift]

Ok, just had a look

il2cpp doesnt seem actually have much in it, this game is also has mono binaries in the libs directory, if you open the APK and go into assets/Assemblies ther are files with .mdl extension.

Spoiler: Assemblies

The main game code looks to be ScriptProj.mdl which is why I highlighted it. These files are actually mono dll's like old school unity games used before il2cpp was a thing, the first two bytes of the file in hex is invalid... it should be MZ (4D 5A in hex) but they all have different bytes in there.

Spoiler: Hex

If you fix the first 2 bytes in a hex editor by changing them to MZ, you can then load them in dnSpy (atleast it works for ScriptProj.mdl) where you can see ALL the code like old school unity games.

Spoiler: Example

I havent personally seen games using this ever, literally all games on Unity Engine seem to just be standard il2cpp now

Anyway this probably explains why il2cpp isnt yielding great results, you should be able to edit the C# code in this file then revert the first 2 bytes back to what it was (ScriptProj.mdl originally has the first 2 bytes set to 43 54 instead of the expected 4D 5A) and replace the file in that folder and reinstall the apk... if the game isnt protected/checking this stuff its possible the game will load your modified code.

My first assumption on the process would be:
- Extract ScriptProj.mdl
- Edit header from 43 54 to 4D 5A
- Load in dnSpy, look around make some changes
- Edit header from 4D 5A back to 43 54
- Add file back to APK and test how the game reacts

 

[decompile]

Ok, just had a look

il2cpp doesnt seem actually have much in it, this game is also has mono binaries in the libs directory, if you open the APK and go into assets/Assemblies ther are files with .mdl extension.

Spoiler: Assemblies

View attachment 632551

The main game code looks to be ScriptProj.mdl which is why I highlighted it. These files are actually mono dll's like old school unity games used before il2cpp was a thing, the first two bytes of the file in hex is invalid... it should be MZ (4D 5A in hex) but they all have different bytes in there.

Spoiler: Hex

View attachment 632552

If you fix the first 2 bytes in a hex editor by changing them to MZ, you can then load them in dnSpy (atleast it works for ScriptProj.mdl) where you can see ALL the code like old school unity games.

Spoiler: Example

View attachment 632553

I havent personally seen games using this ever, literally all games on Unity Engine seem to just be standard il2cpp now

Anyway this probably explains why il2cpp isnt yielding great results, you should be able to edit the C# code in this file then revert the first 2 bytes back to what it was (ScriptProj.mdl originally has the first 2 bytes set to 43 54 instead of the expected 4D 5A) and replace the file in that folder and reinstall the apk... if the game isnt protected/checking this stuff its possible the game will load your modified code.

My first assumption on the process would be:
- Extract ScriptProj.mdl
- Edit header from 43 54 to 4D 5A
- Load in dnSpy, look around make some changes
- Edit header from 4D 5A back to 43 54
- Add file back to APK and test how the game reacts

Holy hell, how did you even know to do that lmao. You are absolutely brilliant. I'm going to have to give this a shot and poke around. I'm not quite sure what modifying would do to help, but that's probably because I am a noob haha.

 

[decompile]

I'm going to sound even more noob in this, but is it possible to even attach/hook this? My caveman brain tried this (and it didn't work):

import "frida-il2cpp-bridge";
console.log("Frida loaded successfully");
Il2Cpp.perform(function(){
const AssemblyTarget = Il2Cpp.domain.assembly("ScriptProj").image
const ClassTarget = AssemblyTarget.class(
"WorldSkinMeta"
);
Il2Cpp.trace(true).classes(ClassTarget).and().attach();
});

And as expected:

 

[Backshift]

I'm going to sound even more noob in this, but is it possible to even attach/hook this? My caveman brain tried this (and it didn't work):

import "frida-il2cpp-bridge";
console.log("Frida loaded successfully");
Il2Cpp.perform(function(){
const AssemblyTarget = Il2Cpp.domain.assembly("ScriptProj").image
const ClassTarget = AssemblyTarget.class(
"WorldSkinMeta"
);
Il2Cpp.trace(true).classes(ClassTarget).and().attach();
});

And as expected:
View attachment 632554

Oh yeah, frida-il2cpp-bridge can only target il2cpp, if you want to check them files you are gonna need to download dnSpyEx (GitHub - dnSpyEx/dnSpy: Unofficial revival of the well known .NET debugger and assembly editor, dnSpy), fix the file like I posted above and look the the code that way.

Also, what is your goal with the play info? To log it or display it on the world map or something else?

 

[decompile]

Oh yeah, frida-il2cpp-bridge can only target il2cpp, if you want to check them files you are gonna need to download dnSpyEx (GitHub - dnSpyEx/dnSpy: Unofficial revival of the well known .NET debugger and assembly editor, dnSpy), fix the file like I posted above and look the the code that way.

Also, what is your goal with the play info? To log it or display it on the world map or something else?

So in the game you get bullies that teleport to your base, attack you, then teleport and hide somewhere in the map. It can take like 20-30 minutes of manually scrolling around in the map to find them lol.

I'm trying to log the data! Not trying to do any kind of ESP or anything in-game. One thought was to collect all player coordinates every 2 minutes, then just filter those results for the player(s) needed.

 

[decompile]

So in the game you get bullies that teleport to your base, attack you, then teleport and hide somewhere in the map. It can take like 20-30 minutes of manually scrolling around in the map to find them lol.

I'm trying to log the data! Not trying to do any kind of ESP or anything in-game. One thought was to collect all player coordinates every 2 minutes, then just filter those results for the player(s) needed.

Oh yeah, frida-il2cpp-bridge can only target il2cpp, if you want to check them files you are gonna need to download dnSpyEx (GitHub - dnSpyEx/dnSpy: Unofficial revival of the well known .NET debugger and assembly editor, dnSpy), fix the file like I posted above and look the the code that way.

Oh yeah! I'm already on it haha. I think I found the class of interest:

 

[decompile]

Also, what is your goal with the play info? To log it or display it on the world map or something else?

I'm trying to log the data! Not trying to do any kind of ESP or anything in-game. One thought was to collect all player coordinates every 2 minutes, then just filter those results for the player(s) needed. Is there any way to hook/inject into this without modifying the APK? Thank you again so much for your help!