auto BattleUserServantDataClass = LoadClass(OBFUSCATE_BNM(""),OBFUSCATE_BNM("BattleUserServantData"));
BNM::HOOK(BattleUserServantDataClass.GetMethodByName(OBFUSCATE_BNM("getClassPassive")), getClassPassive, old_getClassPassive);
The game is Fate/Grand Order (Japanese version) ver. 2.85.2 (but I think the ENG version has the same issue with the same method).
What the method looks like in dnSpy:
I have about 30 other hooks for this game yet only this one crashes. On top of which the game crashes before even reaching/printing the LOGD line...
Does anyone know what is wrong and how I can overcome this?
Just had a look in IDA at this function, it looks like its too small, check the spoiler for the screenshot
getClassPassive() is at 0x1546698, but its only 8 bytes (00 D4 40 F9 C0 03 5F D6]), the next function starts right after it and is GetSelfSkillArray() at 0x15466A0.
Hooking usually requires 8 bytes ALTEAST, it can also require more, which would mean getClassPassive is to small to fit the hook.
I logged the bytes starting from getClassPassive(), using a very quickly made function and using Dobby Hook:
C++:
void LogMemory(uintptr_t address, int numInstructions)
{
int bytesToRead = numInstructions * 4;
std::vector<uintptr_t> byteVec = {};
LOGD("========== START ==========");
LOGD("");
LOGD("> getClassPassive <");
for (int i = 0; i <= bytesToRead; i++)
{
if (i > 0 && (i % 4) == 0)
{
char bytes[128];
sprintf(bytes, "0x%01x\t0x%01x\t0x%01x\t0x%01x", *(char*)byteVec[0], *(char*)byteVec[1], *(char*)byteVec[2], *(char*)byteVec[3]);
LOGD("Address: %p | Bytes: %s", (void*)(address-4), bytes);
byteVec.clear();
}
if (i == 8)
{
LOGD("");
LOGD("> GetSelfSkillArray < ");
}
byteVec.push_back(address);
address++;
}
LOGD("");
LOGD("=========== END ===========");
}
Just had a look in IDA at this function, it looks like its too small, check the spoiler for the screenshot
getClassPassive() is at 0x1546698, but its only 8 bytes (00 D4 40 F9 C0 03 5F D6]), the next function starts right after it and is GetSelfSkillArray() at 0x15466A0.
Hooking usually requires 8 bytes ALTEAST, it can also require more, which would mean getClassPassive is to small to fit the hook.
I logged the bytes starting from getClassPassive(), using a very quickly made function and using Dobby Hook:
C++:
void LogMemory(uintptr_t address, int numInstructions)
{
int bytesToRead = numInstructions * 4;
std::vector<uintptr_t> byteVec = {};
LOGD("========== START ==========");
LOGD("");
LOGD("> getClassPassive <");
for (int i = 0; i <= bytesToRead; i++)
{
if (i > 0 && (i % 4) == 0)
{
char bytes[128];
sprintf(bytes, "0x%01x\t0x%01x\t0x%01x\t0x%01x", *(char*)byteVec[0], *(char*)byteVec[1], *(char*)byteVec[2], *(char*)byteVec[3]);
LOGD("Address: %p | Bytes: %s", (void*)(address-4), bytes);
byteVec.clear();
}
if (i == 8)
{
LOGD("");
LOGD("> GetSelfSkillArray < ");
}
byteVec.push_back(address);
address++;
}
LOGD("");
LOGD("=========== END ===========");
}
Yeah, I would imagine its hooking framework dependent based on their implementation?,
BNM::HOOK calls through to Dobby from what I saw, which would make sense why it crashes in both since I used plain dobby and got 12 bytes written to an 8 byte function.
Frida staying within the bounds of the function would mean its ok too I would think, although you would need to get into a battle (based on the class/method names) to confirm that. Interesting frida stays within 8 bytes though.
Thank you legends for finding what the issue is! I don't suppose this will be the last 8 byte function that we'll encounter, so what are some methods to circumvent this problem? Any frameworks/libs that we know of that can have the option to squeeze the hook within 8 bytes?
Thank you legends for finding what the issue is! I don't suppose this will be the last 8 byte function that we'll encounter, so what are some methods to circumvent this problem? Any frameworks/libs that we know of that can have the option to squeeze the hook within 8 bytes?
Not that I know of personally, Frida appears to work as @mIsmanXP said above, although frida is amazing for testing to actually make a packaged mod apk its not the best, although it is possible.
Personally, I would look for alternative ways to get the data you want like @CodeJutsu said.
If you dont mind me asking, what was your goal with getClassPassive(), I might be able to suggest something if you can give me the goal you had in mind, totally up to you though.
I haven't had much luck in successfully creating a new monoArray and replacing the old one with the new one within an instance.
I have no problem in replacing/updating individual elements of the native int array, however the size of the array is predetermined by who the servant/character is.
So if I wanted to add a few more passives then I'll need a bigger array.
I've had luck in using BNM's method of creating a new array, and have a function that suppose to return the monoArray to return the array that I've made. e.g.
The code above works fine and I haven't had any crashes related to it.
However, if I were to try something like this in the BattleUserServantData:
C++:
BNM::Field<monoArray<int>*> BattleUserServantData_classPassive__Field{};
int (*old_getBattleSvtId)(void *instance);
int getBattleSvtId(void *instance) {
bool isMyServant;
// Some code around here to determine which are the characters/servants I'm looking for
if (isMyServant) {
monoArray<int> *classPassive = *BattleUserServantData_classPassive__Field[instance].GetPointer();
for (int i = 0; i < classPassive->GetCapacity(); i++){
LOGD("The Servants's classPassive: i: %d, v: %d", i, *classPassive->At(i));
}
monoArray<int> *myOwnArray = BNM::LoadClass(BNM::LoadClass(OBFUSCATE_BNM(""),OBFUSCATE_BNM("BattleUserServantData"))).NewArray<int>(3);
for (int i = 0; i < myOwnArray->GetCapacity(); i++) {
myOwnArray->Update(i, 2188000);
}
BattleUserServantData_classPassive__Field[instance].Set(myOwnArray);
monoArray<int> *classPassiveVerify = *BattleUserServantData_classPassive__Field[instance].GetPointer();
for (int i = 0; i < classPassiveVerify->GetCapacity(); i++){
LOGD("The Servants's classPassive UPDATED: i: %d, v: %d", i, *classPassiveVerify->At(i));
}
}
return old_getBattleSvtId(instance);
}
void OnLoaded_Hooks() {
auto BattleUserServantDataClass = LoadClass(OBFUSCATE_BNM(""),OBFUSCATE_BNM("BattleUserServantData"));
BattleUserServantData_classPassive__Field = BattleUserServantDataClass.GetFieldByName(OBFUSCATE_BNM("classPassive"));
}
Through classPassive, I'm able to see what was there before, and through classPassiveVerify what is there after I've updated the field.
However the game would crash before fully loading in the battle.
I'm currently assuming it is something to do with Unity's garbage collection that is causing it to crash perhaps?
I haven't had much luck in successfully creating a new monoArray and replacing the old one with the new one within an instance.
I have no problem in replacing/updating individual elements of the native int array, however the size of the array is predetermined by who the servant/character is.
So if I wanted to add a few more passives then I'll need a bigger array.
I've had luck in using BNM's method of creating a new array, and have a function that suppose to return the monoArray to return the array that I've made. e.g.
The code above works fine and I haven't had any crashes related to it.
However, if I were to try something like this in the BattleUserServantData:
C++:
BNM::Field<monoArray<int>*> BattleUserServantData_classPassive__Field{};
int (*old_getBattleSvtId)(void *instance);
int getBattleSvtId(void *instance) {
bool isMyServant;
// Some code around here to determine which are the characters/servants I'm looking for
if (isMyServant) {
monoArray<int> *classPassive = *BattleUserServantData_classPassive__Field[instance].GetPointer();
for (int i = 0; i < classPassive->GetCapacity(); i++){
LOGD("The Servants's classPassive: i: %d, v: %d", i, *classPassive->At(i));
}
monoArray<int> *myOwnArray = BNM::LoadClass(BNM::LoadClass(OBFUSCATE_BNM(""),OBFUSCATE_BNM("BattleUserServantData"))).NewArray<int>(3);
for (int i = 0; i < myOwnArray->GetCapacity(); i++) {
myOwnArray->Update(i, 2188000);
}
BattleUserServantData_classPassive__Field[instance].Set(myOwnArray);
monoArray<int> *classPassiveVerify = *BattleUserServantData_classPassive__Field[instance].GetPointer();
for (int i = 0; i < classPassiveVerify->GetCapacity(); i++){
LOGD("The Servants's classPassive UPDATED: i: %d, v: %d", i, *classPassiveVerify->At(i));
}
}
return old_getBattleSvtId(instance);
}
void OnLoaded_Hooks() {
auto BattleUserServantDataClass = LoadClass(OBFUSCATE_BNM(""),OBFUSCATE_BNM("BattleUserServantData"));
BattleUserServantData_classPassive__Field = BattleUserServantDataClass.GetFieldByName(OBFUSCATE_BNM("classPassive"));
}
Through classPassive, I'm able to see what was there before, and through classPassiveVerify what is there after I've updated the field.
However the game would crash before fully loading in the battle.
I'm currently assuming it is something to do with Unity's garbage collection that is causing it to crash perhaps?
I haven't had much luck in successfully creating a new monoArray and replacing the old one with the new one within an instance.
I have no problem in replacing/updating individual elements of the native int array, however the size of the array is predetermined by who the servant/character is.
So if I wanted to add a few more passives then I'll need a bigger array.
I've had luck in using BNM's method of creating a new array, and have a function that suppose to return the monoArray to return the array that I've made. e.g.
The code above works fine and I haven't had any crashes related to it.
However, if I were to try something like this in the BattleUserServantData:
C++:
BNM::Field<monoArray<int>*> BattleUserServantData_classPassive__Field{};
int (*old_getBattleSvtId)(void *instance);
int getBattleSvtId(void *instance) {
bool isMyServant;
// Some code around here to determine which are the characters/servants I'm looking for
if (isMyServant) {
monoArray<int> *classPassive = *BattleUserServantData_classPassive__Field[instance].GetPointer();
for (int i = 0; i < classPassive->GetCapacity(); i++){
LOGD("The Servants's classPassive: i: %d, v: %d", i, *classPassive->At(i));
}
monoArray<int> *myOwnArray = BNM::LoadClass(BNM::LoadClass(OBFUSCATE_BNM(""),OBFUSCATE_BNM("BattleUserServantData"))).NewArray<int>(3);
for (int i = 0; i < myOwnArray->GetCapacity(); i++) {
myOwnArray->Update(i, 2188000);
}
BattleUserServantData_classPassive__Field[instance].Set(myOwnArray);
monoArray<int> *classPassiveVerify = *BattleUserServantData_classPassive__Field[instance].GetPointer();
for (int i = 0; i < classPassiveVerify->GetCapacity(); i++){
LOGD("The Servants's classPassive UPDATED: i: %d, v: %d", i, *classPassiveVerify->At(i));
}
}
return old_getBattleSvtId(instance);
}
void OnLoaded_Hooks() {
auto BattleUserServantDataClass = LoadClass(OBFUSCATE_BNM(""),OBFUSCATE_BNM("BattleUserServantData"));
BattleUserServantData_classPassive__Field = BattleUserServantDataClass.GetFieldByName(OBFUSCATE_BNM("classPassive"));
}
Through classPassive, I'm able to see what was there before, and through classPassiveVerify what is there after I've updated the field.
However the game would crash before fully loading in the battle.
I'm currently assuming it is something to do with Unity's garbage collection that is causing it to crash perhaps?
Ok just had a look, here is the code I came up with:
C++:
install_hook_name(getBattleSvtId, int, BattleUserServantData_o* pThis)
{
bool isMyServant = true; // force it because I dont have the logic
// Some code around here to determine which are the characters/servants I'm looking for
if (isMyServant) {
monoArray<int> *passives = (monoArray<int>*)pThis->fields.classPassive;
for(int i = 0; i < passives->GetCapacity(); i++) {
if (*passives->At(i) == 2188000) {
LOGD("Char already has passive added!");
return orig_getBattleSvtId(pThis);
}
}
for(int i = 0; i < passives->GetCapacity(); i++)
LOGD("[BEFORE] The Servants's classPassive: i: %d, v: %d", i, *passives->At(i));
std::vector<int> newPassives = {};
for(int i = 0; i < passives->GetCapacity(); i++)
newPassives.push_back(passives->At(i));
newPassives.push_back(2188000);
pThis->fields.classPassive = (System_Int32_array*)monoArray<int>().Create(newPassives);
monoArray<int> *passivesVerify = (monoArray<int>*)pThis->fields.classPassive;
for(int i = 0; i < passivesVerify->GetCapacity(); i++)
LOGD("[AFTER] The Servants's classPassive: i: %d, v: %d", i, *passivesVerify->At(i));
}
return orig_getBattleSvtId(pThis);
}
First thing, I changed the void* instance, void* is just a raw address, il2cppdumper actually generates an il2cpp.h which can be massively useful, although I dont see anyone ever make use of it. including that header from FGO il2cppdumper you have access to all the games classes/fields etc as structs hence I changed it to BattleUserServantData_o* pThis which then allows me to do this:
Note that in il2cpp.h pThis->fields.classPassive is of type struct System_Int32_array * hence the cast to BNM's type for easy use.
Here is the output from the code above:
Code:
FGO_TEST: [BEFORE] The Servants's classPassive: i: 0, v: 34550
FGO_TEST: [BEFORE] The Servants's classPassive: i: 1, v: 88350
FGO_TEST: [AFTER] The Servants's classPassive: i: 0, v: 34550
FGO_TEST: [AFTER] The Servants's classPassive: i: 1, v: 88350
FGO_TEST: [AFTER] The Servants's classPassive: i: 2, v: 2188000
FGO_TEST: Char already has passive added!
FGO_TEST: [AFTER] The Servants's classPassive: i: 0, v: 2188000
FGO_TEST: Char already has passive added!
--------- beginning of crash
Yes, it does crash, although the first time it goes through it adds a 3rd passive [34550, 88350, 2188000], the next log though.. it never logs the before message only the after where it adds a single [2188000], I have a feeling this is the enemy since I dont have the code for IsMyServant? It may work fine for you with this issue if you are filtering to only your team?
The crash happens a few seconds after the final message is logged FGO_TEST: Char already has passive added! and the backtrace for the crash doesnt mention my ELF binary at all, so it makes me wonder if the crash is potentially related to the last last log for the single passive being added to what I assume is the enemy is then confusing the game state later on in il2cpp.so since the enemy maybe isnt supposed to have this passive? or any passives at all? No idea since I never actually played FGO. Anyway here is the crashlog:
Code:
backtrace:
#00 pc 0000000000cbc91c libil2cpp.so
#01 pc 0000000000cbc850 libil2cpp.so
#02 pc 0000000000cbc4b8 libil2cpp.so
#03 pc 0000000000cbc6f8 libil2cpp.so
#04 pc 0000000000cbc4b8 libil2cpp.so
#05 pc 0000000000cbc75c libil2cpp.so
#06 pc 0000000000cbc4b8 libil2cpp.so
#07 pc 0000000000cbc6f8 libil2cpp.so
#08 pc 0000000000cbc4b8 libil2cpp.so
#09 pc 0000000000cbc75c libil2cpp.so
#10 pc 0000000000cbc4b8 libil2cpp.so
#11 pc 0000000000cbc6f8 libil2cpp.so
#12 pc 0000000000cbc4b8 libil2cpp.so
#13 pc 0000000000cbc75c libil2cpp.so
#14 pc 0000000000cbc4b8 libil2cpp.so
#15 pc 0000000000cbcf48 libil2cpp.so
#16 pc 00000000002a0258 libunity.so
#17 pc 00000000002adf00 libunity.so
#18 pc 00000000002ad194 libunity.so
#19 pc 00000000002adaf4 libunity.so
#20 pc 00000000002a15b4 libunity.so
#21 pc 00000000002a15e8 libunity.so
#22 pc 00000000002a182c libunity.so
#23 pc 00000000003bf37c libunity.so
#24 pc 00000000003d51c4 libunity.so
#25 pc 00000000000448fc base.odex
I'm 99.99% sure that 2188000 is a passive that can be added to enemies as well.
Here's my version of the crash log:
at libil2cpp.0xcbc90c(Native Method)
at libil2cpp.0xcbc6d0(Native Method)
at libil2cpp.0xcbc4b8(Native Method)
at libil2cpp.0xcbc6f8(Native Method)
at libil2cpp.0xcbc4b8(Native Method)
at libil2cpp.0xcbc75c(Native Method)
at libil2cpp.0xcbc4b8(Native Method)
at libil2cpp.0xcbc6f8(Native Method)
at libil2cpp.0xcbc4b8(Native Method)
at libil2cpp.0xcbc75c(Native Method)
at libil2cpp.0xcbc4b8(Native Method)
at libil2cpp.0xcbc6f8(Native Method)
at libil2cpp.0xcbc4b8(Native Method)
at libil2cpp.0xcbc75c(Native Method)
at libil2cpp.0xcbc4b8(Native Method)
at libil2cpp.0xcbcf48(Native Method)
at libunity.0x2a0258(Native Method)
at libunity.0x2adf00(Native Method)
at libunity.0x2ad194(Native Method)
at libunity.0x2adaf4(Native Method)
at libunity.0x2a15b4(Native Method)
at libunity.0x2a15e8(Native Method)
at libunity.0x2a182c(Native Method)
at libunity.0x3bf37c(Native Method)
at libunity.0x3d51c4(Native Method)
at base.0x4bbb4(Native Method)
