I have a question about creating hooks for android games.Can I do this the same way as for a PC? Just by setting a pointer to a function, etc.? Why am I asking this? I would like to get the functions from the il2cpp export table and get the class address of my mobs.That is, first get my assembly and get the class of the game object from the desired assembly by name, so that later i can get its coordinates through transform.position, what is the best and easiest way to do this?
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
Help! il2pp hook(android hook)
- Thread starter Ccb0y
- Start date
Ieugejdudjdj
Platinian
Not exactly like on PC—but close. You can absolutely hook and read IL2CPP memory on Android, but there are a few key differences in how things are structured and how protections work.
---
Here’s what actually works (in practice):
1. You can’t just set function pointers like you would on Windows.
On Android, the code is running inside libil2cpp.so, which is loaded by the game at runtime. Function hooking usually goes through:
Inline patching (NOP/branch inject)
Symbol-based hooking (e.g. dlsym, ELF parsing)
Libraries like Substrate, Frida, or xHook
2. To get the address of a class:
First, dump libil2cpp.so and global-metadata.dat
Use Il2CppDumper to get:
Offsets of assemblies
Class names
Field names like position, transform, etc.
You then hook or call:
il2cpp_domain_get()
il2cpp_domain_get_assemblies()
il2cpp_class_from_name()
il2cpp_class_get_fields()
> But: in modern games, these are often stubbed or stripped. You may need to go deeper.
3. How to actually get transform.position:
Once you have the GameObject* or its class instance:
Transform* transform = GameObject->transform;
Vector3 position = transform->position;
You can hook Update() or LateUpdate(), and from there, walk into the GameObject's memory to fetch its position in real-time.
---
Best and Easiest Way (for real):
Use Frida for quick dynamic memory access if you don’t want to recompile mods
Use Il2CppInspector or Dumper + Ghidra if you want static analysis + direct memory patching
Hook UnityEngine methods like:
Transform::get_position()
GameObject::Find()
Or even just hook a MonoBehaviour::Update() and scan fields from there
> You won’t need full exports if you can get the class pointers directly using memory maps.
---
Here’s what actually works (in practice):
1. You can’t just set function pointers like you would on Windows.
On Android, the code is running inside libil2cpp.so, which is loaded by the game at runtime. Function hooking usually goes through:
Inline patching (NOP/branch inject)
Symbol-based hooking (e.g. dlsym, ELF parsing)
Libraries like Substrate, Frida, or xHook
2. To get the address of a class:
First, dump libil2cpp.so and global-metadata.dat
Use Il2CppDumper to get:
Offsets of assemblies
Class names
Field names like position, transform, etc.
You then hook or call:
il2cpp_domain_get()
il2cpp_domain_get_assemblies()
il2cpp_class_from_name()
il2cpp_class_get_fields()
> But: in modern games, these are often stubbed or stripped. You may need to go deeper.
3. How to actually get transform.position:
Once you have the GameObject* or its class instance:
Transform* transform = GameObject->transform;
Vector3 position = transform->position;
You can hook Update() or LateUpdate(), and from there, walk into the GameObject's memory to fetch its position in real-time.
---
Best and Easiest Way (for real):
Use Frida for quick dynamic memory access if you don’t want to recompile mods
Use Il2CppInspector or Dumper + Ghidra if you want static analysis + direct memory patching
Hook UnityEngine methods like:
Transform::get_position()
GameObject::Find()
Or even just hook a MonoBehaviour::Update() and scan fields from there
> You won’t need full exports if you can get the class pointers directly using memory maps.