Help! MSHookFunction is crashing my application

Kaorin333

Solid & Active Platinian
I already read the tutorials for hooking functions and also read some other guides on different platforms. I will also now create my own Unity Android game with il2cpp files to hook it without any possible protection. But I would start this topic anyway in case I miss something.

C++:
// Token: 0x06001047 RID: 4167 RVA: 0x00007278 File Offset: 0x00005478
    [Token(Token = "0x6000DE3")]
    [Address(RVA = "0xCDAB1C", Offset = "0xCDAB1C", VA = "0xCDAB1C")]
    public bool Build(int[] data)
    {
        return default(bool);
    }

C++:
// Includes the original snippet omitted
#include <cstdio>
#include <pthread.h>
#include <unistd.h>

// LOGI, isLibraryLoaded, findLibrary, getAbsoluteAddress, octo_hook and libName
// come from the hooking template this is built on. Per the post, octo_hook is
// MSHookFunction renamed; getAbsoluteAddress adds the RVA to the library base.

bool (*old_Function)(void *instance, int data[]);
bool Build(void *instance, int data[]) {
    // Check if instance is NULL to prevent crashes! If the instance object is NULL,
    // the call would effectively be NULL.Build(), which makes no sense.
    // The template also checks an example boolean here so the hack only acts when
    // enabled; otherwise it just calls the old method.
    if (instance != NULL) {
        // Your code here
    }

    LOGI("ACTION: X");
    return old_Function(instance, data);
}

// We run our patches in a new thread so our while loop doesn't block the process main thread
void *hack_thread(void *) {
    LOGI("I have been loaded. Mwuahahahaha");
    // Loop until our target library is found
    do {
        sleep(1);
    } while (!isLibraryLoaded(libName));
    LOGI("I found the il2cpp lib. Address is: %p", (void *)findLibrary(libName));
    LOGI("Hooking GameManager_LateUpdate"); // log text left over from the template; the target here is Build

    octo_hook((void *)getAbsoluteAddress(0xCDAB1C), (void *)Build, (void **)&old_Function);

    return NULL;
}

int main(int argc, char *argv[]) {
    pthread_t ptid;
    pthread_create(&ptid, NULL, hack_thread, NULL);

    while (1) {
        printf("waiting... \n");
        sleep(2);
    }
}

As to the application: it's not an app, it's just a native NDK build. But after starting the binary it gives me this output and kills itself.

Code:
06-14 11:43:58.751 28579 28582 I @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ TEST_MAIN: : I found the il2cpp lib. Address is: 0x77c84000
06-14 11:43:58.751 28579 28582 I @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ TEST_MAIN: : Hooking GameManager_LateUpdate
--------- beginning of crash
06-14 11:43:58.763 28579 28582 F libc    : Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7895eb1c in tid 28582 (main), pid 28579 (main)
06-14 11:43:58.853 28585 28585 E crash_dump32: unknown process state: t
06-14 11:43:58.863 28585 28585 I crash_dump32: obtaining output fd from tombstoned, type: kDebuggerdTombstone

My questions are: is there any protection I am missing, is it maybe because it's not a static method, or is it simply that I do something wrong? I also tested it with a lot of different methods of the dumped il2cpp (from the Zygisk dumper on rooted phones with the latest Magisk version), but all results end in the crash shown above.

Spec: I'm using MEmu Android 7.1.2 (Version 7.6.6)

Thank you for your time.

UPDATE*

I have now finished building my own game, where I tried to hook the Jump Update method.

C++:
    [Token(Token = "0x6000002")]
    [Address(RVA = "0x38DDD4", Offset = "0x38DDD4", VA = "0x38DDD4")]
    private void Update()
    {
    }

C++:
void (*old_Update)(void *instance);
void Update(void *instance) {
    if (instance != NULL) {
        // Your code here
    }

    LOGI("ACTION: X");
    old_Update(instance); // void method: call the original, nothing to return
}

// octo_hook is MSHookFunction, just renamed in the project; called from hack_thread as above
octo_hook((void *)getAbsoluteAddress(0x38DDD4), (void *)Update, (void **)&old_Update);

Code:
06-14 16:30:10.255  3228  3230 I @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ TEST_MAIN: : I have been loaded. Mwuahahahaha
06-14 16:30:11.258  3228  3230 I @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ TEST_MAIN: : I found the il2cpp lib. Address is: 0x6000000
06-14 16:30:11.259  3228  3230 I @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ TEST_MAIN: : Hooking GameManager_LateUpdate
06-14 16:30:11.259  3228  3230 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x638ddd4 in tid 3230 (main)
06-14 16:30:11.260    83    83 W         : debuggerd: handling request: pid=3228 uid=0 gid=0 tid=3230
06-14 16:30:11.260  3228  3230 F libc    : failed to resend signal during crash: Function not implemented
06-14 16:30:11.311  3232  3232 E DEBUG   : unexpected waitpid response: n=3230, status=00000000
06-14 16:30:11.311  3232  3232 E         : debuggerd: timed out waiting for signal
06-14 16:30:11.311   556   638 W NativeCrashListener: Couldn't find ProcessRecord for pid 3228
06-14 16:30:11.311  3232  3232 E         : AM eod write failed: Broken pipe
06-14 16:30:11.311  3232  3232 E         : debuggerd: ptrace detach from 3230 failed: No such process
06-14 16:30:11.311  3232  3232 E         : debuggerd: failed to kill process 3228: No such process
06-14 16:30:11.312    83    83 W         : debuggerd: resuming target 3228
06-14 16:30:11.312    83    83 E         : debuggerd: failed to send signal 18 to target: No such process

Any help would now be really nice.
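Added example, not code from the post or from the hooking template it uses. In both logs the fault address is exactly library base + RVA (0x77c84000 + 0xCDAB1C = 0x7895eb1c, 0x6000000 + 0x38DDD4 = 0x638ddd4) and the signal is SEGV_MAPERR, meaning the page the hook tries to patch is not mapped at all in the process doing the patching. The check below parses text in /proc/<pid>/maps format and reports whether an address is mapped and executable before anything is written there; the sample maps text, library path and base are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {        /* one entry of /proc/<pid>/maps: [start, end), perms, backing file */
    uintptr_t start, end;
    char perms[5];      /* e.g. "r-xp" */
    char path[128];     /* "" for anonymous mappings */
} map_entry_t;

/* Parse one line in /proc/<pid>/maps format; returns 1 on success, 0 otherwise. */
int parse_maps_line(const char *line, map_entry_t *e) {
    unsigned long s, en, off, ino;
    char dev[16];
    e->path[0] = '\0';
    int n = sscanf(line, "%lx-%lx %4s %lx %15s %lu %127s",
                   &s, &en, e->perms, &off, dev, &ino, e->path);
    if (n < 6) return 0;
    e->start = s; e->end = en;
    return 1;
}
/* Find the mapping containing addr in a maps text; 1 if mapped (entry in *out), else 0. */
int find_mapping(const char *maps_text, uintptr_t addr, map_entry_t *out) {
    char line[256];
    for (const char *p = maps_text; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len); line[len] = '\0';
        map_entry_t e;
        if (parse_maps_line(line, &e) && addr >= e.start && addr < e.end) {
            if (out) *out = e;
            return 1;
        }
        p = nl ? nl + 1 : p + len;
    }
    return 0;
}
/* 1 if addr lies in a mapping with execute permission (what any code patch target must be). */
int is_mapped_executable(const char *maps_text, uintptr_t addr) {
    map_entry_t e;
    return find_mapping(maps_text, addr, &e) && e.perms[2] == 'x';
}
/* RVA of a fault address relative to the library base, the number the dump reports. */
uintptr_t rva_of(uintptr_t lib_base, uintptr_t fault_addr) { return fault_addr - lib_base; }

/* Constructed sample (not from a real device): libil2cpp.so at the base seen in the first log. */
const char *SAMPLE_MAPS =
    "77c84000-78d00000 r-xp 00000000 fd:00 1234 /data/app/example/lib/arm/libil2cpp.so\n"
    "78d00000-78e00000 rw-p 0107c000 fd:00 1234 /data/app/example/lib/arm/libil2cpp.so\n";
```

Run on the real /proc/self/maps, a 0 from is_mapped_executable for the computed target is the SEGV_MAPERR from the logs caught before the write.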
 