Help! what's the proper way to call il2cpp function?

[mIsmanXP]

The application crashes upon invoking an IL2CPP function.

When utilizing the frida-il2cpp-bridge library, the provided code run smoothly:

    const uiWord = csImage.class("Game.UI.Word");
    const onKeySelect = uiWord.method("OnKeySelected");
    onKeySelect.implementation = function (key: any, after_input: boolean) {
        const getWord = this.method("GetWord");
        const result = getWord.invoke();
        console.log(result);
        return this.method(onKeySelect.name).invoke(key, after_input);
    };

On the C++ side, I store the instance of uiWord and later invoke the GetWord method. Attempting to call the GetWord method within the OnKeySelect function yields the same outcome – a crash:

//System.Void OnKeySelected(Game.UI.UIKey key, System.Boolean after_input); // 0x00d25414
void (*o_OnKeySelect)(void *uiWord, void *uiKey, bool afterInput);
void OnKeySelect(void *uiWord, void *uiKey, bool afterInput) {
    LOGD("OnKeySelect => %llx : %llx : %d", uiWord, uiKey, afterInput);
    uiwInstance = uiWord;
    return o_OnKeySelect(uiWord, uiKey, afterInput);
}
...

...
HOOK_LIB("libil2cpp.so", "0x1148F24", Initialize, o_Initialize);
HOOK_LIB("libil2cpp.so", "0xD25414", OnKeySelect, o_OnKeySelect);

setHints = (decltype(setHints)) getAbsoluteAddress(targetLibName, 0x01149a1c);
getWord = (decltype(getWord)) getAbsoluteAddress(targetLibName, 0x00d2661c);//System.String GetWord(); // 0x00d2661c


LOGD("getWord %llx", getWord);
...

...
     switch (featNum) {
        case 0: {
            LOGD("Trying to set hints to : %d", value); 
            if (hsInstance) {
                setHints(hsInstance, value); //works fine
            }
            break;
        }
        case 1: {

            if (uiwInstance) {
                LOGD("GETWORD");
                getWord(uiwInstance); //pauses briefly and then crashes
            }
            break;
        }
    }
...

i have confirmed the addresses, there's nothing wrong with it.
However, if, the game is launched through frida (with script provided by il2cpp-bridge), the game doesn't crash.

 

[mIsmanXP]

Any tips on how can i debug this?
Logs:

************* Crash Head ****************
Time Of Crash      : 2023_08_25-18_33_48
Device Manufacturer: Xiaomi
Device Model       : M2102J20SG
Android Version    : 13
Android SDK        : 33
App VersionName    : 1.8.1
App VersionCode    : 1020
************* Crash Head ****************

java.lang.Error: FATAL EXCEPTION [UnityMain]
Unity version     : 2021.3.16f1
Device model      : Xiaomi M2102J20SG
Device fingerprint: Xiaomi/vayu_global/vayu:13/RKQ1.200826.002/V14.0.1.0.TJUMIXM:user/release-keys
Build Type        : Release
Scripting Backend : IL2CPP
ABI               : arm64-v8a
Strip Engine Code : true

Caused by: java.lang.Error: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Version '2021.3.16f1 (4016570cf34f)', Build type 'Release', Scripting Backend 'il2cpp', CPU 'arm64-v8a'
Build fingerprint: 'Xiaomi/vayu_global/vayu:13/RKQ1.200826.002/V14.0.1.0.TJUMIXM:user/release-keys'
Revision: '0'
ABI: 'arm64'
Timestamp: 2023-08-25 18:33:47+0800
pid: 22689, tid: 22689, name: tapps.figgerits  >>> com.hitapps.figgerits <<<
uid: 10654
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x10
Cause: null pointer dereference
    x0  0000000000000000  x1  0000000000000000  x2  0000000000000000  x3  00000079dcaa4360
    x4  b400007d30bad260  x5  0000000000000000  x6  0000007ff4932da0  x7  0000000000000020
    x8  0000007e75bf1360  x9  0000007e75bf1040  x10 0000000000000001  x11 0000000000000001
    x12 0000000000000018  x13 0000000000000003  x14 0000000009546fc8  x15 d3f7ffffab428404
    x16 0000007d0df67a80  x17 0000007e6fb394d0  x18 0000007e763be000  x19 0000000000000000
    x20 0000007d0e12c4c0  x21 00000079dc9b8360  x22 0000007d3184d060  x23 0000007d0c971680
    x24 b400007d52031f90  x25 0000007ff4933110  x26 0000007ff4933138  x27 0000007ff4933110
    x28 0000007ff4933000  x29 0000007ff4932fe0
    sp  0000007ff4932ec0  lr  0000007d0b87c348  pc  0000007d0b87c348

backtrace:
      #00 pc 0000000000a78348  /data/app/~~mPOjTXZDUbVzZzcvNqOnZQ==/com.hitapps.figgerits-jHJtl_Fy_fj-9XvzNM0iXw==/lib/arm64/libil2cpp.so (BuildId: 15c8cf893593b6df8bac98fdfe4fda375d5ef247)
      #01 pc 0000000000d8ecd8  /data/app/~~mPOjTXZDUbVzZzcvNqOnZQ==/com.hitapps.figgerits-jHJtl_Fy_fj-9XvzNM0iXw==/lib/arm64/libil2cpp.so (BuildId: 15c8cf893593b6df8bac98fdfe4fda375d5ef247)
      #02 pc 0000000001d52c14  /data/app/~~mPOjTXZDUbVzZzcvNqOnZQ==/com.hitapps.figgerits-jHJtl_Fy_fj-9XvzNM0iXw==/lib/arm64/libil2cpp.so (BuildId: 15c8cf893593b6df8bac98fdfe4fda375d5ef247)
      #03 pc 0000000001b6d6ac  /data/app/~~mPOjTXZDUbVzZzcvNqOnZQ==/com.hitapps.figgerits-jHJtl_Fy_fj-9XvzNM0iXw==/lib/arm64/libil2cpp.so (BuildId: 15c8cf893593b6df8bac98fdfe4fda375d5ef247)
      #04 pc 000000000106f0e4  /data/app/~~mPOjTXZDUbVzZzcvNqOnZQ==/com.hitapps.figgerits-jHJtl_Fy_fj-9XvzNM0iXw==/lib/arm64/libil2cpp.so (BuildId: 15c8cf893593b6df8bac98fdfe4fda375d5ef247)
      #05 pc 0000000000d26744  /data/app/~~mPOjTXZDUbVzZzcvNqOnZQ==/com.hitapps.figgerits-jHJtl_Fy_fj-9XvzNM0iXw==/lib/arm64/libil2cpp.so (BuildId: 15c8cf893593b6df8bac98fdfe4fda375d5ef247)
      #06 pc 0000000000045fe4  /data/app/~~mPOjTXZDUbVzZzcvNqOnZQ==/com.hitapps.figgerits-jHJtl_Fy_fj-9XvzNM0iXw==/lib/arm64/libMyLibName.so (BuildId: 370da2bd0c195f704336074e615b405f51287481)
      #07 pc 000000000021a354  /apex/com.android.art/lib64/libart.so (art_quick_generic_jni_trampoline+148) (BuildId: 7e1910ae9094dcecc5b38413a79aa63a)
      #08 pc 0000000000209b68  /apex/com.android.art/lib64/libart.so (nterp_helper+2152) (BuildId: 7e1910ae9094dcecc5b38413a79aa63a)
      #09 pc 0000000000209334  /apex/com.android.art/lib64/libart.so (nterp_helper+52) (BuildId: 7e1910ae9094dcecc5b38413a79aa63a)
      #10 pc 000000000020b074  /apex/com.android.art/lib64/libart.so (nterp_helper+7540) (BuildId: 7e1910ae9094dcecc5b38413a79aa63a)
      #11 pc 000000000020a254  /apex/com.android.art/lib64/libart.so (nterp_helper+3924) (BuildId: 7e1910ae9094dcecc5b38413a79aa63a)
      #12 pc 000000000020a254  /apex/com.android.art/lib64/libart.so (nterp_helper+3924) (BuildId: 7e1910ae9094dcecc5b38413a79aa63a)
      #13 pc 0000000000209334  /apex/com.android.art/lib64/libart.so (nterp_helper+52) (BuildId: 7e1910ae9094dcecc5b38413a79aa63a)
      #14 pc 000000000020b074  /apex/com.android.art/lib64/libart.so (nterp_helper+7540) (BuildId: 7e1910ae9094dcecc5b38413a79aa63a)
      #15 pc 0000000000209334  /apex/com.android.art/lib64/libart.so (nterp_helper+52) (BuildId: 7e1910ae9094dcecc5b38413a79aa63a)
      #16 pc 0000000002020578  /memfd:jit-cache (deleted)

    at libil2cpp.0xa78348(Native Method)
    at libil2cpp.0xd8ecd8(Native Method)
    at libil2cpp.0x1d52c14(Native Method)
    at libil2cpp.0x1b6d6ac(Native Method)
    at libil2cpp.0x106f0e4(Native Method)
    at libil2cpp.0xd26744(Native Method)
    at libMyLibName.0x45fe4(Native Method)
    at libart.art_quick_generic_jni_trampoline(art_quick_generic_jni_trampoline:148)
    at libart.nterp_helper(nterp_helper:2152)
    at libart.nterp_helper(nterp_helper:52)
    at libart.nterp_helper(nterp_helper:7540)
    at libart.nterp_helper(nterp_helper:3924)
    at libart.nterp_helper(nterp_helper:3924)
    at libart.nterp_helper(nterp_helper:52)
    at libart.nterp_helper(nterp_helper:7540)
    at libart.nterp_helper(nterp_helper:52)
    at memfd:jit-cache (deleted).0x2020578(Native Method)

 

[mIsmanXP]

nvm, fixed it

 

[wawahuy]

Have you fixed it yet? I'm experiencing a similar issue when calling the method; I noticed it's calling the method with a nullptr for the MethodInfo *.

 

[wawahuy]

    BetButton_o* betButton_o = nullptr;
    uintptr_t BetButton___ctorOffset = 0x1A364DC;
    typedef void (*BetButton___ctorType)(BetButton_o* __this, const void* method);
    BetButton___ctorType BetButton___ctorOrigin;
    void BetButton___ctor(BetButton_o* __this, const void* method) {
        betButton_o = __this;
        BetButton___ctorOrigin(__this, method);
    }

And I call it:

if (betButton_o != nullptr) {
     BetButton__OnBetButtonClicked(betButton_o, nullptr);
}

And error:

signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x10
Cause: null pointer dereference



 

[mIsmanXP]

Have you fixed it yet? I'm experiencing a similar issue when calling the method; I noticed it's calling the method with a nullptr for the MethodInfo *.

what's the problem?
how are you calling it?

 

[mIsmanXP]

you might need to call il2cpp_thread_attach

 

[wawahuy]

you might need to call il2cpp_thread_attach

Tks. I'll give it a try.

 

[wawahuy]

you might need to call il2cpp_thread_attach

"il2cpp_thread_attach" can you give me more information about it? I don't know where it is located.

 

[wawahuy]

"il2cpp_thread_attach" can you give me more information about it? I don't know where it is located.

Sorry, I found it, works perfectly, thank you