Il2cppHook

frida-based libil2cpp.so runtime parsing script

简体中文

Features

• Parse Unity's method m / class c / field f / instance lfs / lfp
• parse runtime method argument b / bt / nop function n / detachAll and clean cache D
• (Batch) Hook B/BF/BN for commonly used functions, modify function return value setFunctionXXX, setActive to set gameobject active
• Wrapped "Interceptor.attach" to make it easier to use from the command line A(ptr,(args)=>{},(ret)=>{})
• More convenient to find function findMethods / findClasses and call function callFunction / findExport to find exports function
• showMethodInfo help us to Simply get the details of an Il2cppMethod*, and getting the details of a game object useshowGameObject
• Object hierarchy PrintHierarchy / type hierarchy showTypeParent
• Disassemble showAsm with frida and method information, seeHexA means hexdump
• breakWithStack More symbol parsing for il2cpp, breakWithArgs just show args
• Commonly used Hook package HookOnPointerClick / HookSetActive / B_Button / HookPlayerPrefs soon ...
• Parse mount script showComponents alias PrintHierarchyWithComponents is also introduced !not alway work!
• JNI RegisterNatives Hook (impl in JNIHelper, default off [not stable]), using JNIHelper.cacheRegisterNativeItem to get info !testing!
• Using QBDI to simulate the execution of the function, using t(methoinfo) or traceFunction(mPtr) to enable replacement hook !testing!
• 😕 😕 😕

---

Install

$ npm install il2cpp-hooker -g

then you can use like this 👇

1. frida attch current app

$ fat

2. frida spawn app of ${PackageName}

$ fat ${PackageName}

3. Command line options

$ fat -h

        _ _  ______                        _                 _
        | | |(_____ \                      | |               | |
        | | |  ____) )____ ____  ____ _____| |__   ___   ___ | |  _ _____  ____
        | | | / ____// ___)  _ \|  _ (_____)  _ \ / _ \ / _ \| |_/ ) ___ |/ ___)
        | | || (____( (___| |_| | |_| |    | | | | |_| | |_| |  _ (| ____| |
        |_|_|\______)____)  __/|  __/     |_| |_|\___/ \___/|_| \_)_____)_|
                        |_|   |_|


Usage: fat [options] <package-name?>

Options:
  -h, --help                  Print usage information.
  -r, --runtime [engine]      Specify the JS engine (qjs, v8). Default: v8
  -t, --timeout [ms]          Specify the time in milliseconds before calling the function.
  -f, --functions [name]      Specify the functions to call on startup. example: -f getApkInfo();
  -l, --log [path]            Specify the path to save the log.
  -c, --vscode                Open project with vscode.
  -v, --version               Print version information.

Report bugs to:
   axhlzy <[email protected]> (https://github.com/axhlzy/Il2CppHookScripts/)

---

Compile

$ git clone https://github.com/axhlzy/Il2CppHookScripts.git
$ cd Il2cppHook/

$ npm install

$ npm run build & npm run compress
OR
$ npm run watch

$ frida -U -f com.xxx.xxx -l ../_Ufunc.js
OR
$ frida -FU -l ../_Ufunc.js

---

👇 Here's a simpler way to use it (Recommended)

frida --codeshare axhlzy/il2cpphookscripts -U -f ${PackageName}

Requires Scientific Internet Access

---

Note

The npm package may not be updated in time, so you may consider using fat -c to open the project and use the github action Artifacts to replace _Ufunc.js file. 😯

---

API

More details

OR

open with vscode and search globalthis. to find more useage

---

Buy the author a cup of coffee (^_^)