Edit memory on virtualApp at runtime

Question

Edit memory on virtualApp at runtime

Aghisna12 opened this issue 5 years ago · 10 comments

does this code work on virtualapp?

im used "/proc/pid/maps" (the pid is from running game inside virualApp)
I have tried it in virtualApp, getAbsoluteAddress = address(load_bias + offset libil2cpp) on maps is right. but in memWrite & memRead not in the appropriate address.

Thanks for this awesome source!

[UPDATE]
sorry, it turns out memcpy only writes in virtualApp only :)

Answer 1 · 2019-06-22T12:52:25.000Z

Did you check return value of libil2cpp base address?

Answer 2 · 2019-06-22T12:57:43.000Z

i'm trying do use self process. at "/proc/self/maps" on my virtual. without hook dlopen ( loadLibrary ) on target game process.
the Kitty only patch memory anddress on my virtual, not on lib game.

i dn't know to load Kitty on /proc/(target pid)/maps

sorry for my bad English

Answer 3 · 2019-06-22T13:03:22.000Z

You need to load the library in game process. Edit the apk or inject with ptrace.

Answer 4 · 2019-06-22T13:09:16.000Z

unlucky for me. my injector has fail to attach the target game with ptrace.
but another game it's success to inject my lib with my injector.
I though my tested game have anti ptrace. also my target game have signature checker on native for anti edit apk.
I will trying do hook target game class to call loadLibrary.

Answer 5 · 2019-06-22T13:17:24.000Z

Maybe there's work around with library preload instead of injection. I haven't tried it.

Answer 6 · 2019-06-22T13:21:16.000Z

umm. thanks...
but, ur Mono Toolkitten for root isn't open source.

Answer 7 · 2019-06-22T13:24:47.000Z

It uses ptrace to inject not very special.

Answer 8 · 2019-06-22T13:26:24.000Z

ok. thanks...

Answer 9 · 2020-05-26T03:19:59.000Z

VirtualApp Hooks dlopen for loading the libs. That is why all the libs loaded within besides libva++.so is not defined in /proc/pid/maps of the app.
https://github.com/asLody/VirtualApp/blob/master/VirtualApp/lib/src/main/jni/Foundation/IOUniformer.cpp
line 639
I noticed there is an void onSoLoaded(const char *name, void *handle) {} on line 78.
Maybe by modifying it to the following it could be used to get the base library's address.

void onSoLoaded(const char *name, void *handle)
{
    if (strstr(name, "lib name")) // libil2cpp.so
    {
        ...
    }
}

The handle parameter is the libraries base address. Look at lines 580 and 581, 590 and 591, and 601 and 602. The onSoLoaded function is used after each orig_dlopen.
MemoryPatcher does not allow you to use MemoryPatch or MemoryPatch::createWithHex with the base lib address already defined.
Maybe KittyMemory can include this? A MemoryPatch function that can use the handle base address as a parameter instead of the libraries name to find the base address itself itself?

void onSoLoaded(const char *name, void *handle)
{
    if (strstr(name, "lib name")) // libil2cpp.so
    {
        MemoryPatch mod = MemoryPatch(handle, 0x6A6144, "\x01\x00\xA0\xE3\x1E\xFF\x2F\xE1", 8);
        MemoryPatch mod2 = MemoryPatch::createWithHex(handle, 0x6A6144, "0100A0E31EFF2FE1");
        

    }
}

I haven't tested this so I am not sure if this will make everything work the way you want.
I've looked into this specific issue myself (The fact that libs used within VirtualApp don't appear in the processes /proc/pid/maps file). This is what I've come across.

Answer 10 · 2020-05-26T06:44:49.000Z

VirtualApp Hooks dlopen for loading the libs. That is why all the libs loaded within besides libva++.so is not defined in /proc/pid/maps of the app.
https://github.com/asLody/VirtualApp/blob/master/VirtualApp/lib/src/main/jni/Foundation/IOUniformer.cpp
line 639
I noticed there is an void onSoLoaded(const char *name, void *handle) {} on line 78.
Maybe by modifying it to the following it could be used to get the base library's address.
void onSoLoaded(const char *name, void *handle)
{
    if (strstr(name, "lib name")) // libil2cpp.so
    {
        ...
    }
}
The handle parameter is the libraries base address. Look at lines 580 and 581, 590 and 591, and 601 and 602. The onSoLoaded function is used after each orig_dlopen.
MemoryPatcher does not allow you to use MemoryPatch or MemoryPatch::createWithHex with the base lib address already defined.
Maybe KittyMemory can include this? A MemoryPatch function that can use the handle base address as a parameter instead of the libraries name to find the base address itself itself?
void onSoLoaded(const char *name, void *handle)
{
    if (strstr(name, "lib name")) // libil2cpp.so
    {
        MemoryPatch mod = MemoryPatch(handle, 0x6A6144, "\x01\x00\xA0\xE3\x1E\xFF\x2F\xE1", 8);
        MemoryPatch mod2 = MemoryPatch::createWithHex(handle, 0x6A6144, "0100A0E31EFF2FE1");
        

    }
}
I haven't tested this so I am not sure if this will make everything work the way you want.
I've looked into this specific issue myself (The fact that libs used within VirtualApp don't appear in the processes /proc/pid/maps file). This is what I've come across.

Il2cpp lib will load into game process maps not virtual app. You need to use /proc/gamepid/maps instead of self process, unless you are executing your code in game process.