/Il2CppHookScripts

frida-based libil2cpp.so runtime parsing script

Primary language: TypeScript. License: MIT.

Il2cppHook


Features

  • Parse Unity's method m / class c / field f / instance lfs / lfp
  • Parse runtime method arguments with b / bt, nop a function with n, detachAll and clean the cache with D
  • (Batch) hook commonly used functions with B / BF / BN, modify function return values with setFunctionXXX, and set a GameObject active with setActive
  • A wrapper around "Interceptor.attach" that is easier to use from the command line: A(ptr,(args)=>{},(ret)=>{})
  • Find functions more conveniently with findMethods / findClasses, call functions with callFunction, and find exported functions with findExport
  • showMethodInfo gives the details of an Il2cppMethod*; use showGameObject to get the details of a game object
  • Object hierarchy PrintHierarchy / type hierarchy showTypeParent
  • Disassemble with showAsm, using frida and method information; seeHexA is a hexdump
  • breakWithStack adds more symbol parsing for il2cpp; breakWithArgs just shows the args
  • Commonly used hook packages: HookOnPointerClick / HookSetActive / B_Button / HookPlayerPrefs, more soon ...
  • Parse mounted scripts with showComponents; the alias PrintHierarchyWithComponents is also provided (does not always work)
  • JNI RegisterNatives hook (implemented in JNIHelper, off by default [not stable]); use JNIHelper.cacheRegisterNativeItem to get info (testing)
  • Use QBDI to simulate execution of a function; use t(methoinfo) or traceFunction(mPtr) to enable the replacement hook (testing)
  • 😕 😕 😕

Install

$ npm install il2cpp-hooker -g

Then you can use it like this 👇

  1. frida attach to the current app
$ fat
  2. frida spawn the app of ${PackageName}
$ fat ${PackageName}
  3. Command line options
$ fat -h

        _ _  ______                        _                 _
        | | |(_____ \                      | |               | |
        | | |  ____) )____ ____  ____ _____| |__   ___   ___ | |  _ _____  ____
        | | | / ____// ___)  _ \|  _ (_____)  _ \ / _ \ / _ \| |_/ ) ___ |/ ___)
        | | || (____( (___| |_| | |_| |    | | | | |_| | |_| |  _ (| ____| |
        |_|_|\______)____)  __/|  __/     |_| |_|\___/ \___/|_| \_)_____)_|
                        |_|   |_|


Usage: fat [options] <package-name?>

Options:
  -h, --help                  Print usage information.
  -r, --runtime [engine]      Specify the JS engine (qjs, v8). Default: v8
  -t, --timeout [ms]          Specify the time in milliseconds before calling the function.
  -f, --functions [name]      Specify the functions to call on startup. example: -f getApkInfo();
  -l, --log [path]            Specify the path to save the log.
  -c, --vscode                Open project with vscode.
  -v, --version               Print version information.

Report bugs to:
   axhlzy <axhlzy@live.cn> (https://github.com/axhlzy/Il2CppHookScripts/)

Compile

$ git clone https://github.com/axhlzy/Il2CppHookScripts.git
$ cd Il2cppHook/

$ npm install

$ npm run build && npm run compress
OR
$ npm run watch

$ frida -U -f com.xxx.xxx -l ../_Ufunc.js
OR
$ frida -FU -l ../_Ufunc.js

👇 Here's a simpler way to use it (Recommended)

frida --codeshare axhlzy/il2cpphookscripts -U -f ${PackageName}

Requires network access to Frida CodeShare (a proxy may be needed on restricted networks)


Note

The npm package may not be updated in time, so consider using fat -c to open the project and replacing the _Ufunc.js file with the one from the GitHub Actions artifacts. 😯


API

More details

OR

Open the project with VS Code and search for globalthis. to find more usage

