vfsfitvnm / frida-il2cpp-bridge

A Frida module to dump, trace or hijack any Il2Cpp application at runtime, without needing the global-metadata.dat file.

Home Page: https://github.com/vfsfitvnm/frida-il2cpp-bridge/wiki

Game has no il2cpp api exports

leonitousconforti opened this issue · comments

Hey there,

I've read similar issues like #300, #363, #400, and #427 about other games missing some of the required il2cpp api exports and how they solved it by disassembling, looking for the required exports, and then using the global IL2CPP_EXPORTS object to set the addresses.

In those other issues, it seemed to me like they weren't missing all the il2cpp exports. However, when I run this Frida script:

for (const module_ of Process.enumerateModules()) {
    for (const export_ of module_.enumerateExports()) {
        if (export_.name.includes("il2cpp")) {
            send(`${module_.name}!${export_.name} @ ${export_.address}`);
        }
    }
}

It prints no exports.

I've used tools like Il2CppDumper to dump exports and then loaded the generated Ghidra script into Ghidra, but it has no addresses with il2cpp in their names. I am just wondering, when I disassemble the game using Ghidra, what exactly am I looking for to find the il2cpp exports? Is there any hope of finding all the required il2cpp exports? Because it seems to me like they have all been stripped out. Have you encountered anything like this before?

Ok, in Ghidra I can see all the il2cpp API exports in the Exports folder of the symbol tree? How come my Frida script isn't able to see them though?

Personally, I have never encountered such a scenario, but I haven't been actively using (i.e. for a personal project) this library for more than two years, so my bag is quite empty I'm afraid.

I'm curious too to see how Ghidra can detect the exports; what happens if you use enumerateSymbols?

I just tried enumerateSymbols, and Frida crashes sometimes :(

My script:

const il2cppModule = Process.findModuleByName("libil2cpp.so")!;

for (const symbol_ of il2cppModule.enumerateSymbols()) {
    send(`${symbol_.name} @ ${symbol_.address}`);
}

send("aaaaahhhhhh");

sometimes it works:

Spawned `com.nimblebit.tinytower`. Resuming main thread!                
[Remote::com.nimblebit.tinytower ]-> message: {'type': 'send', 'payload': 'aaaaahhhhhh'} data: None

but as you can see it prints no symbols, and sometimes it crashes:

Process crashed: java.lang.Error: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***

***
FATAL EXCEPTION: UnityMain
Process: com.nimblebit.tinytower, PID: 6514
java.lang.Error: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Version '2020.3.38f1 (8f5fde82e2dc)', Build type 'Release', Scripting Backend 'il2cpp', CPU 'arm64-v8a'
Build fingerprint: 'Must use __system_property_read_callback() to read'
Revision: '0'
ABI: 'arm64'
Timestamp: 2023-11-20 17:27:53+0000
pid: 6514, tid: 6548, name: gum-js-loop  >>> com.nimblebit.tinytower <<<
uid: 10168
signal 4 (SIGILL), code -6 (SI_TKILL from pid -484203228, uid 28905), fault addr --------
    x0  000070ee28896460  x1  000000000000000a  x2  0000000000000000  x3  0000000000000000
    x4  000070ee28896b00  x5  fffffffffffffff9  x6  64616f6c79617022  x7  2264616f6c796170
    x8  433fffffffffffff  x9  0000000000000012  x10 000070e9e2b69f18  x11 000070e9e323a398
    x12 000000000000003d  x13 000070e9e32360d8  x14 0000000000000057  x15 0000000000000007
    x16 0000000000000001  x17 0000000000000000  x18 0000000000000000  x19 000070ee28896460
    x20 0000000000000000  x21 000070ee28896460  x22 0000000000000000  x23 000070e9e284950a
    x24 000070ee288e3aa0  x25 fffffffffffffff9  x26 000070ee28896b00  x27 0000000000000007
    x28 0000000000000001  x29 000070e9ddd1dc18
    sp  000070e9ddd1da80  lr  000070e9e323a430  pc  000070e9e323a524

backtrace:
      #00 pc 0000000000c2e524  /data/local/tmp/re.frida.server/frida-agent-arm64.so
      #01 pc 0000000000c2e3a4  /data/local/tmp/re.frida.server/frida-agent-arm64.so
      #02 pc 0000000000c390d0  /data/local/tmp/re.frida.server/frida-agent-arm64.so

        at frida-agent-arm64.0xc2e524(Native Method)
        at frida-agent-arm64.0xc2e3a4(Native Method)
        at frida-agent-arm64.0xc390d0(Native Method)
***
[Remote::com.nimblebit.tinytower ]->

Thank you for using Frida!
The script failed with exit code 1

The above means nothing to me; sometimes I get different errors if I rerun it, but I am clueless as to how to decipher it.

Never mind, I am able to get the script to run successfully now without crashing all the time, seemed to be an issue with my network connection. I can see a bunch of symbols using objdump too:

Just not sure why Frida can't see them.

Ok, a little more information to chew on. Here is the objdump command I used (I am using whichever objdump comes by default on macOS):

objdump -TC libil2cpp.so | grep "il2cpp_"

where -C is an alias for --demangle
and -T is an alias for --dynamic-syms

If I run objdump without -T it finds no symbols. I also tried nm (once again the default one that comes on macOS):

nm -D libil2cpp.so | grep il2cpp_

where -D is an alias for --dynamic

and once again, if I run nm without -D it finds no symbols.

I'm not familiar with dynamic symbol tables, but if I had to guess right now, Frida isn't able to see the dynamic symbols for some reason.
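
An added example, not part of the thread and not the project's own code: a Node.js helper that parses `nm -D` or `objdump -T` output of the kind discussed above and renders an `IL2CPP_EXPORTS` assignment with module-relative offsets. The helper names and the rendered object shape (each name mapped to a function returning `Il2Cpp.module.base.add(offset)`) are assumptions; check them against the bridge version in use.

```javascript
// Sample input: il2cpp_ lines as they appear in the thread's `nm -D` output,
// plus constructed lines (undefined import, non-il2cpp symbol) to show filtering.
const SAMPLE_NM = [
  "000000000064d040 T il2cpp_add_internal_call",
  "000000000064d048 T il2cpp_alloc",
  "000000000064cf38 T il2cpp_init",
  "                 U malloc",       // constructed: undefined, has no address
  "0000000000123450 T JNI_OnLoad",   // constructed: defined, but not il2cpp
].join("\n");

// One symbol in `objdump -T` layout (same address as its nm line in the thread).
const SAMPLE_OBJDUMP =
  "000000000064d9e0 g    DF .text\t0000000000000004              il2cpp_method_get_param";

// Parse one line of `nm -D` ("<addr> <type> <name>") or `objdump -T`
// ("<addr> <flags...> <section> <size> [version] <name>") output.
// Returns { name, offset } for symbols defined as code, otherwise null.
function parseSymbolLine(line) {
  const tokens = line.trim().split(/\s+/);
  if (tokens.length < 3 || !/^[0-9a-fA-F]{8,16}$/.test(tokens[0])) return null;

  const name = tokens[tokens.length - 1];
  let isCode;
  if (tokens.length === 3 && /^[A-Za-z]$/.test(tokens[1])) {
    // nm: T/t = text section, W = weak but defined
    isCode = /^[TtW]$/.test(tokens[1]);
  } else {
    // objdump: the section token starts with "." (or "*" for *UND*, *ABS*)
    const sectionIdx = tokens.findIndex((t, i) => i > 0 && /^[.*]/.test(t));
    if (sectionIdx < 0) return null;
    const flags = tokens.slice(1, sectionIdx).join("");
    isCode = flags.includes("F") && tokens[sectionIdx] !== "*UND*";
  }

  // BigInt avoids precision loss on full 64-bit values.
  const value = BigInt("0x" + tokens[0]);
  if (!isCode || value === 0n) return null;

  // For a shared object the symbol value is relative to the load base,
  // so the runtime address is module base + offset.
  return { name, offset: "0x" + value.toString(16) };
}

// Collect name -> offset for symbols starting with `prefix`.
function collectExports(text, prefix = "il2cpp_") {
  const found = new Map();
  for (const line of text.split(/\r?\n/)) {
    const sym = parseSymbolLine(line);
    if (!sym || !sym.name.startsWith(prefix)) continue;

    // Names come from the binary under analysis: only plain identifiers are
    // allowed through, because they are interpolated into generated source.
    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(sym.name)) continue;

    const seen = found.get(sym.name);
    if (seen !== undefined && seen !== sym.offset) {
      throw new Error(`conflicting offsets for ${sym.name}: ${seen} vs ${sym.offset}`);
    }
    found.set(sym.name, sym.offset);
  }
  return found;
}

// Render the assignment to paste at the top of the Frida script.
// Assumed shape: IL2CPP_EXPORTS maps each API name to a function returning
// a NativePointer computed from the libil2cpp.so base address.
function renderExports(found) {
  const names = [...found.keys()].sort();
  const body = names.map(
    (n) => `  ${n}: () => Il2Cpp.module.base.add(${found.get(n)}),`
  );
  return ["globalThis.IL2CPP_EXPORTS = {", ...body, "};"].join("\n");
}

console.log(renderExports(collectExports(SAMPLE_NM + "\n" + SAMPLE_OBJDUMP)));
```

Feed it the full tool output for the exact `libil2cpp.so` build loaded in the process; offsets from a different build of the library will point at the wrong code.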

Ok, I've gotten something working again. I copied and pasted the output of

nm -D libil2cpp.so | grep il2cpp_
000000000064d040 T il2cpp_add_internal_call
000000000064d048 T il2cpp_alloc
000000000064d9a8 T il2cpp_allocation_granularity
000000000064d050 T il2cpp_array_class_get
000000000064d070 T il2cpp_array_element_size
000000000064d058 T il2cpp_array_get_byte_length
000000000064d054 T il2cpp_array_length
000000000064d05c T il2cpp_array_new
000000000064d064 T il2cpp_array_new_full
000000000064d060 T il2cpp_array_new_specific
000000000064d990 T il2cpp_array_object_header_size
000000000064d074 T il2cpp_assembly_get_image
000000000064d068 T il2cpp_bounded_array_class_get
000000000064dd28 T il2cpp_capture_memory_snapshot
000000000064d0fc T il2cpp_class_array_element_size
000000000064d078 T il2cpp_class_enum_basetype
000000000064dda0 T il2cpp_class_for_each
000000000064d098 T il2cpp_class_from_il2cpp_type
000000000064d0a0 T il2cpp_class_from_name
000000000064d07c T il2cpp_class_from_system_type
000000000064d100 T il2cpp_class_from_type
000000000064d124 T il2cpp_class_get_assemblyname
000000000064d144 T il2cpp_class_get_bitmap
000000000064d140 T il2cpp_class_get_bitmap_size
000000000064d130 T il2cpp_class_get_data_size
000000000064d0d8 T il2cpp_class_get_declaring_type
000000000064d0a4 T il2cpp_class_get_element_class
000000000064d0a8 T il2cpp_class_get_events
000000000064d0c0 T il2cpp_class_get_field_from_name
000000000064d0ac T il2cpp_class_get_fields
000000000064d0f0 T il2cpp_class_get_flags
000000000064d120 T il2cpp_class_get_image
000000000064d0b4 T il2cpp_class_get_interfaces
000000000064d0c8 T il2cpp_class_get_method_from_name
000000000064d0c4 T il2cpp_class_get_methods
000000000064d0cc T il2cpp_class_get_name
000000000064d0d0 T il2cpp_class_get_namespace
000000000064d0b0 T il2cpp_class_get_nested_types
000000000064d0d4 T il2cpp_class_get_parent
000000000064d0b8 T il2cpp_class_get_properties
000000000064d0bc T il2cpp_class_get_property_from_name
000000000064d128 T il2cpp_class_get_rank
000000000064d138 T il2cpp_class_get_static_field_data
000000000064d108 T il2cpp_class_get_type
000000000064d10c T il2cpp_class_get_type_token
000000000064dd98 T il2cpp_class_get_userdata_offset
000000000064d114 T il2cpp_class_has_attribute
000000000064d094 T il2cpp_class_has_parent
000000000064d118 T il2cpp_class_has_references
000000000064d0dc T il2cpp_class_instance_size
000000000064d0f4 T il2cpp_class_is_abstract
000000000064d088 T il2cpp_class_is_assignable_from
000000000064d0e8 T il2cpp_class_is_blittable
000000000064d11c T il2cpp_class_is_enum
000000000064d080 T il2cpp_class_is_generic
000000000064d084 T il2cpp_class_is_inflated
000000000064d0f8 T il2cpp_class_is_interface
000000000064d08c T il2cpp_class_is_subclass_of
000000000064d0e4 T il2cpp_class_is_valuetype
000000000064d0e0 T il2cpp_class_num_fields
000000000064dd90 T il2cpp_class_set_userdata
000000000064d0ec T il2cpp_class_value_size
000000000064db3c T il2cpp_current_thread_get_frame_at
000000000064db44 T il2cpp_current_thread_get_stack_depth
000000000064db2c T il2cpp_current_thread_get_top_frame
000000000064db24 T il2cpp_current_thread_walk_frame_stack
000000000064dd78 T il2cpp_custom_attrs_construct
000000000064dd7c T il2cpp_custom_attrs_free
000000000064dd4c T il2cpp_custom_attrs_from_class
000000000064dd5c T il2cpp_custom_attrs_from_method
000000000064dd74 T il2cpp_custom_attrs_get_attr
000000000064dd70 T il2cpp_custom_attrs_has_attr
000000000064dd44 T il2cpp_debug_get_method_info
000000000064dd38 T il2cpp_debugger_set_agent_options
000000000064d698 T il2cpp_domain_assembly_open
000000000064d694 T il2cpp_domain_get
000000000064d6a0 T il2cpp_domain_get_assemblies
000000000064d6e4 T il2cpp_exception_from_name_msg
000000000064d88c T il2cpp_field_get_flags
000000000064d888 T il2cpp_field_get_name
000000000064d894 T il2cpp_field_get_offset
000000000064d890 T il2cpp_field_get_parent
000000000064d898 T il2cpp_field_get_type
000000000064d89c T il2cpp_field_get_value
000000000064d8a0 T il2cpp_field_get_value_object
000000000064d8a4 T il2cpp_field_has_attribute
000000000064d8b8 T il2cpp_field_is_literal
000000000064d8a8 T il2cpp_field_set_value
000000000064d8ac T il2cpp_field_set_value_object
000000000064d8b0 T il2cpp_field_static_get_value
000000000064d8b4 T il2cpp_field_static_set_value
000000000064d6ec T il2cpp_format_exception
000000000064d758 T il2cpp_format_stack_trace
000000000064d04c T il2cpp_free
000000000064dd2c T il2cpp_free_captured_memory_snapshot
000000000064d8c8 T il2cpp_gc_collect
000000000064d8cc T il2cpp_gc_collect_a_little
000000000064d8d8 T il2cpp_gc_disable
000000000064d8d4 T il2cpp_gc_enable
000000000064d8f8 T il2cpp_gc_foreach_heap
000000000064d8f4 T il2cpp_gc_get_heap_size
000000000064d8e8 T il2cpp_gc_get_max_time_slice_ns
000000000064d8f0 T il2cpp_gc_get_used_size
000000000064d974 T il2cpp_gc_has_strict_wbarriers
000000000064d8dc T il2cpp_gc_is_disabled
000000000064d8e4 T il2cpp_gc_is_incremental
000000000064d97c T il2cpp_gc_set_external_allocation_tracker
000000000064d980 T il2cpp_gc_set_external_wbarrier_tracker
000000000064d8ec T il2cpp_gc_set_max_time_slice_ns
000000000064d8e0 T il2cpp_gc_set_mode
000000000064d8d0 T il2cpp_gc_start_incremental_collection
000000000064d96c T il2cpp_gc_wbarrier_set_field
000000000064d940 T il2cpp_gchandle_foreach_get_target
000000000064d984 T il2cpp_gchandle_free
000000000064d93c T il2cpp_gchandle_get_target
000000000064d92c T il2cpp_gchandle_new
000000000064d934 T il2cpp_gchandle_new_weakref
000000000064d03c T il2cpp_get_corlib
000000000064d6e8 T il2cpp_get_exception_argument_null
000000000064dcfc T il2cpp_image_get_assembly
000000000064dd24 T il2cpp_image_get_class
000000000064dd0c T il2cpp_image_get_class_count
000000000064dd08 T il2cpp_image_get_entry_point
000000000064dd04 T il2cpp_image_get_filename
000000000064dd00 T il2cpp_image_get_name
000000000064cf38 T il2cpp_init
000000000064cf70 T il2cpp_init_utf16
000000000064dd3c T il2cpp_is_debugger_attached
000000000064db20 T il2cpp_is_vm_thread
000000000064d9e4 T il2cpp_method_get_class
000000000064d9ec T il2cpp_method_get_declaring_type
000000000064d9f0 T il2cpp_method_get_flags
000000000064d9c4 T il2cpp_method_get_from_reflection
000000000064d9cc T il2cpp_method_get_name
000000000064d9c8 T il2cpp_method_get_object
000000000064d9e0 T il2cpp_method_get_param
000000000064d9dc T il2cpp_method_get_param_count
000000000064da28 T il2cpp_method_get_param_name
000000000064d9c0 T il2cpp_method_get_return_type
000000000064da24 T il2cpp_method_get_token
000000000064d9e8 T il2cpp_method_has_attribute
000000000064d9d0 T il2cpp_method_is_generic
000000000064d9d4 T il2cpp_method_is_inflated
000000000064d9d8 T il2cpp_method_is_instance
000000000064da94 T il2cpp_monitor_enter
000000000064da9c T il2cpp_monitor_exit
000000000064daa0 T il2cpp_monitor_pulse
000000000064daa4 T il2cpp_monitor_pulse_all
000000000064da98 T il2cpp_monitor_try_enter
000000000064daac T il2cpp_monitor_try_wait
000000000064daa8 T il2cpp_monitor_wait
000000000064d7c8 T il2cpp_native_stack_trace
000000000064da5c T il2cpp_object_get_class
000000000064da60 T il2cpp_object_get_size
000000000064da64 T il2cpp_object_get_virtual_method
000000000064d988 T il2cpp_object_header_size
000000000064da68 T il2cpp_object_new
000000000064da8c T il2cpp_object_unbox
000000000064d9a0 T il2cpp_offset_of_array_bounds_in_array_object_header
000000000064d998 T il2cpp_offset_of_array_length_in_array_object_header
000000000064db6c T il2cpp_override_stack_backtrace
000000000064da2c T il2cpp_profiler_install
000000000064da38 T il2cpp_profiler_install_allocation
000000000064da34 T il2cpp_profiler_install_enter_leave
000000000064da40 T il2cpp_profiler_install_fileio
000000000064da3c T il2cpp_profiler_install_gc
000000000064da44 T il2cpp_profiler_install_thread
000000000064da30 T il2cpp_profiler_set_events
000000000064da58 T il2cpp_property_get_flags
000000000064da4c T il2cpp_property_get_get_method
000000000064da48 T il2cpp_property_get_name
000000000064da54 T il2cpp_property_get_parent
000000000064da50 T il2cpp_property_get_set_method
000000000064d6d4 T il2cpp_raise_exception
000000000064dd40 T il2cpp_register_debugger_agent_transport
000000000064dd34 T il2cpp_register_log_callback
000000000064d044 T il2cpp_resolve_icall
000000000064dae0 T il2cpp_runtime_class_init
000000000064dac8 T il2cpp_runtime_invoke
000000000064dab0 T il2cpp_runtime_invoke_convert_args
000000000064dae4 T il2cpp_runtime_object_init
000000000064dae8 T il2cpp_runtime_object_init_exception
000000000064daec T il2cpp_runtime_unhandled_exception_policy_set
000000000064d010 T il2cpp_set_commandline_arguments
000000000064d020 T il2cpp_set_commandline_arguments_utf16
000000000064d034 T il2cpp_set_config
000000000064d004 T il2cpp_set_config_dir
000000000064d030 T il2cpp_set_config_utf16
000000000064d008 T il2cpp_set_data_dir
000000000064db68 T il2cpp_set_default_thread_affinity
000000000064dd30 T il2cpp_set_find_plugin_callback
000000000064d038 T il2cpp_set_memory_callbacks
000000000064d00c T il2cpp_set_temp_dir
000000000064d000 T il2cpp_shutdown
000000000064d928 T il2cpp_start_gc_world
000000000064d168 T il2cpp_stats_dump_to_file
000000000064d628 T il2cpp_stats_get_value
000000000064d924 T il2cpp_stop_gc_world
000000000064daf4 T il2cpp_string_chars
000000000064db08 T il2cpp_string_intern
000000000064db0c T il2cpp_string_is_interned
000000000064daf0 T il2cpp_string_length
000000000064daf8 T il2cpp_string_new
000000000064db04 T il2cpp_string_new_len
000000000064db00 T il2cpp_string_new_utf16
000000000064dafc T il2cpp_string_new_wrapper
000000000064db14 T il2cpp_thread_attach
000000000064db10 T il2cpp_thread_current
000000000064db18 T il2cpp_thread_detach
000000000064db1c T il2cpp_thread_get_all_attached_threads
000000000064db40 T il2cpp_thread_get_frame_at
000000000064db64 T il2cpp_thread_get_stack_depth
000000000064db38 T il2cpp_thread_get_top_frame
000000000064db28 T il2cpp_thread_walk_frame_stack
000000000064dcd8 T il2cpp_type_equals
000000000064dc20 T il2cpp_type_get_assembly_qualified_name
000000000064dcd0 T il2cpp_type_get_attrs
000000000064db78 T il2cpp_type_get_class_or_element_class
000000000064db7c T il2cpp_type_get_name
000000000064dd80 T il2cpp_type_get_name_chunked
000000000064db70 T il2cpp_type_get_object
000000000064db74 T il2cpp_type_get_type
000000000064dcc4 T il2cpp_type_is_byref
000000000064dce8 T il2cpp_type_is_pointer_type
000000000064dcdc T il2cpp_type_is_static
000000000064d7c4 T il2cpp_unhandled_exception
000000000064dd48 T il2cpp_unity_install_unitytls_interface
000000000064d9b0 T il2cpp_unity_liveness_calculation_begin
000000000064d9b4 T il2cpp_unity_liveness_calculation_end
000000000064d9b8 T il2cpp_unity_liveness_calculation_from_root
000000000064d9bc T il2cpp_unity_liveness_calculation_from_statics
000000000064da90 T il2cpp_value_box

into my frida script, used vscode multi cursor to edit every line at once and transform it into:

il2cpp_get_corlib: () => Il2Cpp.module.base.add(0x64d03c),

so my final frida script looked like:

import "frida-il2cpp-bridge";

declare global {
    let IL2CPP_EXPORTS: Record<string, () => NativePointer>;
}

(globalThis as any).IL2CPP_EXPORTS = {
    il2cpp_get_corlib: () => Il2Cpp.module.base.add(0x64d03c),
    // ... (one entry per il2cpp_* symbol from the nm output above)
};

Il2Cpp.perform(() => {
    send("aaaahhhhh");
});

and it works now. I still don't understand why frida can't see those exports though? I might keep investigating and open an issue over there because to me it seems like frida should be able to see them.

Nice job! Yes, you could open an issue on Frida's side 😄
Alternatively you could use an ELF reader (or whatever file format reader) and do the mapping at runtime. Closing since there's nothing I can do.
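
The multi-cursor edit described in the thread can also be done by a small script. The following is an added example, not code from the thread or from frida-il2cpp-bridge: it parses `nm`-style lines and emits `IL2CPP_EXPORTS` entries in the form shown in the post. The names `parseNm` and `renderExports` and the sample lines are made up for the illustration, and it assumes, as the post did, that the addresses `nm` prints are offsets from the module base.

```typescript
// Added example: generate IL2CPP_EXPORTS entries from `nm` output.
interface ExportEntry { name: string; offset: number; }

// Constructed input. The first three lines reuse the format and values of the
// listing in the thread; the last three are constructed edge cases.
const SAMPLE_NM = [
    "000000000064d03c T il2cpp_get_corlib",
    "000000000064cf38 T il2cpp_init",
    "000000000064db14 T il2cpp_thread_attach",
    "                 U malloc",                          // undefined: no address
    "0000000000a10000 D il2cpp_constructed_data_symbol",  // data, not code
    "000000000064e000 T constructed_other_function",      // not an il2cpp_ API
].join("\n");

function parseNm(text: string): ExportEntry[] {
    const entries: ExportEntry[] = [];
    const seen: { [name: string]: number } = {};
    for (const line of text.split(/\r?\n/)) {
        // Expected shape: "<hex address> <type letter> <symbol name>".
        const m = /^([0-9a-fA-F]+)\s+([A-Za-z])\s+(\S+)$/.exec(line.trim());
        if (m === null) continue;
        const addr = m[1] || "", type = m[2] || "", name = m[3] || "";
        if (type !== "T") continue;                  // global code symbols, as in the listing
        if (name.indexOf("il2cpp_") !== 0) continue;
        const offset = parseInt(addr, 16);
        if (offset > 9007199254740991) throw new Error("address too large for a JS number: " + line);
        const previous = seen[name];
        if (previous !== undefined && previous !== offset) {
            throw new Error("conflicting addresses for " + name);
        }
        if (previous === undefined) {
            seen[name] = offset;
            entries.push({ name: name, offset: offset });
        }
    }
    return entries;
}

// Assumption: nm's addresses are offsets from the loaded module's base,
// which is how the post above used them.
function renderExports(entries: ExportEntry[]): string {
    const lines: string[] = [];
    for (const e of entries) {
        lines.push("    " + e.name + ": () => Il2Cpp.module.base.add(0x" + e.offset.toString(16) + "),");
    }
    return "(globalThis as any).IL2CPP_EXPORTS = {\n" + lines.join("\n") + "\n};";
}

const GENERATED = renderExports(parseNm(SAMPLE_NM));
```

The text in `GENERATED` goes into the agent ahead of the `Il2Cpp.perform` call, in place of the hand-edited object.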