shenmi

struct Il2CppClass_1 { void* image; void* gc_desc; const char* name; const char* namespaze; Il2CppType byval_arg; Il2CppType this_arg; Il2CppClass* element_class; Il2CppClass* castClass; Il2CppClass* declaringType; Il2CppClass* parent; void *generic_class; void* typeDefinition; void* interopData; Il2CppClass* klass; void* fields; void* events; void* properties; void* methods; Il2CppClass** nestedTypes; Il2CppClass** implementedInterfaces; Il2CppRuntimeInterfaceOffsetPair* interfaceOffsets; };

View File 64-hook field It can only be used for ARM64 games. It is produced and open sourced by shenmi. It hooks any field in the same class through a function that will be called by the game. hook-field.lua Submitter shenmi Submitted 09/18/2024 Category Tools  

Regarding the listening function on Gameguardian, my idea is to parse the symbol table of libil2cpp.so through the ELF file structure and parse out some il2cpp api functions in the native layer, such as il2cpp_method_get_name, and its ARM assembly segment is generally LDR X0, [X0,#0x18] ~A8 RET When many functions are called, the pointer of the function instance will be X0. When assembled by il2cpp_method_get_name, the function name string is read through the offset of 0x18. Then we modify the function flow. Since many called functions will execute the assembly of this API function, we can write a unique tag value and actively tag ourselves when the function passes by. Then we can monitor which functions are called by searching for this tag value. call LDR X10, [PC,#0xC] STR X10, [X0,#0x40] ~A8 RET 983466571 We use the LDR instruction to load the tag 983466571 into the useless register X10, and then use the STR instruction to write the tag value to 0x40 of X0 (the function pointer, which is also the first bit of the function structure). Then when the function is called, When this API is executed, it actively exposes itself by writing the STR mark so that I can monitor it. Of course, don’t forget to make up for it LDR X0, [X0,#0x18] ~A8 RET Otherwise it will cause the game to crash The above are some of Shenmi’s ideas, and the gglua tool with this function has been written and can be used.

View File Get all registers for ARM64 gglua 64-bit register debugging tool will obtain X0 to X31, S0 to S31, D0 to D31, a total of 93 register values for our debugging, shenmi production and open source sharing Note: The function that needs to obtain the register needs to be placed in the save list and checked. When those registers appear in the save list, please let the game start and call this function, then the value of the register will be output in your save list. 64-registersdebugging.lua Submitter shenmi Submitted 09/18/2024 Category Tools  

I guess this is simple since you can locate the method instance directly by the method name string without having to worry about dumping out the same offset