Happy Secret

iGameGod got a new feature - Dumping iOS Unity's global-metadata.dat from Memory/Runtime using iGameGod. 
Let me see if it helps or not

On 1/19/2023 at 10:46 PM, AlyssaX64 said:

It could be protected global metadata or unsupported unity version. 

Try frida-il2cpp-bridge module to dump the app at runtime instead:

https://github.com/vfsfitvnm/frida-il2cpp-bridge

Cool, does it support non-jailbroken iOS device? 
 

i only have non-jailbroken device 

Oh my God!!! This is really CRAZY nice feature!!!!!!!

See anything can learn 

Looking for tutorial

Hack found

@Aye Jayy

@faalshe

@S1MostHated

@Domon Mondo

Need some help. Not sure why consecutive two games hit this "System.InvalidOperationException: Sequence contains no matching element" message. 

1. Lamar-Idle Vlogger
2. Frozen City

Both use UnityFramework file and global-metadata.dat file as input to https://armconverter.com/il2cppdumper/

Below is the sample result for Lamar-Idle Vlogger

Task status for ID: 1a5f3f7f-cc14-43be-bbb5-02310e551ac3Edit and restart
Current status:  error-il2cppdumper-35

Starting il2cppdumper on 2023-01-19 13:27:25.709076

Initializing metadata...
Metadata Version: 29
Initializing il2cpp file...
Il2Cpp Version: 29
Searching...
System.InvalidOperationException: Sequence contains no matching element
  at System.Linq.Enumerable.First[TSource] (System.Collections.Generic.IEnumerable`1[T] source, System.Func`2[T,TResult] predicate) [0x00015] in <d22af090bceb4be792f53595cf074724>:0 
  at Il2CppDumper.Macho64.MapVATR (System.UInt64 addr) [0x0000d] in <db8182c1b351438a8097566295703173>:0 
  at Il2CppDumper.SectionHelper.FindMetadataRegistrationV21 () [0x00097] in <db8182c1b351438a8097566295703173>:0 
  at Il2CppDumper.SectionHelper.FindMetadataRegistration () [0x00035] in <db8182c1b351438a8097566295703173>:0 
  at Il2CppDumper.Macho64.PlusSearch (System.Int32 methodCount, System.Int32 typeDefinitionsCount, System.Int32 imageCount) [0x00011] in <db8182c1b351438a8097566295703173>:0 
  at Il2CppDumper.Program.Init (System.String il2cppPath, System.String metadataPath, Il2CppDumper.Metadata& metadata, Il2CppDumper.Il2Cpp& il2Cpp) [0x002f9] in <db8182c1b351438a8097566295703173>:0 
ERROR: An error occurred while processing.

Total time for il2cppdumper: 0:00:03.897344

========

Il2cppdumper did not produce any files. Probably something is wrong with the executable or metadata?

Is it I am missing some important skill or knowledge ?

Both game are under Hack Request, trying to see if I can find a solution. Unfortunately, blocked by this.

Not sure why, I can’t even sideload the decrypted version with Sideloadly. Game crash on opening.

Also, the metadata file looks like included quite some foul language. IL2CPP dumping failed as well.

Dont even know how to get started, sorry can’t help. 

Completely dead ended for live hook on non-jailbroken.

Tried 

1. Interceptor.replace instead of Interceptor.attach —FAILED on my IPad Pro 2nd Gen

2. Remove memory protection —FAILED on my IPad Pro 2nd Gen

For now, I will Iive with live patch first.
May be later see if H5GG would update embedded Frida version to latest. Then could give it a try.

Thanks

What type of string? You can’t do it with iGameGod or HG55?
 

Thx 

Although you said for newbies, I still don’t know how to use

11 hours ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

Mhhh so you mean H5GG hook is working some times if debugging is on ? 

Update:

1. It works every time on my iPad Pro (9.7) but not work on my iPad Pro 2nd Generation.

2. Both are on iPad OS 16.2

Completely no idea what happens. 
 

Luckily the live patching work across device. Just the Interceptor failed on one.

I guess it is the implementation of Interceptor causing problem. Because the statement simply hang and not returning, app’s console log show nothing. We just see the Interceptor call invoked, then nothing more in log and not progressing.

So, it is probably not invalid memory access stuff.

Looking for possible solutions.

6 hours ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

Mhhh so you mean H5GG hook is working some times if debugging is on ? 

I am not able to find out what causing the game hang yet. But I seem happened after I tried to clean up the script. It could also because I mess up the code.

Let me try a bit more today.

Test Result:

1. try {pid=h5gg.getProcList("UnityFramework")[0].pid;}catch(e){} - NOT WORK

2. let frontapp = h5frida.get_frontmost_application();

    frontapp.pid; - THIS WORK

But the hook seems not always work, sometime it cause game hang (not exit) on applying the hook.

Need some more study.

2 hours ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

I mean c++ hook like on Ted2 mod menu

Never use Ted2 mod menu. I don’t have a jailbroken device now. 
 

is it a simple deb that I can inject and try out? 

3 hours ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

Maybe after there is a way to find an automated step to make the app thinks it's in debugging mod ! 

It's good that "normal" hook with c++ work 

Am….are we talking the same hook? You seems have special expectation on that word “normal”.

My “normal” just mean, we don’t need to patch and re-Sideload the app. Just directly hook on to the app under debugging state.

2 hours ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

let procs = h5frida.enumerate_processes();
if(!procs || !procs.length) throw "frida无法获取进程列表\n\nfrida can't get process list";

let pid = -1; //pid=-1, 使用自身进程来调用OC/C/C++函数, 也可以附加到其他APP进程来调用
//Use its own process to call OC/C/C++ functions, or attach to other APP processes to call

try {pid=h5gg.getProcList("UnityFramework")[0].pid;}catch(e){}

let found = false;
for(let i=0;i<procs.length;i++) {
    if(procs[i].pid==pid) {
        //if(procs[i].name!='Gadget') throw "免越狱测试请卸载frida-server的deb然后重启当前APP\nFor non-jailbreak tests, please uninstall the frida-server deb and restart the current APP";
        found = true;
    }
}

if(!found) throw "frida无法找到目标进程\n\nfrida cannot find the target process";

//检查目标APP进程是否在前台运行, 如果在后台暂停了, frida附加调用会卡住
//Check whether the target APP process is running in the foreground, if it is suspended in the background, frida will be blocked
while(pid>0) {
    let frontapp = h5frida.get_frontmost_application();
    if(frontapp && frontapp.pid == pid) break;
    
    alert("请将目标APP切换至前台运行, 再点击确定继续...\n"
            + "Please switch the target APP to the foreground to run, and then click OK to continue...");
}

 

Im on my device atm, couldn't paste it as code, but here is a raw code i found on an H5GG project that takes the PID. Tho i haven't read anything related to frida interceptor method (regarding H5GG)

Cool, let me give them a try. 
If I remember correctly, h5frida.enumerate_processes() return process within Frida only. I only see Gadget in it previously.

Below one could work, frontmost app should be the game

• let frontapp = h5frida.get_frontmost_application();
• frontapp.pid

This one, I am not so sure. 

• h5gg.getProcList("UnityFramework")[0].pid

There is a version of h5gg works cross-process app, which is requires jailbroken. Hopefully, these commands does not need that version.

9 hours ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

@Happy Secret Have you tried to see if "normal" hook that is used for common cheats, work on jailed if debugging is on ?

I do not have XCode, otherwise i would test it by myself 

GOD!!! I seems make the normal hook working under debugging state! I can hook the Subway Surfers - Always can jump!

Not sure if there has any drawback/issue yet.

Will give another try later tonight!

If it really works, I will definitely make another Tutorial.

Anyway, current version is still quite handicapped. Need manually hard code process ID in script. But if hook is possible, I will find way to get process ID from system.

2 hours ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

@Happy Secret Have you tried to see if "normal" hook that is used for common cheats, work on jailed if debugging is on ?

I do not have XCode, otherwise i would test it by myself 

Quite busy these two days. I am still figuring out how to write “Intercepter” on UnityFramework. Never try it before.

Or do you have good tutorial? Or a quick piece of normal hook script for Subway Surfers?

Two quick challenges found are, 

1. How to get process ID in script? 
     “var pid = $("#procname").attr('pid');” is not working. 
     Per tuancc, this seems need different version of H5GG. I am trying to hard code “pid” for now.

2. Interceptor is default not available under current configuration. We will need to update the Frida config. Already found what to change, hopefully we won’t block by the jailed implementation of H5GG/h5frida.

3 minutes ago, namcyeon said:

After ida processed your il2cpp file (take about 30min), press F5, it will show the pseudocode of which function you selected https://www.hex-rays.com/products/decompiler/manual/interactive.shtml

Oh! God! I just missed the lovely “F5”!

Thank you so much!

6 minutes ago, namcyeon said:

To

/cdn-cgi/mirage/db804e55228eea14ed66529a8d29de853ef284cd521d3708b93a2ff43c4bae76/1280/https://i.imgur.com/Je63274.png

Oh!! That is something I don’t know.

Any tutorial? How to convert first photo to second one?

I thought we can only look at those arm code to mentally reverse engine the logic. Very painful exercise for me.

2 hours ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

use IlSpy for macOS, it's working great, it's different then DnSpy but well at least you can decompile DLLs

Cool, thx. Not aware of that. 
Do you have a good source of it? I don’t familiar GitHub and how to build. It often take me long time.

1 hour ago, namcyeon said:

IDA pro crack also, 😆

Haven’t try to do same thing with IDA. 

I use IDA normally for string search, static analysis using graphical view. 
I don’t even debug from IDA now. Completely don’t know how to debug on non-jailbroken device.

4 minutes ago, ꞋꞌꞋꞌꞋꞌꞋꞌ said:

Yeah but sadly i don't have a mac

Frankly, I want a Windows PC as well. A lot app in Windows OS are not available in Mac. Take DnSpy as example, I tried pretty hard still can’t get it running with wine in Mac.