Help/Support Help with printing parameters of il2cpp hooked function with Theos Tweak.xm

errantmitosis · May 12, 2023

hello!

I am following https://iosgods.com/topic/166258-unity-game-hacking-tutorial-speed-hack-part-3-function-hooking/ and have made some progress in hooking an il2cpp unity game. (jailbreak ipad pro)

Here is the method I'm trying to hook for practice.

[Token(Token = "0x60003DF")]
[Address(RVA = "0x264C3E4", Offset = "0x264C3E4", VA = "0x264C3E4")]
private static byte[] KeySaltShaker(string keySalt)
{
	return null;
}

I'm using the iOS-Mod-Menu-Template-for-Theos and am just trying to print the parameters of the method and not actually alter anything.

My tweak.xm looks like this, with the framework set to "UnityFramework" but I cut all the stuff beyond including setupMenu

#import "Macros.h"

void writeAndAppendString(NSString *str) {

    NSData *data = [str dataUsingEncoding:NSUTF8StringEncoding];

    NSString *filePath = [NSTemporaryDirectory() stringByAppendingPathComponent:@"hook.log"];

    NSFileManager *fileManager = [NSFileManager defaultManager];
    if ([fileManager fileExistsAtPath:filePath]) {
        // Add the text at the end of the file.
        NSFileHandle *fileHandler = [NSFileHandle fileHandleForUpdatingAtPath:filePath];
        [fileHandler seekToEndOfFile];
        [fileHandler writeData:data];
        [fileHandler closeFile];
    } else {
        // Create the file and write text to it.
                [data writeToFile:filePath atomically:YES];
    }
}

std::string* (*original_method)(void *self, std::string *keySalt);
std::string* hook_method(void *self, std::string *keySalt) {

    if (self != NULL) {
    
        writeAndAppendString(@"\nEnter\n");
        writeAndAppendString([NSString stringWithUTF8String:keySalt->c_str()]);
    
        std::string *returnValue = original_method(self, keySalt);
    
        writeAndAppendString(@"\nExit\n");
    
        return returnValue;
    }

    return original_method(self, keySalt);
}

/***********************************************************
  INSIDE THE FUNCTION BELOW YOU'LL HAVE TO ADD YOUR SWITCHES!
***********************************************************/
void setup() {
    HOOK(0x264C3E4, hook_method, original_method);

    writeAndAppendString(@"Completed setup\n");
}

The `Enter` and `Exit` print properly and I can see the method is being invoked multiple times without the game crashing but my `keySalt` parameter always prints empty.

The `returnValue` also prints nothing in this case if I try to log it in the same way as `keySalt`

I don't know enough about C / Objective C++ and how it relates to the .Net in dnSpy. I only write Java lol. I'm going crazy trying to figure out string, std::string, NSString, IL2CppString and how they all fit when wanting to hook in this way.

I'm not sure if its hooking the right method, nor reading the parameters properly. Its an appguard protected game. FFBE War of the Visions which has existing hack here too

Can anyone give me some tips on how to print out the parameters of methods like this?? I'm also going to run into some other use cases where the parameters of methods in the il2cpp dump are Unity classes.

Thanks in advance!

EDIT: just realized its static method. will try a few more things as well.

Updated May 14, 2023 by errantmitosis

quatorze · May 15, 2023

https://developer.apple.com/documentation/foundation/1395275-nslog

errantmitosis · May 15, 2023

6 hours ago, quatorze said:

https://developer.apple.com/documentation/foundation/1395275-nslog

I was originally using NSLog but I couldn't find where it was logging to so I decided to just log to a file in the app's tmp directory.

I made some more progress after I found some info on using an implementation of a Unity string I found here, so I will continue researching other data types.

typedef struct _monoString {
    void *klass;
    void *monitor;
    int length;
    char chars[1];

    int getLength() {
        return length;
    }

    char *getChars() {
        return chars;
    }
} monoString;

It brought me to another question. If you have a pointer to something like a string or a byte[], is it possible to know the length? or is that something you have to dig elsewhere in the binary itself.

// Gsc.App.Encryption.EncryptionHelper
// Token: 0x060003DE RID: 990 RVA: 0x000020B2 File Offset: 0x000002B2
[Token(Token = "0x60003DE")]
[Address(RVA = "0x264C49C", Offset = "0x264C49C", VA = "0x264C49C")]
internal static byte[] Encrypt(byte[] input, string keySalt, EncryptionHelper.Options options, [Optional] byte[] IV, [Optional] string requestId, [Optional] byte[] customKey)
{
    return null;
}

if I wanted to log the input or the IV for instance. I tried sizeof but thats just the 8 bytes for the 64 bit pointer it seems.

Sorry for the noob questions!