A Frida module to dump, trace or hijack any Il2Cpp application at runtime, without needing the global-metadata.dat file.
- Dump classes, methods, fields and so on
- Trace, intercept and replace method calls
- Mess around with the C# runtime
- Il2Cpp structs and global metadata (almost) free
It should work for any Unity version in the range 5.3.0 - 6000.1.x.
Android, Linux, Windows, iOS, macOS are supported. However, only Android and Linux are "tested": expect breakage if you are using another platform.
Starting from version 0.10.0, a frida-il2cpp-bridge Python executable is included alongside the NPM package installation. This executable wraps the frida command and adds IL2CPP specific features. To invoke it, simply run:
npx frida-il2cpp-bridge --helpor
npm exec frida-il2cpp-bridge -- --helpUse the dump subcommand to dump an application:
$ npm exec frida-il2cpp-bridge -- dump --help
usage: frida-il2cpp-bridge [options] dump [-h] [--out-dir OUT_DIR] [--cs-output {none,stdout,flat,tree}] [--no-namespaces] [--flatten-nested-classes] [--keep-implicit-base-classes]
[--enums-as-structs] [--no-type-keywords] [--actual-constructor-names] [--indentation-size INDENTATION_SIZE]
options:
-h, --help show this help message and exit
--out-dir OUT_DIR where to save the dump (defaults to current working dir)
--cs-output {none,stdout,flat,tree}
style of C# output (defaults to tree)
- none: do nothing;
- stdout: print to console;
- flat: one single file (dump.cs);
- tree: directory structure having one file per assembly.
--no-namespaces do not emit namespace blocks, and prepend namespace name in class declarations
--flatten-nested-classes
write nested classes at the same level of their inclosing classes, and prepend enclosing class name in their declarations
--keep-implicit-base-classes
write implicit base classes (class -> System.Object, struct -> System.ValueType, enum -> System.Enum) in class declarations
--enums-as-structs write enum class declarations as structs
--no-type-keywords use fully qualified names for builtin types instead of their keywords (e.g. use 'System.Int32' instead of 'int', or 'System.Object' instead of 'object')
--actual-constructor-names
write actual constructors names (e.g. '.ctor' and '.cctor')
--indentation-size INDENTATION_SIZE
indentation size (defaults to 4)
Example:
npm exec frida-il2cpp-bridge -- -f com.example.application dump --out-dir dumpsOutput:
Spawning `com.example.application`...
IL2CPP module loaded in 1.13s (id=com.example.application, version=1.12.8, unity version=2019.3.0f1)
Dumping mscorlib: 2872 of 2872 classes
Dumping GameAssembly: 32 of 32 classes
Collected 2904 classes in 4.76s
Dump saved to dumps/com.example.application/1.12.8
Over the time, it was realized that some testing was necessary, as supporting many Unity version makes introducing regressions or faulty features easy. Though it's far from being complete and bullet-proof, there's a minimal testing setup contributors can get advantage of to test their changes.
In order to test frida-il2cpp-bridge, a IL2CPP application is needed (of course). Here are some very useful resources:
Unity editors (so IL2CPP toolchains) will be downloaded and extracted automatically.
Prerequisites
- Only Linux is currently supported;
- Make sure to have
clangandmakeinstalled.
make assembliesAn assembly (GameAssembly.so) will be built for each of tested Unity versions.
make unity/2019.3.0f1/make testTests run against only the installed Unity versions.
Thanks to meme and knobse for helping and getting me into this, and to djkaty and nneonneo for providing the Il2Cpp API.
Discussions and Wiki are both active. Use them!
