
frida-il2cpp-bridge
A Frida module to dump, trace or hijack any Il2Cpp application at runtime, without needing the global-metadata.dat file.
It should work for any Unity version in the range 5.3.0 - 6000.1.x.
Android, Linux, Windows, iOS, macOS are supported. However, only Android and Linux are "tested": expect breakage if you are using another platform.
Starting from version 0.10.0, a frida-il2cpp-bridge Python executable is included alongside the NPM package installation. This executable wraps the frida command and adds IL2CPP specific features. To invoke it, simply run:
npx frida-il2cpp-bridge --help
or
npm exec frida-il2cpp-bridge -- --help
Use the dump subcommand to dump an application:
$ npm exec frida-il2cpp-bridge -- dump --help
usage: frida-il2cpp-bridge [options] dump [-h] [--out-dir OUT_DIR] [--cs-output {none,stdout,flat,tree}] [--no-namespaces] [--flatten-nested-classes] [--keep-implicit-base-classes]
                                          [--enums-as-structs] [--no-type-keywords] [--actual-constructor-names] [--indentation-size INDENTATION_SIZE]

options:
  -h, --help            show this help message and exit
  --out-dir OUT_DIR     where to save the dump (defaults to current working dir)
  --cs-output {none,stdout,flat,tree}
                        style of C# output (defaults to tree)
                        - none: do nothing;
                        - stdout: print to console;
                        - flat: one single file (dump.cs);
                        - tree: directory structure having one file per assembly.
  --no-namespaces       do not emit namespace blocks, and prepend namespace name in class declarations
  --flatten-nested-classes
                        write nested classes at the same level of their inclosing classes, and prepend enclosing class name in their declarations
  --keep-implicit-base-classes
                        write implicit base classes (class -> System.Object, struct -> System.ValueType, enum -> System.Enum) in class declarations
  --enums-as-structs    write enum class declarations as structs
  --no-type-keywords    use fully qualified names for builtin types instead of their keywords (e.g. use 'System.Int32' instead of 'int', or 'System.Object' instead of 'object')
  --actual-constructor-names
                        write actual constructors names (e.g. '.ctor' and '.cctor')
  --indentation-size INDENTATION_SIZE
                        indentation size (defaults to 4)
Example:
npm exec frida-il2cpp-bridge -- -f com.example.application dump --out-dir dumps
Output:
Spawning `com.example.application`...
IL2CPP module loaded in 1.13s (id=com.example.application, version=1.12.8, unity version=2019.3.0f1)
Dumping mscorlib: 2872 of 2872 classes
Dumping GameAssembly: 32 of 32 classes
Collected 2904 classes in 4.76s
Dump saved to dumps/com.example.application/1.12.8
Over time, it became clear that some testing was necessary, as supporting many Unity versions makes it easy to introduce regressions or faulty features. Though it's far from complete and bullet-proof, there's a minimal testing setup contributors can take advantage of to test their changes.
In order to test frida-il2cpp-bridge, an IL2CPP application is needed (of course). Here are some very useful resources:
Unity editors (so IL2CPP toolchains) will be downloaded and extracted automatically.
Prerequisites
clang and make installed.
make assemblies
An assembly (GameAssembly.so) will be built for each of the tested Unity versions.
make unity/2019.3.0f1/
make test
Tests run against only the installed Unity versions.
Thanks to meme and knobse for helping and getting me into this, and to djkaty and nneonneo for providing the Il2Cpp API.
Discussions and Wiki are both active. Use them!
FAQs
The npm package frida-il2cpp-bridge receives a total of 215 weekly downloads. As such, frida-il2cpp-bridge popularity was classified as not popular.
We found that frida-il2cpp-bridge demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.