chirp-hook

An il2cpp function hooking framework for Unity games
24 Replies
Dumb Bird (2y ago)
- Added basic hooking
- Added IL2CPP type support
- Include Unity 2019 IL2CPP source code, will most likely be removed in public version
- Added CustomUI, allows you to create custom UIs... obviously
- Assumes you have access to IL2CPP custom types specified by your game. Use IL2CPP inspector to get this if you don't have them already
- Added IL2CPP function support
- Added IL2CPP class support
- Planned support for offsetless hook definitions instead of having to specify an offset
- Added basic usage examples using Ghidra, and Frida injection methods
- Planned codegen generator, which will help immensely, for now I'd just use IL2CPP inspector.
- Added Android NDK r23c support, well now it's pretty much required (thanks to newly added IL2CPP support)
- Added And64InlineHook support, allowing for chirp-hook to work on Android ARMv8 based CPUs. For now, I'm removing ARMv7 support as almost all games on the Quest 1, 2, and 3 don't actually use ARMv7 that much. For keeping my sanity, I'm not going to maintain both versions :)
- Improved logging system, as well as fixing function names stopping some conflicts: log->logp, and logf->logpf
- Added Linux building support, allowing patching and building to be done via shell scripts.
- Cleaned up the PowerShell scripts for patching and installing
- Patching now defaults to abusing a SMALI hack. Finds the application's entry point and injects code for a mod loader
- chirp-hook now comes with my own general purpose mod loader installed. When changing the mod loader being used, make sure you also edit what function is called at the entry point of the application!
- Added RapidJson for quick JSON parsing

chirp-hook's primary use is for the Gorilla Tag mod loader, GUTS.
Dumb Bird (2y ago)
As GUTS is still in very early development, all I have to share is its logo:
Dumb Bird (2y ago)
GUTS code won't actually be open source, though tools used by it (such as chirp-hook) will be open sourced. If you have any questions, please ask me. chirp-hook still isn't at a public release version. I will be discussing its development here.

- Added INSTALL_HOOK_DIRECT
- Added getRealOffset which calculates dump.cs address + lib.so base address. Used to get the real offset of a function
- Added il2cpp::createcsstr for creating a C# string
- Improved baseAddr function
- Added MAKE_HOOK_OFFSETLESS, should be used like so:
// The macro expands to the hook function's signature; the braces that follow
// become the body of hook_<name>. The original is reachable through the
// function pointer <name> once the hook is installed.
MAKE_HOOK_OFFSETLESS(name, retval, ...) {
    code here ;)
}
- Added INSTALL_HOOK_OFFSETLESS
- Added INSTALL_HOOK_DIRECT which installs a direct 64bit hook. DOESN'T TAKE A RETVAL!

Here are the definitions for the new hooking and installing functions, this may help some as no documentation is actually made yet :3
// MAKE_HOOK: declares addr_<name> (a dump.cs offset, resolved against the
// libil2cpp.so base by getRealOffset() at install time), the pointer <name>
// that will receive the trampoline to the original function, and the
// signature of the replacement hook_<name>.
#define MAKE_HOOK(name, addr, retval, ...) \
    void* addr_ ## name = (void*) addr; \
    retval (*name)(__VA_ARGS__) = NULL; \
    retval hook_ ## name(__VA_ARGS__)

// MAKE_HOOK_OFFSETLESS: no address stored; the target is taken from the
// MethodInfo* handed to INSTALL_HOOK_OFFSETLESS.
#define MAKE_HOOK_OFFSETLESS(name, retval, ...) \
    retval (*name)(__VA_ARGS__) = NULL; \
    retval hook_ ## name(__VA_ARGS__)

// MAKE_HOOK_NAT: same shape as MAKE_HOOK, but addr is an absolute (native)
// address that INSTALL_HOOK_NAT uses as-is, without getRealOffset().
#define MAKE_HOOK_NAT(name, addr, retval, ...) \
    void* addr_ ## name = (void*) addr; \
    retval (*name)(__VA_ARGS__) = NULL; \
    retval hook_ ## name(__VA_ARGS__)
#ifdef __aarch64__
// 64-bit (ARMv8): And64InlineHook. The third argument receives the
// trampoline to the original, so calling <name>(...) inside hook_<name>
// runs the unhooked function.

#define INSTALL_HOOK(name) \
    log_print(INFO, "Installing 64 bit hook!"); \
    A64HookFunction((void*)getRealOffset(addr_ ## name), (void*) hook_ ## name, (void**)&name);

#define INSTALL_HOOK_OFFSETLESS(name, methodInfo) \
    log_print(INFO, "Installing 64 bit offsetless hook!"); \
    A64HookFunction((void*)methodInfo->methodPointer, (void*) hook_ ## name, (void**)&name);

#define INSTALL_HOOK_NAT(name) \
    log_print(INFO, "Installing 64 bit native hook!"); \
    A64HookFunction((void*)(addr_ ## name), (void*) hook_ ## name, (void**)&name);

#define INSTALL_HOOK_DIRECT(name, addr) \
    log_print(INFO, "Installing 64 bit direct hook!"); \
    A64HookFunction((void*)addr, (void*) hook_ ## name, (void**)&name);

#else
// 32-bit (ARMv7): the inline-hook API is two-step, registerInlineHook()
// records the patch and inlineHook() applies it.

#define INSTALL_HOOK(name) \
    log_print(INFO, "Installing 32 bit hook!"); \
    registerInlineHook((uint32_t)getRealOffset(addr_ ## name), (uint32_t)hook_ ## name, (uint32_t **)&name); \
    inlineHook((uint32_t)getRealOffset(addr_ ## name));

#define INSTALL_HOOK_OFFSETLESS(name, methodInfo) \
    log_print(INFO, "Installing 32 bit offsetless hook!"); \
    registerInlineHook((uint32_t)methodInfo->methodPointer, (uint32_t)hook_ ## name, (uint32_t **)&name); \
    inlineHook((uint32_t)methodInfo->methodPointer);

#define INSTALL_HOOK_NAT(name) \
    log_print(INFO, "Installing 32 bit native hook!"); \
    registerInlineHook((uint32_t)(addr_ ## name), (uint32_t)hook_ ## name, (uint32_t **)&name); \
    inlineHook((uint32_t)(addr_ ## name));

// Log message corrected: this is the direct hook, not the offsetless one.
#define INSTALL_HOOK_DIRECT(name, addr) \
    log_print(INFO, "Installing 32 bit direct hook!"); \
    registerInlineHook((uint32_t)addr, (uint32_t)hook_ ## name, (uint32_t **)&name); \
    inlineHook((uint32_t)addr);

#endif
- Planned to auto-detect location of libil2cpp.so, currently hard coded into the hooking library
- Added rapidjson-utils.hpp which makes using rapidjson a lot more convenient
- Added a lot more logging during hooking, and installing hooks. Very helpful when trying to debug
- Added support for mod loading. Loads mods (.so files) from sdcard/Android/data/appnamehere/files/mods
- Cleaned up code so that ARMv7 support can be added in the future (if I feel inclined to do so)
- I may replace inlineHook with PolyHook, a more extensive option that allows chirp-hook to do more
Dumb Bird (2y ago)
GitHub - stevemk14ebr/PolyHook_2_0: C++17, x86/x64 Hooking Libary v2.0
Dumb Bird (2y ago)
- Added logWatcher script, makes monitoring the program really easy
- Made interacting with Unity methods and classes much smoother assuming you know a bit about Unity game development and how the game you're modding works internally
- "borrowed" some code from frida-gum; a cross-platform instrumentation and introspection library
- Added back ARMv7 support, along with adding X86, X86-64 support. So many architectures :O
- Made chirp-hook far more modular so you don't have countless issues trying to compile and get things to work
- Added Unity field name modding
- Created add_library function for better apk patching, uses Sc2ad's method of patching SMALI at app runtime
- Messed around with sockets using chirp-hook, it's not perfect, but it gets client to server communication done. If you want to use it to make custom servers in a game, go ahead, that's what this test was designed for. For games that already have multiplayer support, it's a bit easier to implement multiplayer with a custom server, but depending on the game it can be quite difficult. Also requires the person who hosts the server to port forward. Implementing custom servers is a lot of work and a painfully time-consuming task, though chirp-hook makes it a bit easier with some socket examples.
- Added Python script for building (as it's easier than me having to maintain .sh, .ps1 and CMake files)
- Chirp hook now supports the following Unity versions: 2017.1, 2017.4, 2018.1, 2018.2, 2018.4, 2019.2, 2019.3, 2019.4, 2020.1, 2020.3, 2021.1, 2021.2 and 2021.3, and the following architectures: X86, X86-64, ARM, and ARM64
- Building works on Windows, Mac, and Linux assuming you have the proper Android tools and NDK installed. I've tested it on both Windows and Linux, not Mac, though it should work fine there too
- I'll be messing with servers more in a bit, I'll keep you updated on the development
- Played around with making global custom cosmetics
- Added LoadClass function for helping ease the pain of Unity modding
- Added ResolveFunction and InitResolveFunction
- I'm back to working on chirp hook for a bit
- Added by-name modding which allows for easy to read offset-less control
- Now has the ability to create additional functions, not just modify existing ones
Unknown User (2y ago)
Message Not Public
Dumb Bird (2y ago)
It's a tool that I made to help me mod Unity games, that's a really simple explanation. It allows me to modify existing Unity functions and classes. I developed it mainly for VR games, and pretty much all Unity VR games use IL2CPP and not Mono. IL2CPP stands for Intermediate Language to C++. It converts IL to C++ which can then be compiled by a native compiler on the target system.
Unknown User (2y ago)
Message Not Public
Dumb Bird (2y ago)
Chirp hook is pretty much only useful for modding Unity games on Android.
Unknown User (2y ago)
Message Not Public
Dumb Bird (2y ago)
Which the Oculus Quest 2 is based off of. Not surprised lol

Chirp hook by default automatically hooks into Unity games by finding the application's entry point, then injecting some code into the smali file.

- Added library hooking as a function, allowing a mod developer to inject additional library files. Makes apk signature checking a breeze to bypass (in most cases)
- Added a string literal obfuscation function
- chirp-hook now has IL2CPP Resolver support. This makes mods developed using chirp-hook pretty much completely offsetless, meaning mods are a bit more universal, and when a game updates simple mods will still work without having to go through and replace old offsets
- Added some camera manipulation examples, tested in Gorilla Tag and Beat Saber. Things like changing FOV and moving the camera around
- Added a function for converting a std::string to an il2cpp string
- Added il2cpp dictionary type

I really want to try to integrate a GUI library into a VR port. Something really simple, I'd like to have some kind of GUI for mod menus when in VR. I'll look into it.
Unknown User (2y ago)
Message Not Public
Dumb Bird (2y ago)
What do you mean? Like being able to cast the screen and make it viewable like a 360 video?
Unknown User (2y ago)
Message Not Public
Dumb Bird (2y ago)
Oh, yes
Unknown User (2y ago)
Message Not Public
Dumb Bird (2y ago)
That is possible but it'd be trippy. I'll find an image of what it would look like.
Dumb Bird (2y ago)
It would look something along those lines.
Unknown User (2y ago)
Message Not Public
Dumb Bird (2y ago)
Yeah
Unknown User (2y ago)
Message Not Public
Dumb Bird (2y ago)
For Gorilla Tag, I could just make a cosmetic that has a mirror attached to it.
Unknown User (2y ago)
Message Not Public