Areizen · March 4, 2025 22:22
diff --git a/PianoTile3_Hook.js b/PianoTile3_Hook.js

 var library_name = "libil2cpp.so";
 var library_loaded = 0;
 var base_address = 0;

 // frida -U -l script.js -f com.youmusic.magictiles --no-pause

 var parse_tile_base_o = function(tile_base_o) {
    return {
       tileSizeX : tile_base_o.add(0x6c).readFloat(),
       tileSizeY : tile_base_o.add(0x70).readFloat(),
       startX : tile_base_o.add(0x74).readFloat(),
       startY : tile_base_o.add(0x78).readFloat(),
    }
 }


 var hookFunction = function(){
    // Getting il2cpp base adresse
    var il2cpp_addr = Module.findBaseAddress(library_name);
    
    //TileBase.Setup(TileBase_o *this, PianoIdol_NoteData_o *note, float startX, float startY, float sizeX, float sizeY, float cameraSpeed, float currentScale, UnityEngine_Transform_o *syncPos, int32_t index)
    var Setup_pointer = il2cpp_addr.add(0x11E97D4)
    const Setup = new NativeFunction(Setup_pointer, "void", ["pointer","pointer","float","float","float","float","float","float","pointer","int32"]);
    Interceptor.replace(Setup_pointer,
        new NativeCallback(function(thiz_ptr, note_ptr, startX, startY, sizeX, sizeY, cameraSpeed, currentScale, syncPos, index) {
            console.log("[+] Setup Tile : " + index);
            Setup(thiz_ptr, note_ptr, startX, startY, sizeX, sizeY, cameraSpeed, currentScale, syncPos, index);
        },
        "void", ["pointer","pointer","float","float","float","float","float","float","pointer","int32"])
        );


    //TileBase.onHit(TileBase_o *this, vector3 position)
    var onHit_pointer = il2cpp_addr.add(0x11E9E64)
    const onHit = new NativeFunction(onHit_pointer, "void", ["pointer","float","float","float"]);
    Interceptor.replace(onHit_pointer,
                        new NativeCallback(function(pointer, x, y, z) {
                            console.log("[+] Hit :")
                            console.log("x:" + x);
                            console.log("y:" + y);
                            console.log("z:" + z);
                            onHit(pointer, x, y, z);
                        },
                        "void", ["pointer","float","float","float"])
                        );


    //TileBase.UpdatePosition(TileBase_o *this, float deltaTime, float currentCameraSpeed)
    /* Workaround to parse float args */
    var UpdatePosition_pointer = il2cpp_addr.add(0x11e9998)
    const UpdatePosition = new NativeFunction(UpdatePosition_pointer, "void", ["pointer","float","float"]);
    Interceptor.replace(UpdatePosition_pointer,
                        new NativeCallback(function(pointer, deltaTime, currentCameraSpeed) {
                            console.log("[+] Update : ")
                            console.log("y:" + (deltaTime*currentCameraSpeed))
                            UpdatePosition(pointer, deltaTime, currentCameraSpeed);
                        },
                        "void", ["pointer","float","float"])
                        );
 }



 // First Step : waiting for the application to load the good library
 // https://android.googlesource.com/platform/system/core/+/master/libnativeloader/native_loader.cpp#746
 // 
 // OpenNativeLibrary is called when you loadLibrary from Java, it then call android_dlopen_ext
 Interceptor.attach(Module.findExportByName(null, 'android_dlopen_ext'),{
    onEnter: function(args){
        // first arg is the path to the library loaded
        var library_path = Memory.readCString(args[0]);

        if( library_path.includes(library_name)){
            console.log("[...] Loading library : " + library_path);
            library_loaded = 1;
        }
    },
    onLeave: function(return_val){
        // if it's the library we want to hook, hooking it
        if(library_loaded ==  1){
            console.log("[+] Loaded")
            library_loaded = 0;
            hookFunction();
        }
    }
 })

	var library_name = "libil2cpp.so";
	var library_loaded = 0;
	var base_address = 0;

	// frida -U -l script.js -f com.youmusic.magictiles --no-pause

	var parse_tile_base_o = function(tile_base_o) {
	return {
	tileSizeX : tile_base_o.add(0x6c).readFloat(),
	tileSizeY : tile_base_o.add(0x70).readFloat(),
	startX : tile_base_o.add(0x74).readFloat(),
	startY : tile_base_o.add(0x78).readFloat(),
	}
	}


	var hookFunction = function(){
	// Getting il2cpp base adresse
	var il2cpp_addr = Module.findBaseAddress(library_name);

	//TileBase.Setup(TileBase_o this, PianoIdol_NoteData_o note, float startX, float startY, float sizeX, float sizeY, float cameraSpeed, float currentScale, UnityEngine_Transform_o *syncPos, int32_t index)
	var Setup_pointer = il2cpp_addr.add(0x11E97D4)
	const Setup = new NativeFunction(Setup_pointer, "void", ["pointer","pointer","float","float","float","float","float","float","pointer","int32"]);
	Interceptor.replace(Setup_pointer,
	new NativeCallback(function(thiz_ptr, note_ptr, startX, startY, sizeX, sizeY, cameraSpeed, currentScale, syncPos, index) {
	console.log("[+] Setup Tile : " + index);
	Setup(thiz_ptr, note_ptr, startX, startY, sizeX, sizeY, cameraSpeed, currentScale, syncPos, index);
	},
	"void", ["pointer","pointer","float","float","float","float","float","float","pointer","int32"])
	);


	//TileBase.onHit(TileBase_o *this, vector3 position)
	var onHit_pointer = il2cpp_addr.add(0x11E9E64)
	const onHit = new NativeFunction(onHit_pointer, "void", ["pointer","float","float","float"]);
	Interceptor.replace(onHit_pointer,
	new NativeCallback(function(pointer, x, y, z) {
	console.log("[+] Hit :")
	console.log("x:" + x);
	console.log("y:" + y);
	console.log("z:" + z);
	onHit(pointer, x, y, z);
	},
	"void", ["pointer","float","float","float"])
	);


	//TileBase.UpdatePosition(TileBase_o *this, float deltaTime, float currentCameraSpeed)
	/* Workaround to parse float args */
	var UpdatePosition_pointer = il2cpp_addr.add(0x11e9998)
	const UpdatePosition = new NativeFunction(UpdatePosition_pointer, "void", ["pointer","float","float"]);
	Interceptor.replace(UpdatePosition_pointer,
	new NativeCallback(function(pointer, deltaTime, currentCameraSpeed) {
	console.log("[+] Update : ")
	console.log("y:" + (deltaTime*currentCameraSpeed))
	UpdatePosition(pointer, deltaTime, currentCameraSpeed);
	},
	"void", ["pointer","float","float"])
	);
	}



	// First Step : waiting for the application to load the good library
	// https://android.googlesource.com/platform/system/core/+/master/libnativeloader/native_loader.cpp#746
	//
	// OpenNativeLibrary is called when you loadLibrary from Java, it then call android_dlopen_ext
	Interceptor.attach(Module.findExportByName(null, 'android_dlopen_ext'),{
	onEnter: function(args){
	// first arg is the path to the library loaded
	var library_path = Memory.readCString(args[0]);

	if( library_path.includes(library_name)){
	console.log("[...] Loading library : " + library_path);
	library_loaded = 1;
	}
	},
	onLeave: function(return_val){
	// if it's the library we want to hook, hooking it
	if(library_loaded == 1){
	console.log("[+] Loaded")
	library_loaded = 0;
	hookFunction();
	}
	}
	})