Merge pull request #2 from TrialCarrot/main

Add Dobby to replace And64InlineHook.

Author: Cyb3r9

app/src/main/jni/Android.mk

@@ -8,6 +8,12 @@ LOCAL_MODULE    := Keystone
 LOCAL_SRC_FILES := $(KITTYMEMORY_PATH)/Deps/Keystone/libs-android/$(TARGET_ARCH_ABI)/libkeystone.a
 include $(PREBUILT_STATIC_LIBRARY)
 
+# Dobby
+include $(CLEAR_VARS)
+LOCAL_MODULE := Dobby
+LOCAL_SRC_FILES := Dobby/${TARGET_ARCH_ABI}/libdobby.a
+include $(PREBUILT_STATIC_LIBRARY)
+
 # Here is the name of your lib.
 # When you change the lib name, change also on System.loadLibrary("") under OnCreate method on StaticActivity.java
 # Both must have same name
@@ -24,6 +30,7 @@ LOCAL_ARM_MODE := arm
 
 LOCAL_C_INCLUDES += $(LOCAL_PATH)
 LOCAL_C_INCLUDES += $(LOCAL_PATH)/Includes/
+LOCAL_C_INCLUDES += $(LOCAL_PATH)/Dobby/
 
 # Here you add the cpp file to compile
 LOCAL_SRC_FILES := Main.cpp \
@@ -44,6 +51,6 @@ LOCAL_SRC_FILES := Main.cpp \
     KittyMemory/MemoryBackup.cpp \
 	And64InlineHook/And64InlineHook.cpp \
 
-LOCAL_STATIC_LIBRARIES := Keystone
+LOCAL_STATIC_LIBRARIES := Keystone Dobby
 
 include $(BUILD_SHARED_LIBRARY)

app/src/main/jni/Dobby/README.md

@@ -0,0 +1,17 @@
+The latest version of [Dobby](https://github.com/jmpews/Dobby.git) is impossiable to compile.
+To build Dobby, please run `git checkout 0932d69c320e786672361ab53825ba8f4245e9d3`
+For more details, please see https://github.com/jmpews/Dobby/issues/257.
+
+These pre-compiled objects use CMake options:
+```cmake
+option(DOBBY_GENERATE_SHARED "Build shared library" OFF)
+option(DOBBY_DEBUG "Enable debug logging" OFF)
+option(NearBranch "Enable near branch trampoline" ON)
+option(FullFloatingPointRegisterPack "Save and pack all floating-point registers" OFF)
+option(Plugin.SymbolResolver "Enable symbol resolver" ON)
+option(Plugin.ImportTableReplace "Enable import table replace " ON)
+option(Plugin.Android.BionicLinkerUtil "Enable android bionic linker util" ON)
+option(DOBBY_BUILD_EXAMPLE "Build example" OFF)
+option(DOBBY_BUILD_TEST "Build test" OFF)
+add_subdirectory(dobby) # Compile Dobby
+```

app/src/main/jni/Dobby/arm64-v8a/libdobby.a

@@ -0,0 +1,152 @@
+#ifndef dobby_h
+#define dobby_h
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <stdbool.h>
+#include <stdint.h>
+
+typedef uintptr_t addr_t;
+typedef uint32_t addr32_t;
+typedef uint64_t addr64_t;
+
+typedef void *dobby_dummy_func_t;
+typedef void *asm_func_t;
+
+#if defined(__arm__)
+typedef struct {
+  uint32_t dummy_0;
+  uint32_t dummy_1;
+
+  uint32_t dummy_2;
+  uint32_t sp;
+
+  union {
+    uint32_t r[13];
+    struct {
+      uint32_t r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11, r12;
+    } regs;
+  } general;
+
+  uint32_t lr;
+} DobbyRegisterContext;
+#elif defined(__arm64__) || defined(__aarch64__)
+#define ARM64_TMP_REG_NDX_0 17
+
+typedef union _FPReg {
+  __int128_t q;
+  struct {
+    double d1;
+    double d2;
+  } d;
+  struct {
+    float f1;
+    float f2;
+    float f3;
+    float f4;
+  } f;
+} FPReg;
+
+// register context
+typedef struct {
+  uint64_t dmmpy_0; // dummy placeholder
+  uint64_t sp;
+
+  uint64_t dmmpy_1; // dummy placeholder
+  union {
+    uint64_t x[29];
+    struct {
+      uint64_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15, x16, x17, x18, x19, x20, x21, x22,
+          x23, x24, x25, x26, x27, x28;
+    } regs;
+  } general;
+
+  uint64_t fp;
+  uint64_t lr;
+
+  union {
+    FPReg q[32];
+    struct {
+      FPReg q0, q1, q2, q3, q4, q5, q6, q7;
+      // [!!! READ ME !!!]
+      // for Arm64, can't access q8 - q31, unless you enable full floating-point register pack
+      FPReg q8, q9, q10, q11, q12, q13, q14, q15, q16, q17, q18, q19, q20, q21, q22, q23, q24, q25, q26, q27, q28, q29,
+          q30, q31;
+    } regs;
+  } floating;
+} DobbyRegisterContext;
+#elif defined(_M_IX86) || defined(__i386__)
+typedef struct _RegisterContext {
+  uint32_t dummy_0;
+  uint32_t esp;
+
+  uint32_t dummy_1;
+  uint32_t flags;
+
+  union {
+    struct {
+      uint32_t eax, ebx, ecx, edx, ebp, esp, edi, esi;
+    } regs;
+  } general;
+
+} DobbyRegisterContext;
+#elif defined(_M_X64) || defined(__x86_64__)
+typedef struct {
+  uint64_t dummy_0;
+  uint64_t rsp;
+
+  union {
+    struct {
+      uint64_t rax, rbx, rcx, rdx, rbp, rsp, rdi, rsi, r8, r9, r10, r11, r12, r13, r14, r15;
+    } regs;
+  } general;
+
+  uint64_t dummy_1;
+  uint64_t flags;
+} DobbyRegisterContext;
+#endif
+
+#define install_hook_name(name, fn_ret_t, fn_args_t...)                                                                \
+  static fn_ret_t fake_##name(fn_args_t);                                                                              \
+  static fn_ret_t (*orig_##name)(fn_args_t);                                                                           \
+  /* __attribute__((constructor)) */ static void install_hook_##name(void *sym_addr) {                                 \
+    DobbyHook(sym_addr, (dobby_dummy_func_t)fake_##name, (dobby_dummy_func_t *)&orig_##name);                          \
+    return;                                                                                                            \
+  }                                                                                                                    \
+  fn_ret_t fake_##name(fn_args_t)
+
+// memory code patch
+int DobbyCodePatch(void *address, uint8_t *buffer, uint32_t buffer_size);
+
+// function inline hook
+int DobbyHook(void *address, dobby_dummy_func_t replace_func, dobby_dummy_func_t *origin_func);
+
+// dynamic binary instruction instrument
+// for Arm64, can't access q8 - q31, unless enable full floating-point register pack
+typedef void (*dobby_instrument_callback_t)(void *address, DobbyRegisterContext *ctx);
+int DobbyInstrument(void *address, dobby_instrument_callback_t pre_handler);
+
+// destroy and restore code patch
+int DobbyDestroy(void *address);
+
+const char *DobbyGetVersion();
+
+// symbol resolver
+void *DobbySymbolResolver(const char *image_name, const char *symbol_name);
+
+// import table replace
+int DobbyImportTableReplace(char *image_name, char *symbol_name, dobby_dummy_func_t fake_func,
+                            dobby_dummy_func_t *orig_func);
+
+// for arm, Arm64, try use b xxx instead of ldr absolute indirect branch
+// for x86, x64, always use absolute indirect jump
+void dobby_enable_near_branch_trampoline();
+void dobby_disable_near_branch_trampoline();
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif

app/src/main/jni/Dobby/armeabi-v7a/libdobby.a

@@ -17,6 +17,10 @@
 #include "Menu/Jni.hpp"
 #include "Includes/Macros.h"
 
+// Dobby is a very powerful hook framework that including hook, stub, patch, and symbol resolve.
+// It can completely replace And64InlineHook and KittyMemory, so they are deprecated.
+#include "dobby.h" // https://github.com/jmpews/Dobby
+
 bool noDeath;
 int scoreMul = 1, coinsMul = 1;
 
@@ -136,6 +140,8 @@ void Update(void *instance) {
     return old_Update(instance);
 }
 
+// This pattern of orig_xxx and hook_xxx can be completely replaced by macro `install_hook_name` from dobby.h.
+// You can modify it if you want.
 void (*old_AddScore)(void *instance, int score);
 void AddScore(void *instance, int score) {
     return old_AddScore(instance, score * scoreMul);
@@ -152,14 +158,18 @@ void AddCoins(void *instance, int count) {
 ElfScanner g_il2cppELF;
 
 // we will run our hacks in a new thread so our while loop doesn't block process main thread
-void *hack_thread(void *) {
+void hack_thread() {
     LOGI(OBFUSCATE("pthread created"));
 
-    //Check if target lib is loaded
-    /*do {
-        sleep(1);
-    } while (!isLibraryLoaded(targetLibName));*/
+    // This loop should be always enabled in unity game
+    // because libil2cpp.so is not loaded into memory immediately.
+    while (!isLibraryLoaded(targetLibName)) {
+        sleep(1); // Wait for target lib be loaded.
+    }
 
+    // ElfScanner::createWithPath can actually be replaced by xdl_open() and xdl_info(),
+    // but that's from https://github.com/hexhacking/xDL.
+    // You can compile it if you want.
     do {
         sleep(1);
         // getElfBaseMap can also find lib base even if it was loaded from zipped base.apk
@@ -168,6 +178,8 @@ void *hack_thread(void *) {
 
     LOGI(OBFUSCATE("%s has been loaded"), (const char *) targetLibName);
 
+    // In Android Studio, to switch between arm64-v8a and armeabi-v7a syntax highlighting,
+    // You can modify the "Active ABI" in "Build Variants" to switch to another architecture for parsing.
 #if defined(__aarch64__)
     uintptr_t il2cppBase = g_il2cppELF.base();
 
@@ -179,6 +191,9 @@ void *hack_thread(void *) {
     HOOK(targetLibName, str2Offset(OBFUSCATE("0x107A2FC")), AddCoins, old_AddCoins);
     HOOK(targetLibName, str2Offset(OBFUSCATE("0x1078C44")), Update, old_Update);
 
+    // This function can completely replace MemoryPatch::createWithHex:
+    // int DobbyCodePatch(void *address, uint8_t *buffer, uint32_t buffer_size); (from dobby.h)
+    // And it is more powerful and intuitive.
     gPatches.noDeath = MemoryPatch::createWithHex(il2cppBase + str2Offset(OBFUSCATE("0x1079728")), "C0 03 5F D6");
 
     //HOOK(targetLibName, str2Offset(OBFUSCATE("0x1079728")), Kill, old_Kill);
@@ -195,12 +210,18 @@ void *hack_thread(void *) {
 #endif
 
     LOGI(OBFUSCATE("Done"));
-    return nullptr;
 }
 
+// Functions with `__attribute__((constructor))` are executed immediately when System.loadLibrary("lib_name") is called.
+// If there are multiple such functions at the same time, `constructor(priority)` (the priority is an integer)
+// will determine the execution priority, otherwise the execution order is undefined behavior.
 __attribute__((constructor))
 void lib_main() {
     // Create a new thread so it does not block the main thread, means the game would not freeze
-    pthread_t ptid;
-    pthread_create(&ptid, NULL, hack_thread, NULL);
+    // pthread_t ptid;
+    // pthread_create(&ptid, NULL, hack_thread, NULL);
+
+    // In modern C++, you should use std::thread(yourFunction).detach() instead of pthread_create
+    // because it is cross-platform and more intuitive.
+    std::thread(hack_thread).detach();
 }