Getting backtrace to work

[HeisenBuerger42]

I lately experimented a lot with frida-il2cpp-bridge, and I think it is a very helpful tool. On my latest project I try to hook onto some functions of an android app that is running inside an emulator. In order to achieve my desired results I want to better understand the overall function calls the app is making. So I got my function, but I would like to see where it is called from. I saw that there is a backtrace functionality inside frida-il2cpp-bridge, but I wasn't really able to get it to work. I used the following code.

Il2Cpp.backtrace().classes(BattlePreviewPopup).and().attach();

As far as I understand it the backtrace functionality should output the current stack when a function inside the BattlePreviewPopup class is called. But sadly it only outputs:

I don't really know if it is a game-specific issue since I saw that the backtrace functionality is still titled "very experimental". I would be interested in hearing if anyone had any success in using this feature. Thanks for your time.

[vfsfitvnm]

Hi 😄
The backtracer entirely relies on Frida's Thread::backtrace - here's how I use it:

frida-il2cpp-bridge/src/tracer.ts

Lines 345 to 367 in a28fa2e

	Interceptor.attach(method.virtualAddress, function () {
	if (this.threadId == threadId) {
	const handles = globalThis.Thread.backtrace(this.context, mode);
	handles.unshift(method.virtualAddress);
	for (const handle of handles) {
	if (handle.compare(Il2Cpp.module.base) > 0 && handle.compare(Il2Cpp.module.base.add(Il2Cpp.module.size)) < 0) {
	const method = searchInsert(handle);
	if (method) {
	const offset = handle.sub(method.virtualAddress);
	if (offset.compare(0xfff) < 0) {
	// prettier-ignore
	state.buffer.push(`\x1b[2m0x${method.relativeVirtualAddress.toString(16).padStart(8, "0")}\x1b[0m\x1b[2m+0x${offset.toString(16).padStart(3, `0`)}\x1b[0m ${method.class.type.name}::\x1b[1m${method.name}\x1b[0m`);
	}
	}
	}
	}
	state.flush();
	}
	});

Unfortunately, it's not possible to go faaar back, and you also should consider that a method might not be called by another method within the IL2CPP module: that's probably why you see an empty log

[HeisenBuerger42]

Thank you for your quick reply. Really appreciate your work with this tool, ;) Your tip that the method doesn't get called within the IL2CPP module might actually be the answer to the empty log. Earlier that day I tried decompiling the lib2cpp.so with the help of il2cppdumper and ghidra. After looking at the function call graph, I saw that the function never gets called inside the .so file. Although that, might also be because I messed something up during the decompiling process. I am still pretty new to all of that stuff :D