Library initialization issue with KittyInjector on real devices (works on emulator)

[Cyb3r9]

I'm experiencing an issue where my native library loads correctly via JNI_OnLoad but the BNM (ByNameModding) initialization doesn't complete properly on real Android devices (Rooted) when using KittyInjector for injection. The same setup works perfectly on emulators (tested with MuMuPlayer).

Setup

• Injection Method: KittyInjector
• Library: Using BNM with JNI_OnLoad
• Environment:
  • Emulator (MuMuPlayer) → ✅ Works fine (BNM loads and logs appear)
  • Real Devices → ❌ Only shows ByNameModding: JNI_OnLoad, no further logs

---

Code (JNI_OnLoad)

JNIEXPORT jint JNICALL JNI_OnLoad(JavaVM *vm, [[maybe_unused]] void *reserved) {
    JNIEnv *env;
    vm->GetEnv((void **) &env, JNI_VERSION_1_6);
    try {
        BNM::Loading::AllowLateInitHook();
        // Load BNM by finding the path to libil2cpp.so
        BNM::Loading::TryLoadByJNI(env);
        BNM::Loading::AddOnLoadedEvent(initializeUnityHooks);
    } catch (const std::exception &e) {
        LOGE("JNI_Exception in BNM loading: %s", e.what());
        return JNI_ERR;
    }

    BNM_LOG_INFO("JNI_OnLoad");
    return JNI_VERSION_1_6;
}

Logs

Emulator (working case):

ByNameModding: [SetupBNM] il2cpp::vm::Class::Init in lib: 0x1c69d54.
ByNameModding: [SetupBNM] code has il2cpp_image_get_class. BNM will use it.
ByNameModding: [SetupBNM] il2cpp::vm::Class::FromIl2CppType in lib: 0x1c698ac.
ByNameModding: [SetupBNM] il2cpp::vm::Type::GetClassOrElementClass in lib: 0x1cc21b

Real Device (failing case):

ByNameModding: JNI_OnLoad

Additional Notes

If I load the library with smali code, it works correctly on both emulator and real devices.
This issue only happens with KittyInjector on real devices (Rooted).

[BNM-Dev]

This is intended behavior. BNM logs [SetupBNM] have debug level, so them won't show on real devices unless you meat some conditions (debugable app, or some global prop).

And BNM doesn't use C++ exceptions, so things like that:

} catch (const std::exception &e) {
LOGE("JNI_Exception in BNM loading: %s", e.what());
return JNI_ERR;
}

Are fully useless. BNM use only logs for debugging.

[Cyb3r9]

Thanks for the clarification about the debug logs 🙏 That makes sense now.

I have one more doubt:
When I register an OnLoadedEvent (as you can see above JNI_OnLoad)

void initializeUnityHooks() {
    BNM_LOG_INFO("Hooks: start");

    auto characterMotorAbilitiesClass = BNM::Class("SYBO.RunnerCore.Character", "CharacterMotorAbilities");
    BNM::Method<int> JumpLimit = characterMotorAbilitiesClass.GetMethod("get_JumpLimit");
    BasicHook(JumpLimit.GetOffset(), GetJumpLimit, OldGetJumpLimit);
}

On the emulator, I can see the Hooks: start log, but on a real device, nothing appears, which makes me think the callback might not be firing there.

[BNM-Dev]

Try remove AllowLateInitHook. It not needed for TryLoadByJNI.
About logs in event - idk. It should work. I always had other problem - logs worked on real devices, but glitched on emulators.
To validate, you can try create tmp file (in /scdard/Android/data/pkg name/) that will indicate that method fires. This not useful in real development, but this will be temporary workaround of logs problem (if file will be created).

BasicHook(JumpLimit.GetOffset(), GetJumpLimit, OldGetJumpLimit);

And you can replace this line with BNM::BasicHook(JumpLimit, GetJumpLimit, OldGetJumpLimit);. It will have same result, but it more readable.

[Cyb3r9]

Thanks for the suggestions.

I tried:

• Removing AllowLateInitHook
• Replacing with BNM::BasicHook(JumpLimit, GetJumpLimit, OldGetJumpLimit)
• Also added the tmp file check to confirm if initializeUnityHooks() runs

But on the real device, the behavior is still the same, the event doesn’t seem to fire (no log). On the emulator, it works fine.

[BNM-Dev]

Can you send apk with mod lib? I will check on my devices

[Cyb3r9]

Here’s everything you need:

• Example repo (ImGui menu project, just compile the cpp with CMake): ImGui_Menu
• Precompiled mod lib with the latest BNM (already includes the hook): Mod_Lib
• Please use this injector for testing: Kitty Injector (arm64-v8a v4.1.0)
• Game used for testing: Subway Surfers (package com.kiloo.subwaysurf)

Let me know if you also need any thing else 👍.

[BNM-Dev]

1. Add BNM::Loading::AddOnLoadedEvent(initializeUnityHooks); and initializeUnityHooks method back to lib. In your precompiled version I can't see both.
2. Remove pthread_create(&ptid, 0, hack_thread, 0); and pthread_create(&newthread, 0, background_task, 0); from void lib_main().
3. Add BNM::Loading::AddOnLoadedEvent(hack_thread); and BNM::Loading::AddOnLoadedEvent(background_task); to JNI_OnLoad.
4. Remove

 do {
    sleep(1u);
  } while ( !BNM::IsLoaded() );

from both hack_thread and background_task.
5. Remove AttachIl2Cpp/DetachIl2Cpp from hack_thread.

So some psedo code:

void initializeUnityHooks() {
    BNM_LOG_INFO("Hooks: start");

    auto characterMotorAbilitiesClass = BNM::Class("SYBO.RunnerCore.Character", "CharacterMotorAbilities");
    BNM::Method<int> JumpLimit = characterMotorAbilitiesClass.GetMethod("get_JumpLimit");
    BasicHook(JumpLimit.GetOffset(), GetJumpLimit, OldGetJumpLimit);
}

void hack_thread(); // Should be somewhere
void background_task(); // Should be somewhere

JNIEXPORT jint JNICALL JNI_OnLoad(JavaVM *vm, [[maybe_unused]] void *reserved) {
    JNIEnv *env;
    vm->GetEnv((void **) &env, JNI_VERSION_1_6);
    
    BNM::Loading::AllowLateInitHook();
    BNM::Loading::AddOnLoadedEvent(initializeUnityHooks);
    BNM::Loading::AddOnLoadedEvent(hack_thread);
    BNM::Loading::AddOnLoadedEvent(background_task);
    BNM::Loading::TryLoadByJNI(env);

    BNM_LOG_INFO("JNI_OnLoad");
    return JNI_VERSION_1_6;
}

On my device I only can see An attempt to call property's (Dead property) getter that does not exist in logs

[Cyb3r9]

well its still same. doest not work on Mobile with Injector.

[doviettung96]

Agree with you. I got the same symtom.. I inject my lib to a game (arm64) on a real device, no log.. but on an emulator (with AndKittyInjector x86_64.. worked.. many logs)

[doviettung96]

@Cyb3r9 any news on that bro? Mine still failed

[YummyBacon5]

Have people tried following the example from the BNM docs?

https://bynamemodding.github.io/KittyMemoryFinder_8cpp-example.html

[Cyb3r9]

@Cyb3r9 any news on that bro? Mine still failed

Still not.