30 October 2016

How to dump and mod il2cpp games (2016) (Obsolete)

Disclaimer: This tutorial is for modders only, NOT for beginners

In this tutorial, I dump Craft Royale as an example. Let's get started.

Before you start, check that the game was built with the latest Unity3D and ships an il2cpp library, and make sure you meet the requirements below.

This method will not work for x86-only apps/games.

* Be an advanced modder
* IDA Pro. Download link
* Notepad++. Download link
* il2cpp dumper with interactive CLI. Download link
* Any hex editor software. I'm using Hex Workshop. Download link
* Online ARM converter. Link to the website
* Basic C# knowledge
* Basic IDA knowledge

Open the APK with 7-Zip or WinRAR and extract the libil2cpp.so and global-metadata.dat file.
libil2cpp.so is located in "lib\armeabi-v7a" and global-metadata.dat is located in "\assets\bin\Data\Managed\Metadata".

Disassemble the file libil2cpp.so in IDA first.

In the Functions window, press CTRL+F and search for il2cpp::vm::MetadataCache::Register.


See the results. Open the function in the .plt segment.


You need to find out which function calls il2cpp::vm::MetadataCache::Register. The long name is shown below the function name.


Select it and press X to list its cross-references (XREFs). Click OK.

Found it. Look at the unk offsets (unknown offsets) #1 and #2 (marked in red). These are what you need to dump libil2cpp.so and global-metadata.dat. Every game has the same functions, but at different offsets.


Launch the Il2CppDumper console program. Enter the unk offsets #1 and #2.


The program will dump, then close, and you will get a dump.cs file.


Before you mod, check the Hex View in IDA to see whether the binary uses THUMB or ARM. An instruction shown as 4 hex characters (2 bytes) is THUMB; one shown as 8 hex characters (4 bytes) is ARM. This is ARM.


Open the .cs file with Notepad++, because it automatically syntax-highlights the whole file. Press CTRL+F and start searching for useful keywords. Click "Find All in All Opened Documents" to list every hit for the keyword you searched. The offsets in green text are from IDA. The other numbers, I don't know.


Open a hex editor and load the libil2cpp.so file. Enter the offset of the function and click Go; it will jump to the right offset for you.
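The step above assumes that the address IDA shows for a function is also its byte offset in the file. That holds only when the ELF segment containing it has p_vaddr equal to p_offset, which is usually true for the code segment of libil2cpp.so but not for data segments, and an address in .bss has no file offset at all. The following Python script is an added example, not code from the original tutorial or from Il2CppDumper: it reads the ELF32 program headers and converts a virtual address into a file offset, reporting whether the address lies in an executable segment. The embedded ELF is a constructed minimal sample built in the script, not a real libil2cpp.so.

```python
import struct

PT_LOAD = 1    # loadable segment
PF_X = 0x1     # executable flag in p_flags
EM_ARM = 40    # e_machine value for 32-bit ARM (armeabi-v7a)


def _build_sample_elf() -> bytes:
    """Constructed sample: a minimal little-endian ELF32 ARM shared object with
    two PT_LOAD segments. It exists only so the script can run offline."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS32, little-endian
    ehdr = e_ident + struct.pack(
        "<HHIIIIIHHHHHH",
        3,        # e_type = ET_DYN (shared object)
        EM_ARM,   # e_machine
        1,        # e_version
        0,        # e_entry
        52,       # e_phoff: program headers follow the 52-byte ELF header
        0,        # e_shoff (no section headers in this sample)
        0,        # e_flags
        52,       # e_ehsize
        32,       # e_phentsize (sizeof Elf32_Phdr)
        2,        # e_phnum
        0, 0, 0,  # e_shentsize, e_shnum, e_shstrndx
    )
    # Elf32_Phdr fields: p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
    # Code segment: file offset 0 maps to VA 0, so VA == file offset here (PF_R | PF_X).
    text = struct.pack("<IIIIIIII", PT_LOAD, 0x0000, 0x0000, 0x0000, 0x1000, 0x1000, 5, 0x1000)
    # Data segment: file offset 0x1000 maps to VA 0x2000, so VA != file offset (PF_R | PF_W).
    data = struct.pack("<IIIIIIII", PT_LOAD, 0x1000, 0x2000, 0x2000, 0x0100, 0x0100, 6, 0x1000)
    body = ehdr + text + data
    return body + b"\x00" * (0x1100 - len(body))


SAMPLE_ELF = _build_sample_elf()


def parse_program_headers(elf: bytes) -> list:
    """Return the PT_LOAD program headers of a little-endian ELF32 ARM file as dicts."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[4] != 1 or elf[5] != 1:
        raise ValueError("only little-endian ELF32 (armeabi-v7a) is handled here")
    fields = struct.unpack_from("<HHIIIIIHHHHHH", elf, 16)
    e_machine, e_phoff, e_phentsize, e_phnum = fields[1], fields[4], fields[8], fields[9]
    if e_machine != EM_ARM:
        raise ValueError("not an ARM library (e_machine=%d)" % e_machine)
    names = ("p_type", "p_offset", "p_vaddr", "p_paddr", "p_filesz", "p_memsz", "p_flags", "p_align")
    headers = []
    for i in range(e_phnum):
        raw = struct.unpack_from("<IIIIIIII", elf, e_phoff + i * e_phentsize)
        ph = dict(zip(names, raw))
        if ph["p_type"] == PT_LOAD:
            headers.append(ph)
    return headers


def va_to_file_offset(elf: bytes, va: int):
    """Map a virtual address as shown by IDA to a byte offset in the file.

    Returns (file_offset, is_executable), or None when no PT_LOAD segment backs
    the address with file bytes (for example an address in .bss).
    """
    # Thumb function pointers carry the low bit set; the instruction itself
    # lives at the even address, so strip that bit before the lookup.
    va &= ~1
    for ph in parse_program_headers(elf):
        if ph["p_vaddr"] <= va < ph["p_vaddr"] + ph["p_filesz"]:
            return va - ph["p_vaddr"] + ph["p_offset"], bool(ph["p_flags"] & PF_X)
    return None


if __name__ == "__main__":
    for va in (0x800, 0x2010, 0x5000):
        print("VA 0x%x -> %r" % (va, va_to_file_offset(SAMPLE_ELF, va)))
```

To use it on a real library, replace SAMPLE_ELF with the bytes of the extracted libil2cpp.so; if the returned is_executable flag is False for an address you took from a function, the address does not point at code and should not be patched.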



Enjoy modding!

iAndroHacker (Interactive CLI)

