30 October 2016

How to dump and mod il2cpp games (2016) (Obsolete)


Disclaimer: This tutorial is for modders only, NOT for beginners

In this tutorial, I dump Craft Royale as an example. Let's get started.

Before you start, check that the game was built with a recent Unity3D version and ships an il2cpp library, and make sure you meet the requirements.

This method will not work for x86-only apps/games.

Requirements:
* Be an advanced modder
* IDA Pro. Download link
* Notepad++. Download link
* il2cpp dumper with interactive CLI. Download link
* Any Hex Editor software. I'm using Hex Workshop. Download link
* Online ARM converter. Link to the website
* Basic C# knowledge
* Basic IDA knowledge

Open the APK with 7-Zip or WinRAR and extract the libil2cpp.so and global-metadata.dat files.
libil2cpp.so is located in "lib\armeabi-v7a" and global-metadata.dat in "\assets\bin\Data\Managed\Metadata".


Load libil2cpp.so into IDA and let it finish disassembling first.

In the Functions window, press CTRL + F and search for il2cpp::vm::MetadataCache::Register.


Look at the results and open the one in the .plt segment.


You need to find out which function calls il2cpp::vm::MetadataCache::Register. Its long name is shown below the function name.


Select it and press X to list its cross-references (xrefs), then click OK.

Found it. Look at the unk offsets (unknown offsets) #1 and #2 (marked in red). These are what you need to dump libil2cpp.so and global-metadata.dat. Every game has the same functions, but at different offsets.


Launch the Il2CppDumper console program and enter unk offsets #1 and #2 when prompted.


The program dumps the metadata, closes, and leaves you with a dump.cs file.


Before you mod, check the hex view in IDA to see whether the code uses THUMB or ARM encoding: a THUMB instruction shows as 4 hex digits (2 bytes), an ARM instruction as 8 hex digits (4 bytes). This one is ARM.


Open the .cs file with Notepad++, which automatically highlights the whole code. Press CTRL+F and start searching for useful keywords; click "Find All in All Opened Documents" to list every result for the keyword you searched. The offsets shown in green are the ones from IDA. The other numbers I don't know.


Open libil2cpp.so in a hex editor, enter the function's offset in the Go To dialog and click Go; the editor jumps to the right offset for you.
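Two steps above are easy to get wrong without looking inside the files: the prerequisite check at the top (an ARM libil2cpp.so plus a real global-metadata.dat, not an x86-only build) and the final jump from an address IDA shows to a position in the file. The script below is an added example written for this page; it is not part of the original post, Il2CppDumper, or iAndroHacker's CLI. It parses the ELF header and PT_LOAD program headers of the .so, reports the CPU type, translates a virtual address to a file offset, and checks the il2cpp magic at the start of global-metadata.dat. The ELF constants come from the ELF specification and the metadata magic (0xFAB11BAF) is the well-known il2cpp header value; the sample files are constructed in the script and are not from any real game.

```python
import struct

# ELF e_machine values from the ELF specification; il2cpp metadata magic from
# the global-metadata.dat header layout (both are well-known constants).
EM_386, EM_ARM, EM_X86_64, EM_AARCH64 = 0x03, 0x28, 0x3E, 0xB7
MACHINE_NAMES = {EM_386: "x86", EM_ARM: "ARM", EM_X86_64: "x86_64", EM_AARCH64: "AArch64"}
PT_LOAD = 1
IL2CPP_METADATA_MAGIC = 0xFAB11BAF


def parse_elf(data):
    """Parse an ELF32/ELF64 header and collect its PT_LOAD segments.

    Returns {'bits', 'machine', 'segments'}; each segment is
    (p_vaddr, p_offset, p_filesz). Raises ValueError for non-ELF input."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}.get(data[4])       # EI_CLASS
    en = {1: "<", 2: ">"}.get(data[5])        # EI_DATA (byte order)
    if bits is None or en is None:
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    (e_machine,) = struct.unpack_from(en + "H", data, 18)
    if bits == 32:
        (e_phoff,) = struct.unpack_from(en + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(en + "HH", data, 42)
        ph_fmt, idx = en + "8I", (0, 1, 2, 4)     # p_type, p_offset, p_vaddr, p_filesz
    else:
        (e_phoff,) = struct.unpack_from(en + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(en + "HH", data, 54)
        ph_fmt, idx = en + "2I6Q", (0, 2, 3, 5)   # Elf64_Phdr puts p_flags second
    segments = []
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        p_type, p_offset, p_vaddr, p_filesz = (ph[j] for j in idx)
        if p_type == PT_LOAD:
            segments.append((p_vaddr, p_offset, p_filesz))
    machine = MACHINE_NAMES.get(e_machine, "unknown(0x%x)" % e_machine)
    return {"bits": bits, "machine": machine, "segments": segments}


def va_to_file_offset(elf, va):
    """Map a virtual address (what IDA shows) to the file offset a hex editor
    needs, via the PT_LOAD segment that contains it."""
    for vaddr, offset, filesz in elf["segments"]:
        if vaddr <= va < vaddr + filesz:
            return va - vaddr + offset
    raise ValueError("0x%x is not backed by any PT_LOAD segment" % va)


def metadata_version(data):
    """Return the version field of global-metadata.dat when the il2cpp magic
    matches, else None (the file is not an il2cpp metadata blob)."""
    if len(data) < 8:
        return None
    magic, version = struct.unpack_from("<Ii", data, 0)
    return version if magic == IL2CPP_METADATA_MAGIC else None


def precheck(so_bytes, metadata_bytes):
    """The tutorial's prerequisites as a list of problems (empty means go ahead)."""
    problems = []
    try:
        machine = parse_elf(so_bytes)["machine"]
        if machine not in ("ARM", "AArch64"):
            problems.append("libil2cpp.so is an %s build; this method needs ARM" % machine)
    except ValueError as err:
        problems.append("libil2cpp.so: %s" % err)
    if metadata_version(metadata_bytes) is None:
        problems.append("global-metadata.dat does not start with the il2cpp magic")
    return problems


def _fake_elf32(e_machine, segments):
    """Constructed sample: a minimal little-endian ELF32 shared object whose only
    contents are the header and one PT_LOAD program header per segment."""
    ehdr = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8 + struct.pack(
        "<HHIIIIIHHHHHH", 3, e_machine, 1, 0, 52, 0, 0, 52, 32, len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack("<8I", PT_LOAD, off, va, va, sz, sz, 5, 0x1000)
                     for va, off, sz in segments)
    return ehdr + phdrs


# Constructed inputs, not taken from any real game: a text+data layout where the
# data segment is mapped one page above its file position, and an x86 twin.
SAMPLE_ARM_SO = _fake_elf32(EM_ARM, [(0x0, 0x0, 0x20000), (0x21000, 0x20000, 0x3000)])
SAMPLE_X86_SO = _fake_elf32(EM_386, [(0x0, 0x0, 0x20000)])
SAMPLE_METADATA = struct.pack("<Ii", IL2CPP_METADATA_MAGIC, 22) + b"\x00" * 8  # version 22 is arbitrary

if __name__ == "__main__":
    print("ARM sample:", precheck(SAMPLE_ARM_SO, SAMPLE_METADATA))
    print("x86 sample:", precheck(SAMPLE_X86_SO, SAMPLE_METADATA))
    print("VA 0x21800 -> file offset 0x%x" % va_to_file_offset(parse_elf(SAMPLE_ARM_SO), 0x21800))
```

Run it against the two extracted files by replacing the samples with `open(path, "rb").read()`. The address translation only matches what the hex editor shows when IDA has loaded the library at its default base (no rebasing); for the first PT_LOAD segment of a typical .so the virtual address and file offset coincide, which is why the Go To step in the hex editor usually works with the IDA number as-is, while addresses in later segments differ by the page-alignment gap the script accounts for.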



Enjoy modding!

Credits:
iAndroHacker (Interactive CLI)
