4 April 2017

How to dump and mod il2cpp games (Metadata v21-23) (2017)

Video tutorial by TechX Original: https://www.youtube.com/embed/BN5UCGP_5os

Many people asked me to make a new tutorial, so I did! I know it's very late, but I didn't have enough time to make the tutorial earlier.

An il2cpp dumper helps you find the right function and offset to mod.

This guide is for IDA modding experience only!

- IDA Pro. Download link
- Notepad++. Download link
- Any hex editor. I'm using Hex Workshop. Download link. (You can modify hex in IDA, but editing the file in a hex editor is the fastest way for me)
- Online ARM converter. Link to the website
- Basic C# and ARM knowledge. You don't really need to learn C#, but you should understand simple C# code
- Know how to use IDA Pro
- Perfare or Katy's dumper. Links below

Extract the required files from the APK file:
Open the APK and extract the following files to dump: libil2cpp.so and global-metadata.dat.

Using Perfare's Il2CppDumper:

Launch Il2CppDumper.exe; the program asks you to select the ELF file or Mach-O file. Select the libil2cpp.so file. The dialog box appears again; select the global-metadata.dat file.

The program then asks you to select a mode: manual (1) or auto (2).

Auto mode:
Automatically finds the offsets required to dump il2cpp.
Press 2 and the file dump.cs will be created.

Skip reading manual mode if you don't want to use manual mode.

Manual mode:
Manual mode is the more complicated way to dump il2cpp. Auto mode finds the offsets for you, but I would like to show you how to find the offsets so you can dump il2cpp manually.

Disassemble libil2cpp.so in IDA Pro. Click on Search -> Sequence of bytes...

Search for this byte sequence:
1C 00 9F E5 20 10 9F E5 00 20 8F E0
Click OK.

IDA should jump to this function.

But there are no unk offsets, right? Now try this trick:
Right-click on loc_xxxxxxx and select Create Function; you will then get the unk offsets.

In the console app, press 1. It asks you to input CodeRegistration (R0): input the unk offset of R0, R12, R2 (example: 15C70C4) and hit Enter. Then input MetadataRegistration (R1) and hit Enter.

The dump.cs file will be created.

Using Katy's Il2CppInspector:

Skip this if you are using Perfare's Il2CppDumper.

Extract the ZIP file. The il2cppdumper.exe can't be run by just double-clicking, so you have to use CMD: "cd" to the path of Il2CppInspector (or click File -> Open command prompt) and type this command:

Il2CppDumper [<binary-file> [<metadata-file> [<output-file>]]]

What do the parts of this usage line mean?

Il2CppDumper = executes the Il2CppDumper.exe file
<binary-file> = path of libil2cpp.so
<metadata-file> = path of global-metadata.dat
<output-file> = output file. You can name the file as you like. Example: dumpedfile.cs

This is my example:
il2cppdumper "D:\Android apps + data\Craft Royale\libil2cpp.so" "D:\Android apps + data\Craft Royale\global-metadata.dat" "D:\Android apps + data\Craft Royale\dumped.cs"

Hit Enter and it will dump il2cpp for you. The dumped file will be created at the path you have given.

If you want to use the command from anywhere, add its folder to the PATH environment variable in Advanced System Properties.

View the dumped file with Notepad++:
Right-click on the dumped file and select Edit with Notepad++.
You'll see C# code. It's not the full code, but it tells you the function names and offsets to mod.
To search, click Search -> Find...
To find all occurrences of a keyword, click Find All in Current Document.

If you have never seen C# code before, I'll explain a bit what this method declaration means:

public static int get_IsCheater(); // e8e9cc

public is an access modifier. It can be private, protected, etc. This is not important to know.

static is a modifier that declares a static member. This is not important to know.

int is the return type. It can be float, double, boolean, etc.

// e8e9cc is a comment. It tells you the real offset (sub_xxxxxx) to mod. You can search for it in the Functions window in IDA.

Fields and properties are not moddable, so don't look at them. Only look at the functions listed under // Methods.
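To show how the dump.cs listing is structured, here is an added example (not part of this tutorial, and not code from Il2CppDumper or Il2CppInspector): a small Python script that reads a dump.cs, keeps only the lines under each class's // Methods header, and resolves the trailing comment to the sub_ name IDA uses. The dump text is a constructed sample, and the parser assumes the older comment format quoted above (bare hex after //), while tolerating a 0x prefix.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Method:
    cls: str        # owning class, e.g. "PlayerData"
    signature: str  # e.g. "public static int get_IsCheater()"
    offset: int     # offset from the trailing comment, e.g. 0xE8E9CC

# Class header, e.g. "public class PlayerData // TypeDefIndex: 1234"
CLASS_RE = re.compile(r"^(?:public|private|internal)?\s*(?:static\s+|abstract\s+|sealed\s+)*"
                      r"(?:class|struct|interface|enum)\s+(?P<name>[\w.`<>]+)")
# Method line, e.g. "public static int get_IsCheater(); // e8e9cc"
# Assumption: the comment is bare hex as in the tutorial; a 0x prefix is tolerated too.
METHOD_RE = re.compile(r"^(?P<sig>[^;/]*\))\s*;\s*//\s*(?:0x)?(?P<off>[0-9A-Fa-f]+)")

def parse_dump(text):
    """Return every method under a '// Methods' header; fields and properties are skipped."""
    methods, current_cls, in_methods = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        cls_match = CLASS_RE.match(line)
        if cls_match:
            current_cls, in_methods = cls_match.group("name"), False
        elif line.startswith("// Methods"):
            in_methods = True
        elif line.startswith(("// Fields", "// Properties")) or line == "}":
            in_methods = False
        elif in_methods:
            m = METHOD_RE.match(line)
            if m:
                methods.append(Method(current_cls, m.group("sig").strip(), int(m.group("off"), 16)))
    return methods

def find_methods(methods, keyword):
    """Case-insensitive search on the signature, like Find All in Notepad++."""
    return [m for m in methods if keyword.lower() in m.signature.lower()]

def ida_name(method):
    """Name IDA shows in the Functions window for that offset, e.g. sub_E8E9CC."""
    return f"sub_{method.offset:X}"

# Constructed sample in the dump.cs layout described in the tutorial.
SAMPLE_DUMP = """\
// Namespace: Game
public class PlayerData // TypeDefIndex: 1234
{
    // Fields
    private int _coins; // 0x8
    private bool _isCheater; // 0xC
    // Properties
    public int Coins { get; set; }
    // Methods
    public static int get_IsCheater(); // e8e9cc
    public void AddCoins(int amount); // e8ea10
    public bool IsCheater(); // e8ea80
}
public class Wallet // TypeDefIndex: 1235
{
    // Methods
    public int GetBalance(); // 0xe8f000
}
"""

if __name__ == "__main__":
    for m in find_methods(parse_dump(SAMPLE_DUMP), "cheater"):
        print(f"{m.cls}.{m.signature} -> {ida_name(m)}")
```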

Modding an il2cpp game is the same as modding any other .so file.

That's all.

Happy modding!

iAndroHacker (this tutorial)
