Il2CppDumper GUI 1.0.4 - With .APK extension for dump automation



Extract .NET metadata from il2cpp binaries. (types, methods, fields, etc.)

Extraction code is based on Il2CppDumper

Requirements:
- Net Framework 4
- Windows 7 and above

Features:
  • Supports il2cpp binaries in ELF(arm, x86) and Mach-O(32bit, 64bit) format
  • Supports global-metadata version 16 and 20-24
  • Extracts .NET metadata including types, fields, properties, methods and attributes
  • Supports automated IDA script generation
    • name and tag methods
    • store dynamic string literals in comments
  • Generates dummy DLLs that can be viewed in .NET decompilers

GUI Features:
·         Select files
·         Rename files
·         Set output directory.
·         Set mode.
·         Set registration offsets
·         Auto fill up offset registrations after dump
·         Drag and drop support
·         Remember everything except registrations
·         Logs saves on exit. It saves on your documents if tool is located in C drive.
·         Support open APK with Il2CppDumper to start dump automation

Download:


How to use:
This works as same as original Il2CppDumper but with GUI.

Open .apk (Android) or .ipa (iOS) using 7-zip or Winrar.

Extract libil2cpp.so file from ARM or x86 folder (Android) or extract binary file that does not have a file extension (iOS)

Extract global-metadata.dat from  \Data\Managed\Metadata\

Select binary file (.so file or iOS binary) and global-metadata.dat file.

Set your output directory

Rename the files if you want

Select your mode. If manual set, you need to imput offsets you found in the binary file.

Press start when you are ready

Extraction Modes
Manual
The parameters (CodeRegistration and MetadataRegistration) that are passed to il2cpp::vm::MetadataCache::Register()needs to be manually reverse engineered and passed to the program.

Auto
Automatically finds the il2cpp_codegen_register() function by signature matching and read out the first (CodeRegistration) and second (MetadataRegistration) parameter passed to the il2cpp::vm::MetadataCache::Register() method that will be invoked in the registration function. May not work well due to compiler optimizations.

Auto(Advanced)
Matches possible pointers in the data section. Generally works better than Auto mode.
Supports metadata version 20 and later (only CodeRegistration address can be found on metadata version 16).

Auto(Plus) - Recommended
Matches possible pointers in the data section with some guidance from global-metadata. Works better than Auto(Advanced)mode on certain binaries.
Supports metadata version 20 and later (only CodeRegistration address can be found on metadata version 16).

Auto(Symbol)
Uses symbols in the il2cpp binary to locate CodeRegistration and MetadataRegistration.
Only supports certain Android ELF files.

Output files
dump.cs
C# pseudocode. Can be viewed in text editors (syntax highlighting recommended)

script.py
Requires IDA and IDAPython. Can be loaded in IDA via File -> Script file.

DummyDll
DLLs generated by Mono.Cecil which contain the .NET metadata extracted from the binary (no code included). Can be viewed in .NET decompilers.

Configuration
All the configuration options are located in config.json Available options:
  • DumpMethod, DumpField, DumpProperty, DumpAttribute, DumpFieldOffset
    • Whether or not the program should extract these information
  • DummyDll
    • Whether or not the program should generate dummy DLLs
  • ForceIl2CppVersion, ForceVersion
    • If ForceIl2CppVersion is true, the program will use the version number specified in ForceVersion to choose parser for il2cpp binaries (does not affect the choice of metadata parser). This may be useful on some older il2cpp version (e.g. the program may need to use v16 parser on ilcpp v20 (Android) binaries in order to work properly)

Common errors
ERROR: Metadata file supplied is not valid metadata file.
The specified global-metadata.dat is invalid and the program cannot recognize it. Make sure you choose the correct file. Sometimes games may obfuscate this file for content protection purposes and so on. Deobfuscating of such files is beyond the scope of this program, so please DO NOT file an issue regarding to deobfuscating.

ERROR: Can't use this mode to process file, try another mode.
Try other extraction modes.
If all automated extraction modes failed with this error and you are sure that the files you supplied are not corrupted/obfuscated, please file an issue with the logs and sample files.

Credits:
AndnixSH (GUI)

Kommentarer