How to dump and mod il2cpp games (2017)
Video tutorial by TechX Original
Many people asked me to make a new tutorial, so I did! I know it's very late, but I didn't have enough time to make the tutorial.
An il2cpp dumper helps you find the right function and offset to mod.
This guide assumes you already have IDA modding experience!
Requirements:
- Any hex editor. I'm using Hex Workshop. Download link.
(You can patch bytes in IDA too, but editing the file in a hex editor is the fastest way for me.)
- Basic C# and ARM knowledge. You don't really need to learn C#, but you should be able to read simple C# code.
- Know how to use IDA Pro.
- Perfare's or Katy's dumper. Links below.
Extract the required files from the APK:
Open the APK (it is an ordinary ZIP archive) and extract the following two files, which the dumper needs:
\lib\armeabi-v7a\libil2cpp.so
\assets\bin\Data\Managed\global-metadata.dat
(A 64-bit build ships the library under \lib\arm64-v8a\ instead. This guide, and the byte pattern in the manual-mode section, are for the 32-bit armeabi-v7a library.)
Using Perfare's Il2CppDumper:
Launch Il2CppDumper.exe. The program asks you to select the ELF or Mach-O file: select libil2cpp.so. The dialog box appears again: select global-metadata.dat.
The program then asks you to select a mode: manual (1) or auto (2).
Auto mode:
Auto mode finds the offsets needed to dump il2cpp by itself. Press 2 and the file dump.cs will be created.
Skip the manual-mode section if you don't want to use manual mode.
Manual mode:
Manual mode is the more complicated way to dump il2cpp. Auto mode finds the offsets for you, but I'd like to show you how to find them yourself.
Disassemble libil2cpp.so in IDA Pro. Click Search -> Sequence of bytes...
Search for this hex:
1C 00 9F E5 20 10 9F E5 00 20 8F E0
(Decoded, these are the ARM instructions LDR R0, [PC,#0x1C]; LDR R1, [PC,#0x20]; ADD R2, PC, R0: the code that loads the CodeRegistration and MetadataRegistration pointers before calling the il2cpp registration function.)
Click OK.
IDA should jump to this function.
But there are no unk_ offsets, right? IDA only works out the PC-relative arithmetic once the code is part of a function, so try this trick:
Right-click on loc_xxxxxxx and select Create Function. Now you get the unk_ offsets.
In the console app, press 1. It asks you to input CodeRegistration (R0): type the unk_ offset IDA resolved for the R0 value (shown on the ADD R2, PC, R0 line), for example 15C70C4, and hit Enter. Then input MetadataRegistration (R1), the unk_ offset resolved for the R1 value, and hit Enter.
The dump.cs file will be created.
Using Katy's Il2CppInspector:
Skip this if you are using Perfare's Il2CppDumper.
Extract the ZIP file. Its Il2CppDumper.exe is a console program, so double-clicking it does nothing useful. Open CMD, "cd" to the Il2CppInspector folder (or click File -> Open command prompt), and type the command below.
Usage:
Il2CppDumper [<binary-file> [<metadata-file> [<output-file>]]]
What do these arguments mean?
Il2CppDumper = run Il2CppDumper.exe
<binary-file> = path of libil2cpp.so
<metadata-file> = path of global-metadata.dat
<output-file> = the output file. You can name it anything, for example dumpedfile.cs
This is my example:
il2cppdumper "D:\Android apps + data\Craft Royale\libil2cpp.so" "D:\Android apps + data\Craft Royale\global-metadata.dat" "D:\Android apps + data\Craft Royale\dumped.cs"
(Quote each path, as here, because the paths contain spaces.)
Hit Enter and it will dump il2cpp for you. The dumped file is created at the path you gave.
If you want to run the command from anywhere, add the folder containing Il2CppDumper.exe to the PATH environment variable (Advanced System Properties -> Environment Variables).
View the dumped file with Notepad++:
Right-click on the dumped file and select Edit with Notepad++.
You'll see C# code. It's not the full code (il2cpp compiled the method bodies to native ARM), but it tells you the function names and the offsets to mod.
To search, click Search -> Find... To list every occurrence of a keyword, click Find All in Current Document.
If you've never seen C# code before, I'll explain a bit what a method line like this means:
public static int get_IsCheater(); // e8e9cc
public is an access modifier. It can be private, protected etc. This is not important to know.
static is a modifier that declares a static member. This is not important to know either.
int is the return type. It can be float, double, bool, void etc.
get_IsCheater is the method name, and the parentheses hold its parameters (none here).
// e8e9cc is a comment. This tells you the real offset to mod: the function is sub_E8E9CC in IDA. Jump to it with G (Jump to address) or search for it in the Functions window.
Fields and properties have no code offset, so you can't mod them directly; don't look at them. Only look at the functions under // Methods, where a property's accessors show up as get_X and set_X methods with offsets, as get_IsCheater does above.
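Scrolling a dump.cs of several hundred thousand lines in Notepad++ gets old quickly. The script below is an added example, not part of the tutorial or of either dumper: it parses the dump format described above, keeps only the lines under // Methods (the numbers on field lines are object-layout offsets, not code addresses), and lets you search methods by keyword, printing the sub_ name to look up in IDA. The dump text embedded in it is constructed to look like dumper output; the offsets and class names in it are made up. Pass a real dump file and a keyword as arguments to use it on a game.

```python
import re
import sys
from collections import namedtuple

Method = namedtuple("Method", "cls ret name params offset")

CLASS_RE = re.compile(r"\b(?:class|struct|interface|enum)\s+([A-Za-z_][\w`]*)")
SECTION_RE = re.compile(r"^\s*//\s*(Fields|Properties|Methods)\b")
# Matches "public static int get_IsCheater(); // e8e9cc"; the offset part also
# accepts the "// RVA: 0xE8E9CC" spelling that later dumper versions use.
METHOD_RE = re.compile(
    r"^\s*(?:(?:public|private|protected|internal|static|virtual|override|abstract|"
    r"extern|unsafe|new|sealed)\s+)*"
    r"(?P<ret>[\w.<>\[\],]+)\s+(?P<name>[\w.<>]+)\s*\((?P<params>[^)]*)\)\s*;"
    r"\s*//\s*(?:RVA:\s*)?(?:0x)?(?P<off>[0-9A-Fa-f]+)")

# Constructed sample in the shape of an Il2CppDumper dump.cs (not from a real game).
SAMPLE_DUMP = """\
// Namespace: Game
public class PlayerData : MonoBehaviour // TypeDefIndex: 1234
{
    // Fields
    private int coins; // 0x14
    private bool isCheater; // 0x18

    // Properties
    public bool IsCheater { get; set; }

    // Methods
    public void .ctor(); // e8e980
    public static int get_IsCheater(); // e8e9cc
    public void set_IsCheater(bool value); // e8e9d8
    public static int GetCoins(); // e8ea00
    public void AddCoins(int amount, bool notify); // e8ea3c
}

// Namespace: Game
public class ShopManager // TypeDefIndex: 1235
{
    // Fields
    public int priceMultiplier; // 0xC

    // Methods
    public float GetPrice(Item item); // e8f100
}
"""


def parse_dump(text):
    """Collect every method under a '// Methods' heading with its class and code offset.
    Field lines are skipped on purpose: their numbers are offsets inside the object,
    not code addresses, so there is no sub_<number> to patch for them."""
    methods, cls, section = [], None, None
    for line in text.splitlines():
        m = CLASS_RE.search(line)
        if m and "(" not in line:            # a type declaration, not a method signature
            cls, section = m.group(1), None
            continue
        s = SECTION_RE.match(line)
        if s:
            section = s.group(1)
            continue
        if section != "Methods":
            continue
        m = METHOD_RE.match(line)
        if m:
            methods.append(Method(cls, m.group("ret"), m.group("name"),
                                  m.group("params").strip(), int(m.group("off"), 16)))
    return methods


def find_methods(methods, keyword):
    """Case-insensitive search over method names and class names."""
    k = keyword.lower()
    return [m for m in methods if k in m.name.lower() or k in (m.cls or "").lower()]


def ida_name(method):
    """The name IDA gives the function at that offset in its Functions window."""
    return "sub_%X" % method.offset


if __name__ == "__main__":
    if len(sys.argv) == 3:               # python dumpgrep.py dumped.cs cheater
        text, keyword = open(sys.argv[1], encoding="utf-8", errors="replace").read(), sys.argv[2]
    else:
        text, keyword = SAMPLE_DUMP, "cheater"
    for m in find_methods(parse_dump(text), keyword):
        print("%-12s %s %s(%s)  // %X -> %s" % (m.cls, m.ret, m.name, m.params, m.offset, ida_name(m)))
```

The number the dumper prints is the virtual address IDA uses. If you patch in a hex editor instead, that number is the file offset only when the .so's first PT_LOAD maps file offset 0 to virtual address 0 (the usual layout for Android libraries of this era); otherwise convert it with the program headers first, or let IDA do the patching.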
From here on, modding an il2cpp game is the same as modding any other .so file: jump to the function at that offset in IDA and patch its instructions.
That's all.
Happy modding!
Credits:
iAndroHacker (this tutorial)