[iOS] How to dump Il2Cpp-based Unity Games to find functions + offsets to hack (Experimental)
As requested, here is the tutorial on how to dump the il2cpp of iOS Unity games. With Il2CppDumper, it is much easier to find useful functions and offsets to hack. No need to waste your time debugging the game.
Requirements:
- ARM/ASM knowledge
- IDA hacking experience
- Clutch or Rasticrac for jailbroken devices, or visit appvn.com to download the latest cracked free games
Instructions:
Download the released version of Il2CppDumper by Perfare and extract the program.
To open an .ipa file, simply rename the file extension to .zip and open it.
If you are using 7-zip, right click -> 7-zip -> Open Archive to open the .ipa file directly.

Navigate to \Payload\<app or game name>.app\ and extract the big binary file that doesn't have a file extension.
Navigate to \Payload\iosfps.app\Data\Managed\Metadata\ (iosfps.app being the game in this example) and extract global-metadata.dat.
Launch Il2CppDumper.exe. It will open the file-selection dialog twice. For the ELF or Mach-O file, select the binary you extracted; for global-metadata.dat, select global-metadata.dat.
It will ask you to select the platform, 32-bit or 64-bit.
32-bit:
Press 1 for 32-bit and press 2 for auto. Please use Auto mode so the program finds the offsets and dumps the code for you, because looking for the 2 required pointers (CodeRegistration and MetadataRegistration) in IDA Pro is too complicated, and Unity already stripped all function names, which makes them even harder to find.
Since you used auto mode, the program will print the pointers, but you do not need to know them if you have no idea what they are.
Skip the 64-bit steps if you are working with 32-bit.
64-bit:
Auto mode does not work on 64-bit binaries yet. Here is the dev's response:
"I have to say, these same questions will make me feel that adding auto feature is a bad decision"
We have to find the 2 required offsets (CodeRegistration and MetadataRegistration) in IDA to dump. Open IDA Pro 64-bit (idaq64.exe) and disassemble the binary in 64-bit.
Search for the function name InitFunc_1. Above InitFunc_1, there is a sub function that contains the 2 pointers we need:
sub_100C46D8C ; DATA XREF: InitFunc_1+8o
ADRP X0, #unk_101D48FE8@PAGE
ADD X0, X0, #unk_101D48FE8@PAGEOFF
ADRP X1, #dword_101D948C8@PAGE

In Il2CppDumper, press 2 for 64-bit and press 1 for manual. Input your pointers:
Input CodeRegistration(X0): your first pointer
Input MetadataRegistration(X1): your second pointer
The dump.cs file is created in the folder where Il2CppDumper.exe is located.
Open dump.cs with Notepad++ by right clicking it and selecting Edit with Notepad++.
Inside dump.cs, you'll see C# code. Method bodies are not dumped, but it's very simple code that tells you the function names and the offsets to mod.
To search, click Search -> Find...
To find every occurrence of a keyword, click Find All in Current Document.

If you have never seen C# code before, I'll explain a bit what the code means. I'm bad at explaining what this code means, but I hope it goes well.
The comment you see at the top is just a list of the .dll files that have been converted into il2cpp:
// Image 0: mscorlib.dll - 0
// Image 1: System.Security.dll - xxxx
…
// Image xx: Assembly-CSharp.dll - xxxx
Assembly-CSharp.dll (Android users will know this) holds the game logic, and it is what we are looking for. The full code of "Assembly-CSharp.dll" is always located somewhere near the bottom of the dumped file.
A class body is like a group that makes it easier for programmers to find code. For example, a PlayerAntiHack class contains the anti-hack related code.
// Namespace:
public class PlayerScript : MonoBehaviour // TypeDefIndex: 4303
{
}
In IDA you'll probably see function names like
Player::Get_Gold…
Player::Get_Cash…
Player::Isbanned…
….
Here is a more detailed description for you:
A class is a construct that enables you to create your own custom types
by grouping together variables of other types, methods and events. A class is
like a blueprint. It defines the data and behavior of a type. ... Unlike
structs, classes support inheritance, a fundamental characteristic of
object-oriented programming.
In the class, you'll see something like this:
// Fields
private int primaryWeaponIndex; // 0x10
private float minSpread; // 0x820
private float spread; // 0x824
private float visualSpread; // 0x828
….
Fields are not what we are looking for, so let's look into Methods.
// Methods
private int findNextAvailableWeapon(int currentWeaponIndex); // 1e704c
private bool IsLookingAtPlayer(PlayerScript player); // 1f3894
public bool HasBeenVisible(); // 1f2fa0
….
public int get_Gold_Example(); // 1a2b3c
public float float_example(); // 1a2b3d
….
This is what we are looking for. These simple lines give the name of each method/function, its return type, and the REAL IDA OFFSET written in the green commented text.
public, private, protected etc. are access modifiers. It's not important to know them.
static is a modifier that declares a static member. It's not important to know either.
int, float, double, boolean etc. are data types.
If you look up the offset in IDA, you will see a sub_xxxxxx.
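As an added example (not from this tutorial or from Il2CppDumper itself), here is a small Python parser for the dump.cs layout shown above: it collects each class's fields and methods with their offsets and, using the TypeDefIndex ranges from the // Image header, attributes every class to its .dll, so a reviewer can list exactly which Assembly-CSharp.dll method names the metadata still exposes even though the Mach-O is symbol-stripped. The sample dump is constructed, and the parser assumes (as Il2CppDumper's output does) that the number after each image name is that image's first TypeDefIndex.

```python
import re

# Constructed sample in the layout Il2CppDumper writes to dump.cs (not a real game dump).
SAMPLE_DUMP = """\
// Image 0: mscorlib.dll - 0
// Image 1: Assembly-CSharp.dll - 4300
// Namespace:
public class PlayerScript : MonoBehaviour // TypeDefIndex: 4303
{
    // Fields
    private int primaryWeaponIndex; // 0x10
    private float spread; // 0x824
    // Methods
    private int findNextAvailableWeapon(int currentWeaponIndex); // 1e704c
    public bool HasBeenVisible(); // 1f2fa0
    public int get_Gold_Example(); // 1a2b3c
}
"""

IMAGE_RE = re.compile(r"^// Image \d+: (\S+) - (\d+)")
CLASS_RE = re.compile(r"^\S.*\b(?:class|struct|interface|enum) (\w+).*// TypeDefIndex: (\d+)")
FIELD_RE = re.compile(r"^\s+((?:\w+ )*?)(\S+) (\w+); // (0x[0-9a-fA-F]+)$")
METHOD_RE = re.compile(r"^\s+((?:\w+ )*?)(\S+) (\w+)\((.*)\); // ([0-9a-fA-F]+)$")

def parse_dump(text):
    """Map class name -> {typedef, image, fields, methods}. The owning image is resolved
    from the TypeDefIndex: each '// Image' line gives the first index of that dll."""
    images, classes, cur, section = [], {}, None, None
    for line in text.splitlines():
        if m := IMAGE_RE.match(line):
            images.append((int(m[2]), m[1]))            # (first TypeDefIndex, dll name)
        elif m := CLASS_RE.match(line):
            typedef = int(m[2])
            owner = max((i for i in images if i[0] <= typedef), default=(0, "?"))[1]
            cur = classes[m[1]] = {"typedef": typedef, "image": owner, "fields": [], "methods": []}
            section = None
        elif line.strip() in ("// Fields", "// Methods"):
            section = line.strip()[3:].lower()
        elif cur and section == "fields" and (m := FIELD_RE.match(line)):
            cur["fields"].append((m[1].strip(), m[2], m[3], int(m[4], 16)))         # mods, type, name, offset
        elif cur and section == "methods" and (m := METHOD_RE.match(line)):
            cur["methods"].append((m[1].strip(), m[2], m[3], m[4], int(m[5], 16)))  # mods, ret, name, params, address
    return classes

def exposed_methods(classes, image="Assembly-CSharp.dll"):
    """(class, method, address) for every method the metadata names inside `image`."""
    return sorted((name, meth[2], meth[4])
                  for name, c in classes.items() if c["image"] == image
                  for meth in c["methods"])
```

Running `exposed_methods(parse_dump(open("dump.cs").read()))` on a real dump gives the full list of game-logic names recoverable from global-metadata.dat alone, which is the reason stripping symbols from the binary protects so little.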

Write down all the useful functions and offsets you found inside the dumped .cs file and start writing your code injection.
Note: It is suggested that you disassemble the binary file and look up the offsets to check whether there is enough space to replace the instructions you want to hack.
That's all. Good luck hacking iOS games!
Credits:
iAndroHacker (this tutorial)
Perfare (Il2CppDumper https://github.com/Perfare/Il2CppDumper)
If you have any issues with Il2Cpp, please report the issue at:
https://github.com/Perfare/Il2CppDumper/issues/
Thank you!