Il2cpp

If ForceIl2CppVersion is true, the program will use the version number specified in ForceVersion to choose the parser for il2cpp binaries (this does not affect the choice of metadata parser). This may be useful on some older il2cpp versions (e.g. the program may need to use the v16 parser on il2cpp v20 (Android) binaries in order to work properly).

Hi all, so I have this IL2CPP game that I have the function names of. Currently I'm using ASI Hook to edit the game functions and call them at will. However, the game updated today, and as expected, all addresses have changed. In Cheat Engine I can go to Mono - Dissect Mono and it will load.

Follow these steps to attach a managed debugger to your Unity IL2CPP UWP build for HoloLens and HoloLens 2.

  1. You'll need to be on a network that supports multicast.

  2. Go to UWP Publishing Settings -> Capabilities and check InternetClientServer and PrivateNetworkClientServer.

  3. Configure the Unity UWP build settings:

    • Development Build
    • Script Debugging
    • Wait for Managed Debugger (optional)

  4. Build in Unity.

  5. Build and deploy from the Visual Studio solution to your device. You should build with the Debug or Release configurations. The Master configuration disables the Unity profiler and can prevent optimal debugging. Optionally, verify Internet (Client & Server) and Private Networks (Client & Server) in the capabilities list in Package.appxmanifest in the solution.

  6. Make sure your device is connected to the same network as your PC and start the app on your device.

  7. Make sure the device is not connected to your PC via USB.

  8. Double-click one of your scripts in Unity and go to the Visual Studio solution that opens to view and edit.

  9. Debug -> Attach Unity Debugger.

  10. Select your device in the list and click 'OK' to attach.

Il2Cpp is a converter for C# that translates IL (Intermediate Language) into normal native code. I think it was even made for Unity. Either way, you will find it often in mobile apps and some games.

So we’ve got two unity il2cpp games currently being very popular: Fall Guys and… Among Us.

I started playing Among Us with a few guys and thought “mhh what shenanigans could one do?”.
And I hope you're not doing the big evil piracy just because the devs are too lazy to implement proper security, right? That would be very evil and probably wouldn't even give you all the DLCs.

Dumping the game

While we could reverse the game like usual with Ghidra or IDA, we get a huge head start here.
C# can usually be almost completely decompiled and recompiled again, including variable names and method bodies.
Here we don't have that luxury, but il2cpp keeps the function names and classes (including fields) in a metadata file (called global-metadata). That means we still have to reverse the method bodies on our own.

Okay first we need the game and a program called Il2CppDumper.
We can run it and get a few prompts or use this:

The executable here is not Among Us.exe but GameAssembly.dll. The global metadata can be found (relative to the base directory) in Among Us_Data\il2cpp_data\Metadata.
So it's this:

We get a few output files, including some DummyDlls (which we could use in VS or dnSpy), a script.json, a header and some scripts like ida.py and ghidra.py (those actually ship in the base directory and don't get generated).

We can now analyze the dll in Ghidra (which takes long af) and then run the ghidra.py (and select the script.json).

After some long time, we can see that the script did a suboptimal job at importing the functions, but at least we know where which function is and how the classes are built.

Actually using the gathered info

We could start a new c++ project, import the header and do our typical stuff like changing values etc. I mean we have the offsets, so that would be easy. I found something else after that, but more on that later.


Calling Methods

We can read out of dnSpy something like this:

The Method CompleteTask is then located at GameAssembly.dll + RVA (0x20C0E0). We can also find the signature in the script.json:

Notice the third parameter const MethodInfo* method. If we look at a call in Ghidra, in most cases we will just put there 0x0. Don’t ask me why, it’s some il2cpp stuff.
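As an added example (not from the post or from Il2CppDumper itself), here is a small Python helper that reads the ScriptMethod entries of script.json, turns an RVA like the 0x20C0E0 above into an absolute address, strips the trailing const MethodInfo* parameter from a signature, and counts how many method names the metadata exposes per class. The JSON layout and the sample entries are constructed assumptions that mirror the script.json shape described here; only the CompleteTask RVA comes from the post.

```python
import json

# Constructed sample in the shape of Il2CppDumper's script.json (ScriptMethod
# entries only). 0x20C0E0 is the RVA quoted in the post; the other entries and
# all signatures are made up for illustration.
SAMPLE_SCRIPT_JSON = json.dumps({
    "ScriptMethod": [
        {"Address": 0x20C0E0, "Name": "PlayerControl$$CompleteTask",
         "Signature": "void PlayerControl__CompleteTask (PlayerControl_o* __this, "
                      "uint32_t idx, const MethodInfo* method);"},
        {"Address": 0x1F1000, "Name": "GameData$$get_Instance",
         "Signature": "GameData_o* GameData__get_Instance (const MethodInfo* method);"},
        {"Address": 0x1F2340, "Name": "GameData$$Awake",
         "Signature": "void GameData__Awake (GameData_o* __this, const MethodInfo* method);"},
    ]
})


def load_methods(text):
    """Return {name: (rva, signature)} from the text of a script.json file."""
    doc = json.loads(text)
    return {m["Name"]: (int(m["Address"]), m.get("Signature", ""))
            for m in doc.get("ScriptMethod", [])}


def absolute_address(module_base, rva):
    """script.json addresses are RVAs: the real address is GameAssembly.dll base + RVA."""
    return module_base + rva


def param_count(signature):
    """Number of real parameters, ignoring the trailing `const MethodInfo* method`."""
    inner = signature[signature.index("(") + 1:signature.rindex(")")]
    params = [p.strip() for p in inner.split(",") if p.strip()]
    if params and params[-1].endswith("MethodInfo* method"):
        params = params[:-1]
    return len(params)


def exposed_per_class(methods):
    """How many method names the shipped metadata reveals for each class."""
    counts = {}
    for name in methods:
        counts[name.split("$$")[0]] = counts.get(name.split("$$")[0], 0) + 1
    return counts
```

Running it against a real script.json gives a quick picture of how much symbol information an IL2CPP build leaks, which is the reason the dump is so useful in the first place.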

Accessing Static fields

I found this playerlist as a field of GameData:

Lucky for us GameData has a static Instance field:


Okay I tried to find the solution, but I only found this (for me at the time) useless thread on Github.

Look at script.py to find something like “Class${namespace}{classname}”

I have no idea what I'm supposed to do with that info.

You could probably just use this struct (from the header) and look at the script.json address.

Then access it via GameData->klass->static_fields.Instance.

Btw, spoiler: you probably won't be able to access GameData, because it was always null for me.

While I was looking for a way to use the static fields, I found a program called Il2CppInspector, which promised a better Ghidra experience, on par with the IDA one (meaning full parameters and all).

Dumping the game

Okay it has a nice gui and all that, but it also gives you the ability to generate a dll injection project. That sounds like exactly what I need!

Okay, let's go: select the metadata file, select GameAssembly.dll, blabla.
We can then select the Python script for disassemblers (Ghidra for me) or something else (like the DLL injection project).

Let’s go with the Ghidra route for now:
If you don’t wanna use the GUI you can use this command:

In the output directory we have the Ghidra.py and the metadata.json and a cpp folder (which is the DLL injection project). To import it into Ghidra:

  1. Open up Ghidra
  2. Add GameAssembly.dll
  3. No auto analysis (it gets automatically analysed after the script import and doesn’t create conflicts)
  4. File > Parse C Source
  5. New Config, add cpp/appdata/il2cpp-types.h
  6. Parse options: -D_GHIDRA_
  7. Click Parse
  8. Add the Output folder as Script Folder
  9. Run the Ghidra.py
  10. Wait for like 1 hour


Okay now we have a proper reversing environment.

Using the stuff

The generated project already has some folder structure:


  • appdata (the actual data for the game like function offsets and structs)
  • framework (dll entry point and il2cpp init helpers)
  • user (where we will put our code)

Calling Methods

That’s pretty easy actually. You can just call something like GaugeRandomizer_Update(gauze, 0x0). The last parameter is the MethodInfo* again.
Note that some functions can’t be called from other threads (like Present).

Static types

Most classes with static fields are nicely mapped to <class>__TypeInfo from il2cpp-types-ptr.h.
We can look at how they are used in Ghidra:


Example


Here is some code I wrote at first to test things out:

Of course this is not good code, but I wanted to test around till I got the hang of it.

If you want to use the code in other files, include il2cpp-appdata.h. You may need to include it before any other headers. Also, the precompiled header didn't fucking work for me.

This game is written with pure security in mind

  • Just see all the bad guys, I mean what’s this game all about right?
  • Kill people from wherever you are
  • Kill yourself, this works surprisingly great
  • Gotta go fast
  • Complete tasks from wherever you are
  • Kill Timer? Nah
  • Jump into those vents, just to be sus. Oh you’re innocent? Doesn’t matter

I haven't found a way to say no to murder yet. If you hook the local function, you won't die, but the other players believe you did. Also, you can't really force being an impostor.

Hook DirectX, draw a nice menu (guess what I didn’t do), play around to see what shit you can do. And don’t use it online. This game has no anti cheat. Just don’t ruin the fun. Yes, I am saying this under a basically step to step guide how to do this. Fight me.


The World’s First Universal Mod Loader for Unity Games

Supposed to work with every Unity game, including Mono AND Il2Cpp games.
Combined with CppExplorer (an in-game explorer and debugging tool), that sounded great.

Cue 2 hours of me trying to find out why MelonLoader didn't even start.
The answer: oh wow, it doesn't work with 32-bit games. I needed to dig through the forgotten Discord server archives to find that. Thanks for nothing.