When you dump il2cpp games using Il2CppDumper, you will get the following files:
- il2cpp.h: Structure information header file
- script.json: For ida.py/ida_py3.py and ghidra.py
- stringliteral.json: Contains all stringLiteral information
The scripts are in the same folder of the Il2CppDumper executeable, if you extracted all. Otherwise, you can get them from Il2CppDumper releases. We only need following scripts for Android games
ida.py and ida_py3.py: Script for IDA to read script.json file
ida_with_struct.py and ida_with_struct_py3.py: Script for IDA to read script.json file and il2cpp.h file to apply structure information. It helps IDA load faster
ghidra.py: Script for Ghidra to read script.json file
ghidra_with_struct.py: Script for Ghidra to read script.json file and il2cpp.h file to apply structure information. It helps Gridra load faster
IDA Pro
Ghidra
- il2cpp.h: Structure information header file
- script.json: For ida.py/ida_py3.py and ghidra.py
- stringliteral.json: Contains all stringLiteral information
The scripts are in the same folder of the Il2CppDumper executeable, if you extracted all. Otherwise, you can get them from Il2CppDumper releases. We only need following scripts for Android games
ida.py and ida_py3.py: Script for IDA to read script.json file
ida_with_struct.py and ida_with_struct_py3.py: Script for IDA to read script.json file and il2cpp.h file to apply structure information. It helps IDA load faster
ghidra.py: Script for Ghidra to read script.json file
ghidra_with_struct.py: Script for Ghidra to read script.json file and il2cpp.h file to apply structure information. It helps Gridra load faster
IDA Pro
The first thing to do is to make sure you have Python installed. You need Python 2 if using IDA 7.3 or below, and Python 3 if using IDA 7.4 or above (Correct me if i'm wrong)
Open IDA and load the il2cpp binary file straight forward
While the binary is loading, you can click File -> Script file... and load the .py script already. Navigate to the il2cppdumper directory and open one of the py files for your IDA version
ida.py or ida_py3.py: Script for IDA to read json file
ida_with_struct.py or ida_with_struct_py3.py: Script for IDA to read json file and read il2cpp.h file and apply structure information. It helps IDA load things faster
Note: If the .py files are not shown, check the dropdown like the screenshot above. If it only shows Script files (*.idc), means python hasn't been installed correctly or enviorment path as not been set. Please make sure you have installed Python Correctly. It must show Script files (*.idc, *py)
Wait for the script to load. If you got bad declaration warning, just click OK. You can check "Don't display this message again" if the warning is shown again
After that, you have now function names to search
Do not load stringliteral.json manually, it is automatically loaded
Open IDA and load the il2cpp binary file straight forward
While the binary is loading, you can click File -> Script file... and load the .py script already. Navigate to the il2cppdumper directory and open one of the py files for your IDA version
ida.py or ida_py3.py: Script for IDA to read json file
ida_with_struct.py or ida_with_struct_py3.py: Script for IDA to read json file and read il2cpp.h file and apply structure information. It helps IDA load things faster
Note: If the .py files are not shown, check the dropdown like the screenshot above. If it only shows Script files (*.idc), means python hasn't been installed correctly or enviorment path as not been set. Please make sure you have installed Python Correctly. It must show Script files (*.idc, *py)
Wait for the script to load. If you got bad declaration warning, just click OK. You can check "Don't display this message again" if the warning is shown again
After that, you have now function names to search
Do not load stringliteral.json manually, it is automatically loaded
Ghidra
Python 3 needs to be installed on the system in order to use Python scripting in Ghidra.
Open Ghidra and load the il2cpp binary file straight forward
While the binary is loading, click the green Play button to open the Script Manager
Click List icon to open Bundle Manager
Click plus button to open file selection dialog
Navigate to the Il2CppDumper location that contains ghidra.py file, select the Il2CppDumper folder or other desired location and click OK
Your directory will be added to Bundle Manager.
Now close it
Search ghidra.py, select it on the list and click Play
The script will run and ask you to select script.json, select it and click Open. The type is not filtered but notice the title that it says script.json
Wait for it to load...
After that, you have now function names
Using ghidra_with_struct.py
If you want to use ghidra_with_struct.py, you first need to convert il2cpp.h to ghidra using il2cpp_header_to_ghidra.py. This script is broken, so download my modified script and replace it in the il2cppdumper location you have just selected https://github.com/AndnixSH/Il2CppDumper-GUI-1/raw/patch-1/Il2CppDumper/il2cpp_header_to_ghidra.py
Open Script Manager (The green Play button), and run select il2cpp_header_to_ghidra.py
Choose il2cpp.h file
If successful, the file il2cpp_ghidra.h will be generated
Open Script Manager again, and run select ghidra_with_struct.py
Select script.json file
Since it doesn't ask for il2cpp.h or il2cpp_ghidra.h, unlike in IDA script, i'm not certain if it detects il2cpp_ghidra.h or not. I'm not familar with Ghidra so I can't really tell. Feel free to comment if you have any infomation about it
Open Ghidra and load the il2cpp binary file straight forward
While the binary is loading, click the green Play button to open the Script Manager
Click List icon to open Bundle Manager
Click plus button to open file selection dialog
Navigate to the Il2CppDumper location that contains ghidra.py file, select the Il2CppDumper folder or other desired location and click OK
Your directory will be added to Bundle Manager.
Now close it
Search ghidra.py, select it on the list and click Play
The script will run and ask you to select script.json, select it and click Open. The type is not filtered but notice the title that it says script.json
Wait for it to load...
After that, you have now function names
Using ghidra_with_struct.py
If you want to use ghidra_with_struct.py, you first need to convert il2cpp.h to ghidra using il2cpp_header_to_ghidra.py. This script is broken, so download my modified script and replace it in the il2cppdumper location you have just selected https://github.com/AndnixSH/Il2CppDumper-GUI-1/raw/patch-1/Il2CppDumper/il2cpp_header_to_ghidra.py
Open Script Manager (The green Play button), and run select il2cpp_header_to_ghidra.py
Choose il2cpp.h file
If successful, the file il2cpp_ghidra.h will be generated
Open Script Manager again, and run select ghidra_with_struct.py
Select script.json file
Since it doesn't ask for il2cpp.h or il2cpp_ghidra.h, unlike in IDA script, i'm not certain if it detects il2cpp_ghidra.h or not. I'm not familar with Ghidra so I can't really tell. Feel free to comment if you have any infomation about it
Attachments
Last edited:
