Tutorial: Is it possible to deobfuscate an Il2Cpp game?

AndnixSH

PMT Elite Modder (original poster, staff member, Modding-Team)
I know many modders have been looking for Il2Cpp deobfuscation and asked about it, so I thought I'd explain whether it's possible.

Is it possible? Technically yes, if you have some reliable information somewhere, like an older version of the game; otherwise, no. Obfuscation simply renames everything without storing the original names. Tools like de4dot don't know anything about the original names; they would just change the obfuscated names to GClassXXXX, smethod_XX, Int32_XX etc.

Before: (screenshot)

After: (screenshot)


It's important to note that obfuscation is not proper encryption but rather an obstacle. Encryption, however, can often be decrypted with a decryption key or by dumping information from memory. Other times it is simply a manual process that takes time to work through.

Getting copy of older versions:
Sometimes, older versions do not have obfuscation. Take a look at the older versions of the game and dump them one by one until you find one that does not have obfuscation. This process may provide hints and make the analysis easier. For example, in Among Us, versions up to v2020.9.9 are not obfuscated, while v2020.10.22 and later versions are obfuscated.

APK sites like Apkpure, Apkcombo, Apkmirror, and Apk4fun allow you to download older versions. Apk4fun, in particular, can hold versions that are more than 4 years old.

On iOS, you need to use the AppStore++ tweak to downgrade the app and decrypt the IPA/binary again.

As for PC, I'm not sure. It's possible that Steam has a special tool to downgrade.

Whenever possible, remember to make a backup of the game with each update. Old versions can be useful.

If there are no unobfuscated versions available, you're out of luck.

To get started, you can begin reverse-engineering both the unobfuscated and obfuscated versions of the game, compare various elements, and conduct pattern searches. However, please note that this is a time-consuming task, and I won't delve into the details here. You can seek assistance from existing tools like AUDeobfuscator or Il2CppInspector to deobfuscate using the unobfuscated (or less obfuscated) version of the game. It's important to mention that these tools may be outdated, so you might need to modify them to support newer Unity versions. Rest assured that some modders have used this approach successfully.

Other ways to deal with obfuscations

- Analyzing in IDA or Ghidra:
It's always a good idea to load the Python scripts for the dumped il2cpp into a disassembler, IDA or Ghidra, making it easier to analyze (see "How to use il2cpp.h, script.json and stringliteral.json (Il2CppDumper)" on Platinmods.com) and guess which methods to mod. Although guessing can take a little bit longer.

- Memory hacking: Memory hacking tools like GameGuardian, Cheat Engine etc. can already do all the fun stuff by just searching for a value; you don't need function names and offsets to mod.

On GameGuardian, you can write your own Lua script with a mod menu, not recommended though since encrypted Lua is still leechable. If you are familiar with C++, you can port your GG values to C++ using this source: mrcang09/Android-Mem-Edit

- Debugging: Debugging can be useful sometimes. Use any debugging method you like, such as Frida.

Can you get the original names back by dumping memory?
No! What do you expect? Nothing is recovered at runtime. Obfuscation is not encryption.

If you somehow manage to get the original names back after dumping the lib, then it was because the lib was encrypted, which caused Il2CppDumper to dump incorrect information. Nothing to do with obfuscation at all! Try dumping Block Strike to see if the same trick works.

But... bro, there must be a way to get the original names directly without using any of the tricks above?
*sigh*
The only way is to tell the game developers to give you an unobfuscated APK, or hope they provide an unobfuscated APK by accident in some update or by joining as a beta tester. Good luck with that.
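The comparison approach from the post above, as an added example that is not code from the thread, AUDeobfuscator or Il2CppInspector: a constructed mini-dump is renamed the way a name obfuscator does (the mapping is never stored), and names are then recovered only by matching name-independent structure against the unobfuscated build. The dump format, class names and signatures are all constructed for the example.

```python
"""Recovering Il2Cpp names by structural comparison with an unobfuscated build.

Added example, not code from the thread, AUDeobfuscator or Il2CppInspector.
The dump format (class -> method signatures) is a constructed simplification;
real tools also compare field layouts, string literals and call graphs."""
from collections import Counter
from typing import Dict, List, Tuple

Signature = Tuple[str, List[str]]   # (return type, parameter types)
Dump = Dict[str, List[Signature]]   # class name -> its methods

# Constructed unobfuscated dump, standing in for an older unobfuscated version.
OLD_DUMP: Dump = {
    "PlayerControl": [("void", ["Vector3"]), ("bool", ["PlayerControl"]), ("void", [])],
    "ShipStatus": [("void", ["int"]), ("float", [])],
    "GameData": [("void", ["int"]), ("float", [])],  # same shape as ShipStatus
}

def obfuscate(dump: Dump) -> Dump:
    """Rename every user class the way a name obfuscator does: the mapping is
    used once and discarded, so no 'key' exists anywhere in the output."""
    mapping = {name: f"GClass{1000 + i}" for i, name in enumerate(dump)}
    def rename(t: str) -> str:      # engine and primitive types keep their names
        return mapping.get(t, t)
    return {mapping[c]: [(rename(r), [rename(p) for p in ps]) for r, ps in ms]
            for c, ms in dump.items()}

def fingerprint(cls: str, dump: Dump) -> Tuple:
    """Name-independent shape of a class: references to user classes become
    SELF/USER (their names differ between builds); int, Vector3 etc. survive."""
    def abstract(t: str) -> str:
        return "SELF" if t == cls else ("USER" if t in dump else t)
    return tuple(sorted((abstract(r), tuple(abstract(p) for p in ps))
                        for r, ps in dump[cls]))

def match_names(old: Dump, new: Dump) -> Tuple[Dict[str, str], List[str]]:
    """Map obfuscated -> original names where a fingerprint is unique on both
    sides; everything else is returned as ambiguous and needs manual work."""
    old_by_fp = {fingerprint(c, old): c for c in old}
    old_count = Counter(fingerprint(c, old) for c in old)
    new_count = Counter(fingerprint(c, new) for c in new)
    recovered, ambiguous = {}, []
    for c in new:
        fp = fingerprint(c, new)
        if old_count[fp] == 1 and new_count[fp] == 1:
            recovered[c] = old_by_fp[fp]
        else:
            ambiguous.append(c)
    return recovered, ambiguous
```

Only PlayerControl is recovered; ShipStatus and GameData share a shape, so the two obfuscated classes derived from them stay ambiguous, which is the guessing step the post warns takes longer.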

DDeveloper

1/3 Games Approved
I was modding a game but the functions were obfuscated. I asked him whether there was anything we could do to deobfuscate it, so he sent a tool, with which I ended up like in the 2nd screenshot. I did some Google searches and ended up here. So I hope Legacy won't troll me next time. Thankfully I did some trial and error, with which I successfully found what I was looking for, and I published the mod on the forum. @AndnixSH
 

AndnixSH
Oh ok hahaha
Good to hear that this thread helped you.

Yaskashije

PMT Elite Modder
We must make a new de4dot version that can hack into a specific company's computer or internal repo server to retrieve all original names for deobfuscation. For example, hack Innersloth LLC for Among Us deobfuscation.
I have a better idea.
Let's build an AI that automatically mods the game for you. And incidentally, also bypasses its security.
 

Myster_1086

Solid & Active Platinian
Why not use the gifts the internet gives us and dump unencrypted memory with GG, find what you're looking for in maps file, convert it using the appropriate method and then you have your names and likely addresses, isn't that easier?
 

AndnixSH
No, it has nothing to do with obfuscation. Obfuscated isn't encrypted. You can never get back the original names once they've been renamed.
 

Myster_1086
That's strange, using il2cpp on the APK gives me less readable info than if I dump it using GG. It's going to be changed at one point, otherwise it would be the changed name in the source. Example: get a server-based APK. Use il2cpp. Now dump the same game and find il2cpp.main. The obfuscation is no longer present, and you can find the addresses and functions as well as some instructions from dev comments if present; it's like you cloned it from GitHub. Nothing is impossible.
 

AndnixSH
That's encryption or half-encrypted blocks that prevent Il2CppDumper from working correctly. Half-encrypted blocks make it dump incorrect info, I know that. Still nothing to do with obfuscation of any sort. Obfuscation (scrambling names and code) is NOT called encryption, idk why people think it's the same thing. Tell me the name of the game and I can give you an exact answer, or compare both the dumped il2cpp and the encrypted il2cpp. A very huge difference means it's encrypted. A difference only at the bottom means something else; it's just how memory works, it changes after execution. Game code is not located at the bottom.

Try making your own obfuscated zip file with scrambled filenames, and send it to your friend to see if he can guess the correct filenames. No cheating.
And try to dump the Block Strike game; it's an unencrypted but obfuscated game. Names come from global-metadata.dat, not the il2cpp lib, so try dumping global-metadata.dat as well, then you will realize you are wrong on this point.

"Nothing is impossible" is already explained in the OP thread.

And djkaty, the maker of Il2CppInspector, is right as well: you need an unobfuscated or less obfuscated game to perform auto deobfuscation: Release Il2CppInspector 2021.1 · djkaty/Il2CppInspector


Well, I'm not going to argue about the confusion between obfuscation and encryption, so here's the link about the difference: Hashing vs. Encryption vs. Encoding vs. Obfuscation | Daniel Miessler

And the thread has been edited.