Have you ever wonder why does Il2CppDumper dump result field offsets start at 0x8? Have you ever thought about how to access a static field in Il2cpp memory area? or maybe wondering how to get a class name by just using this? well then let's start learning!
INTRODUCTION
Every Unity games back then were using .dll because Unity uses Mono as a translator for Intermediate Language so that android will able to run the game, just like Il2Cpp.
But Goole Play Store app requirements now needs arm64-v8a support for developer to able to upload their app to Play Store, unfortunately Unity doesn't have license for Mono, which makes Unity stuck at armeabi-v7a source code for Mono. So born Il2cpp with arm64-v8a support for Unity.
Both Mono and Il2cpp works the same, translation IL to C++. with that, their system structure has significant similarities. like how Il2cpp has
STRUCTURES
Have you wondered why does first field start at 0x8 in a class? let's take a look at this example:
Il2cppDumper only shows dump necessary stuff for reverse engineering, this is how the class looks like originally:
You see that 2 extra field? it's exists in every class in Il2CppClass structure, but not for Il2Cpp struct.
What's Il2CppClass? is that even useful? hell yeah it is! take a look at little example I have created:
Curious what's we can do with Il2CppClass? wait and Part 2 is coming soon!
INTRODUCTION
Why do most games now using Il2cpp? why don't they just keep using .dll? wouldn't that be easier for us to hack games?
Every Unity games back then were using .dll because Unity uses Mono as a translator for Intermediate Language so that android will able to run the game, just like Il2Cpp.
But Goole Play Store app requirements now needs arm64-v8a support for developer to able to upload their app to Play Store, unfortunately Unity doesn't have license for Mono, which makes Unity stuck at armeabi-v7a source code for Mono. So born Il2cpp with arm64-v8a support for Unity.
Both Mono and Il2cpp works the same, translation IL to C++. with that, their system structure has significant similarities. like how Il2cpp has
to iterate from classes and fields to get a single field offset, mono has that same function too but I kinda forgot since it's been so long I haven't see DLL games.
STRUCTURES
Have you wondered why does first field start at 0x8 in a class? let's take a look at this example:
Code:
class Player // TypeDefIndex: 0
{
public float Health; // 0x8
}Il2cppDumper only shows dump necessary stuff for reverse engineering, this is how the class looks like originally:
Code:
class Player // TypeDefIndex: 0
{
Il2CppClass* klass; // 0x0
void *monitor; // 0x4
public float Health; // 0x8
}What's Il2CppClass? is that even useful? hell yeah it is! take a look at little example I have created:
Code:
struct VirtualInvokeData
{
uintptr_t methodPtr;
void* method;
};
struct Il2CppType
{
void* data;
unsigned int bits;
};
struct Il2CppClass
{
void* image;
void* gc_desc;
const char* name;
const char* namespaze;
Il2CppType* byval_arg;
Il2CppType* this_arg;
Il2CppClass* element_class;
Il2CppClass* castClass;
Il2CppClass* declaringType;
Il2CppClass* parent;
void *generic_class;
void* typeDefinition;
void* interopData;
void* fields;
void* events;
void* properties;
void* methods;
Il2CppClass** nestedTypes;
Il2CppClass** implementedInterfaces;
void* interfaceOffsets;
void* static_fields;
void* rgctx_data;
Il2CppClass** typeHierarchy;
uint32_t cctor_started;
uint32_t cctor_finished;
uint64_t cctor_thread;
int32_t genericContainerIndex;
int32_t customAttributeIndex;
uint32_t instance_size;
uint32_t actualSize;
uint32_t element_size;
int32_t native_size;
uint32_t static_fields_size;
uint32_t thread_static_fields_size;
int32_t thread_static_fields_offset;
uint32_t flags;
uint32_t token;
uint16_t method_count;
uint16_t property_count;
uint16_t field_count;
uint16_t event_count;
uint16_t nested_type_count;
uint16_t vtable_count;
uint16_t interfaces_count;
uint16_t interface_offsets_count;
uint8_t typeHierarchyDepth;
uint8_t genericRecursionDepth;
uint8_t rank;
uint8_t minimumAlignment;
uint8_t packingSize;
uint8_t bitflags1;
uint8_t bitflags2;
VirtualInvokeData vtable[255];
};
