Video tutorial by TechX Original
il2cpp dumper helps you to find the right function + offset to mod.
This guide is for advanced modder only!
Requirements:
- IDA Pro: Download IDAPRO68.zip
- Notepad++: Notepad++ v7.3.3 - Current Version
- Any Hex Editor software. I'm using Hex Workshop: Hex Workshop: Hex Editor, Sector Editor, Base Converter and Hex Calculator for Windows (You can modify hex in IDA but editing the file in hex editor is the fastest way for me)
- Online ARM converter: ARM To HEX Converter Online
- Basic C# and ARM knowledge. You don't really need to learn C# but know simple codes of C#
- Know how to use IDA Pro
Extract required files from APK file:
Open the APK and extract the following files to dump:
\lib\armeabi-v7a\libil2cpp.so
\assets\bin\Data\Managed\global-metadata.dat
Using Perfare's Il2CppDumper:
Download released version: Releases · Perfare/Il2CppDumper · GitHub
Launch Il2CppDumper.exe, the program want you to select the ELF file or Mach-O file. Select libil2cpp.so file. The dialog box should appear again. Select global-metadata.dat file.
The program asks you to select mode. Manual (1) or auto (2)
Auto mode:
Automatically find the required offsets to dump il2cpp.
Press 2 and the file dump.cs will be created
Skip reading manual mode if you don't want to use manual mode.
Manual mode:
The manual mode is the complicated steps to dump il2cpp. Auto mode does tell you the offsets, but I would like to show you how to find offsets to manually dump il2cpp.
Disassemble libil2cpp.so in IDA Pro. Click on Search -> Sequence of bytes...
Search this hex
Code:
1C 00 9F E5 20 10 9F E5 00 20 8F E0Click OK
IDA should jump to this function
But there's no unk offsets, right? now try this trick:
Right click on loc_xxxxxxx and select Create Function, you will get the unk offsets
In the console app, press 1, it will ask you to input the CodeRegistration(R0). Input the unk offset of R0, R12, R2. Example: 15C70C4. Hit enter. Input MetadataRegistration(R1), and Hit enter.
The dump.cs file will be created
Using Katy's Il2CppInspector:
Download released version: Releases · djkaty/Il2CppInspector · GitHub
Skip this if you are using Perfare's Il2CppDumper
Extract the ZIP file. The il2cppdumper.exe can't run with just double-click, so you have to use CMD, "cd" to the path of Il2CppInspector or click File -> Open commandprompt, and type this command.
Usage:
Code:
Il2CppDumper [<binary-file> [<metadata-file> [<output-file>]]]Il2CppDumper = Execute Il2CppDumper.exe file
<binary-file> = Path of libil2cpp.so
<metadata-file> = Path of global-metadata.dat
<output-file> = Output file. You can name the file. Example: dumpedfile.cs
This is my example:
Code:
il2cppdumper "D:\Android apps + data\Craft Royale\libil2cpp.so" "D:\Android apps + data\Craft Royale\global-metadata.dat" "D:\Android apps + data\Craft Royale\dumped.cs"If you want to use command anywhere, add the PATH environment variable in Advanced System Properties
View the dumped file with Notepad++:
Right click on the dumped file and select Edit with Notepad++
You'll see a C# code. It's not a full code but the code tells you function names and offsets to mod.
To search, click Search -> Find...
To find all keyword, click on Find All in Current Document
If you never seen C# code before, I'll explain a bit what this method mean
Code:
public static int get_IsCheater(); // e8e9ccstatic is a static modified to declare a static member. This is not important to know
int is a data type. It can be float, double, boolean etc....
// e8e9cc is a comment. This tells you the real offset (sub_xxxxxx) to mod. You can search it in functions window in IDA
Fields and Properties are not modable, so don't look at them. Only look at fuctions under // Methods
Modding il2cpp game is the same as modding other .so file.
That's all.
Happy modding!
Credits:
iAndroHacker (this tutorial)
djkaty (Il2CppInspector)
Perfare (Il2CppDumper)
Last edited:
