Tutorial How to hack Unity Games | il2cpp resolver [ Level: Beginner ]

[Batch 8.6k iPhone 7 15.7]

Hello everyone, today i'll show you how to hack Unity Game using il2cpp resolver

Level: Beginner

Game: Subway Surf

Requirements:
- Theos (https://theos.dev/docs/installation)
- DNSpy (https://github.com/dnSpy/dnSpy) / IlSpy (https://github.com/icsharpcode/ILSpy)
- Batchh Mod Menu Template (Template)
- Follow the tutorial carefully! 

What we will make:
- Will make this: Subway Surf All Version Hack
- SOO Let's START!!!

Step 1 (Dump our game):
- What "Dump our game" means: Dumping is extracting data or code from a binary file for analysis or modification. IL2CPPDumper is a tool used to extract metadata and code from Unity games that use the IL2CPP scripting backend.
- To perform the dump we'll use: https://armconverter.com/il2cppdumper but first we need to get our decrypter game, from here https://armconverter.com/decryptedappstore/us/Subway surf
- Now to perform the dump just extract the zip of the decrypted game, and you need to get two files: UnityFramework and global-metadata.dat
- UnityFramework is located in "Frameworks/UnityFramework.framework/"
- global-metadata.dat is located in "Data/Managed/Metadata"
- Drop the UnityFramework (Executable) on the left box and drop the global-metadata.dat in the right box
- Wait and then download the results! 
(If you're lazy here the dumped zip: https://iosddl.net/07d83ef42134a41e/com.kiloo.subwaysurfers-3.31.0-Decrypted.ipa-il2cppdumper.zip)

Step 2 (Open the dumped data):
- Open DNSpy / ILSpy then choose files and open the folder where you extracted the dump zip you need to select all the file insinde DummyDll

Step 2.5 (Open the Batchh mod menu template):
- Theos need to be installed!
- To open the mod menu template you simply run this command in your terminal inside the folder you want your mods:

$THEOS/bin/nic.pl

- Fill all the information required, for the information about the app they can be found in: https://armconverter.com/appinfo

Step 3 (Let's search values in the DNSpy/ILSpy):

- Open a txt file to write down what we find! (it will be useful after)
- What we want to achieve is: Unlimited Jumps, Unlimited currency, No Collision 
- But first let's change our search options to "Method", for our purpose:

- Let's search for "Jump", maybe we can the checker that handles the jump:

- As you can see there are alot, so how can we find it? After some time it will became more easy to find! My though process for unlimited jump is to find the handler of "can jump", so let's search it!

- We found two result, the first one is the right one! "System....", that is not correlate with what we want. So double click the "CanJump" Method:

- As you can see we get direct to the Class that contains out method, also in the left you can open the toggle arrow to reveal all the methods and fields inside the class. 
- So let's write down in our txt file, the Assembly we're in, this can be found by scrolling all the way up:

- Right now we are in "Assembly-CSharp.dll", now let's write down our Class, namespace, method name, to find this scroll all the way up inside the CanJump class:

- We see that our Namespace is "SYBO.RunnerCore.Character", our Class is "CharacterMotor", our Method name is "get_CanJump".
- Before searching for Unlimited currency or No Collision let's explore class CharacterMotor and see if we can find anything.
- In this class we can find two methods related to collision "CheckFrontalImpact" and "CheckSideImpact", we will use this for our no collision, also as you can see in these two there are 1 arguments "impactState", write it down that too.
- Let's search for the currency, the first thing it comes to my mind is to search GetCurrency:

- Note that also this one has 1 argument "CurrencyType" it indicates the type of currency
- We also need Class, namespace, do as before! Namespace = SYBO.Subway.Meta, Class = WalletModel

Step 4 (Coding):
- I've made my template as simple as possible, all the changes and coding will be done in Cheat/ folder, for this particular hack we'll use Patches.h and Offset.h
- First let's change our Offset.h this is where all the offsets are stored, with my new method "il2cpp resolver" we now don't need to hard code the offset anymore!
 

//Offset.h
namespace offset
{
    namespace CharacterMotor
    {
        uint64_t CheckSideImpact = 0x0;
        uint64_t CheckFrontalImpact = 0x0;
        uint64_t get_CanJump = 0x0;
    }

    namespace WalletModel
    {
        uint64_t GetCurrency = 0x0;
    } 
}

- So as you can see from the code i defined with Class and Method inside them, this will be for having more clarity! You can do how you like it, this is my method of storing them. 
- Now let's go to Patches.h where the real code begin (Don't worry it's not hard, even if you don't know how to code!)
 

//Patches.h
#ifndef PATCHES_H
#define PATCHES_H

#include "../KittyMemory/MemoryPatch.hpp"
#include "Offset.h"
#include "Settings.h"
#include "Util.h"
#include "il2cpp.h"

struct PatchInfo {
    MemoryPatch patch;
    bool* setting;
};

std::vector<PatchInfo> patch_infos;

void addNewPatch(uintptr_t offset, const char* hexPattern, bool* setting) {
    MemoryPatch newPatch = createUnityFrameworkPatch(offset, hexPattern);
    if (!newPatch.isValid()) return;
    patch_infos.push_back({newPatch, setting});
}

void initPatch() {
    //here init your patches
}
#endif // PATCHES_H

- This is how it should look like, now let's edit it! All the edit will be inside the initPatch function.
- For this hack we'll use as i said my Il2cpp resolver what does that do? Retrieve information of the game based on Assembly, Class, Method, and other stuff we'll cover in next tutorial!
- So let's finish our code!
 

void initPatch() {

    Il2CppAttach();

    Il2CppMethod AsmMethod("Assembly-CSharp.dll");

    offset::CharacterMotor::CheckSideImpact = AsmMethod.getClass("SYBO.RunnerCore.Character", "CharacterMotor").getMethod("CheckSideImpact", 1);
    offset::CharacterMotor::CheckFrontalImpact = AsmMethod.getClass("SYBO.RunnerCore.Character", "CharacterMotor").getMethod("CheckFrontalImpact", 1);
    offset::CharacterMotor::get_CanJump = AsmMethod.getClass("SYBO.RunnerCore.Character", "CharacterMotor").getMethod("get_CanJump", 0);

    offset::WalletModel::GetCurrency = AsmMethod.getClass("SYBO.Subway.Meta", "WalletModel").getMethod("GetCurrency", 1);

}

- As you can see this uses all the information we gathered before! What does this do? Retrieve information!
- Now we need to execute the hack! How? by calling function patch(offset, modify)
 

void initPatch() {

    Il2CppAttach();

    Il2CppMethod AsmMethod("Assembly-CSharp.dll");

    offset::CharacterMotor::CheckSideImpact = AsmMethod.getClass("SYBO.RunnerCore.Character", "CharacterMotor").getMethod("CheckSideImpact", 1);
    offset::CharacterMotor::CheckFrontalImpact = AsmMethod.getClass("SYBO.RunnerCore.Character", "CharacterMotor").getMethod("CheckFrontalImpact", 1);
    offset::CharacterMotor::get_CanJump = AsmMethod.getClass("SYBO.RunnerCore.Character", "CharacterMotor").getMethod("get_CanJump", 0);

    offset::WalletModel::GetCurrency = AsmMethod.getClass("SYBO.Subway.Meta", "WalletModel").getMethod("GetCurrency", 1);

    //ADD PATCHES
    patch(offset::CharacterMotor::CheckSideImpact, "C0035FD6"); //return so it doesn't execute the check
    patch(offset::CharacterMotor::CheckFrontalImpact, "C0035FD6"); //return
    patch(offset::CharacterMotor::get_CanJump, "20008052C0035FD6"); //Set the can jump to 'true'
    patch(offset::WalletModel::GetCurrency, "007C009B007C009BC0035FD6"); //Multiply the value by it self 2 times
}

- And this is it! the hack are already enabled it! On the next tutorial we'll see how to add options, and use checkboxes 
- Now it's you're turn to add more hacks to it!
- I know you are wondering what is "C0035FD6", "2008052C0035FD6" those are assembly code, how can you get them? from using this converter: https://armconverter.com/

Step 5 (Bonus arm code):
- C0035FD6 = ret = return
- 20008052 = movz w0, #1 = set boolean to true
- 00008052 = movz w0, #0 = set boolean to false
- 00F0271E = fmov s0, #31 = High float value
- 007C009B = mul x0, x0, x0 = Multiply int
- 00E284D2 = mov x0, #10000 = Set int to 10k
- You can figure out the rest or google it!  

This is the end! Thanks for reading and hope this will help you create a Unity hack on your own, if you need any help feel free to comment, i'll try to respond to everyone!  

Credits:
- @batchh

Updated July 7, 2024 by batchh

[KyosukeNanbu 6.5k iPhone 17 Pro 26.0 Donor]

Amazing work and thank you for sharing with the community! ♥️

[Fenzz 20 iPhone 11 Pro Max 17]

Great tutorial !!

[SubSeven 12.2k iPhone SE (2020) 15.8.3 Donor]

You insane !

[Puddin 90.1k iPhone 14 Pro Max 17.0 Donor]

Thanks for sharing bro!

[trungtoan337 1.8k iPad Air 12.4.6]

Yooo it so good bro great job 

[Laxus 809.5k iPhone 5s 10.3.3]

Very detail tutorial, thank you batchh!!!

[Duelist 927 iPhone X 16.0]

Very nice guide. This will help a lot of people interested in learning.

[sukiop 17 iPhone 12.0.1]

If I use this method does it mean that I don't need to use hook update to modify the set_ function

[Batch 8.6k iPhone 7 15.7]

4 hours ago, sukiop said:

If I use this method does it mean that I don't need to use hook update to modify the set_ function

In the next tutorial, I’ll show invoke function for it