Help/Support help with Mario Kart Tour iOS IL2CPP dumping — Registration Pointers (static analysis)

Taylor Meyer · 2026-06-08T05:55:06Z

@Batch

Hi everyone don't mean to be a bug

I'm working on dumping Mario Kart Tour (iOS, Unity 2022.3.68f1) using a custom Il2CppDumper and I'm stuck on the correct `Il2CppCodeRegistration` and `Il2CppMetadataRegistration` pointers.

I think the pointers are correct but whatever I do, it just refuses to dump the Global-Metadata.dat. It might be something with the XOR key? I obtained the Global-Metadata.dat at runtime using iGameGod. Because they embedded the metadata in the iOS binary. I'm also trying to get better at this and learn. (I do not have a jailbroken device)

I've done extensive static analysis already:

### Key Findings

- **Metadata Loader**: `sub_2478B14` (0x2478B14) — simple per-dword XOR decryptor.

  - Key: `dword_7AE6128` = `0x20015111`  <--- the key might be wrong but not sure

  - Encrypted table: `dword_5F0FD1C`

  - Called from `sub_518AEF0` (main init function at 0x518AEF0)

- **Registration Setup**:

  - `sub_518AEF0` loads decrypted metadata into `qword_7C8CBA0` / `qword_7C8CBA8`

  - Populates `qword_7C8CB98` (CodeRegistration) and `qword_7C8CBC0` (MetadataRegistration)

  - Pointer chain: `unk_5B96820` → `off_70E1050` → `unk_7A1D788`

- **Critical Static Pointers** (from detailed xref tracing):

 ```c

  #define IL2CPP_OVERRIDE_CODE_REG 0x6E6C478     // 0x6E6C478

  #define IL2CPP_OVERRIDE_META_REG 0x5B96820     // 0x5B96820

  ```

These come from the stub `sub_24F51D8` which does:

 ```arm

  ADRL X0, unk_6E6C478

  ADRL X1, unk_5B96820

  ADRL X2, unk_54F5004

  B    sub_51382B4

  ```

I tried 2 different dumpers and none worked, then resorted to running and debugging this one in VS Code via Kilo Code with the Rust Analyzer Via my SuperGrok Oauth Subscription:

https://github.com/rodroidmods/il2cpp-dumper-rs

Note: I did end up deleting the modified il2cpp-dumper-rs cloned project because I just could not get it to work

additionally, I checked the iL2cpp classes and methods in the Binary and they seemed correct to me or I could have missed something. and the other thing is I noticed is as soon as I added the XOR key decryption function in the VS Code it seemed like it wanted to work but was still getting hung up on something.

This is purely for educational / research purposes.

Thanks in advance for any help or tips on what to try! :hug:

Updated yesterday at 05:56 AM by Taylor Meyer

Batch · 2026-06-08T07:25:12Z

I think maybe the magic bytes are different from the normal one and straight up refuse it? Also if you dumper global-metadata.dat from igg, should be fully decrypted. And are you sure the CodeRegistration and MetadataRegistration are correct? And also those dumpers may not support new metadata version, so you need to adjust them as well, the hung up probably on this or on how you decrypt.
I suggest you to:

Find the metadata version
See if your CodeRegistration and MetadataRegistration are correct
See if they modified any Struct

Taylor Meyer · 2026-06-08T08:13:01Z

47 minutes ago, Batch said:

I think maybe the magic bytes are different from the normal one and straight up refuse it? Also if you dumper global-metadata.dat from igg, should be fully decrypted. And are you sure the CodeRegistration and MetadataRegistration are correct? And also those dumpers may not support new metadata version, so you need to adjust them as well, the hung up probably on this or on how you decrypt.
I suggest you to:

Find the metadata version

See if your CodeRegistration and MetadataRegistration are correct

See if they modified any Struct

thank you Batch I will check when I have a chance then let you know appreciate it 🙏

Batch · 2026-06-08T21:17:30Z

So i analyzed this one, im adding into my dumper with static analysis, can confirm that your CodeRegistration and MetadataRegistration are correct, there's no struct changes and metadata version is 31. Also note that this game is really really hard to dump

Taylor Meyer · 2026-06-08T21:35:50Z

22 minutes ago, Batch said:

So i analyzed this one, im adding into my dumper with static analysis, can confirm that your CodeRegistration and MetadataRegistration are correct, there's no struct changes and metadata version is 31. Also note that this game is really really hard to dump

interesting would like to know what the issue is so I can learn from this? like is it one of the _IL2cpp functions?

Edit: or maybe a bug with the XOR Decryption?

Updated 19 hours ago by Taylor Meyer

Batch · 2026-06-09T10:57:37Z

13 hours ago, Taylor Meyer said:

interesting would like to know what the issue is so I can learn from this? like is it one of the _IL2cpp functions?

Edit: or maybe a bug with the XOR Decryption?

They encrypted the sh!t out of it ahah, you need to reconstruct everything lol

But if you dump clean global-metadata.dat i think it's just XOR decryption bug. Use AI to help you out, here a hint:

const ZAKA_CODEGEN_MODULES_VA: u64 = 0x7B01720;
const ZAKA_NAME_XOR_KEY_VA: u64 = 0x706CF50;
const ZAKA_NAME_XOR_KEY_LEN: usize = 128;
const ZAKA_NAME_XOR_KEY_PREFIX: [u8; 8] = [0x2C, 0xC5, 0xD5, 0x9F, 0xCC, 0xCE, 0x8C, 0xFE];
const MAX_ZAKA_MODULE_NAME_BYTES: usize = 256;