Tutorial How to dump Il2Cpp-based Unity Games to find functions + offsets to hack (iOS)

ThePianoGuy · September 10, 2018

As requested, here is the tutorial how to dump il2cpp of iOS Unity games. With Il2CppDumper, it will be much easier to find useful functions and offsets to hack. No need to waste your time debugging the game.

Requirements:

- ARM/ASM knowledge

- IDA hacking experience

- IDA Pro. Download link

- Notepad++. Download link

- Il2CppDumper (Windows). Download link

- Clutch or Rasticrac for jailbroken devices or visit appvn.com to download latest cracked free games

- Winrar or 7-zip to open .ipa file

Instructions:

Download Il2CppDumper released version by Perfare and extract the program

To open .ipa file, simply rename file extension to .zip and open it

If you are using 7-zip, right click -> 7-zip -> Open Archive to open .ipa file directly

Navigate to \Payload\<app or game name>.app\ and extract the big binary file that doesn't have file extension

Navigate to \Payload\iosfps.app\Data\Managed\Metadata\ and extract global-metadata.dat

32-bit:

Press 1 for 32-bit and press 2 for auto. Please use Auto mode to get the program to find offsets and dump code for you because looking for 2 required pointers (CodeRegistration and MetadataRegistration) in IDA Pro to dump is too complicated and Unity already stripped all names of functions which means it will be harder to find,

As you used auto mode, the program will tell the pointers, but you do not need to know it if you have no idea what it is.

Skip 64-bit steps if you are working with 32-bit

64-bit:

Auto mode does not work on 64-bit binary yet. Here is dev's response

"I have to say, these same questions will make me feel that adding auto feature is a bad decision

We have to find 2 required offsets (CodeRegistration and MetadataRegistration) in IDA to dump. Open IDA Pro 64-bit (idaq64.exe), and disassemble the binary in 64-bit. Search function name InitFunc_1.

Above InitFunc_1, there is sub function that contains 2 pointers we need.

sub_100C46D8C ; DATA XREF: InitFunc_1+8o

ADRP X0, #unk_101D48FE8@PAGE

ADD X0, X0, #unk_101D48FE8@PAGEOFF

ADRP X1, #dword_101D948C8@PAGE

In Il2CppDumper, Press 2 for 64-bit and Press 1 for manual. Input your pointers:

Input CodeRegistration(X0): your first pointer

Input MetadataRegistration(X1): your second pointer

The dump.cs file should be created at the location where Il2CppDumper.exe is located

Open dump.cs with Notepad++ by right click and select Edit with Notepad++

Inside dump.cs, you'll see C# codes. Method bodies are not dumped but it's a very simple code that tells you function names and offsets to mod.

launch Il2CppDumper.exe. It will open the dialog twice to select file. For ELF file or Mach-O file, select the binary file. For global-metadata.dat, select global-metadata.dat

It will ask you to select platform, 32-bit or 64-bit. Press 1 for 32-bit or press 2 for 64-bit. Now for Mode, Press 1 for manual and press 2 for auto. Please use Auto mode to get the program to find offsets and dump code for you because looking for 2 required offsets (CodeRegistration and MetadataRegistration) in IDA Pro to dump is too complicated and Unity already stripped all names of functions which means it will be harder to find, and I haven't find out where to find 2 offsets in 64-bit binary yet. As you used auto mode, the program will tell the offsets, but you do not need to know it if you have no idea what it is.

The dump.cs file should be created at the location where Il2CppDumper.exe is located

Open dump.cs with Notepad++ by right click and select Edit with Notepad++

Inside dump.cs, you'll see C# codes. Method bodies are not dumped but it's a very simple code that tells you function names and offsets to mod.

To search, click Search -> Find...

To find all keyword, click on Find All in Current Document

If you never seen C# code before, I'll explain a bit what the codes mean. I'm bad at explaining what these code means but I hope it goes well

This comment you see on top is just a list .dll files that are been converted into il2cpp

// Image 0: mscorlib.dll - 0

// Image 1: System.Security.dll - xxxx

…

// Image xx: Assembly-CSharp.dll - xxxx

The Assembly-CSharp.dll (Android users know this) is a game logic thing and it is what we looking for. The full code of "Assembly-CSharp.dll" thingy is always located somewhere at the bottom of the dumped file

This class body is like a group to make programmers easier to find codes. For example PlayerAntiHack class contains anti-hack code related.

// Namespace:

public class PlayerScript : MonoBehaviour // TypeDefIndex: 4303

{

}

In IDA you'll probarly see function names like

Player::Get_Gold…

Player::Get_Cash…

Player::Isbanned…

….

I'll bring this better details for you:

A class is a construct that enables you to create your own custom types by grouping together variables of other types, methods and events. A class is like a blueprint. It defines the data and behavior of a type. ... Unlike structs, classes support inheritance, a fundamental characteristic of object-oriented programming.

In the class, you'll see something like this:

// Fields

private int primaryWeaponIndex; // 0x10

private float minSpread; // 0x820

private float spread; // 0x824

private float visualSpread; // 0x828

….

Fields is not what we looking for so let's look into Methods.

// Methods

private int findNextAvailableWeapon(int currentWeaponIndex); // 1e704c

private bool IsLookingAtPlayer(PlayerScript player); // 1f3894

public bool HasBeenVisible(); // 1f2fa0

….

public int get_Gold_Example(); // 1a2b3c

public float float_example(); // 1a2b3d

….

This is what we looking for. These simple codes explains the name of the methods/functions, what type and the REAL IDA OFFSETS are written in the green commenented text.

public, private, protected etc, are access modifier. It's not important to know

static is a static modified to declare a static member. It's not important to know

int, float, double, boolean etc are data type.

If you look up the offset in IDA, you will see a sub_xxxxxx

Write down all useful functions + offsets you found inside the dumped .cs file and start writing your code injection.

Note: It is suggested that you disassemble the binary file and look up the offsets to see if there are enough spaces to replace the instructions to hack.

That's all. Good luck hacking iOS games!

Credits:

AndnixSH#

Perfare (Il2CppDumper https://github.com/Perfare/Il2CppDumper)

If you have any issues with Il2CppDumper, please report the issue at: https://github.com/Perfare/Il2CppDumper/issues/

Updated September 10, 2018 by AndnixSH

Joka · September 20, 2017

Nice!

TheArmKing · September 20, 2017

NICE

WaveCheck · September 24, 2017

how do you go about hacking a "IEnumerator"

ThePianoGuy · September 26, 2017

On 24/9/2017 at 10:50 PM, oZarmo said:

how do you go about hacking a "IEnumerator"

Why do you want to hack IEnumerator? I don't think it's useful

QuasaR · October 2, 2017

First of all, thank you very very much for this tutorial.
I was wondering if you have an example Tweak.xm for a game with how to hook the class functions.

I have found the following info for the game I am trying to 'hack'

// Namespace: IAS.Proto
public class ItemDefinition : IExtensible // TypeDefIndex: 3153
{

	// Methods
	public void .ctor(); // 100dbd3f8
	public int get_water(); // 100dbd5c0
	public void set_water(int value); // 100dbd5c8
	public int get_premium(); // 100dbd600
	public void set_premium(int value); // 100dbd608
}

In IDA I have the following code on offset 100dbd5c0:
__text:0000000100DBD5C0 sub_100DBD5C0                           ; CODE XREF: sub_1002E1114+378↑p
__text:0000000100DBD5C0                                         ; sub_100DD1FF8+A88↓p
__text:0000000100DBD5C0                                         ; DATA XREF: ...
__text:0000000100DBD5C0                 LDR             W0, [X0,#0x70]
__text:0000000100DBD5C4                 RET
__text:0000000100DBD5C4 ; End of function sub_100DBD5C0

Which translates to the following pseudocode:
__int64 __fastcall sub_100DBD5C0(__int64 a1)
{
  return *(unsigned int *)(a1 + 112);
}

What I want is to display the current value (so I know I am in the right place) and then hook the set_ functions to set a new value.

I am hoping you can help me.
If you need more info please let me know.

[edit]

In my search of more tools I stumbled across something interesting.

https://github.com/nevermoe/unity_metadata_loader

This little tool lets you add the strings from the global*.dat file directly into IDA which makes searching easiere

Updated October 3, 2017 by QuasaR

ThePianoGuy · October 3, 2017

19 hours ago, QuasaR said:

First of all, thank you very very much for this tutorial.
I was wondering if you have an example Tweak.xm for a game with how to hook the class functions.

I have found the following info for the game I am trying to 'hack'

What I want is to display the current value (so I know I am in the right place) and then hook the set_ functions to set a new value.

I am hoping you can help me.
If you need more info please let me know

[edit]

In my search of more tools I stumbled across something interesting.

https://github.com/nevermoe/unity_metadata_loader

This little tool lets you add the strings from the global*.dat file directly into IDA which makes searching easiere

If there is no class names in ida, you can't hook the class function. do code injection instead.

There are lot of tutorials in iosgods. Just search and search

Nevermoe's loader is unstable

Updated October 3, 2017 by evildog1

QuasaR · October 3, 2017

Ok, but code injection mostly assumes it's a mov /add instruction and about R registers, not W or X and not an STR instructionlike in the following example (set_water):

__text:0000000100DBD5C0                 LDR             W0, [X0,#0x70]
__text:0000000100DBD5C4                 RET
__text:0000000100DBD5C4 ; End of function ItemDefinition$$get_water
__text:0000000100DBD5C4
__text:0000000100DBD5C8
__text:0000000100DBD5C8 ; =============== S U B R O U T I N E =======================================
__text:0000000100DBD5C8
__text:0000000100DBD5C8
__text:0000000100DBD5C8 ItemDefinition$$set_water               ; CODE XREF: ProtoSerializer$$Read_85953+C5C↓p
__text:0000000100DBD5C8                                         ; DATA XREF: __const:00000001022EB878↓o
__text:0000000100DBD5C8                 STR             W1, [X0,#0x70]
__text:0000000100DBD5CC                 RET
__text:0000000100DBD5CC ; End of function ItemDefinition$$set_water
__text:0000000100DBD5CC

The set_water is called from the following code:

__text:0000000100DDF618 loc_100DDF618                           ; CODE XREF: ProtoSerializer$$Read_85953+698↑j
__text:0000000100DDF618                 MOV             X0, X21
__text:0000000100DDF61C                 MOV             X2, #0
__text:0000000100DDF620                 BL              ItemDefinition$$set_water
__text:0000000100DDF624                 B               loc_100DDFB00
__text:0000000100DDF628 ; ---------------------------------------------------------------------------

Updated October 3, 2017 by QuasaR

ThePianoGuy · October 3, 2017

51 minutes ago, QuasaR said:

Ok, but code injection mostly assumes it's a mov /add instruction and about R registers, not W or X and not an STR instructionlike in the following example (set_water)

The set_water is called from the following code:

Sorry but I'm not familiar with code injection. Please create a new thread to ask question. Thank you