What is Unity Il2cpp Reverse Engineering?

Unity Il2cpp reverse engineering is the process of analyzing and restoring DLL files from Unity games using the Il2CppDumper tool, allowing you to extract MonoBehaviour and MonoScript components.

What formats does Il2CppDumper support?

Il2CppDumper supports ELF, ELF64, Mach-O, PE, NSO, and WASM formats.

What versions of Unity are supported by Il2CppDumper?

Il2CppDumper supports Unity versions ranging from 5.3 to 2022.2.

Can Il2CppDumper bypass protection mechanisms?

Yes, Il2CppDumper supports bypassing simple PE protection and Android memory-dumped libil2cpp.so files.

What are the key output files generated by Il2CppDumper?

Key outputs include DummyDll files, ida.py, ghidra.py, Il2CppBinaryNinja scripts, il2cpp.h, stringliteral.json, and script.json.

How can I view restored DLL files?

Restored DLL files can be viewed using tools like dnSpy, ILSpy, or other .NET decompiler tools.

What is the use of the ida.py script?

The ida.py script is used for IDA Pro to assist in analyzing il2cpp files.

How does the il2cpp.h file help?

The il2cpp.h file contains structure information that can be applied in IDA to improve analysis.

What is Ghidra and how does Il2CppDumper support it?

Ghidra is a software reverse engineering tool. Il2CppDumper generates Ghidra-compatible scripts to analyze il2cpp files effectively.

What should I do if the metadata file is invalid?

Ensure that the correct metadata file is chosen. If it has been obfuscated for protection, deobfuscation is required, which is beyond Il2CppDumper's scope.

What is the DummyDllAddToken option?

The DummyDllAddToken option determines whether tokens are added to DummyDll files during generation.

How do I bypass executable file protections?

You can dump the libil2cpp.so file from the game memory using tools like GameGuardian and then use Il2CppDumper to analyze it.

What is the Zygisk-Il2CppDumper?

Zygisk-Il2CppDumper is an advanced tool for bypassing most il2cpp file protections on rooted Android phones.

What is ForceIl2CppVersion in the configuration?

ForceIl2CppVersion allows the user to specify a parser version for il2cpp binaries, useful for older il2cpp versions.

How does Il2CppDumper handle WASM files?

Il2CppDumper generates Ghidra-compatible scripts to work with WASM files, often using the Ghidra-WASM plugin.

Can Il2CppDumper extract MonoBehaviour?

Yes, it can extract MonoBehaviour and MonoScript components.

What are the common errors when using Il2CppDumper?

Common errors include invalid metadata files, protected files, and issues in auto mode processing. Solutions often involve using manual mode or additional tools like GameGuardian.

How do I use Il2CppDumper with command-line arguments?

Run the program with the syntax: Il2CppDumper.exe .

What is the educational purpose of this guide?

This guide is intended for educational purposes only, providing insights into the process of Unity il2cpp reverse engineering.

What is Il2CppBinaryNinja?

Il2CppBinaryNinja is a script generated by Il2CppDumper to assist with Binary Ninja software analysis.

Can I analyze Android dumped libil2cpp.so files?

Yes, Il2CppDumper supports analyzing Android memory-dumped libil2cpp.so files.

How do I configure Il2CppDumper?

All configurations are in the config.json file. Options include DumpMethod, DumpField, GenerateDummyDll, and more.

What is the script.json file for?

The script.json file is used in conjunction with other scripts like ida.py and ghidra.py to provide structured data.

What is the stringliteral.json file?

The stringliteral.json file contains all stringLiteral information extracted from il2cpp files.

What are the requirements to run Il2CppDumper?

Il2CppDumper requires the il2cpp executable file and the global-metadata.dat file.

What does the RequireAnyKey option do?

The RequireAnyKey option determines whether the program waits for a keypress to exit.

What is the ForceDump option?

The ForceDump option forces files to be treated as dumped files during processing.

What if my file is protected?

If the file is protected, you can use tools like GameGuardian or Zygisk-Il2CppDumper to bypass protections and dump the file.

Where can I download Il2CppDumper?

Il2CppDumper can be downloaded from its official GitHub repository at https://github.com/Perfare/Il2CppDumper.

Unity IL2CPP Reverse Engineering: A Comprehensive Guide

If you’re delving into the world of Unity game development or modding, you might have come across the term IL2CPP. Reverse engineering IL2CPP files can be a valuable skill for modders, developers, or researchers aiming to understand how Unity-powered games work under the hood. In this guide, we’ll explore the features, usage, and practical applications of the popular tool Il2CppDumper, designed to aid in reverse engineering Unity IL2CPP files. This article is for educational purposes only.

What is IL2CPP?

IL2CPP, short for "Intermediate Language to C++," is Unity’s scripting backend that converts .NET code into C++ before compiling it into native code. This enhances performance and security but also makes reverse engineering Unity games more challenging. Tools like Il2CppDumper simplify this process by restoring the IL2CPP environment to a state closer to its original .NET form.

Key Features of Il2CppDumper

Il2CppDumper is a powerful tool with several features that make it indispensable for reverse engineering Unity IL2CPP files:

Complete DLL Restore: Restores DLL files (except code), enabling the extraction of MonoBehaviour and MonoScript.
Wide Format Support: Supports ELF, ELF64, Mach-O, PE, NSO, and WASM formats.
Version Compatibility: Compatible with Unity versions from 5.3 to 2022.2.
Script Generation: Creates scripts for IDA, Ghidra, and Binary Ninja to aid in analyzing IL2CPP files.
Structure Header File Generation: Produces a header file (il2cpp.h) containing structure information.
Protection Bypass: Supports Android memory-dumped libil2cpp.so files and bypasses simple PE protections.

Getting Started with Il2CppDumper

Installation and Setup

Download the latest version of Il2CppDumper from its official GitHub repository.
Extract the downloaded files into a working directory.

Basic Usage

Run the Tool: Open Il2CppDumper.exe.
Select Files: Choose the IL2CPP executable file (e.g., GameAssembly.dll or libil2cpp.so) and the global-metadata.dat file.
Follow Prompts: Enter the required information as prompted by the tool.
Output Files: The tool will generate all output files in the current working directory.

Command-Line Usage

You can also run Il2CppDumper via the command line:

Il2CppDumper.exe <executable-file> <global-metadata> <output-directory>

This will generate the same outputs as the GUI version.

Output Files

DummyDll: Contains all restored DLL files, viewable in .NET decompilers like dnSpy or ILSpy.
ida.py: Script for IDA to analyze IL2CPP files.
ida_with_struct.py: IDA script that includes structure information from il2cpp.h.
il2cpp.h: Header file with structure information.
ghidra.py: Script for Ghidra.
Il2CppBinaryNinja: Script for Binary Ninja.
ghidra_wasm.py: Ghidra script for WASM files, compatible with the ghidra-wasm-plugin.
script.json: Metadata for the generated scripts.
stringliteral.json: Contains string literal information.

Configuration Options

Configuration options are available in the config.json file. Key settings include:

DumpMethod, DumpField, DumpProperty: Toggle output of specific data in dump.cs.
GenerateDummyDll, GenerateScript: Enable or disable generation of DummyDll files and scripts.
ForceIl2CppVersion: Specify a version parser for older IL2CPP versions.
NoRedirectedPointer: Treat pointers in dumped files as unredirected (useful for certain devices).

Common Errors and Troubleshooting

Error: Metadata file supplied is not valid metadata file.

Ensure you select the correct global-metadata.dat file.
Note: Some games may obfuscate metadata files for protection. Deobfuscating such files is outside the scope of Il2CppDumper.

Error: Can't use auto mode to process file, try manual mode.

Ensure you are using the correct executable file (e.g., GameAssembly.dll or libil2cpp.so).
If the issue persists, open a GitHub issue with the file for assistance.

Error: This file may be protected.

Use tools like GameGuardian to dump libil2cpp.so from game memory. Then, process the dumped file with Il2CppDumper.
For rooted Android devices, try using Zygisk-Il2CppDumper for advanced protection bypass.

Practical Applications

Il2CppDumper is widely used for:

Game Modding: Extract and modify Unity MonoBehaviours and MonoScripts for custom modifications.
Debugging: Analyze Unity IL2CPP files to debug and understand application behavior.
Research: Study the internal workings of Unity-powered applications.

Conclusion

Il2CppDumper is a versatile tool that simplifies the challenging task of reverse engineering Unity IL2CPP files. Whether you’re a developer, modder, or researcher, understanding its features and capabilities can significantly enhance your workflow. For more details, visit the official GitHub repository. Remember, use this tool responsibly and always respect intellectual property laws.

This guide is for educational purposes only. Any misuse of this tool is strictly discouraged.

Basanta Sapkota

Unity IL2CPP Reverse Engineering