IL2CPP Games

Fallschirmjäger

Oct 19, 2016
As your script kiddie fellow, I enjoy reading infosec and trying it out in my own environment. I had planned to write a tutorial about binary patching with radare2 on Android this weekend. But something big was released: CVE-2016-5195 was publicly disclosed. It attacks Linux kernel 2.6.22 and higher, which is where most Android kernel versions are. So I got a bit distracted, then played with it and r2 (idea: What is the Dirty COW vulnerability and how does it impact mobile...). Thus, I ended up forgetting about the plan :p. Anyway, I decided to write about il2cpp a bit.

Introduction
>What is il2cpp?
From "An introduction to IL2CPP internals" (Unity Blog):
The technology that we refer to as IL2CPP has two distinct parts.
  • An ahead-of-time (AOT) compiler
  • A runtime library to support the virtual machine
The AOT compiler translates Intermediate Language (IL), the low-level output from .NET compilers, to C++ source code. The runtime library provides services and abstractions like a garbage collector, platform-independent access to threads and files, and implementations of internal calls (native code which modifies managed data structures directly).
>Any support on this thread?
No.

Main Content
0. The purpose is
"To get a feel of modding il2cpp games. :3"
-GiMPY, 2016
1. git clone or download the source: GitHub - Jumboperson/Il2CppDumper (a better version of https://github.com/Jumboperson/PokemonGoDumper)
2. Some important notes before compiling
Code:
line 358
// These two pointers are the first two arguments passed to il2cpp::vm::MetadataCache::Register in the libil2cpp.so binary.
// Updating them manually should be fairly trivial, just find where il2cpp::vm::MetadataCache::Register is called and use the first two args for code and metadata respectively.
pCodeRegistration = (Il2CppCodeRegistration*)MapVATR(0x14860F8, pLibIl2Cpp);
pMetadataRegistration = (Il2CppMetadataRegistration*)MapVATR(0x14A7F78, pLibIl2Cpp);
The comment is straightforward, so I don't have to explain it. Two things to keep in mind: those two addresses are hard-coded for the one libil2cpp.so the dumper author worked on, so they will not match any other build of the game (or a different ABI) and you must re-find them; and they are virtual addresses as shown by your disassembler, not raw file offsets, which is why they go through MapVATR.
Code:
line 381
LoadMetadata("C:\\Projects\\Android\\PokeGo\\0.35.0\\assets\\bin\\Data\\Managed\\Metadata\\global-metadata.dat");
Well, it's obvious that you (may) have to change this: point it at the global-metadata.dat pulled from your own APK, which lives at assets/bin/Data/Managed/Metadata/global-metadata.dat.
3. Compile.
4. Run it as `progname.exe > blabla.cs`, since the output is written directly to stdout.
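As an added example (not part of the original post and not code from Il2CppDumper), here is the part of step 2 that is easy to get wrong, written out in Python: translating the two hard-coded virtual addresses into raw file offsets the way MapVATR does, by walking the PT_LOAD program headers of libil2cpp.so, and sanity-checking the global-metadata.dat you point LoadMetadata at before you spend time on a bad dump. It goes slightly beyond the post by handling both ELF32 and ELF64 libraries. Assumptions: the metadata header layout (u32 sanity 0xFAB11BAF, s32 version, then offset/size pairs with the string table pair at 0x18) is the Il2CppGlobalMetadataHeader of this era; the ELF image and metadata bytes below are constructed samples, not real game files; the version value 22 in the sample is arbitrary.

```python
import struct

PT_LOAD = 1
METADATA_SANITY = 0xFAB11BAF   # first u32 of every (unobfuscated) global-metadata.dat


def load_segments(elf):
    """Return (p_offset, p_vaddr, p_filesz, p_memsz) for each PT_LOAD segment.

    Handles little-endian ELF32 and ELF64, i.e. both armeabi-v7a and arm64-v8a
    builds of libil2cpp.so. Only the fields map_vatr needs are kept.
    """
    if elf[:4] != b"\x7fELF" or elf[5] != 1:
        raise ValueError("expected a little-endian ELF image")
    if elf[4] == 1:                                   # ELFCLASS32
        (e_phoff,) = struct.unpack_from("<I", elf, 28)
        e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 42)
        fmt, order = "<8I", (0, 1, 2, 4, 5)           # type off vaddr paddr filesz memsz flags align
    elif elf[4] == 2:                                 # ELFCLASS64
        (e_phoff,) = struct.unpack_from("<Q", elf, 32)
        e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
        fmt, order = "<IIQQQQQQ", (0, 2, 3, 5, 6)     # type flags off vaddr paddr filesz memsz align
    else:
        raise ValueError("unknown EI_CLASS")
    segments = []
    for i in range(e_phnum):
        f = struct.unpack_from(fmt, elf, e_phoff + i * e_phentsize)
        p_type, p_offset, p_vaddr, p_filesz, p_memsz = (f[k] for k in order)
        if p_type == PT_LOAD:
            segments.append((p_offset, p_vaddr, p_filesz, p_memsz))
    return segments


def map_vatr(elf, va):
    """Translate a virtual address into a raw file offset.

    This is the job MapVATR does with the two pointers in the dumper source:
    they are VAs read off a disassembler, not offsets into the .so on disk.
    """
    for p_offset, p_vaddr, p_filesz, p_memsz in load_segments(elf):
        if p_vaddr <= va < p_vaddr + p_memsz:
            delta = va - p_vaddr
            if delta >= p_filesz:
                raise ValueError(f"0x{va:x} lies in zero-filled memory (.bss); no bytes on disk")
            return p_offset + delta
    raise ValueError(f"0x{va:x} is not inside any PT_LOAD segment")


def check_metadata(data):
    """Validate the global-metadata.dat header; return (version, string_offset, string_size).

    Assumed layout (Il2CppGlobalMetadataHeader of this era): u32 sanity, s32 version,
    then (offset, size) pairs for stringLiteral, stringLiteralData and string.
    The real header continues well past 0x20; only the first three pairs are read.
    """
    if len(data) < 0x20:
        raise ValueError("too short to be a metadata file")
    sanity, version = struct.unpack_from("<Ii", data, 0)
    if sanity != METADATA_SANITY:
        raise ValueError(f"bad sanity 0x{sanity:08x}; not a plain global-metadata.dat")
    string_offset, string_size = struct.unpack_from("<ii", data, 0x18)
    if string_offset < 0x20 or string_offset + string_size > len(data):
        raise ValueError("string table lies outside the file")
    return version, string_offset, string_size


def read_strings(data):
    """Return the NUL-separated names (types, methods, fields) from the string table."""
    _, off, size = check_metadata(data)
    return [s.decode("utf-8") for s in data[off:off + size].split(b"\0") if s]


# --- constructed sample inputs, not real game files -------------------------
def _sample_elf():
    """ELF32 (EM_ARM, ET_DYN) with one PT_LOAD: file 0x1000..0x3000 at VA 0x10000, then 0x1000 of .bss."""
    ehdr = (b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)           # e_ident: 32-bit, LE, v1
            + struct.pack("<HHIIIIIHHHHHH", 3, 40, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0))
    phdr = struct.pack("<8I", PT_LOAD, 0x1000, 0x10000, 0x10000, 0x2000, 0x3000, 5, 0x1000)
    return ehdr + phdr


def _sample_metadata():
    """0x20-byte header (constructed, version 22 is arbitrary) followed by a tiny string table."""
    names = b"Object\0Update\0get_Health\0"
    header = struct.pack("<Iiiiiiii", METADATA_SANITY, 22, 0, 0, 0, 0, 0x20, len(names))
    return header + names


SAMPLE_ELF = _sample_elf()
SAMPLE_METADATA = _sample_metadata()

if __name__ == "__main__":
    # Replace the VA with the ones you re-found for your own libil2cpp.so build.
    print(hex(map_vatr(SAMPLE_ELF, 0x10010)))   # 0x1010
    print(check_metadata(SAMPLE_METADATA))      # (22, 32, 25)
    print(read_strings(SAMPLE_METADATA))        # ['Object', 'Update', 'get_Health']
```

In practice, feed the real files in with `open(path, "rb").read()`: if `check_metadata` rejects the sanity value, the game is shipping something other than a plain global-metadata.dat and the dumper will not make sense of it either; if `map_vatr` raises, the address you took from the disassembler does not belong to this build of the library.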

Afterword
Thanks to Pokémon Go's massive development, the modding community isn't going to die anytime soon (probably).
Code:
[0x00000000]> fo
-- This software comes with no brain included. Please use your own.

Credits
  • John (JumboPerson) for his awesome Il2cpp dumper
  • Fallschirmjaeger


This work is licensed under a Creative Commons
Attribution 4.0 International License