Decompiling IL2CPP Android Unity games

This guide is based on this guide by Wanghzo (sections 1-4) and this guide by IroniaTheMaster (section 5), which itself is based on this guide by koo00

The guide was changed to use Ghidra instead of IDA Pro and the script was modified accordingly

This guide was only tested on Linux

Warning: this was only tested on an arm64 device

Prerequisites

Acquiring the GetMetadata function pointer

  1. Extract the APK file

  2. Find libil2cpp.so in the lib directory

  3. Create a new ghidra project

  4. Select "Menu" > "File" > "Import File..." and import libil2cpp.so

  5. Open and analyze the file

  6. Select "Menu" > "Search" > "Memory"

  7. Change "Hex" to "String" and input global-metadata.dat

  8. Press "Search" and double-click on the only result

  9. Right-click on the name (s_global-metadata.dat...)

  10. Select "References" > "Show references to s_global-metadata.dat..."

  11. Double-click on the only reference

  12. Find the first bl instruction after the selected one

  13. Find the function name (e.g. FUN_0074e9b4)

  14. Write down the characters after the underscore (e.g. 0074e9b4)

Finding global-metadata.dat in memory

  1. Start GameGuardian

  2. Follow the Frida installation guide (I used frida v16.6.6)

  3. Acquire script.js

  4. Replace the Value in 0xValue on line 9 with the numbers you got earlier

  5. Exit the game if it is running

  6. Run frida -Uf com.game.package.name -l ./script.js

  7. A red line should appear saying Address : ...

  8. Write down everything after the colon (this will be different on every launch)

Dumping global-metadata.dat

  1. Open the GameGuardian overlay

  2. Select the game process

  3. Click on the 4th tab and open the menu

  4. Select "Dump memory"

  5. In the "From" input box enter the console value without the "0x"

  6. Tap on the down arrow to the right of it

  7. The first (selected) menu option should have global-metadata.dat in it, and should start with O: numbers1-numbers2 r--s ...

  8. Write down numbers2

  9. Click away from the menu

  10. Input numbers2 into the "To:" input box

  11. Press "Save" and wait for the process to finish

  12. (On the PC) run adb shell "cat /storage/emulated/0/dump/*.bin" > global-metadata.dat
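A check worth running on the dumped file before moving on, as an added example (Python, not part of the original guide or of Il2CppDumper): it verifies that the file starts with the global-metadata "sanity" magic and that the first header sections fit inside the file, which catches a wrong "From" address or a dump cut short before the end of the mapping. The header layout assumed here (sanity, version, then offset/size pairs) is the one Il2CppDumper reads; the sample blob is constructed.

```python
import struct

METADATA_MAGIC = 0xFAB11BAF  # "sanity" field at the start of every global-metadata.dat

# After the sanity and version fields the header is a run of
# (offset, size-in-bytes) pairs; the first three describe the string-literal
# table, the string-literal data and the string table in every version
# Il2CppDumper handles, so they make a cheap bounds check on a dump.
_LEADING_SECTIONS = ("stringLiteral", "stringLiteralData", "string")


def check_global_metadata(data: bytes) -> dict:
    """Return {'ok', 'version', 'problems'} for a dumped global-metadata.dat blob."""
    problems = []
    if len(data) < 8 + 8 * len(_LEADING_SECTIONS):
        return {"ok": False, "version": None, "problems": ["too short to hold a header"]}
    sanity, version = struct.unpack_from("<Ii", data, 0)
    if sanity != METADATA_MAGIC:
        # A wrong "From" address in GameGuardian shows up here first.
        problems.append(f"bad magic 0x{sanity:08X}, expected 0x{METADATA_MAGIC:08X}")
    if not 16 <= version <= 64:  # loose plausibility bound, not an exact list
        problems.append(f"implausible metadata version {version}")
    for i, name in enumerate(_LEADING_SECTIONS):
        offset, size = struct.unpack_from("<Ii", data, 8 + 8 * i)
        if size < 0 or offset + size > len(data):
            # A "To" address short of the mapping end truncates later sections.
            problems.append(f"{name} section at {offset:#x}+{size:#x} runs past end of dump")
    return {"ok": not problems, "version": version, "problems": problems}


def check_global_metadata_file(path: str) -> dict:
    """Convenience wrapper for the file written by the adb step above."""
    with open(path, "rb") as fh:
        return check_global_metadata(fh.read())


def constructed_sample(total_len: int = 0x100) -> bytes:
    """Constructed test blob (not from any real game): valid header, zero-filled body."""
    header = struct.pack("<Ii", METADATA_MAGIC, 29)
    header += struct.pack("<Ii", 0x40, 0x20)  # stringLiteral
    header += struct.pack("<Ii", 0x60, 0x40)  # stringLiteralData
    header += struct.pack("<Ii", 0xA0, 0x60)  # string
    return header.ljust(total_len, b"\0")


if __name__ == "__main__":
    import sys
    print(check_global_metadata_file(sys.argv[1]))
```

Run it as python3 check_metadata.py global-metadata.dat; an empty problems list means the dump is at least structurally sound and worth feeding to Il2CppDumper.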

Decompiling the game

  1. Unzip the APK file

  2. Find libil2cpp.so in lib

  3. Create the decomp folder

  4. Run Il2CppDumper path/to/libil2cpp.so path/to/global-metadata.dat decomp

  5. Go to the decomp folder

  6. Run python3 path/to/Il2CppDumper/il2cpp_header_to_ghidra.py

  7. Start ghidra and make a new project

  8. Click the Code Browser (dragon head) icon

  9. In the new window select "File" > "Import file"

  10. Import and analyze libil2cpp.so

  11. Select "File" > "Parse C Source..."

  12. Change the "Parse Configuration" to "VisualStudio22_64.prf"

  13. Remove all entries from "Source Files to Parse", "Include Paths", and "Parse Options"

  14. Add decomp/il2cpp_ghidra.h to the "Source Files to Parse" section

  15. Click "Parse to Program" and then "Continue". If prompted, select "Use Open Archives". This may take a while

  16. Open the script manager (green play icon)

  17. Press "Manage Script Directories" (the list icon in the top bar)

  18. In the new window press "Display file chooser to add bundles to the list" (the green plus in the top bar)

  19. Add path/to/Il2CppDumper

  20. Close the "Bundle Manager" window

  21. Run the ghidra_with_struct.py script

  22. When prompted, select script.json from the decomp folder

  23. Wait for all analysis to finish