TheMasterArchiver

Decompiling IL2CPP Android Unity games

This guide is based on this guide by Wanghzo (sections 1-4) and this guide by IroniaTheMaster (section 5), which itself is based on this guide by koo00

The guide was changed to use Ghidra instead of IDA Pro and the script was modified accordingly

This guide was only tested on Linux

Warning: this was only tested on an arm64 device

Prequisites

Aquiring GetMetadata function pointer
  1. Extract the APK file
  2. Find libil2cpp.so in the lib directory
  3. Create a new ghidra project
  4. Select "Menu" > "File" > "Import File..." and import libil2cpp.so
  5. Open and analyze the file
  6. Select "Menu" >"Search" > "Memory"
  7. Change "Hex" to "String" and input global-metadata.dat
  8. Press "Search" and double-click on the only result
  9. Right click on the name (s_global-metadata.dat...)
  10. Select "References" > "Show references to s_global-metadata.dat..."
  11. Double-click on the only reference
  1. Find the first bl instruction after the selected one
  2. Find the function name (e.g. FUN_0074e9b4)
  3. Write down the characters after the underscore (e.g. 0074e9b4)

Finding global-metadata.dat in memory
  1. Start GameGuardian
  2. Follow the Frida installation guide (I used frida v16.6.6)
  3. Aquire script.js
  4. Replace the Value in 0xValue on line 9 with the numbers you got earlier
  5. Exit the game if it is running
  6. Run frida -Uf com.game.package.name -l ./script.js
  7. A red line should appread saying Address : ...
  8. Write down everything after the colon (this will be different on every launch)

Dumping global-metadata.dat
  1. Open the GameGuardian overlay
  2. Select the game process
  3. Click on the 4-th tab and open the menu
  4. Select "Dump memory"
  5. In the "From" input box enter the console value without the "0x"
  6. Tap on the down arrow to the right of it
  7. The first (selected) menu option should have global-metadata.dat in it, and should start with O: numbers1-numbers2 r--s ...
  8. Write down numbers2
  9. Click away from the menu
  10. Input numbers2 into the "To:" input box
  11. Press "Save" and wait for the process to finish
  12. (On the PC) run adb shell "cat /storage/emulated/0/dump/*.bin" > global-metadata.dat

Decompiling the game
  1. Unzip the APK file
  2. Find libil2cpp.so in lib
  3. Create the decomp folder
  4. Run Il2CppDumper path/to/libil2cpp.so path/to/global-metadata.dat decomp
  5. Go to the decomp
  6. Run python3 path/to/Il2CppDumper/il2cpp_header_to_ghidra.py
  7. Start ghidra and make a new project
  8. Click the Code Browser (dragon head) icon
  9. In the new window select "File" > "Import file"
  10. Import and analyze libil2cpp.so
  11. Select "File" > "Parse C Source..."
  12. Change the "Parse Configuration" to "VisualStudio22_64.prf"
  13. Remove all entries from "Source Files to Parse", "Include Paths", and "Parse Options"
  14. Add decomp/il2cpp_ghidra.h to the "Source Files to Parse" section
  15. Click "Parse to Program" and then "Continue". If prompted, select "Use Open Archives". This may take a while
  16. Open the script manager (green play icon)
  17. Press "Manage Script Directories" (the list icon in the top bar)
  18. In the new window press "Display file chooser to add bundles to the list" (the green plus in the top bar)
  19. Add path/to/Il2CppDumper
  20. Close the "Bundle Manager" window
  21. Run the ghidra_with_struct.py script
  22. When prompted, select script.json from the decomp folder
  23. Wait for all analysis to finish