
Some needs and suggestions

Open Perfare opened this issue 3 years ago • 19 comments

Hello djkaty, I am very happy to see that Il2CppInspector has become perfect. I have some needs and suggestions here, hoping to help Il2CppInspector become better.

  1. Output a restored dll. The restored dll can be used to deserialize Unity MonoBehaviour; this is why I wrote Il2CppDumper. The restored dll can be applied to AssetStudio, UtinyRipper or UABE. I know that Il2CppInspector provides a reflection-like API, but deserialization works in both the Mono and IL2CPP environments; in Mono we use Cecil to load the dll for analysis, so if Il2CppInspector can output the restored dll, we can deserialize directly without rewriting any code. In addition, this function can be extended in the future, for example by implementing cpp2il to restore it to a complete managed dll.
  2. Support Android .so files dumped from memory. Many Android games are now protected; by the nature of the protection, the .so file needs to be decrypted in memory, so if dumped .so files are supported it will be possible to bypass 99% of the protection. The main difference between the dumped .so and the original .so is that the dumped .so has no section information and the data in the .rel segment has been relocated; for example, the address of the .so in memory has been added to each pointer.
  3. Support protected PE executable files. Similar to Android, some games on PE also use protection like Themida. We can also bypass the protection by dumping the dll from memory, but there is an easier way in the Windows environment: we can use LoadLibrary to load the protected dll into memory; at that point the dll has been decrypted in memory, and then we can continue to process the il2cpp data.
  4. Support the WASM format. This format is used in Unity WebGL games and is also compiled by il2cpp.

Here is the code of Il2CppDumper related to the above; I hope it provides some reference.

  1. https://github.com/Perfare/Il2CppDumper/blob/master/Il2CppDumper/Utils/DummyAssemblyGenerator.cs
  2. https://github.com/Perfare/Il2CppDumper/blob/650ca2e67ed5a0edd1955cc8dacc46abecc63565/Il2CppDumper/ExecutableFormats/Elf.cs#L33-L60
  3. https://github.com/Perfare/Il2CppDumper/blob/master/Il2CppDumper/Utils/PELoader.cs
  4. https://github.com/Perfare/Il2CppDumper/blob/master/Il2CppDumper/ExecutableFormats/WebAssembly.cs https://github.com/Perfare/Il2CppDumper/blob/master/Il2CppDumper/ExecutableFormats/WebAssemblyMemory.cs

I am not a programmer, and writing programs is just my hobby, so I do very poorly in programming and coding, and I am not good at providing pull requests. If you need other information, you can ask me directly and I will try to answer.

Perfare avatar Aug 17 '20 12:08 Perfare
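What the "relocated .rel data" in point 2 means in practice, as an added example that is not part of this thread and not code from Il2CppInspector or Il2CppDumper: a libil2cpp.so dumped from memory still has its ELF header and program headers (they sit in the first page), but every pointer slot the dynamic linker touched now holds `base + addend` instead of the bare addend, and the section table is gone, so the only way to find the relocation table is through PT_DYNAMIC. The code below walks that path and puts the addends back. It assumes an ELF64 little-endian AArch64 image, a dump that starts at the image base (so file offset == address - base) and a plain DT_RELA table; Android's packed DT_ANDROID_RELA and DT_RELR formats are not handled. `build_sample_so_dump()` is a constructed stand-in for a real dump, and the base 0x7a22600000 is simply the value quoted for the arm64 sample in this thread.

```python
"""Undo R_AARCH64_RELATIVE relocations in a libil2cpp.so dumped from memory.

Added example, not code from Il2CppInspector or Il2CppDumper. Assumptions:
ELF64 little-endian AArch64; dump starts at the image base so that
file offset == address - base; program headers intact; plain DT_RELA table
(packed DT_ANDROID_RELA / DT_RELR tables are not handled).
"""
import struct

PT_DYNAMIC = 2
DT_NULL, DT_RELA, DT_RELASZ, DT_RELAENT = 0, 7, 8, 9
EM_AARCH64 = 183
R_AARCH64_RELATIVE = 1027

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr
DYN = struct.Struct("<qQ")                  # Elf64_Dyn
RELA = struct.Struct("<QQq")                # Elf64_Rela


def rebase_dump(dump: bytes, base: int):
    """Return (fixed image, relocations undone, slots that did not match base).

    A relative slot holds base + addend at runtime and just the addend on disk.
    A slot whose value minus base is not the addend means the wrong base was
    given or the slot was overwritten at runtime; it is counted and left alone.
    """
    img = bytearray(dump)
    ident, _, machine, _, _, phoff, _, _, _, phentsize, phnum, *_ = EHDR.unpack_from(img, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    if machine != EM_AARCH64:
        raise ValueError(f"unexpected e_machine {machine}")

    # In a dump every segment sits at its p_vaddr, so p_vaddr is the file
    # offset; p_offset only describes the on-disk layout and is ignored.
    dyn_addr = None
    for i in range(phnum):
        p_type, _, _, p_vaddr, *_ = PHDR.unpack_from(img, phoff + i * phentsize)
        if p_type == PT_DYNAMIC:
            dyn_addr = p_vaddr
            break
    if dyn_addr is None:
        raise ValueError("no PT_DYNAMIC segment")

    rela_addr = rela_size = None
    rela_ent = RELA.size
    pos = dyn_addr
    while True:
        tag, val = DYN.unpack_from(img, pos)
        pos += DYN.size
        if tag == DT_NULL:
            break
        if tag == DT_RELA:
            rela_addr = val - base if val >= base else val   # some loaders rewrite d_ptr in place
        elif tag == DT_RELASZ:
            rela_size = val
        elif tag == DT_RELAENT:
            rela_ent = val
    if rela_addr is None or rela_size is None:
        raise ValueError("no DT_RELA table (packed or RELR relocations?)")

    fixed = mismatched = 0
    for pos in range(rela_addr, rela_addr + rela_size, rela_ent):
        r_offset, r_info, r_addend = RELA.unpack_from(img, pos)
        if r_info & 0xFFFFFFFF != R_AARCH64_RELATIVE:
            continue
        (word,) = struct.unpack_from("<Q", img, r_offset)
        if word - base != r_addend:
            mismatched += 1
            continue
        struct.pack_into("<Q", img, r_offset, r_addend)
        fixed += 1
    return bytes(img), fixed, mismatched


def build_sample_so_dump(base: int) -> bytes:
    """Constructed stand-in for a dumped libil2cpp.so with one relative reloc slot."""
    img = bytearray(0x400)
    EHDR.pack_into(img, 0, b"\x7fELF\x02\x01\x01" + bytes(9), 3, EM_AARCH64, 1, 0, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    PHDR.pack_into(img, 64, 1, 5, 0, 0, 0, 0x400, 0x400, 0x1000)                  # PT_LOAD
    PHDR.pack_into(img, 64 + 56, PT_DYNAMIC, 6, 0x100, 0x100, 0x100, 0x40, 0x40, 8)
    for i, (tag, val) in enumerate([(DT_RELA, 0x200), (DT_RELASZ, 24), (DT_RELAENT, 24), (DT_NULL, 0)]):
        DYN.pack_into(img, 0x100 + i * DYN.size, tag, val)
    RELA.pack_into(img, 0x200, 0x300, R_AARCH64_RELATIVE, 0x1234)   # slot at 0x300, addend 0x1234
    struct.pack_into("<Q", img, 0x300, base + 0x1234)               # what the loader left in memory
    return bytes(img)


if __name__ == "__main__":
    BASE = 0x7A22600000   # base quoted for the arm64 sample in this thread
    image, n_fixed, n_bad = rebase_dump(build_sample_so_dump(BASE), BASE)
    print(f"undone {n_fixed} relocation(s), {n_bad} slot(s) did not match the base")
```

The mismatch counter is the check to watch: if the base you pass is wrong (or the dump was taken from a different mapping than the one IDA is told about), nearly every slot will mismatch and nothing is rewritten, which is far better than silently producing an image whose method pointers are all off by the same delta.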

Hey Perfare,

I think it's awesome you want to team up! When I originally forked Il2CppDumper in March 2017, it was because I wanted to add a model/API to let me query the IL2CPP app for some work I was doing with protobuf. This turned out to be really difficult and as I think you know I ended up re-writing most of the tool to accomplish that.

If I'm understanding your post correctly, you would basically like me to add all of the features of Il2CppDumper that Il2CppInspector doesn't currently implement? Given your permission I'll be happy to do that and provide you with the credit 🚀

For dealing with dumped files, protected PEs and WebAssembly, I would need some of those types of files to test it on. If you have some, it would be really helpful if you could upload them somewhere so I have something to check that everything is working as it should.

It's been a couple of years since I used UABE or AssetStudio (very good tool btw, thank you for writing it!) as I mostly just work with code, so I don't actually know anything about loading DLLs into that. I seem to remember just loading asset bundles and then exporting the items inside? I'll download AssetStudio again and play with it. I also have no idea how to use Mono.Cecil so I would have to more or less just copy your code for that part while I learn it.

I looked at cpp2il recently and have been thinking about it, but I honestly think that getting a working decompilation would be exceedingly difficult, maybe nearly impossible. The Address Map / AppModel in Il2CppInspector 2020.2 is the first step towards that and I currently have unpublished test code which can dereference vtable calls and such automatically from ARM code disassembly, so we can build a control flow graph of what methods call what other methods now, but re-constructing the entire application seems very far away.

I'm really happy you reached out Perfare, thank you! If you can upload those dumped/PE/WebGL files I'll get to work 🙂

djkaty avatar Aug 17 '20 15:08 djkaty

Here are some sample files.

v24 Android arm64, dumped; address is 0x7a22600000 https://mega.nz/file/KVkBSASY#VXQMV0qE6OkN_KAdGO3CxkoUKea1gluXfoTgy_RvvWc

v24.3 PE, protected by Themida https://mega.nz/file/mB0lwISZ#jlxkyirby4C1DnbAMBKXOajVDWEkZLwRCRei7vz1OU0

v24.3 wasm https://mega.nz/file/SJlBSa4Q#ZvV-ElePoZ218mELlh9OEvYYb7_OyY4NPvjKuDMGkyo

If you need more examples of dump files, you can use a rooted Android phone or emulator; just use GameGuardian to dump the memory, no need to care whether the game is protected. In Unity you can switch the project to WebGL to generate wasm code, which exists in a file named code.unityweb; it is usually compressed by gzip and needs to be decompressed first. Cpp2il is indeed very difficult to implement. Unity uses some special techniques to implement the features of C#, such as vtable and rgctx; they all increase the difficulty of decompilation, but I think it still has some features worth implementing, which can be discussed later.

Perfare avatar Aug 17 '20 17:08 Perfare
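A first step towards the WASM support requested in point 4, as an added example that is not from this thread, Il2CppInspector or Il2CppDumper: unwrap the gzip layer that code.unityweb usually carries, walk the module's sections, and rebuild the initial linear memory from the data section, which is where an IL2CPP WebGL build's static data lands before any code runs. It assumes the WebAssembly 1.0 binary format (LEB128 section sizes, `i32.const N end` initializers for active data segments) and that the file is either raw wasm or gzip-wrapped wasm; other Unity wrappers (brotli, the UnityWeb container) are not handled. `build_sample_unityweb()` constructs a small gzip-wrapped module for the demonstration and is not taken from any real game.

```python
"""Walk a Unity WebGL (IL2CPP) wasm module's sections and rebuild its initial
linear memory from the data section.

Added example, not code from Il2CppInspector or Il2CppDumper. Assumes the
wasm 1.0 binary format and a raw or gzip-wrapped code.unityweb; brotli and
the UnityWeb container format are not handled.
"""
import gzip

WASM_HEADER = b"\x00asm\x01\x00\x00\x00"
SECTION_NAMES = {0: "custom", 1: "type", 2: "import", 3: "function", 4: "table",
                 5: "memory", 6: "global", 7: "export", 8: "start", 9: "element",
                 10: "code", 11: "data", 12: "datacount"}
DATA_SECTION = 11
OP_I32_CONST, OP_END = 0x41, 0x0B


def read_leb(buf: bytes, pos: int, signed: bool = False):
    """Decode one LEB128 integer at pos; return (value, position after it)."""
    result = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            if signed and b & 0x40:
                result -= 1 << shift
            return result, pos


def unwrap(blob: bytes) -> bytes:
    """code.unityweb is usually gzip; pass raw wasm through untouched."""
    return gzip.decompress(blob) if blob[:2] == b"\x1f\x8b" else blob


def iter_sections(wasm: bytes):
    if wasm[:8] != WASM_HEADER:
        raise ValueError("not a wasm 1.0 module")
    pos = 8
    while pos < len(wasm):
        sec_id = wasm[pos]
        size, pos = read_leb(wasm, pos + 1)
        yield sec_id, wasm[pos:pos + size]
        pos += size


def list_sections(wasm: bytes):
    return [(SECTION_NAMES.get(i, f"unknown({i})"), len(body)) for i, body in iter_sections(wasm)]


def build_memory(wasm: bytes) -> bytearray:
    """Copy each active data segment to its offset, as the runtime does at instantiation."""
    mem = bytearray()
    for sec_id, body in iter_sections(wasm):
        if sec_id != DATA_SECTION:
            continue
        count, pos = read_leb(body, 0)
        for _ in range(count):
            flags, pos = read_leb(body, pos)
            if flags == 1:                      # passive segment: no offset, copied later by memory.init
                size, pos = read_leb(body, pos)
                pos += size
                continue
            if flags == 2:                      # explicit memory index precedes the expression
                _, pos = read_leb(body, pos)
            if body[pos] != OP_I32_CONST:
                raise ValueError("only i32.const offset expressions are handled")
            offset, pos = read_leb(body, pos + 1, signed=True)
            if body[pos] != OP_END:
                raise ValueError("malformed offset expression")
            size, pos = read_leb(body, pos + 1)
            if offset + size > len(mem):
                mem.extend(bytes(offset + size - len(mem)))
            mem[offset:offset + size] = body[pos:pos + size]
            pos += size
    return mem


def leb(n: int, signed: bool = False) -> bytes:
    """Encode a non-negative n as LEB128 (only used to build the sample)."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        done = n == 0 and not (signed and b & 0x40)
        out.append(b if done else b | 0x80)
        if done:
            return bytes(out)


def section(sec_id: int, body: bytes) -> bytes:
    return bytes([sec_id]) + leb(len(body)) + body


def active_segment(offset: int, data: bytes) -> bytes:
    return leb(0) + bytes([OP_I32_CONST]) + leb(offset, signed=True) + bytes([OP_END]) + leb(len(data)) + data


def build_sample_unityweb() -> bytes:
    """Constructed gzip-wrapped stand-in for code.unityweb, not from any real game."""
    memory = section(5, leb(1) + b"\x00" + leb(1))          # one memory, min 1 page, no max
    data = section(DATA_SECTION, leb(2) + active_segment(0x10, b"il2cpp")
                   + active_segment(0x100, b"\xaf\x1b\xb1\xfa"))   # global-metadata.dat magic used as a marker
    return gzip.compress(WASM_HEADER + memory + data)


if __name__ == "__main__":
    module = unwrap(build_sample_unityweb())
    print(list_sections(module))
    print(len(build_memory(module)), "bytes of initial linear memory")
```

Once the memory image exists, the pointers IL2CPP stores in it are plain 32-bit offsets into that same linear memory, with no load base to subtract, which is the main difference from the ELF and PE cases.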

Added note: you can load the dump file into IDA using manual load; IDA will prompt you to enter the image base.

Perfare avatar Aug 17 '20 17:08 Perfare

Sweet that's all really useful, thanks! I've downloaded the files.

I'm only used to reverse engineering Windows stuff (although I can code in ARM fortunately); what Android emulator do you like to use? I want to make the next version of Il2CppInspector generate projects for Cydia Substrate in the same way the new release does now for PE files on Windows. At the moment for Cydia you have to copy all the header files generated and write your own initialization function, so I'd like to automate that, but I need to get myself set up with an Android environment.

Thanks for the tip on Unity, forgot about that, I'll install the WebGL target.

I never actually bothered to figure out RGCTX since it didn't matter too much for what I was doing, would you like to explain it to save me figuring it out? 🙂

Are you planning to continue working on Il2CppDumper?

djkaty avatar Aug 17 '20 17:08 djkaty

If you need to use GameGuardian, it seems to only support Nox or Bluestacks. RGCTX means runtime generic context; you can easily find its existence in generic instance methods. For example, the following code.

using System;

// Generic class used to show where the RGCTX shows up: T1ToT2 is called
// from T, and both depend on the type arguments T1 and T2 of the instance.
public class Dic<T1, T2>
{
    public void T(T1 t1, Action<T2> a1, Action<T2> a2)
    {
        var t2 = T1ToT2(t1);
        a1(t2);
        a2(t2);
    }

    public T2 T1ToT2(T1 t1)
    {
        return default(T2);
    }
}

It looks like this in the Dic.T() generic instance method: (screenshot of the disassembly; image not preserved in this text)

As I said earlier, I write programs only for my own needs and hobbies. I usually cannot continue to maintain the programs for a long time. It is only recently that I have been idle due to the impact of covid-19, so I have time to continue writing code. If Il2CppInspector becomes perfect enough, I obviously have no need to continue to maintain Il2CppDumper.

Perfare avatar Aug 17 '20 17:08 Perfare

I'm actually usually the same on github - just writing hobby projects, but people keep asking for features and I keep finding new uses for it so it has kind of evolved out of control... it has a lot more features now than I ever intended it to have or needed for my own use 😂

I've been in the same situation, covid-19 messed with my schedule so I've also got more time on my hands at the moment. Hope you are safe.

I'll post here as I get each feature implemented (I'll do the DLL last because it's the most complicated I think) and I'm sure I'm going to have questions along the way so I'll just write more here if I get stuck. Besides that, I'll get to work 🙂

djkaty avatar Aug 17 '20 18:08 djkaty

Two questions for you regarding the DLL output:

  1. Is there any reason not to just use Reflection.Emit instead of Mono.Cecil?
  2. Do the special attributes you've defined have to be exactly in the format they are now for the DLL to work with Asset Studio or are they just for convenience for humans to read?

Thanks!

djkaty avatar Aug 18 '20 05:08 djkaty

I have used Mono.Cecil for a long time to modify Unity games in the Mono environment, so I am more familiar with Mono.Cecil than Reflection.Emit. I can guarantee that Mono.Cecil can do what I want, but I am not sure whether Reflection.Emit can. In addition, there are some other differences that cause me to always use Mono.Cecil when modifying assemblies, but they may not affect the output of the dll.

  1. Reflection.Emit does not have a resolver; when you need to reference a custom class in another dll, you need to write a resolver yourself.
  2. System.Reflection is not designed to conform to the actual structure of .NET. It does not distinguish between TypeRef and TypeDef, and there is no TypeSpec.
  3. Reflection.Emit has poor performance and consumes a lot of memory.

The attributes in Il2CppDummyDll are for people to read. In fact, I think the dll can completely replace the output of the cs files. People can use dnSpy or ILSpy to view the dll and easily filter the classes, fields or methods they want. You don't need to spend time on C# syntax, nested classes, enum classes, and the other problems you will encounter when outputting cs files.

Perfare avatar Aug 18 '20 12:08 Perfare

Hey Perfare, covid-19 has caused long delays in my being able to work on the tool. I think I'm caught up with most of the outstanding stuff now. I have a very, very long list of things I need to fix and want to add besides the stuff in this issue, but I hope I can at least start working on the items soon. The packed PE files seem to be the most requested thing at the moment, so I'll deal with that first I think.

I was able to get GameGuardian working on Nox and dump Subway Surfers so I have a working environment for that now.

I have a couple of ideas on how to improve the dumped ELF and WebAssembly handling. It also seems that the WebGL app format has changed somewhat in more recent Unity versions. Will write again when I have something new to report, but just wanted to let you know I haven't forgotten about all this!

djkaty avatar Nov 27 '20 00:11 djkaty

Issue (2) is now implemented. You can also drag a GameGuardian maps.txt file in and it will create libil2cpp.so for you. Hope that helps :)

djkaty avatar Dec 13 '20 00:12 djkaty

Issue (3) is now implemented. The unpacked binary can be saved and loaded into IDA so the method pointers line up.

djkaty avatar Dec 14 '20 02:12 djkaty
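Why the saved unpacked binary "lines up" in IDA, and what point 3 of the original post (LoadLibrary, then process the decrypted image) implies for a parser, as an added example that is not from this thread, Il2CppInspector or Il2CppDumper: once a PE has been mapped by the loader, every section's bytes sit at its VirtualAddress, but the section headers still carry the on-disk PointerToRawData, so any parser that maps RVAs through the section table reads from the wrong place. Rewriting the table so PointerToRawData = VirtualAddress makes file offset == RVA, which is what makes the method pointers agree with the file. The code assumes the dump begins at the image base and covers the whole mapped image; only the section table is fixed, and import tables or other structures a packer destroyed are out of scope. `build_sample_pe_dump()` constructs a minimal image with stale section pointers for the demonstration.

```python
"""Fix the section table of a PE image dumped from memory (or saved after
LoadLibrary) so that file offset == RVA.

Added example, not code from Il2CppInspector or Il2CppDumper. Assumes the
dump starts at the image base and covers the whole mapped image.
"""
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def section_table(img: bytes):
    """Locate the section headers; return (offset of the first header, count)."""
    if img[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", img, 0x3C)
    if img[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", img, coff + 2)
    (opt_size,) = struct.unpack_from("<H", img, coff + 16)
    return coff + 20 + opt_size, num_sections


def rva_to_file_offset(img: bytes, rva: int) -> int:
    """Map an RVA through the section table, the way an on-disk PE parser does."""
    first, count = section_table(img)
    for i in range(count):
        _, vsize, vaddr, rawsize, rawptr, *_ = SECTION_HDR.unpack_from(img, first + i * SECTION_HDR.size)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def fix_dumped_sections(dump: bytes, section_align: int = 0x1000):
    """Point each section's raw data at its in-memory location.

    Sets PointerToRawData = VirtualAddress and makes SizeOfRawData cover the
    page-rounded VirtualSize, clamped to the end of the dump.  Returns the
    fixed image and a list of (name, old ptr, new ptr, old size, new size).
    """
    img = bytearray(dump)
    first, count = section_table(img)
    changes = []
    for i in range(count):
        off = first + i * SECTION_HDR.size
        name, vsize, vaddr, rawsize, rawptr, *rest = SECTION_HDR.unpack_from(img, off)
        rounded = (vsize + section_align - 1) & ~(section_align - 1)
        new_size = min(rounded, len(img) - vaddr)
        SECTION_HDR.pack_into(img, off, name, vsize, vaddr, new_size, vaddr, *rest)
        changes.append((name.rstrip(b"\0").decode(), rawptr, vaddr, rawsize, new_size))
    return bytes(img), changes


def build_sample_pe_dump() -> bytes:
    """Constructed 0x3000-byte image standing in for a dumped, unpacked IL2CPP dll."""
    img = bytearray(0x3000)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                      # e_lfanew
    img[0x80:0x84] = b"PE\x00\x00"
    # IMAGE_FILE_HEADER: x64, 2 sections, 0xF0-byte optional header (left zeroed here)
    struct.pack_into("<HHIIIHH", img, 0x84, 0x8664, 2, 0, 0, 0, 0xF0, 0x2022)
    first = 0x84 + 20 + 0xF0
    # PointerToRawData still holds the on-disk values 0x400/0x600, stale once mapped
    SECTION_HDR.pack_into(img, first, b".text\0\0\0", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    SECTION_HDR.pack_into(img, first + 40, b".data\0\0\0", 0x100, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    img[0x2010:0x2016] = b"il2cpp"                               # marker living at RVA 0x2010
    return bytes(img)


if __name__ == "__main__":
    fixed, changes = fix_dumped_sections(build_sample_pe_dump())
    for name, old_ptr, new_ptr, old_size, new_size in changes:
        print(f"{name:8} raw {old_ptr:#x} -> {new_ptr:#x}, size {old_size:#x} -> {new_size:#x}")
```

The stale-pointer case is the one to test against: before the fix, looking up RVA 0x2010 in the sample lands at file offset 0x610, inside the zeroed header area, and only after the rewrite does it reach the marker at 0x2010. Pointers inside the image that the loader relocated (absolute addresses for the actual load base) are a separate matter: load the saved file in IDA at the base the dll was mapped at, as the thread describes for the Android dump.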

This is great, I look forward to you implementing all the features.

Perfare avatar Dec 17 '20 00:12 Perfare

Issue (1) is now implemented, with a few bug fixes on top. I think it works as it should and I have tested it a fair bit, but I'd be very happy if you could try it and let me know if you find any problems. It's a complete re-write using dnlib and the type model, so the actual binary bytes output are not identical, but I went through my entire test suite using output from Il2CppDumper and from the new code in Il2CppInspector and compared them line by line in dnSpy and they seemed to match. I can't catch every case of course. If you don't have time to look at it I'll just make a release in a couple/few days and hope for the best 😂 Hope you are well!

Edit: I will deal with wasm support in a later release, along with NSO files

djkaty avatar Jan 10 '21 10:01 djkaty

o/ I got linked to this thread by someone in the MelonLoader discord. I'm the guy behind Cpp2IL.

With regards to implementing full IL reconstruction, I can say with 100% certainty that it's possible, at least for x86 instruction sets - but hard. That said, I have an initial working example for vtables in my rewrite branch, but I haven't looked into the rgctx stuff yet - so thanks for the info on that, Perfare.

Slightly off-topic, but with regards to MelonLoader - if Perfare does discontinue Il2CppDumper, it is likely going to make our lives harder once games start using later unity versions (and therefore metadata versions) - we already were planning on switching to Cpp2IL anyway, but that's only tested on windows-targeted unity games at the moment (not that ML works on anything else, but it limits our options). We can't use Il2CppInspector because of licensing concerns (AGPL is not the most friendly license).

Feel free to reach out at any time.

SamboyCoding avatar Jan 24 '21 11:01 SamboyCoding

Greetings @SamboyCoding o7!

It's possible - as you know - because the generation of the C++ is deterministic and loses minimal information so you can strip out all of the IL2CPP-specific init gunk and convert the remaining instructions back to IL.

I've only skimmed your repo very briefly but your life will probably be a lot easier if you use the app model in Il2CppInspector rather than textual analysis. The APIs allow you to query all of this stuff at a higher abstracted level programmatically. The Beebyte Deobfuscator plugin (currently a work in progress), and the DLL output (AssemblyShims.cs) shows how to use this effectively. Naturally, ARM and x86-32 are already supported and - unless anything crazy in real life comes up - I will make my best effort to push compatibility updates as and when new Unity versions are released, as I have for Unity 2020.1 and 2020.2.

That being said, thank you for respecting the license, I do appreciate that. There is an unfortunate undercurrent of people selling modified closed-source versions of these tools for "hacks", the MIT license permits this and I specifically chose the AGPLv3 license to prevent both that and the rental of networked versions of the tooling. Therefore I won't be changing the license. I have no problems with other people linking to the libraries and indeed there is a vast range of APIs provided at this point to encourage exactly that! You will, of course, need to keep such software open source as per the license. I feel this is in the spirit of an open community where knowledge should be shared rather than withheld to play power games. I know that rational people can disagree with this, but I hope that explains my concerns :) If you do decide to use the tool and need assistance with integration, or just want to chit chat about IL2CPP, let me know your Discord handle and I can add you to our small informal group.

djkaty avatar Jan 25 '21 08:01 djkaty

Yeah, I came to a similar conclusion with regards to textual analysis... definitely working on that in the rebuild haha, I have a more strongly-typed system now.

To be clear - I and the wider team have no problem disclosing our source - all of our projects are already published here on Github. The issue we have is that the AGPLv3 requires all dependent software to match the license - which would mean we would have to change our license, which we'd rather not do.

With regards to a group chat in discord - my account is Samboy#0063 - it's probably easier to continue this discussion in discord.

SamboyCoding avatar Jan 25 '21 11:01 SamboyCoding

I'm unable to add you on Discord as you're not accepting friend requests :)

djkaty avatar Jan 26 '21 08:01 djkaty

@djkaty Whoops, didn't realise I had that off! It's fixed now

SamboyCoding avatar Jan 26 '21 10:01 SamboyCoding

Is there any progress on implementing WASM yet? I really would like to use it with this fabulous project. Thanks in advance.

mc-fu avatar May 06 '21 10:05 mc-fu