MemoryDumpIl2Cpp
this is dump unity Il2Cpp CS Struct and IDA Script without global-metadata.dat in Runtime. but need others to analyse it;
as shown in the figure
How to Use
need one root android phone.
push so to /system/lib64
create config to same path such as
config
{
"outDir":"/data/data/com.imy.i2lcpp", //outPath
"forceVer":0 //force unity ver
}
// UnityVersion Compatible list
// 5.3.0f4 | 5.3.0f4 - 5.3.1f1 | v16
// 5.3.2f1 | 5.3.2f1 | v19
// 5.3.3f1 | 5.3.3f1 - 5.3.4f1 | v20
// 5.3.5f1 | 5.3.5f1 | v21
// 5.3.6f1 | 5.3.6f1 | v21
// 5.3.7f1 | 5.3.7f1 - 5.3.8f2 | v21
// 5.4.0f3 | 5.4.0f3 | v21
// 5.4.1f1 | 5.4.1f1 - 5.4.3f1 | v21
// 5.4.4f1 | 5.4.4f1 - 5.4.6f3 | v21
// 5.5.0f3 | 5.5.0f3 | v22
// 5.5.1f1 | 5.5.1f1 - 5.5.6f1 | v22
// 5.6.0f3 | 5.6.0f3 - 5.6.7f1 | v23
// 2017.1.0f3 | 2017.1.0f3 - 2017.1.2f1 | v24
// 2017.1.3f1 | 2017.1.3f1 - 2017.1.5f1 | v24
// 2017.2.0f3 | 2017.2.0f3 | v24
// 2017.2.1f1 | 2017.2.1f1 - 2017.4.40f1 | v24
// 2018.1.0f2 | 2018.1.0f2 - 2018.1.9f2 | v24
// 2018.2.0f2 | 2018.2.0f2 - 2018.2.21f1 | v24
// 2018.3.0f2 | 2018.3.0f2 - 2018.3.7f1 | v24.1
// 2018.3.8f1 | 2018.3.8f1 - 2018.4.36f1 | v24.1
// 2019.1.0f2 | 2019.1.0f2 - 2019.2.21f1 | v24.2
// 2019.3.0f6 | 2019.3.0f6 - 2019.3.6f1 | v24.2
// 2019.3.7f1 | 2019.3.7f1 - 2019.4.14f1 | v24.3
// 2019.4.15f1 | 2019.4.15f1 - 2019.4.20f1 | v24.4
// 2019.4.21f1 | 2019.4.21f1 - 2019.4.29f1 | v24.5
// 2020.1.0f1 | 2020.1.0f1 - 2020.1.10f1 | v24.3
// 2020.1.11f1 | 2020.1.11f1 - 2020.1.17f1 | v24.4
// 2020.2.0f1 | 2020.2.0f1 - 2020.2.3f1 | v27
// 2020.2.4f1 | 2020.2.4f1 - 2020.3.15f2 | v27.1
// 2021.1.0f1 | 2021.1.0f1 - 2021.1.16f1 | v27.2
use frida to inject
find this in IDA
let s_GlobalMetadataHeader=0XC1D130
let s_Il2CppMetadataRegistration=0XC1D100
let s_Il2CppCodeRegistration= 0XC1D0F8
get il2cppso handle
let dlopen = Module.findExportByName(null,"dlopen");
if (dlopen != null) {
Interceptor.attach(dlopen, {
onEnter: function (args) {
let path = args[0].readCString();
if (path.indexOf(soName) !== -1) {
this.hook = true;
}
},
onLeave: function (retval) {
if (this.hook) {
il2cppHandler = new NativePointer(s);
}
}
})
}
load so
let module = Process.findModuleByName('libil2cpp.so');
let il2CppGlobalMetadataHeader = module.base.add(s_GlobalMetadataHeader).readPointer();
let il2cppMetadataRegistration = module.base.add(s_Il2CppMetadataRegistration).readPointer();
let il2cppCodeRegistrantion = module.base.add(s_Il2CppCodeRegistration).readPointer();
let dumperSo = Module.load("/system/lib64/libdumper.so");
let dumpstartAddr = dumperSo.findExportByName("_ZN8CSDumper5startEPvS0_S0_S0_");
let start_fun = new NativeFunction(dumpstartAddr,"void",['pointer','pointer','pointer','pointer']);
start_fun(il2CppGlobalMetadataHeader,il2cppMetadataRegistration,il2CppCodeRegistration,il2cppHandler);
if you need loginfo filter "Imy" in Logcat
IDA Script create Done!
generating il2cpp.h
il2cpp.h create done!
when dump success this info will appear , and it will be create dump.cs il2cpp.h script.json stringLiteral.json in /data/data/pkgName/files/
this so only support 64 and unity version in 2018.3.0f2-2018.4.36f1, other version not support
if you want more version Contact
email: [email protected]
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent