Il2cpp lib tool killer protection and bypass


Snailsoft

∞ and beyond!
Staff Member
Moderator
SB Mod Squad ⭐
✔ Approved Releaser
Active User
Member for 2 years
I was recently presented with a game that, when loaded, would not allow the il2cpp tools to run.
It actively kills the tools 😲
As many know, these modding tools allow modification of Unity games.
Upon researching, I found functions similar to those that kill MT, LP, GG etc.
libtool checker.so is the culprit.
Using MT it is easy to locate the library call.

It has a simple protection that can be easily fooled.
The library itself is protected, so we just remove the call and lie about the test result.

Now we can simply delete the anti mod library.

You may now add whatever tool you use normally.

While easy to deal with now, clearly developers are catching on and creating countermeasures.
Expect this to get worse.
For now, a simple fix.
 

Draken88

In Love Lv4️⃣
✔ Approved Releaser
Member for 7 years
Great tutorial, thank you 🙂
 

Poison Modz

❤️ Sheriff of Sbennytopia ❤️
Staff Member
Moderator
Approval Team
Member for 5 years
Some images don't show
 

Snailsoft

∞ and beyond!
Staff Member
Moderator
SB Mod Squad ⭐
✔ Approved Releaser
Active User
Member for 2 years
I have found a new variant that is better protected and more aggressive.
My method of removal doesn't work on this one.

It is a part of BugSnag, a proposed Google crash analytics alternative.
BugSnag is in fact a data mining tool, and their analytic software is a combination of malicious analytics and debugger and mod killer.

In this game I am trying to mod, I easily removed standard protection and license without issue.
As soon as MT, LP, or LibTools is loaded, the game shuts down and tries to send an anonymous report to Smart Bear. Blocked by firewall.

I am working on this protection, but the code is spread throughout and obfuscated.
 

Draken88

In Love Lv4️⃣
✔ Approved Releaser
Member for 7 years
We started our journey with the browndust2 game. I want to see where it goes; they keep enhancing this protection 😬
 

SteweEliteModder

APK Fanatic Lv5️⃣
Special Guest
SB Mod Squad ⭐
✔ Approved Releaser
Active User
Member for 7 years
If smali, use blackdex on emulator to get obfuscated code, dumping dex
 

Snailsoft

∞ and beyond!
Staff Member
Moderator
SB Mod Squad ⭐
✔ Approved Releaser
Active User
Member for 2 years
An update.
BugSnag is not, per se, a tool to kill libtool; rather, it detects any debugger in memory.
Unlike libtoolcheck.so, which seeks out the libtool.so file, BugSnag doesn't bother looking. The tool can be present, so long as it isn't active.
Also, it isn't looking for a name; rather, it is monitoring for a function(s). Was a process called from outside the base apk?
The code is in the DEX/Smali, libil2cpp, unity libraries, unity data, global-metadata. Without the source code it cannot be easily removed.

Fortunately for Unity modders, the old school approach still works.
Use Windows/Linux/external libtool.
Extract the library and data, dump the .cs file, and hunt for the offsets.
Adding the mod menu still works as it is internal and not debugging.
 

LadyOnePunch

Hardcore Lv9️⃣
From the Hell
SB Mod Squad ⭐
Pro+
✔ Approved Releaser
Active User
Member for 2 years
All I know is - bugsnag can be removed or patched - looking for some more info
 
The Cursed Castle - Online RPG on Google Play