📖 Tutorial How to hack Unity Android Games when there's no Assembly-Csharp.dll (libil2cpp.so method)


Sbenny

A crazy scientist
Staff member
Admin
SB Mod Squad ⭐
✔ Approved Releaser
Active User
I was helping a friend of mine about modding unity games without Assembly-Csharp.dll (or other dlls) files, so after typing this simple tutorial, I decided to share it with you all, in the hope it helps new modders to climb the ladder of success.

The first thing to do is to make sure this is the right method to follow. Well, if you previously modded your apk by editing the Assembly-Csharp.dll file and now, in the newest update, you go to Assets/Bin/Data/Managed/ and SURPRISE! there are no dll files anymore, then you definitely need to keep reading this tutorial.

The reason you don't find dlls anymore is because Unity recently added an option to export games using the il2cpp method, which unlike dlls, exports all the game codes into a file called "libil2cpp.so". It won't be as easy as modding dll files, but with a bit of practice, you'll find out you could even be faster using this new method than modding normal dlls, as soon as you know what to look for.

This tutorial would ideally require you to have a bit of shared library modding knowledge (modding .so files) as this method isn't too far from editing a normal lib game, but helps somehow since it provides the exact position and the names of the functions you need to edit, unlike most lib games.


Difficulty: Medium
Required Time: 30 minutes the first time, then 5 minutes or so
Required Skills: Medium modding knowledge + optional ARM language knowledge



1) The first thing to do is to grab the last version of the Il2cpp dumper: Perfare/Il2CppDumper and unzip it

2) Now, from the APK file you need to extract the files:

assets/bin/Data/Managed/Metadata/global-metadata.dat
lib/armeabi-v7a/libil2cpp.so (I suggest to keep an additional copy of this file)

It's advised to extract them in the same folder of the il2cpp dumper.

3) If there's a lib/x86 folder, you can delete it from the apk file (unless you know x86 opcodes, and anyways you'll need to make double work, while most devices can read apk files even without the x86 version, so you could avoid this unnecessary step)

4) Now, execute the "Il2CppDumper.exe" file and it'll ask you to select two files. The first you need to select is the libil2cpp.so file you previously moved from the apk file, and the second one is the global-metadata.dat.

5) if you're using the last version of it, SKIP STEP 5 and 6 and move to step 7.
Then, it might ask you about the Unity version (depending on the il2cpp dumper version you downloaded), you can try by typing 1 first and if it gives an error, you can repeat the process and type 2 instead (as far as I know, there's no fast and simple way for a modder to know the Unity version used to build the game, but if I'm wrong, please let me know and I'll update this step).

6) It'll ask you to select the dump method, by offering you a range to select from 1 (Manual) to 5 (Symbol), I usually select 4.

7) The script will now generate a file named dump.cs and a folder called "Managed", if it doesn't, you'll probably have to refer to step 5 and try again, or the game is probably protected against dumping.

8) The dump.cs is a simple txt file (open it with Notepad++) with a list of functions followed by an offset like: public int get_accuracy //0x123456. You can find your function by searching for its name if you know it already, otherwise refer to step 8a

where:
- public int indicates this is an Int32 function (other common function types are bool = Boolean, float = Single, and Void);
- get_accuracy is the name of the function (identical to the function name you have in the old dll version of the game);
- 0x123456 which, simplified, is just: 123456, is the offset (the position of that function in the libil2cpp.so file);

8a) the Managed folder contains the usual .dll files, but with empty functions, it's useful only to find the function if you don't know yet how it's called. If you want to proceed with this alternative method to find a function then, simply drag all the dlls in NET Reflector (or DnSpy) and find the function you need to edit, then move into the dump.cs file and search for the same function to find the offsets as shown in the step 8.

9) Open "Hxd"; if you don't have it, download it from here.

10) Drag the libil2cpp.so file in the Hxd window, press Ctrl+G to open the Search Offset window, and paste the offset from the function you found (in this example, 123456) and press enter

11) If the function you've modified is an INT32 and you simply want to return a very high value, do the following: select the first 8 bytes from the Hxd window starting from the point it took you after pressing Enter (a byte is a sequence of 2 letters/numbers, such as 4F, or 4C and so on), and, once selected, paste the following bytes in place of them: FF 04 E0 E3 1E FF 2F E1 (make sure you're replacing only 8 bytes with these other 8 bytes).

What is it?

FF 04 E0 E3 = MOV R0, 0xFFFFFF = ldc.i4 -> 16777215
1E FF 2F E1 = BX LR = ret

so you're returning a very very high value.

If you want to return just 1 (true) you can write:

01 00 A0 E3 = MOV R0, 1 = ldc.i4.1
1E FF 2F E1 = BX LR = ret

and if you want to return 0 (false) you can write:

00 00 A0 E3 = MOV R0, 0 = ldc.i4.0
1E FF 2F E1 = BX LR = ret


This guide isn't about ARM opcodes, anyways the codes above are the HEX equivalent of ARM values, which are used in the libil2cpp.so file and many other lib files you'll edit in your modding life 😜

A good way to test ARM opcodes is to use our exclusive BEST ARM CONVERTER but I'll not cover this aspect in this tutorial as it'd end up being too long otherwise. Maybe in the future I'll write a more extensive tutorial focusing on ARM opcodes or IDA general hacking.

It's important to always make sure you're not adding (or deleting) bytes from a .so file, so ALWAYS replace 4, 8, 16, etc. bytes with 4, 8, 16 bytes respectively, or the lib itself will break. The reason is behind the structure of shared libraries, which defines the start and the end of functions in its headers, and adding or removing bytes would cause all functions to start/end at different positions, which would break the entire library.


Now, after doing your changes just save by pressing Ctrl+S or by clicking on the Floppy Disk icon at the top of Hxd and drag back the modified libil2cpp.so file into the apk file.

You'll notice Hxd will also create a libil2cpp.so.bak file, which is the file you had before saving it (which isn't exactly a backup of the original file, but just a step before you saved it). It's still handy, although I prefer starting from scratch when things get too complicated (such as editing 10+ functions) as it's faster and easier; that's why I suggested taking a copy of the libil2cpp.so file at the top of this simple guide.

Now, as always, to see if it worked, just resign the apk file (unless you're rooted/patched) and install it.

If you previously modded this game when it was using the older version of Unity (Assembly-Csharp.dll), it'll be a lot easier for you, because you'll know which functions to look for, and how to edit them.

It's also important to specify that, unlike dll editing, this approach is simple only when you're completely replacing a function (such as when you return true, false, a high value or simply null it by adding only ret). If you instead did an advanced mod, editing lines at the middle/end of the function, you'll most likely fail at it, unless you have a good understanding of a good piece of software called IDA (which would be required in this case as you'll have to examine the whole function).

Hope it helps. For any suggestions or questions, feel free to ask me below and I'll be happy to assist you :)
 
Last edited:
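Added example (mine, not part of Sbenny's post): a small Python script that decodes the three ARM32 words the tutorial lists, so you can check what each 4-byte group actually encodes, and then runs the same check over a constructed libil2cpp.so-style blob from the defender's side: given dump.cs-style offsets, it flags functions whose first two words are nothing but "load a constant into R0; BX LR", which is the signature an integrity check on a shipped library would look for. The dump.cs line format, the sample blob and the function names are all assumptions; the decoder only handles the two instruction shapes the post uses and is not a general disassembler. Note that the first word decodes as MVN R0, #0xFF000000, which leaves the same 0x00FFFFFF (16777215) in R0 that the post describes.

```python
"""Decode the ARM32 words from the tutorial and flag constant-return stubs.

Added example, not from the original post. Sample data is constructed; the
dump.cs line format ("public int name // 0xOFFSET") is assumed from the post.
"""
import re
import struct

BX_LR = 0xE12FFF1E  # encoding of "BX LR": return to caller


def decode_arm_word(word: int) -> str:
    """Decode MOV/MVN Rd, #imm (data-processing, rotated immediate) or BX LR.

    Anything else is reported as unknown; this is deliberately not a full
    disassembler, only enough to explain the bytes used in the tutorial.
    """
    if word == BX_LR:
        return "BX LR"
    cond = word >> 28
    # bits 27-25 == 0b001 means data-processing with an immediate operand
    if cond == 0xE and (word >> 25) & 0b111 == 0b001:
        opcode = (word >> 21) & 0xF
        rd = (word >> 12) & 0xF
        rotate = (word >> 8) & 0xF
        imm8 = word & 0xFF
        # the 8-bit immediate is rotated right by 2*rotate within 32 bits
        imm = ((imm8 >> (2 * rotate)) | (imm8 << (32 - 2 * rotate))) & 0xFFFFFFFF
        if opcode == 0xD:
            return f"MOV R{rd}, #0x{imm:X}"
        if opcode == 0xF:
            return f"MVN R{rd}, #0x{imm:X}  ; R{rd} = 0x{(~imm) & 0xFFFFFFFF:X}"
    return f"unknown 0x{word:08X}"


def words_at(blob: bytes, offset: int, count: int = 2) -> list:
    """Read `count` little-endian 32-bit words starting at `offset`."""
    return [struct.unpack_from("<I", blob, offset + 4 * i)[0] for i in range(count)]


def is_constant_return_stub(blob: bytes, offset: int) -> bool:
    """True if the function at `offset` is just 'MOV/MVN R0, #imm ; BX LR'."""
    w0, w1 = words_at(blob, offset)
    d0 = decode_arm_word(w0)
    return (d0.startswith("MOV R0") or d0.startswith("MVN R0")) and w1 == BX_LR


# assumed dump.cs line shape: "public <type> <name> ... // 0x<offset>"
DUMP_LINE = re.compile(r"^\s*public\s+(\w+)\s+(\w+)[^/\n]*//\s*(0x[0-9A-Fa-f]+)", re.M)


def parse_dump(text: str) -> dict:
    """Map function name -> file offset from dump.cs-style text."""
    return {m.group(2): int(m.group(3), 16) for m in DUMP_LINE.finditer(text)}


def find_stubbed_functions(blob: bytes, dump_text: str) -> list:
    """Names (sorted) of functions that have been reduced to a constant return."""
    return sorted(name for name, off in parse_dump(dump_text).items()
                  if is_constant_return_stub(blob, off))


# --- constructed sample data (not a real game) ---
SAMPLE_DUMP = """\
public int get_accuracy // 0x10
public bool get_isPremium // 0x20
public int get_coins // 0x30
"""


def build_sample_lib() -> bytes:
    """A 64-byte blob with one untouched function and two stubbed ones."""
    blob = bytearray(0x40)
    # untouched: PUSH {R4, LR} ; MOV R4, R0 (a normal-looking prologue)
    struct.pack_into("<II", blob, 0x10, 0xE92D4010, 0xE1A04000)
    # returns 1: the tutorial's "true" bytes
    blob[0x20:0x28] = bytes.fromhex("0100A0E31EFF2FE1")
    # returns 0xFFFFFF: the tutorial's "very high value" bytes
    blob[0x30:0x38] = bytes.fromhex("FF04E0E31EFF2FE1")
    return bytes(blob)


if __name__ == "__main__":
    for w in (0xE3E004FF, 0xE3A00001, 0xE3A00000, 0xE12FFF1E):
        print(f"{w:08X}: {decode_arm_word(w)}")
    print("stubbed:", find_stubbed_functions(build_sample_lib(), SAMPLE_DUMP))
```

Run it as-is to see the decoded mnemonics and the two flagged names; point `find_stubbed_functions` at a real library and your own dump.cs to audit a build you are responsible for.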

LolHacksRule

Novice Lv1️⃣
Member for 5 years
How about help modifying IL2CPP games with no global-metadata.dat? Good tutorial though.
 

Sbenny

A crazy scientist
Staff member
Admin
SB Mod Squad ⭐
✔ Approved Releaser
Active User
It requires debugging which will be probably covered in one of my next tutorials.
 

AndnixSH

Savage Lv6️⃣
SB Mod Squad ⭐
Member for 8 years
Regarding point 5, probably you are looking for that
Open the APK file using WinRAR or 7-Zip. Go to \assets\bin\Data\ and open one of the asset files in Notepad++, or go to \assets\bin\Data\Resources and open unity_builtin_extra, and you will see the Unity version like below

View attachment 32175
In my Il2CppDumper GUI version, I've implemented getting the Unity version automatically when dropping any asset file or APK file :)
Try it out: Il2CppDumper GUI Tool
 
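Added example (mine, not AndnixSH's tool or any code from this thread): a Python snippet that does what the reply above does by eye in Notepad++, reading the Unity editor version string out of an asset file, either from loose bytes or straight from the APK's assets/bin/Data entries without unpacking it. Rather than depend on the SerializedFile header layout, which has changed between Unity format versions, it scans the first few kilobytes of each candidate for the version pattern Unity writes (for example 2019.4.12f1 or 5.6.3p1). The in-memory APK and asset bytes are constructed for the demonstration.

```python
"""Extract the Unity editor version from asset files or an APK.

Added example, not from the original thread. Sample APK and asset bytes are
constructed; only assets/bin/Data/ entries are examined.
"""
import io
import re
import zipfile
from typing import Optional, BinaryIO

# Unity version strings: "2019.4.12f1", "2021.3.5f1", "5.6.3p1", "4.7.2f1", ...
UNITY_VERSION = re.compile(rb"(?:20\d\d|[3-5])\.\d{1,2}\.\d{1,3}[abfpx]\d{1,3}")

# The version string sits in the asset header, so a prefix is enough to read
HEADER_PROBE_BYTES = 4096


def unity_version_from_bytes(data: bytes) -> Optional[str]:
    """Return the first Unity version string found in `data`, or None."""
    m = UNITY_VERSION.search(data)
    return m.group(0).decode("ascii") if m else None


def unity_version_from_apk(apk: BinaryIO) -> Optional[str]:
    """Scan assets/bin/Data/ entries inside an APK (a zip) for the version.

    Reads only the first HEADER_PROBE_BYTES of each entry, so large asset
    bundles are not fully decompressed.
    """
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if not name.startswith("assets/bin/Data/"):
                continue
            with zf.open(name) as fh:
                version = unity_version_from_bytes(fh.read(HEADER_PROBE_BYTES))
            if version:
                return version
    return None


def make_sample_asset(version: bytes = b"2019.4.12f1") -> bytes:
    """Constructed asset-like bytes: a 20-byte header, then the version string."""
    return bytes(20) + version + b"\x00" + b"\x13\x00\x00\x00" + bytes(32)


def build_sample_apk() -> bytes:
    """Constructed in-memory APK with one asset file and one unrelated entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("assets/bin/Data/Managed/Metadata/global-metadata.dat", bytes(64))
        zf.writestr("assets/bin/Data/Resources/unity_builtin_extra", make_sample_asset())
        zf.writestr("lib/armeabi-v7a/libil2cpp.so", bytes(64))
    return buf.getvalue()


if __name__ == "__main__":
    print("asset bytes:", unity_version_from_bytes(make_sample_asset()))
    print("apk:", unity_version_from_apk(io.BytesIO(build_sample_apk())))
```

For a real file, pass `open("game.apk", "rb")` to `unity_version_from_apk`; the answer is the value to feed the dumper when it asks for the Unity version.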

Elyprince

Apprentice Lv2️⃣
Member for 7 years
In step 5, after I select the mode it says, "detected this may be a dump file. If not, it must be protected. Input dump address:"

I don't know what to do here (I'm completely new at modding btw)
 

Sbenny

A crazy scientist
Staff member
Admin
SB Mod Squad ⭐
✔ Approved Releaser
Active User
In step 5, after I select the mode it says, "detected this may be a dump file. If not, it must be protected. Input dump address:"

I don't know what to do here (I'm completely new at modding btw)
Make sure you first selected the libil2cpp.so file and then the global-metadata.dat file. This should fix the problem.
 

Presian

Lurker Lv0️⃣
Member for 4 years
I got a DummyDll folder, containing the Assembly-CSharp, which I edited the normal way. Will this work, and how do I recompile it (if I have to), so I can drop it back into the apk folder? Tnx
 

Sbenny

A crazy scientist
Staff member
Admin
SB Mod Squad ⭐
✔ Approved Releaser
Active User
I got a DummyDll folder, containing the Assembly-CSharp, which I edited the normal way. Will this work, and how do I recompile it (if I have to), so I can drop it back into the apk folder? Tnx
You're not supposed to be able to edit "the normal way" that dll, as it's empty (didn't you notice each function had just a "nop"?). You can't mod them this way, you need to follow the above tutorial. If a simpler way was available, I would've described it.
 

Sbenny

A crazy scientist
Staff member
Admin
SB Mod Squad ⭐
✔ Approved Releaser
Active User
I tried Unity version 1 and 2 but it gives me an error
If this is the case (and if I understand correctly), you need to download the newest version of il2cpp dumper, as it gives you the option to specify which version of unity the apk file is based off, instead of the older version asking you to type 1 or 2.
 

atkins2080

Apprentice Lv2️⃣
Member for 5 years
I have an old version of a modified C Sharp.dll from a previous game of Oz Magic Match; it was for the moves number mod which I still have, but I don't know what to do with it because I don't know the new method, and I just extracted the dummy dll files from version 1.0.4059 of the game which is the newest update.
 

Sbenny

A crazy scientist
Staff member
Admin
SB Mod Squad ⭐
✔ Approved Releaser
Active User
I have an old version of a modified C Sharp.dll from a previous game of Oz Magic Match; it was for the moves number mod which I still have, but I don't know what to do with it because I don't know the new method, and I just extracted the dummy dll files from version 1.0.4059 of the game which is the newest update.
Open dummy.cs, search for the same function you edited in the previous version and edit the relative offset's HEX Values :)
 

atkins2080

Apprentice Lv2️⃣
Member for 5 years
Hi, I have the dummy.cs open and found the bonus moves section and opened it in the hex editor in DNspy, but can't find where it says bonus moves at, here is a screenshot of what I am doing so far.
37955
 

atkins2080

Apprentice Lv2️⃣
Member for 5 years
Hi, I tried using notepad++, but can't open the hex editor on it to find the values, I read something about IDS decompiler, but can't afford that program.
 

Sbenny

A crazy scientist
Staff member
Admin
SB Mod Squad ⭐
✔ Approved Releaser
Active User
Hi, I tried using notepad++, but can't open the hex editor on it to find the values, I read something about IDS decompiler, but can't afford that program.
Please refer to my guide which explains everything carefully. I didn't mention IDS decompiler anywhere, so I guess you're mixing up two different guides (mine and something else found elsewhere), which isn't going to help you solving your issues.
 

chu121su12

Lurker Lv0️⃣
Member for 4 years
Hi,

Can I ask the return value for both boolean true and false?
Also, does the return value matter if I am editing a public vs private vs static function?

Thanks
 