📖 Tutorial How to hack Unity Android Games when there's no Assembly-Csharp.dll (libil2cpp.so method)

[kapeyy]

Hello, I'm trying to mod a game...
I don't know how to code with ARM

All I want to do is just replace the Random function
Here's a pic from dnSpy (its from the older version of the game)

Spoiler: pic0

The random range is actually (40f, 300f), (-50, 80), 0
I already tried with the method you given, and this is what I got

Spoiler: pic1

I'm seriously don't understand about ARM opcodes... and I can't understand tutorials I found at google.

 

[Whistler]

Hey, I've very recently started to try and get into modding so i dont know a lot and maybe theres something I'm missing, but I've been trying my luck with a singleplayer mobile game, night of the full moon, it does have global metadata and an il2cpp folder, but no lib folder or libil2cpp.

Maybe it was changed recently? Maybe mobile builds are different?

 

[TheLGL]

Nice tutorial!
It's called Il2Cpp scripting backend. Unity Editor have option to choose Mono (DLL) or Il2Cpp backend (SO)
Native is basically faster than mono because it does not need translation or anything

 

[agriz]

After editing, i build the game using apktool.
But it is not installing and throws error. Unable to install apk.

Editing part is confusing.
Can you please write in details?

 

[Sbenny]

If it doesn't install it means you didn't sign the apk.

 

[tahooo]

hello, man i have a question
lets say that i dumped a protected ilcpp2.so from memory and then i used the dumper to extract function names and classes .
so,after i get the values that i want to change.
the question is :how iam gonna be able to modify the original library with hex editor and it is protected,any idea.

 

[Sbenny]

The file dump.cs has the offset position of the funcion inside hxd. For example:

get_Money // 0x123456

where 123456 is the offset, so you just press Ctrl+G from hxd and paste your offset, then, press enter. It will show you the beginning of the function, and it's from that point that you need to replace the original values with the modified ones you want to put there.

 

[tahooo]

i know but did that work even if libil2cpp.so is protected because the bytes from offset is diffrent from the dump of libil2cpp.so.

 

[bestkings]

could you help me know how to return a double value?
ldc.i8
ret
with mov r0 isn't work

 

[Sbenny]

Double isn't ldc.i8 but ldc.r8, please explain better what you'd like to do, if an INT64 or a DOUBLE value, thanks

 

[Dementor99]

Does anyone know a good binary to Arm/arm64 opcode convertor

 

[Gourov]

I use this one ....

ARM converter

armconverter.com

Post automatically merged: Jun 2, 2020

You mean hex to Arm right ?

Post automatically merged: Jun 2, 2020

could you help me know how to return a double value?
ldc.i8
ret
with mov r0 isn't work

Double isn't ldc.i8 but ldc.r8, please explain better what you'd like to do, if an INT64 or a DOUBLE value, thanks

Bro @Sbenny I have a same kind of question ...
If I have Int64 or Single or Double should I also use Mov r0 , #xxxx or something else ?

And as you know ,
Max return value of 4 bytes Mov is 65535 . So for returning more should I use like
Mov r0 , #xxxx
Mul/Add r0 , r0
Or,
Ldr r0 , =xxxx ?

 

[Dementor99]

No I ment a tool/plugin that could take raw ARM ML bytes and convert them into ARM opcodes, guess I'd have to write one myself BTW, could we modify these elfs the same way it's done to MONO dlls, as in add/remove instructions and recalculate offsets and the final binary still be valid?

Or do you think the ELF format puts stricter limitations on applicable changes?

 

[Sbenny]

No I ment a tool/plugin that could take raw ARM ML bytes and convert them into ARM opcodes, guess I'd have to write one myself BTW, could we modify these elfs the same way it's done to MONO dlls, as in add/remove instructions and recalculate offsets and the final binary still be valid?

Or do you think the ELF format puts stricter limitations on applicable changes?

On the same site there's also HEX to ARM converter, which converts bytes into readable ARM instructions.

As per @Gourov 's question, when talking about float (single) it's a different story. Look at this example I created: Float (IEEE754 Single precision 32-bit)

Basically, if you want to return 128 in float you need to write MOV R0, 0x43000000 but unforutnately you can't return ANY values in this way. This is a "hacky" way to put a float value into an INT32 instruction, because normally R registers (like R0, R1 and so on) are used to store INT32 values, and not float which are usually put into S registers (where S stands probably for Single).

So, to return 128 float you can do:

MOV R0, 0x43000000
BX LR

I hope it helps.

 

[Gourov]

On the same site there's also HEX to ARM converter, which converts bytes into readable ARM instructions.

As per @Gourov 's question, when talking about float (single) it's a different story. Look at this example I created: Float (IEEE754 Single precision 32-bit)

Basically, if you want to return 128 in float you need to write MOV R0, 0x43000000 but unforutnately you can't return ANY values in this way. This is a "hacky" way to put a float value into an INT32 instruction, because normally R registers (like R0, R1 and so on) are used to store INT32 values, and not float which are usually put into S registers (where S stands probably for Single).

So, to return 128 float you can do:

MOV R0, 0x43000000
BX LR

I hope it helps.

Thanks a lot bro ... At least now I can do some experiment Lol @Sbenny bro , I will annoy you again if come across any problem

 

[Sbenny]

Anytime Also, please note you can't put any values you want in float, you have a limited range in multiples of 2 (16 - 32 - 64 - 128 - 256 and so on)

 

[Gourov]

Anytime Also, please note you can't put any values you want in float, you have a limited range in multiples of 2 (16 - 32 - 64 - 128 - 256 and so on)

Ok I will keep that in mind

 

[bestkings]

Double isn't ldc.i8 but ldc.r8, please explain better what you'd like to do, if an INT64 or a DOUBLE value, thanks

Sorry my wrong, it's double value. In C# it look like "public double blahblah"
I don't know about ARM. Go around, I have this thing, but it's only half work (mean have double value but can't control it). Please teach me
bvc #0xff851ec0
eormi sl, r8, r4, lsl lr

 

[Legacy]

Anytime Also, please note you can't put any values you want in float, you have a limited range in multiples of 2 (16 - 32 - 64 - 128 - 256 and so on)

Its kinda possible using the IEEE-754 Floating-Point Conversion from Floating-Point to Hexadecimal. The range is only from 1 - 2000 and only works for ARMv7.

Post automatically merged: Jun 4, 2020

No I ment a tool/plugin that could take raw ARM ML bytes and convert them into ARM opcodes, guess I'd have to write one myself BTW, could we modify these elfs the same way it's done to MONO dlls, as in add/remove instructions and recalculate offsets and the final binary still be valid?

Or do you think the ELF format puts stricter limitations on applicable changes?

I did find a tool a while ago. I has its limitations but overall it does the job. Link

 

[Gourov]

Its kinda possible using the IEEE-754 Floating-Point Conversion from Floating-Point to Hexadecimal. The range is only from 1 - 2000 and only works for ARMv7.

Yesterday I find out that the range is not limited on 1-2000 but you can also return more high value as long as you have 2 bytes hex. Like you can return 4000 , 16000 , 32000 , 64000 , 128000 , 512000 and so on. Also possible to return like 4128 , 4256 , 4512 , 4640 and so on.