Powerful automated tool for reverse engineering Unity IL2CPP binaries


[Project maintainer is on hiatus until May 2021. Critical bug fixes and compatibility updates only during this time window]

Il2CppInspector 2021.1

Il2CppInspector helps you to reverse engineer IL2CPP applications, providing the most complete analysis currently available.

Il2CppInspector GUI

Main features

Tutorials and Guides

You can read more about how IL2CPP works in my series IL2CPP Reverse Engineering:

How IL2CPP works

Part 1: Hello World and the IL2CPP Toolchain

Part 2: Structural Overview & Finding The Metadata

Il2CppInspector guides

Il2CppInspector Plugin Development Wiki

How to create, use and debug IL2CPP DLL injection projects

Working with code in IL2CPP DLL injection projects

Using Il2CppInspector's type model to extract protobuf-net definitions (Case Study: Fall Guys)

Reverse engineering walkthroughs

Finding loaders for obfuscated global-metadata.dat files - explains how to find the loader, deobfuscation and/or decryption code for global-metadata.dat in almost any IL2CPP application

Enable loading of League of Legends: Wild Rift - covers XOR decryption, XOR string decryption, API export ROT decryption, data obfuscation of binary metadata

Enable loading of Honkai Impact (3 parts) - covers finding functions in an image, data obfuscation of global-metadata.dat, IDA decompiler techniques, how to write a plugin

VMProtect control flow obfuscation in Honkai Impact - covers extrapolating the code path from a function with control flow flattening using x64dbg and the IDA decompiler

Reverse engineering Genshin Impact with PowerShell - covers writing a test harness to find a function in an obfuscated binary via brute-force attack / reverse fuzzing

Other features

File format and architecture support:

  • Supports ELF (Android .so), PE (Windows .exe), Mach-O (Apple iOS/Mac), Universal Binary (Fat Mach-O) and FSELF (PlayStation 4 .prx/.sprx) file formats
  • Also supports single and split APK (Android), AAB (Android App Bundle), XAPK, Zip and decrypted IPA (iOS) application package files as input
  • Supports ELF files created from memory dumps
  • Supports Linux process maps + corresponding .bin files - such as those produced by GameGuardian - without the need to manually extract the IL2CPP binary
  • 32-bit and 64-bit support for all file formats
  • Supports ARMv7, Thumb-2, ARMv8 (A64), x86 and x64 architectures regardless of file format
  • Supports applications created with Unity 5.3.0 onwards (full IL2CPP version table below)

Nice to have:

  • Support for assemblies, classes, methods, constructors, fields, properties, enumerations, events, interfaces, structs, pointers, references, attributes, nested types, generic types, generic methods, generic constraints, default field values and default method parameter values
  • C# syntactic sugar for CTS value types, compiler-generated types, delegates, extension methods, operator overloading, indexers, user-defined conversion operators, explicit interface instantiations, finalizers, nullable types, unsafe contexts, fixed-size arrays, variable length argument lists, method hiding and escaped strings
  • Partition C# code output by namespace, assembly, class, full tree or single file; sort by index or type name; output flat or nested folder hierarchy. Each file includes the necessary using directives. Scope and type name conflicts are resolved automatically to produce code that compiles.
  • API function export processing for PE, ELF, Mach-O and SELF (PRX) binaries
  • Symbol table processing and name demangling for ELF and Mach-O binaries
  • Relocation processing for ELF binaries
  • Automatically defeats certain basic obfuscation methods
  • Test chassis for automated integration testing of IL2CPP binaries

Class library targets .NET Core 3.1. Built with Visual Studio 2019.

NOTE: Il2CppInspector is not a decompiler. It can provide you with the structure of an application and function addresses for every method so that you can easily jump straight to methods of interest in your disassembler. It does not attempt to recover the entire source code of the application.

Build instructions

git clone --recursive https://github.com/djkaty/Il2CppInspector
cd Il2CppInspector

Build the CLI and Windows GUI versions:

dotnet publish -c Release

Get all current plugins (optional):

powershell -f get-plugins.ps1
Mac OS X

Build the CLI version:

cd Il2CppInspector.CLI
dotnet publish -r osx-x64 -c Release

Get all current plugins (optional):


Build the CLI version:

cd Il2CppInspector.CLI
dotnet publish -r linux-x64 -c Release

Get all current plugins (optional):


For other operating systems supporting .NET Core, add -r xxx to the final command where xxx is a RID from https://docs.microsoft.com/en-us/dotnet/articles/core/rid-catalog

The output binary for command-line usage is placed in Il2CppInspector/Il2CppInspector.CLI/bin/Release/netcoreapp3.0/[win|osx|linux]-x64/publish/Il2CppInspector.exe.

The output binary for Windows GUI is placed in Il2CppInspector/Il2CppInspector.GUI/bin/Release/netcoreapp3.1/[win|osx|linux]-x64/publish/Il2CppInspector.exe.

The plugins folder should be placed in the same folder as Il2CppInspector.exe.

Command-line Usage

Run Il2CppInspector.exe at the command prompt.

File format and architecture are automatically detected.

All outputs are generated by default. To generate only specific outputs, use the --select-outputs switch in combination with the output selection switches.

  -i, --bin                   (Default: libil2cpp.so) IL2CPP binary, APK, AAB, XAPK, IPA, Zip or Linux process map text input file(s) (single file or comma-separated list for split APKs)

  -m, --metadata              (Default: global-metadata.dat) IL2CPP metadata file input (ignored for APK/AAB/XAPK/IPA/Zip)

  --image-base                For ELF memory dumps, the image base address in hex (ignored for standard ELF files and other file formats)

  --select-outputs            Only generate outputs specified on the command line (use --cs-out, --py-out, --cpp-out, --json-out, --dll-out to select outputs). If not specified, all outputs are generated

  -c, --cs-out                (Default: types.cs) C# output file (when using single-file layout) or path (when using per namespace, assembly or class layout)

  -p, --py-out                (Default: il2cpp.py) Python script output file

  -h, --cpp-out               (Default: cpp) C++ scaffolding / DLL injection project output path

  -o, --json-out              (Default: metadata.json) JSON metadata output file

  -d, --dll-out               (Default: dll) .NET assembly shim DLLs output path

  --metadata-out              IL2CPP metadata file output (for extracted or decrypted metadata; ignored otherwise)

  --binary-out                IL2CPP binary file output (for extracted or decrypted binaries; ignored otherwise; suffixes will be appended for multiple files)

  -e, --exclude-namespaces    (Default: System Mono Microsoft.Reflection Microsoft.Win32 Internal.Runtime Unity UnityEditor UnityEngine UnityEngineInternal AOT JetBrains.Annotations) Comma-separated list of namespaces to suppress in C# output, or 'none' to include all namespaces

  -l, --layout                (Default: single) Partitioning of C# output ('single' = single file, 'namespace' = one file per namespace in folders, 'assembly' = one file per assembly, 'class' = one file per class in namespace folders, 'tree' = one file per class in assembly and
                              namespace folders)

  -s, --sort                  (Default: index) Sort order of type definitions in C# output ('index' = by type definition index, 'name' = by type name). No effect when using file-per-class or tree layout

  -f, --flatten               Flatten the namespace hierarchy into a single folder rather than using per-namespace subfolders. Only used when layout is per-namespace or per-class. Ignored for tree layout

  -n, --suppress-metadata     Diff tidying: suppress method pointers, field offsets and type indices from C# output. Useful for comparing two versions of a binary for changes with a diff tool

  --suppress-dll-metadata     Diff tidying: suppress method pointers, field offsets and type indices attributes from DLL output. Useful for comparing two versions of a binary for changes

  -k, --must-compile          Compilation tidying: try really hard to make code that compiles. Suppress generation of code for items with CompilerGenerated attribute. Comment out attributes without parameterless constructors or all-optional constructor arguments. Don't emit
                              add/remove/raise on events. Specify AttributeTargets.All on classes with AttributeUsage attribute. Force auto-properties to have get accessors. Force regular properties to have bodies. Suppress global::Locale classes. Generate dummy parameterless
                              base constructors and ref return fields.

  --separate-attributes       Place assembly-level attributes in their own AssemblyInfo.cs files. Only used when layout is per-assembly or tree

  -j, --project               Create a Visual Studio solution and projects. Implies --layout tree, --must-compile and --separate-attributes

  --cpp-compiler              (Default: BinaryFormat) Compiler to target for C++ output (MSVC or GCC); selects based on binary executable type by default

  -t, --script-target         (Default: IDA) Application to target for Python script output (IDA or Ghidra) - case-sensitive

  --unity-path                (Default: C:\Program Files\Unity\Hub\Editor\*) Path to Unity editor (when using --project). Wildcards select last matching folder in alphanumeric order

  --unity-assemblies          (Default: C:\Program Files\Unity\Hub\Editor\*\Editor\Data\Resources\PackageManager\ProjectTemplates\libcache\com.unity.template.3d-*\ScriptAssemblies) Path to Unity script assemblies (when using --project). Wildcards select last matching folder in
                              alphanumeric order

  --unity-version             Version of Unity used to create the input files, if known. Used to enhance Python, C++ and JSON output. If not specified, a close match will be inferred automatically.

  --unity-version-from-asset  A Unity asset file used to determine the exact Unity version. Overrides --unity-version.

  --plugins                   Specify options for plugins. Enclose each plugin's configuration in quotes as follows: --plugins "pluginone --option1 value1 --option2 value2" "plugintwo --option...". Use --plugins  to get help on a specific plugin

  --help                      Display this help screen.

  --version                   Display version information.

File format considerations

Apple Universal Binaries and APKs/XAPKs with binaries for multiple architectures: when using the CLI, multiple output files will be generated, with each filename besides the first suffixed by the index of the image in the binary. Unsupported images will be skipped.

IPA packages: the executable must be decrypted first. Encrypted executable binaries are not supported.

Split APK packages: when using the CLI, specify a list of APK files with a comma between each filename.

ELF binaries created from memory dumps: specify the image base (in hex) using --image-base. If the supplied image base is incorrect, the application may crash.

GameGuardian dumps (and other Linux process map dumps): you can use a *-maps.txt file in place of an IL2CPP binary. Il2CppInspector will scan the folder containing the maps file for matching .bin files and reassemble and rebase libil2cpp.so automatically. You therefore don't need to create the file manually or provide an image base address when using this kind of dump. For this to work, neither the text file nor any of the binary files must be renamed, and all must be in the same folder.

Packed PE files (DLLs): WARNING: Loading a packed PE file will cause the DLL's entry point and initialization functions to execute. Do not load malicious DLLs and never run Il2CppInspector as an administrator when handling packed PE files. USE AT YOUR OWN RISK.

Creating C# prototypes

Il2CppInspector can create C# code stub files with pointer metadata to allow you to explore the IL2CPP binary in an easy-to-read format.

Specify the -c switch to choose the C# output file or path.

To exclude types from certain namespaces from being generated in the C# source file output, provide a comma-separated list of case-sensitive namespaces in --exclude-namespaces. The following namespaces will be excluded if no argument is specified:


Providing an argument to --exclude-namespaces will override the default list. To output all namespaces, use --exclude-namespaces=none. This only applies to C# prototypes output.

You can specify the output layout with the --layout switch:

  • single - all types in a single file
  • namespace - one namespace per file (each file will be given the namespace name)
  • assembly - one assembly per file (each file will be given the assembly name)
  • class - one class per file
  • tree - one class per file in a tree-like folder structure with top-level assembly folders and second-level namespace folders

You can specify the intra-file type ordering with the --sort switch:

  • index - sort by type definition index as found in the IL2CPP metadata
  • name - sort alphabetically by type name

This switch has no effect when using class or tree layout.

The --flatten switch allows you to flatten a hierarchy of nested namespaces when layout is class or namespace, ie. a series of sub-folders System/IO/Compression will instead be a single top-level sub-folder System.IO.Compression.

The --suppress-metadata switch allows you to suppress the output of comments including method pointers, field offsets and type indices. This is useful when you want to diff the changes between two versions of an application to see only which types have changed.

The --seperate-attributes switch directs Il2CppInspector to put assembly-level attributes in their own AssemblyInfo.cs files rather than at the top of the first file generated for each assembly, when layout is assembly or tree.

Adding metadata to your IDA workflow

Simply run Il2CppInspector with the -p switch to choose the IDA script output file. Load your binary file into IDA, press Alt+F7 and select the generated script. Observe the Output Window while IDA analyzes the file - this may take a long time.

Three files are generated by Il2CppInspector for IDAPython: the Python script itself, a JSON metadata file and a C++ type header file (this is cpp/appdata/il2cpp-types.h by default if you used the CLI, or il2cpp.h if you used the GUI). These files must be present for the script to run successfully.

If you know which version of Unity the binary was compiled with, you can improve the output by specifying this with --unity-version, for example --unity-version 2019.3.1f1. You can also supply any asset file from the application to detect the Unity version with --unity-version-from-asset. Otherwise Il2CppInspector will make an educated guess based on the contents of the binary.

Il2CppInspector generates the following data for IDA projects:

  • Type declarations for all IL2CPP internal types
  • Type declarations for every type in the IL2CPP application including generic instances
  • Addresses for every known type
  • Names for all regular .NET methods
  • Names for all constructed generic methods
  • Names and typed signatures for all IL2CPP custom attributes generator functions
  • Names, .NET argument type lists and typed signatures for all IL2CPP runtime invoker functions for both regular and constructed generic methods (per-signature Method.Invoke endpoints)
  • Function boundaries for all of the above
  • Comments at each function entry point with .NET method signatures for all of the above
  • Names and type declarations for all of the following IL metadata references: Type, TypeInfo, MethodDef, FieldInfo, StringLiteral, MethodRef (this includes all generic class and method instantiation metadata)
  • Comments for all IL string literal metadata pointers containing the value of the string
  • Names and types for some IL2CPP-specific data structures and functions
  • Names and typed signatures for all IL2CPP API functions that could be identified

Example IDA C++ decompilation after applying Il2CppInspector (initialization code omitted for brevity):

Il2CppInspector annotated IDA project

Adding metadata to your Ghidra workflow

Run Il2CppInspector with the -p switch to choose the Ghidra script output file, and -t Ghidra (case-sensitive) to specify Ghidra as the script type you wish to produce.

Three files are generated by Il2CppInspector for Ghidra: the Python script itself, a JSON metadata file and a C++ type header file. These files must be present for the script to run successfully.

If you know which version of Unity the binary was compiled with, you can improve the output by specifying this with --unity-version, for example --unity-version 2019.3.1f1. You can also supply any asset file from the application to detect the Unity version with --unity-version-from-asset. Otherwise Il2CppInspector will make an educated guess based on the contents of the binary.

NOTE: For best results, choose No when Ghidra asks if you would like to perform auto-analysis when the binary is first loaded. If you receive a Conflicting data exists at address error when running the script below, re-load the binary into the project and choose No at the auto-analysis prompt.

NOTE: To significantly speed up analysis for ELF files, set the image base to zero (0x00000000) in the load options for the binary. For compatibility reasons, executing the Ghidra Python script on an ELF file will change the file's image base to zero for you if necessary, however if the current image base is non-zero this may take a very long time to complete. Other file formats will retain the same image base.

To import metadata into an existing Ghidra project:

  1. From the Code Browser, choose File -> Parse C Source...

  2. Create a new profile and add the generated C++ type header file. This is cpp/appdata/il2cpp-types.h by default if you used the CLI, or il2cpp.h if you used the GUI.

  3. Ensure the Parse Options are set exactly as follows:


  4. Click Parse to Program and accept any warnings. This may take a long time to complete.

  5. Open the Script Manager and add the output folder you chose in Il2CppInspector as a script folder.

  6. If you have used scripts from Il2CppInspector for other binaries, ensure the Python files are named differently, or disable use of the previous script folder(s).

  7. Click Refresh to make the script appear in Script Manager.

  8. Right-click the script and choose Run. This may take a while to complete.

Ghidra import help

Il2CppInspector generates identical data for Ghidra projects as it does for IDA - see the above section for details.

Example Ghidra C++ decompilation after applying Il2CppInspector:

Il2CppInspector annotated Ghidra project

Creating C++ scaffolding or a DLL injection project

Il2CppInspector generates a series of C++ source files which you can use in a variety of ways, for example:

  • with a tool like x64dbg to analyze the memory of the application at runtime
  • with a tool like Cydia Substrate (MSHookFunction) for accessing types, methods and IL2CPP API functions
  • to run custom code via DLL injection on Windows (see below)

Run Il2CppInspector with the -h switch to choose the C++ output folder.

If you know which version of Unity the binary was compiled with, you can improve the output by specifying this with --unity-version, for example --unity-version 2019.3.1f1. You can also supply any asset file from the application to detect the Unity version with --unity-version-from-asset. Otherwise Il2CppInspector will make an educated guess based on the contents of the binary.

You can target which C++ compiler you wish to use the output files with: specify --cpp-compiler MSVC for Visual Studio and --cpp-compiler GCC for gcc or clang.

Il2CppInspector performs automatic name conflict resolution to avoid the use of pre-defined symbols and keywords in C++, and to handle re-definition of same-named symbols in the application.

Some IL2CPP binary files contain only a partial set of API exports, or none at all. For these cases, Il2CppInspector will build scaffolding using only the available exports to ensure that the project compiles successfully.

Il2CppInspector GUI

The following files are generated:

  • appdata - this folder contains project-agnostic binary-specific declarations:
    • ilc2pp-types.h:

      • Type declarations for all internal IL2CPP types (a minimal version of the Unity headers)
      • Type declarations for every type used in the application including all arrays, enums, concrete generic type instances and inferred usages from metadata.
      • Boxed versions for types where applicable
      • VTables for every type
    • il2cpp-functions.h:

      • The function pointer signature and offset from the image base address to every C#-equivalent method
      • The offset from the image base address to every method information class (MethodInfo **)
    • il2cpp-types-ptr.h:

      • The offset from the image base address to every type information class (Il2CppClass **)
    • il2cpp-api-functions.h:

      • The function pointer signature to every IL2CPP API function (copied directly from Unity for the version used to compile the binary). Functions not found in the binary's export list will be elided
    • il2cpp-api-functions-ptr.h:

      • The offset from the image base address to every IL2CPP API function export (functions starting with il2cpp_)
    • il2cpp-metadata-version.h:

      • A #define for the IL2CPP version used by the target binary

The above files contain all the data needed for dynamic analysis in a debugger.

In addition, the following files are generated for DLL injection:

  • framework - project-agnostic binary-agnostic boilerplate code and scaffolding:

    • dllmain.cpp:

      • Provides a DLL injection stub which calls init_il2cpp() (see below) and starts Run() (see below) in a new thread
    • helpers.cpp and helpers.h:

      • Provides various helper functions. See the comments in helpers.h for details.
    • il2cpp-init.cpp, il2cpp-init.h and il2cpp-appdata.h:

      • Provides the void init_il2cpp() function which uses all of the above headers to generate usable function pointers and class pointers that are mapped to the correct places in the in-memory image at runtime
    • pch-il2cpp.cpp and pch-il2cpp.h:

      • Provides the necessary scaffolding to enable pre-compiled headers (PCH) for all of the headers in the appdata folder
  • user - project-specific binary-agnostic user code which you can modify as desired:

    • main.cpp and main.h:
      • Contains a stub Run() function which denotes the entry point for your custom injected code. The function executes in a new thread and therefore does not block DllMain.

    This is the only folder whose files you should edit.

For Visual Studio users, the following files are also generated:

  • IL2CppDLL.vcxproj, Il2CppDLL.vcxproj.filters and Il2CppDLL.sln:
    • The project and solution files for a DLL injection project. The first time you load the solution into Visual Studio, you will be asked to re-target the platform SDK and C++ toolchain. Accept the default suggestions. WARNING: Compilation may fail if you don't do this.

The default main.cpp includes commented code to allow you to write to a log or open a new console using the functions from helpers.h. To specify a log file target in your source code, use extern const LPCWSTR LOG_FILE = L"my_log_file.txt".

Tip: When a new version of the target application is released, you can re-output the C++ scaffolding project in-place. The appdata and framework folders will be overwritten but the user folder and project/solution files will not be changed. This makes it easy to update your project when the target application has been updated!

Compatibility: It is recommended to use Visual Studio 2019 (MSVC++ Build Tools v142 or later). The scaffolding projects have been tested with Visual Studio 2019 and Visual Studio 2017 (MSVC++ Build Tools v141), however some helper code is omitted when using Visual Studio 2017 in order to enable compilation to succeed.

DLL Injection workflow

  1. Use Il2CppInspector to create C++ scaffolding output for the executable binary of interest
  2. Load the generated solution (Il2CppDLL.sln) into Visual Studio
  3. Add the code you wish to execute in the Run() function in main.cpp
  4. Compile the project
  5. Use a DLL injection tool such as Cheat Engine or RemoteDLL to inject the compiled DLL into the IL2CPP application at runtime

You have access to all of the C#-equivalent types and methods in the application, plus all of the available IL2CPP API functions. No additional function pointer or type declarations are required.

Example (create a Vector3 and log its y co-ordinate to a file):

// in main.cpp
void Run()
    // Vector3 example

    // (Call an IL2CPP API function)
    Vector3__Boxed* myVector3 = (Vector3__Boxed*) il2cpp_object_new((Il2CppClass*) *Vector3__TypeInfo);

    // (Call an instance constructor)
    Vector3__ctor(myVector3, 1.0f, 2.0f, 3.0f, NULL);

    // (Access an instance field)

More detailed tutorials can be found here:

How to create, use and debug IL2CPP DLL injection projects

Working with code in IL2CPP DLL injection projects

Creating a Visual Studio C# code stubs solution

Il2CppInspector can create a complete Visual Studio workspace with a solution (.sln) file, project (.csproj) files and assembly-namespace-class tree-like folder structure. Each project creates a single assembly.

Use the --project switch to generate a solution workspace.

In order for Il2CppInspector to be able to create .csproj files which contain the correct Unity assembly references, you must provide the path to an installed Unity editor and a project template or ScriptAssemblies folder of an existing Unity project.

NOTE: The default settings will select the latest installed version of Unity and the latest installed version of the default 3D project template, if they have been installed in the default location.

Typical Unity editor location (specified with --unity-path): C:\Program Files\Unity\Hub\Editor\20xx.y.z

Typical Unity project template location (specified with --unity-assemblies): C:\Program Files\Unity\Hub\Editor\20xx.y.z\Editor\Data\Resources\PackageManager\ProjectTemplates\libcache\

Typical Unity script assemblies location in existing project (specified with --unity-aseemblies): X:\MyProject\Library\ScriptAssemblies

Replace x, y and z with your Unity version number. Replace with the desired template.

NOTE: You can use the asterisk wildcard (*) one or more times when specifying these paths. Il2CppInspector will select the last matching folder in alphanumeric order. This is useful if you have multiple side-by-side Unity installs and wish to always select the latest version or template.

In the event that the assembly references are not correctly resolved the first time you load a solution, simply close and re-open the solution to force them to be resolved.

Il2CppInspector Auto-generated Visual Studio solution

Generating JSON metadata

Il2CppInspector can create a JSON file containing various metadata about the application.

Use the -o switch to specify the JSON output path.

The output schema is as follows:

  • addressMap (object)

    An address map of all IL2CPP-related content in binary

    • methodDefinitions (array) The virtual address, binary symbol, C++ function signature and .NET method signature of every .NET-equivalent method in the binary

    • constructedGenericMethods (array) The virtual address, binary symbol, C++ function signature and .NET method signature of every .NET-equivalent concrete generic method in the binary

    • customAttributesGenerators (array) The virtual address, name and C++ function signature of every custom attributes generator function in the binary

    • methodInvokers (array) The virtual address, name and C++ function signature of every Method.Invoke thunk function in the binary

    • stringLiterals (array) For Unity versions lower than 5.3.2: the ordinal, name and text of every string literal in the binary For Unity version 5.3.2 and later: the virtual address, name and text of every string literal in the binary

    • typeInfoPointers (array) The virtual address, name, C++ derived type name and .NET type name equivalent of every class definition pointer (Il2CppClass *) in the binary

    • typeRefPointers (array) The virtual address, name and .NET type name equivalent of every type reference pointer (Il2CppType *) in the binary

    • methodInfoPointers (array) The virtual address, name and .NET method signature of every runtime method definition pointer (MethodInfo *) in the binary

    • functionAddresses (array) The virtual addresses of the start of every known function in the binary, including all of those above plus any others detected but not included in the above categories

    • typeMetadata (array) The virtual address, name and C++ type name of key metadata items in the binary. This includes Il2CppCodeRegistration and Il2CppMetadataRegistration, and depending on the binary version may also include a pointer to each Il2CppCodeGenModule

    • arrayMetadata (array) The virtual address, name, C++ type name and size of key metadata arrays in the binary

    • functionMetadata (array) The virtual address, name and C++ function signature of key metadata functions in the binary. Depending on how the binary was analyzed by Il2CppInspector, this may include il2cpp_codegen_register.

    • apis (array) The virtual address, name and C++ function signature of every IL2CPP API function identified in the binary

    • exports (array) The virtual address and name of every export in the binary

    • symbols (array) The virtual address, name and symbol type of every named (non-zero name length) and non-zero address function definition, type, field name and import (for ELF) defined in the binary. Not currently supported for PE files.

Universal IL2CPP Build Utility

Three Powershell scripts are provided to enable easy building and testing of IL2CPP binaries:

  • il2cpp.ps1 is the main workhorse and compiles each specified C# source file in TestSources (or all of them if none supplied) as a separate assembly, and outputs them to TestAssemblies. It then takes every specified assembly in TestAssemblies and compiles each one as a separate IL2CPP project for each of these architectures:

    • Windows x86 standalone
    • Windows x64 standalone
    • Android ARMv7 (32-bit)
    • Android ARMv8-A (64-bit)

    These are placed into the TestBinaries folder. The C++ source code for each build is placed into the TestCpp folder. It then calls generate-tests.ps1.

    Specify a comma-separated list of source files (without the .cs extension) to process as the first argument (or -assemblies).

    You can optionally specify a Unity version or Unity install path with the 2nd argument (or -unityVersion). If none is supplied, the latest installed Unity version will be used. You can also specify wildcards, eg. 2019* will use the latest installed version of Unity 2019, 2018.3* will use the latest installed version of Unity 2018.3 etc. Use Unity Hub to install the desired versions.

    Therefore with one command you can generate an assembly DLL, C++ source code and IL2CPP binary for each architecture for any given list of source files, one set of outputs per source file, for a specified version of Unity.

  • generate-tests.ps1 generates a file called Tests.cs in the Il2CppTests project, containing one test per IL2CPP project in TestBinaries. This file will be compiled by the Il2CppTests project. You will then be able to see one test per IL2CPP project in Visual Studio's Test Explorer.

    The auto-generated tests generate C#, JSON and C header files in the test IL2CPP binary's folder in TestBinaries (each filename prefixed with test) and compares them (whitespace-insensitive) with the corresponding project name files in TestExpectedResults. In this way, you can check for files with known structure that the analysis is being performed correctly, or step through the analysis of specific binaries in the debugger without having to change the project's command-line arguments.

  • update-expected-results.ps1 copies all of the output test results from TestBinaries into TestExpectedResults, therefore updating the files that will be used to verify correct test results.

Example uses:


builds each C# source file ìnto a .NET assembly DLL, a C++ source folder and one IL2CPP binary per supported architecture

./il2cpp.ps1 MyFirstTest

builds MyFirstTest.cs into MyFirstTest.dll, creates a C++ source folder named MyFirstTest and an IL2CPP binary for each supported architecture

./il2cpp.ps1 MyFirstTest,MySecondTest 2019.3.1f1

builds MyFirstTest.cs and MySecondTest.cs into individual assembly DLLs, C++ source folders and IL2CPP binaries, using Unity 2019.3.1f1

./il2cpp.ps1 MyFirstTest,MySecondTest F:\Unity\Hub\Editor\2019.3.1f1

as above but specifies a custom path for your Unity installation.

The minimum supported Unity version is 2017.1.0f3.

To learn more about these features, see the section entitled Using Il2CppInspector to generate IL2CPP code in IL2CPP Reverse Engineering Part 1.

Using the APIs for programmatic analysis

NOTE: The Il2CppInspector APIs are also available as a NuGet package! (search: NoisyCowStudios.Il2CppInspector)

Il2CppInspector offers the following re-usable class library APIs:

  • Il2CppInspector - low-level access to the binary image and metadata
  • TypeModel - high-level .NET Reflection-like query API for all of the .NET types in the source project as a tree model
  • AppModel - access to all of the C++ types and methods, plus the IL2CPP API exports, with detailed address and offset data and mappings to their .NET equivalents

Use these APIs to easily query IL2CPP types, create new output modules and integrate Il2CppInspector with your own static analysis applications.

To utilize Il2CppInspector in your own projects, add a reference to Il2CppInspector.Common.dll.

Include the following using directives:

  • using Il2CppInspector to use Il2CppInspector.
  • using Il2CppInspector.Reflection to use TypeModel.
  • using Il2CppInspector.Model to use AppModel.

See the source code for further details or the tutorials above.

Using plugins

Plugins should be placed in the plugins folder in the same folder as Il2CppInspector.exe. Each plugin should be placed into its own sub-folder with any dependencies or configuration files needed.

From the GUI you can enable and disable plugins, change the execution order and configure individual plugin settings via the Manage plugins... button.

From the CLI you can specify which plugins and settings to use as follows.

For one plugin:

Il2CppInspector.exe --plugins "myplugin --firstOption value1 --secondOption value2"

For multiple plugins:

Il2CppInspector.exe --plugins "plugin1 --option1 ..." "plugin2 --option2 ..." ...

Plugins will be executed in the order specified.

Core plugins (those that are part of Il2CppInspector's base functionality) are always enabled when using the CLI, but can be disabled in the GUI.

When using the CLI, core plugins always execute first by default. You can force the core plugins to execute in a different order by specifying their names in the desired execution order. For example:

Il2CppInspector.exe --plugins "analytics --output foo.csv"

will run the core plugins first then the analytics example plugin, but:

Il2CppInspector.exe --plugins "analytics --output foo.csv" "xor"

will cause the xor core plugin to run after analytics.

For help on a specific plugin, specify the plugin name with no arguments:

Il2CppInspector.exe --plugins myplugin

To get more plugins, click Get Plugins in the Manage Plugins window in the GUI, visit the Il2CppInspectorPlugins repository or use the get-plugins.ps1 or get-plugins.sh scripts to update to the latest plugin releases.

Il2CppInspector Plugins

Creating plugins

Plugins let you extend the functionality of Il2CppInspector. For example you can pre and post-process metadata and binaries to enable inspection of IL2CPP applications that Il2CppInspector cannot handle automatically.

Plugin support is currently experimental and has limited functionality.

Details on how to create your own plugins can be found in the Il2CppInspector Plugin Development Wiki.

You can find out more about plugins, and browse the source code of current plugins and examples in the Il2CppInspectorPlugins repository.

Extending Il2CppInspector's Python output to support other targets

The current version of Il2CppInspector can output Python scripts targeting the IDA and Ghidra disassemblers.

When Il2CppInspector generates such a script, it generates a concatenation of a shared block of code (Outputs/ScriptResources/shared-main.py) which parses the JSON metadata and dispatches it to a set of implementation-specific functions to be processed, and a block of code specific to the target application which implements these functions (a file from Outputs/ScriptResources/Targets).

If you would like to add support for a new target application, create a new Python script in Outputs/ScriptResources/Targets with the nane .py and implement the following functions:

  • CustomInitializer() - perform any custom initialization required for the target before applying the metadata
  • DefineCode(code) - parse and apply the specified C++ declaration text (this is not required for Unity 5.3.2 and later; if you don't need to support earlier versions, just specify pass as the implementation)
  • GetScriptDirectory() - retrieve the directory that the Python script is running in. This will normally be os.path.dirname(os.path.realpath(__file__))
  • MakeFunction(start, name=None) - define address start as the start of a function, optionally with name name
  • SetComment(addr, text) - place the comment text at address addr
  • SetFunctionType(addr, sig) - parse the C++ function signature in sig and apply it to the function at address addr
  • SetHeaderComment(addr, text) - place the header/plate/pre-item comment text at address addr
  • SetName(addr, name) - set the symbol (or label or name) of address addr to name
  • SetType(addr, type) - define address addr to be an item of the C++ type type

Refer to the source code of IDA.py and Ghidra.py for examples.

When you add a new target and re-compile Il2CppInspector:

  • the target will automatically be available for selection via the -t (--script-target) switch via the CLI
  • the target will automatically appear in the drop-down selection box for script targets in the GUI

If you develop an API for a target that you think might be useful to others, please feel free to submit a PR with the code!

Version support

Unity version IL2CPP version Support
4.6.1+ First release Unsupported
5.2.x 15 Unsupported
5.3.0-5.3.1 16 Working
5.3.2 19 Working
5.3.3-5.3.4 20 Working
5.3.5-5.4.6 21 Working
5.5.0-5.5.6 22 Working
5.6.0-5.6.7 23 Working
2017.1.0-2018.2.21 24 Working
2018.3.0-2018.4.x 24.1 Working
2019.1.0-2019.3.6 24.2 Working
2019.3.7-2019.4.14 24.3 Working
2019.4.15-2019.4.20 24.4 Working
2019.4.21-2019.4.x 24.5 Working
2020.1.0-2020.1.10 24.3 Working
2020.1.11-2020.1.17 24.4 Working
2020.2.0-2020.2.3 27 Working
2020.2.4-2020.3.x 27.1 Working
2021.1.0-2021.1.x 27.2 Partial

Please refer to the companion repository https://github.com/nneonneo/Il2CppVersions if you would like to track the changes between each IL2CPP release version.


If you have files that don't work or are in an unsupported format, please open a new issue on GitHub and attach a sample with details on the file format, and I'll try to add support. Include both the IL2CPP binary and global-metadata.dat in your submission.

Please check the binary file in a disassembler to ensure that it is a plain IL2CPP binary before filing an issue. Il2CppInspector is not intended to handle packed, encrypted or obfuscated IL2CPP files.


If you found Il2CppInspector useful, you can really help support the project by making a small donation at http://paypal.me/djkaty!

You can also donate with bitcoin: 3FoRUqUXgYj8NY8sMQfhX6vv9LqR3e2kzz

Much love! - Katy


Thanks to the following major contributors!

This project uses:

Thanks to the following individuals whose code and research helped me develop this tool:

The following books and documents were also very helpful:

Pizza spinner animation in the GUI made by Chris Gannon - https://gannon.tv/


This software is licensed under AGPLv3.

  • Call the methods il2cpp exports.

    Call the methods il2cpp exports.

    [Originally from @DannyParker0001]

    This is only somewhat related, but something I remembered that would also be cool is to be able to call the methods il2cpp exports. All methods in il2cpp-api.cpp are exported (I think there were some quirks with it in very old versions of il2cpp). The methods let you get runtime type information, and they include some very cool methods such as being able to get the value of a static member at runtime (Game I'm interested has a god object with a static instance, so being able to use this would be pretty huge!) These methods require the metadata headers (Il2cppObject, Il2cppClass, etc) which is why I think it should be auto-generated and put into a header.

    On x86/x64 you can get the Virtual Addresses of these and then call them via DLL injection, you could also use GetProcAddress on windows to get their address if wanted. I have written code in the past to list of all the exported methods in a x86/x64 binary, I could quite easily implement that if you wanted.

    Since code is clearer than words: Exports of a dll (dumpbin /EXPORTS /path/to/your/dll, found in Start Menu -> Visual Studio (XXXX) -> xXX native tools...)

        ordinal hint RVA      name
              1    0 001CDDF0 CloseZStream
              2    1 001CDEA0 CreateZStream
              3    2 001CDFC0 Flush
              9    8 001CE0C0 WriteZStream
             10    9 00159180 il2cpp_add_internal_call
             11    A 00159190 il2cpp_alloc
             12    B 001591A0 il2cpp_array_class_get
             13    C 001591B0 il2cpp_array_element_size

    In the il2cpp-api.cpp file there'd be something like:

    void* il2cpp_alloc(size_t size)
        return IL2CPP_MALLOC(size);

    So in the header something like

    // ImageBase = 0x0B00000000 
    void*(*il2cpp_alloc)(size_t size) = (void*(*)(size_t))0x0B00159190 

    Alternatively you could use __declspec(dllimport) (Compiler specific!) for the same effect, may be better, not sure...

    I'm not sure about other architectures, I could probably manage to do a PR of most of this for x86/x64 once you've mostly implemented the header generation system, I'm not sure how I'd get the symbol purely from the name though. I'm wondering if you'd be happy for me to do the PR (in future) even if its just for the one arch & possibly incomplete? Or if there would be a better way for me to contribute?

    Originally posted by @DannyParker0001 in https://github.com/djkaty/Il2CppInspector/issues/37#issuecomment-649350228

    opened by djkaty 32
  • [Feature Request] Generate a C++ header for easy use in DLL's

    [Feature Request] Generate a C++ header for easy use in DLL's

    I asked for this in il2cppdumper, prefare didn't want to do it, it wont hurt to ask here. I don't understand il2cpp enough to implement this myself, but... Here's the idea: In the il2cppDummyDll you might have:

    void foo(string bar){

    Then (the planned feature) the C++ header

    // ...
    typedef struct Il2CppObject
            Il2CppClass *klass;
            Il2CppVTable *vtable;
        MonitorData *monitor;
    } Il2CppObject;
    // One of the many classes/types exported
    namespace System{
        struct String{
            Il2cppObject obj;
            int32_t length;
            char* m_firstChar;
            String(char* value){
                // Function pointer to the virtual address of the System.String constructor that receives a char*
                void (*ctor)(char* value) = (void (*)(char*))0xabcdefg
    // ...
    // A Function pointer to the Virtual Address.
    void (*foo)(System::String bar) = (void (*)(System::String))(0x1ABCDEF)

    Which would allow something like

    #include "Il2cppHeader"
    void main(){
    System::String str("Hello World");

    Then you compile the project as a DLL, Inject it, and call it.

    This is a simple use case for the sake of the example. If it contained every class from every game, you should be able to just write code for it like in mono. Huge potential for being able to mod games but also probably a lot of effort.

    opened by DannyParker0001 27
  • "C++ scaffolding header" Your project is perfect! But i need more simples for android platform !

    "C++ scaffolding header" Your project is perfect! But i need more simples for Android platform !

    By try and try hard!

    The ndk compiler passed !

    But in case runing the project with unity3d so files il2cpp.so & Other problem happend!

    long base = baseAddr("libil2cpp.so");
     __android_log_print(ANDROID_LOG_ERROR, "xNative", " %p",base);
     init_il2cpp(base);//mod the oringal api 
    __android_log_print(ANDROID_LOG_ERROR, "xNative", " Vector3__TypeInfo %p",Vector3__TypeInfo);
     __android_log_print(ANDROID_LOG_ERROR, "xNative", " il2cpp_object_new%p",il2cpp_object_new);
    long a = 0x77a69e8dc8;
    long b = 0x77a6041000;
    long c = a-b;
     __android_log_print(ANDROID_LOG_ERROR, "xNative", " rollback il2cpp_object_new %p",c);
    Vector3__Boxed* myVector3 = (Vector3__Boxed*) il2cpp_object_new((Il2CppClass*) Vector3__TypeInfo);
    Vector3__ctor(myVector3, 1.0f, 2.0f, 3.0f, NULL);
    float y = myVector3->fields.y;`


    2020-08-28 13:05:40.709 17480-17480/com.ttgame.titanxyz E/xNative:  0x77a5f81000
    2020-08-28 13:05:40.713 17480-17480/com.ttgame.titanxyz E/xNative:  Vector3__TypeInfo 0x0
    2020-08-28 13:05:40.713 17480-17480/com.ttgame.titanxyz E/xNative:  il2cpp_object_new 0x77a68e8dc8
    2020-08-28 13:05:40.713 17480-17480/com.ttgame.titanxyz E/xNative:   rollback il2cpp_object_new 0x9a7dc8


    ctrash Vector3__Boxed* myVector3 = (Vector3__Boxed*) il2cpp_object_new((Il2CppClass*) Vector3__TypeInfo);

    I mod nothings of the "c++scaffolding" except init_il2cpp method for baseadress transfer and .h ref change like "#include "../appdata/il2cpp-types.h""

    the environment with out the "c++scaffolding" for my hook works is running ok & for do "c++scaffolding" running i have colsed all of other working code !

    support ticket 
    opened by plastor 20
  • IDA Structure Types

    IDA Structure Types

    This is the final patch set which introduces structure, function, enumeration and TypeInfo types to the IDA script output, enabling IDA to automatically resolve structure offsets, function calls, and enumeration values. These changes combine to significantly improve decompilation output.

    Here's a random example, decompiled with IDA 7.0 (x86). First is the output from the old script generator:

    // Void WriteLine()
    int __fastcall TextWriter_SyncTextWriter_WriteLine(int a1)
      int v1; // r4
      v1 = *(_DWORD *)(a1 + 20);
      if ( !v1 )
      return (*(int (__fastcall **)(_DWORD, _DWORD))(*(_DWORD *)v1 + 444))(
               *(_DWORD *)(a1 + 20),
               *(_DWORD *)(*(_DWORD *)v1 + 448));

    And here's the output from the new script generator:

    void __cdecl TextWriter_SyncTextWriter_WriteLine(struct TextWriter_SyncTextWriter *this, struct MethodInfo *method)
      struct TextWriter *v2; // r4
      v2 = this->_out;
      if ( !v2 )
      ((void (__fastcall *)(struct TextWriter *, const MethodInfo *))v2->klass->vtable.WriteLine.methodPtr)(

    Compared with the previous version of this patch (#24), this version has proper generics support, outputting concrete generic methods and type structures (thanks to #35), support for GCC and MSVC compilers, and header files for every version of Il2Cpp from 5.3.0 to 2019.3.8.

    Further ideas for improvements (for future PRs/issues, to be prioritized by whatever makes reversing real programs easier):

    • Resolving "shared" functions, which occur when the linker merges functions with identical bodies together (even if they have vastly different function signatures). Often, these are tiny no-op functions which are easy to recognize, but getting the signature wrong can result in suboptimal decompilation (until fixed manually by the reverser).
    • Resolving vtable function call types (not just the names). I have experimented with enabling this, but (a) it only improves decompilation if the virtual invoker code is inlined (which doesn't always happen), and (b) it significantly increases script size & complexity because every vtable needs lots of sub-structures. We may want to consider adding this as an option for reversers who are dealing with a lot of virtual method calls.
    • Resolving generic library methods like il2cpp_object_new. These functions return pointers whose types can be determined statically from their arguments; a semi-automated way to scan the disassembly or decompiled output and retype their return values would help a lot.
    • Resolving rgctx references for shared generic methods (basically, adding a struct for rgctx per-class by interpreting the rgctx range structures).
    opened by nneonneo 19
  • Generate IDA structures to resolve vtable and structure offsets

    Generate IDA structures to resolve vtable and structure offsets

    This patch augments the IDA output module to add structure, function and TypeInfo types, which enable IDA to automatically resolve structure offsets and improve the decompilation massively. Take a look at the following decompiler sample (IDA 7.0, x86) for a pretty much randomly chosen function:


    // Int32 GetParametersCount()
    int __cdecl MethodBase_GetParametersCount(int a1)
      int v1; // eax
      v1 = (*(int (__cdecl **)(int, _DWORD))(*(_DWORD *)a1 + 484))(a1, *(_DWORD *)(*(_DWORD *)a1 + 488));
      if ( !v1 )
      return *(_DWORD *)(v1 + 12);

    After (v1 manually annotated with ParameterInfo__Array * type)

    // Int32 GetParametersCount()
    int32_t __cdecl MethodBase_GetParametersCount(struct MethodBase *this)
      ParameterInfo__Array *v1; // eax
      v1 = (ParameterInfo__Array *)((int (__cdecl *)(struct MethodBase *, const void *))this->klass->vtable.GetParametersInternal.methodPtr)(
      if ( !v1 )
      return v1->max_length;

    Across the board, this patch enables IDA to automatically pick up static fields (via typed TypeInfo structs), regular fields (via typed value and reference class structures), vtables (via TypeInfo structs), and even interface calls if the relevant InterfaceInvoker code has been inlined. By typing all functions, it produces significantly better code for direct function calls, and improves type inference.

    Unfortunately, I'm not that proficient with the internals of Il2CppInspector or with Il2Cpp metadata, so there are a few current limitations to be aware of:

    • vtables have no types. This is probably an easy fix, except for:
    • generics basically don't work at all. I could not figure out how to easily monomorphize generics, especially genericized vtables. Most of this is just me not fully understanding how generics work. This unfortunately breaks generic fields and makes their offsets wrong, so it's definitely something that needs to be fixed.
    • this requires the Il2CppClass structure for the specific version of Il2Cpp being targeted. I don't have access to the headers for historic versions of Il2Cpp, so I couldn't add their headers.
    • this is untested on anything except MSVC-produced x86/x64 .dlls on Windows. More testing is needed for different environments (particularly, calling conventions might need adjusting on other platforms).

    If anyone could provide a little nudge towards any of these issues, I'll happily work on them. I'm leaving this as a draft right now but would appreciate feedback at this stage on anything (code quality, general approach, willingness to merge, etc.) so I can make adjustments.

    opened by nneonneo 19
  • enum and struct Align problem in IDA

    enum and struct Align problem in IDA

    very cool project! currently generated enum and struct type has align problem when import to IDA,I found enum's ToString() commented out the size restriction code // Don't output " : {underlyingType.Name}" because it breaks C, but when import to IDA,the size of enum are important,especially in 64bit.sometimes IDA will align enum member to 8bytes.this make all members of struct after this enum member's offset are wrong,so the final code would be wrong. sometimes there will generate enum ElementType__Enum _Element_k__BackingField; to struct also made the members' offset goes wrong. BTW:some "keyword" are not allowed import to IDA,like struct abc{ float near; },the "near" are not allowed by IDA,I think this is IDA's bug,but if Il2CppInspector can avoid generate these member name,This would be very great.

    opened by lifeengines 18
  • Progress with IDA Script generation

    Progress with IDA Script generation

    Hey! I've been trying to pull apart something and I've found your work really helpful! To that end, I've had a go at the script generation.

    I only have a vague idea what I'm doing, but it seems to be doing what I want it to do, so I figured I'd share what I have so far.

    Most of it is based on the original Prefare/Il2CppDumper

    opened by carterbush 14
  • Many of this type of unity framework of generics of methods cant call success !

    Many of this type of unity framework of generics of methods cant call success !

    DO_APP_FUNC(0x007BAF20, Font *, Resources_GetBuiltinResource_2, (String * path, MethodInfo * method)); This is a unity framework method!

    Call this method crash with a singal ‘fault addr 00000018’!

    The corresponding c# code is

    public static T GetBuiltinResource<T>(string path)
    			where T : UnityEngine.Object;

    Many of this type of methods cant call success !

    Under current conditions,other common methods is work well !

    Mabe other feature 'static'!

    opened by plastor 13
  • Crash parsing Unity version string

    Crash parsing Unity version string

    I'm not sure I'm doing everything correctly, but it doesn't seem like there is any other way.

    First I'm selecting the metadata file: global-metadata.dat. Then I select the binary file: GameAssembly.dll Application crashes after a few moments inside the KERNELBASE.dll.

    opened by reyaz006 13
  • --suppress-metadata still yielding type indices

    --suppress-metadata still yielding type indices

    Bug description

    Using CLI, type indices are still emitted even if the flag --suppress-metadata is specified. (At least for Dragalia Lost)

    This is the diff between the dump of v2.2.0 and v2.3.0.

    Steps to reproduce

    1. Try to dump the libil2cpp. Dragalia Lost v2.2.0 and upload the dump results to Github.
      • The libil2cpp.so for v2.2.0 can be found here.
    2. Try to dump the libil2cpp.so of Dragalia Lost v2.3.0 and upload the dump results to Github
      • The libil2cpp.so for v2.3.0 can be found here.
    3. Check the commit diff.

    The workflow I used can be found here. I tried executing this locally. The results are the same.

    Note: I use dump-metadata.exe in my repository to dump the metadata, then input it to this IL2CPP dumper.

    opened by RaenonX 12
  • Fix Nested Type Generate

    Fix Nested Type Generate

    sometimes we wan't keep the nested types even it's compiler generated, this patch made there names works for c#.e.g: made output like:

    	private sealed class __c__DisplayClass20_0 // TypeDefIndex: 7165
    		// Fields
    		public CharacterItem script; // 0x10
    		// Constructors
    		public __c__DisplayClass20_0() {} // 0x00B0B320-0x00B0B328
    		// Methods
    		internal bool _UpdateInFormation_b__1(DungeonData.CombatHero e) => default; // 0x00B0B634-0x00B0B680

    instead of:

    	private sealed class <>c__DisplayClass20_0 // TypeDefIndex: 7165
    		// Fields
    		public CharacterItem script; // 0x10
    		// Constructors
    		public <>c__DisplayClass20_0() {} // 0x00B0B320-0x00B0B328
    		// Methods
    		internal bool <UpdateInFormation>b__1(DungeonData.CombatHero e) => default; // 0x00B0B634-0x00B0B680
    opened by lifeengines 12
  • Unable to dump metadata version 29. Can a guide be made to self update?

    Unable to dump metadata version 29. Can a guide be made to self update?

    Il2CppInspector.exe -i "E:\Slime Rancher 2\GameAssembly.dll" -m "E:\Slime Rancher 2\SlimeRancher2_Data\il2cpp_data\Metadata\global-metadata.dat" Il2CppInspector Command-Line Edition Version 2021.1 (c) 2017-2021 Katy Coe - www.djkaty.com - www.github.com/djkaty

    Using plugin: IL2CPP API Discovery Using plugin: Binary metadata field order deobfuscator Using plugin: Metadata strings XOR decryptor Using plugin: Binary file XOR decryptor The supplied metadata file is not of a supported version (29). Analyze IL2CPP data: 0.03 sec

    global-metadata.zip GameAssembly.zip

    I understand that the Unity 2022.1 is not supported but a guide on how to manually update these each time one comes out. Well if its that simple.

    opened by AndrianiP 0
  • V Rising does not work.

    V Rising does not work.

    This works with il2cppdumper.

    PS C:\Users\Dimentox\Downloads\Il2CppInspector-2021.1 (1)> .\Il2CppInspector-cli.exe -i "C:\Program Files (x86)\Steam\steamapps\common\VRising\GameAssembly.dll" -m "C:\Program Files (x86)\Steam\steamapps\common\VRising\VRising_Data\il2cpp_data\Metadata\global-metadata.dat" Il2CppInspector Command-Line Edition Version 2021.1 (c) 2017-2021 Katy Coe - www.djkaty.com - www.github.com/djkaty

    Using plugin: IL2CPP API Discovery Using plugin: Binary metadata field order deobfuscator Using plugin: Metadata strings XOR decryptor Using plugin: Binary file XOR decryptor Detected metadata version 27 Container format: PE32+ Container endianness: Little Architecture word size: 64-bit Instruction set: x64

    Global offset: 0x0000000180000C00 No symbol table present in binary file No matches via code heuristics No matches via data heuristics Could not process IL2CPP image. This may mean the binary file is packed, encrypted or obfuscated in a way Il2CppInspector cannot process, that the file is not an IL2CPP image or that Il2CppInspector was not able to automatically find the required data. Please ensure you have downloaded and installed the latest set of core plugins and try again. Check the binary file in a disassembler to ensure that it is a valid IL2CPP binary before submitting a bug report! Analyze IL2CPP data: 153.66 sec PS C:\Users\Dimentox\Downloads\Il2CppInspector-2021.1 (1)>

    global-metadata.zip Cant seem to attach game assembly.

    opened by dimentox 2
  • Problems with Il2CppInspector. Metadata error.

    Problems with Il2CppInspector. Metadata error.

    Code: Read config... Initializing metadata... System.NotSupportedException: ERROR: Metadata file supplied is not a supported version[920093868]. в Il2CppDumper.Metadata..ctor(Stream stream) в Il2CppDumper.FormGUI.Init(String il2cppPath, String metadataPath, Metadata& metadata, Il2Cpp& il2Cpp) в Il2CppDumper.FormGUI.Dumper(String file, String metadataPath, String outputPath) Error

    opened by Limon4ik349 2
  • il2cpp-api-functions.h is empty

    il2cpp-api-functions.h is empty

    BEFORE YOU SUBMIT AN ISSUE follow these steps:

    1. Make sure you are using the latest commit of Il2CppInspector, which is usually ahead of the latest pre-compiled release
    2. Make sure you have the latest set of plugins by using get-plugins.ps1 or get-plugins.sh
    3. If using the GUI, make sure all Il2CppInspector Core Plugins are enabled and all other plugins are disabled

    To submit an issue relating to a crash or error message when processing files or generating outputs:

    1. We require the output from the Il2CppInspector CLI. Include the complete command line with all arguments and paste the entire output.
    2. Attach global-metadata.dat and the IL2CPP binary to the issue.

    To submit an issue for behavioral bugs (eg. incorrect outputs, options not working as expected, broken features etc.):

    1. Provide a clear and concise description of the bug. identifier "il2cpp_thread_attach" is undefined il2cpp-api-functions.h is empty
    2. Provide the exact steps you took to produce the bug, so that we can reproduce it ourselves. https://drive.google.com/file/d/12QnYMVDcDqE8hVMfVj3ho6eLLdGrxRwR/view?usp=sharing This is the metadata and so files. The address is 983e2000. The unity version is 2018.4.30f1 I seletec C++ scaffolding / DLL injection project The options were 2018.4.18-2018.4.31 and MSVC Then I clicked export The result il2cpp-api-functions.h is empty, leading to identifier "il2cpp_thread_attach" is undefined. Is this supposed to be empty and added manually? I checked other project such as the Among Us Menu. The il2cpp-api-functions.h does have the APIs. Issues not meeting these criteria will be automatically closed and tagged as invalid.
    opened by krulci 0
  • 2021.1(Jan 31, 2021)

    We Inspected (almost) Everything.

    Il2CppInspector 2021.1 brings an avalanche of new features and bug fixes, with a focus on enabling as many IL2CPP applications as possible to be analyzed.

    In addition, Perfare - author of the popular Il2CppDumper tool - has asked us to port some features of Il2CppDumper over to Il2CppInspector in order to create a single unified tool going forwards. This release brings Il2CppInspector to feature parity with Il2CppDumper in addition to all of the pre-existing extra functionality, with the exception of WebAssembly and NSO file format support (coming soon).

    Major new features:

    • Plugins: You can now create plugins that allow you to completely edit the load pipeline and implement custom deobfuscation, decryption, perform additional analysis and generate additional outputs.

      This enables you to write standalone code for specific workloads without needing to fork and edit the source code of Il2CppInspector, and your code will continue to work when we release new updates.

      We're really excited about this new feature and have created a Plugin Wiki with information to help you get started writing your own plugins. We've also created many example plugins you can check out to learn more! You can also submit your own plugins, and we will bundle the current set of plugins with each new release.

    • DLL output support: You can now output assembly shim DLLs that are semantically compatible with those produced by the "dummy DLL" function of Il2CppDumper. This is a complete rewrite of Il2CppDumper's DLL output using dnlib and Il2CppInspector's type model, and brings the following enhancements:

      • Orphaned property methods are now handled correctly
      • Events are now handled correctly
      • ref type method parameters are now output correctly
      • Static field offsets are now output (StaticFieldOffset attribute)
      • Assembly-level attributes are now output for each assembly
      • Assembly and module metadata tokens are now output
      • Attributes with zero arguments are applied directly rather than via the Attribute attribute for improved readability
      • Static array initializers include an 8-byte preview of the array contents (MetadataPreview attribute)
      • The generated output is self-contained with no external references to mscorlib.dll - this means the generated DLLs can be used with Il2CppAssemblyUnhollower without modification even on .NET Core
      • You can now suppress all output of all metadata attributes (use --suppress-dll-metedata on the CLI or the corresponding GUI option) - handy if you just want to browse or compare the raw type definitions
    • Dumped memory image support: memory dumps can now be loaded and rebased (use --image-base at the CLI or Import Options in the GUI to specify the image base address)

    • GameGuardian dump / Linux process map support: you can load a GameGuardian dump or Linux process map without needing to split or extract libil2cpp.so first or know the image base address. Specify the *-maps.txt file in place of the binary file and Il2CppInspector will reconstruct and rebase libil2cpp.so for you

    • Automated deobfuscation:

      • The new Beebyte Deobfuscator is our first 3rd party plugin and can deobfuscate .NET type and field names when supplied with an earlier, unobfuscated version of the same application by performing a differential analysis and applying renaming to the obfuscated version. The unobfuscated input can be either an IL2CPP or Mono build. You can also optionally output a text file containing a list of name translations, or a plugin source code file for use with Il2CppTranslator

        NOTE: You MUST supply an unobfuscated (or less obfuscated) version of the application in order to perform automatic deobfuscation!

        NOTE: This plugin is still a work in progress and may contain bugs. Properties and method names are not currently deobfuscated.

      • Most types of packed PE files (Windows DLLs) can now be loaded automatically (eg. Themida DRM)

      • Automatic reconstruction of the correct field order for Il2CppCodeRegistration and Il2CppMetadataRegistration in most cases where it has been obfuscated (eg. Riot Games workloads)

      • Automatic decryption of XOR-encrypted .NET symbols

      • More sophisticated heuristics are now used to determine binary file XOR keys and block sizes, this should improve compatibility with some encrypted workloads (eg. Arknights, Call of Duty Mobile, Garena Free Fire + many others)

      • Automatic binary XOR decryption now also works on 64-bit (ARMv8) binaries

      • ROT-encrypted API exports will now be resolved automatically (eg. Legends of Runeterra, League of Legends Wild Rift)

      • Honkai Impact and Genshin Impact can now be loaded using the miHoYo plugin (bundled) (you must supply a UnityPlayer.dll from a matching version, even if analyzing a mobile release)

      • Tale of Immortal (鬼谷八荒 / Guigubahuang) can now be loaded using the guigubahuang plugin (bundled)

        WARNING ON THE USE OF AUTOMATIC PE UNPACKING: Loading a packed PE file enables arbitrary 3rd party code execution. Do not load potentially malicious DLLs and never run Il2CppInspector as an administrator when handling packed PE files. USE AT YOUR OWN RISK.

        PLEASE NOTE: We will not be providing deobfuscators for every workload; the functionality above is provided by plugins for example purposes and we recommend you use the provided APIs to write your own plugins if you need to analyze an application not directly supported by Il2CppInspector. We do not take requests - please do not file issues asking for specific applications, they will be ignored.

    • Tutorials and guides: We've published a tranche of new guides for you:

    Minor features:

    • XAPK package files are now supported

    • ZIP files containing APKs are now supported directly

    • You can now save extracted, decrypted or deobfuscated global-metadata.dat and binary files via the CLI or GUI (use --metadata-out and --binary-out at the CLI)

    • You can now specify a Unity asset file to give Il2CppInspector the precise Unity version used, rather than specifying the version by hand or letting Il2CppInspector guess. This can be used to improve the accuracy of some types of output (use --unity-version-from-asset at the CLI or Get Unity version from asset file... in the GUI)

    • We hired someone who can use Paint to make an application icon for Il2CppInspector's GUI, yay!

    • We hit some things with a hammer and some types of file will now load much faster - huzzah!

    Minor improvements:

    • C++: enums will now be output as enum classes for scaffolding projects
    • C++: Scaffolding projects have il2cpp_thread_attach(il2cpp_domain_get()) added to the start of Run() to prevent fatal unmanaged exceptions when calling certain methods
    • CLI: You can now select individual outputs by specifying --select-outputs; this will cause all outputs to be suppressed except those you specify as arguments. The default is still to output everything
    • IL2CPP: Archive files won't be read-locked when loading anymore, allowing you to run Il2CppInspector when they are open elsewhere
    • Type model: Removed no longer necessary thread locking when generating custom attribute data

    Notable bug fixes:

    • C#: Fix failure to generate class/tree folder layout when there are invalid namespace names
    • C#: Fix assembly type indices were still being emitted when --suppress-metadata was specified
    • C#: Fix crash outputting 64-bit Flags-style enums with the top bit set
    • C++: Signed enum type output did not match the enums underlying type
    • C++: Signed enum values that are negative will no longer be output in hexadecimal
    • C++: Fixed a compilation error in scaffolding projects "fields is not a member of app::String" for certain IL2CPP applications
    • Formats/ELF: Don't crash trying to fetch a section by name that doesn't exist
    • Ghidra: Dumped ELF images were not rebased correctly
    • GUI: The GUI won't crash silently on startup anymore if an error occurs
    • IDA: Fixed "abstract declaration is not allowed here" error when parsing C headers for certain IL2CPP applications
    • IDA: Fixed "SetType failed!" error when applying script to an IDB where some duplicate types already exist
    • IL2CPP: Fixed an edge case causing a rare crash when analyzing metadataUsages list
    • IL2CPP: Fixed an edge case causing a workload with an unusually large number of reversePInvokeWrappers to fail to load
    • IL2CPP: Fixed method pointer offsets output being off-by-1 in certain types of non-PE x86/x64 binaries
    • Type model: Fix crash that occurred on invalid/obfuscated assembly or namespace strings
    • Type model: Fix crash that occurred when resolving generic type arguments in 32-bit binaries that have been rebased
    • Type model: Fix GetType() and GetGenericMethod() incorrectly returned null when searching for a type or method in the global namespace
    • Unity: Fix crash comparing Unity versions when one of the version ranges is open-ended (caused crash on the latest Unity releases)
    • ...and more

    Unity support:

    • Support was added or tested where applicable for Unity versions up to Unity 2018.4.31, Unity 2019.4.18 and Unity 2020.2.2 (the current latest)

    New APIs for developers:

    • Formats: FileFormatReader classes can now receive a LoadOptions argument with custom load options
    • Formats: Added FileFormatReader<T>.DefaultFilename to fetch the default filename for a given file format
    • Formats: Added Section class and IFileFormatStream.GetSections() / IFileFormatStream.TryGetSections() for universal processing of sections regardless of file format (ELF files will use the PHT if the SHT has been destroyed)
    • Formats: File types can now have multiple "load strategies" which will be tried in sequence once the file format has been identified (eg. unpacked, packed); see IFileFormatReader.TryNextLoadStrategy()
    • IL2CPP: Metadata and Il2CppBinary now derive from the new BinaryObjectStream allowing easy reading and writing of types to the underlying streams
    • IL2CPP: Added IsModified property to Metadata and Il2CppBinary
    • IL2CPP: Added Il2CppBinary.SaveToFile(), Metadata.SaveToFile() and equivalent surrogates Il2CppInspector.SaveBinaryToFile() and Il2CppInspector.SaveMetadataToFile() to enable saving of modified files
    • Plugins: An entire new API set was created for plugins, and many previously private or internal types, fields and properties were made public. See the Il2CppInspector Plugin Wiki for full details. Users developing standalone apps using the Il2CppInspector API can disable the entire plugin system with PluginManager.Enabled = false
    • Type model: A small number of MemberAttributes flags that were omitted are now included (eg. FieldAttributes.RTSpecialName). PropertyAttributes and MethodImplementationFlags were added as per the .NET Reflection API
    • Type model: MetadataToken was added to all type model objects as per the .NET Reflection API
    • ...and more

    We're going to take a little break now, but we'll be back in May to cause more trouble (critical bug fixes will still be posted). Happy hacking!

    Many thanks to @std-nullptr, @Perfare, @OsOmE1, @cctgapp, @AndnixSH, @MerzZly, @badluck13, @rustyx, @RaenonX and everyone else who provided input and contributions to this release!

    Source code(tar.gz)
    Source code(zip)
    Il2CppInspector-2021.1.zip(91.15 MB)
  • 2020.2.1(Nov 26, 2020)

    Il2CppInspector 2020.2.1 is a minor feature update and maintenance release, containing dozens of bug fixes and small improvements.

    • Universal IL2CPP Build Utility: The old binary generator script has been replaced with a significantly revamped build utility for PowerShell - il2cpp.ps1. Type ./il2cpp.ps1 -help for usage instructions

      • The Roslyn C# compiler will now only be invoked for the specified files, rather than all source files in the folder
      • You can now specify which installed Unity version to use as the build target. This allows wildcards, so 2019.3* will use the latest install of Unity 2019.3 etc.
      • You can also optionally specify a full Unity path as the version argument to bypass the automatic installation search; this also supports wildcards
      • The Unity bytecode stripper will now be run on each assembly before being transpiled to reduce the total build time
      • Each assembly will now only be transpiled to C++ once, rather than once per architecture target (this was wasteful as the C++ code doesn't change)
      • The build cache will now be created in a child folder of the output folder and deleted upon completion (previously it would be in the user's Temp folder and not deleted before a reboot, causing the rapid consumption of disk space when performing many builds)
      • Fix for the MapFileParser.exe path not being passed to il2cpp.exe correctly
      • Android builds will be skipped rather than aborting the whole script if the Android toolchain is unavailable
      • The Cpp source folder will be wiped before a re-build to avoid conflicting source files
      • The utility will now work on all versions of Unity from 2017.1.0 - 2021.1.0+ (previously only supported Unity 2018.3.x - 2019.3.x); please see the source code comments for build tool requirements and other dependencies for the different Unity versions
      • The utility is now compatible with PowerShell 7 (previously only 5.1)
      • Various bug fixes
    • Android file format improvements: Split APKs and AAB (Android App Bundle) files are now supported via the API, CLI and GUI

    • Breaking change to C++ scaffolding: All __TypeInfo variables are now double-indirected rather than single-indirected pointers. You will need to update your projects to take this into account.


    • C#: Static array initializers (ie. PrivateImplementationDetails) now show an 8-byte preview of the array and the offset into global-metadata.dat of the whole array
    • C#: The generation of type definitions is now parallelized giving a substantial speed up
    • C++: Allow the parsing of enums with negative values
    • C++ scaffolding: All IL2CPP surrogate versions of .NET managed types are now included in the output headers, giving access to many more important types
    • C++ scaffolding: All types from vm/MemoryInformation.h are now included in the output headers
    • C++ scaffolding: All MethodInfo pointers are now available via the new <method-name>__MethodInfo variables (double-indirected pointers)
    • C++ scaffolding: The helper API names were refactored to start with il2cppi_
    • C++ scaffolding: il2cppi_to_string() added to convert Il2CppString* and app::String* to std::string
    • C++ scaffolding: il2cppi_is_initialized() added to allow you to check if a metadata item (TypeInfo, MethodInfo etc.) is initialized before using it
    • C++ scaffolding: The IL2CPP metadata version is now defined in il2cpp-metadata-version.h
    • C++ scaffolding: The contents of user folder will now be preserved, allowing you to re-build scaffolding in-place when the target application is updated without losing your work
    • C++ scaffolding: Projects can now be built with Visual Studio 2017 as well as 2019 (some API features will be disabled)
    • Formats/ELF: Dramatic speed up when processing encryption
    • Formats/ELF: Handle striped XOR encryption
    • Formats/MachO: Dynamic libraries and other non-executables will now be accepted
    • Formats/PE: Auto-detect binaries packed with Themida and others and give a descriptive error message (Note: an unpacker will be added in a future update)
    • Ghidra: C++ enums with a derived type can't be parsed by Ghidra; now we output C-style enums instead. Fields in structs which have a C++ enum type that has an underlying type with a memory size different to uint32_t will be replaced with a non-enum field of the correct size to maintain an accurate memory layout of the struct
    • Ghidra: Ghidra script will now prompt you if you forget to parse the C headers before running the script
    • GUI: Select All / Select None buttons added to the namespace tree selector
    • GUI: More descriptive progress updates while analysing files
    • GUI: The 'Building application model' phase will be skipped if it has already been built with the same parameters
    • IDA: Python 3 support added for IDA Pro 7.4+
    • IDA: The placement of function boundaries is now more accurate
    • IDA/Ghidra: Il2CppCodeGenModule array (g_CodeGenModules) is now typed
    • IL2CPP: Auto-detect re-arranged fields designed to obfuscate Il2CppMetadataRegistration and Il2CppCodeRegistration and give a descriptive error message
    • IL2CPP: Handle files using metadata v24.4 (2019.4.15+ and 2020.1.11+)
    • Unity: Existing headers updated and new headers added for 2019.4.15 and 2020.1.5+
    • ...and more

    Bug fixes:

    • C#: Fix indexer names were corrupted if the name length was not exactly 4 characters
    • C#: Type, method, parameter, field and event names could contain invalid characters
    • C#: Unicode characters in identifiers are now handled correctly
    • C#: Scoped names referencing the global namespace (global::) are now handled correctly
    • C#: floats and doubles could be output with the wrong decimal separator when using a non-English locale
    • C#: Fix for invalid characters in generic types that use other generic types as their type parameter(s)
    • C++: Unused concrete value types were incorrectly omitted from il2cpp-types.h
    • C++: Unicode characters in identifiers are now handled correctly
    • C++ scaffolding: init_il2cpp() would sometimes populate __TypeInfo variables with zero if not all of the IL2CPP application types have been initialized when init_il2cpp() is called, causing a crash when creating new objects. This was solved via the breaking change above
    • C++ scaffolding: Compiler warning 4359 when compiling for 32-bit architectures
    • C++ scaffolding: 32-bit Debug build was misconfigured
    • Formats: Fix crash reading certain types of files with 0-length arrays mapped to virtual addresses
    • Ghidra: Ghidra script is now compatible with Ghidra 9.2
    • Ghidra: structs with fields called _extension would fail to parse
    • Ghidra: structs with self-referential fields would fail to parse
    • IDA: Fix failure to process C header if the script and binary folders are not the same
    • IDA: Fix additional reserved keyword naming conflicts
    • IDA: Worked around a bug in IDA causing leading underscores to be removed from parameter names if present
    • IL2CPP: Assemblies containing only interfaces, abstract methods or open generic methods will no longer cause a crash
    • ...and more

    API-only NuGet install: search for NoisyCowStudios.Il2CppInspector from the NuGet Package Manager.

    The next release will continue to focus on improvements and bug fixes to C++ scaffolding, which is still early in its life!

    Enjoy the update and happy hacking!

    Thanks to @eliphatfs, @anonymous1753, @kotori2, @lifeengines, @exp111, @cctgapp, @ianpei, @jakecrowley, @pandaboy1942, @camas, @Warpten, @AxelHu, @CiberBot13, @shazgames, @MerzZly, @vfsfitvnm, and of course, the ever-present @DannyParker0001 for their input and contributions to this release!

    Source code(tar.gz)
    Source code(zip)
    Il2CppInspector-2020.2.1.zip(47.57 MB)
  • 2020.2(Aug 17, 2020)

    Hold onto your disassemblers, IlCppInspector 2020.2 is here to get up in your business and steal yo' girl!

    This release contains a slew of major new features:

    • New C++ scaffolding header generation: In addition to the existing scaffolding, Il2CppInspector now outputs C++ typedef signatures and pointer base offsets for every function pointer in the application - for both .NET methods and IL2CPP APIs - plus pointers to every type definition (Il2CppClass *) in the binary. This works on Windows, Android and iOS (include the appdata headers with your project for eg. Cydia Substrate) - no more searching through files for function pointers and writing your own definitions! This means you can now write code like this:

      	// Use IL2CPP API and an Il2CppClass* to create a .NET-mapped object
      	Vector3__Boxed* myVector3 = (Vector3__Boxed*) il2cpp_object_new((Il2CppClass*) Vector3__TypeInfo);
      	// Call a constructor on an object
      	Vector3__ctor(myVector3, 1.0f, 2.0f, 3.0f, NULL);
      	// Access an instance field of an object
      	float y = myVector3->fields.y;
      	// Access a static field of an object
      	auto playerHealth = GameManager__TypeInfo->static_fields->m_PlayerHealth;

      This code will work in any IL2CPP application - no need to know the binary layout, just re-run Il2CppInspector to produce new C++ scaffolding for each new application or patch and all the addresses and offsets will be adjusted for you without having to change your code!

      Il2CppInspector will also handle binaries with partial or no API exports by using heuristics to match the found functions to the closest Il2CPP API version possible, and omitting missing API calls from the C++ output.

    • Visual Studio DLL injection projects: Il2CppInspector can now automatically generate a complete DLL injection project and Visual Studio solution for Windows IL2CPP applications, using all of the scaffolding above plus a ready-made DLL template. Just edit main.cpp with your desired code, compile, load it into a DLL injector such as Cheat Engine and you're good to go!

    • Full Ghidra support: Not just names and labels, but fully typed functions and decompilation plus the exact same set of rich metadata output for IDA users is now available for Ghidra! (make sure to check the tutorial in the README to see how to use this)


    • Application Model API: Complementing the existing .NET type model, the AppModel allows you to query every part of an IL2CPP application programmatically, providing composite mappings between .NET and C++ types and methods, all of the C++ classes and functions used in the application with complete field and type information, non-.NET functions such as custom attribute generators, Method.Invoke thunks and typed IL2CPP APIs, as well as centralized access to versioned Unity headers, string literals, all of the binary's symbols and exports and any known metadata references.

    • Address Map (experimental): Building on the AppModel API, you can now query any virtual address in the IL2CPP binary and retrieve information about the address contents, including any .NET mappings if applicable. All of the information managed by the AppModel API is also available in the Address Map.

    • IDA functionality enhancements: Il2CppInspector now generates type signatures for CustomAttributesCacheGenerator and MethodInvoker functions, instead of just labels. Plus, detected IL2CPP API exports with known function signatures will now also be converted into typed functions (these improvements are also included in the Ghidra support)

    • JSON metadata output: You can now generate the same data provided to IDA and Ghidra as a JSON file (in fact, this file is now used by the disassembler scripts), allowing you to query it from other applications (Note: there is a huge amount of metadata available and only a fraction of it is output; edit Outputs/JSONMetadata.cs to add more details)

    • NuGet package: Il2CppInspector's API components are now available on NuGet! Just install NoisyCowStudios.Il2CppInspector from the NuGet Package Manager.

    • Tutorials and guides: We're slowly building a library of articles on how IL2CPP works, and practical guides on using Il2CppInspector to solve real-world reverse engineering problems. Check out this guide on Using Il2CppInspector's type model to extract protobuf-net definitions (using the game Fall Guys as a case study) - more guides are on the way!

    Minor features:

    • Multi-architecture APK files are now supported. If you import an APK with multiple IL2CPP binaries, all of the binaries in the package will be analyzed.

    • The GUI now has drag & drop support for all supported file formats. You can also drag a metdata and binary file together!

    • A third method to find the required metadata: Il2CppInspector has previously looked at the symbol table - and if that failed, disassembled parts of the code - to find the needed data to inspect the binary. It can now also brute-force scan the data of the binary looking for this data if the first two methods fail. This improves detection on dumped files and binaries with non-standard compilation.

    • Python script target extensibility: You can now add support for other disassemblers or script targets by implementing a simple single-file Python API - see the README for details

    • Minor improvements to C# code stubs output (async methods now get the async keyword; [DefaultMemberAttribute] is no longer suppressed if a type doesn't have an indexer)

    • Manipulating binary files directly from code has had a number of convenience features added (see FileFormatReader class)

    Other notable API enhancements:

    • You can fetch all of the IL2CPP API exports in a binary using Il2CppBinary.GetAPIExports(), and all of the available typed IL2CPP API exports available both in the binary and corresponding Unity headers with AppModel.AvailableAPIs
    • You can now fetch the machine code for custom attributes generators and method invokers with GetMethodBody() in the same way you already can for .NET methods
    • Silent analysis options
    • ...and many more not listed here

    Unity support:

    • Full Unity 2020.1 support: Unity 2020.1 introduced changes to the initialization code and is now supported
    • Full Unity 2020.2 (alpha) support: Unity 2020.2 introduces significant changes to metadata usage references - making it necessary to use heuristics to locate this data - plus small changes to custom attributes generators and generic class references. But don't worry, we've got your back! Il2CppInspector 2020.2 provides the exact same feature set for Unity 2020.2 as every other version of Unity (including C++ header output).
    • Support was added or tested where applicable for all Unity LTS versions up to Unity 2018.4.26 and Unity 2019.4.8 (the current latest)

    Notable bug fixes:

    • Visual Studio solution generation now works on MacOS X
    • Fixed a fatal crash in Unity version parsing when using Il2CppInspector with a non-English locale
    • The image suffix digit was only applied to the C# code stubs output and no other outputs, causing them to be overwritten when using the CLI with a multi-image binary
    • Fixed two GUI crashes when working with multiple IL2CPP applications in one session
    • C++ scaffolding for Unity 5.3.6-5.4.6 would not compile due to a missing struct VirtualInvokeData definition
    • Fixed the C++ signatures in IDA output for MethodInvokers for Unity 5.3.0-5.6.7
    • The signature for il2cpp_codegen_register was incorrect for Unity 5.3.4 and lower
    • The C++ scaffolding for System.Array was incorrectly output as an array instead of a class
    • Field offsets in C++ structs were calculated incorrectly in some cases
    • ...and more

    Enjoy the update and happy hacking!

    Thanks to @DannyParker0001 and @vivalavladislav for their contributions to this release!

    Source code(tar.gz)
    Source code(zip)
    Il2CppInspector-2020.2.zip(47.01 MB)
  • 2020.1(Jul 3, 2020)

    Il2CppInspector 2020.1 delivers dozens of improvements including several major new features:

    • IDA functionality enhancements: Il2CppInspector now outputs type declarations for all IL2CPP internal types and types used by the application, including all generic instances, plus address mapping for every type definition and method argument types. Boxed types are generated as required. Memory-mapped vtables are generated for every type. Function boundary mapping has also been improved.

    • C++ scaffolding output module: You can now output C++ headers with type declarations for all IL2CPP internal types and types used by the application, including all generic instances and inferred usages from metadata, plus all vtables and applicable boxed types. You can select which C++ compiler to target for the output (MSVC or GCC). Perfect for use with x64dbg among others!

    • Native APK and (decrypted) IPA support: You can now specify an APK or IPA file on the command-line or via the GUI - Il2CppInspector will automatically unzip the package into memory and locate the IL2CPP component files for analysis - no need to find the binary and metadata files first!

    • Generic types overhaul: This is a complete overhaul to the management of .NET generic types, improving the completeness and accuracy of all outputs (C#, IDA, C++). All closed generic types including those not defined directly but referenced by types or methods in the application are now accounted for. Nested and inherited open and closed generic types are handled correctly. New APIs are available for inspecting generic types.

    • Battle-hardened: Il2CppInspector is now compatible with all 205 releases of IL2CPP from Unity 5.3.0 to 2019.4.2+. For IDA and C++ outputs, Il2CppInspector will attempt to auto-detect both the Unity version and C++ compiler used to generate the IL2CPP application and generate a complete set of type definitions for the corresponding Unity version with the corresponding compiler-defined memory layout. You can override these options if you wish. Il2CppInspector will also perform automatic name conflict resolution to avoid the use of pre-defined symbols and keywords in C++, and to handle re-definition of same-named symbols in the application.

    • Many new API calls for the package (Il2CppInspector) and .NET type model (Il2CppModel) for automated analysis of IL2CPP applications (see the source code for details; these are primarily for the handling of generic types and C++ declarations; you can now also use MethodBase.GetMethodBody() to retrieve the executable machine code for any method)

    • Many bug fixes for IL2CPP processing

    • Minor improvements to C# prototypes output

    • Minor improvements to ELF handling and de-obfuscation

    • Using the generate-binaries.ps1 script now allows you to examine the generated C++, not just the final IL2CPP binary

    • Output paths now work correctly for Linux and other POSIX filesystems

    We're already working on some exciting new features for the next version, and hope you enjoy this update!

    Thanks to @AntyMew , @carterbush and @nneonneo for their contributions to this release!

    IDA C++ decompilation example: IDA_Preview

    C++ scaffolding example: Cpp_Preview

    Source code(tar.gz)
    Source code(zip)
    Il2CppInspector-2020.1.zip(46.41 MB)
  • 2.1(Feb 26, 2020)

    Il2CppInspector 2.1 brings initial compatibility for PlayStation 4 .prx files and various fixes to support to IL2CPP applications compiled with Unity 2019.3, as well as compatibility with a broader range of x64 binaries.

    ChangeLog from 2.0 to 2.1:

    • Initial support for Sony PlayStation 4 FSELF (PRX) files (NOTE: PS Vita is not currently supported)
    • Improvements to x64 binary analysis in multiple scenarios
    • Unity 2019.3 compatibility fix for 32-bit ARM binaries
    • Minor improvements to ELF handling
    • Minor improvements to C# output
    • Minor GUI improvements
    Source code(tar.gz)
    Source code(zip)
    Il2CppInspector-2.1.zip(46.17 MB)
  • 2.0(Feb 10, 2020)

    Il2CppInspector 2 is a complete overhaul of the original Il2CppInspector dumper tool, with massively improved usability and tons of new features, including:

    • Support for all IL2CPP versions from Unity 5.3 to 2020

    • Generates accurate well-formed C# code with syntactic sugar and language features up to C# 7.3

    • Generate stub code Visual Studio solutions (with .sln and .csproj files) including assembly references for your Unity install

    • The most detailed IDA script output available including full .NET method signatures, generic method instantiation and custom attribute support, plus support for Method.Invoke thunks, basic IL2CPP metadata structures and all available IL metadata

    • Customize your output: exclude unwanted namespaces, split types by assembly, namespace and/or class, produce a flattened set of files or folder hierarchy, sort types within files, separate assembly-level attributes into their own files, suppress metadata comments in C# code, and even attempt to produce code stubs that compile. using directives and scope resolution conflicts for each file are resolved automatically

    • Enhanced file format support for PE32+, ELF64, Mach-O, multi-image Universal Binaries, relocations, symbol tables and more

    • New architecture support for ARMv8 / ARM64 (A64), Thumb-2 and x64. Enhanced support for ARMv7 and x86

    • An internal type model based on the .NET Reflection APIs allowing you to re-use a high-level representation of all IL2CPP data in your own applications using an already familiar API

    • Much more robust handling of nested types, generic methods, nested generic type references and derivations plus hundreds of other code output improvements and bug fixes

    • A brand new GUI for Windows users. The command-line tool is still available for Windows, MacOS X and Linux users.

    • Automatic processing of some very basic obfuscation

    • Integrated test suite. Each build is automatically tested on over 50 IL2CPP applications

    I hope you enjoy the new version of Il2CppInspector!


    Source code(tar.gz)
    Source code(zip)
    Il2CppInspector-2.0.zip(46.16 MB)
A lightweight ARM reverse engineering tool.

eydis A lightweight (basic and slow) ARM reverse engineering tool. I. Requierements macOS/Linux, Basics compiling tools, The SQLite3 + readline framew

Yui Aioi 18 Aug 15, 2022
Block Cipher Reverse Engineering: A Challenge by Nintendo European Research & Development

My algorithm cracks NERD HireMe for any output within 1 Second without Brute-Force! Read more if you want to find out how this was accomplished or execute this algorithm yourself on Wandbox - Online C++ Compiler

Alexander Töpfer 58 Nov 15, 2021
Resources gathered for reverse engineering the FNIRSI-1013D scope

# FNIRSI-1013D-Hack Resources gathered for reverse engineering the FNIRSI-1013D scope As part of what is on EEVBLOG, resources for the reverse engine

null 75 Dec 25, 2022
The purpose of these streams is to be educational and entertaining for viewers to learn about systems architecture, reverse engineering, software security, etc., and NOT to encourage nor endorse malicious game hacking.

Memestream This repository holds the code that I develop during my live game "modding" ?? sessions. When I stream, I like to speedrun making a success

Stephen Tong 28 Jul 6, 2022
Info & tools for reverse engineering the M6 smart fitness band

m6-reveng This repo contains information and tools for reverse engineering the $7 M6 smart fitness band. Hardware The SoC (system-on-a-chip) is a Teli

null 41 Dec 26, 2022
🎮 Plants vs. Zombies multiplayer battle, developed via reverse engineering, inline hook and dynamic-link library injection. Two online players defend and attack as the plant side and zombie side respectively.

Plants vs. Zombies Online Battle This project has two original repositories: https://github.com/czs108/Plants-vs.-Zombies-Online-Battle https://github

Liugw 71 Oct 14, 2021
Reverse engineering the V831 npu

v831-npu Reverse engineering the V831 Neural Network Accelerator (NNA) Hardware is primarily based off NVIDIA Deep Learning Accelerator(NVDLA) archite

Jasbir 79 Jan 7, 2023
Reverse engineering / documenting the SSC (qcom Snapdragon Sensor Core) or SLPI.

QRTR / QMI sensor daemon Device setup (pmos) Install deps sudo apk add alpine-sdk sshfs eudev-dev qrtr-dev Mount build dir First on host setup USB net

Caleb Connolly 12 Jul 26, 2022
Reverse engineering Genshin Impact anticheat to study how anticheats work on the Windows operating system.

mhyprot2 - Reverse engineering Genshin Impact anticheat for study 1. Demonstration video 2. Screenshots 2.1 Panel 3. Future updates and questions As I

João Vitor 57 Nov 16, 2022
OverRide - Binary Exploitation and Reverse-Engineering (from assembly into C)

OverRide Explore disassembly, binary exploitation & reverse-engineering through 10 little challenges. In the folder for each level you will find: flag

Anya Schukin 69 Sep 22, 2022
Cutter is a free and open-source reverse engineering platform powered by rizin

Cutter is a free and open-source reverse engineering platform powered by rizin. It aims at being an advanced and customizable reverse engineering platform while keeping the user experience in mind. Cutter is created by reverse engineers for reverse engineers.

Rizin Organization 12.4k Jan 1, 2023
A tool for analyzing x86-64 binaries.

reopt Reopt is a general purpose decompilation and recompilation tool for repurposing application logic. It does this by analyzing machine code to rec

Galois, Inc. 263 Dec 23, 2022
OS X command line tool to inject Frameworks and dylibs on mach-o binaries (iOS & Mac Apps).

macho-inject OS X command line tool to inject Frameworks and dylibs on mach-o binaries. It does the injection of the framework and the codesigning. It

Jon Gabilondo 6 Nov 8, 2022
Proof-of-concept implementation for the paper "Osiris: Automated Discovery of Microarchitectural Side Channels" (USENIX Security'21)

Osiris This repository contains the implementation of the Osiris framework discussed in the research paper "Osiris: Automated Discovery of Microarchit

CISPA 41 Nov 11, 2022
Automated hydroponics with Home Assistant & ESP8266 controllers

ESPonics Automated hydroponics with ESP8266 microcontrollers & Home Assistant I absolutely want to credit Reddit user u/ghoofman for both the inspirat

jjensn 16 Aug 27, 2022
The Project name is "ATM - Automated Teller Machine" and It is for beginners level Project.

ATM - Automated Teller Machine The Project name is "ATM - Automated Teller Machine" and It is for beginners level Project. What is ATM? An automated t

Sorav Kumar Sharma 1 Nov 7, 2021
The Project name is "ATM - Automated Teller Machine" and It is for beginners level Project.

ATM - Automated Teller Machine The Project name is "ATM - Automated Teller Machine" and It is for beginners level Project. What is ATM? An automated t

Sorav Kumar Sharma 1 Nov 8, 2021
The Project name is "ATM - Automated Teller Machine" and It is for beginners level Project.

ATM - Automated Teller Machine The Project name is "ATM - Automated Teller Machine" and It is for beginners level Project. What is ATM? An automated t

Sorav Kumar Sharma 0 Dec 26, 2021
Hex-Rays microcode plugin for automated simplification of Windows Kernel decompilation.

NtRays NtRays is a Hex-Rays microcode plugin for automated simplification of Windows Kernel decompilation. Features Cleanup of instrumentation and sch

Can Bölük 359 Jan 3, 2023