Il2cppDumper Manually Finding CodeRegistration and MetadataRegistration
INTRODUCTION
While trying to dump the game Marvel Strike Force, I encountered this error:
I had no idea what to do, so I did a Google search and found this thread on UnknownCheats:
https://www.unknowncheats.me/forum/general-programming-and-reversing/355005-il2cppdumper-tutorial-finding-coderegistration-metadataregistration.html
I tried it myself, but I just can't get it to work with the pattern creation part. Scrolling down, I found this comment. This is really interesting, so let's check it out.
Reversing Our Own Game
So I made a blank game in Unity for Android and compiled it. Then I opened it up in IDA, went to the Strings window, and searched for global-metadata.dat.
I looked for cross references and found one.
It is referenced in il2cpp::vm::GlobalMetadata::Initialize. This is the function responsible for parsing the global metadata file. Looking for cross references to this function, we again find exactly one.
It is referenced in il2cpp::vm::MetadataCache::Initialize. Again, this is not what we are looking for, so let's check for cross references to this function as well.
It has one cross reference, this time in il2cpp::vm::Runtime::Init.
This cross reference is interesting. Above it, we can see a call through the function pointer stored in g_CodegenRegistration_ptr. If we double-click that address, we can see that it points to the function g_CodegenRegistration.
And g_CodegenRegistration points to s_Il2CppCodeGenRegistration. In there, we can indeed see what we are looking for: metadataRegistration and codeRegistration. They are passed as arguments to the function il2cpp_codegen_register, codeRegistration as the first argument and metadataRegistration as the second. Now let's try it on Marvel Super War.
Reversing Marvel Super War
Note: use the 32-bit version of the game. I don't know why, but I can't get it to work in 64-bit.
Once again, we search for global-metadata.dat in the Strings window and look for cross references to it.
We find one cross reference. We can assume that this function is il2cpp::vm::GlobalMetadata::Initialize.
Then we look for cross references to that function and find one.
We can again assume that this is il2cpp::vm::MetadataCache::Initialize. Look again for cross references and we find one.
We can assume that this function is il2cpp::vm::Runtime::Init.
Above our cross reference, we can see a function call through the address stored in the R0 register. We can assume that this points to s_Il2CppCodeGenRegistration. The address of g_CodegenRegistration is in off_3460F40 - 0xB31598. Visiting that address, it points to a function, which we can assume is s_Il2CppCodeGenRegistration.
Visiting this function, it does look similar to the s_Il2CppCodeGenRegistration function from our own build. On 32-bit ARM the first two arguments of a call are passed in R0 and R1, so, matching the argument order of il2cpp_codegen_register seen earlier, we can assume that the address loaded into R0 is the codeRegistration and the address loaded into R1 is the metadataRegistration. Their addresses are unk_341F640 and unk_341FBD4, that is 0x341F640 and 0x341FBD4. Now let's try dumping the game with these offsets.
It succeeded.
Alternative Route
Alternatively, if we can't find the global-metadata.dat string, e.g. because it is encrypted, we can also start from the exported function il2cpp_init.
There you can see a function call to sub_B31484, which is il2cpp::vm::Runtime::Init. Scroll down until you see 4.0, and you will know that you are close.
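The cross-reference walk above (string, GlobalMetadata::Initialize, MetadataCache::Initialize, Runtime::Init) and the il2cpp_init fallback can both be scripted. The IDAPython script below is an added example written for this page; it is not code from the original post or from Il2CppDumper. It assumes the standard IDA 7.x idautils/idaapi/idc modules when run inside IDA, and outside IDA it runs the same walk over a constructed toy call graph (the addresses in TOY_XREFS are made up and only mirror the shape of the chain in the post). The names it assigns to the discovered functions are the ones the post identifies.

```python
"""Automate the cross-reference walk used in the post.

Added example (not from the original post, not part of Il2CppDumper):
  "global-metadata.dat" -> il2cpp::vm::GlobalMetadata::Initialize
                        -> il2cpp::vm::MetadataCache::Initialize
                        -> il2cpp::vm::Runtime::Init
Inside IDA it uses idautils/idaapi/idc; outside IDA it runs the same walk
over a constructed toy call graph so the logic can be checked offline.
"""

try:
    import idaapi
    import idautils
    import idc
    IN_IDA = True
except ImportError:
    IN_IDA = False

# Names the post assigns to each level of the chain, innermost first.
CHAIN_NAMES = [
    "il2cpp_vm_GlobalMetadata_Initialize",
    "il2cpp_vm_MetadataCache_Initialize",
    "il2cpp_vm_Runtime_Init",
]


def walk_up(start, callers, max_depth=8):
    """Follow unambiguous cross references upward from `start`.

    `callers(ea)` must return the set of function start addresses that
    reference `ea`.  The walk stops as soon as a level has zero or more
    than one referencing function, so the result is exactly the part of
    the chain a reverser can follow by pressing X in IDA without guessing.
    """
    chain = []
    cur = start
    for _ in range(max_depth):
        refs = callers(cur)
        if len(refs) != 1:
            break
        cur = next(iter(refs))
        chain.append(cur)
    return chain


def label_chain(chain, names=CHAIN_NAMES):
    """Pair each discovered function with the name the post gives that level."""
    return [(ea, names[i] if i < len(names) else "caller_%d" % i)
            for i, ea in enumerate(chain)]


# --- IDA-backed callbacks -------------------------------------------------

def ida_callers(ea):
    """Set of functions containing a cross reference to `ea` (IDA only)."""
    out = set()
    for xref in idautils.XrefsTo(ea, 0):
        func = idaapi.get_func(xref.frm)
        if func is not None:
            out.add(func.start_ea)
    return out


def ida_find_string(text):
    """Address of the first string item in the binary equal to `text`."""
    for item in idautils.Strings():
        if str(item) == text:
            return item.ea
    return None


# --- constructed toy graph so the walk runs outside IDA -------------------
# Addresses are made up; they only mirror the shape of the chain in the post:
# the string has one referrer, each Initialize has one caller, and
# Runtime::Init has two (il2cpp_init plus one more), which ends the walk.
TOY_XREFS = {
    0x1000: {0x2000},          # "global-metadata.dat"
    0x2000: {0x3000},          # GlobalMetadata::Initialize
    0x3000: {0x4000},          # MetadataCache::Initialize
    0x4000: {0x5000, 0x6000},  # Runtime::Init
}


def toy_callers(ea):
    return TOY_XREFS.get(ea, set())


def main():
    if IN_IDA:
        start = ida_find_string("global-metadata.dat")
        if start is None:
            # Alternative route from the post: the string may be encrypted,
            # so fall back to the exported il2cpp_init and work down from it.
            ea = idc.get_name_ea_simple("il2cpp_init")
            print("string not found; start from il2cpp_init at 0x%X" % ea)
            return
        chain = walk_up(start, ida_callers)
        for ea, name in label_chain(chain):
            idc.set_name(ea, name)
    else:
        chain = walk_up(0x1000, toy_callers)
    for ea, name in label_chain(chain):
        print("0x%X  %s" % (ea, name))
    print("open the last function and look just above the call to the "
          "previous one for the call through g_CodegenRegistration")


if __name__ == "__main__":
    main()
```

Inside IDA, run it with File > Script file; it renames the three functions so the chain is visible in the Functions window, and the final step (reading the codeRegistration and metadataRegistration arguments out of the call made just above the MetadataCache::Initialize cross reference in Runtime::Init) is still done by hand as in the post. The walk deliberately stops when a level has more than one referrer, because at that point the next function can no longer be identified from cross references alone.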
Conclusion
There you have it. This is how you can find CodeRegistration and MetadataRegistration manually. Thanks for reading.