This guide will walk through how to decompile/reverse engineer IL2CPP games for modding usage.
Note: expect this entire process to take upwards of an hour. Have something ready to do on the side while waiting for processing to finish.
- Download Il2CppDumper
- Download Ghidra
- Ghidra requires a supported installation of OpenJDK 17 - I recommend Amazon Corretto
- Download a current version of Python. Honestly I don't even know what version is set as my default so I suspect any python3 will work.
Decompiling the assembly with Ghidra will lose most symbol information by default. Fortunately, IL2CPP preserves symbol information for us as global metadata. We will use Il2CppDumper to extract the relevant metadata.
- Open up a command line in your game folder
- Create a directory which will hold your outputs
- Run the following:
Path/To/Il2CppDumper/Executable GameAssembly.dll GameName_Data/il2cpp_data/Metadata/global-metadata.dat Path/To/Output/Folder - Il2CppDumper will generate a variety of files for you.
- In the DummyDll folder, you will find stub assemblies similar to what you would get from MelonLoader.
- il2cpp.h contains C header files with type information.
- script.json provides configuration info for Ghidra and IDA scripts.
- stringliteral.json provides information of all the string literals in the program.
- The default file generated by Il2CppDumper has compatibility issues with Ghidra, so we will have to address them. Fortunately
there is an easy script to do this.
- Navigate to your output directory
- Run the following:
python Path/To/Il2CppDumper/Folder/il2cpp_header_to_ghidra.py - Observe that il2cpp_ghidra.h has been generated.
- Navigate to your Ghidra installation and run ghidraRun.bat
- File -> New Project
- Set the project name as desired (I like the format GameName_X_Y_Z where X, Y, and Z make up the version number).
- Finish
- Click the Code Browser (dragon head) icon.
- File -> Import File. Select GameAssembly.dll. When prompted, the default settings should be sufficient.
- You will be prompted to do an auto-analysis, select no as it will make Ghidra run much slower.
- Import type data
- File -> Parse C Code
- Under Parse Configuration, select VisualStudio22_64.prf
- Click "Save Profile to New Name" (2nd icon in the top bar)
- Remove all entries from "Source Files to Parse", "Include Paths", and "Parse Options"
- Add the generated il2cpp_ghidra.h to the "Source Files to Parse" section.
- Click "Parse to Program" and then "Continue". If prompted, select "Use Open Archives". This may take a while.
- If the parser encounters syntax errors, open the file in a text editor like Notepad++ and navigate to the line in question. Note down the line number for later and comment out the entire body of the struct where the syntax error appears. Often, the syntax error Ghidra is complaining about is not a real error so we'll just work around it until Ghidra is happy.
- If needed, we can later use the Structure Editor in Ghidra to re-populate the struct
- Repeat as needed until Ghidra successfully parses the header.
- You can view the imported types in the data types window
- Import function data. Open the script manager (green play icon) and run ghidra_with_struct.py.
When Prompted, select the script.json that Il2CppDumper generated earlier.
- If this is your first time, you'll have to add the Il2CppDumper scripts to Ghidra by clicking "Manage Script Directories" (third-to-last icon in the script manager top bar) and adding your Il2CppDumper install directory to the list
- Wait patiently while Ghidra decompiles the code. You can watch the progress in the lower right corner. This will take a while.
- Use Window -> Functions to open the function display. Here we can search for the methods we want. Start with
ClassName$$MethodNameorClassName$$if you don't know the specific method you want yet. - Dealing with async functions and coroutines - these get generated as anonymous state machine classes. For example,
they might appear in
ClassName.<MethodName>d__44$$MoveNext(the numbers are compiler generated). When you decompile the original method, you should easily be able to identify the calls to these state machines, and can track them down in functions window as you normally would. Again, the MoveNext method is where the state machine is actually implemented. - You can right click variables to rename them for easier readability.
Holy crap, it finally finished. Definitely was an issue with run order though.
My theory on the speed issue is this: From what I can tell the issue is that Ghidra is incredibly slow at deleting/replacing type definitions. When parsing
il2cpp_ghidra.hfails partway through, Ghidra still stores all successfully parsed type definitions. However, trying to parse the header file again at this point leads to a bunch of replacement operations which are known to be incredibly slow in Ghidra: NationalSecurityAgency/ghidra#4431 . I tried manually deleting the definitions from the "Data Type Manager" (bottom left in Ghidra), but this too looked like it would take millenia.The fastest way to actually retry was to (crazily enough) recreate a Ghidra project and do all of the steps from the beginning again. When I did this with a
il2cpp_ghidra.hwith no parse errors, parsing took only 5 minutes (vs. I had let it run for 2 hours previously and it had not terminated).For people coming to this thread in the future: I'd recommend making sure your
il2cpp_ghidra.his completely free of parse errors before trying to parse in Ghidra to avoid this issue and having to recreate your Ghidra project. I tried messing around withgccto do this, but I didn't find a good set of options for only giving you the fatal cases that would causeGhidraparse errors.gcc -fsyntax-only -Wfatal-errorswas close, but I think the issue is that theil2cpp_ghidra.huses compiler directives that gcc doesn't understand. My guess is there's probably a way to properly do it with MSVC. (Edit: Yeah, seems like it's an MSVC thing.gccwas getting upset by __int8 directives: https://learn.microsoft.com/en-us/cpp/cpp/int8-int16-int32-int64?view=msvc-170)