
Il2CppInspector 2021.1

@djkaty djkaty released this 31 Jan 13:20

We Inspected (almost) Everything.

Il2CppInspector 2021.1 brings an avalanche of new features and bug fixes, with a focus on enabling as many IL2CPP applications as possible to be analyzed.

In addition, Perfare - author of the popular Il2CppDumper tool - has asked us to port some features of Il2CppDumper over to Il2CppInspector in order to create a single unified tool going forward. This release brings Il2CppInspector to feature parity with Il2CppDumper, in addition to all of the pre-existing extra functionality, with the exception of WebAssembly and NSO file format support (coming soon).

Major new features:

  • Plugins: You can now create plugins that modify any stage of the load pipeline, implement custom deobfuscation and decryption, perform additional analysis and generate additional outputs.

    This enables you to write standalone code for specific workloads without needing to fork and edit the source code of Il2CppInspector, and your code will continue to work when we release new updates.

    We're really excited about this new feature and have created a Plugin Wiki with information to help you get started writing your own plugins. We've also created many example plugins you can check out to learn more! You can also submit your own plugins, and we will bundle the current set of plugins with each new release.

  • DLL output support: You can now output assembly shim DLLs that are semantically compatible with those produced by the "dummy DLL" function of Il2CppDumper. This is a complete rewrite of Il2CppDumper's DLL output using dnlib and Il2CppInspector's type model, and brings the following enhancements:

    • Orphaned property methods are now handled correctly
    • Events are now handled correctly
    • ref type method parameters are now output correctly
    • Static field offsets are now output (StaticFieldOffset attribute)
    • Assembly-level attributes are now output for each assembly
    • Assembly and module metadata tokens are now output
    • Attributes with zero arguments are applied directly rather than via the Attribute attribute for improved readability
    • Static array initializers include an 8-byte preview of the array contents (MetadataPreview attribute)
    • The generated output is self-contained with no external references to mscorlib.dll - this means the generated DLLs can be used with Il2CppAssemblyUnhollower without modification even on .NET Core
    • You can now suppress output of all metadata attributes (use --suppress-dll-metadata on the CLI or the corresponding GUI option) - handy if you just want to browse or compare the raw type definitions
  • Dumped memory image support: memory dumps can now be loaded and rebased (use --image-base at the CLI or Import Options in the GUI to specify the image base address)

  • GameGuardian dump / Linux process map support: you can load a GameGuardian dump or Linux process map without needing to split or extract libil2cpp.so first or know the image base address. Specify the *-maps.txt file in place of the binary file and Il2CppInspector will reconstruct and rebase libil2cpp.so for you

  • Automated deobfuscation:

    • The new Beebyte Deobfuscator is our first 3rd party plugin and can deobfuscate .NET type and field names when supplied with an earlier, unobfuscated version of the same application by performing a differential analysis and applying renaming to the obfuscated version. The unobfuscated input can be either an IL2CPP or Mono build. You can also optionally output a text file containing a list of name translations, or a plugin source code file for use with Il2CppTranslator

      NOTE: You MUST supply an unobfuscated (or less obfuscated) version of the application in order to perform automatic deobfuscation!

      NOTE: This plugin is still a work in progress and may contain bugs. Properties and method names are not currently deobfuscated.

    • Most types of packed PE files (Windows DLLs) can now be loaded automatically (eg. Themida DRM)

    • Automatic reconstruction of the correct field order for Il2CppCodeRegistration and Il2CppMetadataRegistration in most cases where it has been obfuscated (eg. Riot Games workloads)

    • Automatic decryption of XOR-encrypted .NET symbols

    • More sophisticated heuristics are now used to determine binary file XOR keys and block sizes; this should improve compatibility with some encrypted workloads (eg. Arknights, Call of Duty Mobile, Garena Free Fire + many others)

    • Automatic binary XOR decryption now also works on 64-bit (ARMv8) binaries

    • ROT-encrypted API exports will now be resolved automatically (eg. Legends of Runeterra, League of Legends Wild Rift)

    • Honkai Impact and Genshin Impact can now be loaded using the miHoYo plugin (bundled) (you must supply a UnityPlayer.dll from a matching version, even if analyzing a mobile release)

    • Tale of Immortal (鬼谷八荒 / Guigubahuang) can now be loaded using the guigubahuang plugin (bundled)

      WARNING ON THE USE OF AUTOMATIC PE UNPACKING: Loading a packed PE file executes arbitrary 3rd party code on your machine. Do not load potentially malicious DLLs, never run Il2CppInspector as an administrator when handling packed PE files, and prefer a disposable VM for any DLL you do not trust. USE AT YOUR OWN RISK.

      PLEASE NOTE: We will not be providing deobfuscators for every workload; the functionality above is provided by plugins for example purposes and we recommend you use the provided APIs to write your own plugins if you need to analyze an application not directly supported by Il2CppInspector. We do not take requests - please do not file issues asking for specific applications, they will be ignored.

  • Tutorials and guides: We've published a tranche of new guides for you:
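
The GameGuardian dump / Linux process map loading described above, as an added worked example that is not Il2CppInspector's loader: parse a /proc/<pid>/maps-style listing, find libil2cpp.so, take its image base from the mapping with file offset 0 (the one holding the ELF header), and stitch the dumped ranges into one image so that absolute pointers read from the dump can be rebased to image offsets. The maps text and region bytes are constructed for the example, and the assumption that the *-maps.txt file follows the /proc/<pid>/maps column layout is mine, not something the release notes state.

```python
"""Locate libil2cpp.so in a /proc/<pid>/maps-style listing and stitch the dumped ranges
back into one image laid out at its original base address.

Hypothetical, stand-alone illustration; not Il2CppInspector's loader. Assumes the
*-maps.txt file uses the /proc/<pid>/maps column layout:
    start-end perms offset dev inode [path]
"""
import re
from dataclasses import dataclass

MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-fA-F]+)-(?P<end>[0-9a-fA-F]+)\s+(?P<perms>\S{4})\s+"
    r"(?P<offset>[0-9a-fA-F]+)\s+\S+\s+\d+\s*(?P<path>.*)$"
)


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    offset: int  # file offset this range was mapped from
    path: str


def parse_maps(text):
    """Parse every well-formed line; skip anything that does not match (headers, blanks)."""
    maps = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            maps.append(Mapping(int(m["start"], 16), int(m["end"], 16), m["perms"],
                                int(m["offset"], 16), m["path"].strip()))
    return maps


def library_segments(maps, name="libil2cpp.so"):
    """All ranges backed by the named library, in address order."""
    segs = [m for m in maps if m.path.split("/")[-1] == name]
    if not segs:
        raise ValueError(f"{name} is not mapped in this process")
    return sorted(segs, key=lambda m: m.start)


def find_image_base(maps, name="libil2cpp.so"):
    """Image base = start of the lowest mapping of the library with file offset 0 (the ELF
    header mapping). Every virtual address in the dump is relative to this value."""
    header = [m for m in library_segments(maps, name) if m.offset == 0]
    if not header:
        raise ValueError(f"no offset-0 mapping for {name}; cannot determine the image base")
    return header[0].start


def reconstruct_image(maps, read_region, name="libil2cpp.so"):
    """Lay the dumped ranges out at (VA - base) in one buffer, zero-filling gaps, so the
    result behaves like an image loaded at `base`. read_region(start, end) returns the
    dumped bytes for one mapping (e.g. one file per range in a GameGuardian dump)."""
    segs = library_segments(maps, name)
    base = find_image_base(maps, name)
    image = bytearray(segs[-1].end - base)
    for m in segs:
        data = read_region(m.start, m.end)
        if len(data) != m.end - m.start:
            raise ValueError(f"region {m.start:#x}-{m.end:#x} is truncated in the dump")
        image[m.start - base:m.end - base] = data
    return base, bytes(image)


def va_to_image_offset(va, base, image_size):
    """Rebase an absolute pointer read from the dump to an offset in the reconstructed image."""
    off = va - base
    if not 0 <= off < image_size:
        raise ValueError(f"{va:#x} does not lie inside the image")
    return off


# Constructed sample (not a real dump): a maps listing and the bytes of each dumped range.
SAMPLE_MAPS = """\
7a1c000000-7a1c001000 r--p 00000000 fd:00 1234   /data/app/com.example.game/lib/arm64/libil2cpp.so
7a1c001000-7a1c003000 r-xp 00001000 fd:00 1234   /data/app/com.example.game/lib/arm64/libil2cpp.so
7a1c003000-7a1c004000 rw-p 00003000 fd:00 1234   /data/app/com.example.game/lib/arm64/libil2cpp.so
7a1c004000-7a1c006000 rw-p 00000000 00:00 0      [anon:.bss]
7a1d000000-7a1d001000 r-xp 00000000 fd:00 5678   /data/app/com.example.game/lib/arm64/libunity.so
"""
SAMPLE_DUMP = {
    0x7A1C000000: b"\x7fELF" + bytes(0x1000 - 4),
    0x7A1C001000: b"TEXT" + bytes(0x2000 - 4),
    0x7A1C003000: b"DATA" + bytes(0x1000 - 4),
}


def reconstruct_sample():
    return reconstruct_image(parse_maps(SAMPLE_MAPS), lambda s, e: SAMPLE_DUMP[s][:e - s])


if __name__ == "__main__":
    base, image = reconstruct_sample()
    print(f"libil2cpp.so base {base:#x}, {len(image):#x} bytes reconstructed")
```

The offset-0 rule is what makes the base recoverable without a symbol or a known address: a library's first mapping always begins at file offset 0 because the loader maps the ELF header there. Anonymous ranges such as .bss carry no path and are deliberately not stitched in; if a workload keeps data you need there, copy that range in by address the same way.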

Minor features:

  • XAPK package files are now supported

  • ZIP files containing APKs are now supported directly

  • You can now save extracted, decrypted or deobfuscated global-metadata.dat and binary files via the CLI or GUI (use --metadata-out and --binary-out at the CLI)

  • You can now specify a Unity asset file to give Il2CppInspector the precise Unity version used, rather than specifying the version by hand or letting Il2CppInspector guess. This can be used to improve the accuracy of some types of output (use --unity-version-from-asset at the CLI or Get Unity version from asset file... in the GUI)

  • We hired someone who can use Paint to make an application icon for Il2CppInspector's GUI, yay!

  • We hit some things with a hammer and some types of file will now load much faster - huzzah!
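
The automatic XOR decryption listed under Automated deobfuscation above, together with the --metadata-out option for saving the decrypted global-metadata.dat, as an added worked example that is not Il2CppInspector's own code: it recovers a repeating XOR key by per-position frequency analysis, validates each candidate against the IL2CPP metadata header, and writes the decrypted file out. The sample key and plaintext are constructed; the sanity constant 0xFAB11BAF is the real first field of a global-metadata.dat header; the tool's own heuristics, including the block-size detection the notes mention, are not on this page and are not reproduced.

```python
"""Recover a repeating XOR key from an encrypted global-metadata.dat and write the
decrypted file out, in the spirit of Il2CppInspector's automatic XOR decryption.

Hypothetical, stand-alone illustration; not Il2CppInspector's code, and the tool's own
heuristics (including block-size handling) are not shown here. The only IL2CPP fact
relied on is that a global-metadata.dat begins with the uint32 sanity value 0xFAB11BAF.
"""
import struct
from collections import Counter

METADATA_SANITY = 0xFAB11BAF  # first field of the global-metadata.dat header


def xor_bytes(data, key):
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def candidate_key(data, klen):
    """Frequency heuristic: metadata is dominated by zero bytes (padding, small ints),
    so the most frequent ciphertext byte at each key position is that key byte."""
    return bytes(Counter(data[i::klen]).most_common(1)[0][0] for i in range(klen))


def recover_xor_key(encrypted, max_key_len=16):
    """Try key lengths 1..max_key_len. A candidate is accepted only if it decrypts the
    header to the sanity value; among accepted candidates keep the one whose plaintext
    contains the most zero bytes. The zero-count score matters: a candidate that is only
    a prefix of the real key (e.g. 4 of 8 bytes) can still decrypt the 4-byte header
    correctly but leaves half of the file garbled, and so scores far lower."""
    best_key, best_score = None, -1.0
    for klen in range(1, max_key_len + 1):
        key = candidate_key(encrypted, klen)
        sanity, = struct.unpack_from("<I", xor_bytes(encrypted[:4], key))
        if sanity != METADATA_SANITY:
            continue
        score = xor_bytes(encrypted, key).count(0) / len(encrypted)
        if score > best_score:  # strict: the shortest of equally good keys wins
            best_key, best_score = key, score
    return best_key


def decrypt_metadata(encrypted, max_key_len=16):
    key = recover_xor_key(encrypted, max_key_len)
    if key is None:
        raise ValueError(f"no repeating XOR key of length <= {max_key_len} yields a valid header")
    return key, xor_bytes(encrypted, key)


def decrypt_metadata_file(in_path, out_path):
    """File-level wrapper: the decrypted output is what --metadata-out would save."""
    with open(in_path, "rb") as f:
        key, plain = decrypt_metadata(f.read())
    with open(out_path, "wb") as f:
        f.write(plain)
    return key


# Constructed sample (not a real file): a minimal header (sanity, version 24), zero
# padding and a few string-literal bytes, encrypted with an 8-byte key.
def build_sample_metadata():
    header = struct.pack("<II", METADATA_SANITY, 24)
    strings = b"Assembly-CSharp.dll\0UnityEngine.CoreModule.dll\0Player\0"
    return header + bytes(2048) + strings + bytes(2048)


SAMPLE_KEY = bytes.fromhex("5a3c9e1177d0b8f4")
SAMPLE_ENCRYPTED = xor_bytes(build_sample_metadata(), SAMPLE_KEY)


if __name__ == "__main__":
    key, plain = decrypt_metadata(SAMPLE_ENCRYPTED)
    print(f"recovered key {key.hex()}, metadata version {struct.unpack_from('<I', plain, 4)[0]}")
```

Checking only the header is not enough, which is why the score exists: with an 8-byte key, the length-4 and length-16 candidates can both reproduce the sanity value, and only the zero-byte count separates the truncated key (half the file wrong) from the real one and its repetitions. Real obfuscators also vary the key per block, which this single-period search does not model.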

Minor improvements:

  • C++: enums will now be output as enum classes for scaffolding projects
  • C++: Scaffolding projects have il2cpp_thread_attach(il2cpp_domain_get()) added to the start of Run() to prevent fatal unmanaged exceptions when calling certain methods
  • CLI: You can now select individual outputs by specifying --select-outputs; this will cause all outputs to be suppressed except those you specify as arguments. The default is still to output everything
  • IL2CPP: Archive files are no longer read-locked while loading, allowing you to run Il2CppInspector when they are open elsewhere
  • Type model: Removed no longer necessary thread locking when generating custom attribute data

Notable bug fixes:

  • C#: Fix failure to generate class/tree folder layout when there are invalid namespace names
  • C#: Fix assembly type indices still being emitted when --suppress-metadata was specified
  • C#: Fix crash outputting 64-bit Flags-style enums with the top bit set
  • C++: Signed enum type output did not match the enum's underlying type
  • C++: Signed enum values that are negative will no longer be output in hexadecimal
  • C++: Fixed a compilation error in scaffolding projects "fields is not a member of app::String" for certain IL2CPP applications
  • Formats/ELF: Don't crash trying to fetch a section by name that doesn't exist
  • Ghidra: Dumped ELF images were not rebased correctly
  • GUI: The GUI won't crash silently on startup anymore if an error occurs
  • IDA: Fixed "abstract declaration is not allowed here" error when parsing C headers for certain IL2CPP applications
  • IDA: Fixed "SetType failed!" error when applying script to an IDB where some duplicate types already exist
  • IL2CPP: Fixed an edge case causing a rare crash when analyzing metadataUsages list
  • IL2CPP: Fixed an edge case causing a workload with an unusually large number of reversePInvokeWrappers to fail to load
  • IL2CPP: Fixed method pointer offsets output being off-by-1 in certain types of non-PE x86/x64 binaries
  • Type model: Fix crash that occurred on invalid/obfuscated assembly or namespace strings
  • Type model: Fix crash that occurred when resolving generic type arguments in 32-bit binaries that have been rebased
  • Type model: Fix GetType() and GetGenericMethod() incorrectly returned null when searching for a type or method in the global namespace
  • Unity: Fix crash comparing Unity versions when one of the version ranges is open-ended (caused crash on the latest Unity releases)
  • ...and more

Unity support:

  • Support was added or tested where applicable for Unity versions up to Unity 2018.4.31, Unity 2019.4.18 and Unity 2020.2.2 (the current latest)

New APIs for developers:

  • Formats: FileFormatReader classes can now receive a LoadOptions argument with custom load options
  • Formats: Added FileFormatReader<T>.DefaultFilename to fetch the default filename for a given file format
  • Formats: Added Section class and IFileFormatStream.GetSections() / IFileFormatStream.TryGetSections() for universal processing of sections regardless of file format (ELF files will use the PHT if the SHT has been destroyed)
  • Formats: File types can now have multiple "load strategies" which will be tried in sequence once the file format has been identified (eg. unpacked, packed); see IFileFormatReader.TryNextLoadStrategy()
  • IL2CPP: Metadata and Il2CppBinary now derive from the new BinaryObjectStream allowing easy reading and writing of types to the underlying streams
  • IL2CPP: Added IsModified property to Metadata and Il2CppBinary
  • IL2CPP: Added Il2CppBinary.SaveToFile(), Metadata.SaveToFile() and equivalent surrogates Il2CppInspector.SaveBinaryToFile() and Il2CppInspector.SaveMetadataToFile() to enable saving of modified files
  • Plugins: An entire new API set was created for plugins, and many previously private or internal types, fields and properties were made public. See the Il2CppInspector Plugin Wiki for full details. Users developing standalone apps using the Il2CppInspector API can disable the entire plugin system with PluginManager.Enabled = false
  • Type model: A small number of MemberAttributes flags that were omitted are now included (eg. FieldAttributes.RTSpecialName). PropertyAttributes and MethodImplementationFlags were added as per the .NET Reflection API
  • Type model: MetadataToken was added to all type model objects as per the .NET Reflection API
  • ...and more

We're going to take a little break now, but we'll be back in May to cause more trouble (critical bug fixes will still be posted). Happy hacking!

Many thanks to @std-nullptr, @Perfare, @OsOmE1, @cctgapp, @AndnixSH, @MerzZly, @badluck13, @rustyx, @RaenonX and everyone else who provided input and contributions to this release!