{"id":20520904,"url":"https://github.com/ac3ss0r/il2cpp-exploitation-poc","last_synced_at":"2025-07-16T23:35:42.481Z","repository":{"id":65791266,"uuid":"597956052","full_name":"ac3ss0r/Il2Cpp-Exploitation-POC","owner":"ac3ss0r","description":"Il2Cpp android unity game exploitation by patching assembly in runtime proof-of-concept.","archived":false,"fork":false,"pushed_at":"2023-04-19T12:23:50.000Z","size":22101,"stargazers_count":48,"open_issues_count":0,"forks_count":7,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-14T02:34:04.742Z","etag":null,"topics":["asm-patching","game-modding","reverse-engineering","unity"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ac3ss0r.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-02-06T04:26:37.000Z","updated_at":"2025-04-09T20:01:06.000Z","dependencies_parsed_at":null,"dependency_job_id":"61a4561c-cc55-49ca-94eb-0029139f3108","html_url":"https://github.com/ac3ss0r/Il2Cpp-Exploitation-POC","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ac3ss0r/Il2Cpp-Exploitation-POC","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ac3ss0r%2FIl2Cpp-Exploitation-POC","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ac3ss0r%2FIl2Cpp-Exploitation-POC/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ac3ss0r%2FIl2Cpp-Exploitation-POC/releases","manifests_url":"https://repos.
ecosyste.ms/api/v1/hosts/GitHub/repositories/ac3ss0r%2FIl2Cpp-Exploitation-POC/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ac3ss0r","download_url":"https://codeload.github.com/ac3ss0r/Il2Cpp-Exploitation-POC/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ac3ss0r%2FIl2Cpp-Exploitation-POC/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265550423,"owners_count":23786565,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["asm-patching","game-modding","reverse-engineering","unity"],"created_at":"2024-11-15T22:24:16.361Z","updated_at":"2025-07-16T23:35:42.426Z","avatar_url":"https://github.com/ac3ss0r.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Il2Cpp Exploitation POC (Proof-Of-Concept)\n### Theory\nIl2cpp is a technology used for converting [CIL](https://ru.wikipedia.org/wiki/Common_Intermediate_Language) to machine code. It is used in the Unity game engine for optimization and by most popular Unity games, for example Pixel Gun 3D.\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/acessors/Il2Cpp-Exploitation-POC/blob/main/il2cpp.png?raw=true\"\u003e\u003c/p\u003e\nThere is no way to fully convert Il2cpp binaries back to CIL, so to crack those games and applications we need to patch the native assembly code itself. 
\n\nThere are 2 main methods of assembly patching:\n\n- By byte (hex) signatures - in this method the algorithm searches memory for the specified signature and replaces it with new bytes. The advantage of this method is that method signatures often stay the same for a while (so the patch keeps working even across different game versions). The disadvantage is that method signatures sometimes collide, causing you to patch not only the method you wanted but other ones too (and possibly crash the application).\n\n- By offsets - in this method the algorithm seeks to a specified offset in memory (from the start of the specified .so library) and replaces the bytes starting at that offset. This method is more efficient and stable in many cases, but the disadvantage is that the offsets almost always change between game versions, and you'll need to find them again so the patch works in newer updates.\n\n### Practice\nI've created a test application made in Unity with Il2cpp to show how it can be exploited.\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/acessors/Il2Cpp-Exploitation-POC/blob/main/Poc1.jpg?raw=true\"\u003e\u003c/p\u003e\n\nI also made a Lua Game Guardian library that supports patching using both the hex signature and the offset method; it can be found in \u003ca href=\"https://github.com/acessors/Il2Cpp-Exploitation-POC/blob/main/patchLib.lua\"\u003epatchLib.lua\u003c/a\u003e. So now we can start exploiting.\n\nFirst I dump the assemblies using \u003ca href=\"https://github.com/Perfare/Il2CppDumper\"\u003eIl2CppDumper\u003c/a\u003e; this gives us every method signature.\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/acessors/Il2Cpp-Exploitation-POC/blob/main/dnspy.png?raw=true\"\u003e\u003c/p\u003e\n\nThe bool in the application itself always returns true. 
Let's change the return value to false, for example.\n\n```lua\nrequire('patchLib') -- import the library\n\ngg.setRanges(gg.REGION_CODE_APP | gg.REGION_C_DATA) -- set up memory regions\nprintOffset(\"libil2cpp.so\", 0x524EA4, 8) -- print the bytes before the patch\npatchOffset(\"libil2cpp.so\", 0x524EA4, \"00 00 A0 E3 1E FF 2F E1\") -- patch by offset\nprintOffset(\"libil2cpp.so\", 0x524EA4, 8) -- print the bytes after the patch\n```\n\nThe \"00 00 A0 E3 1E FF 2F E1\" is basically\n\n```asm\nmov r0, #0\nbx lr\n```\n\nin ARM assembly, which means return 0, i.e. return false.\n\nNow we execute the script using Game Guardian and press \"Get values\". It works as expected - the method now always returns false, and we see that in the output.\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/acessors/Il2Cpp-Exploitation-POC/blob/main/Poc2.jpg?raw=true\"\u003e\u003c/p\u003e\n\nWe can patch each method in the same way we did with the boolean one. All the examples used in this project are available in this repository.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fac3ss0r%2Fil2cpp-exploitation-poc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fac3ss0r%2Fil2cpp-exploitation-poc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fac3ss0r%2Fil2cpp-exploitation-poc/lists"}