How to use il2cpp.h, script.json & stringliteral.json files from Il2CppDumper

By

When you dump il2cpp games using Il2CppDumper, you will get the following files:

- il2cpp.h: Structure information header file
- script.json: For ida.py/ida_py3.py and ghidra.py
- stringliteral.json: Contains all stringLiteral information

The scripts are in the same folder of the Il2CppDumper executeable, if you extracted all. Otherwise, you can get them from Il2CppDumper releases. We only need following scripts for Android games

ida.py and ida_py3.py: Script for IDA to read script.json file
ida_with_struct.py and ida_with_struct_py3.py: Script for IDA to read script.json file and il2cpp.h file to apply structure information. It helps IDA load faster
ghidra.py: Script for Ghidra to read script.json file
ghidra_with_struct.py: Script for Ghidra to read script.json file and il2cpp.h file to apply structure information. It helps Gridra load faster

IDA Pro

The first thing to do is to make sure you have Python installed. You need Python 2 if using IDA 7.3 or below, and Python 3 if using IDA 7.4 or above (Correct me if i’m wrong)

Open IDA and load the il2cpp binary file straight forward

While the binary is loading, you can click File -> Script file… and load the .py script already. Navigate to the il2cppdumper directory and open one of the py files for your IDA version

1608928484162.png

ida.py or ida_py3.py: Script for IDA to read json file
ida_with_struct.py or ida_with_struct_py3.py: Script for IDA to read json file and read il2cpp.h file and apply structure information. It helps IDA load things faster

1608928514260.png

Note: If the .py files are not shown, check the dropdown like the screenshot above. If it only shows Script files (*.idc), means python hasn’t been installed correctly or enviorment path as not been set. Please make sure you have installed Python Correctly. It must show *Script files (*.idc, py)

Wait for the script to load. If you got bad declaration warning, just click OK. You can check “Don’t display this message again” if the warning is shown again

1608928524909.png

After that, you have now function names to search

1608928546515.png

Do not load stringliteral.json manually, it is automatically loaded

Ghidra

Python 3 needs to be installed on the system in order to use Python scripting in Ghidra.

Open Ghidra and load the il2cpp binary file straight forward

While the binary is loading, click the green Play button to open the Script Manager

1608928560356.png

Click List icon to open Bundle Manager

1608928565643.png

Click plus button to open file selection dialog

1608929074597.png

Navigate to the Il2CppDumper location that contains ghidra.py file, select the Il2CppDumper folder or other desired location and click OK

1608929085848.png

Your directory will be added to Bundle Manager.

1608929112688.png

Now close it

Search ghidra.py, select it on the list and click Play

1608929099457.png

The script will run and ask you to select script.json, select it and click Open. The type is not filtered but notice the title that it says script.json

1608929125414.png

Wait for it to load…

1608929133979.png

After that, you have now function names

1608929139011.png

Using ghidra_with_struct.py
If you want to use ghidra_with_struct.py, you first need to convert il2cpp.h to ghidra using il2cpp_header_to_ghidra.py. This script is broken, so download my modified script and replace it in the il2cppdumper location you have just selected https://github.com/AndnixSH/Il2CppDumper-GUI-1/raw/patch-1/Il2CppDumper/il2cpp_header_to_ghidra.py

Open Script Manager (The green Play button), and run select il2cpp_header_to_ghidra.py

Image 2023 05 23 18 40 31.png

Choose il2cpp.h file

Image 2023 05 23 18 50 32.png

If successful, the file il2cpp_ghidra.h will be generated

Image 2023 05 23 20 33 01.png

Open Script Manager again, and run select ghidra_with_struct.py

Image 2023 05 23 20 04 38.png

Select script.json file

Image 2023 05 23 20 21 13.png

Since it doesn’t ask for il2cpp.h or il2cpp_ghidra.h, unlike in IDA script, i’m not certain if it detects il2cpp_ghidra.h or not. I’m not familar with Ghidra so I can’t really tell. Feel free to comment if you have any infomation about it

Popular Posts

[TOOL] Unity Assets Bundle Extractor

By
Image
Unity .assets and AssetBundle editor UABE is an editor for Unity 3.4+/4/5/2017/2018 .assets and AssetBundle files. It can create standalone mod installers from changes to .assets and/or bundles. Type information extracted from Unity is used in order to generate text representations of various asset types. Custom MonoBehaviour types also are supported. There are multiple plugins to convert Unity assets from/to common file formats : The Texture plugin can export and import .png and .tga files and decode&encode most texture formats used by Unity. The TextAsset plugin can export and import .txt files. The AudioClip plugin can export uncompressed .wav files from U5's AudioClip assets using FMOD, .m4a files from WebGL builds and Unity 4 sound files. The Mesh plugin can export .obj and .dae (Collada) files, also supporting rigged SkinnedMeshRenderers. The MovieTexture plugin can export and import .ogv (Ogg Theora) files.
Read more

Il2CppDumper GUI Android App

By
Image
This is @Perfare’s Modified version of il2cppDumper (GUI) for Android Supported Versions Android 5 - Android 13 API Level 21 - API Level 33 Tested Tested in Android 6, 10, 11, 12L physical device Download Download: Releases · Poko-Apps/Il2cppDumpDroidGUI Before Downloading the apk file , you should know this app may have one or multiple bugs maybe your device not compatible for this app Installation While installation process , play protect might warn you . Like this : If so then click ‘Install Anyway’. If installation failed for any reason, uninstall the previous version and try again !! Notes Protected Target’s can’t be dump by this dumper (same as @Perfare’s one) If you find any bug or problem then please kindly report it with proper information, I’ll try my best to resolve it. In low-end devices it take a while to dump . Output files directory is under ‘DumpDroid’ folder App is on active devlopment Often Asked Question Does it supports dumping w
Read more