Is it possible to deobfuscate Il2Cpp game?
I know many modders have been looking for Il2Cpp deobfuscation and asked about it, so I thought I'd explain whether it's possible.
Is it possible? Technically yes, if you have some reliable information somewhere, like an older version of the game; otherwise, no. Obfuscation simply renames everything without storing the original names. Tools like de4dot don't know anything about the original names either; they would just change the obfuscated names to GClassXXXX, smethod_XX, Int32_XX etc.
Before:
After:
It's important to note that obfuscation is not proper encryption but rather an obstacle. Encryption, however, can often be undone with the decryption key or by dumping information from memory. Other times it is simply a manual process that takes time to work through.
Getting copy of older versions:
Sometimes, older versions do not have obfuscation. Take a look at the older versions of the game and dump them one by one until you find one that does not have obfuscation. This process may provide hints and make the analysis easier. For example, in Among Us, versions up to v2020.9.9 are not obfuscated, while v2020.10.22 and later versions are obfuscated.
APK sites like Apkpure, Apkcombo, Apkmirror, and Apk4fun allow you to download older versions. Apk4fun, in particular, can hold versions that are more than 4 years old.
On iOS, you need to use the AppStore++ tweak to downgrade the app and decrypt the IPA/binary again.
As for PC, I’m not sure. It’s possible that Steam has a special tool to downgrade.
Whenever possible, remember to make a backup of the game with each update. Old versions can be useful.
If there are no unobfuscated versions available, you’re out of luck.
To get started, you can begin reverse-engineering both the unobfuscated and obfuscated versions of the game, compare various elements, and conduct pattern searches. However, please note that this is a time-consuming task, and I won't delve into the details here. You can seek assistance from existing tools like AUDeobfuscator or Il2CppInspector to deobfuscate using the unobfuscated (or less obfuscated) version of the game. It's important to mention that these tools may be outdated, so you might need to modify them to support newer Unity versions. Rest assured that some modders have used this approach successfully.
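As an added illustration of the version-comparison idea (this is not code from the post, nor from AUDeobfuscator or Il2CppInspector), the Python script below parses two constructed, simplified dump.cs-style excerpts and matches obfuscated classes to their originals using only what renaming leaves behind: base class, field types in order, and method return/parameter types. Classes with identical layouts are reported as ambiguous, which is exactly where this approach stops helping.

```python
import re

# Constructed, simplified dump.cs-style excerpts (not taken from any real game).
# Only identifiers differ between them: types, field order and arity are untouched.
OLD_DUMP = """
public class PlayerControl : MonoBehaviour
    public float moveSpeed; // 0x18
    public int lives; // 0x1C
    public void TakeDamage(int amount) { }
public class GameSettings
    public int maxPlayers; // 0x10
    public float killCooldown; // 0x14
"""
NEW_DUMP = """
public class GClass1042 : MonoBehaviour
    public float float_0; // 0x18
    public int int_0; // 0x1C
    public void smethod_17(int int_1) { }
public class GClass1043
    public int int_2; // 0x10
    public float float_1; // 0x14
"""
HEADER_RE = re.compile(r"^(\w+)(?: : (\w+))?")
FIELD_RE = re.compile(r"^\s+public (\w+) \w+;")
METHOD_RE = re.compile(r"^\s+public (\w+) \w+\(([^)]*)\)")

def parse_dump(text):
    classes = {}  # class name -> (base class, field types, ((return, param types), ...))
    for block in text.split("public class ")[1:]:
        header, *body = block.splitlines()
        name, base = HEADER_RE.match(header).groups()
        fields = tuple(m.group(1) for m in map(FIELD_RE.match, body) if m)
        methods = tuple((m.group(1), tuple(p.split()[0] for p in m.group(2).split(",") if p.strip()))
                        for m in map(METHOD_RE.match, body) if m)
        classes[name] = (base, fields, methods)  # names are dropped, structure is kept
    return classes

def match_classes(old, new):
    by_sig = {}  # structural signature -> original class names with that signature
    for orig, sig in old.items():
        by_sig.setdefault(sig, []).append(orig)
    mapping, ambiguous = {}, {}
    for obf, sig in new.items():
        hits = by_sig.get(sig, [])
        if len(hits) == 1:
            mapping[obf] = hits[0]
        elif hits:  # identical layouts: structure alone cannot tell them apart
            ambiguous[obf] = hits
    return mapping, ambiguous
```

Running `match_classes(parse_dump(OLD_DUMP), parse_dump(NEW_DUMP))` maps GClass1042 to PlayerControl and GClass1043 to GameSettings; on a real dump, the ambiguous set is where manual analysis has to take over.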
**Other ways to deal with obfuscation**
- **Analyzing in IDA or Ghidra:** It's always a good idea to load the Python scripts for the dumped il2cpp into a disassembler, IDA or Ghidra, which makes analysis easier (see the Platinmods guide "How to use il2cpp.h, script.json and stringliteral.json (Il2CppDumper)"), and then guess which methods to mod. Guessing can take a little bit longer, though.
- **Memory hacking:** Memory hacking tools like GameGuardian, Cheat Engine etc. can already do all the fun stuff by just searching for a value; you don't need function names and offsets to mod.
On GameGuardian, you can write your own Lua script with a mod menu, though this is not recommended since even encrypted Lua is still leechable. If you are familiar with C++, you can port your GG values to C++ using this source: mrcang09/Android-Mem-Edit
- **Debugging:** Debugging can be useful sometimes. Use whatever debugging tool you prefer, such as Frida.
Can you get the original names back by dumping memory?
No! What do you expect? Nothing is recovered at runtime. Obfuscation is not encryption.
If you somehow manage to get the original names back after dumping the lib, it is because the lib was encrypted, which caused Il2CppDumper to dump incorrect information. That has nothing to do with obfuscation at all! Try dumping Block Strike to see if the same trick works.
But… bro, there must be a way to get the original names directly without using any of the tricks above?
sigh
The only way is to ask the game developers to give you an unobfuscated APK, or to hope they ship an unobfuscated APK by accident in some update or to beta testers. Good luck with that.