Practical IL2CPP Reverse Engineering: Extracting Protobuf definitions from applications using protobuf-net (Case Study: Fall Guys)
DISCLAIMER: The following information and source code is provided for educational purposes only. I do not condone cheating in online multiplayer games and expressly discourage this behaviour. This tutorial is intended to demonstrate the thought processes and techniques involved in reverse engineering. It is not intended to enable cheating, the modification of gameplay or any interference or alteration of any server-side components of the analysed product in any way whatsoever. Check your local laws before using this software. At the time of writing I have never connected to a Fall Guys network endpoint or launched the client.
You can download the full source code for this tutorial from the Il2CppProtoExtractor-FallGuys GitHub repo.
[Updated 7th December 2020: added instructions for using Il2CppInspector’s NuGet package in preference to creating a git clone; added link to commit with an example showing how to find attribute values automatically with a disassembly framework]
Introduction
Il2CppInspector provides several powerful tools to interact with IL2CPP application code and data via static analysis:
- A low-level binary representation (Il2CppInspector) which allows you to query the IL2CPP metadata in its original format
- A .NET type model (TypeModel) which provides a Reflection-style API to all of the types in the application
- An application model (AppModel) which provides an API to query the compiled C++ types, methods and other symbols in the binary, including those not represented by .NET types
In this article, we will leverage the .NET type model to inspect a game and derive a Google Protobuf .proto file encapsulating its network protocol.
Pre-requisites:
- Knowledge of .NET, C# and LINQ
- Basic awareness of what IL2CPP is and what it does (no in-depth knowledge needed)
- Basic awareness of what Google Protobuf is
- Basic knowledge of how to use a disassembler such as IDA and how to read basic x86-64 assembly code
- An inquisitive mind
In this article, you will learn:
- How to set up a new Visual Studio project which uses Il2CppInspector
- How to load an IL2CPP application and create a type model
- How to use LINQ to query .NET types, interfaces, fields, properties, generic type arguments, arrays and attributes in an IL2CPP application
- How to extract constructor arguments to custom attributes not retained by IL2CPP in the metadata
- How to transform all of the combined data into a .proto file
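As an added sketch of the workflow this article builds up (not code from the article, the linked repo or Il2CppInspector itself), the program below loads a type model and emits a first-pass .proto for every type carrying protobuf-net's [ProtoContract]. The member names LoadFromFile, Types, CustomAttributes, AttributeType, DeclaredFields, IsArray, ElementType, IsGenericType and GenericTypeArguments, and the two input paths, are assumptions about Il2CppInspector's Reflection-style API rather than facts taken from this page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using Il2CppInspector.Reflection;

// Assumed (not on the page): the Il2CppInspector member names used below follow its
// Reflection-style API as I know it; args[0]/args[1] are the GameAssembly and metadata paths.
class ProtoContractDump
{
    // protobuf-net scalar mapping; any other type is emitted as a nested message reference
    static readonly Dictionary<string, string> Scalars = new()
    {
        ["Int32"] = "int32", ["UInt32"] = "uint32", ["Int64"] = "int64", ["UInt64"] = "uint64",
        ["Single"] = "float", ["Double"] = "double", ["Boolean"] = "bool", ["String"] = "string",
        ["Byte[]"] = "bytes",
    };

    static bool Has(IEnumerable<CustomAttributeData> attrs, string name)
        => attrs.Any(a => a.AttributeType.Name == name);

    // Unwrap T[] and List<T> into (repeated, element type name); byte[] stays a scalar
    static (bool repeated, string elem) Shape(TypeInfo t)
    {
        if (t.IsArray && t.ElementType.Name != "Byte") return (true, t.ElementType.Name);
        if (t.IsGenericType && t.Name.StartsWith("List`")) return (true, t.GenericTypeArguments[0].Name);
        return (false, t.Name);
    }

    static void Main(string[] args)
    {
        var inspector = Il2CppInspector.Il2CppInspector.LoadFromFile(args[0], args[1])[0];
        var model = new TypeModel(inspector);
        var sb = new StringBuilder("syntax = \"proto3\";\n\n");

        foreach (var msg in model.Types.Where(t => !t.IsEnum && Has(t.CustomAttributes, "ProtoContractAttribute")))
        {
            sb.AppendLine($"message {msg.Name} {{");
            // Real tags are [ProtoMember(n)] constructor arguments, which IL2CPP does not keep in
            // its metadata; the sequential number is a placeholder until they are recovered.
            int placeholderTag = 1;
            foreach (var f in msg.DeclaredFields.Where(f => Has(f.CustomAttributes, "ProtoMemberAttribute")))
            {
                var (repeated, elem) = Shape(f.FieldType);
                var protoType = Scalars.TryGetValue(elem, out var s) ? s : elem;
                sb.AppendLine($"  {(repeated ? "repeated " : "")}{protoType} {f.Name} = {placeholderTag++}; // placeholder tag");
            }
            sb.AppendLine("}\n");
        }
        Console.Write(sb);
    }
}
```

The output is deliberately incomplete: properties, enums and the genuine tag numbers are the parts the rest of the article fills in.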
The game at hand today is Fall Guys published by Devolver Digital, a Battle Royale-style party game where 60 players race around in bright colorful maps vying for victory. The game requires an upfront purchase and then has microtransactions on top. Being asked to pay more for the rest of the content when I’ve already purchased a game makes me very cantankerous, and Fall Guys also happens to be compiled with IL2CPP, which makes it the perfect target for some reverse engineering fun!
Although I’m using Fall Guys for this example, many of the techniques described below are applicable to any game deployed with IL2CPP and using Protobuf.