Archive for December, 2020

IL2CPP Reverse Engineering Part 2: Structural Overview & Finding the Metadata

December 27, 2020

[You can use Il2CppInspector to help automate the techniques outlined in this series]

In part 1 of this series we learned what IL2CPP is, how to set up a build environment, and compared the C#, IL, C++ and disassembly of a simple function.

In this article, you will learn:

  • an overview of the key files in an IL2CPP application from a reverse-engineering perspective
  • how an IL2CPP application loads the metadata we are interested in
  • how to find the application binary’s metadata by hand in a disassembler (x64 and ARM)
  • beginner-level disassembly navigation and tidying in IDA
  • how to interpret C++ function calls in assembly language

Pre-requisites:

  • Basic knowledge of high-level programming
  • Basic knowledge of disassembly (the article uses IDA but Ghidra works equally well)
  • Basic knowledge of what IL2CPP is – I recommend that you read part 1 first if you’re new to IL2CPP