Practical IL2CPP Reverse Engineering: Extracting Protobuf definitions from applications using protobuf-net (Case Study: Fall Guys)

August 10, 2020

DISCLAIMER: The following information and source code is provided for educational purposes only. I do not condone cheating in online multiplayer games and expressly discourage this behaviour. This tutorial is intended to demonstrate the thought processes and techniques involved in reverse engineering. It is not intended to enable cheating, the modification of gameplay or any interference or alteration of any server-side components of the analysed product in any way whatsoever. Check your local laws before using this software. At the time of writing I have never connected to a Fall Guys network endpoint or launched the client.

You can download the full source code for this tutorial from the Il2CppProtoExtractor-FallGuys GitHub repo.


Il2CppInspector provides several powerful tools to interact with IL2CPP application code and data via static analysis:

  • A low-level binary representation (Il2CppInspector) which allows you to query the IL2CPP metadata in its original format
  • A .NET type model (TypeModel) which provides a Reflection-style API to all of the types in the application
  • An application model (AppModel) which provides an API to query the compiled C++ types, methods and other symbols in the binary, including those not represented by .NET types

In this article, we will leverage the .NET type model to inspect a game and derive a Google Protobuf .proto file encapsulating its network protocol.


  • Knowledge of .NET, C# and LINQ
  • Basic awareness of what IL2CPP is and what it does (no in-depth knowledge needed)
  • Basic awareness of what Google Protobuf is
  • Basic knowledge of how to use a disassembler such as IDA and how to read basic x86-64 assembly code
  • An inquisitive mind

In this article, you will learn:

  • How to set up a new Visual Studio project which uses Il2CppInspector
  • How to load an IL2CPP application and create a type model
  • How to use LINQ to query .NET types, interfaces, fields, properties, generic type arguments, arrays and attributes in an IL2CPP application
  • How to extract constructor arguments to custom attributes not retained by IL2CPP in the metadata
  • How to transform all of the combined data into a .proto file

The game at hand today is Fall Guys published by Devolver Digital, a Battle Royale-style party game where 60 players race around in bright colorful maps vying for victory. The game requires an upfront purchase and then has microtransactions on top. Being asked to pay more for the rest of the content when I’ve already purchased a game makes me very cantankerous, and Fall Guys also happens to be compiled with IL2CPP, which makes it the perfect target for some reverse engineering fun!

Although I’m using Fall Guys for this example, many of the techniques described below are applicable to any game deployed with IL2CPP and using Protobuf.

Read more…

IL2CPP Reverse Engineering Part 1: Hello World and the IL2CPP Toolchain

June 24, 2020 3 comments

[You can use Il2CppInspector to help automate the techniques outlined in this series]

In this article, you will learn:

  • what IL2CPP is and why it exists
  • what the generated C++ source code and binary disassembly of a simple function looks like compared to native C#, IL and C++ code
  • how to set up your environment to generate C++ source code and IL2CPP binaries from your own C# code so that you can examine and compare them with your original code
  • how to use IL2CPP at the command-line on arbitrary code without Unity

Introduction to IL2CPP

IL2CPP is an alternative application deployment model introduced into Unity in 2015 which is designed to bring significant performance improvements to Unity games. It’s a beautiful mess, and today we’re going to start picking it apart.

A standard Unity game is distributed as a series of .NET assemblies which are executed by the managed runtime (CLR) on the target platform of choice as per the norm for any .NET application. The premise of IL2CPP is to take these assemblies, parse the IL, generate C++ equivalent source code from it, then compile this C++ into machine code for faster, unmanaged execution. This is described quite well on this page of the Unity manual with this diagram:

A diagram of the automatic steps taken when building a project using IL2CPP

There are several excellent guides about how IL2CPP generates code such as Unity’s own IL2CPP Internals blog series and Jackson Dunstan’s exquisitely detailed musings, so I’m not going to repeat that work here. Instead, I want to focus on the opposite perspective: how do we reverse engineer compiled IL2CPP binaries?

Unity games have traditionally been exceptionally easy to reverse engineer, generally requiring nothing more than a copy of ILSpy (or my preferred tool Telerik JustDecompile) and a dream. IL2CPP changes all that: we go from neat assemblies – often with all of the function and variable names intact – to straight up machine code that we have to wade through in a disassembler. Suddenly, even finding the areas of interest becomes magnitudes tougher. How can we make this task easier?

To answer that question, we’re going to need to develop a deep understanding of how IL2CPP manages types and data under the hood, and that’s what this series is all about. Buckle up!

Read more…

Change to Twitter account

July 27, 2015 3 comments

Please note I have created a new Twitter account specifically for following my coding activities and blog updates/articles, separate from my personal and gaming life 🙂 If you are currently following @TheLittlestKaty or @KatyHearthstone on Twitter, please follow @KatysCode instead for code stuff!



The Future of my Blog: I’m Still Alive

July 20, 2015 11 comments

It’s been 15 months since I last posted. I know many of you have been wondering where I got to. Those of you who are regular readers will also know I have been struggling with chronic illness in the form of M.E. – a rather crippling condition which has far more extensive symptoms than just extreme fatigue.

If you want a quick catch-up from last year, see my earlier posts Living with M.E. as a Software Developer and Dying with M.E. as a Software Developer.

What was the conclusion of the last 12 months?

Last year was a year of extreme stress on all fronts. My residency in Norway – where I have lived most of my adult life – was in jeopardy due to not producing my own income and relying on state welfare. My health was deteriorating and I was hospitalized several times, the last trip for a month. Debt was mounting. The threat of not being entitled to further welfare was looming. I was not getting the help that the state is paid to provide, with several treatment disputes (tribunals) in the works and forced to rely on my friends for things like groceries, cooking and making sure I didn’t injure myself in the shower. Huge battles were to be fought, yet lying in bed most of the time I was in no shape to come out fighting.

Well, in all areas I’m pleased to report that things have improved dramatically. Acquiring a lawyer who was an expert in immigration law and kind enough to discount her services on account of my financial state helped me to secure permanent residency. The combined help of my doctor, nurses, hospitals and medical consultants, plus others who had fought the system before over their M.E.-related need for welfare led me to – after 4 years of financial insecurity – secure a permanent state pension. It’s a meager amount which only accounts for basic living necessities, but at least I won’t get thrown out of my home. I still don’t get the practical help I need from the state and have given up pursuing it, but the rest is a huge weight off my shoulders – so much so that I didn’t realize just how stressed out I was or how damaging to my health it was until the issues were solved.

Fighting with my last breath has pulled me back from the brink of disaster.

What about your actual health?

Contrary to expectations, we have all noticed an improvement. While I am still housebound most of the time and still sleeping very much, my pain level is somewhat reduced and my energy level slightly increased, although it comes in phases of medium and very low energy.

Besides the continuing support from my friends and the teenagers which I’ve talked about before, one thing did happen which changed my perception about “mind over matter”. For the first time in 9 years, in April 2015, I found love. I’ve never been one to function well without a partner; I always find myself more motivated and focused when I have a reason to do things other than for myself. This effect is at its strongest for me in a loving relationship. What I didn’t expect was that I now feel more energetic and more inclined to try and take up tasks that may produce a little income.

I’ve been very lucky to find an understanding partner who realizes when I’m not able to do things and helps out tremendously, doesn’t get upset that I’m poor and has the same work ethic. With a strong interest in maths and science and the same drive to learn and work on our own projects together in our spare time, we are able to pursue our interests separately yet together. Yet she still does the housework without being asked – which may sound amusing but it is really of genuine importance with my physical health. I really hope it lasts.

At this point, the predictions of my death from the doctors seem to be exaggerated. At the end of 2013 I really felt like I was on death’s door, but I’ve stabilized. It may improve, get worse or stay the same. We just don’t know, so I’ll try to make good use of each day as it comes.

To those who wrote or donated

Over the last 15 months, I’ve received donations from time to time, both large and small. I’ve also received many comments and kind words of encouragement from my readers. Most of the time I have not replied for one reason or another, but I can say that I have read each and every message and your kindness has really touched my heart; actually it has brought a tear to my eye on occasion. Many of you offered advice and tips on M.E. and I really appreciate that.

If you are one of the people who wrote or donated, and I didn’t reply, I would like to say sorry for that. Oftentimes, an inbox full of email you have to reply to is a ghastly affair as I’m sure many of you know, but I absolutely appreciated every message and every donation, so thank you all so much!

What’s happening with the blog?

I really want to get back to blogging. I have to plan it in a way that doesn’t cause me to over-exert myself. This means shorter, snappier articles and no late nights doing 8 hours of research and writing. Writing my articles a little at a time rather than trashing myself for 2 days writing then being sick for a week.

I’ve cleaned up hundreds of spam comments the last days so the blog is finally clean again. After working a lot with C++ and PHP in recent years, I’ve recently had reason to refresh my knowledge on .NET and web development technologies. This means the likely focus of my next articles will be on topics such as C# language features, jQuery, AngularJS, ASP.NET MVC, Azure and so on, as these are my current focus. I have also done a pile of 2D collision detection examples of various kinds from last year, which need to be written up. As always, I’m open to suggestions for any topics on any software development area whatsoever, so if there’s an article you’d like to see, just let me know on the contact page 🙂

Become a supporter!

I’ve never taken the traditional female role in relationships. I like to be the breadwinner while my partner does the housework 🙂 Given my overall life situation, I think it is appropriate now to ask for support in my article writing. To this end, I have set up a Patreon page which allows you to pledge a fixed monthly amount (Update 2020: I also stream on Twitch, so the Patreon account references that). Just a few small pledges from a few people will soon add up and this will surely motivate me to keep blogging, then hopefully it will be a win-win for us all.

So please go check out the Patreon page and of course don’t forget to follow the blog here on WordPress to get an email when I write new content.

Here’s to some fun programming ahead!

Thank you all again,


LightSwitch for Games Part 4: OData Access from C++ Client Code with the C++ REST SDK

April 2, 2014 7 comments

NOTE: Although this series is aimed at small game developers, it is equally applicable to anyone wishing to learn how to use LightSwitch.

In Part 2 of this series we built a user account and profile database on our LightSwitch server, and in part 3 we showed how to make a web interface to allow users to edit their account details. In this part, we will look at how to enable new users to register and existing users to log in direct from your C++ game (or application) code. If you’ve ever played a console game which requires log in to EA’s Origin servers or something similar, you will be familiar with this workflow and why it is useful to have in your game; that is, it saves users from having to go to a web site to make an account before they can play.

You don’t need to have completed part 3 in order to follow along with the tutorial below, but your LightSwitch project and database need to be in a state that matches at least the end of part 2. The web interface from part 3 is a fully distinct code path from what we will do below so it is not required for this code to work.

This article assumes some familiarity with:

  • HTTP requests and responses, methods and headers
  • JSON
  • OData transactions (covered in part 2)
  • a moderate understanding of C++ (including C++11 lambda functions)
  • a basic understanding of threading
  • setting up include and library directories for a project in Visual Studio

You will learn:

  • How to interact with LightSwitch OData endpoints using the C++ REST SDK (codename ‘Casablanca’)
  • How to use PPL(X) tasks and continuations
  • How to use OData to create new users (write table rows) and fetch user profiles (read table rows) from our server’s database programmatically in C++
  • How to update and delete rows with HTTP/OData directly or from within C++ programmatically
  • How to make the code error-resistant (for example if the user is disconnected from the internet)
  • How to separate the client-side logic (interacting with the server) from the user interface
  • How to access the server asynchronously (that is, using multiple threads so that the rest of your game or application does not stall or block while waiting for the server to respond)
  • How to create a basic framework of C++ classes to make your code easily re-usable and extensible

Project Goals

We need a client-side framework for communicating with the LightSwitch server before we start adding game-specific features and plugging the code into an actual game, so for this part our goal will be to create a simple console test application which allows us to create new users and fetch their profiles.

NOTE: The code presented below makes heavy use of C++11 features. You need Visual Studio 2013 Preview or later to complete the tutorials in this article. You can re-write portions of the code without these features if you need to compile it with Visual Studio 2012. Read more…

How to statically link the C++ REST SDK (Casablanca)

April 1, 2014 19 comments

You are trying to use the C++ REST SDK (Casablanca) in your Windows application. You have one of the following problems:

  • you need Windows XP support
  • when your code executes you receive a debug assertion: _pFirstBlock == pHead
  • you get unpredictable behaviour or random crashing
  • you need to build an application which links against static libraries

You have 30 minutes to solve the problem. Here is how:

The issue is that the C++ REST SDK only supports dynamic linking. The solution is to re-build the SDK with static linking. Read more…

Simple2D 1.13 now available

March 28, 2014 4 comments

A new major release of Simple2D is now available (the download link can be found at the bottom of the page).

Version 1.13 is a small update with the following main changes:

  • Visual Studio 2013 compatibility and pre-compiled binaries
  • Significant usability updates to the Animation class
  • A small number of new math & time functions
  • Some bug fixes

Read more…

Final Wishes: Crowdfund Update

March 27, 2014 7 comments

[If you’d like to donate to my final wishes, please click here: Final Wishes Crowdfund]

This post is an update to what’s been happening since I asked for donations in the article Dying with M.E. as a Software Developer.

First I want to thank everyone who has donated so far for their incredible generosity. Although I haven’t replied to you guys individually, I was really excited to see donations appearing in my mailbox, and although every donation big and small counts, I was particularly stunned by those of you who sent in 3-figure sums, that was really amazing kindness from strangers, thank you so much! Of course, even those of you who sent in $5 or $10 were much appreciated, every penny counts!

The fundraiser reached $1505 of its $3000 goal. In addition, a few of you sent contributions via PayPal directly which bumped it up to somewhere between $1700 and $1800. We charged teenagers about $8 (50 Norwegian crowns) for entry to the party and adults $16 (100 Norwegian crowns) to cover the rest of the costs, and that together with wardrobe and glowstick sales raised a further $1100, which was just enough to cover the costs. Amazing!

The Party

After one month of solid planning every day by several of us, the party for the teenagers took place on 27th February 2014 from 5pm-9pm local time. Although quite a lot of people were away because of winter vacation, we nevertheless somehow managed to cram in just under 100 underage kids into Drammen’s largest nightclub. For the first time in many of their lives they were bombarded by spot lights, strobes, smoke machines and loud party music. Many of these teenagers suffer from mass anxiety but thanks to having a couple of adults on tap that volunteered especially to help out for the purpose of helping them to relax, we got almost everyone onto the dancefloor eventually. I ran around for 4 hours making sure everyone was ok and really only got to dance with them for the last hour, and slept for an entire week afterwards (no exaggeration), but it was worth it!

Afterwards, some of the girls wrote to me. Here are a few of their messages:


“Can I say this in Norwegian? Tonight, you really hit the mark [Norwegian literally: ‘the big drums’], I’m never going to forget this! This was totally sick! [that’s teenager speak for ‘amazing’]

Katy, I’m not alone about this, but I love you! For real, I really love you! You’re a party queen!

I’ll never forget this night” – Ida S


“Goodnight everyone ❤ ❤ Have had a f*cking great day ❤ Thanks to Katy who had the world’s best alcohol-free party ❤ Enjoyed myself incredibly much ❤ <3” – Victoria N (Facebook post)


“I just had an AWESOME night at Klubbteateret with a bunch of great people! I love all of you, and you b*tches I can’t/forgot to tag. Big thanks to everyone who made it possible and the ones shaking loose on the dancefloor. My feet hurt, so thank you.” – Marie (Facebook post)


Many more came to me in person and told me their own stories of the night and about the good time they had.

Perhaps the most important thing to come out of the party were three of the girls – Christina, Emine and one other I can’t name – who told me afterwards that the party had helped them a little with their social anxiety. To me, knowing how many years I suffered for, that was worth the money on its own. I used to hate parties, for all of my life, until a couple of years ago, so it was blissfully ironic.

But let’s not forget, none of this would have been possible without a big pile of money. And it was you, my blog readers, who made this possible. Between you, you have touched the lives of many suffering children, and I just wish you could see their faces and how grateful they were that some people wanted to give them a good time, and make them happy in a way other than sitting down listening to their problems and sending them to therapists – which by the way, I do on a regular basis anyway. So thank you all so much!

At the party, I spoke the names of all of the people who helped financially and practically towards the party on the mic from the DJ booth, and they cheered and whooped for each and every one of you. Personally speaking, at 34 years old, it was extremely surreal to see such an enormous amount of my friends in the same place at the same time, and I would have to say that it’s the most fun I have ever had in my entire life – without a drop of alcohol, love or sex involved. The power of friendship and bringing people together.

Here are some videos from the party:

There is plenty of video footage left to edit and upload, I’ll add more to the YouTube playlist as they are ready:

I’d like to thank the following people and organizations for their financial or practical contributions to the party, without which it would not have been possible:

Mina Engnes Horne
Alexander M. Høyer
Ian Boyd
Jesús Alberto Villegas Mata
Chu Hoang
Geoff Smith
Christiane Reneè Belsby Johansen
Juan Mata Wong
Raja Naga
Will Jordan
Jez Simon Ward
Carson Morrow
Melissa Bolstad
Péter Szakszon
Michael Vach
Michael Longbottom
Robert Wise
Lisa Kremer
Orlando Selenu
Dustin Carlino
Spencer Park
Ajit P Musalgavkar
Adalberto Neves
Liv Iren Hennum
Kevin Stordal
Martin Hellström (the owner of Klubbteateret; a club with a 23-year age limit who told me after the party they had never let any underage people into the premises before)

SB Net Services
Glow Brothers
Klubbteateret (and all their volunteer staff for the wardrobe, security, bartender – Jon, Camilla et al for working for almost no pay that day)

Thanks to the following people for working as volunteer staff, in some cases at the cost of a day off work:

Thomas Johannesen
Kenneth Jensen
Marius Sørum Moe
Marita Chruicshank Kagiavas
Esther Elise Langørgen Fredriksen

Thank you to Dina Williamson Madsen and Marie (Lex Motionless Wooch) for helping to organize stuff and fixing my hair 🙂

I’d also finally like to point out that while we spent $2065 in total on the party, the true value of all the items and services we used came to over $6000, but thanks to the kindness and generosity of the people above, we managed to secure heavy discounts on almost everything, and get some things for free.

What’s Left

Now it’s all about the bucket list; specifically, I’m looking to raise enough money to travel from Norway to Minnesota and Romania to see those of my friends who live too far away and can’t fund their own travel one last time. If you can help out with that, I truly believe I will have covered all the main points of what I really feel I need to get done before I get too sick to travel (technically, I already am; I’m just going to choose to ignore the hospital’s advice – “lay in bed for the rest of your life” – on this one).

Please donate here: Final Wishes Crowdfund. Every penny counts.

Thank you once again.


