Good day, Katy and everyone!
I'm facing problems for 3 days... and don't know what to do so, I was debugging in IDA and researching for the CodeRegistration and MetadataRegistration, after that I did used Game Guadian to dump the il2cpp and got the function Il2CppCodegenRegistration(), but can't dump the data.
I've read your blog and tried to reverse this, so I think my level can't decrypt this, but your blog is so interesting. Hope you can teach me how to reverse this and dump the resource. Thank you in advance.
Using plugin: IL2CPP API Discovery
Using plugin: Binary metadata field order deobfuscator
Using plugin: Metadata strings XOR decryptor
Using plugin: Binary file XOR decryptor
Plugin Metadata strings XOR decryptor: Decrypting strings
The plugin Metadata strings XOR decryptor encountered an error while executing PostProcessMetadata: Unable to read beyond the end of the stream.. Plugin has been disabled.
Detected metadata version 23
Processed 1211784 relocations
Plugin Binary file XOR decryptor: Detecting encryption
Plugin Binary file XOR decryptor: Decrypting (key: 0x02, stripe size: 0x0000)
Container format: ELF
Container endianness: Little
Architecture word size: 32-bit
Instruction set: ARM
Global offset: 0x0000000000000000
Symbol table(s) found with 799 entries
No matches in symbol table
Required structures acquired from code heuristics. Initialization function: 0x000000000094A354
CodeRegistration struct found at 0x0000000007C433AC (file offset 0x07C433AC)
MetadataRegistration struct found at 0x0000000007C433E4 (file offset 0x07C433E4)
Plugin IL2CPP API Discovery: Decrypting API export names
The detected Il2CppCodeRegistration / Il2CppMetadataRegistration structs do not pass validation. This may mean that their fields have been re-ordered as a form of obfuscation and Il2CppInspector has not been able to restore the original order automatically. Consider re-ordering the fields in Il2CppBinaryClasses.cs and try again.
Analyze IL2CPP data: 10.27 sec
`
Using plugin: IL2CPP API Discovery
Using plugin: Binary metadata field order deobfuscator
Using plugin: Metadata strings XOR decryptor
Using plugin: Binary file XOR decryptor
Plugin Metadata strings XOR decryptor: Decrypting strings
The plugin Metadata strings XOR decryptor encountered an error while executing PostProcessMetadata: Unable to read beyond the end of the stream.. Plugin has been disabled.
Detected metadata version 23
Processed 1211784 relocations
Plugin Binary file XOR decryptor: Detecting encryption
Container format: ELF
Container endianness: Little
Architecture word size: 32-bit
Instruction set: ARM
Global offset: 0x0000000000000000
Symbol table(s) found with 796 entries
No matches in symbol table
Sequence contains no matching element
Analyze IL2CPP data: 8.01 sec
`
Good day, Katy and everyone! I'm facing problems for 3 days... and don't know what to do so, I was debugging in IDA and researching for the CodeRegistration and MetadataRegistration, after that I did used Game Guadian to dump the il2cpp and got the function Il2CppCodegenRegistration(), but can't dump the data.
I've read your blog and tried to reverse this, so I think my level can't decrypt this, but your blog is so interesting. Hope you can teach me how to reverse this and dump the resource. Thank you in advance.
Here is the log from original APK: global-metadata.dat: https://drive.google.com/file/d/1FOhhMX1FN-njCudTAYlhoKgRJg6D-Ofs/view?usp=sharing il2cpp.so: https://drive.google.com/file/d/1d2ZyizsqXvPxI14Nywut2D8thu4iSoi4/view?usp=sharing il2cpp.so.idb: https://drive.google.com/file/d/1jYIUg1chwKQlRiN-eMIHICaaW29ao4PV/view?usp=sharing
` Il2CppInspector Command-Line Edition Version 2021.1 (c) 2017-2021 Katy Coe - www.djkaty.com - www.github.com/djkaty
Using plugin: IL2CPP API Discovery Using plugin: Binary metadata field order deobfuscator Using plugin: Metadata strings XOR decryptor Using plugin: Binary file XOR decryptor Plugin Metadata strings XOR decryptor: Decrypting strings The plugin Metadata strings XOR decryptor encountered an error while executing PostProcessMetadata: Unable to read beyond the end of the stream.. Plugin has been disabled. Detected metadata version 23 Processed 1211784 relocations Plugin Binary file XOR decryptor: Detecting encryption Plugin Binary file XOR decryptor: Decrypting (key: 0x02, stripe size: 0x0000) Container format: ELF Container endianness: Little Architecture word size: 32-bit Instruction set: ARM Global offset: 0x0000000000000000 Symbol table(s) found with 799 entries No matches in symbol table Required structures acquired from code heuristics. Initialization function: 0x000000000094A354 CodeRegistration struct found at 0x0000000007C433AC (file offset 0x07C433AC) MetadataRegistration struct found at 0x0000000007C433E4 (file offset 0x07C433E4) Plugin IL2CPP API Discovery: Decrypting API export names The detected Il2CppCodeRegistration / Il2CppMetadataRegistration structs do not pass validation. This may mean that their fields have been re-ordered as a form of obfuscation and Il2CppInspector has not been able to restore the original order automatically. Consider re-ordering the fields in Il2CppBinaryClasses.cs and try again. Analyze IL2CPP data: 10.27 sec `
And here is the dump from Game Guardian: global-metadata.dat: https://drive.google.com/file/d/1iYKlmhAp8U3qfCJtDdkFWCvmpkgtHu0_/view?usp=sharing il2cpp.so: https://drive.google.com/file/d/1ryxCO7gtLTaNCkawsvxbmcflMNSCYIdR/view?usp=sharing il2cpp.so.idb: https://drive.google.com/file/d/1pLWKS2lyYDbx224UKYTOAHSRtGLZxdUi/view?usp=sharing ` Il2CppInspector Command-Line Edition Version 2021.1 (c) 2017-2021 Katy Coe - www.djkaty.com - www.github.com/djkaty
Using plugin: IL2CPP API Discovery Using plugin: Binary metadata field order deobfuscator Using plugin: Metadata strings XOR decryptor Using plugin: Binary file XOR decryptor Plugin Metadata strings XOR decryptor: Decrypting strings The plugin Metadata strings XOR decryptor encountered an error while executing PostProcessMetadata: Unable to read beyond the end of the stream.. Plugin has been disabled. Detected metadata version 23 Processed 1211784 relocations Plugin Binary file XOR decryptor: Detecting encryption Container format: ELF Container endianness: Little Architecture word size: 32-bit Instruction set: ARM Global offset: 0x0000000000000000 Symbol table(s) found with 796 entries No matches in symbol table Sequence contains no matching element Analyze IL2CPP data: 8.01 sec `