Hi everyone,
as I had to dig through a lot of information by myself, I thought that I could do a small tutorial on how to modify Unity games for cheating (and not only, e.g. for modding etc.).
You will need the following tools:
1) NXDump https://github.com/DarkMatterCore/nxdumptool
2) IL2CPP Dumper https://github.com/Perfare/Il2CppDumper
3) IDA Pro https://hex-rays.com/ida-pro/ or Ghidra https://ghidra-sre.org/ (free)
4) NX2ELF https://gbatemp.net/threads/about-the-main-file-in-exefs-folder.533701/post-8554295
5) dnSpy https://github.com/dnSpyEx/dnSpy
So now in very short the procedure:
(1) use NXDump on the Unity game you want to modify, select the proper last used patch version (not the base game version!!) there and dump "main" from ExeFS. then dump "global-metadata.dat" from RomFS (search in subdirectories for this file, this is by the way the easiest way to see if it's a Unity game or not)
(2) use NX2ELF on "main" to get uncompressed "main.elf"
(3) load "main.elf" with IDA Pro or Ghidra, remember that Switch uses big endian byte order, so select it in the disassembling settings (ARMB processor type)
(4) use IL2CPP Dumper on "main.elf" + "global-metadata.dat", which will create a lot of useful additional files about the executable binary. for a quick look you can use "dump.cs" (e.g. to briefly patch a bool return function by using its offset with "return true/false"). "DummyDll" can be used with dnSpy for a quick look through functions, attributes etc. (primary target there is always "Assembly-CSharp.dll", where most game functionality is located)
(5) run Python scripts "ida_with_struct_py3.py" within IDA Pro (File -> Script file...) or "ghidra_with_struct.py" within Ghidra, to populate the disassembled code database with comprehensive meta information (class names, method names, attribute names, struct names etc.). it will help you to understand the code almost perfectly. Without this step you are pretty much totally lost in IDA/Ghidra.
(6) look for code parts and offsets you want to change and write "04000000" or "08000000" cheat codes from ARM64 Assembler commands (https://developer.arm.com/documentation/100076/0100/a64-instruction-set-reference) by using tools like https://armconverter.com (don't forget to use "GDB/LLDB" flag to create big endian hex codes with proper byte order) . you can learn basics of ARM assembly here https://azeria-labs.com/writing-arm-assembly-part-1/ (unfortunately it's for a 32bit Arm v7, not for 64bit Arm v8, but I guess similar guides for Arm64/AArch64/Arm8 can be found as well, this was just a quick web search). For different cheat code generation you can use such tools as https://github.com/DarkFlare69/SXCheatTool and https://gbatemp.net/attachments/sxos_codebuilder-zip.146262/ .
Some additional notes:
a) if you have an access to the PC version of the same game and it's NOT compiled with IL2CPP on PC, you can load its "Assembly-CSharp.dll" with dnSpy and enjoy the full power of .NET decompilation, where ALL source code is available in highly readable form (unless obfuscated), so you can easily analyze it and even modify it. the learnings from the PC version of the game can be used for any other platform of the same game version/build (e.g. for the Switch version of the game). this way you can also easily mod any game, just by using C# and modifying classes, methods, attributes etc. highly recommended ;-). In addition you can even debug a Unity game with dnSpy (requires modified mono DLL files) in a very comfortable way.
b) you can also create permanent patches for a given game by using IPS patches, e.g. by using this tool https://github.com/3096/ipswitch
c) you can use Atmosphere's built-in layered FS and place the patched "main" file (you need to compress the modified "main.elf") into /atmosphere/contents/<game ID>/exefs/ directory, if you patched the "main.elf" directly with IDA/Ghidra. Atmosphere will load the modified file instead of the original one.
d) you can reverse engineer previous cheats (see exactly what they are patching/modifying) if you have an access to the previous game versions. then basically you do everything as described above for the previous "main.elf" and look for the given offset from the cheat file (if it's an ASM hack of course) in IDA/Ghidra. this way you can save a lot of time and just "migrate" previous ASM cheats into new versions.
Special thanks to @TomSwitch , @masagrator and @crazy_p for important hints/information/tools.
as I had to dig through a lot of information by myself, I thought that I could do a small tutorial on how to modify Unity games for cheating (and not only, e.g. for modding etc.).
You will need the following tools:
1) NXDump https://github.com/DarkMatterCore/nxdumptool
2) IL2CPP Dumper https://github.com/Perfare/Il2CppDumper
3) IDA Pro https://hex-rays.com/ida-pro/ or Ghidra https://ghidra-sre.org/ (free)
4) NX2ELF https://gbatemp.net/threads/about-the-main-file-in-exefs-folder.533701/post-8554295
5) dnSpy https://github.com/dnSpyEx/dnSpy
So now in very short the procedure:
(1) use NXDump on the Unity game you want to modify, select the proper last used patch version (not the base game version!!) there and dump "main" from ExeFS. then dump "global-metadata.dat" from RomFS (search in subdirectories for this file, this is by the way the easiest way to see if it's a Unity game or not)
(2) use NX2ELF on "main" to get uncompressed "main.elf"
(3) load "main.elf" with IDA Pro or Ghidra, remember that Switch uses big endian byte order, so select it in the disassembling settings (ARMB processor type)
(4) use IL2CPP Dumper on "main.elf" + "global-metadata.dat", which will create a lot of useful additional files about the executable binary. for a quick look you can use "dump.cs" (e.g. to briefly patch a bool return function by using its offset with "return true/false"). "DummyDll" can be used with dnSpy for a quick look through functions, attributes etc. (primary target there is always "Assembly-CSharp.dll", where most game functionality is located)
(5) run Python scripts "ida_with_struct_py3.py" within IDA Pro (File -> Script file...) or "ghidra_with_struct.py" within Ghidra, to populate the disassembled code database with comprehensive meta information (class names, method names, attribute names, struct names etc.). it will help you to understand the code almost perfectly. Without this step you are pretty much totally lost in IDA/Ghidra.
(6) look for code parts and offsets you want to change and write "04000000" or "08000000" cheat codes from ARM64 Assembler commands (https://developer.arm.com/documentation/100076/0100/a64-instruction-set-reference) by using tools like https://armconverter.com (don't forget to use "GDB/LLDB" flag to create big endian hex codes with proper byte order) . you can learn basics of ARM assembly here https://azeria-labs.com/writing-arm-assembly-part-1/ (unfortunately it's for a 32bit Arm v7, not for 64bit Arm v8, but I guess similar guides for Arm64/AArch64/Arm8 can be found as well, this was just a quick web search). For different cheat code generation you can use such tools as https://github.com/DarkFlare69/SXCheatTool and https://gbatemp.net/attachments/sxos_codebuilder-zip.146262/ .
Some additional notes:
a) if you have an access to the PC version of the same game and it's NOT compiled with IL2CPP on PC, you can load its "Assembly-CSharp.dll" with dnSpy and enjoy the full power of .NET decompilation, where ALL source code is available in highly readable form (unless obfuscated), so you can easily analyze it and even modify it. the learnings from the PC version of the game can be used for any other platform of the same game version/build (e.g. for the Switch version of the game). this way you can also easily mod any game, just by using C# and modifying classes, methods, attributes etc. highly recommended ;-). In addition you can even debug a Unity game with dnSpy (requires modified mono DLL files) in a very comfortable way.
b) you can also create permanent patches for a given game by using IPS patches, e.g. by using this tool https://github.com/3096/ipswitch
c) you can use Atmosphere's built-in layered FS and place the patched "main" file (you need to compress the modified "main.elf") into /atmosphere/contents/<game ID>/exefs/ directory, if you patched the "main.elf" directly with IDA/Ghidra. Atmosphere will load the modified file instead of the original one.
d) you can reverse engineer previous cheats (see exactly what they are patching/modifying) if you have an access to the previous game versions. then basically you do everything as described above for the previous "main.elf" and look for the given offset from the cheat file (if it's an ASM hack of course) in IDA/Ghidra. this way you can save a lot of time and just "migrate" previous ASM cheats into new versions.
Special thanks to @TomSwitch , @masagrator and @crazy_p for important hints/information/tools.
Last edited by switcherjoe,
