found at:
https://github.com/Perfare/Il2CppDumper
To get the scripts.py to populate in IDA you need to run nx2elf.exe and load up that generated .elf file in ida then run scripts.py on that, make your edits then run elf2nx.exe to convert it back
https://github.com/Mila432/switch_rom_hacking#uncompressing-main-recommended
https://github.com/Perfare/Il2CppDumper
To get the scripts.py to populate in IDA you need to run nx2elf.exe and load up that generated .elf file in ida then run scripts.py on that, make your edits then run elf2nx.exe to convert it back
https://github.com/Mila432/switch_rom_hacking#uncompressing-main-recommended
Code:
xtract .NET metadata from il2cpp binaries. (types, methods, fields, etc.)
Extraction code is based on Il2CppDumper
Features
Supports il2cpp binaries in ELF, ELF64, Mach-O, NSO and PE format
Supports global-metadata version 16 and 19-24
Extracts .NET metadata including types, fields, properties, methods and attributes
Supports automated IDA script generation
name and tag methods
store dynamic string literals in comments
makefunction to improve ida analysis
Generates dummy DLLs that can be viewed in .NET decompilers
Usage
Run Il2CppDumper.exe and choose the main il2cpp executable (in ELF, Mach-O, NSO or PE format) and global-metadata.dat file, then select the extraction mode. The program will then generate all the output files in current working directory.
Extraction Modes
Manual
The parameters (CodeRegistration and MetadataRegistration) that are passed to il2cpp::vm::MetadataCache::Register() needs to be manually reverse engineered and passed to the program.
Auto
Automatically finds the il2cpp_codegen_register() function by signature matching and read out the first (CodeRegistration) and second (MetadataRegistration) parameter passed to the il2cpp::vm::MetadataCache::Register() method that will be invoked in the registration function. May not work well due to compiler optimizations.
Auto(Advanced)
Matches possible pointers in the data section. Generally works better than Auto mode.
Supports metadata version 20 and later (only CodeRegistration address can be found on metadata version 16).
Auto(Plus) - Recommended
Matches possible pointers in the data section with some guidance from global-metadata. Works better than Auto(Advanced) mode on certain binaries.
Supports metadata version 20 and later (only CodeRegistration address can be found on metadata version 16).
Auto(Symbol)
Uses symbols in the il2cpp binary to locate CodeRegistration and MetadataRegistration.
Only supports certain Android ELF files.
Output files
dump.cs
C# pseudocode. Can be viewed in text editors (syntax highlighting recommended)
script.py
Requires IDA and IDAPython. Can be loaded in IDA via File -> Script file.
DummyDll
DLLs generated by Mono.Cecil which contain the .NET metadata extracted from the binary (no code included). Can be viewed in .NET decompilers.
Configuration
All the configuration options are located in config.json Available options:
DumpMethod, DumpField, DumpProperty, DumpAttribute, DumpFieldOffset, DumpMethodOffset, DumpTypeDefIndex
Whether or not the program should extract these information
DummyDll
Whether or not the program should generate dummy DLLs
ForceIl2CppVersion, ForceVersion
If ForceIl2CppVersion is true, the program will use the version number specified in ForceVersion to choose parser for il2cpp binaries (does not affect the choice of metadata parser). This may be useful on some older il2cpp version (e.g. the program may need to use v16 parser on ilcpp v20 (Android) binaries in order to work properly)
Last edited by DaRockLobsta,
