How to Dump and MOD Windows PC il2cpp Unity Games

Today, I will teach you how you can Dump and MOD an il2cpp unity game made for Windows PC. There are not many tutorials about this on the internet, so I thought I would make one and show how it’s done.

Modding il2cpp games for Windows PC is a bit different than modding on iOS or Android: the dumping process is the same, but patching the binary is a little different, and PC games are compiled to x86 or x64 machine code (Intel's 32-bit instruction set and its 64-bit extension, x86-64 or x64) rather than to ARM.

In today's tutorial we will be modding a game called Booty Farm, which is available as a free download on Steam. We will modify the in-game currency.

Requirements:

1) Il2CppDumper

2) IDA Pro

3) dnSpy

4) Any hex editor (I use 010 Editor)

Let’s begin!

Please make sure you have all the requirements ready, and extract Il2CppDumper into a folder of your choice.

1) Download Booty Farm from Steam; it is free.

2) Once the game is installed, click the small gear icon on the game's page in your Steam library.

3) Click Manage > Browse Local Files, and Steam opens the folder where the game files are.

4) Go to \Booty Farm_Data\il2cpp_data\Metadata\ and copy global-metadata.dat to the Il2CppDumper folder, then go back to the game's root folder and copy GameAssembly.dll to the Il2CppDumper folder as well.

5) Launch Il2CppDumper; when prompted, choose GameAssembly.dll first and then global-metadata.dat. The dumping process should begin.

Once done you will have the DummyDll folder (plus dump.cs, which lists the same addresses as comments), from which we will get our RVA (Relative Virtual Address). But wait, weren't we after offsets?

  • Offset refers to a byte position within the file on disk; this is what a hex editor works with.
  • RVA refers to a position in memory, relative to the module's image base, once the file is loaded for execution; this is what a disassembler works with.

IDA uses the Relative Virtual Address (RVA) rather than a file offset because an RVA gives a consistent addressing scheme regardless of the base address at which the executable or module ends up being loaded in memory. The two numbers differ because the PE loader places each section at a different position in memory than it occupies in the file; the section table in the PE header records both positions, which is how Il2CppDumper prints a matching Offset for every RVA.

6) Load the DummyDll assemblies in dnSpy, and load GameAssembly.dll in IDA Pro and in your preferred hex editor.

In IDA Pro, if you get this pop-up, click No.

7) Since we want to MOD the game currency, we should search for keywords related to it, such as coins, gold, currency, currencies, diamonds, crystal or gems. Since I already know the currency in this game is called Crystal, I will search for that.

In dnSpy's search window, change "Search For" to Method, since we will be working with methods most of the time.

Now we scroll through each result to find something useful. I didn't find any method worth modding, so let's try searching for something else, like "currencies".

Interesting! We have a class called Currencies with some interesting methods to work with. Let's take a look at the Take method.

So we have Take(Gold) and Take(Crystal), both returning a Boolean. I assume these handle the subtraction of your crystals and gold every time you spend them. How about we make them never subtract our currency when we use it?

Since we are working in IDA Pro, which shows virtual addresses, you have to use the VA (the module's image base plus the RVA; Il2CppDumper prints the VA right next to the RVA and Offset in the DummyDll Address attribute) to land on the right function, and when we modify bytes in the hex editor we have to use the Offset, because that is the position of the same bytes in the file.

In simpler terms:

  • Imagine a book: the RVA (0x22DAD0) is a page number. It is the same page number whether the book sits on your desk or on a shelf, i.e. whatever base address the module is loaded at.
  • The Offset (0x22C0D0) is the byte position of that same text in the file on disk, before the loader has laid the sections out in memory.
  • The two differ here by 0x1A00 because the section holding the code starts at a different position in the file than it does in memory. For any address inside that section, Offset = RVA - (section's VirtualAddress) + (section's PointerToRawData), which is exactly the arithmetic Il2CppDumper does for you.

8) Once your binary is loaded in IDA Pro, click Jump > Jump to function (or press Ctrl+P), then right-click, choose "Quick Filter" and type the method name.

Now go to the function.

Let's understand what the function does. Since we are interested in not letting our currency decrease when spent, let's look for a SUB instruction in the function (on ARM builds this would be SUBS; on x86/x64 it is SUB).

We found one. In general, methods named take, remove, deduct or subtract should contain a sub, since the name indicates removal of an item, a currency, or anything else.

If we switch to the Hex view tab we can see that the instruction's bytes are 2B C7, which is sub eax, edi. How about we NOP it completely? You can modify the hex value directly here, but I recommend the hex editor.

9) Load the binary in the hex editor, copy the Offset of the method from the DummyDll Address attribute (or from dump.cs), and press Ctrl+G in the hex editor to go to that address.

As you can see, the hex values match the ones in IDA even though we used the Offset and not the RVA. That is expected: Il2CppDumper computed the Offset from the RVA using the PE section table, so both numbers refer to the same bytes, one as a position in the file on disk and the other as a position in memory.

Do not mix the two up, though. If you type the RVA into the hex editor, you land at a file position that holds something else entirely, and if you type the file offset into IDA's "Jump to address", you land at the wrong memory address. The two differ by the gap between where the section starts in the file and where it starts in memory (0x1A00 in this binary), so using one in place of the other puts you that far off.

10) Find 2B C7; it should be somewhere near the method's offset. Use IDA's Hex view for reference and compare the surrounding bytes, because the same two bytes can occur elsewhere in the file.

11) Replace it with 90 90, which is two NOPs. 0x90 is the single-byte NOP (No Operation) instruction in x86 and x64 assembly; the original instruction is two bytes long, so it takes two NOPs to keep the following instructions aligned.

12) We did this for Crystal; now do it for Take(Gold). The process should be exactly the same. I won't show you, it's your test.

13) Once you have done it for Gold too, save the binary by pressing Ctrl+S and move the file back to the Booty Farm folder, replacing the original if asked. Keep a copy of the untouched GameAssembly.dll so you can restore it if something goes wrong.

14) Now launch the game and test it.

What happens now is that when you spend GOLD or CRYSTAL in the game, the counter shows the deduction but nothing is actually deducted: if you have 10 Crystals and the counter drops to 0, you can still buy anything in the game that costs 10 Crystals or less.

And if you restart the game, your CRYSTAL and GOLD will be back to their original values.
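The conversion that steps 8 to 11 rely on, as an added example that is not part of the original post and not Il2CppDumper's code: a small Python script that reads the PE section table of a GameAssembly.dll to convert between RVA, file offset and VA, and that refuses to write the two NOPs unless the bytes at the target really are 2B C7. The image it runs on by default is a constructed stand-in (not the real DLL), laid out with one .text section so that the write-up's numbers, RVA 0x22DAD0 and Offset 0x22C0D0, map onto each other; patch_file is the function to point at the real file instead.

```python
"""RVA <-> file-offset conversion and a checked NOP patch for a PE file such as GameAssembly.dll."""
import shutil
import struct

# x86/x64 single-byte NOP (0x90); two of them replace the 2-byte `sub eax, edi` (2B C7).
NOP = b"\x90"


def parse_pe(data):
    """Read ImageBase and the section table from a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:    # PE32+ (x64): 64-bit ImageBase at optional header +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:  # PE32 (x86): 32-bit ImageBase at optional header +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + i * 40  # section headers follow the optional header, 40 bytes each
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize, "rptr": rptr, "rsize": rsize})
    return {"image_base": image_base, "sections": sections}


def rva_to_offset(pe, rva):
    """Map an RVA to the file offset holding the same bytes, via the section that contains it."""
    for s in pe["sections"]:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rsize"]):
            delta = rva - s["vaddr"]
            if delta >= s["rsize"]:
                raise ValueError("RVA 0x%x lies in %s but has no bytes in the file" % (rva, s["name"]))
            return s["rptr"] + delta
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def offset_to_rva(pe, offset):
    """Inverse mapping: file offset -> RVA."""
    for s in pe["sections"]:
        if s["rptr"] <= offset < s["rptr"] + s["rsize"]:
            return s["vaddr"] + (offset - s["rptr"])
    raise ValueError("offset 0x%x is not inside any section's raw data" % offset)


def rva_to_va(pe, rva):
    """The address IDA shows when the module is loaded at its preferred ImageBase."""
    return pe["image_base"] + rva


def patch_at_rva(data, rva, expected, replacement):
    """Return a patched copy of `data`; refuse unless the bytes at the RVA are exactly `expected`."""
    if len(expected) != len(replacement):
        raise ValueError("replacement must be the same length as the bytes it overwrites")
    off = rva_to_offset(parse_pe(data), rva)
    found = bytes(data[off:off + len(expected)])
    if found != expected:
        raise ValueError("expected %s at offset 0x%x, found %s" % (expected.hex(), off, found.hex()))
    out = bytearray(data)
    out[off:off + len(replacement)] = replacement
    return out


def patch_file(path, rva, expected, replacement):
    """Patch a DLL on disk, keeping the untouched original next to it as <path>.bak."""
    shutil.copyfile(path, path + ".bak")
    with open(path, "rb") as f:
        data = f.read()
    with open(path, "wb") as f:
        f.write(patch_at_rva(data, rva, expected, replacement))


def build_sample_image():
    """Constructed stand-in for GameAssembly.dll (not the real file): a single .text section laid out so
    that RVA 0x22DAD0 maps to file offset 0x22C0D0 like the numbers in the write-up, with 2B C7 placed there."""
    text_vaddr, text_rptr, text_size = 0x2000, 0x600, 0x300000
    img = bytearray(text_rptr + text_size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)            # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    coff = 0x84
    struct.pack_into("<HH", img, coff, 0x8664, 1)        # Machine = x64, NumberOfSections = 1
    struct.pack_into("<H", img, coff + 16, 240)          # SizeOfOptionalHeader (PE32+)
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x20B)              # PE32+ magic
    struct.pack_into("<Q", img, opt + 24, 0x180000000)   # ImageBase
    sec = opt + 240
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, text_size, text_vaddr, text_size, text_rptr)
    img[0x22C0D0:0x22C0D2] = b"\x2b\xc7"                 # sub eax, edi
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    pe = parse_pe(image)
    rva = 0x22DAD0
    off = rva_to_offset(pe, rva)
    print("RVA 0x%X -> Offset 0x%X, VA 0x%X" % (rva, off, rva_to_va(pe, rva)))
    patched = patch_at_rva(image, rva, b"\x2b\xc7", NOP * 2)
    print("bytes at offset now:", patched[off:off + 2].hex())
```

To apply it to the real game, call patch_file("GameAssembly.dll", rva, b"\x2b\xc7", NOP * 2) once with the RVA of Take(Crystal) and once with the RVA of Take(Gold) taken from the DummyDll Address attribute; the expected-bytes check is what stops you from NOPing the wrong two bytes if you copied an address incorrectly, and the .bak copy is the backup step 13 asks you to keep.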

If you are familiar with Android or iOS modding, you might ask why we don't just make the Boolean method return TRUE. In many cases, a function that starts with a PUSH cannot be patched that way without a deeper understanding of how it works: if you drop a "return TRUE" into the function after those PUSH instructions have run, the function returns without the matching POPs in its epilogue, the stack is left unbalanced, and the game crashes. NOPing the SUB, by contrast, leaves the prologue and epilogue untouched, which is why it is the safer patch here. Think of a function like a recipe. The PUSH at the start is like getting out the ingredients you need.

If you change how many or which ingredients you pull out at the beginning, or skip putting them back at the end, the recipe won't work right. Those ingredients (saved registers, stack space, return address) are what the function (and its caller) relies on, and messing with them causes crashes or errors because the code needs them exactly as they were to work properly.

That’s it!

I hope you learned something new with this tutorial. If you have any questions, then please comment below. I will try to help you as much as I can.
