Tutorial Unity Cracking Unity Games - Ultimate Guide for dummies

[Uncle Eugene]

Unity Cracking Tutorial​

Quick[er] Navigation:

• Introduction and First Crack
• Level 1 - Unity Basics
• Level 2 - Removing password validation
• Level 3 - Writing BepInEx plugin
• Level 4 - Cracking Il2cpp game

This guide will teach you how to look inside a code of a Unity game and how to modify it to achieve whatever goal you have
I will explain everything as if I'm teaching the very beginner, so expect oversimplification of heavy tech stuff if you're experienced
I'll try to tell you only the things you need and drop everything that is not required to create a crack

You will learn how to:

• Remove paywalls
• Create cheats
• Add new functionality to the game
• Analyze how the game works
• Check if the game is free of malware

However this tutorial will be focused on removing paywalls from an example porn game, but with the skills you'll learn you will be able to do whatever you want
There will be a Unity Game attached to every level of difficulty. You're meant to follow along, download game for each level and crack it with me

You can preamtively download the archive with all the example games:

You must be registered to see the links

Prerequisites:

• You have to know very basics of programming or be willing to learn it elsewhere, this tutorial won't cover it, we will do basic programming in C#

That's it! Feel free to try even if you can't code, starting levels do not require any skills basically, but further it goes more skills are required. It will also help if you know anything about Unity development, but it's completely ok if you don't

Preparations​

Step 0 - Installing tools

Game Link:

You must be registered to see the links

DnSpy Link:

You must be registered to see the links

Forked DnSpy Link:

You must be registered to see the links

To start we will need a game itself and some tools. Our first and most important tool will be

You must be registered to see the links

, it allows us to "look inside" .dll files that contain C# code. Read and Modify them. So download everything we need and proceed...

You can download either one of provided links here, the official developer of DnSpy stopped supporting it in 2021, so if you want more features use the fork link instead

Step 1 - Figuring out the game engine
Before even starting a game there are some quick steps we should do that will help us understand the game better and know how to approach it.
The first and very obvious step is to make sure our game was made with Unity, let's look at file structure:


We have

• %GameName%.exe
• %GameName%_Data
• UnityCrashHandler
• UnityPlayer

Basic Unity game file structure, I'm sure you feel that this step is too obvious, so let's skip all the useless stuff I can write about that and proceed to the next step

Step 2 - Figuring out scripting backend
Now comes less obvious but very important step
You see, Unity offers two scripting backends to choose from: Mono and il2cpp.
To put it simply:
mono option compiles the game into those .dlls we can freely read and modify, so it will be easy for us
il2cpp option compiles game into assembly code. We can still modify il2cpp game, but it's the topic for later chapters

Let's open %GameName%_Data folder


Two options here:

• If there is Managed folder - it is mono
• If there is il2cpp_data folder - it is il2cpp

Conveniently for us author compiled this game with mono scripting backend, who would've thought (Like I didn't make this game myself), so we can proceed

Level 0 - First Crack​

Game Link:

You must be registered to see the links

It is finally time to run the game and see what it has to offer



Oh no! Look at that bitch, she wants our money to activate NSFW content, what a shame, $60/month! There is no way we're paying that for a game we already downloaded to our PC with all the content hidden inside

Let's not waste any more time and crack our first game.
Open %GameName%_Data/Managed folder, that is where all the .dlls with game code are located



There are bunch of dlls here, each of them contains different code that is used in the game, to make things simplier think of them as "modules" or "folders" for a code. For example UnityEngine.UI.dll is a part of Unity Engine that contains code for UI elements.

The one we're interested in is Assembly-CSharp.dll, that is where Unity puts the developer's code that is not part of Unity itself. By default. There could be exceptions if developer creates his own assemblies, but let's not focus on that for now

Let's open DnSpy



Not much to see right now, let's drag our Assembly-CSharp.dll onto Assembly Explorer window or open it via File menu



You can click on the assembly to open namespaces and classes it contains. DnSpy will also load other assemblies from the same folder that are being referenced by the code inside of our Assembly-CSharp, just ignore them and focus on Assembly-CSharp

We don't have a ton of code here because it's a small example game, however in real game you may find a lot of stuff inside, so be a good student and just imagine there are lots of classes with too much code to handle

There should be some kind of Patreon check inside the game, having experience with porn games I designed "levels" from the most common and easy to the rarest and more difficult examples of Patreon validations you can find in a wild

So lets do the most easy thing I always start with: open the search window (Ctrl+Shift+K or magnifying lens icon near start button) and search for the word patreon



Make sure the option "Search For:" is set to "All of the Above" or you may miss something

Would you look at that! We found a field called _isPatreonVersion inside GameManager class
looks like the very thing we need, double click it to navigate to it's location



Here we go. Basic static bool that seems to determine if the version we're running is patreon version or not
You can right click on it and hit "Analyse" to see where it is used. Check "Read By" section



You may navigate to the method this _isPatreonVersion field is referenced at and see how exactly it is used. We can skip this part since it's pretty obvious this is what we need. Not to mention I'm running out of available attachments on F95

So lets make it so our bool is set to true instead of false (it is false by default in C#)
For that we right click on this field or somewhere near it and choose "Edit Class (C#)..."
Make it so this bool is set to true like so:


We just add = true;

Then click "Compile"



We're done! Now we need to save recompiled dll back to where we took it from.
Click "File -> Save All..."



You can overwrite original dll or copy it beforehand in case you messed something up.
But we don't do that, we're pros, so destroy it is
Click "OK"

Lets run our game again and see if it made any effect



Voila!
Cool, we cracked our first game, lets go!
I've blurred the good parts on purpose so you would have more motivation to follow along and crack the game by yourself, though it's only a simple AI image made for educational purposes

And that's pretty much it for the very basics. Trust me, this is enough to crack at least 25% of the Unity games on F95

We've learned how to:

• Differentiate between mono and il2cpp scripting backends
• Use DnSpy to read source code of mono Unity game
• Modify default values for fields in assembly

Share you thoughts and progress in this thread I'm always happy to answer questions and read feedback

 

[Uncle Eugene]

Level 1 - Unity Basics​

Game Link:

You must be registered to see the links

You know the basics already, so just do it again



We have the Managed folder, so it is mono, nice, we can do our thing

Run the game to see what it's about



Her again, but on a different side of the screen, that's new. Lets proceed with the crack

Open Assembly-CSharp.dll in DnSpy

Search for the word patreon once again



We have a hit! Same class, a little bit different name, I didn't change much for this level, LAZY ME! HOW COULD I?

Spoiler: What if Patreon word search didn't work out?

You don't have permission to view the spoiler content. Log in or register now.

So I guess we just do what we've learnt in Level 0 then
Right click on public bool IsPatreon and choose "Edit Class (C#)..."



Make it so our bool equals to true by default
and click "Compile"



Oops... Seems like we have an error. 'Object' is an ambiguous reference between 'UnityEngine.Object' and 'object'
This is common error when recompiling Unity classes in DnSpy. Developers often use class from Unity called Object and its name matches the same class from default System namespace and DnSpy sometimes loses track of which one exactly it meant to be

Double click on the error, it will show you the line where it occured:
return Object.FindFirstObjectByType<GameManager>();

here. 99.5% of the time developers refer to UnityEngine.Object, so lets fix our line. It should be
return UnityEngine.Object.FindFirstObjectByType<GameManager>();

Try to "Compile" again



Seems like we're done, so "File -> Save All -> OK" to save our modified dll

Lets run our game again and see if we've succeeded



And... We're not... What happened?

Well, obviously I wouldn't give you the second example if it was exactly the same as first one, so let me explain:



Take a look at the class definition: public class GameManager: MonoBehaviour
Notice how it is inherited from MonoBehaviour class (: MonoBehaviour shows that)

Simplified explaination would be that it means this class is used by developer in Unity as Component
On the screenshot I've shown you two examples of fields:
public bool _name_
[SerializeField] private bool _name_

In first case we have public field
in second case we have private (but can be whatever) field with [SerializeField] attribute on top of it

If one of these is put into Component - Unity will initialize it's value to what developer has set in the inspector
this is how it looks for him:



So the developer has this little nice checkbox that defines the value of this variable and it will be set later, so changing default value to true does nothing since Unity overrides it afterwards. (So does changing it in constructor, if you know what this means)

What can we do about that? - Actually, it's pretty easy. We just need to set the value to what we need after Unity finishes doing it's serialization stuff

Conveniently for us, there is void Start() method inside this class.
void Start() method is a special method in Unity that will be called once after this component initializes, just what we need!

Spoiler: Some other "magic" built-in methods in Unity that do stuff

You don't have permission to view the spoiler content. Log in or register now.

Lets right click on the method Start() and choose "Edit Method"



Inside, we will just set isPatreon = true;



And compile



That's it, lets save our finished dll and replace the one from the Managed folder with it

And check what the game thinks about it now



Victory once again!

We've learned:

• About "magic" methods in Unity that do something
• About Unity inspector where developer can choose what value that variable will be initialized with
• How to edit methods in DnSpy
• How to fix common compilation errors in DnSpy

Spoiler: What if there is no "Start"/"Awake" method in the class

You don't have permission to view the spoiler content. Log in or register now.

Spoiler: What if modifying method didn't work

You don't have permission to view the spoiler content. Log in or register now.

Share you thoughts and progress in this thread I'm always happy to answer questions and read feedback

 

[Uncle Eugene]

Level 2 - Password? No, thanks
​

Game Link:

You must be registered to see the links

No time to waste, lets open up the game and see whats new



OMG! Eugene actually spent time to do the menu? No way...

The menu! Something new on the table
Check out what happens if we click the "Patreon Key" button



What we're doing today is a bit different, but very likely to be found in a real Unity porn game - The password input

I'm sure you've seen some games that require you to input some kind of a password to get something in return, like cheats, gallery, exclusive features etc.
Here's one of them

Our goal is to crack the game so we can somehow input the correct key

See you in DnSpy



Yeah... So, I took some time to actually add extra classes so you'd get better idea of what it looks like
Let's search for our favourite word patreon



Absolutely no matches this time, damn
What do we do now? - We need to find a code that is connected to some kind of password/key input or validation
Maybe let's try searching for a word key



Too many matches inside System libraries. "Key" is a common word
You see that dropdown on a top right saying "All Files"?
Select Assembly-CSharp in Assembly Explorer window on your left and then set this dropdown to Selected Files



That's better. We've found a few classes named KeyWindow and KeyButton
Sounds promising. Lets double click on anything from KeyWindow class and see whats inside



Too much stuff in this class to fit into one screenshot, but I can tell you already that this class is what we were looking for. It controls the Patreon Key Input window.

Can you find the line where validation happens? Try to look through the code yourself. If you have any experience with programming I'm sure it will be trivial for you

Do you remember that if the class is inherited from MonoBehaviour then Start is a magic method that will be called from Unity? Good.
So inside this Start developer subscribes OnSubmit method on _submitButton click event. Given the name I'm sure that this button is what we press after inputting the code in game

So we look inside OnSubmit and see that it takes text from Input Field, trims it, checks that it is not null and passes it to PasswordHasher.VerifyPassword
And depending on what VerifyPassword returns it does stuff

Cool, so we found where it happens, now it's time to decide what do we do with it
But first lets navigate to PasswordHasher.VerifyPassword and see what it does
Click on VerifyPassword to do that



Uff, some encryption going on, you see that?
Well, unlucky. Seems like developer cared about his password "security" and verifies it by comparing it to hashed encrypted strings. Scary stuff, totally uncrackable

I deliberately made it this way because that is very common in games I crack. I love it and I find it extremely funny.
When I see stuff like this I imagine a picture looking something like that:



Sorry for messy AI image

A proud developer looking at a huge gate with tons of locks on it made with unbreakable steel, he passionately tries to secure his goods behind it and sure they're safe
BUT THERE IS NO FUCKING WALL AROUND. Not even a tiny fence. That makes me laugh

It happens a lot with different validations, even including networking validations when developer pays for a server, hosts a validation on it so nobody can hack it nor see how validation happens and sends data on the server to validate.
And then I just close validation window...

Thats fun and all, but how we proceed with the crack?

I'd leave that up to you, you already know everything you need to reach our goal
Unfortunately, we really can't figure out the original password because game only contains it's hash and random salt, encryption algorithm developers are smarter then the ones who generally use them
But we can do a lot of other things. Remember - work smart, not hard

One good idea would be making it so password verification always returns true for any password!
Lets do this. Right click on VerifyPassword method and choose "Edit Method (C#)..."



Delete all this crap inside and just return true;
Click "Compile"

Done. Now we "File -> Save All... -> OK" to save our recompiled dll
Open the game to check what we've done



And try to submit any key

Every key is valid now! Encryption didn't help this time around didn't it? Nice!

But there is still more we could've done. Now people would need to enter a code in the game to get what they wanted. This is ok, it works, but you know... Two extra clicks for lazy ass users!? Do you have any compassion?
Can you make it so user won't even have to enter the code? You can surely figure this out

Some people say "We don't look for easy ways". Well, maybe they should. They're fucking easy
Do not overcomplicate things and they won't be complicated:
Can't get original password? - Get rid of validation entirely
Program opens a window and asks to validate code remotely using API and their server? - Just close the window!
Developer patched an .exe file, built a bunch of protections and obfuscated the assembly? - Replace it with clean Unity .exe file, it's just a launcher for .dll

 

[Uncle Eugene]

Level 3 - "Crack stopped working! Please, update"
​

Game Link:

You must be registered to see the links

BepInEx Link:

You must be registered to see the links

Visual Studio Link:

You must be registered to see the links

You know everything you need to know to crack pretty much all the games compiled with mono

But you probably have guessed that when developer updates his game he, most likely, will update the code as well. So Assembly-CSharp.dll won't be the same and you would need to patch it once again. And again. And again. After each update.

Maintaining the crack takes too much time, especially if you do a lot of them for different games, so how can we get rid of this burden?
That's where we change our approach a little bit a lot
With the right tools we can keep the original dll unmodified while still applying the changes we need

Do not skip this level if you want to learn how to patch il2cpp builds since we'll be using the same approach

This right tool is

You must be registered to see the links

is an open source modding framework for Unity games. Created for making mods for popular (and not so popular) games.
Technically it is a hook that injects your dll into Unity process and provides you with some tools to make your life as a modder easier

Preparations - IDE​

In this level we will be writing

You must be registered to see the links

plugin and for that we need an IDE where we'll create our stuff
I do suggest using

You must be registered to see the links

for that purpose

You must be registered to see the links

You will be asked by an Installer what modules would you like for your Visual Studio 2022
Install .NET desktop development
and make sure to install .NET 6.0 Runtime (Out of support) as an individual component (you may find it in "Individual components" tab on top)

Preparations - Templates
​

Now we need to install the BepInEx templates for our visual studio. This is very easy

Press Win+R, enter cmd and click OK
Or open console window in any other way

dotnet new install BepInEx.Templates::2.0.0-be.4 --nuget-source https://nuget.bepinex.dev/v3/index.json

Paste this command into console and click enter



Done, quick and easy, everything's ready

Preparations - BepInEx
​

BepInEx Link:

You must be registered to see the links

The last thing is to download

You must be registered to see the links

itself
Open the page, go the the last Artifact and download both Unity.Mono-win-x64 and Unity.IL2CPP-win-x64
You will need il2cpp one later probably, so it's nice to have right away

Spoiler: Why do we download BE builds and not Stable ones

You don't have permission to view the spoiler content. Log in or register now.

Make the Crack as Usual​

Finally we're ready. Pretend you didn't just go through a list of programs to download/install and commands to run
You won't have to do that ever again! Unless you format your hard drives and reinstall OS

So, we're ready to do the job. Lets open up our game and see what it has for today



So, the developer made some kind of a patch. Probably a file that goes into game folder that we're missing. And this file determines if the version of your game will include extra content

Nothing changes so far, open Assembly-CSharp.dll in DnSpy and see what it wants

Hopefully you did notice that Patreon has nothing to do with todays game and the word we need to look for is probably patch



Popular word, huh? Lets search in Assembly-CSharp only



GamePatcher and method CheckPatch, sign me in!



Simple enough method, checks some file in game directory, loads it as JSON and returns true if we have Unlimited version and false if we don't. You could figure how to create such file and where to place it so it works, but that's not the point of this level

So what do we do? Obviously nice straightforward solution would be to modify this method to always return true and that's it
This is correct and it works, you can test it by yourself. But as I already mentioned you would need to redo this work for every next version of the game which is tedious

Remember: We need to make it so bool CheckPatch() method of GamePatcher class always returns true

Creating BepInEx Plugin​

Now that we know what to do lets create BepInEx plugin that does just that!
Open some folder where you'll keep the patch and open console window there

You can do so by Shift+Right click on an empty area and clicking "Open PowerShell window here..." (This option is unavailable without Shift)
Or you can just open console and navigate to this folder using cd



In console or PowerShell window run the following command:

dotnet new bep6plugin_unity_mono -n MyFirstPlugin -T net472

Where MyFirstPlugin is the name of your project and folder that will be created
-T net472 is a target .NET framework, it can be net472, netstandard2.1 or other versions depending on how the game was built. Default is net472, if you run into any troubles try netstandard2.1. If still running into troubles - read error output in Visual Studio it will tell you which framework version game's dll is using

After command succesfully executes run this one:

dotnet restore .\MyFirstPlugin\

Where, once again, MyFirstPlugin is the name of your newly created folder
You can use Tab button to auto-complete the name



Done! You can close console now
Look, MyFirstPlugin folder was created with .csproj and Plugin.cs files in it

Open the .csproj file, it should open in Visual Studio 2022



Welcome to Visual Studio. This is where I work, this is where I live, this is where BepInEx plugins are made

On your right you can see "Solution Exploerer" window. Double click on Plugin.cs to open it



Here we have the BepInEx plugin template for Unity mono
You can do anything here, especially when you know that BaseUnityPlugin is inherited from MonoBehaviour
So this script will be spawned in Unity as component on a new Object and method Awake will run. This requires understanding of Unity, of course, and we don't need this now, but just so you know

Finally, the patch!

But first! Our project doesn't yet know anything about the game and what classes or methods it has, so we need to show it what we're working on
For that, navigate to "Solution Explorer" on your right and right click on Dependencies



Select "Add Project Reference..."
Click "Browse" and choose the Assembly-CSharp.dll from Managed folder. The one we were looking at in DnSpy before

Dont forget to click "OK"

Done. Now if we would start to write GamePatcher Visual Studio successfully picks up on what class it is and where it comes from



We're almost there, it's time to finally write our plugin

Do you remember our goal? Let me remind you:
We need to make it so bool CheckPatch() method of GamePatcher class always returns true

To achieve that we will use Harmony patcher. It allows us to hook methods that are about to be called and routes the call to us instead, so we can do whatever
Let's add reference to HarmonyLib at the very top



I've added using HarmonyLib;

Now, we create static bool method inside our Plugin. You can call it however you want



And let's add some Harmony attributes:

• HarmonyPrefix - means that this method should be called before the original
• HarmonyPatch - contains information about what method we're hooking. Here we reference method CheckPatch in GamePatcher class

There is also HarmonyPostfix attribute if you want to call your method after the original has been executed. Note that in this case your method must be static void instead of bool

Cool. Now we need to override the return value of the original method. For that we add a ref bool __result argument



You can find about other "magic" arguments on

You must be registered to see the links

Finally lets finish writing our method



Since our method is bool we need to return a value
The return value of HarmonyPrefix answers the question: "Should the original method be called after we finished?"

We don't need original CheckPatch to ever run, so we just block it and use our method instead. And in our method we set the result to true

There's one last thing to do and that is to actually patch the game with Harmony
Call Harmony.CreateAndPatchAll(typeof(Plugin)); in Awake()



Here is the finished plugin. There is not much, I just tried to explain as much as possible. Hopefully you're not overwhelmed.
We're finally done. Congratulations!

Spoiler: Final Code

You don't have permission to view the spoiler content. Log in or register now.

Click "Build -> Build Solution"



If you don't have any errors the build should succeed



If your build failed check the Error List, maybe you did a mistake in code or maybe there are other problems, it will show you what's wrong

Your plugin is located under %YourPluginFolder%/bin/Debug/net472/%PluginName%.dll
Find the output .dll



Here it is, your own .dll between a bunch of other stuff that came here along with Assembly-CSharp we included
You only need MyFirstPlugin.dll

Now just unpack the contents of BepInEx-Mono we downloaded before into game folder like so



We should've done it way earlier, but whatever. There was too much stuff to discuss

And copy your .dll into BepInEx/plugins folder
If you don't have plugins folder you can create one. Alternatively BepInEx will create it automatically after you launch the game

Run the game!



BepInEx console will open along with the game (it may take a little time to load)
And if you did everything right BepInEx should tell you that it's loading 1 plugin and the game should load cracked
Optionally you can disable this console in BepInEx/config/BepInEx.cfg file

Congratulations!
If you've made it this far I'm very proud of you, especially if you didn't have any experience with programming and Visual Studio before

Share you thoughts and progress in this thread I'm always happy to answer questions and read feedback

 

[Uncle Eugene]

Level 4 - Unnecessarily overcompicated IL2CPP
​

Game Link:

You must be registered to see the links

Unity Explorer:

You must be registered to see the links

Original Unity Explorer:

You must be registered to see the links

BepInEx Bleeding Edge:

You must be registered to see the links

Finally the time has come for ultimate BOSS of this guide

This level assumes you did everything from Level 3 and we won't come back to it!
Link to BepInEx IL2CPP is still provided here, everything else should be already installed, if not - navigate to Level 3 and complete it

Run the game to get the idea what we're working with



Ok, so the game wants us to login through Patreon API (Imagine that Patreon login appears in browser when you click "Patreon" and not this thread)

There's no way we're doing that, so let's better crack it!
Open "Managed" fo...



...lder. Well... il2cpp_data and no "Managed" folder, we're dealing with "professionals" here, the stakes are higher

To deal with such unlucky situation we shall, once again, get some help from our dear friend "BepInEx"
Install BepInEx IL2CPP for this game



Don't forget to put it near the game's .exe and not into "data" folder

Let's run the game with BepInEx installed



In case the game is il2cpp build - BepInEx will download default Unity assemblies from it's endpoint that you can see in console - This requires internet connection, and also read global-metadata.dat file to create hollow libraries for you to work with

Navigate to BepInEx/interop folder



Looks familiar? Here's your "Managed" folder, so to speak

Let's open Assembly-CSharp.dll in DnSpy and see if we can find anything



You may've noticed that code looks scary
In a nutshell: the only real part here are signatures, so: Properties, Fields, Classes, Methods and their names. Everything inside is just code that does "nothing" but compiles.

In about 90% of the cases it's enough to just know the classes, methods and their names to create a working crack!
You just find something that looks interesting, assume what it does looking at it's name, write a quick BepInEx plugin to test your idea and if it works - congratulations, if it doesn't you just repeat until it works or you're out of ideas

So let's try searching for patreon



Nothing. How about authentication



Hmm... A bunch of Unity classes but nothing in Assembly-CSharp.dll

I don't know... access?



Well... FUCK!
Luck is completely not on our side today. In such situations I usually look through the classes manually for a few minutes to see if I can find something that looks promising, but I can assure you this is not the case here

We will have to do some long boring trickery-fuckery to understand how the game works

We're about to use "Unity Explorer" BepInEx plugin that will basically create "Unity Editor" layout right in the game.
Original developer stopped supporting it few years ago and BepInEx released a major update that made plugin incompatible, so we'll have to use the Fork I've found that does include new (CoreCLR) version support

So, download

You must be registered to see the links

And install it like you would install any other plugin in BepInEx by dropping whole folder into BepInEx/plugins



Run the game with Unity Explorer installed



Well, I'm sorry for making it 1280x720 window rather than Full Screen, but Welcome!

Spoiler: In case Unity Explorer didn't work

You don't have permission to view the spoiler content. Log in or register now.

Here you can see Unity Explorer successfully loaded and it's UI enabled
On your left you can find "Object Explorer" window which shows you hierarchy of all Unity GameObjects that are currently loaded in the scene
It is useful to know that you can click on those "green boxes" to enable and disable Objects. This will probably break the game at some point, but that's the easiest way to figure out what Object you're looking at. Also, some objects are loaded into another scene called "DontDestroyOnLoad" that you may access through "Scene" dropdown. Be aware that "UniverseLib" in that scene is your Unity Explorer and disabling it will lead to Unity Explorer crashing

In this example there is not much, but some real games contain a lot of different objects. To find something that interests you you can open "Inspector" window from top menu and click on "Mouse Inspect" dropdown



Then you may select any objects that you want by clicking on them in the game view

That's real cool and all, but how will it help?
Everything is simple. You see that AuthManager object in "Object Explorer"?
Click on it



Inspector for this object pops up.

There is a "Components" section at the bottom right, you see?
Remember when I've told you that MonoBehaviour classes are used as Components in Unity and do stuff like calling code in Update method every frame or once in Start? - That's where you can see those components on each object!

This AuthManager object in particular seems to have some component called eZjBSqHxDtE2 on it.
Click on this component to open it in inspector



Here you can see all the Properties, Fields and Methods of this component (and it's parents)
But not only that, you can change the values in realtime or call the methods!
Pretty cool, right?

The name of the component looks strange - eZjBSqHxDtE2, but that just means that it has been obfuscated so you can't easily read it and figure out what it does just by looking at it's name. Greedy developer doesn't want us to figure out what this class is for, so WE'RE ON THE RIGHT TRACK

Look closely at the second line of the inspector:
Assembly: UncleEugene.Auth.dll
That's why we didn't find this class in Assembly-CSharp.dll we've been looking through! Because it exists in another assembly!

let me double check...



Here it is!
Tricky developer wanted to hide the authorization class from us. Not today, bro

But since we're already in game with Unity Explorer opened let's do one more thing:
Disable the checkboxes for everything but Methods to see what methods this component has




Obviously the method names are obfuscated, so it's not that easy to understand what they do
However we don't have to guess!
Just click "Evaluate" on any method to call it and see what happens



Look! I've just called a method and game was loaded!
The fun part is that one of those methods closes the game

The method that opened the game was vNLvTJgCYFFL
I have to remind you that this is heavily exaggerated stuff we're working with right now and real game would definitely have method names untouched, I just wanted to show you what to do in this scenario

So, let's summarize what we've learned:

• There is another assembly called UncleEugene.Auth.dll with authorization code in it
• Class that manages authorization is called eZjBSqHxDtE2
• The method that seems to pass authorization is called vNLvTJgCYFFL

Good. So all we have to do now is write a plugin that calls this method when game loads and we're done!

Now let's create BepInEx plugin that does that

Remember that you need to create il2cpp plugin template and not mono
Create plugin template with following command:

dotnet new bep6plugin_unity_il2cpp -n Level4Crack

il2cpp template doesn't need -T parameter, only -n for name

Don't forget to call dotnet restore .\Level4Crack\ afterwards! Where Level4Crack is your project name



Let's open .csproj file and write our plugin

We would need Dependencies. This time the assembly we need is not Assembly-CSharp.dll but UncleEugene.Auth.dll you can grab it from BepInEx/interop folder like you would normally do with "Managed" folder

Add Dependency to UncleEugene.Auth.dll



You may need to open this class in DnSpy to have it before your eyes, but I'll gratefully do that for you:



Some people may've noticed that there is no Awake() nor Start() or any other magic Unity method that we can hook and execute this vNLvTJgCYFFL to skip authorization window. Yeah, that's a shame...

WHY DOES IT HAVE TO BE SO COMPLICATED THIS TIME?

So how do we call this method if we have nothing to hook!? (create HarmonyPrefix/HarmonyPostfix for)
Here's the idea: we will create our own component and create it on a scene when game loads. Then we will find this strangely-named component on the scene and call the method we need! As simple as that.

Let's create MonoBehaviour component



Uh oh. Seems like Visual Studio wants another dependency
When you're working with MonoBehaviour you'll need to add dependency to UnityEngine.CoreModule.dll
And since MonoBehaviour is inherited from UnityEngine.Object you will also need dependency to Il2Cppmscorlib.dll
So add these dependencies. You can grab them from BepInEx/interop folder aswell



BepInEx explicitly tells in its documentation not to add dependencies on these two assemblies unless you really have to and know what you're doing. And we're what? We don't give a fuck, that's right. Proceed.

Don't forget to add using UnityEngine; at the very top



Now that our component is created add a magic Start() method that will be called once object with this component is loaded
Inside this method we will use Unity's method Object.FindObjectOfType<T>() to get reference to this eZjBSqHxDtE2 component and call it's method vNLvTJgCYFFL
Here's how it looks:



Note that this class was inside Authorization namespace, so I either have to write it explicitly as Authorization.eZjBSqHxDtE2 or add using Authorization; at the top of the file

Component is done, all that's left to do is to actually create it and put on Unity scene.
Add IL2CPPChainloader.AddUnityComponent<MyMagicComponent>(); into Load()

Spoiler: Final Plugin Code

You don't have permission to view the spoiler content. Log in or register now.

Everything is ready
Now all that's left to do is to build plugin and put it into BepInEx/plugins folder



Finally, everything is done!

I've put together too much stuff in this level, I know. In the real scenario this case would be over at the point you've installed BepInEx and got your interop folder, but If you've managed to survive through this whole level there is nothing more that can stop you

Congratulations!

 

[varie55526]

w

 

[Uncle Eugene]

Level 2 is out now.
Level 3 will be a transition between mono and il2cpp
And Level 4 will finally be about cracking il2cpp builds

This will conclude the main line for the tutorial and I will consider it done

After that I might throw in some extra "side quests" like a tiny projects with a goal to achieve by patching the game. Not necessarily paywall removal, just so you see and get some practice with different Unity specific stuff

 

[PhanTanTrung]

I can't believe I get free education on porno site

 

[lazylazyoni]

It is your decision but I would change the dnspy link to this maintained fork or add it as an extra source:

You must be registered to see the links

Thank you for the guides. The part I am stuck with is if the metadata of an il2cpp distribution is encrypted. I think if that is the case there is no other way around other than using assembly and trying to find the decryption method to then decrypt the metadata. On a project I tried I could not find the decryption method though. I hope you make a guide for that as well.

 

[Uncle Eugene]

It is your decision but I would change the dnspy link to this maintained fork or add it as an extra source:

You must be registered to see the links

Thank you for the guides. The part I am stuck with is if the metadata of an il2cpp distribution is encrypted. I think if that is the case there is no other way around other than using assembly and trying to find the decryption method to then decrypt the metadata. On a project I tried I could not find the decryption method though. I hope you make a guide for that as well.

Never faced such a project before tbh, can you provide a link here or in DM to the game so I can take a look? You're probably right tho, it is definitely out of scope for this guide and it requires individual approach for a project

For literally all the games on F95 writing hooks in BepInEx was always enough for me. Some of the "hardest" games required some analysis with Unity Explorer, but other than that no problems

The only game I "failed" to crack was "my time at sandrock" that costs shit ton of money on steam, does check for an appid swap (obviously) and uses it's own server to communicate with steam to verify if you own a copy. Server works as a relay server with some extra data passed around for multiplayer, so in order to crack that I'd need my own copy of server or to imitate it's functionality, which is unknown, so it just wasn't worth the effort

Don't like to provide links to unofficial stuff in guides, but this one is a good idea, I'll add it as optional

 

[Uncle Eugene]

I think if that is the case there is no other way around other than using assembly and trying to find the decryption method to then decrypt the metadata.

I've been thinking about it for a bit now and here's what I have to say:

I keep repeating - look for easy ways
If you get the reference, it's like building a killbox for enemies in a game like "RimWorld". You're building cool unpassable area with lots of traps, guns and so on... But suddenly all the mobs just turn away from your designed path and break your 2cm wooden wall to get inside.

People get tunnel vision a lot, and that's the case for those who make security as well, not only the ones who break it. Especially considering that if you want your product to be secure from all sides you'd have to spend maybe even more time than is required to crack it

So the idea of using assembly and decrypting data by yourself is straightforward and it will work, but it is hard and time consuming. And that is what developer wanted you to do. That is where "the killbox" is

Instead, we could think about that the meta file is required by unity engine and will be read in runtime (as far as I understand it). So the decrypted file should be passed to unity engine in some way.

Now there are few ways I can think of it getting passed, but let's think about how to retrieve it instead. First thing is to run the game and create a memory dump. Look inside it for the file we need. You'll probably get it.
The other way a bit harder is to imitate it as if we're the unity engine asking for a file

 

[lazylazyoni]

Never faced such a project before tbh, can you provide a link here or in DM to the game so I can take a look? You're probably right tho, it is definitely out of scope for this guide and it requires individual approach for a project

For literally all the games on F95 writing hooks in BepInEx was always enough for me. Some of the "hardest" games required some analysis with Unity Explorer, but other than that no problems

The only game I "failed" to crack was "my time at sandrock" that costs shit ton of money on steam, does check for an appid swap (obviously) and uses it's own server to communicate with steam to verify if you own a copy. Server works as a relay server with some extra data passed around for multiplayer, so in order to crack that I'd need my own copy of server or to imitate it's functionality, which is unknown, so it just wasn't worth the effort

Don't like to provide links to unofficial stuff in guides, but this one is a good idea, I'll add it as optional

I dont have the files anymore and it was couple months ago I think it was this game https://f95zone.to/threads/everlusting-life-by-pochemu-ltd.254825/

Yeah I read about dumping the code from the memory but I didn't know how to do that. There are tools for like .NET Apps but they don't work on il2cpp.

 

[Uncle Eugene]

I dont have the files anymore and it was couple months ago I think it was this game https://f95zone.to/threads/everlusting-life-by-pochemu-ltd.254825/

Yeah I read about dumping the code from the memory but I didn't know how to do that. There are tools for like .NET Apps but they don't work on il2cpp.

By the way, I had a look at the game. It surely does a lot of stuff trying to protect itself...
There's no original metadata file in memory dump, but it does encrypt/decrypt it, so should be possible to "steal" it by asking the process itself to give you the file

It does look for injectors and deliberately crashes the process when detects one, so one more pain in the ass

The game also is il2cpp and as I understood it devs do host a server to send data back and forth to validate some stuff

So, unless you're COMMITTED AF I would recommend to just drop this game and leave it be, some gacha does not worth so much time and effort. At least for me

 

[kullun]

By the way, I had a look at the game. It surely does a lot of stuff trying to protect itself...
There's no original metadata file in memory dump, but it does encrypt/decrypt it, so should be possible to "steal" it by asking the process itself to give you the file

It does look for injectors and deliberately crashes the process when detects one, so one more pain in the ass

The game also is il2cpp and as I understood it devs do host a server to send data back and forth to validate some stuff

So, unless you're COMMITTED AF I would recommend to just drop this game and leave it be, some gacha does not worth so much time and effort. At least for me

If the server communication is not encrypted, a server that could mimic those communications can be written without touching the client.

And some game servers don't even verify the data they are getting from the client and those are always fun lol

 

[Uncle Eugene]

Level 3 is finally out. One more to go... Hopefully it won't take that long to write, considering I'll have less free time now

 

[lazylazyoni]

By the way, I had a look at the game. It surely does a lot of stuff trying to protect itself...
There's no original metadata file in memory dump, but it does encrypt/decrypt it, so should be possible to "steal" it by asking the process itself to give you the file

It does look for injectors and deliberately crashes the process when detects one, so one more pain in the ass

The game also is il2cpp and as I understood it devs do host a server to send data back and forth to validate some stuff

So, unless you're COMMITTED AF I would recommend to just drop this game and leave it be, some gacha does not worth so much time and effort. At least for me

Thanks for the response.
I was stuck at this part:
"asking the process itself to give you the file"
I don't know how to dump the metadata from memory and I feel like reverse engineering guides are very scarce.
Didn't really want to patch the whole game and mock the server calls just wanted to know how to deal with il2cpp games that have encrypted metadata. There are no step for step guides for that.

 

[Aziien]

Neat and very well made guide! I will definetly use it as a reference in the future

 

[Uncle Eugene]

Thanks for the response.
I was stuck at this part:
"asking the process itself to give you the file"
I don't know how to dump the metadata from memory and I feel like reverse engineering guides are very scarce.
Didn't really want to patch the whole game and mock the server calls just wanted to know how to deal with il2cpp games that have encrypted metadata. There are no step for step guides for that.

Sorry for yet another late response, I didn't want to leave this unsolved

tl;dr; I did retrieve the metadata file through their process, which I assumed to be hooking file reading functions to decrypt the file. It does output the same exact file so either the assumtion is incorrect or the metadata file is not encrypted at all (I bet on the second one).
The game does check for presence of injectors tho, so this might be the only reason for BepInEx crashing. Check is embedded into GameAssembly.dll and is encrypted/obfuscated whatever, so it's not as simple as finding the "version.dll" string in assembly and removing it

The way I did extract the original file is that I remembered that there's UnityCrashHandler64.exe that starts as a subprocess for Unity game, so I just replaced this .exe with mine that does this file thingy

Not gonna mess with this particular game anymore though, sorry

 

[ble11123]

Hello! I really enjoy a game but it recently introduced a patreon lock. I followed your guide (which is very well structured, i must add) but unfortunatelly found out that its an il2cpp type of unity game. Since that chapter is not out yet, and all my attempts been for nothing so far, could you please have a try at cracking it?

here is a

You must be registered to see the links

 

[Uncle Eugene]

Hello! I really enjoy a game but it recently introduced a patreon lock. I followed your guide (which is very well structured, i must add) but unfortunatelly found out that its an il2cpp type of unity game. Since that chapter is not out yet, and all my attempts been for nothing so far, could you please have a try at cracking it?

Yeah, unfortunately, I didn't have much time to finish the last chapter recently, but overall patching il2cpp games would be just the same as making BepInEx plugin for mono game, but using il2cpp version of bepinex instead to help you create hollow methods library

What it means:
1. Drop the bepinex il2cpp files into your game folder
2. Run the game so bepinex initializes
3. Go to BepInEx/interop folder

That's it, treat it just like you would treat Managed folder. The only difference would be that:
1. You don't have method bodies, you only have signatures, but that's enough most of the time
2. You have to create il2cpp plugin template instead of mono template

dotnet new bep6plugin_unity_il2cpp -n MyFirstPlugin

And that's pretty much it.
If you have any errors when building plugin (it may ask for references to unity engine core lib or mscorlib) you can just add them just like you did with assembly-csharp.dll

If the game's code is hard enough to understand without method bodies - I use BepInEx plugin called "Unity Explorer". It is not supported on "bepinex 6.0.0-pre" version that I'm using in this guide, but there is a fork of it somewhere on github that is supported, but I've lost the link... Anyway it's always possible to downgrade bepinex at the end of the day

In "Unity Explorer" I do... Explore... Looking for components and stuff that is used in windows / elements that are connected to what I'm trying to achieve