Iil2cpp codegen add handles
The call to il2cpp_codegen_add handles any operator overloading of + in the expression a + b.
IL2CPP_RUNTIME_CLASS_INIT ensures that a class (Console in this case) has executed its static constructor before being used,
for example in Console.WriteLine. At the top of the function, we find a boolean check which IL2CPP generates for every static method,
again used to ensure that the proper initialization is done before execution proceeds.
So, why does any of this matter?
Obviously if you are reverse-engineering a game,
you won’t have the Unity project so you won’t be able to look at the generated C++.
But it’s important to remember that even if by some dark magic you achieve a perfect
decompilation of the target binary into C++, what you will end up with is very different
to the original C# source code. Whereas our idealized C++ version using printf disassembles like this on x64:
; int __cdecl main(int argc, const char **argv, const char **envp)
main proc near
sub rsp, 28h
mov edx, 3
lea rcx, _Format ; "Hello world: %d\n"
xor eax, eax
add rsp, 28h
The IL2CPP version, on the other hand, looks like this:
; void __fastcall Program_Main_m2325437134(Il2CppObject *__this, StringU5BU5D_t1642385972 *___args0, MethodInfo *method)
Program_Main_m2325437134 proc near
sub rsp, 20h
cmp cs:s_Il2CppMethodInitialized_8016, 0
jnz short loc_14038BFF1
mov ecx, cs:[email protected]@3IB
call [email protected]@[email protected]@@[email protected]
mov cs:s_Il2CppMethodInitialized_8016, 1
mov rcx, cs:?Int32_t2071877448_il2cpp_TypeIn[email protected]@[email protected]@EA
lea rdx, [rsp+48h]
mov dword ptr [rsp+48h], 3
call [email protected]@[email protected]@@[email protected]@[email protected]@[email protected]
mov rcx, cs:[email protected]@[email protected]@EA
mov rbx, rax
test byte ptr [rcx+10Ah], 1
jz short loc_14038C02B
cmp dword ptr [rcx+0BCh], 0
jnz short loc_14038C02B
call [email protected]@[email protected]@@[email protected]@@Z
mov rdx, cs:[email protected]@[email protected]@EA
xor r9d, r9d
mov r8, rbx
xor ecx, ecx
add rsp, 20h
and that disassembly is with the symbols included, which you initially won’t have.
Therefore, in order to be able to understand the disassembly of a method in an IL2CPP application,
we really have to understand all of the key data structures and internal API calls that IL2CPP provides and manages,
so we can cut through all of the boilerplate and drill down into the actual functionality of the application.
To this end, it can be very useful to compile small snippets of C# with IL2CPP and investigate what comes out
(cryptographers will recognize this as a sort of known plaintext attack).