IL2CPP Tutorial: Finding loaders for obfuscated global-metadata.dat files

Game publishers are loving it lately. Over the last few months I’m starting to see all kinds of weird and wacky obfuscation schemes designed to prevent Il2CppInspector from loading IL2CPP games.

While it’s quite amusing to see narrowly targeted attacks percolate, it does make the support tickets pile up on the issue tracker, and I unfortunately have neither the time nor the desire to sit and pick apart every file thrown at me. The old adage of giving a person a tool and they’ll hack for a day, but teach a person to write tools and they’ll hopefully stop spamming your social media seems pertinent here. At least I think that’s how the adage goes… or was it fish something? Either way, we all started off as plankton; hopefully you are thirsty to become a shark!

In this tutorial, I’ll walk (swim?) you through how to find the loader for global-metadata.dat in almost any IL2CPP application so that you can reverse engineer it yourself. This will include obfuscated metadata, encrypted metadata, and metadata embedded in the binary itself, plus light obfuscation of the code path to the loader. I’ll also throw in a couple of examples to whet your appetite.

>>How do I know if global-metadata.dat is obfuscated?

  • Open global-metadata.dat in a hex editor. Are the first four bytes AF 1B B1 FA? If so, this is a good sign that the file is not obfuscated – but not a guarantee.
    The start of an unobfuscated global-metadata.dat looks as follows – four magic bytes, a 4-byte version number and a list of file offsets and lengths for each table in the file – generally in sequential order.
alt

If it doesn’t look similar to this, it’s probably obfuscated or encrypted.

  • If you can’t find global-metadata.dat in its usual location (Android: assets/bin/Data/Managed/Metadata/global-metadata.dat, PC: <app-name>_Data/il2cpp_data/Metadata), scan all of the game files for any starting with the above magic bytes. If you find one, it’s probably a renamed global-metadata.dat. If you don’t, the metadata file is likely – but not guaranteed – to be embedded within the game binary itself or another file, or it may be encrypted and stored as one of the other files.
  • Assuming you’ve found a metadata file with a valid header, try to load it into Il2CppInspector. If the file fails to load with errors such as An item with the same key has already been added, Sequence contains no matching element or Index was outside the bounds of the array, there are a few possibilities, in this order of likelihood:
    • An obfuscated or encrypted metadata file
    • A bug in Il2CppInspector
    • A version of IL2CPP not yet supported by Il2CppInspector. Check which version of Unity the game was made with. It may take us a while to implement support for very recent versions of Unity.

If you have now determined the metadata file is obfuscated or hidden, or you are not sure, proceed to the next step.