Reverse Engineering Adventures: Honkai Impact 3rd (Houkai 3) (IL2CPP) (Part 1)
>>We came, we predicted, we scripted and decrypted
Of all the IL2CPP workloads that have landed on my office desk over the years, those published by miHoYo (web site in Chinese)
are what I consider to be the current gold standard for IL2CPP obfuscation. miHoYo has taken aim at our beloved (and sometimes hated)
IL2CPP tools and trashed them with customized metadata encryption and extensive struct reordering, encapsulated in an obfuscated
built from a modified Unity source code base. We had a good chuckle together
reverse engineering League of Legends: Wild Rift, but now it’s time to get serious.
People reverse engineer code for different reasons. If you’re a malware analyst, you don’t care how the payload is encrypted;
you just want to understand what threat vectors the malware exploits, what its key behaviour is, and how to create a signature
to detect it. If you’re the nefarious type who sells exploits for money, you probably don’t care how the target software works
either, as long as you can sell your exploitative trash (shame on you).
Some people have a quite different motive: reverse engineering is a hobby for them; they don’t use or care about the product,
they’re merely interested to learn about how different protections work – the reverse engineering is the game, so to speak.
When I rewrote the disassembly of a Sky pay-TV smartcard in C in 1997 (I know, I was an unruly teenager who turned into an
unruly adult, sorry) and the company who designed the smartcard
(NDS – now merged with Cisco)
wanted to “have a little chat” with me about this, one of the first questions they asked me was: if you wanted free TV,
why didn’t you just run the smartcard code in a CPU emulator once you’d dumped the ROM instead of spending 8 months
rewriting it in C? My answer was matter-of-fact: I already have a Sky subscription, I just wanted to know how the
card worked and prove it could be done. They subsequently paid me to fix it for them (this is the smart play by the
way: nobody can design security products as well as hackers; Sony would have done well to take this tip instead of suing GeoHot).
I’m sharing this humblebrag with you as a prelude to explaining my motivation regarding miHoYo’s games. Normally I make a
point of learning how a particular protection works, but this time I had a bee in my bonnet: after going on a blitz adding
various unpacking, decryption and deobfuscation functionality to
I was acutely aware that Honkai Impact was the only remaining title I knew about that my tool wouldn’t load. I also
knew from earlier investigation how to make it load, that it was highly tailored to the one specific game, and so –
unlike the other generalized deobfuscation code – had no place in a generic tool.
This failure to load every IL2CPP workload gnawed away at me, but as it happened I was also working on a plugin system,
so by fortuitous confluence it seemed like the perfect subject material for a demo plugin. I was getting burned out on
weeks of reverse engineering every day though, so I got lazy: the example we will present today demonstrates how to break
protection in the “malware analyst” way: just get it to decrypt and don’t bother about the details of how it works beyond
Today’s volunteer is Honkai Impact 3rd. Buckle up!
Tip: The walkthrough below uses version 4.3 but the process works
in an identical fashion all the way back to 3.8, which is the earliest version I’ve tested. We demonstrate how to
reverse engineer the Windows build of the game, however the algorithms used for the Android build are the same.
The Android version can therefore be decrypted merely by substituting the PC build’s global-metadata.dat examined
below with the Android version. How did we determine this is possible? Simply by trying it!
Info: You can view the complete, fully-commented source code of
the miHoYo loader plugin here. This plugin is the result of the work described below and shows how to modify
Il2CppInspector’s load pipeline to handle non-standard workloads without needing to fork or modify the original tool.