How to Hack Unity Games

Post by justAfaker

This quick guide shows how to hack Unity games compiled with Mono and IL2CPP. The games I chose are free single-player Steam games with Overwhelmingly Positive ratings. When finished, feel free to leave a positive review for these fun and passionate games!

Also, please avoid hacking multiplayer games. Other people are trying to enjoy the game, so please don't ruin their fun.

Prerequisites:

  • Basic coding knowledge

  • Cheat Engine hacking experience

Tools:

Games:
(Mono) Outpath: First Journey
(IL2CPP) Nova Lands: Emilia's Mission

Using ILSpy to Find Functions

  1. Download a Unity game compiled with Mono

    • These will have a folder called GAMENAME_Data with a Managed folder inside. I will be using Outpath: First Journey

  2. Download and open ILSpy

  3. Click the Open button at the top left. Select GAMENAME_Data → Managed → Assembly-CSharp.dll file (on Steam, this is C:\Program Files (x86)\Steam\steamapps\common\Outpath First Journey\Outpath_Data)

    • Some games will use a different .dll file, usually with the game name

  4. Search for a function you want to hack. You can sort by Location and change the type of search to Method for an easier time

    • I will make it so crafting buildings does not take resources

  5. From here, explore the different classes and their functions by double-clicking the search results to decompile them

    • I noticed that Build_Craft:SetItemToCraft has the function RemoveItemFromInv_NoUpdate, which probably removes items, so I double-click the function

    • This leads me to a class that has other RemoveItem functions, which can be helpful for the future

  6. Now, right-click the function and select Analyze. Then click Used By in the Analyze window

    • This shows which functions call this function, which helps you find more useful functions to edit and understand what removing this function will do


Creating Assembly Scripts

  1. Attach Cheat Engine to the game

  2. Wait for the Mono tab to appear

  3. Click Mono → Activate mono features

  4. Click Memory View. Press Ctrl + G and type in the name of the class and function

    • I will search InventoryManager:RemoveItemFromInv_NoUpdate

    • Alternatively, you can use Dissect mono from the Mono tab to find the function. This can also help you find useful offsets for class fields

  5. In Memory Viewer, select Tools → Auto Assemble or press Ctrl + A

  6. Copy and paste this code template to create a script that will disable the function

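    // Paste the function's first address after the comma (step 7)
    define(address, )
    // Original first byte of the function (55 = push rbp)
    define(bytes, 55)
    
    [ENABLE]
    // Abort unless the original byte is still at the address
    assert(address, bytes)
    
    address:
      ret
    
    [DISABLE]
    // Restore the original byte
    address:
      db bytes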
    
    • This script creates two variables, address and bytes

    • On enable, assert checks that the address holds those bytes. If it does not, the script fails, and you can see the message by right-clicking the script once it has been added to the cheat table

    • If the check succeeds, then it overwrites the address with your code

    • On disable, it will overwrite the new code with the old code

      • WARNING: If your new code takes up more bytes than the old code, then it will break the game, and it will crash. Make sure you never write more bytes than you define

      • In this case, Unity Mono game functions usually start with 55, which is 1 byte, and the ret instruction is C3, which is also 1 byte, so this is fine

      • If you need more room, then you can allocate and jump to the new memory

  7. Do right-click → Copy to clipboard → Addresses only for the first line of the function in Memory Viewer. Paste this into the script on define(address, HERE)

  8. Do File → Assign to current cheat table

  9. Your script is now finished. Enjoy!

IL2CPP Unity Games

Sometimes, you will find Unity games compiled with IL2CPP instead of Mono. This removes helpful info for decompilers and makes hacking difficult. There is still a way to search for functions, but decompiling the code is unavailable.

  1. Download the game

    • I will be using Nova Lands: Emilia's Mission

  2. Download and open Il2CppDumper

  3. Select GameAssembly.dll

    • This is found next to the .exe (C:\Program Files (x86)\Steam\steamapps\common\Nova Lands Emilia's Mission)

  4. Select global-metadata.dat

    • This is found in GAMENAME_Data → il2cpp_data → Metadata (C:\Program Files (x86)\Steam\steamapps\common\Nova Lands Emilia's Mission\Nova Lands - Emilia’s Mission_Data\il2cpp_data\Metadata)

  5. Wait for the program to finish creating the DummyDll folder

  6. Use ILSpy on DummyDll → Assembly-CSharp.dll

Tips

  • Functions that haven't been called yet will show up in Memory View as random numbers instead of their address names

    • Ex: mov r11,0000020FF45BF82E call r11

  • Instead of removing functions responsible for many results, write scripts that each target one specific function. This gives more customizability and avoids bugs

    • Ex: Instead of disabling the function that removes resources, separate it into scripts that stop removing resources on build and on craft

  • Functions with IEnumerator in their name are separated into different classes. You need to use Dissect mono and edit the MoveNext function

    • Ex: Craft:NewItem is actually Craft+<NewItem>d__15:MoveNext

  • Ignore classes with System and UnityEngine in ILSpy. You can do a scoped search by right-clicking Assembly-CSharp → Scope search to this assembly

  • Be careful with scripts that affect time. Developers tend to use Coroutines to continue functions after a wait, which spawn a new thread. If you set it to a value of 0, then the original function will finish before the coroutine does, which creates a race condition and stalls the game
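
From the developer's side, the two patch shapes this guide describes (a ret written over a function's first byte, or a jump to newly allocated memory) can be detected by comparing a function's first bytes with a known-good copy. The code below is an added example, not part of the original post; the type and function names and the sample byte strings are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; not from Cheat Engine or Unity. */
typedef enum { PATCH_NONE, PATCH_RET_STUB, PATCH_JMP_HOOK, PATCH_OTHER } patch_kind;

/* Compare the current first bytes of a function with a known-good baseline
 * and classify the difference. len is the number of bytes recorded in
 * both buffers. */
patch_kind classify_prologue(const uint8_t *baseline, const uint8_t *current, size_t len)
{
    if (len == 0 || memcmp(baseline, current, len) == 0)
        return PATCH_NONE;
    if (current[0] != baseline[0]) {
        /* Entry point replaced by an early return: C3 (ret) or C2 iw (ret imm16). */
        if (current[0] == 0xC3 || current[0] == 0xC2)
            return PATCH_RET_STUB;
        /* Entry point redirected: E9 rel32, EB rel8, or FF 25 (jmp [rip+disp32]). */
        if (current[0] == 0xE9 || current[0] == 0xEB)
            return PATCH_JMP_HOOK;
        if (len >= 2 && current[0] == 0xFF && current[1] == 0x25)
            return PATCH_JMP_HOOK;
    }
    return PATCH_OTHER; /* bytes differ, but not in one of the shapes above */
}

/* Constructed sample data: an x86-64 prologue starting with 55 (push rbp). */
static const uint8_t BASELINE[8] = {0x55, 0x48, 0x8B, 0xEC, 0x48, 0x83, 0xEC, 0x30};
static const uint8_t RET_STUB[8] = {0xC3, 0x48, 0x8B, 0xEC, 0x48, 0x83, 0xEC, 0x30};
static const uint8_t JMP_HOOK[8] = {0xE9, 0x10, 0x20, 0x30, 0x40, 0x90, 0x90, 0x90};
static const uint8_t TWEAKED[8]  = {0x55, 0x48, 0x8B, 0xEC, 0x48, 0x83, 0xEC, 0x38};

int main(void)
{
    static const char *names[] = {"none", "ret stub", "jmp hook", "other"};
    const uint8_t *snaps[] = {BASELINE, RET_STUB, JMP_HOOK, TWEAKED};
    for (size_t i = 0; i < sizeof snaps / sizeof snaps[0]; i++)
        printf("snapshot %zu: %s\n", i, names[classify_prologue(BASELINE, snaps[i], 8)]);
    return 0;
}
```

A check like this only covers the bytes that were recorded, so a patch placed deeper in the function body needs a longer window or a hash of the whole function.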

