In order to use Il2CppDumper we first need to dump the libil2cpp.so shared object out of memory using GameGuardian. Simply install GameGuardian and run it.
<img src="https://imgur.com/TeKK7xv.png"/>
After starting GameGuardian, go into the game and open the GameGuardian menu. Then go to the following tab and click the following button:
<img src="https://imgur.com/NC0vyq7.png"/>
After that, click the following button (do not change any values!):
<img src="https://imgur.com/qkGIZvK.png"/>
Now that we have dumped all of the game's memory to disk, we are going to transfer those files to your computer. If you are using LDPlayer, copy the dump folder into your `Pictures` folder.
<img src="https://imgur.com/KJLW9i5.png"/>
After the dump folder has been moved to the `Pictures` folder, simply click the following button to view the files on your PC:
Now that we have the dump files, we need to cut the desired shared object file out of the `.bin` memory range that contains it.
As you can see, the dump generates a text file that lists all of the memory ranges along with the lib names.
<img src="https://imgur.com/loFpzH1.png"/>
Now find the `.bin` that contains your ENTIRE `.so` memory range, not just one of the ranges. For this dump the range is `92154000` - `98495000`. In the dump folder we can see a `.bin` that contains this memory range.
<img src="https://imgur.com/L8pR07E.png"/>
Open the `.bin` in HxD and search for "ELF". If you scroll down to the bottom you will see an ELF header! This is the header for the il2cpp.so. Now calculate the size of the `.so` by subtracting the start address from the end address (`0x98495000` - `0x92154000` = `0x6341000`).
<img src="https://imgur.com/FWhDB73.png"/>
Now that we have the memory selected, click File->New, then paste and save as `il2cpp.so`.
Now that we have the dumped `il2cpp.so` and `global-metadata.dat`, we can run il2cppdumper.exe, which will generate a few files for us inside the `output` folder.
You will be asked to provide the base address of the dump. Simply add the base address of the dump.bin and the offset into the dump file itself; this will give you the address in memory of where the `.so` was when we dumped it (this is called a linear virtual address).
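
The size and base-address arithmetic from the HxD steps above can also be scripted. This is an added example, not part of the original guide or of Il2CppDumper; the function names, `dump_base` (the address of the first byte of the `.bin`) and the sample bytes are assumptions constructed for illustration.

```python
ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF file


def so_size(start: int, end: int) -> int:
    """Size of the mapped library: end address minus start address."""
    if end <= start:
        raise ValueError("end address must be above the start address")
    return end - start


def carve_so(dump: bytes, dump_base: int, so_start: int, so_end: int):
    """Cut the library out of a dump whose first byte was at dump_base.

    so_start/so_end are the library's range from the dump's text file.
    Returns (offset_in_dump, address_in_memory, image_bytes).
    """
    size = so_size(so_start, so_end)
    pos = dump.find(ELF_MAGIC)
    while pos != -1:
        # base address of the .bin + offset into the file = address in memory
        if dump_base + pos == so_start:
            break
        pos = dump.find(ELF_MAGIC, pos + 1)  # other ELF headers may be in the dump
    if pos == -1:
        raise ValueError("no ELF header at the library's start address")
    if pos + size > len(dump):
        raise ValueError("this .bin does not contain the ENTIRE .so range")
    return pos, dump_base + pos, dump[pos:pos + size]


def demo():
    # Constructed sample, not real game memory: a stray ELF magic at 0x10,
    # then a fake 0x100-byte "library" at offset 0x40, then trailing bytes.
    dump_base = 0x70000000                      # constructed address
    so_start, so_end = 0x70000040, 0x70000140   # constructed range
    dump = (b"\xAA" * 0x10 + ELF_MAGIC + b"\xAA" * 0x2C
            + ELF_MAGIC + b"\x01" * 0xFC + b"\xBB" * 0x20)
    return carve_so(dump, dump_base, so_start, so_end)


if __name__ == "__main__":
    off, addr, image = demo()
    print(f"offset {off:#x}, address in memory {addr:#x}, size {len(image):#x}")
    print(f"size for this article's range: {so_size(0x92154000, 0x98495000):#x}")
```

The address check skips any ELF header in the `.bin` that does not sit at the library's start address, and the length check fails early when the chosen `.bin` holds only part of the range.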