How to Hack Unity Games using Mono Injection Tutorial

https://guidedhacking.com/threads/how-to-hack-unity-games-using-mono-injection-tutorial.11674/

Unity Game Hacking Guide & Tutorials

Hacking Unity Games is different than native games. Any game that uses a modern game engine requires a special approach and Unity games are no exception.

In a regular native game you can typically find pointers and offsets and use them easily. The way memory is mapped and the executable is loaded into memory is predictable and follows the same pattern every time, it's just how the PE file format and the Windows loader works. But game engines are large infrastructures that load and run the game logic that the developers of the actual game create. They have their own methods of loading dynamic code and data. Game engines add another layer of abstraction and often utilize alot of inheritance, overloading and polymorphism which makes reversing them more difficult.

First thing you will notice is that it is hard to find pointers that work after you restart the game in Unity games. For that reason pattern scanning and hooking is typically easier. I don't recommend trying to go after multilevel pointers in most Unity games.

Second thing you will see is that Unity games code is located in an Assembly-CSharp.dll module and not in the main EXE. What's good about this is you can easily de-compile and modify this file using dnSpywhich is a .NET de-compiler/debugger.

If you're thinking of using the native route of hacking and not using mono injection please view this thread to understand how much work it is. Thanks @Boboo99 for providing a ton of information on reversing this game

Static Analysis
You can statically analyze the game code using a .NET decompiler. You will see the structures and the functions. Keep in mind all the game engine code won't be in there, it's just the game logic. Not all the functions and structs the game uses will be in the Assembly-CSharp.dll. Sometimes it will include all the names of the structures, variables and functions. Other times the developer will strip these out or obfuscate it. Even with the names stripped, it is easy to reverse engineer functions like this.

L2CPP Compilation
Some games are using IL2CPP which compiles the game code to C++ then to assembly, which makes decompiling with dnSpy and mono injection impossible. This is more efficient and makes hacking the games more difficult so we are seeing more and more games use it.

If your game is using IL2CPP skip this tutorial and just use native game hacking methods is probably best. But here is a IL2CPPDumper as well:

Cheat Engine Mono Dissector
Cheat Engine has basic features to view Unity game data as well. We don't have tutorials for it but @ChrisFayte has a bunch:

SPOILER

Here's some mono tutorials from @DSASMBLR

SPOILER

Editing Assembly-CSharp.dll
If the game doesn't have integrity checks, and especially for single player games you can simple modify the Assembly-cSharp.dll using a decompiler and save it. If the game has integrity checks, which most good multiplayer games will, this will not work.

Mono Injection - the best way to hack unity games
Mono injection is a technique of writing your own C# assembly and injecting it into the game engine, you essentially override game functions with your own functions. It has the same effect as hooking a function basically, you run your code and the games original code. It is pretty easy to do.

Here is an excellent mono injection tutorial by @Truth
https://guidedhacking.com/threads/how-to-hack-unity-games-using-mono-injection-tutorial.11674/

Hello all
Here is my first tutorial I hope it is useful! Any reasonable questions are welcome!

First create a new project and in the Visual C# menu click on Class Library (.NET Framework) call it what you want. I just did "Darkwood_Hack"

which Then becomes our Namespace by default which is important but you can change it later if you want but you will need it for the injector.
Then we want to add references. So to the right in the solution explorer right click references and click add reference.

Browse to your games managed folder where Assembly-CSharp.dll is and you will want to add that as well as UnityEngine.dll
which should also be in that folder once done we can start the haxor codes.

Rename Class1.cs to Loader.cs
This class is what injectors use to initialize our hack 
The code for this is pretty simple and any google search would land you to what I'm going to show here so I take no credit for this code

using UnityEngine
namespace Gamename_Hack
{
    public class Loader
    {
        public static void Init()
        {
            _Load = new GameObject();
            _Load.AddComponent<Main>();
            GameObject.DontDestroyOnLoad(_Load);
        }
        public static void Unload()
        {
            _Unload();
        }
        private static void _Unload()
        {
            GameObject.Destroy(_Load);
        }
        private GameObject _gameObject;
    }
}

Once our injector has injected our DLL it uses the namespace class and method you define to run our DLL code
So in our Example here we would say
Gamename_Hack
Loader
Init

And the injector calls our Init function which if you know about Unity this is just creating a new GameObject adding our "main" cs file as a component which will contain our hacks.
I would suggest if you are interested to go read up on some Unity tutorials and it will teach you how it works as they will do a much better job that I will 

So next is the best part! actually learning how the game works and creating our hack!

Create a new file named Main.cs (can be what ever you want)

And it will look something like this

using UnityEngine
namespace Gamename_Hack
{
    class Main : MonoBehaviour
    {
        public void Start()
        {
        }
        public void Update()
        {
        }
        public void OnGUI()
        {
            // Here you can call IMGUI functions of Unity to build your UI for the hack :)
        }
    }
}

Open the Assembly-CSharp.dll in game spy or what ever disassembler you use. it will look like this.
Now in the {} section I found my Player class.

For my example I'm going to call the upgradeHealth() function 
so let's do that first we want to get the player using FindObjectOfType<Player>

I also added some GUI code so if you just want to inject and test everything is working that text should pop up on screen 
The finished code may look like this 

using UnityEngine
namespace Gamename_Hack
{
    class Main : MonoBehaviour
    {
        public void Start()
        {
             _Player = FindObjectOfType<Player>();
        }
        public void Update()
        {
            if(Input.GetKeyDown(KeyCode.U))
            {
                _player.upgradeHealth();
            }

            if(Input.GetKeyDown(KeyCode.Delete)) // Will just unload our DLL
            {
                Loader.Unload();
            }

        }
        public void OnGUI()
        {
            GUI.Label(new Rect(Screen.width / , Screen.height / , 150f, 50f), "GAME INJECTED"); // Should work and when injected you will see this text in the middle of the screen
        }
        private Player _player;
    }
}

You may need to open up properties in the solution explorer above references and edit AssemblyInfo.cs if when you unload the DLL and and re-inject it does not run updated code
This is because Unity can Cache your DLL once injected and even when re-injecting it will still load the old code. So to fix this we edit the line at the bottom to this:

Now you can compile your DLL and Inject it into the game and test it!
You can use the Guided Hacking Mono-Injector or what ever mono-injector you want.

I hope this is useful and you learned something from it 

As this is my first tutorial any feedback on the structure of it or any tips you may have would be awesome!