A Rust-based DLL loader and in-process trainer for a Unity 6000.3 IL2CPP target, built as a reverse-engineering exercise. Released for research and educational purposes.
This project is not affiliated with, endorsed by, or sponsored by the developers, publisher, or distributor of the target application. All trademarks belong to their respective owners.
A standalone winhttp.dll shim that uses the Windows DLL search-order to load itself into the target process, resolves the IL2CPP runtime by GetProcAddress, attaches to the managed domain, and drives the game's own functions directly. There is no signature scanning, no managed-runtime hosting, and no external framework — the loader is a single Rust cdylib.
Implemented as an exercise in:
- Unity / IL2CPP runtime introspection via the `il2cpp_*` C exports.
- DLL search-order hijacking and import forwarding (the shim re-exports the four `WinHttp*` symbols UnityPlayer needs).
- DirectX 11 swap-chain hooking for an in-process ImGui overlay (via `hudhook`).
- Direct field reads/writes against IL2CPP class layouts (`Vector3`, `List<T>` `_items`/`_size`, etc.).
- Method invocation through `il2cpp_runtime_invoke` for UI button callbacks.
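A defender-side check for the loading technique listed above, added here as an example and not part of this project: it flags a module whose file name matches a hijackable system DLL (winhttp.dll, as used by this shim) but which was loaded from outside the Windows system directories. The module listing, paths and watchlist are constructed for illustration; a real listing would come from a debugger, EDR telemetry or a module-enumeration API.

```rust
// Added example, not part of this project: detect a system DLL name that was
// satisfied from the application directory instead of System32/SysWOW64.
// Pure string logic over a constructed module list, so it runs without Windows.

/// One entry of a process module listing (full on-disk path).
#[derive(Debug, Clone, PartialEq)]
pub struct LoadedModule {
    pub path: String,
}

/// Directories a system DLL is expected to load from. Windows paths compare
/// case-insensitively, so everything is lower-cased and backslash-normalised first.
const SYSTEM_DIRS: &[&str] = &["c:\\windows\\system32\\", "c:\\windows\\syswow64\\"];

fn normalise(path: &str) -> String {
    path.replace('/', "\\").to_ascii_lowercase()
}

/// File name component of a normalised path ("c:\\x\\winhttp.dll" -> "winhttp.dll").
fn file_name(norm: &str) -> &str {
    norm.rsplit('\\').next().unwrap_or(norm)
}

/// True when the module's name is on the watchlist but it did not load from a
/// system directory, i.e. the import was resolved to a copy in the app directory.
pub fn is_search_order_hijack(module: &LoadedModule, watchlist: &[&str]) -> bool {
    let norm = normalise(&module.path);
    let watched = watchlist.iter().any(|w| w.eq_ignore_ascii_case(file_name(&norm)));
    watched && !SYSTEM_DIRS.iter().any(|d| norm.starts_with(d))
}

/// Runs the check over a listing and returns the suspicious entries.
pub fn find_hijacked(modules: &[LoadedModule], watchlist: &[&str]) -> Vec<LoadedModule> {
    modules.iter().filter(|m| is_search_order_hijack(m, watchlist)).cloned().collect()
}

/// Constructed sample listing: the shim in the game directory plus the real
/// winhttp.dll it forwards to, which is why both copies appear in the process.
pub fn sample_modules() -> Vec<LoadedModule> {
    ["C:\\Games\\Example\\winhttp.dll",
     "C:\\Windows\\System32\\winhttp.dll",
     "C:\\Games\\Example\\UnityPlayer.dll",
     "C:\\Windows\\System32\\kernel32.dll"]
        .iter().map(|p| LoadedModule { path: p.to_string() }).collect()
}

fn main() {
    for m in find_hijacked(&sample_modules(), &["winhttp.dll"]) {
        println!("suspicious: {} loaded outside the system directories", m.path);
    }
}
```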
Requirements:
- Rust toolchain (stable, with the `x86_64-pc-windows-msvc` target).
- Windows 10/11 x64.
```sh
cd loader
cargo build --release
```
The output is loader/target/release/winhttp.dll.
There is a one-shot iteration script at run.ps1 that builds the loader, copies the DLL into the target's install directory, and tails the in-game log. Edit the $gameDir and $AppId variables at the top to match your setup.
```powershell
.\run.ps1
```
The shim reads/writes a plain-text config file (ConquestDarkTrainer.cfg) and writes a log file (ConquestDarkTrainer.log) next to the target executable.
The first iteration of this project used a popular IL2CPP plugin framework. Every launch crashed during the first scene transition — its bundled signature-scanner could not find the real il2cpp_class_init in this Unity build and installed a fallback shim that corrupted runtime state. Replacing the framework with a 16-export GetProcAddress lookup in a tiny Rust shim sidesteps the signature-scanning path entirely and is stable across launches.
```
loader/
  Cargo.toml
  src/
    lib.rs       DLL entry point, winhttp forwarders, bot loop
    il2cpp.rs    Typed wrappers around the il2cpp_* runtime exports
    hook.rs      MinHook-based detour onto Update for main-thread dispatch
    overlay.rs   DX11 swap-chain hook + ImGui overlay
    config.rs    INI-style config parser (no external deps)
run.ps1          Build / deploy / launch / tail helper
```
This software is provided "as-is" for research and educational purposes only. Modifying a running process can violate the terms of service of the target application. You are solely responsible for how you use this code. Do not use it on multiplayer or competitive titles. The author assumes no liability for any consequence arising from the use of this software.
MIT — see LICENSE.