Add overview and how it works section to README
Added detailed overview and explanation of the runtime reconstruction pipeline used by Endfield for IL2CPP metadata.
This commit is contained in:
Ilham
28
README.md
Normal file
28
README.md
Normal file
@@ -0,0 +1,28 @@
|
||||
## Overview
|
||||
|
||||
Endfield does **not** load IL2CPP metadata from `global-metadata.dat` in the standard Unity way.
|
||||
|
||||
Instead, it uses a **runtime reconstruction pipeline** designed to defeat static and file-based dumpers.
|
||||
|
||||
## How It Works
|
||||
|
||||
- A **decoy `global-metadata.dat`** is opened via `CreateFile`, but its contents are discarded.
|
||||
- The **real metadata is hidden** either:
|
||||
- as an embedded resource inside `GameAssembly.dll`, or
|
||||
- as an encrypted slice inside a large game archive.
|
||||
- A large buffer is allocated using `VirtualAlloc`.
|
||||
- Encrypted bytes are **decrypted / generated at runtime** into this buffer.
|
||||
- The engine’s metadata pointer (`s_GlobalMetadata`) is **manually assigned** to this buffer, bypassing Unity’s normal file loader.
|
||||
- The buffer is finalized with `VirtualProtect` to prevent modification.
|
||||
|
||||
## Result
|
||||
|
||||
- No usable metadata exists on disk.
|
||||
- Static extraction fails by design.
|
||||
- The only correct metadata exists **only in memory after initialization**.
|
||||
|
||||
## Why a Runtime Dumper
|
||||
|
||||
This project locates that runtime buffer, verifies it via the IL2CPP magic header, and dumps the fully reconstructed metadata.
|
||||
|
||||
We’re switching to a **runtime dumper** instead, because it’s simpler, more reliable, and honestly because I’m too lazy to hunt down where the encrypted metadata is embedded.
|
||||
Reference in New Issue
Block a user