From 90b1914801d5918f54781626ecce9393cedad9cb Mon Sep 17 00:00:00 2001 From: Ilham <96643975+Failzuma@users.noreply.github.com> Date: Thu, 22 Jan 2026 10:53:55 +0700 Subject: [PATCH] Add overview and how it works section to README Added detailed overview and explanation of the runtime reconstruction pipeline used by Endfield for IL2CPP metadata. --- README.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..ec93f7d --- /dev/null +++ b/README.md @@ -0,0 +1,28 @@ +## Overview + +Endfield does **not** load IL2CPP metadata from `global-metadata.dat` in the standard Unity way. + +Instead, it uses a **runtime reconstruction pipeline** designed to defeat static and file-based dumpers. + +## How It Works + +- A **decoy `global-metadata.dat`** is opened via `CreateFile`, but its contents are discarded. +- The **real metadata is hidden** either: + - as an embedded resource inside `GameAssembly.dll`, or + - as an encrypted slice inside a large game archive. +- A large buffer is allocated using `VirtualAlloc`. +- Encrypted bytes are **decrypted / generated at runtime** into this buffer. +- The engine’s metadata pointer (`s_GlobalMetadata`) is **manually assigned** to this buffer, bypassing Unity’s normal file loader. +- The buffer is finalized with `VirtualProtect` to prevent modification. + +## Result + +- No usable metadata exists on disk. +- Static extraction fails by design. +- The only correct metadata exists **only in memory after initialization**. + +## Why a Runtime Dumper + +This project locates that runtime buffer, verifies it via the IL2CPP magic header, and dumps the fully reconstructed metadata. + +We’re switching to a **runtime dumper** instead, because it’s simpler, more reliable, and honestly because I’m too lazy to hunt down where the encrypted metadata is embedded.
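Review bot: in the "Why a Runtime Dumper" section, "We're switching to a **runtime dumper** instead" refers to a previous approach the README never names, so a first-time reader has nothing to compare it with; either drop "instead" or add one line saying what was tried before (the "Result" section already explains why static, file-based extraction fails, so a single sentence such as "Static dumpers that parse `global-metadata.dat` only see the decoy" would close the gap). Two smaller wording points in the same hunk: "The buffer is finalized with `VirtualProtect` to prevent modification" overstates what a page-protection change does (it marks the pages read-only for the process; it does not stop anything that can call `VirtualProtect` again), so "marked read-only with `VirtualProtect`" is more accurate; and "The only correct metadata exists **only** in memory" repeats "only". Finally, since the "How It Works" section says the real metadata lives "either" as an embedded resource in `GameAssembly.dll` "or" as an encrypted slice in an archive, it would help to state that the dumper does not need to know which, because it reads the finished buffer that `s_GlobalMetadata` points to after initialization; that is the actual justification for a runtime dumper and it is currently only implied.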