MetadataDumper/README.md
Ilham 90b1914801 Add overview and how it works section to README
Added detailed overview and explanation of the runtime reconstruction pipeline used by Endfield for IL2CPP metadata.
2026-01-22 10:53:55 +07:00

## Overview
Endfield does **not** load IL2CPP metadata from `global-metadata.dat` in the standard Unity way.
Instead, it uses a **runtime reconstruction pipeline** designed to defeat static and file-based dumpers.
## How It Works
- A **decoy `global-metadata.dat`** is opened via `CreateFile`, but its contents are discarded.
- The **real metadata is hidden** either:
  - as an embedded resource inside `GameAssembly.dll`, or
  - as an encrypted slice inside a large game archive.
- A large buffer is allocated using `VirtualAlloc`.
- Encrypted bytes are **decrypted / generated at runtime** into this buffer.
- The engine's metadata pointer (`s_GlobalMetadata`) is **manually assigned** to this buffer, bypassing Unity's normal file loader.
- The buffer is finalized with `VirtualProtect` to prevent modification.
## Result
- No usable metadata exists on disk.
- Static extraction fails by design.
- The only correct metadata exists **only in memory after initialization**.
## Why a Runtime Dumper
This project locates that runtime buffer, verifies it via the IL2CPP magic header, and dumps the fully reconstructed metadata.
We're switching to a **runtime dumper** instead, because it's simpler, more reliable, and honestly because I'm too lazy to hunt down where the encrypted metadata is embedded.
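The magic-header verification mentioned above can be sketched as follows. This is an added example, not code from this project: the function names, the loose version bound, and the sample buffers are assumptions, and it presumes the classic IL2CPP header layout (32-bit sanity value, 32-bit version, then 32-bit offset/size pairs).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IL2CPP_METADATA_MAGIC 0xFAB11BAFu /* stored little-endian: AF 1B B1 FA */

enum meta_check { META_OK = 0, META_TOO_SHORT, META_BAD_MAGIC, META_BAD_VERSION, META_BAD_RANGE };

/* Read a little-endian 32-bit value without alignment assumptions. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Validate a candidate buffer: magic, a loose version bound (assumption),
 * and that the first offset/size pair after the version stays in bounds. */
enum meta_check check_metadata(const uint8_t *buf, size_t len) {
    if (len < 16) return META_TOO_SHORT;
    if (rd32(buf) != IL2CPP_METADATA_MAGIC) return META_BAD_MAGIC;
    uint32_t version = rd32(buf + 4);
    if (version == 0 || version > 64) return META_BAD_VERSION;
    uint64_t off = rd32(buf + 8), size = rd32(buf + 12); /* 64-bit sum cannot wrap */
    if (off < 16 || off + size > len) return META_BAD_RANGE;
    return META_OK;
}

static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Build a constructed sample header (not real game data); len must be >= 16. */
void make_sample(uint8_t *buf, size_t len, uint32_t magic, uint32_t ver, uint32_t off, uint32_t size) {
    memset(buf, 0, len);
    wr32(buf, magic); wr32(buf + 4, ver); wr32(buf + 8, off); wr32(buf + 12, size);
}

int main(void) {
    uint8_t b[64];
    make_sample(b, sizeof b, IL2CPP_METADATA_MAGIC, 29, 32, 16); /* plausible header */
    printf("plausible: %d\n", check_metadata(b, sizeof b));
    make_sample(b, sizeof b, 0, 0, 0, 0);                        /* decoy-like zeros */
    printf("decoy:     %d\n", check_metadata(b, sizeof b));
    make_sample(b, sizeof b, IL2CPP_METADATA_MAGIC, 29, 32, 4096); /* section past end */
    printf("truncated: %d\n", check_metadata(b, sizeof b));
    return 0;
}
```

Checking the first section range in addition to the magic filters out buffers that merely contain the four magic bytes or that were captured before the buffer was fully populated.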