Ilham 90b1914801 Add overview and how it works section to README
Added detailed overview and explanation of the runtime reconstruction pipeline used by Endfield for IL2CPP metadata.
2026-01-22 10:53:55 +07:00

Overview

Endfield does not load IL2CPP metadata from global-metadata.dat in the standard Unity way.

Instead, it uses a runtime reconstruction pipeline designed to defeat static and file-based dumpers.

How It Works

  • A decoy global-metadata.dat is opened via CreateFile, but its contents are discarded.
  • The real metadata is hidden either:
    • as an embedded resource inside GameAssembly.dll, or
    • as an encrypted slice inside a large game archive.
  • A large buffer is allocated using VirtualAlloc.
  • Encrypted bytes are decrypted / generated at runtime into this buffer.
  • The engine's metadata pointer (s_GlobalMetadata) is manually assigned to this buffer, bypassing Unity's normal file loader.
  • The buffer is finalized with VirtualProtect to prevent modification.

Result

  • No usable metadata exists on disk.
  • Static extraction fails by design.
  • The only correct metadata exists only in memory after initialization.

Why a Runtime Dumper

This project locates that runtime buffer, verifies it via the IL2CPP magic header, and dumps the fully reconstructed metadata.

We're switching to a runtime dumper instead, because it's simpler, more reliable, and honestly because I'm too lazy to hunt down where the encrypted metadata is embedded.
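The magic-header verification mentioned above can be sketched as a standalone check over a byte buffer. This is an added example, not code from this project: the names `CheckMetadataHeader` and `MakeSample` are hypothetical, and the version window and the layout after the magic (a version field followed by offset/size pairs) are assumptions based on Unity's public IL2CPP header format.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Magic ("sanity") value stored little-endian at offset 0 of IL2CPP metadata.
constexpr uint32_t kIl2CppMagic = 0xFAB11BAF;
// Assumption: a loose version window, used only to reject random matches.
constexpr int32_t kMinVersion = 16, kMaxVersion = 64;

enum class MetaCheck { Ok, TooSmall, BadMagic, BadVersion, BadBounds };

// Read a little-endian u32 without relying on alignment or host endianness.
static uint32_t ReadU32(const uint8_t* p) {
    return uint32_t(p[0]) | uint32_t(p[1]) << 8 |
           uint32_t(p[2]) << 16 | uint32_t(p[3]) << 24;
}

// Assumed layout: u32 magic, i32 version, then (offset, size) u32 pairs.
// Only the first three pairs are bounds-checked against the buffer length.
MetaCheck CheckMetadataHeader(const uint8_t* buf, size_t len) {
    constexpr size_t kPairs = 3, kNeeded = 8 + kPairs * 8;
    if (buf == nullptr || len < kNeeded) return MetaCheck::TooSmall;
    if (ReadU32(buf) != kIl2CppMagic) return MetaCheck::BadMagic;
    const int32_t version = int32_t(ReadU32(buf + 4));
    if (version < kMinVersion || version > kMaxVersion) return MetaCheck::BadVersion;
    for (size_t i = 0; i < kPairs; ++i) {
        const uint64_t off = ReadU32(buf + 8 + i * 8);
        const uint64_t size = ReadU32(buf + 12 + i * 8);
        // A section must start past the checked header and end inside the buffer.
        if (off < kNeeded || off + size > len) return MetaCheck::BadBounds;
    }
    return MetaCheck::Ok;
}

// Constructed sample (not real game data); total must be at least 32 bytes.
std::vector<uint8_t> MakeSample(uint32_t magic, int32_t version, size_t total) {
    std::vector<uint8_t> b(total, 0);
    auto put = [&](size_t at, uint32_t v) {
        for (int i = 0; i < 4; ++i) b[at + i] = uint8_t(v >> (8 * i));
    };
    put(0, magic);  put(4, uint32_t(version));
    put(8, 32);     put(12, 16);   // pair 0: bytes [32, 48)
    put(16, 48);    put(20, 16);   // pair 1: bytes [48, 64)
    put(24, 64);    put(28, 32);   // pair 2: bytes [64, 96)
    return b;
}
```

Checking the version and section bounds in addition to the magic reduces false positives when four matching bytes appear by chance in unrelated memory.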

Description
Runtime Endfield Metadata Dumper
Readme 34 KiB
Languages
C++ 100%