90b1914801
Added detailed overview and explanation of the runtime reconstruction pipeline used by Endfield for IL2CPP metadata.
1.3 KiB
1.3 KiB
Overview
Endfield does not load IL2CPP metadata from global-metadata.dat in the standard Unity way.
Instead, it uses a runtime reconstruction pipeline designed to defeat static and file-based dumpers.
How It Works
- A decoy
global-metadata.datis opened viaCreateFile, but its contents are discarded. - The real metadata is hidden either:
- as an embedded resource inside
GameAssembly.dll, or - as an encrypted slice inside a large game archive.
- as an embedded resource inside
- A large buffer is allocated using
VirtualAlloc. - Encrypted bytes are decrypted / generated at runtime into this buffer.
- The engine’s metadata pointer (
s_GlobalMetadata) is manually assigned to this buffer, bypassing Unity’s normal file loader. - The buffer is finalized with
VirtualProtectto prevent modification.
Result
- No usable metadata exists on disk.
- Static extraction fails by design.
- The only correct metadata exists only in memory after initialization.
Why a Runtime Dumper
This project locates that runtime buffer, verifies it via the IL2CPP magic header, and dumps the fully reconstructed metadata.
We’re switching to a runtime dumper instead, because it’s simpler, more reliable, and honestly because I’m too lazy to hunt down where the encrypted metadata is embedded.