rev-u3d-dump
Dump Unity IL2CPP symbols from iOS/Android builds. Extract method names, addresses, and type info from IL2CPP binaries and global-metadata.dat, then generate IDA/Ghidra import scripts.
| name | rev-u3d-dump |
| description | Dump Unity IL2CPP symbols from iOS/Android builds. Extract method names, addresses, and type info from IL2CPP binaries and global-metadata.dat, then generate IDA/Ghidra import scripts. |
Extract C# method names, addresses, and type definitions from Unity IL2CPP builds for IDA/Ghidra analysis.
Unity IL2CPP compiles C# to native code. The original class/method names are stripped from the binary but preserved in global-metadata.dat. This skill recovers the mapping between native function addresses and their original C# names.
| File | Location | Purpose |
|---|---|---|
| Native binary | iOS: Frameworks/UnityFramework.framework/UnityFramework; Android: lib/{arch}/libil2cpp.so | Compiled C# code (Mach-O / ELF) |
| Metadata | Data/Managed/Metadata/global-metadata.dat | All type/method/string info |
Use the v39 fork for Unity 6+ builds:
- https://github.com/roytu/Il2CppDumper (branch: v39)
- script.json with function addresses — ready for IDA/Ghidra import

The original Il2CppDumper (https://github.com/Perfare/Il2CppDumper) only supports up to v29.

- https://github.com/SamboyCoding/Cpp2IL
- [Address] attributes

iOS (IPA):
```bash
# Unzip IPA
unzip -o app.ipa -d .
# Binary
BINARY="Payload/<AppName>.app/Frameworks/UnityFramework.framework/UnityFramework"
# Metadata
METADATA="Payload/<AppName>.app/Data/Managed/Metadata/global-metadata.dat"
```
Android (APK):
```bash
# Unzip APK
unzip -o app.apk -d .
# Binary (pick target arch)
BINARY="lib/arm64-v8a/libil2cpp.so"
# Metadata
METADATA="assets/bin/Data/Managed/Metadata/global-metadata.dat"
```
```bash
# First 8 bytes: magic (4) + version (4), little-endian
xxd -l 8 "$METADATA"
# Expected: af1b b1fa 2700 0000 → magic OK, version = 0x27 = 39
```
| Version | Unity | Tool |
|---|---|---|
| ≤ 29 | Unity 2021 and earlier | Original Il2CppDumper |
| 31 | Unity 2022 | Original Il2CppDumper (partial) |
| 39 | Unity 6 (6000.x) | roytu/Il2CppDumper v39 fork |
```bash
# Clone v39 fork
git clone -b v39 https://github.com/roytu/Il2CppDumper.git
# Build
cd Il2CppDumper
DOTNET_ROLL_FORWARD=LatestMajor dotnet build -c Release
# Run (use net8.0 framework)
DOTNET_ROLL_FORWARD=LatestMajor dotnet run \
  --project Il2CppDumper/Il2CppDumper.csproj \
  -c Release --framework net8.0 \
  -- "$BINARY" "$METADATA" output_dir
```
Notes:
- DOTNET_ROLL_FORWARD=LatestMajor allows running on .NET 9/10 even though the project targets .NET 6/8
- Console.ReadKey() at the end)
- codesign -s - <binary>

Successful run produces these files in the output directory:
| File | Size (typical) | Purpose |
|---|---|---|
| script.json | 50–100 MB | Function addresses + names + signatures (IDA/Ghidra import) |
| dump.cs | 10–30 MB | C# class dump with RVA/VA addresses |
| il2cpp.h | 50–100 MB | C struct definitions for type import |
| ida_py3.py | ~2 KB | IDA Python import script |
Check script.json format:
```json
{
  "ScriptMethod": [
    {
      "Address": 40865744,
      "Name": "ClassName$$MethodName",
      "Signature": "ReturnType ClassName__MethodName (args...);",
      "TypeSignature": "viii"
    }
  ]
}
```
Check dump.cs format:
```csharp
// RVA: 0x1A2B3C4 Offset: 0x1A2B3C4 VA: 0x1A2B3C4
public void MethodName() { }
```
- script.json and ida_py3.py in the same directory
- File → Script file... → select ida_py3.py
- script.json and renames all functions automatically
- File → Load file → Parse C header file... → select il2cpp.h for struct types

- ghidra.py or ghidra_with_struct.py script from Il2CppDumper
- Window → Script Manager → Run with script.json in the same directory

| Error | Cause | Fix |
|---|---|---|
| not a supported version[39] | Using original Il2CppDumper | Switch to roytu/Il2CppDumper v39 fork |
| Exit code 137 (SIGKILL) | macOS unsigned binary | codesign -s - <binary> |
| Cannot read keys (exit 134) | Non-interactive console | Ignore — dump completed successfully |
| DOTNET_ROLL_FORWARD error | .NET version mismatch | Set DOTNET_ROLL_FORWARD=LatestMajor |
| Empty output | Wrong binary/metadata pair | Verify both files are from the same build |
- dump.cs is the quickest reference — search for class/method names with RVA addresses
- script.json Address values are decimal — convert to hex for IDA: hex(40865744) → 0x26F8FD0
- dump.cs (e.g., // 0x20) are relative to object base, useful for memory inspection with Frida
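
The decimal Address values and Class$$Method names in script.json can also be used outside IDA, for example to resolve an address from a crash log back to its C# method. The Python below is an added example, not part of Il2CppDumper or this skill; the sample JSON is constructed, and it assumes an address belongs to the nearest function start at or below it, because script.json carries no function sizes.

```python
import bisect
import json

# Constructed sample in the script.json layout shown above (not real game data).
SAMPLE_SCRIPT_JSON = """
{"ScriptMethod": [
  {"Address": 40866000, "Name": "ClassName$$OtherMethod",
   "Signature": "void ClassName__OtherMethod (args...);", "TypeSignature": "vi"},
  {"Address": 40865744, "Name": "ClassName$$MethodName",
   "Signature": "ReturnType ClassName__MethodName (args...);", "TypeSignature": "viii"},
  {"Address": 40865744, "Name": "ClassName$$MethodName",
   "Signature": "duplicate entry", "TypeSignature": "viii"},
  {"Address": "not-a-number", "Name": "Broken$$Entry"}
]}
"""


def load_methods(text):
    """Return [(address, class_name, method_name)] sorted by address."""
    seen = {}
    for entry in json.loads(text).get("ScriptMethod", []):
        addr, name = entry.get("Address"), entry.get("Name")
        if not isinstance(addr, int) or not isinstance(name, str):
            continue  # skip malformed records instead of failing the whole load
        cls, _, method = name.rpartition("$$")  # "Class$$Method" naming from the page
        seen.setdefault(addr, (addr, cls, method))  # duplicate address: keep first name
    return sorted(seen.values())


def symbolize(methods, address):
    """Resolve an address to 'Class$$Method+0xoff', or None if below every start.

    Assumption: the owning function is the nearest start <= address.
    """
    starts = [m[0] for m in methods]
    i = bisect.bisect_right(starts, address) - 1
    if i < 0:
        return None
    start, cls, method = methods[i]
    label = f"{cls}$${method}" if cls else method
    return f"{label}+{address - start:#x}"


if __name__ == "__main__":
    table = load_methods(SAMPLE_SCRIPT_JSON)
    for start, cls, method in table:
        print(f"{start:#x}  {cls}$${method}")  # hex form, as IDA displays addresses
    print(symbolize(table, 40865744 + 0x20))
```
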