Rev U3d Dump

Name: Rev U3d Dump
Author: p4nda0s

p4nda0s/reverse-skills

Recover Unity IL2CPP C# symbol names and addresses from shipped iOS or Android builds for IDA or Ghidra analysis.

Install

npx skills add https://github.com/p4nda0s/reverse-skills --skill rev-u3d-dump

What is this skill?

Maps stripped native IL2CPP code to original C# method names using global-metadata.dat
Documents iOS UnityFramework and Android libil2cpp.so paths plus metadata location
Recommends Il2CppDumper v39 fork for metadata v24–v39 and Unity 6+
Notes Cpp2IL as an alternative when dummy DLLs lack Address attributes
Outputs script.json-style artifacts for IDA and Ghidra import scripts

Adoption & trust: 596 installs on skills.sh; 1.3k GitHub stars; 0/3 security scanners passed (skills.sh audits).

Recommended Skills

Game Enginegithub/awesome-copilot

Game Engine is a 2D maze game template modeled on MDN Phaser device-orientation tutorials and the Cyber Orb demo. Solo b…10.2k installs·34.6k stars

Godot Gdscript Patternswshobson/agents

Godot GDScript Patterns is an agent skill aimed at solo indie game developers who need production-shaped Godot 4 code in…9.8k installs·36.5k stars

Unity Ecs Patternswshobson/agents

Unity ECS Patterns is an agent skill that teaches data-oriented game architecture for solo and indie builders shipping p…7.7k installs·36.5k stars

Game Developerjeffallan/claude-skills

Game Developer is an agent skill that teaches solo and indie builders a clean Entity Component System layout in C#, the …3k installs·9.7k stars

Game Developmentsickn33/antigravity-awesome-skills

Game-development is an orchestrator agent skill for solo and indie builders who are starting or restructuring a game pro…2.7k installs·40.1k stars

Unity Developerrmyndharis/antigravity-skills

unity-developer is an agent skill that positions your coding agent as a Unity 6 LTS specialist focused on high-performan…1.9k installs·815 stars

Journey fit

Primary fit

Canonical shelf is Ship because the workflow targets binaries and metadata from already-built Unity player packages, not live app authoring. Security subphase fits reverse-engineering and binary inspection of distributed game builds rather than day-to-day gameplay coding.

Common Questions / FAQ

Is Rev U3d Dump safe to install?

skills.sh reports 0 of 3 security scanners passed. Review the Security Audits panel on this page before installing in production.

SKILL.md

READMESKILL.md - Rev U3d Dump

# rev-u3d-dump - Unity IL2CPP Symbol Dumper

Extract C# method names, addresses, and type definitions from Unity IL2CPP builds for IDA/Ghidra analysis.

---

## Overview

Unity IL2CPP compiles C# to native code. The original class/method names are stripped from the binary but preserved in `global-metadata.dat`. This skill recovers the mapping between native function addresses and their original C# names.

### Key Files in Unity Build

| File | Location | Purpose |
|------|----------|---------|
| Native binary | iOS: `Frameworks/UnityFramework.framework/UnityFramework`<br>Android: `lib/{arch}/libil2cpp.so` | Compiled C# code (Mach-O / ELF) |
| Metadata | `Data/Managed/Metadata/global-metadata.dat` | All type/method/string info |

---

## Tool Selection

### Il2CppDumper (recommended for metadata v39+)

Use the **v39 fork** for Unity 6+ builds:

- Repo: `https://github.com/roytu/Il2CppDumper` (branch: `v39`)
- Supports metadata v24–v39
- Outputs `script.json` with function addresses — ready for IDA/Ghidra import

The original Il2CppDumper (`https://github.com/Perfare/Il2CppDumper`) only supports up to v29.

### Cpp2IL (alternative)

- Repo: `https://github.com/SamboyCoding/Cpp2IL`
- Supports metadata v39, but dummy DLLs lack `[Address]` attributes
- Useful for C# source reconstruction, not ideal for IDA import

---

## Step-by-Step Workflow

### Step 1: Locate IL2CPP Files

**iOS (IPA):**
```bash
# Unzip IPA
unzip -o app.ipa -d .

# Binary
BINARY="Payload/<AppName>.app/Frameworks/UnityFramework.framework/UnityFramework"

# Metadata
METADATA="Payload/<AppName>.app/Data/Managed/Metadata/global-metadata.dat"
```

**Android (APK):**
```bash
# Unzip APK
unzip -o app.apk -d .

# Binary (pick target arch)
BINARY="lib/arm64-v8a/libil2cpp.so"

# Metadata
METADATA="assets/bin/Data/Managed/Metadata/global-metadata.dat"
```

### Step 2: Check Metadata Version

```bash
# First 8 bytes: magic (4) + version (4), little-endian
xxd -l 8 "$METADATA"
# Expected: af1b b1fa 2700 0000  → magic OK, version = 0x27 = 39
```

| Version | Unity | Tool |
|---------|-------|------|
| ≤ 29 | Unity 2021 and earlier | Original Il2CppDumper |
| 31 | Unity 2022 | Original Il2CppDumper (partial) |
| 39 | Unity 6 (6000.x) | **roytu/Il2CppDumper v39 fork** |

### Step 3: Build & Run Il2CppDumper (v39 fork)

```bash
# Clone v39 fork
git clone -b v39 https://github.com/roytu/Il2CppDumper.git

# Build
cd Il2CppDumper
DOTNET_ROLL_FORWARD=LatestMajor dotnet build -c Release

# Run (use net8.0 framework)
DOTNET_ROLL_FORWARD=LatestMajor dotnet run \
  --project Il2CppDumper/Il2CppDumper.csproj \
  -c Release --framework net8.0 \
  -- "$BINARY" "$METADATA" output_dir
```

**Notes:**
- `DOTNET_ROLL_FORWARD=LatestMajor` allows running on .NET 9/10 even though the project targets .NET 6/8
- Exit code 134 is normal in non-interactive mode (caused by `Console.ReadKey()` at the end)
- On macOS, if the binary gets SIGKILL'd, ad-hoc sign it: `codesign -s - <binary>`

### Step 4: Verify Output

Successful run produces these files in the output directory:

| File | Size (typical) | Purpose |
|------|----------------|---------|
| `script.json` | 50–100 MB | Function addresses + names + signatures (IDA/Ghidra import) |
| `dump.cs` | 10–30 MB | C# class dump with RVA/VA addresses |
| `il2cpp.h` | 50–100 MB | C struct definitions for type import |
| `ida_py3.py` | ~2 KB | IDA Python import script |

Check `script.json` format:
```json
{
  "ScriptMethod": [
    {
      "Address": 40865744,
      "Name": "ClassName$$MethodName",
      "Signature": "ReturnType ClassName__MethodName (args...);",
      "TypeSignature": "viii"
    }
  ]
}
```

Check `dump.cs` format:
```csharp
// RVA: 0x1A2B3C4 Offset: 0x1A2B3C4 VA: 0x1A2B3C4
public void MethodName() { }
```

### Step 5:

What is this skill?

Maps stripped native IL2CPP code to original C# method names using global-metadata.dat

Documents iOS UnityFramework and Android libil2cpp.so paths plus metadata location

Recommends Il2CppDumper v39 fork for metadata v24–v39 and Unity 6+

Notes Cpp2IL as an alternative when dummy DLLs lack Address attributes

Outputs script.json-style artifacts for IDA and Ghidra import scripts

Adoption & trust: 596 installs on skills.sh; 1.3k GitHub stars; 0/3 security scanners passed (skills.sh audits).

Journey fit

Primary fit

SKILL.md

READMESKILL.md - Rev U3d Dump

# rev-u3d-dump - Unity IL2CPP Symbol Dumper

Extract C# method names, addresses, and type definitions from Unity IL2CPP builds for IDA/Ghidra analysis.

---

## Overview

Unity IL2CPP compiles C# to native code. The original class/method names are stripped from the binary but preserved in `global-metadata.dat`. This skill recovers the mapping between native function addresses and their original C# names.

### Key Files in Unity Build

| File | Location | Purpose |
|------|----------|---------|
| Native binary | iOS: `Frameworks/UnityFramework.framework/UnityFramework`<br>Android: `lib/{arch}/libil2cpp.so` | Compiled C# code (Mach-O / ELF) |
| Metadata | `Data/Managed/Metadata/global-metadata.dat` | All type/method/string info |

---

## Tool Selection

### Il2CppDumper (recommended for metadata v39+)

Use the **v39 fork** for Unity 6+ builds:

- Repo: `https://github.com/roytu/Il2CppDumper` (branch: `v39`)
- Supports metadata v24–v39
- Outputs `script.json` with function addresses — ready for IDA/Ghidra import

The original Il2CppDumper (`https://github.com/Perfare/Il2CppDumper`) only supports up to v29.

### Cpp2IL (alternative)

- Repo: `https://github.com/SamboyCoding/Cpp2IL`
- Supports metadata v39, but dummy DLLs lack `[Address]` attributes
- Useful for C# source reconstruction, not ideal for IDA import

---

## Step-by-Step Workflow

### Step 1: Locate IL2CPP Files

**iOS (IPA):**
```bash
# Unzip IPA
unzip -o app.ipa -d .

# Binary
BINARY="Payload/<AppName>.app/Frameworks/UnityFramework.framework/UnityFramework"

# Metadata
METADATA="Payload/<AppName>.app/Data/Managed/Metadata/global-metadata.dat"
```

**Android (APK):**
```bash
# Unzip APK
unzip -o app.apk -d .

# Binary (pick target arch)
BINARY="lib/arm64-v8a/libil2cpp.so"

# Metadata
METADATA="assets/bin/Data/Managed/Metadata/global-metadata.dat"
```

### Step 2: Check Metadata Version

```bash
# First 8 bytes: magic (4) + version (4), little-endian
xxd -l 8 "$METADATA"
# Expected: af1b b1fa 2700 0000  → magic OK, version = 0x27 = 39
```

| Version | Unity | Tool |
|---------|-------|------|
| ≤ 29 | Unity 2021 and earlier | Original Il2CppDumper |
| 31 | Unity 2022 | Original Il2CppDumper (partial) |
| 39 | Unity 6 (6000.x) | **roytu/Il2CppDumper v39 fork** |

### Step 3: Build & Run Il2CppDumper (v39 fork)

```bash
# Clone v39 fork
git clone -b v39 https://github.com/roytu/Il2CppDumper.git

# Build
cd Il2CppDumper
DOTNET_ROLL_FORWARD=LatestMajor dotnet build -c Release

# Run (use net8.0 framework)
DOTNET_ROLL_FORWARD=LatestMajor dotnet run \
  --project Il2CppDumper/Il2CppDumper.csproj \
  -c Release --framework net8.0 \
  -- "$BINARY" "$METADATA" output_dir
```

**Notes:**
- `DOTNET_ROLL_FORWARD=LatestMajor` allows running on .NET 9/10 even though the project targets .NET 6/8
- Exit code 134 is normal in non-interactive mode (caused by `Console.ReadKey()` at the end)
- On macOS, if the binary gets SIGKILL'd, ad-hoc sign it: `codesign -s - <binary>`

### Step 4: Verify Output

Successful run produces these files in the output directory:

| File | Size (typical) | Purpose |
|------|----------------|---------|
| `script.json` | 50–100 MB | Function addresses + names + signatures (IDA/Ghidra import) |
| `dump.cs` | 10–30 MB | C# class dump with RVA/VA addresses |
| `il2cpp.h` | 50–100 MB | C struct definitions for type import |
| `ida_py3.py` | ~2 KB | IDA Python import script |

Check `script.json` format:
```json
{
  "ScriptMethod": [
    {
      "Address": 40865744,
      "Name": "ClassName$$MethodName",
      "Signature": "ReturnType ClassName__MethodName (args...);",
      "TypeSignature": "viii"
    }
  ]
}
```

Check `dump.cs` format:
```csharp
// RVA: 0x1A2B3C4 Offset: 0x1A2B3C4 VA: 0x1A2B3C4
public void MethodName() { }
```

### Step 5:

Install

What is this skill?

Recommended Skills

Journey fit

Is Rev U3d Dump safe to install?

SKILL.md

This week for builders

Install

What is this skill?

Recommended Skills

Journey fit

Is Rev U3d Dump safe to install?

SKILL.md