: Look for the function il2cpp::vm::MetadataCache::Initialize . This is where the game loads and processes the metadata.
However, C# has certain characteristics—garbage collection and reflection, for example—that require metadata to function correctly. This is where global-metadata.dat comes in. It is a structured file that acts as a comprehensive database, containing all the class names, method signatures, property names, string literals, and attributes that the native binary needs at runtime. The native binary reads and parses this file to reconstruct the original C#-based logic. decrypt globalmetadatadat
[ Unity C# Source Code ] │ ▼ (Via IL2CPP compiler) ┌─────────────┴─────────────┐ │ │ ▼ ▼ [ Native Machine Code ] [ Structural Metadata ] (libil2cpp.so / (global-metadata.dat) GameAssembly.dll) This is where global-metadata
The script works by scanning the ELF (Executable and Linkable Format) relocation table for a known hex pattern to locate the metadata pointer, then reconstructing the metadata by identifying candidate offsets and sections to build the final output file. For example: python metadata_decryptor.py --libunity path/to/libunity.so --output path/to/decrypted-metadata.dat . This method is cross-platform and requires no reference metadata to work. [ Unity C# Source Code ] │ ▼
This memory dump approach is also crucial for dealing with cases where the file's header signatures are intentionally destroyed. For example, a standard global-metadata.dat file starts with the magic bytes AF 1B B1 FA . An attacker might change these to 00 00 00 00 to break header-based detection. By dumping the file from memory, you get the corrected, decrypted version, which you can then fix by simply replacing the first four bytes with the standard signature.