Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

p4nda0s/rev-u3d-dump

Name: rev-u3d-dump
Author: p4nda0s

skills/rev-u3d-dump/SKILL.md

npx skillsauth add p4nda0s/reverse-skills rev-u3d-dump

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

rev-u3d-dump - Unity IL2CPP Symbol Dumper

Extract C# method names, addresses, and type definitions from Unity IL2CPP builds for IDA/Ghidra analysis.

Overview

Unity IL2CPP compiles C# to native code. The original class/method names are stripped from the binary but preserved in global-metadata.dat. This skill recovers the mapping between native function addresses and their original C# names.

Key Files in Unity Build

| File | Location | Purpose | |------|----------|---------| | Native binary | iOS: Frameworks/UnityFramework.framework/UnityFramework<br>Android: lib/{arch}/libil2cpp.so | Compiled C# code (Mach-O / ELF) | | Metadata | Data/Managed/Metadata/global-metadata.dat | All type/method/string info |

Tool Selection

Il2CppDumper (recommended for metadata v39+)

Use the v39 fork for Unity 6+ builds:

Repo: https://github.com/roytu/Il2CppDumper (branch: v39)
Supports metadata v24–v39
Outputs script.json with function addresses — ready for IDA/Ghidra import

The original Il2CppDumper (https://github.com/Perfare/Il2CppDumper) only supports up to v29.

Cpp2IL (alternative)

Repo: https://github.com/SamboyCoding/Cpp2IL
Supports metadata v39, but dummy DLLs lack [Address] attributes
Useful for C# source reconstruction, not ideal for IDA import

Step-by-Step Workflow

Step 1: Locate IL2CPP Files

iOS (IPA):

# Unzip IPA
unzip -o app.ipa -d .

# Binary
BINARY="Payload/<AppName>.app/Frameworks/UnityFramework.framework/UnityFramework"

# Metadata
METADATA="Payload/<AppName>.app/Data/Managed/Metadata/global-metadata.dat"

Android (APK):

# Unzip APK
unzip -o app.apk -d .

# Binary (pick target arch)
BINARY="lib/arm64-v8a/libil2cpp.so"

# Metadata
METADATA="assets/bin/Data/Managed/Metadata/global-metadata.dat"

Step 2: Check Metadata Version

# First 8 bytes: magic (4) + version (4), little-endian
xxd -l 8 "$METADATA"
# Expected: af1b b1fa 2700 0000  → magic OK, version = 0x27 = 39

| Version | Unity | Tool | |---------|-------|------| | ≤ 29 | Unity 2021 and earlier | Original Il2CppDumper | | 31 | Unity 2022 | Original Il2CppDumper (partial) | | 39 | Unity 6 (6000.x) | roytu/Il2CppDumper v39 fork |

Step 3: Build & Run Il2CppDumper (v39 fork)

# Clone v39 fork
git clone -b v39 https://github.com/roytu/Il2CppDumper.git

# Build
cd Il2CppDumper
DOTNET_ROLL_FORWARD=LatestMajor dotnet build -c Release

# Run (use net8.0 framework)
DOTNET_ROLL_FORWARD=LatestMajor dotnet run \
  --project Il2CppDumper/Il2CppDumper.csproj \
  -c Release --framework net8.0 \
  -- "$BINARY" "$METADATA" output_dir

Notes:

DOTNET_ROLL_FORWARD=LatestMajor allows running on .NET 9/10 even though the project targets .NET 6/8
Exit code 134 is normal in non-interactive mode (caused by Console.ReadKey() at the end)
On macOS, if the binary gets SIGKILL'd, ad-hoc sign it: codesign -s - <binary>

Step 4: Verify Output

Successful run produces these files in the output directory:

| File | Size (typical) | Purpose | |------|----------------|---------| | script.json | 50–100 MB | Function addresses + names + signatures (IDA/Ghidra import) | | dump.cs | 10–30 MB | C# class dump with RVA/VA addresses | | il2cpp.h | 50–100 MB | C struct definitions for type import | | ida_py3.py | ~2 KB | IDA Python import script |

Check script.json format:

{
  "ScriptMethod": [
    {
      "Address": 40865744,
      "Name": "ClassName$$MethodName",
      "Signature": "ReturnType ClassName__MethodName (args...);",
      "TypeSignature": "viii"
    }
  ]
}

Check dump.cs format:

// RVA: 0x1A2B3C4 Offset: 0x1A2B3C4 VA: 0x1A2B3C4
public void MethodName() { }

Step 5: Import into IDA

Open the native binary in IDA (UnityFramework / libil2cpp.so)
Place script.json and ida_py3.py in the same directory
File → Script file... → select ida_py3.py
The script reads script.json and renames all functions automatically
Optional: File → Load file → Parse C header file... → select il2cpp.h for struct types

Step 5 (alt): Import into Ghidra

Open the binary in Ghidra
Use the ghidra.py or ghidra_with_struct.py script from Il2CppDumper
Window → Script Manager → Run with script.json in the same directory

Troubleshooting

| Error | Cause | Fix | |-------|-------|-----| | not a supported version[39] | Using original Il2CppDumper | Switch to roytu/Il2CppDumper v39 fork | | Exit code 137 (SIGKILL) | macOS unsigned binary | codesign -s - <binary> | | Cannot read keys (exit 134) | Non-interactive console | Ignore — dump completed successfully | | DOTNET_ROLL_FORWARD error | .NET version mismatch | Set DOTNET_ROLL_FORWARD=LatestMajor | | Empty output | Wrong binary/metadata pair | Verify both files are from the same build |

Output Usage Tips

dump.cs is the quickest reference — search for class/method names with RVA addresses
script.json Address values are decimal — convert to hex for IDA: hex(40865744) → 0x26F8FD0
Field offsets in dump.cs (e.g., // 0x20) are relative to object base, useful for memory inspection with Frida

p4nda0s/rev-u3d-dump

skills/rev-u3d-dump/SKILL.md

Dump Unity IL2CPP symbols from iOS/Android builds. Extract method names, addresses, and type info from IL2CPP binaries and global-metadata.dat, then generate IDA/Ghidra import scripts.

908 stars

development

Updated May 7, 2026

$ install --global

skillsauth

npx skillsauth add p4nda0s/reverse-skills rev-u3d-dump

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 7, 2026, 5:49 AM140.2s1 file scanned

SKILL.md

name:: rev-u3d-dump
description:: Dump Unity IL2CPP symbols from iOS/Android builds. Extract method names, addresses, and type info from IL2CPP binaries and global-metadata.dat, then generate IDA/Ghidra import scripts.

rev-u3d-dump - Unity IL2CPP Symbol Dumper

Extract C# method names, addresses, and type definitions from Unity IL2CPP builds for IDA/Ghidra analysis.

Overview

Key Files in Unity Build

Tool Selection

Il2CppDumper (recommended for metadata v39+)

Use the v39 fork for Unity 6+ builds:

Repo: https://github.com/roytu/Il2CppDumper (branch: v39)
Supports metadata v24–v39
Outputs script.json with function addresses — ready for IDA/Ghidra import

The original Il2CppDumper (https://github.com/Perfare/Il2CppDumper) only supports up to v29.

Cpp2IL (alternative)

Repo: https://github.com/SamboyCoding/Cpp2IL
Supports metadata v39, but dummy DLLs lack [Address] attributes
Useful for C# source reconstruction, not ideal for IDA import

Step-by-Step Workflow

Step 1: Locate IL2CPP Files

iOS (IPA):

# Unzip IPA
unzip -o app.ipa -d .

# Binary
BINARY="Payload/<AppName>.app/Frameworks/UnityFramework.framework/UnityFramework"

# Metadata
METADATA="Payload/<AppName>.app/Data/Managed/Metadata/global-metadata.dat"

Android (APK):

# Unzip APK
unzip -o app.apk -d .

# Binary (pick target arch)
BINARY="lib/arm64-v8a/libil2cpp.so"

# Metadata
METADATA="assets/bin/Data/Managed/Metadata/global-metadata.dat"

Step 2: Check Metadata Version

# First 8 bytes: magic (4) + version (4), little-endian
xxd -l 8 "$METADATA"
# Expected: af1b b1fa 2700 0000  → magic OK, version = 0x27 = 39

Step 3: Build & Run Il2CppDumper (v39 fork)

# Clone v39 fork
git clone -b v39 https://github.com/roytu/Il2CppDumper.git

# Build
cd Il2CppDumper
DOTNET_ROLL_FORWARD=LatestMajor dotnet build -c Release

# Run (use net8.0 framework)
DOTNET_ROLL_FORWARD=LatestMajor dotnet run \
  --project Il2CppDumper/Il2CppDumper.csproj \
  -c Release --framework net8.0 \
  -- "$BINARY" "$METADATA" output_dir

Notes:

DOTNET_ROLL_FORWARD=LatestMajor allows running on .NET 9/10 even though the project targets .NET 6/8
Exit code 134 is normal in non-interactive mode (caused by Console.ReadKey() at the end)
On macOS, if the binary gets SIGKILL'd, ad-hoc sign it: codesign -s - <binary>

Step 4: Verify Output

Successful run produces these files in the output directory:

Check script.json format:

{
  "ScriptMethod": [
    {
      "Address": 40865744,
      "Name": "ClassName$$MethodName",
      "Signature": "ReturnType ClassName__MethodName (args...);",
      "TypeSignature": "viii"
    }
  ]
}

Check dump.cs format:

// RVA: 0x1A2B3C4 Offset: 0x1A2B3C4 VA: 0x1A2B3C4
public void MethodName() { }

Step 5: Import into IDA

Open the native binary in IDA (UnityFramework / libil2cpp.so)
Place script.json and ida_py3.py in the same directory
File → Script file... → select ida_py3.py
The script reads script.json and renames all functions automatically
Optional: File → Load file → Parse C header file... → select il2cpp.h for struct types

Step 5 (alt): Import into Ghidra

Open the binary in Ghidra
Use the ghidra.py or ghidra_with_struct.py script from Il2CppDumper
Window → Script Manager → Run with script.json in the same directory

Troubleshooting

Output Usage Tips

dump.cs is the quickest reference — search for class/method names with RVA addresses
script.json Address values are decimal — convert to hex for IDA: hex(40865744) → 0x26F8FD0
Field offsets in dump.cs (e.g., // 0x20) are relative to object base, useful for memory inspection with Frida

Related Skills

p4nda0s/rev-unicorn-debug

development

VerifiedTrustedCommunity

Debug and emulate specific code fragments or functions using the Unicorn engine. Activate when the user wants to emulate a function with Unicorn, trace binary execution without running the full program, decrypt or decode data by emulating the algorithm, or bypass environment dependencies (JNI, syscalls, libc) during emulation.

908SKILL.mdUpdated May 7, 2026

p4nda0s/rev-unicorn-debug

p4nda0s/rev-symbol

development

VerifiedTrustedCommunity

Restore function symbols by analyzing code patterns, strings, constants, and cross-references

908SKILL.mdUpdated May 7, 2026

p4nda0s/rev-struct

data-ai

VerifiedTrustedCommunity

Reconstruct data structures by analyzing memory access patterns across functions

908SKILL.mdUpdated May 7, 2026

p4nda0s/rev-ios-dump

development

VerifiedTrustedCommunity

Dump decrypted iOS app binaries (砸壳) from jailbroken devices using frida-ios-dump. Activate when the user wants to decrypt an iOS app, dump an IPA from a device, or extract a decrypted Mach-O binary for reverse engineering.

908SKILL.mdUpdated May 7, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/p4nda0s/reverse-skills.git

# Copy into Claude Code skills folder (global)
cp -r reverse-skills/skills/rev-u3d-dump ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

p4nda0s/reverse-skills

908 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT