Reverse engineering IL2CPP metadata

Unity applications built using the IL2CPP backend compile C# code into native C++ code (like libil2cpp.so). This makes direct decompilation harder than standard Mono builds.

However, we use tools like Il2CppDumper to extract the class structures, method names, and namespace definitions from the application's global metadata file (global-metadata.dat).

This allows us to locate critical functions inside the binary. We then use Frida to hook these methods at runtime, allowing us to read variables, modify values (like wallet balances), and bypass local transaction verification checks.

Pentest finding

Local purchase verification bypassed in memory

During an audit of an interactive learning application, we used Il2CppDumper to find the validation method: IsSubscriptionActive(). By attaching a Frida script to the method's offset and forcing it to always return true, we unlocked the premium features without making a payment.

Auditing payment gateway integrations in Unity

The most common vulnerability we find in Unity deployments is verifying transaction status entirely on the mobile client.

Developers often write code where the Unity client calls a local payment API, receives a confirmation token, and tells the backend database to credit the account directly.

This is a critical security mistake. Attackers can intercept the network traffic using proxies like Burp Suite and replay successful transaction tokens or forge responses. All payment verifications must occur on the server. The backend must query the payment gateway (like Paystack or Flutterwave) directly to confirm the transaction status before updating the database.

Unity Security Checklist

To secure your Unity deployments, verify these defensive items:

  1. Server-Side Purchase Validation: The mobile client must never have the authority to update its own balance. Every transaction must be verified on the server.
  2. Metadata Obfuscation: Use specialized obfuscation tools designed for Unity to scramble the IL2CPP class metadata.
  3. Encrypt local data: If you store configuration values or local cache variables on disk, encrypt them using AES keys managed by the host OS secure storage layers.

Let Simpa Labs audit your Unity app

We specialize in reverse-engineering mobile binaries and testing API integrations. We will decompile your Unity application, check your backend endpoints, and verify your payment configurations.

Book a Unity Security Audit