Dumps protobuf-net messages and enums from an IL2CPP Unity game into a valid .proto file using Frida and frida-il2cpp-bridge
Injects into the game process via Frida and going through IL2CPP domain at runtime.
Finds all classes and enums decorated with [ProtoContract] using native IL2CPP exports, then reads their members via managed reflection to extract fields names, tags and types.
Generates a valid .proto3 schema.
- Python >= 3.7 for Frida
- Node.js
- Unity IL2CPP Game (protected or obfuscated games are probably not supported)
- Clone repo
git clone https://github.com/repinek/frida-il2cpp-proto-dumper
cd frida-il2cpp-proto-dumper
- Install dependencies
python -m venv .venv # Creating a virtual environment for Python
# Activate Python venv, it's depending on what OS you are. For example Linux with fish:
. .venv/bin/activate.fish
pip install -r requirements.txt
npm install
- Build script
npm run build
Script will be built into dist/agent.js
- Spawn script by using any method (frida-server, frida-gadget...) Once attached, the script will automatically dump and report the absolute output path.
Script and Il2cpp Loaded!
x assemblies loaded!
Found 2 custom_attrs exports!
Checking Assembly-CSharp...
Found proto classes in protobuf-net!
Dumping ABC.XYZ...
Done! Written to /abc/xyz/proto/dump.proto
This project is licensed under the MIT License.
See the LICENSE file for details.
This project was inspired by and based on the DJ Katy research
- Il2CppProtoExtractor-FallGuys - Original C# tool uses Il2CppInspector to generate
.protofile - Practical IL2CPP: Extracting Protobuf Definitions - djkaty's Article about reverse engineering
protobuf-netstructures and IL2CPP.