97.9% Semantic Coverage

VRChat IL2CPP Reverse Engineering

Deep deobfuscation of VRChat's GameAssembly.dll — 289,734 semantic methods, 100% class and field coverage. Beebyte ÌÍÎÏ obfuscation defeated via M1-M16 pipeline + 7 data sources + LLM predictions + Hex-Rays clustering.

0
Classes
0
Methods
0
Fields
97.9%
Semantic
VRChat 2026.1.3p1 (Build 22765958) · Unity 2022.3.x · IL2CPP v29.1 · GA 206.8 MB
Overview
Naming Quality
Pipeline
Systems
Tools & IDA

C Classes

40,896
Named (semantic)40,896 (100%)
Originally obfuscated5,522
Semantic (meaningful)3,423 (62%)
Fallback (hash)2,099 (38%)
Namespaces471

M Methods

296,089
Semantic289,734 (97.9%)
Originally obfuscated75,279
Semantic289,734 (97.9%)
Hash fallback6,355 (2.1%)
VA propagation v2+7,252 new

F Fields

35,925
Named (total)35,925 (100%)
Semantic32,460 (90.4%)
Originally obfuscated10,462
Hash fallback3,465 (9.6%)
Backing field cleanup1,168
Type-inferred (Frida)5,846

Overall Naming Quality

97.9%Semantic
Semantic names: 356,449
Hash fallback: 6,355
Total identifiers: 372,910

Every identifier in VRChat's IL2CPP binary has been named. 97.9% have meaningful semantic names derived from 7 data sources + VA propagation; the remaining 2.1% use stable hash-based names (m_XXX, f_XXX) consistent across sessions.

Zero obfuscated identifiers remain. All 5,522 ÌÍÎÏ class names, 75,279 obfuscated methods, and 10,462 obfuscated fields have been resolved. VA propagation v2 recovered +7,252 additional semantic method names. 11,190 LLM predictions applied; 10,670 functions decompiled via Hex-Rays.

Field Naming Strategies

4-strategy pipeline processes 10,462 obfuscated fields through increasingly sophisticated analysis.

StrategyCountMethod
Backing Field1,168<X>k__BackingField_x
Accessor Match16get_/set_ 1:1 correlation
Type Inference5,846Frida runtime types → semantic names
Hash Fallback4,397Stable f_XXX hash
90.4% semantic9.6% hash

Method Naming Strategies

75,279 obfuscated methods processed with VA propagation, call graph analysis, IDA string refs, and LLM predictions.

StrategyCountMethod
VA Propagation v27,252Address propagation + call graph analysis
Call Graph5,738Caller/callee relationship inference
IDA String Refs7,623String cross-reference naming
String-API425API string pattern matching
LLM Predictions11,190Hex-Rays decompiled → LLM inference + structural clustering
Hash Fallback6,355Stable m_XXX hash
97.9% semantic (all methods)2.1% hash

Runtime Type Inference Engine

Data Source
92,552 field types from Frida runtime extraction
Attached to offline VRChat via extract_field_types_v2.py
Type Maps
160+ known type → name mappings
Unity, VRChat, Photon, System, Collections
Recovery
40+ substring patterns for garbled types
Partial type recovery from corrupted metadata

Remaining Limitation: No Method Bodies

This is a structural dump — signatures, types, and RVA addresses only. Actual method logic lives as machine code in GameAssembly.dll (206.8 MB). 10,670 functions have been decompiled via Hex-Rays, yielding 11,190 LLM-predicted names. Load the IDA rename script (133K+ entries) into IDA Pro for full analysis, or use Ghidra.

Deobfuscation Pipeline

M1-M16 strategies + 7 external data sources + 2-pass rename → method & field renaming → output generation. 11,190 LLM predictions applied from 10,670 Hex-Rays decompiled functions.

0
Vocabulary Merge
7,926 names from 7 sources → unified_vocabulary.json
1
Compiler Artifacts
686 async state machines + delegates classified
2
Semantic Analysis
661 classes named by method signature patterns
3
Unity Components
893 MonoBehaviour/ScriptableObject subclasses identified
4
Inheritance Chain
570 classes named via parent → child propagation
5
Cross-Reference
593 by shared methods, sibling analysis, community maps
6
Fallback Hashing
2,099 remaining classes get stable hash-based names
7
Smart Field & Method Renaming
10,462 fields + 75,279 methods — 4 field strategies + VA propagation + context-aware inference

Data Sources

precise_dump.json40 MB
field_types.json (Frida)11 MB
unified_vocabulary.json806 KB
GameAssembly.dll206.8 MB
Community repos36 external

Output Files

deobfuscated_dump.json36.4 MB
deobfuscated_dump.cs18.3 MB
Source tree (output/src/)1,126 files
ida_apply_names.py133K+ renames
name_mapping.json8.9 MB

Deep Systems Analysis

Runtime-verified analysis of VRChat's core subsystems via Frida instrumentation.

VRC_Secondary — Anti-Tamper

499 methods75 fields

Per-frame Update + LateUpdate monitoring with three-tier sibling redundancy verification. Primary anti-cheat system — detects IL2CPP struct modifications, memory patches, and hook tampering.

PlayerNet — Network Serialization

FlatBuffer 8/32PoseEvent

Dual-precision FlatBuffer serialization. PoseEvent encodes full body pose: head/body/hip transforms + hand gestures + finger curl values + eye tracking. Interpolation/extrapolation for smooth networked movement.

Photon Message Pump

1,420/sHighest frequency

Network tick at 1,420 calls/sec — polls Photon transport buffer for incoming RPCs, events, and state updates. Heartbeat at 200/s keeps connection alive.

Udon VM — Sandbox

UdonHeapWhitelist/Blacklist

Factory-pattern virtual machine. UdonHeap bounds-checked memory with whitelist/blacklist + signature verification sandbox. Executes world creator scripts in isolation.

PhysBone — Avatar Physics

31 per-frameDependency graph

31 methods execute every frame per avatar. Dependency graph rebuilt each frame for bone chain simulation — hair, clothing, ears, tails. Major performance cost for crowded instances.

Global Namespace — Async Engine

13,908 classes1,012 state machines

Largest namespace. 928 async state machines are network-related (API calls, asset downloads, world loading). 930 hookable MoveNext RVAs identified for runtime analysis.

Runtime Probe Results (90s, 155 hooks)

MethodCalls/secFunction
PhotonConnectionHandler.m_FC81,420/sPhoton network tick (message pump)
*.m_ACA410/sAsync task dispatcher
*.m_DEE200/sHeartbeat / keep-alive
Offline mode: 6/155 hooks fired (room/udon/network/impostor all silent)

Pipeline Tools

run_full_pipeline.pyOrchestrator (5 stages)
deobfuscate.py8-phase + smart rename
extract_field_types_v2.pyFrida field type extraction
build_va_propagation_v2.py+7,252 methods via call graph
ida_hexrays_export.py10,670 functions decompiled
generate_source_tree.py1,126 organized .cs files
extract_precise_dump.pyIL2CPP struct scanner
deep_probe.py/jsRuntime hook framework

IDA Pro Integration

# Apply 133K+ deobfuscated names to IDA
File → Script File → ida_apply_names.py
Function renames133K+
Hex-Rays decompiled10,670
LLM predictions applied11,190
IDA database2.7 GB (.i64)
CompatibleIDA 9.x

Obfuscation Details — Beebyte

Character Set

Names encoded as 23-character strings using U+00CC (Ì), U+00CD (Í), U+00CE (Î), U+00CF (Ï). Regex: ^[\u00CC-\u00CF]{3,}$

IL2CPP Modifications

Struct layout altered: FieldInfo at +0xA0 (not +0x88), field_count at +0x124 (not +0x122). 264 IL2CPP exports renamed, only 3 left unobfuscated.

GitHub Repository · 40,896 classes · 296,089 methods · 35,925 fields · 97.9% semantic
Built with Python, Frida, IDA Pro · Last updated April 2026