Deep deobfuscation of VRChat's GameAssembly.dll — 478,923 named methods across the June 5 build. Beebyte ÌÍÎÏ obfuscation defeated via RVA propagation, Codex batch analysis, sibling-context inference, Hex-Rays pseudocode, and 7 community data sources.
90.7% of 528,135 methods have been named via RVA propagation (15.5K), Codex mega-batch analysis (2.8K), sibling-context inference (13.5K), Hex-Rays pseudocode, and 7 community sources. The remaining 9.3% use stable hash fallback identifiers (m_XXX).
June 5 field coverage from the current pipeline summary and final dump.
| Metric | Count | Coverage |
|---|---|---|
| Semantic fields | 2,712 | 94.5% of all fields |
| Renamed/fallback fields | 158 | 5.5% of all fields |
| Total fields | 2,870 | June 5 dump |
June 5 method coverage from the current pipeline summary and final dump.
| Metric | Count | Coverage |
|---|---|---|
| Named methods | 478,923 | 90.7% of all methods |
| Hash remaining (m_XXX) | 49,212 | 9.3% of all methods |
| Total methods | 528,135 | June 5 dump |
extract_field_types_v2.pyThis is a structural dump — signatures, types, and RVA addresses only. Actual method logic lives as machine code in GameAssembly.dll (206.8 MB). 10,670 functions have been decompiled via Hex-Rays, yielding 11,190 LLM-predicted names. Load the IDA rename script (133K+ entries) into IDA Pro for full analysis, or use Ghidra.
Multi-strategy pipeline: vocabulary merge → 11-phase deobfuscation → RVA propagation (v2 + cascade) → sibling-context LLM inference → Hex-Rays pseudocode analysis → output generation. 39,623 cross-version entries from 11+ data sources.
Runtime-verified analysis of VRChat's core subsystems via Frida instrumentation.
Per-frame Update + LateUpdate monitoring with three-tier sibling redundancy verification. Primary anti-cheat system — detects IL2CPP struct modifications, memory patches, and hook tampering.
Dual-precision FlatBuffer serialization. PoseEvent encodes full body pose: head/body/hip transforms + hand gestures + finger curl values + eye tracking. Interpolation/extrapolation for smooth networked movement.
Network tick at 1,420 calls/sec — polls Photon transport buffer for incoming RPCs, events, and state updates. Heartbeat at 200/s keeps connection alive.
Factory-pattern virtual machine. UdonHeap bounds-checked memory with whitelist/blacklist + signature verification sandbox. Executes world creator scripts in isolation.
31 methods execute every frame per avatar. Dependency graph rebuilt each frame for bone chain simulation — hair, clothing, ears, tails. Major performance cost for crowded instances.
Largest namespace. 928 async state machines are network-related (API calls, asset downloads, world loading). 930 hookable MoveNext RVAs identified for runtime analysis.
| Method | Calls/sec | Function |
|---|---|---|
PhotonConnectionHandler.m_FC8 | 1,420/s | Photon network tick (message pump) |
*.m_ACA | 410/s | Async task dispatcher |
*.m_DEE | 200/s | Heartbeat / keep-alive |
| Offline mode: 6/155 hooks fired (room/udon/network/impostor all silent) | ||
run_full_pipeline.pyOrchestrator (5 stages)deobfuscate.py8-phase + smart renameextract_field_types_v2.pyFrida field type extractionbuild_va_propagation_v2.py+7,252 methods via call graphida_hexrays_export.py10,670 functions decompiledgenerate_source_tree.py1,126 organized .cs filesextract_precise_dump.pyIL2CPP struct scannerdeep_probe.py/jsRuntime hook frameworkNames encoded as 23-character strings using U+00CC (Ì), U+00CD (Í), U+00CE (Î), U+00CF (Ï). Regex: ^[\u00CC-\u00CF]{3,}$
Struct layout altered: FieldInfo at +0xA0 (not +0x88), field_count at +0x124 (not +0x122). 264 IL2CPP exports renamed, only 3 left unobfuscated.