UnityReverseEngine
Decompile APK/IPA To UnityProject
Install / Use
/learn @IIIImmmyyy/UnityReverseEngineREADME
UREngine is undergoing a major refactoring phase and development has not been halted. Progress has simply slowed due to personal work commitments.
Attached is the current progress:
<img alt ="UI.ong" src="https://raw.githubusercontent.com/IIIImmmyyy/UnityReverseEngine/refs/heads/master/source/UREngine-UI.png" >
📖 Introduction
In the field of mobile game development and security research, Unity engine has occupied an important position with its cross-platform capabilities and IL2CPP backend technology. However, the process of IL2CPP converting C# code to native C++ code and then compiling it to machine code has brought unprecedented challenges to reverse engineering. Traditional decompilation tools often struggle when facing Unity IL2CPP-built applications, with low analysis efficiency and difficult-to-understand results.
It is against this technical background that UnityReverseEngine (UREngine for short) came into being - a completely independently developed professional Unity decompilation engine specifically designed to address the pain points of IL2CPP reverse engineering.
🎯 Technical Background and Challenges
Complexity of Unity IL2CPP
Unity's IL2CPP technology converts managed C# code to native machine code, which includes:
| Conversion Stage | Description | Challenge | |---------|------|------| | IL Conversion | C# → IL → C++ → Machine Code | Multi-layer conversion causes semantic loss | | Garbage Collection | Complex memory management logic | Reference relationships difficult to track | | Type Mapping | Managed type to native type conversion | Type information obfuscation | | Call Optimization | Inlining, virtual function tables, etc. | Control flow becomes complex |
Limitations of Traditional Tools
Problems faced by traditional decompilation tools:
- Slow Analysis Speed: Need to analyze the entire binary file comprehensively
- Serious Semantic Loss: Original C# semantics lost in multi-layer conversion
- Poor Readability: Generated pseudo-code is difficult to understand and use
🌟 UREngine's Technical Breakthroughs
⚡ Ultimate Decompilation Speed
UREngine abandons the full-analysis mode of traditional decompilers and adopts a revolutionary function-level precision analysis strategy:
Core Optimization Technologies
| Optimization Feature | Effect | Innovation | |---------|------|-------| | Metadata-Driven | Precise function signature identification | Avoid blind analysis | | Micro Runtime | Lightweight runtime simulation | No need for complete reconstruction | | Smart CFG | Remove redundant nodes | Highly optimized control flow |
Performance Metrics
| Metric | UREngine | Traditional Tools | Improvement Factor | |------|----------|----------|----------| | Single Function Analysis | Millisecond-level | Second-level | ×1000 | | Large Games (100K+ functions) | 2-5 minutes | Several hours | ×50 | | Memory Usage | Low consumption | High consumption | 80% savings |
Industry-Leading Pseudocode Analysis Capabilities
UREngine has reached unprecedented heights in ARM64 instruction semantic restoration:
Complex Instruction Processing Examples
1. BLR Indirect Jump Analysis
// Traditional tool output (hard to understand)
BLR X8
// X8 = *(_QWORD *)(v6 + 0x48)
// Completely unable to understand call intent
// UREngine output (clear and readable)
virtualMethod.Invoke(this, parameters);
// Perfect restoration of virtual function call semantics
2. SIMD Vector Operation Analysis
// Traditional tool output
FADD V0.4S, V1.4S, V2.4S
LD1 {V3.4S}, [X0]
ST1 {V0.4S}, [X1]
// UREngine output
Vector4 result = Vector4.Add(vector1, vector2);
transform.position = result;
3. Multi-level Pointer Dereference
// Traditional tool output
v8 = *(_QWORD *)(v6 + 0x20);
v9 = *(_QWORD *)(v8 + 0x18);
v10 = *(_DWORD *)(v9 + 0x10);
// UREngine output
int health = player.character.stats.health;
4. Unity Component System Analysis
// Traditional tool output
sub_1234ABCD(v7, v8, v9);
// Completely unclear what it's doing
// UREngine output
GetComponent<Rigidbody>().AddForce(Vector3.up * jumpForce);
Unique Direct C# Semantic Conversion
This is UREngine's most revolutionary feature - the world's only decompilation tool that supports direct conversion from ARM64 instructions to C# code:
Complete Class Restoration Example
Original Unity C# Code:
public class PlayerController : MonoBehaviour
{
public float moveSpeed = 5f;
public float jumpForce = 10f;
private Rigidbody rb;
void Start()
{
rb = GetComponent<Rigidbody>();
}
void Update()
{
float horizontal = Input.GetAxis("Horizontal");
Vector3 movement = new Vector3(horizontal, 0, 0) * moveSpeed;
transform.Translate(movement * Time.deltaTime);
if (Input.GetKeyDown(KeyCode.Space))
{
rb.AddForce(Vector3.up * jumpForce, ForceMode.Impulse);
}
}
}
UREngine Restoration Result:
// Nearly perfect restoration!
public class PlayerController : MonoBehaviour
{
public float moveSpeed; // = 5f (default value inferred from binary)
public float jumpForce; // = 10f
private Rigidbody rb;
private void Start()
{
// Automatically identifies Unity API calls
this.rb = base.GetComponent<Rigidbody>();
}
private void Update()
{
// Perfect restoration of input handling logic
float horizontal = Input.GetAxis("Horizontal");
Vector3 vector = new Vector3(horizontal, 0f, 0f) * this.moveSpeed;
base.transform.Translate(vector * Time.deltaTime);
// Accurate restoration of key detection and physics operations
if (Input.GetKeyDown(KeyCode.Space))
{
this.rb.AddForce(Vector3.up * this.jumpForce, ForceMode.Impulse);
}
}
}
Complex Game Logic Restoration Example
Game State Manager Restoration:
// Game manager perfectly restored by UREngine
public class GameManager : MonoBehaviour
{
public static GameManager Instance { get; private set; }
public enum GameState
{
Menu,
Playing,
Paused,
GameOver
}
public GameState currentState;
public int score;
public int lives;
private void Awake()
{
// Singleton pattern automatically identified
if (Instance == null)
{
Instance = this;
DontDestroyOnLoad(gameObject);
}
else
{
Destroy(gameObject);
}
}
public void ChangeState(GameState newState)
{
// State machine logic completely restored
switch (newState)
{
case GameState.Menu:
Time.timeScale = 1f;
UIManager.Instance.ShowMenu();
break;
case GameState.Playing:
Time.timeScale = 1f;
UIManager.Instance.HideMenu();
break;
case GameState.Paused:
Time.timeScale = 0f;
UIManager.Instance.ShowPauseMenu();
break;
case GameState.GameOver:
Time.timeScale = 0f;
UIManager.Instance.ShowGameOverScreen();
SaveHighScore();
break;
}
currentState = newState;
}
private void SaveHighScore()
{
// PlayerPrefs operations automatically identified
int highScore = PlayerPrefs.GetInt("HighScore", 0);
if (score > highScore)
{
PlayerPrefs.SetInt("HighScore", score);
PlayerPrefs.Save();
}
}
}
Core Technical Architecture Analysis
Multi-layer Analysis Pipeline
APK/IPA Input → Binary Extraction → Metadata Parsing → ARM64 Disassembly
↓
CFG Construction → ISIL Intermediate Representation → Data Flow Analysis → C# Syntax Reconstruction
↓
Code Optimization → Quality Analysis → Unity Project Reconstruction
Intelligent Analysis Engine
| Analysis Feature | Function Description | Technical Advantage | |---------|---------|---------| | Context Awareness | Smart inference based on Unity framework features | Accurate Unity API call identification | | Pattern Recognition | Automatic identification of common Unity programming patterns | Restoration of design patterns and architecture | | Exception Optimization | Smart cleanup of IL2CPP redundant exception handling | Generate clean, readable code |
Extensible Plugin Architecture
- Instruction Set Plugins: Support for ARM64, x86/x64, RISC-V, etc.
- Analysis Plugins: CFG optimization, data flow analysis, code quality detection
- Output Format Plugins: C# source code, Unity projects, documentation reports
🎯 Practical Application Scenarios
Game Security Research
Anti-cheat Mechanism Analysis
// UREngine can perfectly restore game anti-cheat logic
public class AntiCheatSystem : MonoBehaviour
{
private float lastUpdateTime;
private Vector3 lastPosition;
private float maxSpeed = 10f;
private void Update()
{
// Speed detection restoration
float deltaTime = Time.time - lastUpdateTime;
float distance = Vector3.Distance(transform.position, lastPosition);
float speed = distance / deltaTime;
if (speed > maxSpeed)
{
// Cheat detection logic
ReportCheat("SPEED_HACK", speed);
}
lastPosition = transform.position;
lastUpdateTime = Time.time;
}
}
Network Communication Protocol Restoration
// Network protocol and e
Security Score
Audited on Mar 26, 2026