Finding Game Object Manager Offset
When you want to read the GameObjects of a Unity game from outside the engine, you really only have one option: the GameObjectManager (GOM), whose static instance holds the list of live GameObjects. Here I will explain how to find its offset inside UnityPlayer.dll, using Ghidra.
Step 1: Set up Ghidra
For this you need a working Ghidra installation.
Load the UnityPlayer.dll from the game you want to reverse engineer. Don't forget to load the matching PDB file: the symbols in it are what give you names such as GetGameObjectManager and s_Instance, which the later steps rely on.
Step 2: Search for a method that uses the GameObjectManager
Usually any method that returns a GameObject will do. A good candidate is UnityEngine.GameObject::FindGameObjectsWithTag.
In the Ghidra CodeBrowser, find the string (e.g. UnityEngine.GameObject::FindGameObjectsWithTag) with Search > For Strings > Search, then type the string into the filter box of the results window.
Double-click the matching line; the Listing window should take you to the string's address.
Step 3: Find references
We need to find the references to this string, in order to see which native function it is registered to.
On the string's line in the Listing window, right-click > References > Show References to Address.
Double-click the reference; it should take you to the registration entry that points at the string.
There, on the line above the reference you just found, you should see the address of the function definition (the pointer to the native implementation that is registered under that name).
Step 4: Open the function
Double-click the function pointer above the pointer to the name to open the function.
Step 5: Find GetGameObjectManager()
Somewhere in the function body you should see a call to GetGameObjectManager().
If you don't find one, try another method (back to Step 2).
Double-click this call.
Step 6: Get the pointer
Now you are presented with a small function that simply returns the instance:
return GameObjectManager::s_Instance;
Double-click s_Instance.
You should see its address.
Note that Ghidra shows this address as if the DLL were loaded at its preferred image base (0x180000000 for a 64-bit DLL), so the value is only meaningful relative to that base.
The easiest way to find the image base is to scroll up to the beginning of the Listing; Window > Memory Map also shows it as the start of the first block.
The final offset is: s_Instance address - image base
So in this instance: 0x1817ffd28 - 0x180000000 = 0x17ffd28
At runtime the DLL is loaded at a different base because of ASLR, so take the actual load address of UnityPlayer.dll in the game process, add this offset, and read the pointer stored there: that pointer is s_Instance, i.e. exactly what GetGameObjectManager() returns.
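To make the arithmetic in Step 6 reproducible, here is an added example (not code from the original page) that reads the preferred ImageBase directly from the PE optional header of a DLL instead of scrolling to the top of the Listing, turns a Ghidra address into a relative offset, and rebases that offset onto the module's actual load address. The Ghidra address 0x1817ffd28 and the base 0x180000000 are the page's own numbers; the runtime base 0x7ff9a0000000 is an invented placeholder, and the PE header used for the self-test is constructed in memory rather than taken from a real UnityPlayer.dll.

```python
import struct
import sys


def read_image_base(data: bytes) -> int:
    """Return the preferred ImageBase from a PE file's optional header.

    Walks MZ header -> e_lfanew -> PE signature -> COFF header -> optional
    header and reads ImageBase, whose size and offset depend on PE32/PE32+.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20  # skip the PE signature and the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:  # PE32+ (64-bit): ImageBase is a u64 at optional header offset 24
        return struct.unpack_from("<Q", data, opt + 24)[0]
    if magic == 0x10B:  # PE32 (32-bit): ImageBase is a u32 at optional header offset 28
        return struct.unpack_from("<I", data, opt + 28)[0]
    raise ValueError(f"unknown optional header magic {magic:#x}")


def rva_from_ghidra_address(ghidra_address: int, image_base: int) -> int:
    """Offset of a symbol relative to the image base, as shown in Ghidra."""
    if ghidra_address < image_base:
        raise ValueError("address lies below the image base; wrong base?")
    return ghidra_address - image_base


def runtime_address(module_base: int, rva: int) -> int:
    """Rebase an offset onto the address the module was actually loaded at (ASLR)."""
    return module_base + rva


def gom_offset_from_dll(dll_bytes: bytes, ghidra_address: int) -> int:
    """Combine both steps: base from the PE header, then subtract it."""
    return rva_from_ghidra_address(ghidra_address, read_image_base(dll_bytes))


def build_fake_pe_header(image_base: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header for offline testing (not a real DLL).

    Only the fields read_image_base() touches are filled in; the optional
    header is truncated to the bytes needed for ImageBase.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after DOS header
    coff = bytes(20)
    if pe32plus:
        opt = bytearray(112)
        struct.pack_into("<H", opt, 0, 0x20B)
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        opt = bytearray(96)
        struct.pack_into("<H", opt, 0, 0x10B)
        struct.pack_into("<I", opt, 28, image_base)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python gom_offset.py UnityPlayer.dll 0x1817ffd28
    # Without arguments, fall back to the constructed header and the page's numbers.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            dll = f.read()
        ghidra_addr = int(sys.argv[2], 16)
    else:
        dll = build_fake_pe_header(0x180000000)
        ghidra_addr = 0x1817ffd28
    base = read_image_base(dll)
    rva = rva_from_ghidra_address(ghidra_addr, base)
    print(f"image base      : {base:#x}")
    print(f"s_Instance rva  : {rva:#x}")
    fake_runtime_base = 0x7FF9A0000000  # hypothetical load address of UnityPlayer.dll
    print(f"at runtime      : {runtime_address(fake_runtime_base, rva):#x}")
```

Run it against the real DLL with the address you read off s_Instance; the printed offset is what you add to the UnityPlayer.dll base in the game process, and the 8-byte value at that location is the GameObjectManager pointer itself, not the manager. Reading a PE32 (32-bit) build is handled too, since ImageBase sits at a different offset and width there.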
Enjoy.