21 November 2015

[Tutorial] How to decrypt an encrypted .dll file with GDB gcore (Root) (4.2.2-4.4.4) (ARM only)

Decrypting an encrypted .dll without root
Decrypting an encrypted .dll and other files using the Termux app (Root only) (5.0 and up).
NO MORE PIE PATCH!

http://www.iandrohacker.net/2017/03/how-to-decrpyt-encrypted-dll-and-other.html

If your device runs Lollipop 5.x.x, try the PIE patch to make it work on Lollipop, but you take the risk of bricking your device. Make a nandroid backup before replacing the linker file.
https://www.alphagamers.net/threads/guide-bypassing-pie-security-check-android-5-0-up.242363/

Hello dear community,

I will show you how to decrypt an encrypted .dll file (when trying to MOD Unity based Android games) using a gcore dump and WinHex.

Before we start, how to check if a .dll file is encrypted?

Easy. When you open a .dll file into Reflector and you get:

"Assembly-CSharp (this could change, depending on the name of the file), File is not a portable executable. DOS header does not contain 'MZ' signature."

it means you have got an encrypted DLL!


See image:


It means the DLL file does not have a valid MZ/PE header so you can't open/modify it. DLL files require MZ/PE headers in order to view its content and, to prevent hacking, some game developers protect their game erasing these MZ/PE headers from some dll files.
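As an added check (not part of the original tutorial), this Python function performs the same MZ/PE header test that Reflector runs before loading an assembly, and shows why a DLL with its DOS header erased is rejected with exactly the message quoted above. The sample headers are constructed inline and are not real assemblies.

```python
import struct

def check_pe_header(data: bytes):
    """Return (ok, reason) for the header test a .NET decompiler performs
    before loading an assembly: 'MZ' at offset 0, then e_lfanew (the
    32-bit value at offset 0x3C) must point at the 'PE\\0\\0' signature."""
    if len(data) < 0x40:
        return False, "file shorter than a DOS header"
    if data[:2] != b"MZ":
        # This is the case Reflector reports for a protected Assembly-CSharp.dll
        return False, "DOS header does not contain 'MZ' signature"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False, "e_lfanew points outside the file"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, "no 'PE' signature at e_lfanew"
    return True, "valid MZ/PE header, PE signature at offset 0x%x" % e_lfanew

def build_sample_header(e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal MZ/PE header stub (not a real assembly)."""
    hdr = bytearray(e_lfanew + 4)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(hdr)

# Constructed inputs: an intact header, and the same bytes with the first
# 0x40 bytes (the DOS header) zeroed, as the protection described above does.
INTACT = build_sample_header()
DOS_HEADER_STRIPPED = b"\0" * 0x40 + INTACT[0x40:]

if __name__ == "__main__":
    for name, blob in (("intact", INTACT), ("stripped", DOS_HEADER_STRIPPED)):
        ok, reason = check_pe_header(blob)
        print(f"{name}: {'OK' if ok else 'REJECTED'} - {reason}")
```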

Now let's start with the requirements!


First of all, you need:
1. To have some Android hacking experience (otherwise you will not understand a single word of this Topic)
2. A rooted Android device
3. .NET Reflector or JustDecompile installed on your computer (if you've got hacking experience, you should already have this tool)
4. A computer running at least Windows XP
5. A rooted Android device running Android 4.2.2 or newer. Previous versions might not work.
6. At least 1 GB of RAM on your device. A minimum of 300-400 MB of free RAM is required
7. Latest version of SuperSU or another Superuser app
8. BusyBox for Android. Get it from HERE
9. Terminal app for Android. You can download it from HERE
10. gcore installed on your device. Download it from HERE
11. Any file explorer app installed on your Android device. I'd recommend X-plore
12. Modified version of WinHex (the free version will not work for this purpose). Download it from HERE

Update your BusyBox and Superuser.
If you are using an outdated version of BusyBox, SuperSU or another Superuser app, you will need to update, because older versions may cause problems. If you are using the built-in CyanogenMod SuperUser, beware that it is very unstable. Uninstall this and this abandoned Superuser if you have one, and install one of the popular Superuser apps: SuperSU, Kingroot, Kingoroot, iRoot, etc.

Most Superuser apps have an update check option in the settings; some of them don't. Simply open the settings and request an update, or manually update the app from the website.


Install BusyBox from the given link.

Open the app and grant Root permissions. Smart Install will slowly load and, when completely loaded, tap "Install". The BusyBox binaries will be now permanently installed on your device. You can close the app or even uninstall it. BusyBox is just the installer. See screen below if you need help.



Install gcore on your device
1) Download gcore to your device (using the link given at the top of this Topic)
2) Open your Root Explorer app
3) Copy the 2 files "gdb" and "gdbserver" included into the zip file
4) Paste them to /system/bin/ (in your INTERNAL ROOT memory -> system -> bin) Folder (of course you will need to grant root permissions to see that folder).
5) If asked, overwrite files.

Find the package name of the app you're going to hack!
This will be required to find the app in the Terminal app we're going to use soon.
It's usually called "com.DEVELOPER_CODE.GAME_CODE".

Method #1
You can find it by going (with your browser) to the Google Play website https://play.google.com/, looking for the game you have installed on your device and then copying what's next to "id=". See screenshot:



Method #2
Install Package Name Viewer app from playstore and find the game you are looking for


Method #3
For Cyanogenmod ROMs, you can go to "Settings" -> "Apps" and then you'll find the package name of any app you have installed on your device.


Dump the game from RAM using the Terminal app
First, reboot your phone.
Install the Terminal app (with the link above). Then launch and minimize the game with the encrypted .dll (otherwise you will not see it in the following step).

Launch the Terminal and type:
su

Now hit Enter and grant Root Permissions for the Terminal app.




Your prompt will now start with "root@". This confirms you now have root permissions in the Terminal.

Now, type one of the following to list the running processes:

dumpsys meminfo | grep com.*

This command will search the running processes for names containing "com." (the * is a wildcard which means any sequence of letters/numbers/symbols)

or

dumpsys meminfo | grep th.*

This command will search the running processes for names containing "th." (again, the * is a wildcard which means any sequence of letters/numbers/symbols)

Hit enter and you'll see a list of the running process of your device.
You will find the package name of the game with the encrypted dll too!

Using the game Crusaders Quest as an example, you should see something like this:

118740 kB: com.nhnent.SKQUEST (pid 383 / activities)


If you have problems finding the PID, or if the app closes after a few seconds and you don't have enough time to type in the command, you can use an app called ProcessView, which you can find on the Google Play Store.
Google Play LINK:
https://play.google.com/store/apps/details?id=jp.vviki.android.SysLoadLogger

Take note of the number next to "pid" (PID stands for "Process ID" and changes every time a process starts). In my example, I'll take note of the number "383".

Now, using the PID you just noted, type:

gdb -pid xxxxxx

(replacing "xxxxxx" with the PID number)

In my example, I'll use Crusaders Quest's PID (383).



Now hit Enter.

Wait a few seconds and the Terminal app will show the prompt:
(gdb)


If you get a "can't execute: permission denied" error, type this in the Terminal:

chmod 777 /system/bin/gdb && chmod 777 /system/bin/gdbserver


HAVE "ptrace: Operation not permitted" ERROR? PLEASE SEE THE TUTORIAL ABOUT BYPASSING THE "ptrace: Operation not permitted" ERROR
LINK TO TUTORIAL

We're almost done with the Terminal. Now we need to save the RAM dump, which we will use to get the decrypted dll, to our /sdcard/ path. So, choose a name for this file (I will call it "nameoffile" as an example).

So, let's type:

gcore /sdcard/nameoffile

Hit enter and the Terminal will show an empty line: it is generating a very big dump file, so wait patiently until the process completes. The file could be up to 1 GB in size!



At the end of this process, you'll see:

Saved corefile /sdcard/nameoffile
(gdb)


Of course, instead of "nameoffile" you will see the name of the file you chose before.

Do not worry about any warnings like these you may read in the Terminal app:

They do not interfere in ANY way with the decryption of the .dll files.

After that, you have successfully decrypted the game. Close the Terminal app.

Are you tired? Well, I've got good news for you. You just decrypted the dll (well, every dll, even those that were not encrypted, will be "decrypted"). You're almost done. You just need a few more steps and you'll be able to HACK your game! You can (finally) close the Terminal app!

Moving the file to your PC!

If you browse with your mobile to the path "/sdcard/", you will see the new big file but, since Windows can't see dump files, you have two options to move it to your PC.

1) Enable USB Debugging (better in my opinion)

This way you'll see dump files from your PC. Go to Settings -> About Phone and tap on "Build Number" 7 times. You will unlock the "hidden" developer menu.


Now you will see "Developer Options" inside the "Settings" of your device. Tap on it and check "USB Debugging".


OR

2) Moving this file to a folder

Create a folder on your /sdcard/ path and move this dumped file to the newly created folder. This way Windows should be able to see it.




So, whether you chose 1) or 2), now connect your device to your PC, go to the /sdcard/ directory and move the file (if you followed the 1st option) or the folder (if you followed the 2nd option).



Now copy the file to your computer

Using WinHex
Open the cracked WinHex (extract the downloaded .zip file and double-click on the "WinHex.exe" file). See pic:


Now take a look at the top of WinHex window and click "File" -> "Open" (see pic).





You will see a dialog box similar to the following:



So, go to the folder where you copied the big file and click "Open".

Now, go to "Tools -> "Disk Tools" -> "File Recovery by Type..." (top of WinHex), like the following screenshot:



and a smaller window will pop-up. It should be very similar to the following one:



Click the "+" next to "Programs" (1) and check "Windows exec." (2). Now, select the folder where you want the new files to be generated under "Output Folder" (3).
Ensure "Complete byte-level search" is checked (4) and then click "OK" (5).

The file recovery will now begin and, when it is finished, you'll get a message like this:



Now, reach the location where you saved this file and delete all files with the ".com" extension. They're not needed and may only cause confusion.

The recovered .dll files have weird names, so you have to find Assembly-CSharp.dll by yourself. Assembly-CSharp.dll is always the largest file.

Happy modding!


If you do need help, please reply below!

Credits
iAndroHackerDK (For the tutorial)
SK H Nam A.K.A SKNAM (helped me with winhex)
@P3triiX (Tips about ProcessView)
