23 May 2016

[Tutorial] Invalid RVA Address error workaround

As we already know, since v1.9.0 all the library files have been encrypted and we can no longer change them easily using .NET Reflector.

Tool that we need:
- CFF Explorer.
- HxD or Hex Workshop
- .NET Reflector with Reflexil.

Step by step:
1 - Extract/decompile the APK file using Apktool, or open the APK with WinRAR, go to /assets/bin/data/ and extract the Managed folder. Go to the location of Assembly-CSharp.dll and open it with CFF Explorer.
2 - Go to the ".NET Directory" section; you will see something like this.

3 - Take a look at that "MetaData RVA". If you open this file in .NET Reflector, it will show you an error like this.

4 - Now, change that MetaData RVA from E9AAC908 to 001AF31C (I will tell you the reason later).
Save it and re-open.

5 - Now go to the "MetaData Header" section; at "Signature", change the Value to 424A5342 (this is the string "BSJB" in hex).

6 - Go to "MetaData Streams" and add 4 to each offset. You will have something like this.

7 - Save it. Now open it again with .NET Reflector and see the miracle. But don't be happy yet; the real hell starts now if you want to mod.

8 - If you try to open any function inside Assembly-CSharp.dll via .NET Reflector, it will give you an error like this pic and won't show any op codes.

9 - So what do we do now?
This time, I will use the method "setTimeAcceleration" as an example. You can do the same for any other method.
Select it, look at the Reflexil window, go to the Attributes tab and check the RVA field.

10 - Back in CFF Explorer, go to "Section Headers [x]" and note the two values in the "Virtual Address" and "Raw Address" columns on the ".text" row.

11 - The general formula is: Physical Address = RVA - Virtual Address + Raw Address + [X]
In this case, the physical address of that function is C8DC0 - 2000 + 200 + C = C6FCC
(C8DC0 in hex = 822720 in decimal)

(As for the number [X], I cannot fully explain it, because it can take different values. For example, when I searched for the method "getBaseATK", [X] had to be 1 to land on the physical address we needed to change, but for the method "setTimeAcceleration", [X] = 12 = C in hex. I got this number after many calculations; I hope someone can explain it.)

12 - Go back to .NET Reflector, still in the Reflexil window, go to the Instructions tab, and you will notice that the op codes still look familiar from the previous version.
For the "setTimeAcceleration" function, we need to change the op code in the two following parts.

Look at that offset. Now we need to re-calculate the address we need to change.

C6FCC + 6D = C7039

Voila~
In case you need it, here are the values for the speed change function.

1x - 22 00 00 80 3f
2x - 22 00 00 00 40
3x - 22 00 00 40 40
4x - 22 00 00 80 40
5x - 22 00 00 a0 40
10x - 22 00 00 20 41
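The address arithmetic in steps 9 to 12 and the byte table above are worth checking mechanically, both to confirm the numbers and to understand the mystery [X]. The following Python is an added example written for this post, not code from the tutorial's author or from any of the tools it names. Two facts it relies on are standard parts of the PE and ECMA-335 formats: the RVA Reflexil shows is the start of the CIL method header, and IL instruction offsets are counted from the first byte after that header, so [X] is simply the header length: 1 byte for a tiny header (low two bits of the first byte are 10b) and 12 bytes for the usual fat header (low two bits 11b, size nibble 3 × 4), which is why getBaseATK needed 1 and setTimeAcceleration needed C. The byte 22 in the table is the ldc.r4 opcode, and the four bytes after it are a little-endian IEEE-754 single, so the table can be decoded rather than trusted. The section size and the two sample method headers are constructed values, since the post does not show them; the Virtual Address, Raw Address, RVA and IL offset are the ones from the post.

```python
import struct

# Values the tutorial reads off CFF Explorer and Reflexil for Assembly-CSharp.dll.
TEXT_VIRTUAL_ADDRESS = 0x2000        # ".text" row, "Virtual Address" column
TEXT_RAW_ADDRESS = 0x200             # ".text" row, "Raw Address" column
TEXT_VIRTUAL_SIZE = 0xD0000          # constructed: the post does not show the section size
SET_TIME_ACCELERATION_RVA = 0xC8DC0  # Reflexil "RVA" attribute (822720 in decimal)

# (virtual_address, virtual_size, raw_address) for each PE section; only .text is needed here.
SECTIONS = [(TEXT_VIRTUAL_ADDRESS, TEXT_VIRTUAL_SIZE, TEXT_RAW_ADDRESS)]

# Constructed CIL method headers (hypothetical bytes, not read from the game's DLL).
# Tiny header: one byte, low 2 bits = 0b10, code size in the upper 6 bits (here 26 bytes).
TINY_HEADER = bytes.fromhex("6a")
# Fat header: WORD flags/size 0x3013 (low 2 bits = 0b11, size nibble 3 -> 12 bytes),
# WORD MaxStack 8, DWORD CodeSize 0x80, DWORD LocalVarSigTok 0.
FAT_HEADER = bytes.fromhex("1330" "0800" "80000000" "00000000")

CIL_TINY_FORMAT = 0x2
CIL_FAT_FORMAT = 0x3
LDC_R4 = 0x22  # CIL ldc.r4 opcode, followed by a 4-byte little-endian float32


def rva_to_file_offset(rva, sections=SECTIONS):
    """Standard PE translation: offset = RVA - section VirtualAddress + PointerToRawData."""
    for virtual_address, virtual_size, raw_address in sections:
        if virtual_address <= rva < virtual_address + virtual_size:
            return rva - virtual_address + raw_address
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def method_header_size(header):
    """Length of the CIL method header that precedes the IL bytes (the tutorial's [X])."""
    kind = header[0] & 0x3
    if kind == CIL_TINY_FORMAT:
        return 1
    if kind == CIL_FAT_FORMAT:
        flags_and_size = struct.unpack_from("<H", header, 0)[0]
        return ((flags_and_size >> 12) & 0xF) * 4   # size is stored in DWORDs
    raise ValueError(f"byte {header[0]:#x} does not start a CIL method header")


def il_file_offset(method_rva, header, il_offset, sections=SECTIONS):
    """File offset of the IL instruction at il_offset inside the method at method_rva."""
    return rva_to_file_offset(method_rva, sections) + method_header_size(header) + il_offset


def decode_ldc_r4(instruction):
    """Return the float32 immediate of a 5-byte ldc.r4 instruction."""
    if len(instruction) != 5 or instruction[0] != LDC_R4:
        raise ValueError("expected a 5-byte ldc.r4 instruction")
    return struct.unpack("<f", instruction[1:])[0]


# The byte table from the post, keyed by the speed label it gives.
SPEED_TABLE = {
    "1x": "220000803f",
    "2x": "2200000040",
    "3x": "2200004040",
    "4x": "2200008040",
    "5x": "220000a040",
    "10x": "2200002041",
}


def decoded_speed_table():
    """Decode every entry of the post's table to the float it actually loads."""
    return {label: decode_ldc_r4(bytes.fromhex(h)) for label, h in SPEED_TABLE.items()}


if __name__ == "__main__":
    start = il_file_offset(SET_TIME_ACCELERATION_RVA, FAT_HEADER, 0)
    target = il_file_offset(SET_TIME_ACCELERATION_RVA, FAT_HEADER, 0x6D)
    print(f"method body starts at file offset {start:#x}, IL+6D is at {target:#x}")
    for label, value in decoded_speed_table().items():
        print(f"{label:>3}: {value}")
```

Running it reproduces the post's arithmetic (0xC6FCC for the method body, 0xC7039 for IL offset 6D) and shows each table row decoding to the speed in its label, which is the check an analyst would want before concluding that a modified DLL does what a tutorial claims. The header parsing is also what lets the same arithmetic work for a tiny-header method such as getBaseATK without guessing [X].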

Good luck.

P/S: This isn't the only way to mod, and it's not perfect, so I hope anyone with a better solution will share it. <3
