29 March 2017

How to decrypt an encrypted .dll and other files using Termux app (Root only, 5.0 and up, ARM & x86)

I have found a new way to decrypt .dll and other files using Termux. In this tutorial, I'll show you how to recover the decrypted form of an encrypted .dll file by dumping the running game's memory.

Requirements:
- Rooted device or emulator, ARM or x86.
- A reasonably powerful Android device: 1 GB RAM, 4 cores, 1.5 - 2.x GHz. On a low-end device the phone may freeze during dumping.
- 2 GB of free space on internal storage or the SD card.
- Android 5.0 and up. Works on Marshmallow 6.0.1. Termux will not run on 4.4.4 and below.
- The Termux app. It is available on the Play Store.
- Modified Winhex for Windows (free version will not work for this purpose).

Notes:
No PIE patching is needed: gdb 7.12 natively supports Android 5.0 and up.

If your device is running Kitkat 4.4.4 and below, please read my old tutorial: http://www.iandrohacker.net/2015/11/tutorial-how-to-decrypt-encrypted-dll.html

Does it work on an emulator?
Yes, Termux and GDB work, but memory dumping is not supported there: gcore returns the error "Target does not support core file generation".


Finding the package name of the app:
Find the package name of the app you're going to hack!

This will be required to find the app's process in the terminal app we're going to use soon.
It's usually of the form "com.DEVELOPER_CODE.GAME_CODE".
You can find it by going (in your browser) to the Google Play website, looking up the game you have installed on your device and copying what follows "id=" in the URL.
See screenshot:


Alternatively, you can install Package Name Viewer 2.0 from the Play Store, which lists the package name of every app installed on your device.


If your device is running CyanogenMod/LineageOS, you can go to Settings -> Apps, where the package name of every installed app is shown.


Termux setup and decryption:
Open Termux. It should be very similar to the following one:


Type the following commands:

Tip: apt-get or apt, it doesn't matter. apt-get's most commonly used commands are also available in apt.


apt update
Update package information
This downloads the package lists from the repositories so apt knows the newest versions of the packages and their dependencies.

apt install gdb tsu
Install both gdb and tsu

gdb is a process debugger

tsu is a root mode for Termux.

Press the home button and launch the game. Let the game fully load.

Open the recent apps switcher and go back to Termux.

Type the following commands:

su
Superuser mode
And grant root access to enter superuser mode for your device.

dumpsys meminfo | grep 'com\.'

Show process list
This filters the running-process list down to names containing "com." (the argument is a grep pattern, so it is quoted and the dot is escaped; the original unquoted `com*` works in practice but is expanded by the shell if a matching file exists in the current directory). The package name of the game is always at the top, together with its PID. Don't forget to note it.

exit
Exit Superuser mode

tsu
Root mode for Termux

gdb -pid <pid>

Attach gdb to the running process (use the PID shown by dumpsys).

Example:
gdb -pid 12345

Hit return to continue when asked.

Do not worry about any warnings like these you may read in the Terminal app:


gcore <path>
Save a core file (a full dump of the process memory) to the given path.

Example:
gcore /sdcard/thegametodump

Type Y when asked

This will take 3-5 minutes. Your device may freeze during dumping. Do not touch your device.

quit

Quit gdb
Confirm detaching the process when asked.
Alternatively, you can exit the Termux session from the notification.


Connect your device to your computer and copy the dumped file. If the file does not appear, create a folder and move the file into it; Windows should then be able to see it.

Recover decrypted files using WinHex
Open Winhex.exe
File -> Open... and select a dumped file
Tools -> Disk Tools -> File Recovery by Type


Click the "+" next to "Programs" (1) and check "Windows exec." (2). Now select the folder where you want the new files to be generated under "Output Folder" (3).
Ensure "Complete byte-level search" is checked (4) and then click "OK" (5).

The file recovery will now begin and, when it has finished, you'll get a message like this:


Now go to the output folder and delete all files with the ".com" extension. They're not needed and may only cause confusion.

You can finally close WinHex.
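The same byte-level carve that the WinHex step performs, written here as an added Python example (it is not part of the original post and not WinHex's or Termux's code): it scans a raw dump such as the core file gcore wrote for MZ/PE headers, validates the COFF and optional headers, and sizes each image from its section table so the recovered bytes can be passed to an analysis tool. The sample dump at the bottom is constructed test data; assemblies that Mono read into memory keep their file layout, which is what this sizes.

```python
import struct
import sys

def pe_extent(blob, off):
    """Validate an 'MZ' candidate at off; return its file-layout size, or None."""
    if blob[off:off + 2] != b"MZ" or off + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    # Sanity-limit e_lfanew and require the 'PE\0\0' signature plus a COFF header.
    if e_lfanew > 0x1000 or pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", blob, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]  # SizeOfOptionalHeader
    sect = pe + 24 + opt_size                              # section table start
    if not 1 <= nsec <= 96 or sect + 40 * nsec > len(blob):
        return None
    if struct.unpack_from("<H", blob, pe + 24)[0] not in (0x10B, 0x20B):  # PE32 / PE32+
        return None
    end = sect + 40 * nsec - off                           # headers, relative to off
    for i in range(nsec):                                  # SizeOfRawData, PointerToRawData
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sect + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(blob) - off)  # clamp an image that runs past the dump's end

def carve_pe(blob):
    """Byte-level scan (like WinHex's 'Complete byte-level search'): [(offset, size)]."""
    found, pos = [], blob.find(b"MZ")
    while pos != -1:
        size = pe_extent(blob, pos)
        if size:
            found.append((pos, size))
        pos = blob.find(b"MZ", pos + (size or 1))  # skip over a carved image
    return found

def build_sample_pe(payload):
    """Constructed test data: a minimal PE32 DLL skeleton with one section."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222
    raw_ptr = 0x40 + 24 + 224 + 40
    sec = b".text\0\0\0" + struct.pack("<IIII", len(payload), 0x1000, len(payload), raw_ptr) + b"\0" * 16
    return dos + b"PE\0\0" + coff + opt + sec + payload

SAMPLE_DUMP = (b"\0" * 100 + build_sample_pe(b"decrypted assembly bytes")
               + b"MZ junk" + b"\xff" * 50 + build_sample_pe(b"second"))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for off, size in carve_pe(data):
        print(f"PE image at {off:#x}, {size} bytes")
```

Run it with the path of the core file as the only argument; with no argument it scans the constructed sample and reports two images while ignoring the stray "MZ" between them.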

Happy modding!

Credits:
iAndroHacker
x-ways devs (Winhex program)

Fredrik (Termux app)
