[TUTORIAL] Decrypt Assembly-CSharp.dll for encrypted Unity3D games

Discussion in 'Tutorial' started by Droid, Sep 6, 2017.

  1. Droid

    Droid United States Knowledged Soul Support



    Today I'm going to show you how to recover a decrypted Assembly-CSharp.dll from a SecNeo-protected Unity3D game using a gcore memory dump and WinHex. Since there were no tutorials, I decided to write my own so that other people don't have to spend their time teaching others how to get at a protected DLL.

    Why can't I open the DLL file in Reflector or JustDecompile?
    When you open the DLL file, you will see this error
    [​IMG]


    The DLL file on disk has no MZ/PE headers, so Windows (and any .NET decompiler) cannot load it; a DLL needs valid MZ/PE headers to be loaded. The game company used SecNeo to protect the game, and SecNeo leaves the DLL encrypted on disk without its MZ/PE headers. The plaintext assembly, headers included, only exists in memory once the game has loaded it, which is why the memory dump below works.


    What are MZ/PE headers?
    See DOS MZ executable on Wikipedia
    See Portable Executable on Wikipedia


    First, you need:
    1. To be an Android modder/hacker with CIL and C# knowledge.
    2. .NET Reflector or JustDecompile.
    3. A rooted Android device.
    4. A computer running Windows XP/Vista/7/8/8.1/10.
    5. A device running Android 4.2.2 or newer; older versions might not work. Works with CyanogenMod 10+, SlimKat/Lollipop, PAC... MIUI ROMs are untested.
    6. 800 MB of RAM or more; not recommended with 512 MB of RAM.
    7. 300-400 MB of free RAM.
    8. The latest version of SuperSU or Kingroot.
    9. The latest version of BusyBox (current version is 1.23.2-Stericson).
    10. A terminal app.
    11. Any Unity3D game that is encrypted (Darkness Reborn, Crusaders Quest, Heroes, etc.).
    12. gcore installed on your device. Click here to download.
    13. Any root explorer app installed on your Android device. I recommend Root File Manager.
    14. Cracked WinHex.
    (You can't get the Assembly-CSharp.dll file if you are using the free version of WinHex.)


    Update your BusyBox and superuser.
    If you are using an outdated BusyBox or superuser, update it for stability; older versions may cause problems. If you are using the built-in CyanogenMod superuser, flash SuperSU instead: the built-in superuser is very unstable. Uninstall that abandoned superuser if you have it.



    For Kinguser: it will show a pop-up message about a new version of the Kinguser software. Press "update" to update it. You can also check for updates manually: open the Kinguser app -> tap the gear icon -> tap "Software version" and it will update Kinguser.



    [​IMG]


    For SuperSU: if there is an update, it will ask you to update the SuperSU binary and show it as a notification. Tap it and it will ask whether to update the SuperSU binary normally or via TWRP/CWM. If you choose "normal", it updates directly without rebooting the device. If you choose "TWRP/CWM", the device reboots into the custom recovery, flashes it and reboots your device again.



    [​IMG]


    Install BusyBox from the Play Store. Open the app and grant it root access. Wait until the smart install has fully loaded, then tap "install". After that, close the app. You can keep or uninstall the BusyBox installer; the app is just an installer, and the BusyBox binaries stay installed on your device.



    [​IMG][​IMG]

    Install gcore on your device
    You need a root explorer installed on your device. I recommend Root File Manager.


    Download gcore to your device, open the root explorer, copy the two files "gdb" and "gdbserver" and paste them into /system/bin/ (in ROOT memory -> system -> bin). gcore is a command inside gdb, which is why the download is the gdb binary itself.



    [​IMG]

    [​IMG]


    Remember the package name
    You need to know the package name of the game so you can find its PID in the terminal app.


    Method #1
    Go to https://play.google.com/, search for the game and look at the URL for the package name (the id= parameter). See the screenshot below


    [​IMG]


    Method #2
    Install the Package Name Viewer app from the Play Store and find the game you are looking for


    [​IMG]


    Method #3
    For CyanogenMod users: go to Settings -> Apps -> (any app) and you will see the package name below the title


    [​IMG]


    Decrypt a game on a rooted device
    Important: reboot your phone, close all other running applications and make sure you have enough free RAM to perform the dump


    Make sure you have a terminal app installed on your device. Open the terminal and type

    su



    Hit enter and grant root access.


    [​IMG]


    You will see

    root@yourname:/ #



    ...in terminal.


    [​IMG]


    type

    dumpsys meminfo | grep com.*



    [​IMG]


    Hit enter and it will show the list of running processes. Find the package name you are looking for and note its PID. Example: Crusaders Quest's package name and PID:

    118740 kB: com.nhnent.SKQUEST (pid 383 / activities)



    [​IMG]


    Remember the PID and type

    gdb -pid xxxxxx



    and hit enter


    [​IMG]


    example

    gdb -pid 383



    The symbols will be loaded and it will show
    (gdb)



    ...in terminal.


    type

    gcore /sdcard/anyname



    [​IMG]


    examples

    gcore /sdcard/dump
    gcore /sdcard/testingmyskill
    gcore /sdcard/gcore
    gcore /sdcard/samsunggalaxy
    gcore /sdcard/darknessreborn



    or whatever you want to name the file. Hit enter and the terminal will show an empty line like this







    [​IMG]


    and wait... until it says

    Saved corefile /sdcard/xxxxxxxx
    (gdb)





    [​IMG]


    NOTE: ignore the "memory read failed" errors; they do not affect the dump.


    After that you have successfully dumped the decrypted game. Close the terminal app.


    Copy the file to your computer
    On your device you will see the dumped file in /sdcard/


    [​IMG]


    but the problem is that Windows can't see the file


    [​IMG]


    so you need to create a folder "a" on /sdcard/ and move the big dumped file into the "a" folder; then Windows can see it.


    [​IMG]


    [​IMG]


    Now copy the file to your computer
    [​IMG]


    Open cracked WinHex
    Open cracked WinHex on your computer. Click "File" -> "Open"


    [​IMG]


    You will see this dialog box. Go to the folder where you copied the file and open it


    [​IMG]


    Go to "Tools" -> "Disk Tools" -> "File Recovery by Type..."


    [​IMG]


    and you will see this dialog box


    Click "+" on Programs and check "Windows exec.". Select the folder you want the output in. In the drop-down, select "Complete byte-level search" and click OK


    [​IMG]


    After recovering the files, you get this message


    [​IMG]


    Go to the location where you recovered the files and delete all .COM files. You don't need them.


    Close WinHex


    What DLL files are encrypted?
    This is important. If you don't check which DLL files are encrypted, you might not be able to save the DLL with Reflexil because of missing/encrypted dependencies. You have to find out which DLL files are encrypted, not just Assembly-CSharp.dll; other files can be encrypted too.


    Take the "Managed" folder out of the APK (located at assets/bin/Data/Managed), select all DLL files and drag and drop them onto Reflector or JustDecompile to see which DLL files are encrypted. Click "No" when it asks you to reopen DLL files.


    [​IMG]


    Crusaders Quest has 4 encrypted DLL files
    Assembly-CSharp.dll
    Assembly-CSharp-firstpass.dll
    Assembly-UnityScript.dll
    Assembly-UnityScript-firstpass.dll


    Heroes has only 1 encrypted file
    Assembly-CSharp.dll
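The two WinHex steps above (carving "Windows exec." files out of the dump, then checking which Managed/ DLLs lack a header) can also be done with a short script. What follows is an added example written for this page; it is not the original poster's tool and not part of WinHex or SecNeo. It scans a gcore dump for MZ/PE headers, writes each image out sized from its section table (the same file-layout carving WinHex does), flags whether the image carries a CLR header (which is what makes it a managed assembly Reflector can open), and reports which DLLs in an extracted Managed/ folder have no usable header. The `build_sample_dll()` image and the demo dump are constructed test data, not bytes from any game, and the file name `carve_pe.py` is just a suggestion.

```python
"""Carve PE images out of a raw process dump (a gdb `gcore` file) and report which
DLLs in a Unity Managed/ folder have no usable MZ/PE header.

Added example for this tutorial, not the original poster's tool. Mono parses a
managed assembly by raw file offsets, so the decrypted copy in memory keeps the
on-disk layout and can be carved by walking MZ -> PE -> section table, which is
what WinHex's "Windows exec." recovery relies on too."""
import mmap
import os
import struct

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-zero only in .NET assemblies


def parse_pe(buf, off=0):
    """Validate the MZ/PE headers at buf[off]; return image facts or None."""
    n = len(buf)
    if off + 0x40 > n or buf[off:off + 2] != MZ:
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    if not 0x40 <= e_lfanew <= 0x1000 or pe + 24 > n or buf[pe:pe + 4] != PE_SIG:
        return None
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    opt = pe + 24
    if not 1 <= nsections <= 96 or opt + opt_size + 40 * nsections > n:
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x10B:        # PE32: data directories start 96 bytes into the optional header
        dd = opt + 96
    elif magic == 0x20B:      # PE32+: 112 bytes in
        dd = opt + 112
    else:
        return None
    if opt + opt_size < dd:   # optional header too short to hold a data directory
        return None
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]
    nrva = struct.unpack_from("<I", buf, dd - 4)[0]  # NumberOfRvaAndSizes
    managed = False
    if nrva > CLR_DIRECTORY_INDEX and dd + 8 * (CLR_DIRECTORY_INDEX + 1) <= opt + opt_size:
        clr_rva, clr_size = struct.unpack_from("<II", buf, dd + 8 * CLR_DIRECTORY_INDEX)
        managed = clr_rva != 0 and clr_size != 0
    # File layout: the image ends where the last section's raw data ends.
    file_size = 0
    for i in range(nsections):
        _, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", buf, opt + opt_size + 40 * i)
        file_size = max(file_size, raw_ptr + raw_size)
    if file_size == 0:
        return None
    return {"machine": machine, "sections": nsections, "file_size": file_size,
            "size_of_image": size_of_image, "managed": managed}


def carve_pe_images(buf):
    """Yield (offset, info, image_bytes) for every valid PE image found in buf."""
    pos, n = 0, len(buf)
    while True:
        off = buf.find(MZ, pos)
        if off < 0:
            return
        info = parse_pe(buf, off)
        if info is None:          # "MZ" that is not a real header: step past it
            pos = off + 1
            continue
        end = min(off + info["file_size"], n)
        yield off, info, bytes(buf[off:end])
        pos = end


def carve_dump_file(dump_path, out_dir):
    """Write every PE image in a gcore dump to out_dir; return the file names."""
    os.makedirs(out_dir, exist_ok=True)
    written = []
    with open(dump_path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        for off, info, image in carve_pe_images(mm):
            name = f"{off:012x}_{'managed' if info['managed'] else 'native'}.dll"
            with open(os.path.join(out_dir, name), "wb") as out:
                out.write(image)
            written.append(name)
    return written


def classify_dll(data):
    """Say whether a DLL taken from the APK's Managed/ folder has a usable header."""
    info = parse_pe(data)
    if info is None:
        return "no MZ/PE header (encrypted or stripped; dump it from memory)"
    if info["managed"]:
        return "managed assembly (opens in Reflector/JustDecompile)"
    return "native PE image, not a .NET assembly"


def check_managed_folder(managed_dir):
    """Return {file name: classification} for every .dll in an extracted Managed/ folder."""
    report = {}
    for name in sorted(os.listdir(managed_dir)):
        if name.lower().endswith(".dll"):
            with open(os.path.join(managed_dir, name), "rb") as f:
                report[name] = classify_dll(f.read(0x2000))  # headers are enough
    return report


def build_sample_dll(managed=True):
    """Constructed test data: a minimal PE32 image with one 0x200-byte section."""
    dos = bytearray(0x40)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    opt_size = 224                                                # standard PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<II", opt, 32, 0x2000, 0x200)               # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x4000, 0x200)               # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + 8 * CLR_DIRECTORY_INDEX, 0x2008, 72)  # CLR header
    sec = struct.pack("<8sIIIIIIHHI", b".text\x00\x00\x00", 0x200, 0x2000, 0x200, 0x200,
                      0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + PE_SIG + coff + bytes(opt) + sec).ljust(0x200, b"\x00")
    return headers + bytes(range(256)) * 2                        # 0x400 bytes in total


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(carve_dump_file(sys.argv[1], sys.argv[2]))
    else:  # offline demo: noise, a decoy "MZ", one managed image, more noise
        demo = b"\x00" * 100 + b"MZ not a header" + b"\xcc" * 50 + build_sample_dll() + b"\xff" * 30
        for off, info, image in carve_pe_images(demo):
            print(hex(off), info, len(image))
```

Run it as `python carve_pe.py /path/to/dump ./carved` to get one file per image, named by its offset in the dump and tagged managed or native; only the managed ones are candidates for Assembly-CSharp.dll and friends, and nothing else is written, so there are no .COM leftovers to delete. Two caveats: the size comes from the section table, so an image that a loader had mapped section by section instead of keeping in file layout would be cut short (SizeOfImage is also returned for that case), and the order of offsets in the dump says nothing about which carved file is which assembly, so identify them in Reflector as the tutorial does rather than by number.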


    Remember the DLL files you need for modding
    Clear all opened DLL files from Reflector or JustDecompile. Go to the location where you recovered the files and drag and drop all the DLL files. Click "No" when it asks you to reopen DLL files and ignore the DLL errors.


    Select a DLL to show the assembly name and the file location


    [​IMG]


    Crusaders Quest:
    Assembly-CSharp.dll = 000034.dll
    Assembly-CSharp-firstpass.dll = 000030.dll
    Assembly-UnityScript.dll = 000028.dll
    Assembly-UnityScript-firstpass.dll = 000013.dll


    Heroes:
    Assembly-CSharp.dll = 000021.dll


    Rename all the DLL files that were encrypted and place them in the extracted "Managed" folder


    [​IMG]


    Let's start modding
    Go to the "Managed" folder and open Assembly-CSharp.dll with Reflector or JustDecompile. Enjoy modding!


    Questions?
    If you have any questions about this, post a comment below and I will try to help you.


    Does this tutorial confuse you, or does it make no sense? I will fix the tutorial for you.


    Credits
    iAndroHackerDK (For the tutorial)
    SK H Nam A.K.A SKNAM ( ALEXMATA)
     












  2. qqq131ppp

    qqq131ppp New Zealand Leecher



    Hey Droid!

    Do you have tips or tutorials on how to encrypt the dll back to its original form? I am having problems running the APK after editing the file.
     












  3. Droid

    Droid United States Knowledged Soul Support



    You would most likely need to re-download a clean version of it.
     












  4. qqq131ppp

    qqq131ppp New Zealand Leecher



    Hey man! Thanks for the tips! I did re-download the latest version of Crusader's Quest but I could not find any DLLs anymore under the assets/bin/Data/Managed folder.

    Do you know if this game is still moddable?
     












  5. Droid

    Droid United States Knowledged Soul Support















  6. Droid

    Droid United States Knowledged Soul Support



    Also, I only took a quick glance at the game so I can't really say too much about it.
     












  7. qqq131ppp

    qqq131ppp New Zealand Leecher



    Thanks Droid! I will play around with IDA and see what I can do.
     












  8. qqq131ppp

    qqq131ppp New Zealand Leecher



    Hey Droid, I am having no luck in modding Crusader's Quest at the moment.

    I was wondering if you are up to do a teamviewer session with me to try mod Crusader's Quest and I'll pay for a successful mod? Or better yet, If you could mod CQ for me and I'll pay you.

    Please let me know!
     











