[TUTORIAL] How to decrypt Assembly-Csharp.dll file using gcore dump (for encrypted Unity3D games)
Hi fans or modders
Today, i'm going to show you how to decrypt native Assembly-Csharp.dll file using gcore dump and winhex. since there is no tutorials, i decided to make my own tutorial so other peoples don't have to spend their time to teach peoples how to decrypt a native DLL file.
Why i can't open the DLL file on Reflector or JustCompile:
When you open a DLL file, you will see this error
The DLL file does not have MZ/PE headers so windows can't open it. DLL files need MZ/PE headers to be able to open the file. The game company used SecNeo to protect their game and erased MZ/PE headers from DLL file
What is MZ/PE headers?
First, you need:
1. To be an android modder/hacker and CIL and C# knowledge.
2. NET Reflector or JustDecompile software
3. A computer running Windows XP/Vista/7/8/8.1/10
4. Device running Android 4.2.2 and never. previous version might not work. Works with Cyanogenmod 10+, SlimKat/lollipop, PAC... MIUI rom is untested
5. 800 MB of RAM or more. not recommended with 512 MB RAM
6. 300-400 MB free RAM space.
10. Any Unity3D games that is encrypted (Darkness Reborn, Crusaders Quest, Heroes, etc...)
(You can't get the Assembly-Csharp.dll file if you are using the free version of WinHex)
Update your busybox and superuser.
If you are using outdated busybox or superuser, you will need to update it for stabillity. older versions may cause problems. If you are using build-in cyanogenmod superuser, flash SuperSU. build-in superuser is very unstable. Uninstall this abandoned superuser if you have one
For kinguser. It will show a pop-up message about new version of Kinguser software. Press "update" to update it. You can check update manually by open Kinguser app -> Click on gear icon -> Click on Software version and it will update kinguser.
For SuperSU. If there is any update, It will ask you to update SuperSU binary and it will show it on the notification message. Click on it and it will ask you to update SuperSU binary normally or update it via TWRP/CWM. If you choose "normal", it will update it directly without having to reboot a device. if you choose "TWRP/CWM", the device will reboot into custom recovery, flash it and it will reboot your device again
Install BusyBox from playstore. Open the app and grant root access. wait until smart install is fully loaded and you can tap "install". after that, close the app. you can keep the busybox installer or uninstall the busybox installer if you want. The app is just an installer. The busybox binaries are permanently installed on your device.
Install gcore on your device
Download gcore to your device. open any root explorer. copy 2 files "gdb" and "gdbserver" and paste it on /system/bin/ (in ROOT memory -> system -> bin) folder
Remember the package name
You need to remember the package name of the game you are looking for so you can find the pid ID of the game in Terminal app
Method #1
go to https://play.google.com/search the game you are looking for and look at the URL for package name. See the screenshot below
Method #2
Method #3
For Cyanogenmod users. You can go to settings -> apps -> (any apps) and you will see the package name below the title
Decrypt a game on rooted devices
Important: Reboot your phone and close all other running application and make sure you have enough RAM to perform decryption
Make sure you have Terminal app installed on your device. Open Terminal and type
su
hit enter and grant root access.
You will see
root@yourname:/ #
...in terminal.
type
dumpsys meminfo | grep com.*
hit enter and it will show the list of running process. find the package name that you are looking for and look at pid ID. Example Crusaders Quest's package name and pid ID.
118740 kB: com.nhnent.SKQUEST (pid 383 / activities)
Rembemer the pid ID and type
gdb -pid xxxxxx
and hit enter
example
gdb -pid 383
the symbols will be loaded and it will show
(gdb)
...in terminal.
type
gcore /sdcard/anynames
examples
gcore /sdcard/dump
gcore /sdcard/testingmyskill
gcore /sdcard/gcore
gcore /sdcard/samsunggalaxy
gcore /sdcard/darknessreborn
or whatever you want to name the file. hit enter and the terminal will show empty line like this
and wait.... until it says
Saved corefile /sdcard/xxxxxxxx
(gdb)
NOTE: IGNORE THE MEMORY READ FAILED ERRORS. IT DOES NOTHING AT ALL!
after that. you succcessfully decrypted the game. Close the terminal app.
Copy the file to your computer
On your device you will see dumped file on Sdcard/
but a problem is windows can't see the file
so you need to create a folder "a" on sdcard/, move the big dumped file to "a" folder and the windows can see it.
Now copy the file to your computer
Open Cracked Winhex
Open cracked Winhex on your computer. Click "File" -> "Open"
You will see the this dialog box. Go to the folder where you copied the file and open it
Go to "Tools -> "Disk Tools" -> "File Recovery by Type..."
and you will see this dislog box
Click "+" on programs and check "Windows exec.". Select your output folder and choose the folder you want to output. On drop-down, select "Complere byte-level search" and click OK
After recovering the files. You get this message
Go to the location where you recovered the files and delete all .COM files. You don't need it
Close Winhex
What DLL files are encrypted?
This is important. If you don't check what DLL files are encrypted. You might now be able to save DLL file with Reflexil because of missing / encrypted DLL files. You have to find out which DLL files are encrypted. Not just Assembly-Csharp.dll file. Other files can be encrypted too.
Take out "Managed" folder from the APK file (located at assets/bin/data/Managed) select all DLL files and drag and drop onto Reflector or JustDecompile to see which DLL files are encrypted. Click "No" when it ask you to reopen DLL files.
Crusaders Quest have 4 encrypted DLL files
Assembly-CSharp.dll
Assembly-CSharp-firstpass.dll
Assembly-UnityScript.dll
Assembly-UnityScript-firstpass.dll
Heroes only have 1 encrypted file
Assembly-CSharp.dll
Remember the DLL files you need for modding
Clear all opened DLL files from Reflector or JustDecompile. Go to the location where you recovered the files and drag and drop all DLL files. Click "No" when it ask you to reopen DLL files. ignore the DLL errors
Select the DLL file to show the name of the file and the location
Crusaders Quest:
Assembly-CSharp.dll = 000034.dll
Assembly-CSharp-firstpass.dll = 000030.dll
Assembly-UnityScript.dll = 000028.dll
Assembly-UnityScript-firstpass.dll = 000013.dll
Heroes:
Assembly-CSharp.dll = 000021.dll
Rename all DLL files that was encrypted and place it on extracted "Managed" folder
Let's start modding
Go to "Managed" folder and open Assembly-CSharp.dll file with Reflector or JustDecompile. Enjoy modding!
Questions?
If you have any question to this. Post a comment below and i will try to help you.
Does this tutorial confusing you? or does it make non-sense? i will fix the tutorial for you
Credits
iAndroHackerDK (For the tutorial)
some AndroidRepublic members for gcore tips
[TUTORIAL] How to decrypt Assembly-Csharp.dll file using gcore dump (for encrypted Unity3D games)
Reviewed by Unknown
on
8:53 AM
Rating:
How can i encrypt back after mod?
ReplyDeletei use KOPLAYER(emulator android) but i get error this step: gdb -pid 1669
Deletesh: /system/bin/gdb: not executable magic 7f45
Please help me, i'd like dump it!