$MEVIUS-PROJECT#
Key: SQUARE-ENIX-BD1%
CipherMode: CBCOffset | Size | Description |
0x00 | 16 bytes | AES IV - Treat as UTF8 bytes |
0x16 | varies | Compressed data |
Offset | Size | Description |
0x00 | 4 bytes | Probably entries count |
0x04 | EntryCount*48 | Entry |
Offset | Size | Description |
0x00 | 40 bytes | ANSI file relative path |
0x28 | unsigned int | File revision (uint) |
0x2C | int | File size |
Decrypted Assembly-CSharp.dll (PC):
https://yadi.sk/d/dI9_Cqw_3ECdtr
Thanks! What was the obfuscation?Idk, just dump the game process and look at the dump via HEX-editor. (:
EDIT: Oh, there's a debug menu. :D
.text:0000000180001020 arg_0 = dword ptr 8
.text:0000000180001020
.text:0000000180001020 mov [rsp+arg_0], ecx
.text:0000000180001024 xor edx, edx
.text:0000000180001026 mov r8d, 0FFFFFFFEh
.text:000000018000102C lea r10, byte_18005B090
.text:0000000180001033 lea r9, byte_18005C950
.text:000000018000103A nop word ptr [rax+rax+00h]
.text:0000000180001040
.text:0000000180001040 loc_180001040: ; CODE XREF: getCryKey2+57j
.text:0000000180001040 lea eax, [r8-1]
.text:0000000180001044 mov rcx, r8
.text:0000000180001047 add rdx, 2
.text:000000018000104B and eax, 3
.text:000000018000104E and ecx, 3
.text:0000000180001051 add r8d, 2
.text:0000000180001055 movzx eax, byte ptr [rsp+rax+arg_0]
.text:000000018000105A movzx ecx, byte ptr [rsp+rcx+arg_0]
.text:000000018000105F xor al, [rdx+r10-2]
.text:0000000180001064 xor cl, [rdx+r10-1]
.text:0000000180001069 mov [rdx+r9-2], al
.text:000000018000106E mov [rdx+r9-1], cl
.text:0000000180001073 cmp rdx, 22h
.text:0000000180001077 jl short loc_180001040
.text:0000000180001079 mov rax, r9
.text:000000018000107C retn
$MEVIUS-PROJECT#,SQUARE-ENIX-BD1%
"pc",
"mon",
"npc",
"weapon",
"guardian",
"fa",
"summon",
"test",
"exte"
cache.jp.mobiusfinalfantasy.com/asset/20170217_1633/mobius_data_middle/win/Hash/a1/092b86e0aa0970e80dbc9bc152fbe3_win.unity3d
Decrypted Assembly-CSharp.dll (PC):
https://yadi.sk/d/dI9_Cqw_3ECdtr
This is jp version because it has only Japanese servers and assets list encoded to download. Original file has damaged meta-data header (the magic net header I forgot now), it's not really obfuscated, just protected from IL decompiling. Net unpacker doesn't work with this, you have to rip the dll manually or find a way to fix this header.
It's "BSJB" (0x424A5342) DWORD missing in metadata section (probably). I have no idea how to locate it.
This may be extremely helpful:
https://www.codeproject.com/Articles/12585/The-NET-File-Format
On CFF explorer author site I found SNSRemover, a software that removes signature from .NET assembly, maybe they used that?