Author Topic: Mobius Final Fantasy [Unity]  (Read 1892 times)

Maki

  • Lana Del Rey
  • Insane poster
  • *
  • Posts: 412
  • Karma: 76
  • Final Fantasy VIII reverse team
    • View Profile
Mobius Final Fantasy [Unity]
« on: 2016-08-07 10:32:19 »
mobiusff_Data/mobius_data/Hash/...
Compressed Unity3D standalone files with MD5 hash names
Opeanable/decompressable with UnityEx 1.4.3
After decompressing, real package name is at: 0x40. Example name: CAB-b90836_android (terminated with /0)

About fileformats:
MUSIC:
example: music_saranotheme.txt is in AKB2 container. In order to make it working OGG delete 320 bytes from start, so the file starts with OggS header. Voila

Textures:
DXT

AES crypt
e.g. assetList_hash_win.dat is AES crypted
AES128
IV :
Code: [Select]
$MEVIUS-PROJECT#Key:
Code: [Select]
SQUARE-ENIX-BD1%CipherMode: CBC
PaddingMode: ISO10126


assetList_hash_win.dat
OffsetSizeDescription
0x0016 bytesAES IV - Treat as UTF8 bytes
0x16variesCompressed data

Deciphered:
OffsetSizeDescription
0x004 bytesProbably entries count
0x04EntryCount*48Entry

ENTRY:
OffsetSizeDescription
0x0040 bytesANSI file relative path
0x28unsigned intFile revision (uint)
0x2CintFile size


Example MD5 file names:

Text/CutScene/ev_0000_010/ev_0000_010TxtRes__jp

Full JP filelist:
http://cache.jp.mobiusfinalfantasy.com/asset/20170127_0007/mobius_data_middle/win/assetList_hash_win_JP.bin (unknown format, probably AES with default IV and key, too lazy to test UPDATE:Nope, doesn't work)
http://cache.jp.mobiusfinalfantasy.com/asset/20170217_1633/mobius_data_middle/win/managementList_hash_win_JP.txt
http://cache.jp.mobiusfinalfantasy.com/asset/20170217_1633/mobius_data_middle/win/datasheetList_hash_win_JP.txt
« Last Edit: 2017-02-17 19:21:41 by Maki »

Albeoris

  • Cool newbie
  • *
  • Posts: 51
  • Karma: 11
    • View Profile
    • FFRTT
Re: Mobius Final Fantasy (Android/iOS) [Unity]
« Reply #1 on: 2017-02-17 10:24:18 »
Decrypted Assembly-CSharp.dll (PC):
https://yadi.sk/d/dI9_Cqw_3ECdtr

Maki

  • Lana Del Rey
  • Insane poster
  • *
  • Posts: 412
  • Karma: 76
  • Final Fantasy VIII reverse team
    • View Profile
Re: Mobius Final Fantasy (Android/iOS) [Unity]
« Reply #2 on: 2017-02-17 11:44:15 »
Decrypted Assembly-CSharp.dll (PC):
https://yadi.sk/d/dI9_Cqw_3ECdtr

Thanks! What was the obfuscation?

EDIT: Oh, there's a debug menu. :D
« Last Edit: 2017-02-17 11:48:29 by Maki »

Albeoris

  • Cool newbie
  • *
  • Posts: 51
  • Karma: 11
    • View Profile
    • FFRTT
Re: Mobius Final Fantasy (Android/iOS) [Unity]
« Reply #3 on: 2017-02-17 12:58:29 »
Thanks! What was the obfuscation?

EDIT: Oh, there's a debug menu. :D
Idk, just dump the game process and look at the dump via HEX-editor. (:

Maki

  • Lana Del Rey
  • Insane poster
  • *
  • Posts: 412
  • Karma: 76
  • Final Fantasy VIII reverse team
    • View Profile
Re: Mobius Final Fantasy (Android/iOS) [Unity]
« Reply #4 on: 2017-02-17 13:33:42 »
Okay, the AssetList_hash_win.dat is AES secured

IV = is the first 16 characters, grab them as ASCII to string and convert by Encoding.UTF8 to bytes
Key = Key is calculated from 64-bit library of NativeLibrary.dll, function getCryKey2. Get's one uint argument which in code is passed as MainLoop.key (which is null uint)

Code is:
Code: [Select]
.text:0000000180001020 arg_0           = dword ptr  8
.text:0000000180001020
.text:0000000180001020                 mov     [rsp+arg_0], ecx
.text:0000000180001024                 xor     edx, edx
.text:0000000180001026                 mov     r8d, 0FFFFFFFEh
.text:000000018000102C                 lea     r10, byte_18005B090
.text:0000000180001033                 lea     r9, byte_18005C950
.text:000000018000103A                 nop     word ptr [rax+rax+00h]
.text:0000000180001040
.text:0000000180001040 loc_180001040:                          ; CODE XREF: getCryKey2+57j
.text:0000000180001040                 lea     eax, [r8-1]
.text:0000000180001044                 mov     rcx, r8
.text:0000000180001047                 add     rdx, 2
.text:000000018000104B                 and     eax, 3
.text:000000018000104E                 and     ecx, 3
.text:0000000180001051                 add     r8d, 2
.text:0000000180001055                 movzx   eax, byte ptr [rsp+rax+arg_0]
.text:000000018000105A                 movzx   ecx, byte ptr [rsp+rcx+arg_0]
.text:000000018000105F                 xor     al, [rdx+r10-2]
.text:0000000180001064                 xor     cl, [rdx+r10-1]
.text:0000000180001069                 mov     [rdx+r9-2], al
.text:000000018000106E                 mov     [rdx+r9-1], cl
.text:0000000180001073                 cmp     rdx, 22h
.text:0000000180001077                 jl      short loc_180001040
.text:0000000180001079                 mov     rax, r9
.text:000000018000107C                 retn

EDIT: The file names are casual MD5, nothing much
I'll try to hack into process and grab the key from memory

UPDATE: There's some exception protection as it's throwing them like a crazy when started (may be related to webview of news) so it kind of kills my IDA64, attaching later to process after finishing web activity loading doesn't trigger getCryKey2 anymore (it's only at the semi-beginning to set the AESIV and AESKEY and is not used anymore. I'm still digging. Anyway, I found this:
Code: [Select]
$MEVIUS-PROJECT#,SQUARE-ENIX-BD1%

It has 33 characters
The managed code gets IntPtr to result of the getCryKey2, treats it via Marshal as ANSI text and splits to IV and key via string.split based on ',' character.
meaning, that this may be the secret key:
$MEVIUS-PROJECT# - for default IV
SQUARE-ENIX-BD1% - for default key
both have 16 characters, so 128bit, looks fine. Let's see..
@UPDATE

Yep:
AES128
IV : $MEVIUS-PROJECT#
Key: SQUARE-ENIX-BD1%
CipherMode.CBC
PaddingMode.ISO10126

What if they have seen that extracting Final Fantasy IX code was easy so they obfuscated the IL assembly and hid the key in AMD64 (x86-64) DLL?  8)
Well, not really the key is hidden. Just let Mobius run and generate the keys, then attach to process, find NativePlugins DLL and getCryKey2 function and jump to byte array at getCryKey2+C. They don't flush the buffer after saving the key to managed Mevius.App.Api.AesKey and Mevius.App.Api.IV

@UPDATE3:
Found the dictionary for fileList, the two unknowns in entries are: fileRevision and fileSize

Content categories. First character is first hash name (not the files, it's far more complicated xD)
Code: [Select]
"pc",
"mon",
"npc",
"weapon",
"guardian",
"fa",
"summon",
"test",
"exte"


Now the server:
Sample HTTP 1.1 GET request for asset file:
Code: [Select]
cache.jp.mobiusfinalfantasy.com/asset/20170217_1633/mobius_data_middle/win/Hash/a1/092b86e0aa0970e80dbc9bc152fbe3_win.unity3d

Info file:
http://web.jp.mobiusfinalfantasy.com/asset/mobius_info_JP.txt
« Last Edit: 2017-02-17 17:10:26 by Maki »

yubikiri

  • Newbie
  • *
  • Posts: 4
  • Karma: 0
    • View Profile
Re: Mobius Final Fantasy (Android/iOS) [Unity]
« Reply #5 on: 2017-02-23 02:09:22 »
Decrypted Assembly-CSharp.dll (PC):
https://yadi.sk/d/dI9_Cqw_3ECdtr

It says (PC), which version the original file, was it steam jp?
was it obfuscated dll or encrypted one btw? since there is invalid RVA warning

Maki

  • Lana Del Rey
  • Insane poster
  • *
  • Posts: 412
  • Karma: 76
  • Final Fantasy VIII reverse team
    • View Profile
Re: Mobius Final Fantasy [Unity]
« Reply #6 on: 2017-02-23 09:08:08 »
This is jp version because it has only Japanese servers and assets list encoded to download. Original file has damaged meta-data header (the magic net header I forgot now), it's not really obfuscated, just protected from IL decompiling. Net unpacker doesn't work with this, you have to rip the dll manually or find a way to fix this header.

yubikiri

  • Newbie
  • *
  • Posts: 4
  • Karma: 0
    • View Profile
Re: Mobius Final Fantasy [Unity]
« Reply #7 on: 2017-02-23 09:36:20 »
This is jp version because it has only Japanese servers and assets list encoded to download. Original file has damaged meta-data header (the magic net header I forgot now), it's not really obfuscated, just protected from IL decompiling. Net unpacker doesn't work with this, you have to rip the dll manually or find a way to fix this header.

woah, so that is how it is, i've been messing with the global version and no luck yet.
it's always ended up with *Object reference not set to an instance of an object.*
thanks for the heads up

Maki

  • Lana Del Rey
  • Insane poster
  • *
  • Posts: 412
  • Karma: 76
  • Final Fantasy VIII reverse team
    • View Profile
Re: Mobius Final Fantasy [Unity]
« Reply #8 on: 2017-02-23 10:21:58 »
It's "BSJB" (0x424A5342) DWORD missing in metadata section (probably). I have no idea how to locate it.

This may be extremely helpful:
https://www.codeproject.com/Articles/12585/The-NET-File-Format

On CFF explorer author site I found SNSRemover, a software that removes signature from .NET assembly, maybe they used that?
« Last Edit: 2017-02-23 10:33:25 by Maki »

yubikiri

  • Newbie
  • *
  • Posts: 4
  • Karma: 0
    • View Profile
Re: Mobius Final Fantasy [Unity]
« Reply #9 on: 2017-02-23 10:49:56 »
It's "BSJB" (0x424A5342) DWORD missing in metadata section (probably). I have no idea how to locate it.

This may be extremely helpful:
https://www.codeproject.com/Articles/12585/The-NET-File-Format

On CFF explorer author site I found SNSRemover, a software that removes signature from .NET assembly, maybe they used that?

idk, maybe they did remove it by using that software...
it's not really my thing but it does help me understand better about the structure.
if it's "BSJB".. i think it could be located by inputting the value of "MetaData RVA" from MetaData Header to address converter on CFF, hmmm, i'll just try it later

Maki

  • Lana Del Rey
  • Insane poster
  • *
  • Posts: 412
  • Karma: 76
  • Final Fantasy VIII reverse team
    • View Profile
Re: Mobius Final Fantasy [Unity]
« Reply #10 on: 2017-02-23 11:16:58 »
Tried that. ILSpy detects it as managed assembly but throws error (probably with the meta data streams)
I ripped the most-up-to-date english assembly and tested it with packed assembly:


and info for unpacked/working assembly with working metadata:



Link to english decrypted Assembly:
https://www.dropbox.com/s/bmxv2tgxa5yysmy/assemblyCS.dll?dl=0
« Last Edit: 2017-02-23 11:20:16 by Maki »

yubikiri

  • Newbie
  • *
  • Posts: 4
  • Karma: 0
    • View Profile
Re: Mobius Final Fantasy [Unity]
« Reply #11 on: 2017-02-23 11:42:45 »
uwah, i'm envius that you managed to do it so fast  ::) ::)
i guess i still have many thing too learn..
btw does the global version used the same file with japan version? i can't tell about the content, but the size of dll file is about the same

Maki

  • Lana Del Rey
  • Insane poster
  • *
  • Posts: 412
  • Karma: 76
  • Final Fantasy VIII reverse team
    • View Profile
Re: Mobius Final Fantasy [Unity]
« Reply #12 on: 2017-05-14 08:21:12 »
I'm getting reports that they did an update for Mobius and:

1. The process reopens a bit after showing SquareEnix logo and works in some sort of protected mode meaning you can't attach debugger to working project
2. Dumped Assembly-CSharp.dll from running instance is strange, ILSpy isn't opening it, CE doesn't even detect it in EnumSymbols function and IDA fails to attach (Mobius process) and enumerate images because of the privileges, when AssemblyCs opened in IDA it says, that the image is corrupted and has nothing to show

Tried looking at it via Process Monitors, bur it turns out it's just like any other process, nothing about locked access or anything.

Has anyone met such project that you can't attach to because of the "insufficient privileges" even though the process looks like normal process? Is it possible Mobius creates it's own fake debugger and attaches to himself to prevent any other debugger to step in?
« Last Edit: 2017-05-14 08:23:14 by Maki »

LeonhartGR

  • No life
  • *
  • Posts: 2293
  • Karma: 28
  • ~Whatever...~ Finally married to my "Rinoa"!
    • View Profile
    • LeonhartGR Productions
Re: Mobius Final Fantasy [Unity]
« Reply #13 on: 2017-06-03 10:15:17 »
Hey folks... If anyone is playing mobius I'd love to get along with in this journey. I'm playing for a long time now and definitely would need some help. Also with the MP. Add me on steam and send me a message there if you r interested. Thanks.