Mobius Final Fantasy [Unity]

Maki:
Hello again!
Some time ago I received an e-mail asking if I might be looking back at that obfuscated/crypted assembly:

1. Anti debugger privileges was my paranoid anti-malware software
2. mobiusff.exe is C++ 64 bit Unity assembly
3. The assembly-csharp.dll IS NOT loaded as library (via loadlibrary)
 3a. I hooked every single I/O operation to actually find what makes it parse Assembly-csharp.dll. See image below


Assembly-csharp.dll is broken on purpose to not be available to anything that manages symbols from DLL other than specific software written to ignore such details. I'm going to find the code location inside memory and see what I could do

UPDATE:
0x2EC- this whole file is completely crypted... Normal PE is fine, but the whole .NET is completely ciphered

UPDATE2:
MonoManager::LoadAssemblies(dynamic_bitset)+184 -> loads the .DLL (and probably parses it/ RAX contains struct with assembly pointers)
MonoManager::LoadAssemblies(dynamic_bitset)+191  call    cs:mono_assembly_get_image

UPDATE3:
I'm close:
These are strings from pre-loaded assembly image from struct:

pointer 2:

Pointer 3:


It's not full assembly (there's no i.e. BSJB), but it's already deciphered/decrypted so looks like MonoManager::LoadAssemblies(dynamic_bitset)+184 is where I need to go deeper (it's before I/O and after decipher)

UPDATE4:
I got it. I'm soon to rebuild the assembly
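
A static check for the on-disk state described in the post above (PE headers intact, .NET metadata ciphered, no BSJB signature), as an added example that is not part of the original thread or Maki's tooling. The function names, status strings and the sample image are constructed for illustration; the parser only follows the CLR data directory to the metadata root and decrypts nothing.

```python
import struct

def rva_to_offset(data, sec_table, nsec, rva):
    """Map an RVA to a file offset via the section table; None if unmapped."""
    for i in range(nsec):
        vsize, va, rsize, rptr = struct.unpack_from("<4I", data, sec_table + 40 * i + 8)
        if va <= rva < va + max(vsize, rsize):
            return rva - va + rptr
    return None

def clr_metadata_status(data):
    """Say whether a PE file's CLR metadata root is readable on disk."""
    try:
        pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
        if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
            return "not-pe"
        nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
        opt = pe + 24
        dir_off = {0x10B: 96, 0x20B: 112}.get(struct.unpack_from("<H", data, opt)[0])
        if dir_off is None:
            return "not-pe"
        # Data directory 14 is the CLR (COR20) header.
        clr_rva = struct.unpack_from("<I", data, opt + dir_off + 14 * 8)[0]
        if clr_rva == 0:
            return "no-clr-directory"
        cor = rva_to_offset(data, opt + opt_size, nsec, clr_rva)
        if cor is None:
            return "clr-header-unmapped"
        md_rva = struct.unpack_from("<I", data, cor + 8)[0]    # COR20 MetaData.RVA
        md = rva_to_offset(data, opt + opt_size, nsec, md_rva)
        if md is None:
            return "metadata-unmapped"
        return "metadata-ok" if data[md:md + 4] == b"BSJB" else "metadata-not-bsjb"
    except struct.error:
        return "truncated"

def build_sample(md_sig):
    """Constructed minimal PE32+ image: one section with a COR20 header and metadata root."""
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH12xH", img, 0x84, 0x8664, 1, 0xF0)   # machine, 1 section, opt size
    struct.pack_into("<H", img, 0x98, 0x20B)                  # PE32+ magic
    struct.pack_into("<II", img, 0x178, 0x2000, 0x48)         # CLR directory entry
    struct.pack_into("<4I", img, 0x190, 0x200, 0x2000, 0x200, 0x200)   # section sizes
    struct.pack_into("<IHHII", img, 0x200, 0x48, 2, 5, 0x2048, 0x100)  # COR20 header
    img[0x248:0x24C] = md_sig
    return bytes(img)
```

A result of `metadata-not-bsjb` on a file whose PE headers parse cleanly matches the "normal PE is fine, .NET is ciphered" observation; the other statuses point at damage earlier in the header chain.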

Maki:
Decrypted! (DLL as of 2018.09.19)
https://www.dropbox.com/s/vtlby83o8whxf1n/Assembly-CSharp.zip?dl=0

Sangawku:
Hate to bump this from the dead. But Maki do you have a way to decrypt/reencrypt the assembly-csharp.dll or at least strip the encryption from the exe so we can load a decrypted dll?
I wanted to start working on a server for it but so far I haven't found a way to override the addresses at runtime (0 skill with bepin)

Could you possibly drop something for that since the game has been shutdown for the better part of 4 years now :)

I have been digging into it but I am still that 0 skill pleb when it comes to the encryption things :(

Maki:

--- Quote from: Sangawku on 2024-06-21 06:44:20 ---Hate to bump this from the dead. But Maki do you have a way to decrypt/reencrypt the assembly-csharp.dll or at least strip the encryption from the exe so we can load a decrypted dll?
I wanted to start working on a server for it but so far I haven't found a way to override the addresses at runtime (0 skill with bepin)

Could you possibly drop something for that since the game has been shutdown for the better part of 4 years now :)

I have been digging into it but I am still that 0 skill pleb when it comes to the encryption things :(

--- End quote ---
Were you able to decrypt the current Assembly-CSharp.dll? After some minutes I got the decrypted DLL. It's... not encrypted per se, but rather custom obfuscated. Indeed the game doesn't like the decrypted DLL.
I'm dropping the current Steam version of Assembly-CSharp.dll decrypted:
https://mega.nz/file/KR4ViS5J#2DZWXju0I1U0vLXjgnKjEcnzXUzRY6O6CR32rWzd0lg

I'll check the EXE. Probably they had Unity source and implemented an encryption

Sangawku:
Yeah I was able to decrypt it, it's at runtime, they just used a method that playerprefs with which dlls to obfuscate..

However i seem to be missing some files that aren't cached anywhere :(
