How to decrypt an encrypted .dll file with GDB gcore (Root) (4.2.2-4.4.4) (ARM only)
Decrpyting an encrypted .dll and other
files using Termux app (Root only) (5.0 and up).
Hello dear community,
I will show you how to decrypt and encrypted .dll file
(when trying to MOD Unity based Android games) using Gcore dump and WinHex.
Before we start, how to check if a .dll file is
encrypted?
Easy. When you open a .dll file into Reflector and you
get:
"Assembly-CSharp (this could change, depending on
the name of the file), File is not a portable executable. DOS header does not
contain 'MZ' signature."
it means you have got an encrypted DLL!
See image:
It
means the DLL file does not have a valid MZ/PE header so you can't open/modify
it. DLL files require MZ/PE headers in order to view its content and, to prevent
hacking, some game developers protect their game erasing these MZ/PE headers
from some dll files.
Now let's start with the requirements!
Now let's start with the requirements!
First of all, you need:
1. To have some Android Hacking experiences (otherwise you will not understand a single word of this Topic)
2. A rooted Android device
3. .NET Reflector or JustDecompile installed on your computer (if you've got hacking experience, you should already have this tool)
4. A computer running at least Windows XP
5. A Rooted Android device running Android 4.2.2 and newer versions. Previous version might not work.
6. At least 1 GB of RAM on your Device. A minimum of 300-400 MB free RAM space is required
7. Latest verison of SuperSU or other Superuser apps
8. BusyBox for Android. Get it from HERE
9. Terminal app for Android. You can download it from HERE
10. gcore installed on your device. Download it from: HERE
11. Any file explorer app installed on your Android device. I'd recommended X-plore
1. To have some Android Hacking experiences (otherwise you will not understand a single word of this Topic)
2. A rooted Android device
3. .NET Reflector or JustDecompile installed on your computer (if you've got hacking experience, you should already have this tool)
4. A computer running at least Windows XP
5. A Rooted Android device running Android 4.2.2 and newer versions. Previous version might not work.
6. At least 1 GB of RAM on your Device. A minimum of 300-400 MB free RAM space is required
7. Latest verison of SuperSU or other Superuser apps
8. BusyBox for Android. Get it from HERE
9. Terminal app for Android. You can download it from HERE
10. gcore installed on your device. Download it from: HERE
11. Any file explorer app installed on your Android device. I'd recommended X-plore
If you are using outdated version of BusyBox, SuperSU or other Superuser apps, you will need to update because older versions may cause problems. If you are using built-in cyanogenmod SuperUser, beware it's very unstable. Uninstall this and this abandoned superuser if you have one and install the popular Superuser apps, SuperSU, Kingroot, Kingoroot, iRoot, etc...
Most Superuser have an update check option in the settings, some of them don't. Simply open a setting and request an update, or manually update the app from the website.
![[IMG]](https://i.imgur.com/55NjVLk.jpg)
Install BusyBox from the given link.
Open the app and grant Root permissions. Smart Install will slowly load and, when completely loaded, tap "Install". The BusyBox binaries will be now permanently installed on your device. You can close the app or even uninstall it. BusyBox is just the installer. See screen below if you need help.
![[IMG]](https://i.imgur.com/PtsKJ2l.png)
![[IMG]](https://i.imgur.com/VWiprRv.png)
Install gcore on your device
1) Download gcore to
your device (using the link given at the top of this Topic)
2) Open your Root Explorer app
3) Copy the 2 files "gdb" and "gdbserver" included into the zip file
4) Paste them to /system/bin/ (in your INTERNAL ROOT memory -> system -> bin) Folder (of course you will need to grant root permissions to see that folder).
5) If asked, overwrite files.
2) Open your Root Explorer app
3) Copy the 2 files "gdb" and "gdbserver" included into the zip file
4) Paste them to /system/bin/ (in your INTERNAL ROOT memory -> system -> bin) Folder (of course you will need to grant root permissions to see that folder).
5) If asked, overwrite files.
Find
the package name of the app you're going to hack!
This will be required to find the app in the Terminal app we're going to use soon.
It's usually called "com.DEVELOPER_CODE.GAME_CODE".
Method #1
You can find it going (with your browser) to the Google Play website https://play.google.com/, looking for the game you have installed on your device and then copying what's next to "id=".
See screenshot:
![[IMG]](https://i.imgur.com/oMPbxeI.jpg)
This will be required to find the app in the Terminal app we're going to use soon.
It's usually called "com.DEVELOPER_CODE.GAME_CODE".
Method #1
You can find it going (with your browser) to the Google Play website https://play.google.com/, looking for the game you have installed on your device and then copying what's next to "id=".
See screenshot:
![[IMG]](https://i.imgur.com/VEKB0Zp.png)
Method
#3
For Cyanogenmod ROMs, you can go to "Settings" -> "Apps" and then you'll find the package name of any app you have installed on your device.
For Cyanogenmod ROMs, you can go to "Settings" -> "Apps" and then you'll find the package name of any app you have installed on your device.
![[IMG]](https://i.imgur.com/dH2dx7q.png)
Dump the
game from the RAM memory using Terminal app
First, reboot your phone
Install Terminal app (with the link above). Then launch and minimize the game with the decrypted .dll (otherwise you could not see it in the following step.)
Launch the Terminal and type:
First, reboot your phone
Install Terminal app (with the link above). Then launch and minimize the game with the decrypted .dll (otherwise you could not see it in the following step.)
Launch the Terminal and type:
su
Now
hit Enter and grant Root Permissions for the Terminal app.
![[IMG]](https://i.imgur.com/YwQuPVl.png)
Your username will
now start with "root@". This confirms you have now Root Permissions
on the Terminal.
Now, type:
dumpsys meminfo
| grep com.*
to show all the
processes
or
or
dumpsys meminfo | grep
com.*
This command will
search for all the running processes starting with "com." (the * is a
jolly symbol which means any letter/number/symbol)
or
or
dumpsys meminfo | grep th.*
Hit enter and you'll
see a list of the running process of your device.
You will find the package name of the game with the encrypted dll too!
Using the game Crusaders Quest's as an example, you should see something like this:
You will find the package name of the game with the encrypted dll too!
Using the game Crusaders Quest's as an example, you should see something like this:
118740 kB:
com.nhnent.SKQUEST (pid 383 / activities)
![[IMG]](https://i.imgur.com/2f4kK8y.png)
If you have some
problems searching for PID or if an app close after a few seconds and you dont
have enough time to type in the code
You can use an APP called ProcessView , you can find it on Google Play Store
GooglePlay LINK: https://play.google.com/store/apps/details?id=jp.vviki.android.SysLoadLogger
Take note of the number next to "pid" (PID stands for "Process ID" and changes everytime a process starts). In my example, I'll take note of the number "383".
Now, using the PID you just noted, type:
You can use an APP called ProcessView , you can find it on Google Play Store
GooglePlay LINK: https://play.google.com/store/apps/details?id=jp.vviki.android.SysLoadLogger
Take note of the number next to "pid" (PID stands for "Process ID" and changes everytime a process starts). In my example, I'll take note of the number "383".
Now, using the PID you just noted, type:
gdb -pid xxxxxx
(replacing
"xxxxxx" with the PID number)
In my example, I'll use my Crusader Quest's PID (383).
In my example, I'll use my Crusader Quest's PID (383).
Now
hit Enter.
You'll wait few seconds and the Terminal will show
You'll wait few seconds and the Terminal will show
(gdb)
in the Terminal app.
HAVE "ptrace: Operation not permitted" ERROR? PLEASE SEE THE TUTORIAL ABOUT BYPASSING THE "ptrace: Operation not permitted" ERROR
We're almost done with Terminal. Now we do need to save the dumped file from the RAM storage we will use to get the decrypted dll into our /sdcard/ path. So, choose how to call this file (I will call it "nameoffile" as an example).
So, let's type:
If you
got "can' execute: permission denied" error, put this in Terminal
chmod 777 /system/bin/gdb && chmod 777 /system/bin/gdbserver
HAVE "ptrace: Operation not permitted" ERROR? PLEASE SEE THE TUTORIAL ABOUT BYPASSING THE "ptrace: Operation not permitted" ERROR
We're almost done with Terminal. Now we do need to save the dumped file from the RAM storage we will use to get the decrypted dll into our /sdcard/ path. So, choose how to call this file (I will call it "nameoffile" as an example).
So, let's type:
gcore
/sdcard/anynames
Hit
enter and the Terminal will show empty line.. it's generating a very big dumped
file so wait patiently until it completes this process. The file could be up to
1GB of size!!!
At the end of this
process, you'll see:
Saved corefile
/sdcard/xxxxxxxx
(gdb)
Of
course, instead of "nameoffile" you will see the name of the file you
chosen before.
Do not worry about any warnings like these you may read in the Terminal app:
![[IMG]](https://i.imgur.com/qu0dUi6.jpg)
Do not worry about any warnings like these you may read in the Terminal app:
after that, you
succcessfully decrypted the game. Close the Terminal app.
They do not interfere in ANY way with the decryption of the .dll files.
Are you tired? Well, I've got a good new for you. You just decrypted the dll (well, every dll also if not encrypted will be "decrypted"! You're almost done. You just need few more steps and you'll be able to HACK your game! You can (finally) close the Terminal App!
They do not interfere in ANY way with the decryption of the .dll files.
Are you tired? Well, I've got a good new for you. You just decrypted the dll (well, every dll also if not encrypted will be "decrypted"! You're almost done. You just need few more steps and you'll be able to HACK your game! You can (finally) close the Terminal App!
Moving
the file to your PC!
If you browse with your mobile to the path "/sdcard/", you will see the new big file but, since Windows can't see dump files, to move it to your PC you have two chances.
1) Enable USB Debugging (better in my opinion)
This way you'll see dump files from your PC. Go to Settings -> About Phone and tap on "Build Number" 7 times. You will unlock the "hidden" developer menu.
If you browse with your mobile to the path "/sdcard/", you will see the new big file but, since Windows can't see dump files, to move it to your PC you have two chances.
1) Enable USB Debugging (better in my opinion)
This way you'll see dump files from your PC. Go to Settings -> About Phone and tap on "Build Number" 7 times. You will unlock the "hidden" developer menu.
![[IMG]](https://i.imgur.com/21XDniJ.jpg)
Now go will see "Developer Options" inside "Settings" of your device. Tap on it and check "USB Debugging".
![[IMG]](https://i.imgur.com/KyVpF3A.jpg)
OR
2) Moving this file to a folder
Create a folder on your /sdcard/ path and move this dumped file to the newly created folder. This way Windows should be able to see it.
So, if you chosen 1) or 2), now connect your device to your PC, go to the /sdcard/ directory and move the file (if you followed 1st option) or the folder (if you followed 2nd option)
Now copy the file to
your computer
Open the cracked WinHex (extract the downloaded .zip file and double-click on the "WinHex.exe" file. See pic:
![[IMG]](https://i.imgur.com/vwiY6Sl.jpg)
Now take a look at the top of WinHex window and click "File" -> "Open" (see pic).
You
will see the a dialog box similar to the following:
So, go
to the folder where you copied the big file and click "Open".
Now, go to "Tools -> "Disk Tools" -> "File Recovery by Type..." (top of WinHex), like the following screenshot:
Now, go to "Tools -> "Disk Tools" -> "File Recovery by Type..." (top of WinHex), like the following screenshot:
and a
smaller window will pop-up. It should be very similar to the following one:
Click
the "+" next to "Programs" (1) and check "Windows
exec." (2). Now, select the folder where you want the new file to be
generated under "Output Folder" (3).
Ensure "Complere byte-level search" is checked (4) and then click "OK" (5).
The file recover will now begin and, when it finished you'll get a message like this:
Ensure "Complere byte-level search" is checked (4) and then click "OK" (5).
The file recover will now begin and, when it finished you'll get a message like this:
Now, reach the
location where you saved this file and delete all files with the
".com" extension. They're not needed and may only cause confusion.
The recovered .dll file have got the wierd names so you have to find Assembly-Csharp.dll
by yourself. Assembly-Csharp.dll is always the largest file
Happy modding!
If you do need help, please reply below!
Credits
Comments
Post a Comment