Dump decrypted DLL file with IDA Pro
Note: This tutorial was
created by xiaobaiyey and written in chinese. This tutorial is poorly
translated from Google Translation but i have fixed some grammar to make it
easier to understand.
reviously I read an article by hook
decrypting the encrypted dll Unity3D, recently new to dynamic, so they can try
the next through IDA, the same as the shelling, dump the decrypted dll file,
try the next, it really can, in here to share under
Requirements:
Game: Monthly Dragon knife (just find
a game)
Enable USB-debugging in Developer
Options
Open lib in IDA:
Unzip lib folder from the APK, drag
the file libmono.so to IDA
Several functions mainly in the
upper and lower breakpoint (refer mono source )
mono_image_open_from_data_full
mono_image_open_from_data
mono_image_open_from_data_with_name
mono_image_open_from_data_with_name
In a decryption process can about
these function
View the final in front of a
function call or mono_image_open_from_data_with_name,
Enable Developer Options:
If Developer Option does not show in
settings, follow the steps below.
1. Open
Settings > About
2. Then tap
“Build number” seven times to enable Developer options. ...
3. Go back
to Settings menu and now you'll be able to see “Developer options” there.
4. Tap it
and turn on USB Debugging
Dynamic debugging:
If the app has anti-debugging, you
need to skip meals to debug, the following brief dynamic debugging Preparations
(there are many online tutorials dynamic debugging)
Push android_server
file to the phone
1:
adb push android_server /data/local/tmp/
2:
adb shell
3:
cd /data/data/tmp/
4:
chmod 777
android_server
5:
./android_server
Port Forwarding:
adb forward
tcp:23946 tcp:23946
Debug startup app:
adb shell am
start -D -n com.huiguan.qinglong.taiqi.dl/com.huiguan.qlyyd.UnityPlayerNativeActivity
Check the app's PID:
1.
adb shell
2.
ps | grep dl
Record the PID and Forwarding (pid can be seen in the ida)
adb forward
tcp:8700 jdwp:PID
Setting ida (the main settings
hostname: 127.0.0.1) and open the attach process (wait for the program to
automatically break live, live off later)
Run app (in the f9 at ifa)
This time, open CMD.exe on Windows
and run jdb debugger (Java debugger):
jdb -connect
com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=8700
This time can be debugged
Run app will break on the linker

Then if the app is no
anti-molestation: running directly f9
This window appears: same point

Wait a moment, will end on Linker , directly connected
to f9 op row
If this window appears, select "yes
(pass to app)" without waiting

Many may appear behind all this
window select yes and then run f9
Finally broken in the mono_image_open_from_data_with_name, method
Loading is not the first time we
want to skip dll

If you can not read f5 look at the source code, source code
demonstrate this direct f5, where he rewrote
momo source
int __fastcall
mono_image_open_from_data_with_name (int a1, char * haystack, int a3, int a4,
char a5, char * haystacka)
Several key parameters
// NT
A1 read dll file offset address
// Char
* haystack, DLL file size
// Char
* haystacka , file name

This time following the R1 register to see the encrypted DLL file address,
indicating the DLL has not yet begun to decrypt, decryption may later. And
laid down the road to change a single note of each register after a simple loop
The dll decrypted
This time it decrypted DLL in
memory,

This time it can have a dump,
Check Register Window: Find R6 and R11
The entire file offset start R6 = 7B95304C
End offset
address R6 = R11
+ 7B95304C + 3AF200
= 7BD0224C
Use; dump dex scripts
auto fp,
dexAddress;
fp = fopen ( "D:\\Test.dll", "wb");
for (dexAddress = 0x7B95304C; dexAddress < 0x7BD0224C; dexAddress ++)
fputc (Byte(dexAddress), FP);
fp = fopen ( "D:\\Test.dll", "wb");
for (dexAddress = 0x7B95304C; dexAddress < 0x7BD0224C; dexAddress ++)
fputc (Byte(dexAddress), FP);
Under run on ok
Decryption out the effect,
Attach the original dll and decrypted
dll
Credit:
xiaobaiyey
Comments
Post a Comment