ZenHAX

Free Game Research Forum | Official QuickBMS support | twitter @zenhax | SSL HTTPS://zenhax.com
It is currently Wed Dec 13, 2017 3:37 am

All times are UTC




Post new topic  Reply to topic  [ 13 posts ] 
Author Message
 Post subject: DLL Descrypt [MU Origin]
PostPosted: Wed Apr 19, 2017 2:03 pm 

Joined: Fri Sep 12, 2014 11:02 pm
Posts: 57
Yo,

Someone can help-me? I want to remove some descrypt from a dll, game called: MU Origin, developed with Unity.
They added some xor encrypt in dll.

I decompiled *.exe they used for encrypt *.dll file, but I think they has changed encrypt logic or key.

Code:
      private static void Main(string[] args)
      {
         File.Delete(".\\Assembly-CSharp.dll");
         FileStream input = new FileStream(".\\tmpAndroid\\assets\\bin\\Data\\Managed\\Assembly-CSharp.dll", FileMode.Open);
         FileStream output = new FileStream(".\\Assembly-CSharp.dll", FileMode.CreateNew);
         BinaryReader binaryReader = new BinaryReader(input);
         BinaryWriter binaryWriter = new BinaryWriter(output);
         try
         {
            while (true)
            {
               byte b = binaryReader.ReadByte();
               b ^= 48;
               b ^= 65;
               binaryWriter.Write(b);
            }
         }
         catch (Exception)
         {
         }
         binaryWriter.Flush();
         binaryWriter.Close();
         binaryReader.Close();
      }


I'm trying to descrypt this Assembly-CSharp.dll version:
Link: https://mega.nz/#!OkJiwRAT!1j-qjnUpJMav ... e_cBNRXHos

I have this code for decompile, but not work. Maybe is because they changed key.

Code:
    public static class Decryptor
    {
        //change key there
        static byte[] XorTableLock = {0x71};
        public static void Decrypt(string file)
        {
            byte[] buffer = File.ReadAllBytes(file);
            byte[] decrypted = DecryptFile(buffer);
            File.WriteAllBytes(file, decrypted);
            Console.WriteLine("Done!");
        }
        private static byte[] DecryptFile(byte[] filebuffer)
        {
            byte[] bytes = filebuffer;
            for (int i = 0; i < bytes.Length; i++)
            {
                bytes[i] ^= XorTableLock[i % 1];
            }

            return bytes;
        }

    }


Thanks,
Cheers!!!


Top
   
 Post subject: Re: DLL Descrypt
PostPosted: Thu Apr 20, 2017 12:49 am 
User avatar

Joined: Sat Dec 27, 2014 8:49 pm
Posts: 92
The entire file is not encrypted just part of it. The DOS header is in-tact with just the signature changed. Part of the NT header is there, but not all of it. It seems upto the timestamp is valid then the rest is either encrypted or compressed in some manner.

_________________
My personal site: http://atom0s.com
Donations can be made via Paypal: Click Here


Top
   
 Post subject: Re: DLL Descrypt
PostPosted: Thu Apr 20, 2017 1:19 am 

Joined: Fri Sep 12, 2014 11:02 pm
Posts: 57
@atom0s
Thanks for answering me. Could you help me remove the encrypt from Assembly-CSharp.dll? I want to decompile this *.dll.

Cheers.


Top
   
 Post subject: Re: DLL Descrypt
PostPosted: Fri Apr 21, 2017 3:55 pm 

Joined: Mon Sep 22, 2014 5:13 pm
Posts: 69
Have you tried ILSpy?

http://ilspy.net/


Top
   
 Post subject: Re: DLL Descrypt
PostPosted: Fri Apr 21, 2017 7:43 pm 
User avatar

Joined: Sat Dec 27, 2014 8:49 pm
Posts: 92
Viserion wrote:
@atom0s
Thanks for answering me. Could you help me remove the encrypt from Assembly-CSharp.dll? I want to decompile this *.dll.

Cheers.


What version of the game / APK are these files from? The files you linked are just whats typical in the /assets/bin/ folder for Unity games, but the .so files are needed to determine how these are loaded.

Also what version was the game for the decryption stuff you posted above? Would be helpful to determine where the game stored the decryption information in the original version and compare it to the newer.

_________________
My personal site: http://atom0s.com
Donations can be made via Paypal: Click Here


Top
   
 Post subject: Re: DLL Descrypt
PostPosted: Sat Apr 22, 2017 12:15 pm 

Joined: Fri Sep 12, 2014 11:02 pm
Posts: 57
Teancum wrote:
Have you tried ILSpy?

http://ilspy.net/


My intention is to use ILSpy, but first, is necessary to remove encrypt inside from *.dll file.

atom0s wrote:
Viserion wrote:
@atom0s
Thanks for answering me. Could you help me remove the encrypt from Assembly-CSharp.dll? I want to decompile this *.dll.

Cheers.


What version of the game / APK are these files from? The files you linked are just whats typical in the /assets/bin/ folder for Unity games, but the .so files are needed to determine how these are loaded.

Also what version was the game for the decryption stuff you posted above? Would be helpful to determine where the game stored the decryption information in the original version and compare it to the newer.


Yo, version is 2.4.2, if you want, I think is better give for you apk original.

Link: http://titan.mu/
APK Link: https://storage.googleapis.com/titan-mu ... Normal.apk

I never saw before *.so files.

Thanks,
Cheers!


Top
   
 Post subject: Re: DLL Descrypt
PostPosted: Sat Apr 22, 2017 8:43 pm 
User avatar

Joined: Sat Dec 27, 2014 8:49 pm
Posts: 92
The important part of the way this works is the .so files. Mainly libmono.so which is located within the APK at:
/lib/x86/libmono.so

You are looking for the commonly used (due to the ability to encrypt the data) function:
mono_image_open_from_data_with_name

However, most games that make use of this encrypt the function to prevent people from easily decoding it. The way this is done is having a 'onload' function called when the module is first loaded (libmono.so) within the VM. Think of it like a TLS callback that is called immediately on load.
In your case, there is a function called:
_llooaa which is called by llooaa

This is where the decryption of mono_image_open_from_data_with_name takes place.
It is a simple xor encryption but the effect has its purpose to weed off people from just opening the .so in IDA and going right to the function needed.

The decryption of this function would be done, in the current APK you linked, like this:
Code:
            var fileDataOriginal = File.ReadAllBytes("data.bin");
            var v26 = fileDataOriginal.Length - 1;
            var v27 = 0;
            var v28 = 0;

            do
            {
                fileDataOriginal[v28] ^= (byte) 0x9a;
                fileDataOriginal[v28] = (byte)~fileDataOriginal[v28];
                v28 = ++v27;

            } while (v27 != v26);


Where data.bin holds the function bytes of the mono_image_open_from_data_with_name function. You can see the libmono.so doing this here:
Code:
int __usercall _llooaa@<eax>(int a1@<ebx>, int a2, char *s2)
{
  int v3; // ebx@1
  int result; // eax@1
  int v5; // [sp+1Ch] [bp-2Ch]@1
  int v6; // [sp+20h] [bp-28h]@2
  char *v7; // [sp+24h] [bp-24h]@3
  size_t len; // [sp+28h] [bp-20h]@2
  void *addr; // [sp+2Ch] [bp-1Ch]@2
  int v10; // [sp+30h] [bp-18h]@2
  int (__cdecl *v11)(void *, size_t, int, int, int, char *); // [sp+34h] [bp-14h]@2
  __int32 v12; // [sp+38h] [bp-10h]@2
  unsigned int i; // [sp+3Ch] [bp-Ch]@2

  _x86_get_pc_thunk_bx();
  v3 = a1 + 2070368;
  result = getTargetFuncInfo(a2, s2, (int)&v5);
  if ( (_BYTE)result != -1 )
  {
    v12 = sysconf(40);
    v11 = (int (__cdecl *)(void *, size_t, int, int, int, char *))(*(char **)((char *)&mono_image_open_from_data_with_name_ptr[-905985]
                                                                            + v3)
                                                                 - 1);
    v10 = v6;
    addr = (void *)((unsigned int)v11 & -v12);
    len = (char *)((char *)v11 + v6) - (char *)addr;
    mprotect((void *)((unsigned int)v11 & -v12), len, 7);
    for ( i = 0; i < v10 - 1; ++i )
    {
      v7 = (char *)v11 + i;
      *((_BYTE *)v11 + i) ^= 0x9Au;
      *v7 = ~*v7;
    }
    result = mprotect(addr, len, 5);
  }
  return result;
}


After you manually fix the function you can then decrypt the actual function that loads the modules, which looks like this now:
Code:
int __usercall mono_image_open_from_data_with_name@<eax>(int a1@<ebx>, void *src, size_t n, int a4, int a5, int a6, char *haystack)
{
  int v7; // ebx@1
  char v8; // si@19
  int v9; // eax@19
  char v10; // si@38
  int v11; // eax@38
  int v12; // eax@43
  char v14; // [sp+14h] [bp-144h]@18
  char v15; // [sp+15h] [bp-143h]@18
  char v16; // [sp+16h] [bp-142h]@18
  char v17; // [sp+17h] [bp-141h]@18
  char v18; // [sp+18h] [bp-140h]@18
  char v19; // [sp+19h] [bp-13Fh]@18
  char v20; // [sp+1Ah] [bp-13Eh]@18
  char v21; // [sp+1Bh] [bp-13Dh]@18
  char v22; // [sp+1Ch] [bp-13Ch]@18
  char v23; // [sp+1Dh] [bp-13Bh]@18
  char v24; // [sp+1Eh] [bp-13Ah]@18
  char v25; // [sp+1Fh] [bp-139h]@18
  char v26; // [sp+20h] [bp-138h]@18
  char v27; // [sp+21h] [bp-137h]@18
  char v28; // [sp+22h] [bp-136h]@18
  char v29; // [sp+23h] [bp-135h]@18
  char v30; // [sp+24h] [bp-134h]@18
  char v31; // [sp+25h] [bp-133h]@18
  char v32; // [sp+26h] [bp-132h]@18
  char v33; // [sp+27h] [bp-131h]@18
  char v34; // [sp+28h] [bp-130h]@18
  char v35; // [sp+29h] [bp-12Fh]@18
  char v36; // [sp+2Ah] [bp-12Eh]@18
  char v37; // [sp+2Bh] [bp-12Dh]@18
  char v38; // [sp+2Ch] [bp-12Ch]@18
  char v39; // [sp+2Dh] [bp-12Bh]@18
  char v40; // [sp+2Eh] [bp-12Ah]@18
  char v41; // [sp+2Fh] [bp-129h]@18
  char v42; // [sp+30h] [bp-128h]@18
  char v43; // [sp+31h] [bp-127h]@18
  char v44; // [sp+32h] [bp-126h]@18
  char v45; // [sp+33h] [bp-125h]@18
  char v46; // [sp+34h] [bp-124h]@18
  char v47; // [sp+35h] [bp-123h]@18
  char v48; // [sp+36h] [bp-122h]@18
  char v49; // [sp+37h] [bp-121h]@18
  char v50; // [sp+38h] [bp-120h]@18
  char v51; // [sp+39h] [bp-11Fh]@18
  char v52; // [sp+3Ah] [bp-11Eh]@18
  char v53; // [sp+3Bh] [bp-11Dh]@18
  char v54; // [sp+3Ch] [bp-11Ch]@18
  char v55; // [sp+3Dh] [bp-11Bh]@18
  char v56; // [sp+3Eh] [bp-11Ah]@18
  char v57; // [sp+3Fh] [bp-119h]@18
  char v58; // [sp+40h] [bp-118h]@18
  char v59; // [sp+41h] [bp-117h]@18
  char v60; // [sp+42h] [bp-116h]@18
  char v61; // [sp+43h] [bp-115h]@18
  char v62; // [sp+44h] [bp-114h]@18
  char v63; // [sp+45h] [bp-113h]@18
  char v64; // [sp+46h] [bp-112h]@18
  char v65; // [sp+47h] [bp-111h]@18
  char v66; // [sp+48h] [bp-110h]@18
  char v67; // [sp+49h] [bp-10Fh]@18
  char v68; // [sp+4Ah] [bp-10Eh]@18
  char v69; // [sp+4Bh] [bp-10Dh]@18
  char v70; // [sp+4Ch] [bp-10Ch]@18
  char v71; // [sp+4Dh] [bp-10Bh]@18
  char v72; // [sp+4Eh] [bp-10Ah]@18
  char v73; // [sp+4Fh] [bp-109h]@18
  char v74; // [sp+50h] [bp-108h]@18
  char v75; // [sp+51h] [bp-107h]@18
  char v76; // [sp+52h] [bp-106h]@18
  char v77; // [sp+53h] [bp-105h]@18
  char needle[4]; // [sp+54h] [bp-104h]@12
  int v79; // [sp+58h] [bp-100h]@12
  int v80; // [sp+5Ch] [bp-FCh]@12
  int v81; // [sp+60h] [bp-F8h]@12
  int v82; // [sp+64h] [bp-F4h]@12
  char v83; // [sp+68h] [bp-F0h]@1
  int v84; // [sp+E8h] [bp-70h]@45
  int v85; // [sp+ECh] [bp-6Ch]@42
  int v86; // [sp+F0h] [bp-68h]@37
  signed __int32 v87; // [sp+F4h] [bp-64h]@37
  signed __int32 v88; // [sp+F8h] [bp-60h]@32
  char v89; // [sp+FFh] [bp-59h]@29
  char *v90; // [sp+100h] [bp-58h]@27
  signed __int32 v91; // [sp+104h] [bp-54h]@27
  int v92; // [sp+108h] [bp-50h]@27
  int v93; // [sp+10Ch] [bp-4Ch]@18
  int v94; // [sp+110h] [bp-48h]@18
  int v95; // [sp+114h] [bp-44h]@18
  int v96; // [sp+118h] [bp-40h]@18
  int v97; // [sp+11Ch] [bp-3Ch]@18
  size_t v98; // [sp+120h] [bp-38h]@18
  int v99; // [sp+124h] [bp-34h]@18
  int v100; // [sp+128h] [bp-30h]@13
  int v101; // [sp+12Ch] [bp-2Ch]@37
  signed __int32 j; // [sp+130h] [bp-28h]@27
  int i; // [sp+134h] [bp-24h]@18
  int v104; // [sp+138h] [bp-20h]@18
  void *dest; // [sp+13Ch] [bp-1Ch]@6

  _x86_get_pc_thunk_bx();
  v7 = a1 + 2061836;
  qmemcpy(&v83, (char *)&unk_2B96C0 + v7 - 3623940, 0x80u);
  if ( !src || !n )
  {
    if ( a5 )
      *(_DWORD *)a5 = 3;
    return mono_image_open_from_data_full(src, n, a4, a5, a6);
  }
  dest = src;
  if ( a4 )
  {
    dest = (void *)g_malloc(n);
    if ( !dest )
    {
      if ( a5 )
        *(_DWORD *)a5 = 1;
      return mono_image_open_from_data_full(src, n, a4, a5, a6);
    }
    memcpy(dest, src, n);
  }
  v82 = 0;
  needle[0] = 65;
  needle[1] = 116;
  needle[2] = 115;
  needle[3] = 101;
  v79 = 2037146221;
  v80 = 1750287149;
  v81 = 779121249;
  LOWORD(v82) = 27748;
  BYTE2(v82) = 108;
  if ( strstr(haystack, needle) )
  {
    v100 = getGlobalData();
    if ( *(_BYTE *)v100 == 84 || *(_BYTE *)(v100 + 1) == 46 || *(_BYTE *)(v100 + 2) == 77 || *(_BYTE *)(v100 + 3) == 46 )
      return mono_image_open_from_data_full(src, n, a4, a5, a6);
    v99 = **(int **)((char *)&g_monoRelRotklog_ptr + v7 - 3623940);
    v98 = v99 / 5;
    v97 = v99 % 5;
    v96 = ((signed int)&unk_6E147A - v99) / 4;
    v95 = 136;
    memcpy((char *)dest + 136, *(char **)((char *)&g_monoRelRotklog_ptr + v7 - 3623940) + 2 * v98 + 4, v98);
    memcpy((char *)dest + v95 + v98, *(char **)((char *)&g_monoRelRotklog_ptr + v7 - 3623940) + v98 + 4, v98);
    memcpy((char *)dest + 2 * v98 + v95, *(void ***)((char *)&g_monoRelRotklog_ptr + v7 - 3623940) + 1, v98);
    memcpy(
      (char *)dest + 3 * v98 + v95,
      *(char **)((char *)&g_monoRelRotklog_ptr + v7 - 3623940) + 3 * v98 + v96 + 4,
      2 * v98 + v97);
    v14 = 60;
    v15 = -90;
    v16 = -72;
    v17 = -25;
    v18 = -102;
    v19 = -52;
    v20 = 20;
    v21 = -123;
    v22 = -105;
    v23 = -96;
    v24 = -58;
    v25 = -72;
    v26 = -29;
    v27 = 71;
    v28 = 94;
    v29 = 96;
    v30 = -55;
    v31 = 42;
    v32 = 23;
    v33 = 69;
    v34 = 40;
    v35 = -74;
    v36 = -46;
    v37 = -112;
    v38 = 24;
    v39 = 41;
    v40 = 60;
    v41 = 70;
    v42 = 92;
    v43 = 106;
    v44 = 123;
    v45 = -114;
    v46 = -99;
    v47 = -95;
    v48 = -76;
    v49 = -60;
    v50 = -41;
    v51 = -31;
    v52 = -24;
    v53 = -4;
    v54 = -8;
    v55 = -103;
    v56 = -56;
    v57 = -41;
    v58 = -24;
    v59 = -75;
    v60 = -90;
    v61 = -3;
    v62 = 3;
    v63 = -74;
    v64 = -105;
    v65 = 8;
    v66 = 62;
    v67 = 106;
    v68 = 123;
    v69 = -87;
    v70 = 75;
    v71 = 94;
    v72 = 108;
    v73 = 125;
    v74 = -120;
    v75 = -112;
    v76 = -109;
    v77 = -78;
    v104 = 0;
    v94 = 64;
    v93 = v99 + v95;
    for ( i = v95; i < v93; ++i )
    {
      v8 = *((_BYTE *)dest + i);
      v9 = v104++;
      *((_BYTE *)dest + i) = v8 ^ *(&v14 + v9);
      if ( v104 && !(v104 % v94) )
        v104 = 0;
    }
  }
  if ( *(_BYTE *)dest == 73
    || strstr(haystack, &aAssemblyCsharp[v7 - 3623940])
    || strstr(haystack, &aAssemblyCsha_0[v7 - 3623940]) )
  {
    *(_BYTE *)dest = 77;
    v92 = 136;
    v91 = (n - 136 + 3) >> 2;
    v90 = (char *)dest + 136;
    for ( j = 0; j < v91; ++j )
    {
      if ( j & 1 )
      {
        v89 = v90[j];
        v90[j] = *(&v90[j] + v91);
        *(&v90[j] + v91) = v89;
      }
    }
    v88 = n - v92 + -3 * v91;
    for ( j = 0; j < v88; ++j )
    {
      if ( !(j & 1) )
      {
        v89 = *(&v90[2 * v91] + j);
        *(&v90[2 * v91] + j) = *(&v90[3 * v91] + j);
        *(&v90[3 * v91] + j) = v89;
      }
    }
    v87 = n - v92;
    v101 = 0;
    v86 = 128;
    for ( j = 0; j < v87; ++j )
    {
      v10 = v90[j];
      v11 = v101++;
      v90[j] = v10 ^ *(&v83 + v11);
      if ( !(v101 % v86) )
        v101 = 0;
    }
  }
  v85 = g_malloc0(872);
  *(_DWORD *)(v85 + 8) = dest;
  *(_DWORD *)(v85 + 12) = n;
  *(_BYTE *)(v85 + 16) = 2 * (a4 & 1) | *(_BYTE *)(v85 + 16) & 0xFD;
  if ( haystack )
    v12 = g_strdup(haystack);
  else
    v12 = g_strdup_printf(&aDataP[v7 - 3623940], (char)dest);
  *(_DWORD *)(v85 + 20) = v12;
  v84 = g_malloc0(396);
  *(_DWORD *)(v85 + 44) = v84;
  *(_BYTE *)(v85 + 16) = 8 * (a6 & 1) | *(_BYTE *)(v85 + 16) & 0xF7;
  *(_DWORD *)v85 = 1;
  v85 = do_mono_image_load(v85, a5, 1, 1);
  if ( v85 )
    register_image(v85);
  return mono_image_open_from_data_full(src, n, a4, a5, a6);
}


I don't have the time to work with the decrypted function at hte moment, have some real life stuff to attend to but this should be a good start for you to get the Assembly-CSharp.dll decoded now as what you need is here.

This function is replacing stolen data from the dll back into it starting from the IMAGE_NT_HEADERS Timestamp location. Which starts at file offset 0x88. It replaces the rest of the IMAGE_NT_HEADERS then the sections from data that is within the libmono.so file. If you fix the libmono.so file you can follow what its doing fairly easily to get it back to where it should be. When I get home later I can look into it more if someone else, or you, haven't done so already. But at this point its pretty straigt forward and easy to finish.

_________________
My personal site: http://atom0s.com
Donations can be made via Paypal: Click Here


Top
   
 Post subject: Re: DLL Descrypt
PostPosted: Sun Apr 23, 2017 2:21 am 

Joined: Fri Sep 12, 2014 11:02 pm
Posts: 57
atom0s wrote:
This function is replacing stolen data from the dll back into it starting from the IMAGE_NT_HEADERS Timestamp location. Which starts at file offset 0x88. It replaces the rest of the IMAGE_NT_HEADERS then the sections from data that is within the libmono.so file. If you fix the libmono.so file you can follow what its doing fairly easily to get it back to where it should be. When I get home later I can look into it more if someone else, or you, haven't done so already. But at this point its pretty straigt forward and easy to finish.


Your help is very amazing! Sorry in about continue your work, but my knowlodge in eng reverse is null, then I can't to continue. I need this *.dll for manys reasons. If you can finish, I'll be very grateful, but I'm already grateful for all your help.


Top
   
 Post subject: Re: DLL Descrypt
PostPosted: Sun Apr 23, 2017 5:45 am 
User avatar

Joined: Sat Dec 27, 2014 8:49 pm
Posts: 92
Without some of the parameters being passed to the function I can't tell what parts are needed for certain things. The better approach for this would be to debug the app and dump the module from it after it was loaded. This would give you the decrypted module.

_________________
My personal site: http://atom0s.com
Donations can be made via Paypal: Click Here


Top
   
PostPosted: Tue Apr 25, 2017 2:52 am 

Joined: Mon Dec 22, 2014 1:04 am
Posts: 9
I followed what atom0s wrote and managed to find where the decryption of this dll occurs due the aAssemblyCsha_0 name, I translated the decryption and copied the key from the .so file.

here is the code (C#) for decryption:
Code:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.IO;
using System.Threading.Tasks;
 
namespace DecryptMUOriginDLL
{
    class Program
    {
        static byte[] key = StringToByteArray("742062652072756E20696E20444F532060832A63616E6E6F01C8E1F49B8CB4A5742062632572756E32FEE14F519040086BB1E7A10E0E1FBA742068652072756E23696A2A4145502A21B80149FC21546869732170726F67726D6F66652EFC0D0A2430A14403FCFC202430A00A03000620504500114C0502016D6F64652E0D0D0A");
        static void Main(string[] args)
        {
            if (args.Length != 1) Console.WriteLine("MUDLLDecrypt.exe [name]");
            else
            {
                byte[] buffer = File.ReadAllBytes(args[0]);
                buffer[0] = 0x4D;
                int n = buffer.Length;
                buffer[0] = 77;
                int offset = 136;
                int len = (n - 136 + 3) >> 2;
                for (int j = 0; j < len; ++j)
                {
                    if (j % 2 != 0)
                    {
                        byte temp = buffer[j+offset];
                        buffer[j + offset] = buffer[j + offset + len];
                        buffer[j + offset + len] = temp;
                    }
                }
                int len2 = n - offset + -3 * len;
                for (int j = 0; j < len2; ++j)
                {
                    if (j%2 == 0)
                    {
                        byte temp = buffer[offset+2 * len+ j];
                        buffer[offset + 2 * len + j] = buffer[offset + 3 * len + j];
                        buffer[offset + 3 * len + j] = temp;
                    }
                }
                int len3 = n - offset;
                int i = 0;
                int k = 128;
                for (int j = 0; j < len3; ++j)
                {
                    byte temp =  buffer[offset+j];
                    int off = i++;
                    buffer[offset + j] = (byte)(temp ^ key[off]);
                    if (i % k == 0) i = 0;
                }
                File.WriteAllBytes(args[0]+"-fixed",buffer);
                Console.WriteLine("Fixed!");
                return;
            }
        }
        public static byte[] StringToByteArray(string hex)
        {
                return Enumerable.Range(0, hex.Length)
                                 .Where(x => x % 2 == 0)
                                 .Select(x => Convert.ToByte(hex.Substring(x, 2), 16))
                                 .ToArray();
        }
    }
}

and here is a compiled program: https://mega.nz/#!Y0chUJiK!XPts_fwTRQeq ... mpL6TEQcfU

how to use: program.exe [name]
where name is the full path to the dll.


Last edited by dniel888 on Thu Nov 23, 2017 6:18 pm, edited 1 time in total.

Top
   
PostPosted: Tue Apr 25, 2017 10:15 am 

Joined: Fri Sep 12, 2014 11:02 pm
Posts: 57
dniel888 wrote:
I followed what atom0s wrote and managed to find where the decryption of this dll occurs due the aAssemblyCsha_0 name, I translated the decryption and copied the key from the .so file.

here is the code (C#) for decryption: https://pastebin.com/cxLEhLP6
and here is a compiled program: https://mega.nz/#!Y0chUJiK!XPts_fwTRQeq ... mpL6TEQcfU

how to use: program.exe [name]
where name is the full path to the dll.


Hi dniel888, thanks you and atom0s too much!!!


Top
   
PostPosted: Fri Jun 02, 2017 11:16 am 

Joined: Fri Sep 12, 2014 11:02 pm
Posts: 57
deleted.


Top
   
PostPosted: Fri Jul 21, 2017 11:02 pm 

Joined: Fri Sep 12, 2014 11:02 pm
Posts: 57
Someone can help me again to decrypt this new version dll?

Link: https://mega.nz/#!v1AGSK4Y!5BY_39bYcgyV ... dsUbmHc5Sw


Top
   
Display posts from previous:  Sort by  
Post new topic  Reply to topic  [ 13 posts ] 

All times are UTC


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Powered by phpBB® Forum Software © phpBB Limited