Android Tutorial How to decrypt an encrypted .dll file with GDB gcore (Root & ARM only)

ThePianoGuy · October 30, 2018

Hi there,

I will show you how to decrypt and encrypted .dll file (when trying to MOD Unity based Android games) using Gcore dump and WinHex.

Before we start, how to check if a .dll file is encrypted?

Easy. When you open a .dll file into Reflector and you get:

"Assembly-CSharp (this could change, depending on the name of the file), File is not a portable executable. DOS header does not contain 'MZ' signature."

it means you have got an encrypted DLL!

See image:

It means the DLL file does not have a valid MZ/PE header so you can't open/modify it. DLL files require MZ/PE headers in order to view its content and, to prevent hacking, some game developers protect their game erasing these MZ/PE headers from some dll files.

Now let's start with the requirements!

First of all, you need:

1. To have some Android Hacking experiences (otherwise you will not understand a single word of this Topic)

2. A rooted Android device

3. .NET Reflector or JustDecompile installed on your computer (if you've got hacking experience, you should already have this tool)

4. A computer running at least Windows XP

5. A Rooted Android device (Works with BlueStacks) running Android 4.2.2 and newer versions. Previous version might not work.

Works with Bluestacks. Custom roms with Android 4.2.2+ based are supported

6. At least 1 GB of RAM on your Device. A minimum of 300-400 MB free RAM space is required

7. Latest verison of SuperSU or other Superuser apps

8. BusyBox for Android. Get it from HERE

9. Terminal app for Android. You can download it from HERE

10. gcore installed on your device. Download it from: HERE

11. Any file explorer app installed on your Android device. I'd recommended X-plore

12.[/url]Cracked version of WinHex (free version will not work for this purpose). Download it from HERE

Update your BusyBox and Superuser.

If you are using outdated version of BusyBox, SuperSU or other Superuser apps, you will need to update because older versions may cause problems. If you are using built-in cyanogenmod SuperUser, beware it's very unstable. Uninstall this and this abandoned superuser if you have one and install the popular Superuser apps, SuperSU, Kingroot, Kingoroot, iRoot, etc...

Most Superuser have an update check option in the settings, some of them don't. Simply open a setting and request an update, or manually update the app from the website.

Install BusyBox from the given link.

Open the app and grant Root permissions. Smart Install will slowly load and, when completely loaded, tap "Install". The BusyBox binaries will be now permanently installed on your device. You can close the app or even uninstall it. BusyBox is just the installer. See screen below if you need help.

Install gcore on your device

1) Download gcore to your device (using the link given at the top of this Topic)

2) Open your Root Explorer app

3) Copy the 2 files "gdb" and "gdbserver" included into the zip file

4) Paste them to /system/bin/ (in your INTERNAL ROOT memory -> system -> bin) Folder (of course you will need to grant root permissions to see that folder).

5) If asked, overwrite files.

Find the package name of the app you're going to hack!

This will be required to find the app in the Terminal app we're going to use soon.

It's usually called "com.DEVELOPER_CODE.GAME_CODE".

Method #1

You can find it going (with your browser) to the Google Play website https://play.google.com/, looking for the game you have installed on your device and then copying what's next to "id=".

See screenshot:

Method #2

Install Package Name Viewer app from playstore and find the game you are looking for

Method #3

For Cyanogenmod ROMs, you can go to "Settings" -> "Apps" and then you'll find the package name of any app you have installed on your device.

Decrypt a game with a Terminal app

First, reboot your phone

Install Terminal app (with the link above). Then launch and minimize the game with the decrypted .dll (otherwise you could not see it in the following step.)

Launch the Terminal and type:

su

Now hit Enter and grant Root Permissions for the Terminal app.

Your username will now start with "root@". This confirms you have now Root Permissions on the Terminal.


root@[member='YourName'] #

Now, type:


dumpsys meminfo

to show all the processes

or


dumpsys meminfo | grep com.*

This command will search for all the running processes starting with "com." (the * is a jolly symbol which means any letter/number/symbol)

or


dumpsys meminfo | grep th.*

This command will search for all the running processes starting with "th." (the * is a jolly symbol which means any letter/number/symbol)

Hit enter and you'll see a list of the running process of your device.

You will find the package name of the game with the encrypted dll too!

Using the game Crusaders Quest's as an example, you should see something like this:


118740 kB: com.nhnent.SKQUEST (pid 383 / activities)

If you have some problems searching for PID or if an app close after a few seconds and you dont have enough time to type in the code

You can use an APP called ProcessView , you can find it on Google Play Store

GooglePlay LINK: https://play.google.com/store/apps/details?id=jp.vviki.android.SysLoadLogger

Take note of the number next to "pid" (PID stands for "Process ID" and changes everytime a process starts). In my example, I'll take note of the number "383".

Now, using the PID you just noted, type:


gdb -pid xxxxx

(replacing "xxxxxx" with the PID number)

In my example, I'll use my Crusader Quest's PID (383).

Now hit Enter.

You'll wait few seconds and the Terminal will show:


(gdb)

in the Terminal app.

If you got "can' execute: permission denied" error, put this in Terminal


chmod 777 /system/bin/gdb && chmod 777 /system/bin/gdbserver

HAVE "ptrace: Operation not permitted" ERROR? PLEASE SEE THE TUTORIAL ABOUT BYPASSING THE "ptrace: Operation not permitted" ERROR

LINK TO TUTORIAL

We're almost done with Terminal. Now we do need to save the dumped file from the RAM storage we will use to get the decrypted dll into our /sdcard/ path. So, choose how to call this file (I will call it "nameoffile" as an example).

So, let's type:


gcore /sdcard/anynames

(replacing "nameoffile" with the name you decided to give to this file). See pic:

Hit enter and the Terminal will show empty line.. it's generating a very big dumped file so wait patiently until it completes this process. The file could be up to 1GB of size!!!

At the end of this process, you'll see:


Saved corefile /sdcard/xxxxxxxx

Of course, instead of "nameoffile" you will see the name of the file you chosen before.

Do not worry about any warnings like these you may read in the Terminal app:

after that, you succcessfully decrypted the game. Close the Terminal app.

They do not interfere in ANY way with the decryption of the .dll files.

Are you tired? Well, I've got a good new for you. You just decrypted the dll (well, every dll also if not encrypted will be "decrypted"! You're almost done. You just need few more steps and you'll be able to HACK your game! You can (finally) close the Terminal App!

Moving the file to your PC!

If you browse with your mobile to the path "/sdcard/", you will see the new big file but, since Windows can't see dump files, to move it to your PC you have two chances.

1) Enable USB Debugging (better in my opinion)

This way you'll see dump files from your PC. Go to Settings -> About Phone and tap on "Build Number" 7 times. You will unlock the "hidden" developer menu.

Now go will see "Developer Options" inside "Settings" of your device. Tap on it and check "USB Debugging".

OR

2) Moving this file to a folder

Create a folder on your /sdcard/ path and move this dumped file to the newly created folder. This way Windows should be able to see it.

So, if you chosen 1) or 2), now connect your device to your PC, go to the /sdcard/ directory and move the file (if you followed 1st option) or the folder (if you followed 2nd option)

Now copy the file to your computer

Using WinHex

Open the cracked WinHex (extract the downloaded .zip file and double-click on the "WinHex.exe" file. See pic:

Now take a look at the top of WinHex window and click "File" -> "Open" (see pic).

You will see the a dialog box similar to the following:

So, go to the folder where you copied the big file and click "Open".

Now, go to "Tools -> "Disk Tools" -> "File Recovery by Type..." (top of WinHex), like the following screenshot:

and a smaller window will pop-up. It should be very similar to the following one:

Click the "+" next to "Programs" (1) and check "Windows exec." (2). Now, select the folder where you want the new file to be generated under "Output Folder" (3).

Ensure "Complere byte-level search" is checked (4) and then click "OK" (5).

The file recover will now begin and, when it finished you'll get a message like this:

Now, reach the location where you saved this file and delete all files with the ".com" extension. They're not needed and may only cause confusion.

You can finally close WinHex.

Find the right dll

Now you do have a list of .dll files but... which one is encrypted? They have got weird names...

This step is important. You need to check which DLL is encrypted. Also, not just Assembly-Csharp.dll file can be encrypted. Other files can be encrypted too.

So, take out "Managed" folder from the APK file you want to MOD (it's located at /assets/bin/data/Managed/), select all the .dll files inside that folder and drag and drop them into the Reflector window like you usually do when you try to hack a Unity3D game. To see which DLL files are encrypted, click "No" when it ask you to reopen DLL files.

For example, Crusaders Quest has got 4 encrypted .dlls:


Assembly-CSharp.dll

Assembly-CSharp-firstpass.dll

Assembly-UnityScript.dll

Assembly-UnityScript-firstpass.dll

Now, clear all opened DLL files from Reflector, go to the location where you recovered the files (with WinHex) and drag and drop all the .dll files. Click "No" if it does ask you to reopen DLL files in Reflector and ignore any dll error.

So, select a .dll file to show the name of the file and its location

For example, for Crusaders Quest we have got:


Assembly-CSharp.dll = 000034.dll

Assembly-CSharp-firstpass.dll = 000030.dll

Assembly-UnityScript.dll = 000028.dll

Assembly-UnityScript-firstpass.dll = 000013.dll

So, rename all the .dll files that was encrypted and place them inside the extracted "Managed" folder. This way you'll replace original encrypted files with new decrypted ones.