• Sky
  • Mint
  • Azure
  • Indigo
  • Blueberry
  • Blackcurrant
  • Watermelon
  • Strawberry
  • Pomegranate
  • Ruby Red
  • Orange
  • Banana
  • Apple
  • Emerald
  • Teal
  • Chocolate
  • Slate
  • Midnight
  • Maastricht
  • Charcoal
  • Matte Black
  • Disable
Welcome to iOSGods

Register now to gain access to all of our features. Once registered and logged in, you will be able to contribute to this site by submitting your own content or replying to existing content. You'll be able to customize your profile, receive reputation points as a reward for submitting content, while also communicating with other members via your own private inbox, plus much more!

This message will be removed once you have signed in.

Infamous-Bluetooth

Android Tutorial
HOW TO HACK SOME ONLINE GAME USING CHARLES PROXY

45 posts in this topic

REQUIREMENTS:

 

1. CHARLES

2. SOME BRAIN

 

 

From their website:

About Charles

Charles is a web proxy (HTTP Proxy / HTTP Monitor) that runs on your own computer. Your web browser (or any other Internet application) is then configured to access the Internet through Charles, and Charles is then able to record and display for you all of the data that is sent and received.

In Web and Internet development you are unable to see what is being sent and received between your web browser / client and the server. Without this visibility it is difficult and time-consuming to determine exactly where the fault is. Charles makes it easy to see what is happening, so you can quickly diagnose and fix problems.

Simply translated, this program allows you to see the "hidden" communication between your browser and the target server.
"Big Deal I can get that information off Firefox/Chrome etc. already"
Well the key difference is how the information is displayed and what you can do with it. Looking at a few of the key features:

SSL Proxying – view SSL requests and responses in plain text
AJAX debugging – view XML and JSON requests and responses as a tree or as text
Repeat requests to test back-end changes
Edit requests to test different inputs

(Only partial list of key features, the ones that we will put to use)
As you can see, this will allow us to not only read and understand the severs response from a HTTPS game server (or most web pages using SSL), its able to easily modify requests sent to the server as a MITM application.

Ok Let's get started, for this PoC hack I will be using a completely unedited game from the Play store, Prince Billy Bob (Playstore Link: Game. Lastly, the Android phone I have the game installed on normally, which will have to be run on wifi to connect to the proxy computer.

1st Step: Setup Charles

  • Install Charles following its standard direction, if you can't get that far without needing more detailed help, please exit stage right
  • Start up the program and setup the SSL web proxy. Here's how (DISCLAIMER: I have seen a few different versions of the toolbars in Charles, here is my version, just find the same information if you have a diff version):
    1. Go to Proxy > Proxy Settings
    2. In the Proxies tab enter "8888" in the HTTP Proxy Port field
    3. In same window, Go to SSL tab
    4. Check enable SSL and ensure under locations, it has a checkbox with * next to it and the checkbox is checked. Example:
    5. Check your computer's ipv4 address, if on the same LAN with your computer use the internal ip address before the router, should start with 192.168... or 10.0... assuming standard LAN setup. save this number for later. If not on the LAN with the computer, get on it (or setup an external proxy which is beyond the scope of this tutorial, as LAN setup will allow SSL responses in plaintext, you'll have to figure out your proper configuration to use an external proxy).
    6. Lastly, prep your two SSL certificates. Go to Help > Install Charles CA SSL Certificate. You are going to install on both your PC, and your android. PC installation easy, simply hit Install Certificate and let it select its certificate store, save and done. Next for Android, after hitting the menu item Install Charles CA SSL Certificate, choose the details tab, then copy to file. Save as a DER encoded binary X.509 (CER file) name it whatever and after choosing its destination, send it to your android phone via usb, wifi, sd card, NFC, bluetooth, aliens, IDGAF just send it onto your phone then use any decent file explorer to select and install it.
    7. Alright leave Charles open and now setup the target phone

2nd Step: Setup Android

  1. (if not already done) Install the game from Play store link above (or Gapps/sideload obv fine, just stating the point that the game itself remains untouched with this method, no version conflict to worry about, achievements are available, etc.)
  2. Change your LAN wifi settings. I believe its pretty universal among android versions on how to do this. Go to Settings >Wifi. Long press your network name, and select modify network.. Check the advanced options. Change Proxy settings to manual, scroll down the menu to proxy hostname, change to the LAN ipv4 address you saved from your PC. change proxy port to 8888 to match your settings above. You can leave the rest of the settings alone. Scroll back up and enter wifi password so you can save settings.

Provided you did all that correctly, you should now be set. Test by going on Charles to verify the button that looks like a white circle with a smaller red circle is depressed, then going on your browser on your phone and search something on google, or go to homepage, etc. The second you tap any of those on your phone, Charles should come to life, populating its structure/sequence windows with all sorts of neat data.

All right you're all setup. Next post I'll have up shortly to detail what kind of details you want to focus on, how to get the server to throw you a bone to work with and not just Facebook tracking data, etc. Lastly I'll show my specific exploit I used for Billy Bob .

 

Now back to how to do the hack.

1. Start Billy Bob game. Its going to load up a bunch of folders and info that if you try to figure out where anything useful is you may get lost, so sit tight and let the game start, load up google plus, etc. once its all done and it looks like Charles is done loading new folders constantly, we are going to
2. Stop the recording session (press white/red button). This info is mostly useless unless you want to dig for app api keys, hashes, fun stuff for more complex hacks, but this is a beginners tut to show the benefits of Charles at all levels. Personally I saved this session before I clear it for study later, but you may either save it or just clear it, its not needed for this hack.
3. Now that Charles is clear, restart the recording session. With all the junk out the way, its more likely to only call the server based on your input, thus easier to track what you want. So here is what i did. I started looking for things that you do that trigger a call to the games main server. Things to try include checking daily rewards, in app purchases, buying premium items in game using premium in game currency(read: currency they expect you to pay real money to get any decent quantity), or as I found for my example, the cloud save sent to https://billybobglobal.mafrpgserver.net/google_game/save . This one was the jackpot which game me completely clear (thanks to Charles SSL credentials) JSON string the developer used in this save. Heres the string you can find by checking the request we sent to the server, easiest to read in Form view, it will look a lot like this

 

Hidden Content

    Like this post or reply to this topic to see the hidden content. More info

 

Doesn't look like much up front, but you'll notice a lot of number match your details, for simplicity sake, heres a easy translation for most the variables, haven't played with all of them yet

 

Hidden Content

    Like this post or reply to this topic to see the hidden content. More info

 

So in conclusion what I decided to do, was alter the numbers being VERY carefulk not to delete any delimiters like ,\": etc (in a file editor was easier for me to c/p but you can edit charles inline) and resend the save request with the altered numbers from Charles. You wont get a confirmation about your svae from that, but its ok, once you get a 200 response from the server, you can hit load game from the app directly, and it will load the numbers you put in.

Play around with it to see what you can do, and dont forget to go into your android wifi setting to disable the proxy when done or you wont be able to use the network properly unless your PC is on, etc. Charles stops when shut down so no need to do anything there.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Similar Content

    • By Ted2
      Hey there,
       
      A few days ago, I figured out how a game I've been hacking for years added protection to their game.
      Their protection compared stored values with the original values in classes.dex (smali files)
       
      What does crc do?
      The crc protection will detect if the game files has been modified. For example you change a simple coin value from 0x9 to 0xfff, the game will notice the original code is changed and it will probably crash the game. crc protection has it's own value/key which is stored somewhere in resources as a string. 
      Example: 0x7f050017
       
      How do we bypass it?
      I've never seen this kind of protection in any game before, but that might be because I don't really hack that much anymore. Anyways, I've read somewhere that this kind of protection gets more popular, so that's why I'll teach you how we bypass it.
       
      As I said, this protection compares using .classes.dex
       
      Open up a text editor which can read .smali files, go to 'find in files' and locate your decompiled apk.
      Search for: classes.dex. I'm not sure how much hits you get, I got 2 hits.
       
      1:
      .method private static a(Ljava/util/zip/ZipFile;Ljava/util/zip/ZipEntry;Ljava/io/File;Ljava/lang/String;)V .locals 6 .prologue .line 308 invoke-virtual {p0, p1}, Ljava/util/zip/ZipFile;->getInputStream(Ljava/util/zip/ZipEntry;)Ljava/io/InputStream; move-result-object v1 .line 310 const-string v0, ".zip" invoke-virtual {p2}, Ljava/io/File;->getParentFile()Ljava/io/File; move-result-object v2 invoke-static {p3, v0, v2}, Ljava/io/File;->createTempFile(Ljava/lang/String;Ljava/lang/String;Ljava/io/File;)Ljava/io/File; move-result-object v2 .line 312 const-string v0, "MultiDex" new-instance v3, Ljava/lang/StringBuilder; invoke-direct {v3}, Ljava/lang/StringBuilder;-><init>()V const-string v4, "Extracting " invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder; move-result-object v3 invoke-virtual {v2}, Ljava/io/File;->getPath()Ljava/lang/String; move-result-object v4 invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder; move-result-object v3 invoke-virtual {v3}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String; move-result-object v3 invoke-static {v0, v3}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I .line 314 :try_start_0 new-instance v3, Ljava/util/zip/ZipOutputStream; new-instance v0, Ljava/io/BufferedOutputStream; new-instance v4, Ljava/io/FileOutputStream; invoke-direct {v4, v2}, Ljava/io/FileOutputStream;-><init>(Ljava/io/File;)V invoke-direct {v0, v4}, Ljava/io/BufferedOutputStream;-><init>(Ljava/io/OutputStream;)V invoke-direct {v3, v0}, Ljava/util/zip/ZipOutputStream;-><init>(Ljava/io/OutputStream;)V :try_end_0 .catchall {:try_start_0 .. :try_end_0} :catchall_0 .line 316 :try_start_1 new-instance v0, Ljava/util/zip/ZipEntry; const-string v4, "classes.dex" <-----> invoke-direct {v0, v4}, Ljava/util/zip/ZipEntry;-><init>(Ljava/lang/String;)V .line 318 invoke-virtual {p1}, Ljava/util/zip/ZipEntry;->getTime()J move-result-wide v4 invoke-virtual {v0, v4, v5}, Ljava/util/zip/ZipEntry;->setTime(J)V .line 319 invoke-virtual {v3, v0}, Ljava/util/zip/ZipOutputStream;->putNextEntry(Ljava/util/zip/ZipEntry;)V .line 321 const/16 v0, 0x4000 new-array v4, v0, [B .line 322 invoke-virtual {v1, v4}, Ljava/io/InputStream;->read([B)I move-result v0 .line 323 :goto_0 const/4 v5, -0x1 if-eq v0, v5, :cond_0 .line 324 const/4 v5, 0x0 invoke-virtual {v3, v4, v5, v0}, Ljava/util/zip/ZipOutputStream;->write([BII)V .line 325 invoke-virtual {v1, v4}, Ljava/io/InputStream;->read([B)I move-result v0 goto :goto_0 .line 327 :cond_0 invoke-virtual {v3}, Ljava/util/zip/ZipOutputStream;->closeEntry()V :try_end_1 .catchall {:try_start_1 .. :try_end_1} :catchall_1 .line 329 :try_start_2 invoke-virtual {v3}, Ljava/util/zip/ZipOutputStream;->close()V .line 331 const-string v0, "MultiDex" new-instance v3, Ljava/lang/StringBuilder; invoke-direct {v3}, Ljava/lang/StringBuilder;-><init>()V const-string v4, "Renaming to " invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder; move-result-object v3 invoke-virtual {p2}, Ljava/io/File;->getPath()Ljava/lang/String; move-result-object v4 invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder; move-result-object v3 invoke-virtual {v3}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String; move-result-object v3 invoke-static {v0, v3}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I .line 332 invoke-virtual {v2, p2}, Ljava/io/File;->renameTo(Ljava/io/File;)Z move-result v0 if-nez v0, :cond_1 .line 333 new-instance v0, Ljava/io/IOException; new-instance v3, Ljava/lang/StringBuilder; invoke-direct {v3}, Ljava/lang/StringBuilder;-><init>()V const-string v4, "Failed to rename \"" invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder; move-result-object v3 invoke-virtual {v2}, Ljava/io/File;->getAbsolutePath()Ljava/lang/String; move-result-object v4 invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder; move-result-object v3 const-string v4, "\" to \"" invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder; move-result-object v3 invoke-virtual {p2}, Ljava/io/File;->getAbsolutePath()Ljava/lang/String; move-result-object v4 invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder; move-result-object v3 const-string v4, "\"" invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder; move-result-object v3 invoke-virtual {v3}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String; move-result-object v3 invoke-direct {v0, v3}, Ljava/io/IOException;-><init>(Ljava/lang/String;)V throw v0 :try_end_2 .catchall {:try_start_2 .. :try_end_2} :catchall_0 .line 337 :catchall_0 move-exception v0 invoke-static {v1}, Landroid/support/c/b;->a(Ljava/io/Closeable;)V .line 338 invoke-virtual {v2}, Ljava/io/File;->delete()Z throw v0 .line 329 :catchall_1 move-exception v0 :try_start_3 invoke-virtual {v3}, Ljava/util/zip/ZipOutputStream;->close()V throw v0 :try_end_3 .catchall {:try_start_3 .. :try_end_3} :catchall_0 .line 337 :cond_1 invoke-static {v1}, Landroid/support/c/b;->a(Ljava/io/Closeable;)V .line 338 invoke-virtual {v2}, Ljava/io/File;->delete()Z .line 340 return-void .end method this method is long as hell, doesn't seem to have any value or key like 0x7f050017 etc. Also, it didn't seem any intresting to me cause it didn't got any intresting .smali places like com/gamecreators/gamename, just android/support.
      Let's look at hit 2 first.
      .method public a()Z .locals 6 .prologue const/4 v1, 0x0 .line 34 new-instance v0, Ljava/util/zip/ZipFile; iget-object v2, p0, Lcom/companyname/test/e;->a:Landroid/content/Context; invoke-virtual {v2}, Landroid/content/Context;->getPackageCodePath()Ljava/lang/String; move-result-object v2 invoke-direct {v0, v2}, Ljava/util/zip/ZipFile;-><init>(Ljava/lang/String;)V .line 35 const-string v2, "classes.dex" <-----> invoke-virtual {v0, v2}, Ljava/util/zip/ZipFile;->getEntry(Ljava/lang/String;)Ljava/util/zip/ZipEntry; move-result-object v2 .line 36 const-string v3, "classes2.dex" <------> invoke-virtual {v0, v3}, Ljava/util/zip/ZipFile;->getEntry(Ljava/lang/String;)Ljava/util/zip/ZipEntry; move-result-object v3 .line 38 invoke-virtual {v0, v2}, Ljava/util/zip/ZipFile;->getInputStream(Ljava/util/zip/ZipEntry;)Ljava/io/InputStream; move-result-object v2 .line 39 invoke-virtual {v0, v3}, Ljava/util/zip/ZipFile;->getInputStream(Ljava/util/zip/ZipEntry;)Ljava/io/InputStream; move-result-object v0 .line 41 invoke-direct {p0, v2}, Lcom/companyname/test/e;->a(Ljava/io/InputStream;)Ljava/lang/String; move-result-object v3 .line 42 invoke-direct {p0, v0}, Lcom/companyname/test/e;->a(Ljava/io/InputStream;)Ljava/lang/String; move-result-object v0 .line 47 :try_start_0 invoke-direct {p0}, Lcom/companyname/test/e;->b()Ljava/security/PublicKey; move-result-object v2 .line 48 const v4, 0x7f050017 ### invoke-direct {p0, v4}, Lcom/companyname/test/e;->a(I)[B move-result-object v4 .line 49 const v5, 0x7f050016 ### invoke-direct {p0, v5, v4, v2}, Lcom/companyname/test/e;->a(I[BLjava/security/PublicKey;)Z :try_end_0 .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0 move-result v2 .line 51 if-eqz v2, :cond_1 .line 52 const v4, 0x7f050016 ### :try_start_1 invoke-direct {p0, v4, v3, v0}, Lcom/companyname/test/e;->a(ILjava/lang/String;Ljava/lang/String;)Z :try_end_1 .catch Ljava/lang/Exception; {:try_start_1 .. :try_end_1} :catch_1 move-result v0 .line 58 :goto_0 if-eqz v2, :cond_0 if-eqz v0, :cond_0 const/4 v1, 0x1 :cond_0 return v1 .line 55 :catch_0 move-exception v0 move v0, v1 :goto_1 move v2, v0 move v0, v1 goto :goto_0 :catch_1 move-exception v0 move v0, v2 goto :goto_1 :cond_1 move v0, v1 goto :goto_0 .end method This one gets intresting. Values are in this function marked with ### + the location (which I did rename) are intresting. com/companyname/test/e.
       
      Okay, I believe there are like 5 ways to bypass the check.
      I'm gonna tell you the most simple one.
       
      The function name, what does it say? (the beginning of code I added)
      .method public a()Z Z = BOOLEAN in smali.
       
      Let's look under the function name:
      .method public a()Z .locals 6 .prologue const/4 v1, 0x0 0x0 = false
      0x1 = true
       
      Since we're pretty sure the method is the crc protection, change 0x0 to 0x1.
      Recompile - sign & test.
       
      Why?
      .Method public a()Z translated should me something like: isOrignalClasses.Dex or hasNotBeenModified etc
      it automaticly returns to false, but we want it to true.
       
      Hope I explained it a bit well, it's complicated so hard to explain.
       
      Credit: @Ted2
       
    • By evildog1
      I have found a new way to decrypt .dll and other files using Termux. In this tutorial, I'll show you how to decrypt an encrypted .dll file
      Requirements:
      - Rooted device or Emulator. ARM or x86.
      - A powerful Android device: 1 GB RAM, 4 cores, 1.5 - 2.x GHz. If you have a low-end device, your device may freeze during dumping.
      - Available free space of Internal storage or Sdcard: 2 GB
      - Requires Android 5.0 and up. Works on Marshmallow 6.0.1. Termux will not work on 4.4.4 and below.
      - Termux app. It is avaliable on Play Store
      - Modified Winhex for Windows (free version will not work for this purpose).

      Hidden Content
      Like this post or reply to this topic to see the hidden content. More info Notes:
      There is no need PIE patching. gdb 7.12 natively support Android 5.0 and up
      If your device is running Kitkat 4.4.4 and below, please read my old tutorial:
      Using Android Emulator?
      Termux and GDB fully support x86, but Termux will not work on Kitkat 4.4.4 and below due to system limitation, so you have to use the following emulator that have Lollipop 5.0 ROM and above
      MEmu emulator running Lollipop CR5 (Recommended)
      Download Lollipop RC5 ROM:
      Hidden Content
      Like this post or reply to this topic to see the hidden content. More info How to setup Lollipop RC5 ROM: http://www.memuplay.com/blog/index.php/2017/03/11/memu-android-5-1-rc5-is-released/
      To transfer files to PC, just copy the file to /Sdcard/Download and the file will appear at C:\Users\<your name>\Downloads\MEmu Download\
      You can change the shared folder in MEmu settings.
      Remix OS player running Marshmallow
      Download: http://www.jide.com/remixos-player
      AMIDuOS running Lollipop (30 day trail)
      Download: http://www.amiduos.com/
      I'm not sure if other emulators support shared folder. Just find it yourself.
      Finding the package name of the app:
      Find the package name of the app you're going to hack!
      This will be required to find the app in the Terminal app we're going to use soon.
      It's usually called "com.DEVELOPER_CODE.GAME_CODE".
      You can find it going (with your browser) to the Google Play website, looking for the game you have installed on your device and then copying what's next to "id=".
      See screenshot:

      Alternatively, you can Install Package Name Viewer 2.0 from play store and you'll find the package name of any app you have installed on your device.

      If your device is running Cyanogenmod/Lineage OS, you can go to Settings -> Apps and then you'll find the package name of any app you have installed on your device.

      Termux setup and decryption:
      Open Termux. It should be very similar to the following one:



      Type the following commands:
      apt update Update package infomation
      apt-get update downloads the package lists from the repositories and "updates" them to get information on the newest versions of packages and their dependencies.
       
      apt install gdb tsu Install both gdb and tsu
      gdb is a process debugger
      tsu is a root mode for Termux.
      Press the home button and launch the game. Let the game fully load.
      Open multitask, and go back to Termux
      Type the following commands:
      su Enter Superuser mode
      Grant root access to enter superuser mode for your device when asked.
      dumpsys meminfo | grep com*
      Show process list
      This command will search for all the running processes starting with "com." (the * is a jolly symbol which means any letter/number/symbol). The package name of the game is always at top. Don't forget to write it down


      exit
      Exit Superuser mode
      tsu
      Enter root mode for Termux
      gdb -pid <pid>
      attach a process with gdb

      Example:
      gdb -pid 12345 Hit return to continue when asked.
      Do not worry about any warnings like these you may read in the Terminal app:


      gcore <path>
      save core file
      Example:
      gcore /sdcard/thegametodump Type Y when asked
      This will take 3-5 minutes. You device may freeze during dumping. Do not touch your device.
      quit
      quit gdb
      And deattach the process when asked
      Or you can exit Termux session from notification


      Connect your device to your computer and copy your dumped file, if the file does not appear, just create a folder and move the file. This way Windows should be able to see it
      Recover decrypted files using WinHex:
      Open Winhex.exe
      File -> Open... and select a dumped file
      Tools -> Disk Tools -> File Recovery by Type

      Click the "+" next to "Programs" (1) and check "Windows exec." (2). Now, select the folder where you want the new file to be generated under "Output Folder" (3).
      Ensure "Complere byte-level search" is checked (4) and then click "OK" (5).

      The file recover will now begin and, when it finished you'll get a message like this:

      Now, reach the location where you saved this file and delete all files with the ".com" extension. They're not needed and may only cause confusion.
      You can finally close WinHex.
      Happy modding!
      Credits:
      iAndroHacker
      x-ways devs (Winhex program)
      Fredrik (Termux app)
    • By evildog1
      Hi there,  
         
       
      I will show you how to decrypt and encrypted .dll file (when trying to MOD Unity based Android games) using Gcore dump and WinHex.  
       
         
       
      Before we start, how to check if a .dll file is encrypted?  
       
         
       
      Easy. When you open a .dll file into Reflector and you get:  
       
         
       
      "Assembly-CSharp (this could change, depending on the name of the file), File is not a portable executable. DOS header does not contain 'MZ' signature."  
       
         
       
      it means you have got an encrypted DLL!  
       
         
       
      See image:  
       
         
       
       
       
         
       
      It means the DLL file does not have a valid MZ/PE header so you can't open/modify it. DLL files require MZ/PE headers in order to view its content and, to prevent hacking, some game developers protect their game erasing these MZ/PE headers from some dll files.  
       
         
       
      Now let's start with the requirements!  
       
         
       
      First of all, you need:  
       
      1. To have some Android Hacking experiences (otherwise you will not understand a single word of this Topic)  
       
      2. A rooted Android device  
       
      3. .NET Reflector or JustDecompile installed on your computer (if you've got hacking experience, you should already have this tool)  
       
      4. A computer running at least Windows XP  
       
      5. A Rooted Android device (Works with BlueStacks) running Android 4.2.2 and newer versions. Previous version might not work.  
       
      Works with Bluestacks. Custom roms with Android 4.2.2+ based are supported  
       
      6. At least 1 GB of RAM on your Device. A minimum of 300-400 MB free RAM space is required  
       
      7. Latest verison of SuperSU or other Superuser apps  
       
      8. BusyBox for Android. Get it from HERE  
       
      9. Terminal app for Android. You can download it from HERE  
       
      10. gcore installed on your device. Download it from: HERE  
       
      11. Any file explorer app installed on your Android device. I'd recommended X-plore  
       
      12.[/url]Cracked version of WinHex (free version will not work for this purpose). Download it from HERE  
       
         
       
      Update your BusyBox and Superuser.  
       
      If you are using outdated version of BusyBox, SuperSU or other Superuser apps, you will need to update because older versions may cause problems. If you are using built-in cyanogenmod SuperUser, beware it's very unstable. Uninstall this and this abandoned superuser if you have one and install the popular Superuser apps, SuperSU, Kingroot, Kingoroot, iRoot, etc...  
       
         
       
      Most Superuser have an update check option in the settings, some of them don't. Simply open a setting and request an update, or manually update the app from the website.  
       
         
       
       
       
         
       
      Install BusyBox from the given link.  
       
         
       
      Open the app and grant Root permissions. Smart Install will slowly load and, when completely loaded, tap "Install". The BusyBox binaries will be now permanently installed on your device. You can close the app or even uninstall it. BusyBox is just the installer. See screen below if you need help.  
       
         
       
       
       
         
       
      Install gcore on your device  
       
      1) Download gcore to your device (using the link given at the top of this Topic)  
       
      2) Open your Root Explorer app  
       
      3) Copy the 2 files "gdb" and "gdbserver" included into the zip file  
       
      4) Paste them to /system/bin/ (in your INTERNAL ROOT memory -> system -> bin) Folder (of course you will need to grant root permissions to see that folder).  
       
      5) If asked, overwrite files.  
       
         
       
      Find the package name of the app you're going to hack!  
       
      This will be required to find the app in the Terminal app we're going to use soon.  
       
      It's usually called "com.DEVELOPER_CODE.GAME_CODE".  
       
         
       
      Method #1  
       
      You can find it going (with your browser) to the Google Play website https://play.google.com/, looking for the game you have installed on your device and then copying what's next to "id=".  
       
      See screenshot:  
       
         
       
       
       
         
       
      Method #2  
       
      Install Package Name Viewer app from playstore and find the game you are looking for  
       
         
       
       
       
         
       
      Method #3  
       
      For Cyanogenmod ROMs, you can go to "Settings" -> "Apps" and then you'll find the package name of any app you have installed on your device.  
       
         
       
       
       
         
       
      Decrypt a game with a Terminal app  
       
      First, reboot your phone  
       
      Install Terminal app (with the link above). Then launch and minimize the game with the decrypted .dll (otherwise you could not see it in the following step.)  
       
         
       
         
       
      Launch the Terminal and type:  
       
         
       
        su  
       
         
       
      Now hit Enter and grant Root Permissions for the Terminal app.  
       
         
       
       
       
         
       
      Your username will now start with "root@". This confirms you have now Root Permissions on the Terminal.  
       
         
       
        root@[member='YourName'] #  
       
         
       
         
       
       
       
         
       
      Now, type:  
       
         
       
        dumpsys meminfo  
       
         
       
      to show all the processes  
       
         
       
      or  
       
         
       
        dumpsys meminfo | grep com.*  
       
         
       
      This command will search for all the running processes starting with "com." (the * is a jolly symbol which means any letter/number/symbol)  
       
         
       
      or  
       
         
       
        dumpsys meminfo | grep th.*  
       
         
       
      This command will search for all the running processes starting with "th." (the * is a jolly symbol which means any letter/number/symbol)  
       
         
       
       
       
         
       
      Hit enter and you'll see a list of the running process of your device.  
       
      You will find the package name of the game with the encrypted dll too!  
       
         
       
      Using the game Crusaders Quest's as an example, you should see something like this:  
       
         
       
        118740 kB: com.nhnent.SKQUEST (pid 383 / activities)  
       
         
       
       
       
         
       
      If you have some problems searching for PID or if an app close after a few seconds and you dont have enough time to type in the code  
       
         
       
      You can use an APP called ProcessView , you can find it on Google Play Store  
       
      GooglePlay LINK: https://play.google.com/store/apps/details?id=jp.vviki.android.SysLoadLogger  
       
         
       
      Take note of the number next to "pid" (PID stands for "Process ID" and changes everytime a process starts). In my example, I'll take note of the number "383".  
       
         
       
      Now, using the PID you just noted, type:  
       
         
       
        gdb -pid xxxxx  
       
         
       
      (replacing "xxxxxx" with the PID number)  
       
         
       
      In my example, I'll use my Crusader Quest's PID (383).  
       
         
       
       
       
         
       
      Now hit Enter.  
       
         
       
      You'll wait few seconds and the Terminal will show:  
       
         
       
        (gdb)  
       
         
       
      in the Terminal app.  
       
         
       
      If you got "can' execute: permission denied" error, put this in Terminal  
       
         
       
        chmod 777 /system/bin/gdb && chmod 777 /system/bin/gdbserver  
       
         
       
      HAVE "ptrace: Operation not permitted" ERROR? PLEASE SEE THE TUTORIAL ABOUT BYPASSING THE "ptrace: Operation not permitted" ERROR  
       
         
       
      LINK TO TUTORIAL  
       
         
       
      We're almost done with Terminal. Now we do need to save the dumped file from the RAM storage we will use to get the decrypted dll into our /sdcard/ path. So, choose how to call this file (I will call it "nameoffile" as an example).  
       
         
       
      So, let's type:  
       
         
       
        gcore /sdcard/anynames  
       
         
       
      (replacing "nameoffile" with the name you decided to give to this file). See pic:  
       
         
       
       
       
         
       
      Hit enter and the Terminal will show empty line.. it's generating a very big dumped file so wait patiently until it completes this process. The file could be up to 1GB of size!!!  
       
         
       
         
       
       
       
         
       
      At the end of this process, you'll see:  
       
         
       
        Saved corefile /sdcard/xxxxxxxx  
       
         
       
       
       
         
       
      Of course, instead of "nameoffile" you will see the name of the file you chosen before.  
       
         
       
      Do not worry about any warnings like these you may read in the Terminal app:  
       
       
       
         
       
      after that, you succcessfully decrypted the game. Close the Terminal app.  
       
         
       
      They do not interfere in ANY way with the decryption of the .dll files.  
       
         
       
      Are you tired? Well, I've got a good new for you. You just decrypted the dll (well, every dll also if not encrypted will be "decrypted"! You're almost done. You just need few more steps and you'll be able to HACK your game! You can (finally) close the Terminal App!  
       
         
       
      Moving the file to your PC!  
       
         
       
      If you browse with your mobile to the path "/sdcard/", you will see the new big file but, since Windows can't see dump files, to move it to your PC you have two chances.  
       
         
       
      1) Enable USB Debugging (better in my opinion)  
       
         
       
      This way you'll see dump files from your PC. Go to Settings -> About Phone and tap on "Build Number" 7 times. You will unlock the "hidden" developer menu.  
       
         
       
       
       
         
       
      Now go will see "Developer Options" inside "Settings" of your device. Tap on it and check "USB Debugging".  
       
         
       
       
       
         
       
      OR  
       
         
       
      2) Moving this file to a folder  
       
         
       
      Create a folder on your /sdcard/ path and move this dumped file to the newly created folder. This way Windows should be able to see it.  
       
         
       
         
       
       
       
         
       
      So, if you chosen 1) or 2), now connect your device to your PC, go to the /sdcard/ directory and move the file (if you followed 1st option) or the folder (if you followed 2nd option)  
       
         
       
       
       
         
       
      Now copy the file to your computer  
       
         
       
      Using WinHex  
       
      Open the cracked WinHex (extract the downloaded .zip file and double-click on the "WinHex.exe" file. See pic:  
       
         
       
       
       
         
       
      Now take a look at the top of WinHex window and click "File" -> "Open" (see pic).  
       
         
       
       
       
         
       
      You will see the a dialog box similar to the following:  
       
         
       
       
       
         
       
      So, go to the folder where you copied the big file and click "Open".  
       
         
       
      Now, go to "Tools -> "Disk Tools" -> "File Recovery by Type..." (top of WinHex), like the following screenshot:  
       
         
       
       
       
         
       
      and a smaller window will pop-up. It should be very similar to the following one:  
       
         
       
       
       
         
       
      Click the "+" next to "Programs" (1) and check "Windows exec." (2). Now, select the folder where you want the new file to be generated under "Output Folder" (3).  
       
      Ensure "Complere byte-level search" is checked (4) and then click "OK" (5).  
       
         
       
      The file recover will now begin and, when it finished you'll get a message like this:  
       
         
       
       
       
         
       
      Now, reach the location where you saved this file and delete all files with the ".com" extension. They're not needed and may only cause confusion.  
       
         
       
      You can finally close WinHex.  
       
         
       
      Find the right dll  
       
         
       
      Now you do have a list of .dll files but... which one is encrypted? They have got weird names...  
       
      This step is important. You need to check which DLL is encrypted. Also, not just Assembly-Csharp.dll file can be encrypted. Other files can be encrypted too.  
       
         
       
      So, take out "Managed" folder from the APK file you want to MOD (it's located at /assets/bin/data/Managed/), select all the .dll files inside that folder and drag and drop them into the Reflector window like you usually do when you try to hack a Unity3D game. To see which DLL files are encrypted, click "No" when it ask you to reopen DLL files.  
       
         
       
       
       
         
       
      For example, Crusaders Quest has got 4 encrypted .dlls:  
       
         
       
        Assembly-CSharp.dll Assembly-CSharp-firstpass.dll Assembly-UnityScript.dll Assembly-UnityScript-firstpass.dll  
       
         
       
      Now, clear all opened DLL files from Reflector, go to the location where you recovered the files (with WinHex) and drag and drop all the .dll files. Click "No" if it does ask you to reopen DLL files in Reflector and ignore any dll error.  
       
         
       
      So, select a .dll file to show the name of the file and its location  
       
         
       
       
       
         
       
      For example, for Crusaders Quest we have got:  
       
         
       
        Assembly-CSharp.dll = 000034.dll Assembly-CSharp-firstpass.dll = 000030.dll Assembly-UnityScript.dll = 000028.dll Assembly-UnityScript-firstpass.dll = 000013.dll  
       
         
       
      So, rename all the .dll files that was encrypted and place them inside the extracted "Managed" folder. This way you'll replace original encrypted files with new decrypted ones.  
       
         
       
       
       
         
       
      Let's start modding!  
       
      Go to the "Managed" folder and move the newly decrypted .dll files inside Reflector or JustDecompile and enjoy modding the way you know!  
       
         
       
      if you do need help, please reply below!  
       
         
       
      Credits  
       
      iAndroHackerDK (For the tutorial)  
       
      SK H Nam A.K.A SKNAM (helped me with winhex)  
       
      SB (Fixed grammar)  
       
         
       
      IF YOU GOT "ptrace: Operation not permitted" ERROR, PLEASE SEE THE TUTORIAL ABOUT BYPASSING THE "ptrace: Operation not permitted" ERROR  
       
         
       
      LINK TO TUTORIAL  
       
         
       
      Tags:  
       
      File is not a portable executable. dos header does not contain 'mz' signature, How to decrypt dll file, Encrypted file, Assembly-Csharp.dll, Assembly-Csharp.dll file, Unity3D, Unity 3D games, File is not a portable executable  
    • By Kyle2100
      This Tutorial will show you how to install a newer firmware on a older Samsung Tablet that does not allow it
      why would i want this version?  This will make more apps compatible and improve the performance of the device.

      Hidden Content
      Like this post or reply to this topic to see the hidden content. More info
    • By Kyle2100
      This Tutorial will show you how to install newer firmware on a older Samsung Galaxy Tab that is stuck on 2.2 
      This will allow you to have more compatibility with apps and increase the performance
       
      How to Install Android 4.3.1 Jelly Bean PAC-Man [Build 1] Custom ROM on Verizon Samsung Galaxy Tab SCH-I800 [Tutorial]

      Hidden Content
      Like this post or reply to this topic to see the hidden content. More info
  • Recently Browsing   0 members

    No registered users viewing this page.


    • Administrators |
    • Global Moderators  |
    • Moderators  |
    • ViP |
    • Cheaters |
    • Modders  |
    • Novice Cheaters |
    • Rookie Modders |
    • Supporters  |
    • GFX Team  |
    • Senior Members |
    • Members |