Mobile Legends Bang Bang reversing

tanis · May 10, 2019

I don't know if this is the right place to post this topic. If not, please move it to the right place

I would like to start a community effort to reverse Mobile Legends Bang Bang as I think there are quite some members of the forum that could jump in and fill the gaps. My main goal is to be able to dissect the game code. I'm using the Android version as a reference but it looks like it works the same way on iOS. So far what I can tell is the following:

the game is written in Unity3D
the actual game code sits in Lua files
the Lua files are probably encrypted because their file size is a multiple of 8 and there are good chances that the algorithm being used is AES (more on this later)
the C# DLLs have been encrypted and obfuscated
Moonton modified the original mono loader to actually decrypt and deobfuscate those DLLs while loading them into memory
there is another DLL inside assets/Any/android/MobaLogicAndroidData.unity3d and that DLL has been obfuscated and encrypted but it looks like it might slightly differ from the protection used with the other DLLs.

There are plenty of *.lua files in the assets/android/lua folder. While they should be text files with the actual game code, it clearly shows that they've been encrypted. Checking the file size I can assume that they're using some block cypher algorithm and I guess it's almost surely AES as that algorithm is also used to encrypt pieces of the C# DLLs.

I decompiled libmono.so, libmain.so, libunity.so, libunityx.so but I couldn't find any trace of the parts that should load the Lua files so far. What is clear is that the libmono.so has been modified because the C# DLLs in assets/bin/Data/Managed aren't standard .NET DLLs. They have their headers modified. Kao did a great job at analyzing them and finding out more about what's going on with them and I invite you to check his blog there: https://lifeinhex.com/unity3d-protection-in-moonton-games-part-2/

Basically the MS-DOS signature has been changed so that they know that the file is an encrypted DLL and if you replace it they just won't load it.

The PE header has been encrypted with a slightly modified version of AES -128.

The stream names have been changed and their size and data fields have been switched around. The size and data fields have been encoded.

The method header have been encoded and both tiny and fat methods have been slightly modified in the way they work.

What I'm trying to do now is to find out who's loading the Lua files and the decryption algorithm. It would be nice if we could join forces and get deeper with this. I'm looking forward for comments if you're interested