[TUTORIAL] How to decrypt Assembly-Csharp.dll file using gcore dump (for encrypted Unity3D games)

http://yotafiles.com/457257
Hi fans or modders

Today, i'm going to show you how to decrypt native Assembly-Csharp.dll file using gcore dump and winhex. since there is no tutorials, i decided to make my own tutorial so other peoples don't have to spend their time to teach peoples how to decrypt a native DLL file.

Why i can't open the DLL file on Reflector or JustCompile:
When you open a DLL file, you will see this error
 

The DLL file does not have MZ/PE headers so windows can't open it. DLL files need MZ/PE headers to be able to open the file. The game company used SecNeo to protect their game and erased MZ/PE headers from DLL file

What is MZ/PE headers?
See DOS MZ executeable on wiki
First, you need:
1. To be an android modder/hacker and CIL and C# knowledge.

2. NET Reflector or JustDecompile software


3. A computer running Windows XP/Vista/7/8/8.1/10

4. Device running Android 4.2.2 and never. previous version might not work. Works with Cyanogenmod 10+, SlimKat/lollipop, PAC... MIUI rom is untested

5. 800 MB of RAM or more. not recommended with 512 MB RAM

6. 300-400 MB free RAM space.

7. Latest verison of SuperSU or Kingroot

8. Latest version of busybox (Current version is 1.23.2-Stericson)


10. Any Unity3D games that is encrypted (Darkness Reborn, Crusaders Quest, Heroes, etc...)

11. gcore installed on your device. click here to download

12. Any root explorer app installed on your Android device. I recommended Root File Manager

(You can't get the Assembly-Csharp.dll file if you are using the free version of WinHex)

Update your busybox and superuser.
If you are using outdated busybox or superuser, you will need to update it for stabillity. older versions may cause problems. If you are using build-in cyanogenmod superuser, flash SuperSU. build-in superuser is very unstable. Uninstall this abandoned superuser if you have one


For kinguser. It will show a pop-up message about new version of Kinguser software. Press "update" to update it. You can check update manually by open Kinguser app -> Click on gear icon -> Click on Software version and it will update kinguser.


For SuperSU. If there is any update, It will ask you to update SuperSU binary and it will show it on the notification message. Click on it and it will ask you to update SuperSU binary normally or update it via TWRP/CWM. If you choose "normal", it will update it directly without having to reboot a device. if you choose "TWRP/CWM", the device will reboot into custom recovery, flash it and it will reboot your device again

http://www.jellydroid.com/wp-content/uploads/2014/06/SuperSU-update-su-binary.jpg

Install BusyBox from playstore. Open the app and grant root access. wait until smart install is fully loaded and you can tap "install". after that, close the app. you can keep the busybox installer or uninstall the busybox installer if you want. The app is just an installer. The busybox binaries are permanently installed on your device.


Install gcore on your device
You need any root explore installed on your device. I recommended Root File Manager

Download gcore to your device. open any root explorer. copy 2 files "gdb" and "gdbserver" and paste it on /system/bin/ (in ROOT memory -> system -> bin) folder







Remember the package name
You need to remember the package name of the game you are looking for so you can find the pid ID of the game in Terminal app

Method #1
go to https://play.google.com/search the game you are looking for and look at the URL for package name. See the screenshot below


Method #2
Install Package Name Viewer app from playstore and find the game you are looking for

 

Method #3
For Cyanogenmod users. You can go to settings -> apps -> (any apps) and you will see the package name below the title

 

Decrypt a game on rooted devices
Important: Reboot your phone and close all other running application and make sure you have enough RAM to perform decryption

Make sure you have Terminal app installed on your device. Open Terminal and type

su

hit enter and grant root access.


You will see

root@yourname:/ #

...in terminal.


type

dumpsys meminfo | grep com.*


hit enter and it will show the list of running process. find the package name that you are looking for and look at pid ID. Example Crusaders Quest's package name and pid ID.

118740 kB: com.nhnent.SKQUEST (pid 383 / activities)


Rembemer the pid ID and type

gdb -pid xxxxxx

and hit enter


example

gdb -pid 383

the symbols will be loaded and it will show
(gdb)

...in terminal.

type

gcore /sdcard/anynames


examples

gcore /sdcard/dump
gcore /sdcard/testingmyskill
gcore /sdcard/gcore
gcore /sdcard/samsunggalaxy
gcore /sdcard/darknessreborn

or whatever you want to name the file. hit enter and the terminal will show empty line like this




and wait.... until it says

Saved corefile /sdcard/xxxxxxxx
(gdb)



NOTE: IGNORE THE MEMORY READ FAILED ERRORS. IT DOES NOTHING AT ALL!

after that. you succcessfully decrypted the game. Close the terminal app.

Copy the file to your computer
On your device you will see dumped file on Sdcard/


but a problem is windows can't see the file


so you need to create a folder "a" on sdcard/, move the big dumped file to "a" folder and the windows can see it.



Now copy the file to your computer
 

Open Cracked Winhex
Open cracked Winhex on your computer. Click "File" -> "Open"


You will see the this dialog box. Go to the folder where you copied the file and open it


Go to "Tools -> "Disk Tools" -> "File Recovery by Type..."


and you will see this dislog box

Click "+" on programs and check "Windows exec.". Select your output folder and choose the folder you want to output. On drop-down, select "Complere byte-level search" and click OK


After recovering the files. You get this message

 

Go to the location where you recovered the files and delete all .COM files. You don't need it

Close Winhex

What DLL files are encrypted?
This is important. If you don't check what DLL files are encrypted. You might now be able to save DLL file with Reflexil because of missing / encrypted DLL files. You have to find out which DLL files are encrypted. Not just Assembly-Csharp.dll file. Other files can be encrypted too.

Take out "Managed" folder from the APK file (located at assets/bin/data/Managed) select all DLL files and drag and drop onto Reflector or JustDecompile to see which DLL files are encrypted. Click "No" when it ask you to reopen DLL files.


Crusaders Quest have 4 encrypted DLL files
Assembly-CSharp.dll
Assembly-CSharp-firstpass.dll
Assembly-UnityScript.dll
Assembly-UnityScript-firstpass.dll

Heroes only have 1 encrypted file
Assembly-CSharp.dll

Remember the DLL files you need for modding
Clear all opened DLL files from Reflector or JustDecompile. Go to the location where you recovered the files and drag and drop all DLL files. Click "No" when it ask you to reopen DLL files. ignore the DLL errors

Select the DLL file to show the name of the file and the location


Crusaders Quest:
Assembly-CSharp.dll = 000034.dll
Assembly-CSharp-firstpass.dll = 000030.dll
Assembly-UnityScript.dll = 000028.dll
Assembly-UnityScript-firstpass.dll = 000013.dll

Heroes:
Assembly-CSharp.dll = 000021.dll

Rename all DLL files that was encrypted and place it on extracted "Managed" folder


Let's start modding
Go to "Managed" folder and open Assembly-CSharp.dll file with Reflector or JustDecompile. Enjoy modding!

Questions?
If you have any question to this. Post a comment below and i will try to help you.

Does this tutorial confusing you? or does it make non-sense? i will fix the tutorial for you

Credits
iAndroHackerDK (For the tutorial)
SK H Nam A.K.A SKNAM (helped me with winhex)

some AndroidRepublic members for gcore tips
Thank you for reading the article about [TUTORIAL] How to decrypt Assembly-Csharp.dll file using gcore dump (for encrypted Unity3D games) on Android and IOS Hack blog if you want to disseminate this article are requested to include a link as the Source, and if this article useful please bookmark this page in a web browser you, by pressing Ctrl + D on your keyboard keys.

New Article :