Dump decrypted DLL file with IDA Pro

Sbenny.com is trusted by 1,312,823 happy users since 2014.
Register

AndnixSH

Savage Lv6️⃣
SB Mod Squad ⭐
Member for 8 years
Note: This tutorial was created by xiaobaiyey and written in chinese. This tutorial is poorly translated from Google Translation but i have fixed some grammar to make it easier to understand.

Previously I read an article by hook decrypting the encrypted dll Unity3D, recently new to dynamic, so they can try the next through IDA, the same as the shelling, dump the decrypted dll file, try the next, it really can, in here to share under

Requirements:
Tools: IDA6.6.
🔒 Hidden content
You need to Register or Login in order to view this content. Since you're viewing the AMP-accelerated version of our website which doesn't store login cookies, please scroll to the bottom of this page and click on the "View Non-AMP Version" button first, thanks!
Game: Monthly Dragon knife (just find a game)
Enable USB-debugging in Developer Options

Open lib in IDA:
Unzip lib folder from the APK, drag the file libmono.so to IDA
Several functions mainly in the upper and lower breakpoint (refer mono source )

Code:
mono_image_open_from_data_full
mono_image_open_from_data
mono_image_open_from_data_with_name
In a decryption process can about these function

View the final in front of a function call or mono_image_open_from_data_with_name,

Enable Developer Options:
If Developer Option does not show in settings, follow the steps below.
1. Open Settings > About
2. Then tap “Build number” seven times to enable Developer options....
3. Go back to Settings menu and now you'll be able to see “Developer options” there.
4. Tap it and turn on USB Debugging

Dynamic debugging:
If the app has anti-debugging, you need to skip meals to debug, the following brief dynamic debugging Preparations (there are many online tutorials dynamic debugging)

Get android_server file from IDA PRO 6.6\ida66\dbgsrv or download the file HERE!

Push android_server file to the phone

1:
Code:
adb push android_server /data/local/tmp/
2:
Code:
adb shell
3:
Code:
cd /data/data/tmp/
4:
Code:
chmod 777 android_server
5:
Code:
./android_server
Port Forwarding:
Code:
adb forward tcp:23946 tcp:23946
Debug startup app:
Code:
adb shell am start -D -n com.huiguan.qinglong.taiqi.dl/com.huiguan.qlyyd.UnityPlayerNativeActivity
Check the app's PID:

1.
Code:
adb shell
2.
Code:
ps | grep dl
Record the PID and Forwarding (pid can be seen in the ida)
Code:
adb forward tcp:8700 jdwp:PID
Setting ida (the main settings hostname: 127.0.0.1) and open the attach process (wait for the program to automatically break live, live off later)

Run app (in the f9 at ifa)
This time, open CMD.exe on Windows and run jdb debugger (Java debugger):
Code:
jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=8700
This time can be debugged
Run app will break on the linker



Then if the app is no anti-molestation: running directly f9
This window appears: same point



Wait a moment, will end on Linker , directly connected to f9 op row
If this window appears, select "yes (pass to app)" without waiting



Many may appear behind all this window select yes and then run f9
Finally broken in the mono_image_open_from_data_with_name, method
Loading is not the first time we want to skip dll



If you can not read f5 look at the source code, source code demonstrate this direct f5, where he rewrote momo source

Code:
int __fastcall mono_image_open_from_data_with_name (int a1, char * haystack, int a3, int a4, char a5, char * haystacka)
Several key parameters
Code:
// NT A1 read dll file offset address
// Char * haystack, DLL file size
// Char * haystacka , file name


This time following the R1 register to see the encrypted DLL file address, indicating the DLL has not yet begun to decrypt, decryption may later. And laid down the road to change a single note of each register after a simple loop

The dll decrypted
This time it decrypted DLL in memory,



This time it can have a dump,

Check Register Window: Find R6 and R11
The entire file offset start R6 = 7B95304C
End offset address R6 = R11 + 7B95304C + 3AF200 = 7BD0224C

Use; dump dex scripts

Code:
auto fp, dexAddress;
fp = fopen ( "D:\\Test.dll", "wb");
for (dexAddress = 0x7B95304C; dexAddress < 0x7BD0224C; dexAddress ++)
fputc (Byte(dexAddress), FP);
Under run on ok
Decryption out the effect,

Attach the original dll and decrypted dll

Credit:
xiaobaiyey
 

jampopoy

Novice Lv1️⃣
Member for 7 years
does this work on grand chase m game? please reply asap thanks
 

Sbenny

A crazy scientist
Staff member
Admin
SB Mod Squad ⭐
✔ Approved Releaser
Active User
I think the third step:

cd /data/data/tmp/

should be

cd /data/local/tmp/

and Step 5 can't be done, it's not well exaplained, making it impossible for us to do it.
 

Jamesmykil

Novice Lv1️⃣
Member for 7 years
I wanna learn how to do this on my own!!!
 

Sbenny

A crazy scientist
Staff member
Admin
SB Mod Squad ⭐
✔ Approved Releaser
Active User
ADB is constantly updated, you can download it from the official google android website.
 
Top