How could I dump this game?

[BULLETBOT]

Hello, the game I've been trying to dump is "Legend of Slime: Idle RPG"

I've tried these links but didn't work.
https://platinmods.com/threads/how-to-use-auto-il2cppdumper-to-dump-protected-il2cpp-games-no-magisk-zygisk.134194/#fromHistory

https://platinmods.com/threads/how-to-dump-protected-libil2cpp-libue4-game-metadata-file-and-other-non-unity-games-new-method.129433/#fromHistory

https://platinmods.com/threads/how-to-use-zygisk-il2cppdumper-to-dump-il2cpp-games-magisk-24-and-up.157221/

https://platinmods.com/threads/il2cppdumper-gui-tool-windows.7511/

https://il2cppdumper.com/the-dumper-tool#

And also decompiling the apk with Apktool doesn't work too. How can I somehow dump the game ?

Edited February 28 by BULLETBOT

[nok1a]

12 hours ago, BULLETBOT said:

How did you manage to select the game process without getting kicked out from the game in 64bit?

Liapp doesn't appear if i open GG just before the game opens. Has to be timed right. Then you can see that it takes the game longer before it loads. Dunno why. But Liapp will not appear.

Here, hope it helps. I took 32 bit in particular.

 

[BULLETBOT]

Forgot to mention since I can't edit the post anymore that I am downloading the game from ApkMirror. The apk is pretty well protected itself but the anti-cheat not that much lol.

Edited February 28 by BULLETBOT

[BULLETBOT]

I've noticed that only the global-metadata.dat is encrypted.

When I looked into the metadata file, I found this https://imgur.com/a/XavBIBI from Hxd.

It has a "LIKEY" in it, it's probably encrypted because of the LIAPP which the game uses for anti-cheat.

Is there any way to decrypt it?

[nok1a]

4 hours ago, BULLETBOT said:

I've noticed that only the global-metadata.dat is encrypted.

When I looked into the metadata file, I found this https://imgur.com/a/XavBIBI from Hxd.

It has a "LIKEY" in it, it's probably encrypted because of the LIAPP which the game uses for anti-cheat.

Is there any way to decrypt it?

Hi, (having account auth sign-in problems, so messaging for now through other account, the administrator have been informed. Not sure how the issue will be fixed)

Can't help you with explaining about how encryption works but dumped the game for 64 bit, so the method i explain is for 64 bit. Have no idea if this works on other games. The actual metadata was located in other memory region then where the metadata path name was shown. Don't let it mislead you.

Did like the following.

1. Search metadata.dat magic bytes.
   
2. Forgot how to accurately look for the correct metadata.dat size, so i did pointer search on the first(start) address, the offset +0x08 in data type Dword.
   
3. One of the values is the metadata offset you can use for dump with GG. Don't use the values that are shown negative because metadata doesn't get that large(or have not seen yet) So the two that make most sense for try are the postivevalues with offset 0x0091C000 and 0x00A00000
4. Use offset calculation on start address and save the address you jump to.
   
   If you go a few address up, you can see already the end of the metadata.dat. So your offset 0x0091C000 was correct.
   
5. copy start address and address you jumped to, then dump it.
   

Also dump the libil2cpp.so file. Then use Il2CppDumperGUI.1.8.0 to get dump.cs. For input dump address you use start of libil2cpp.so address.

 

[BULLETBOT]

Uh.. What do you mean by "Search metadata.dat magic bytes"? Sorry, I'm new to this stuff and the images doesn't load in 2nd step. Well anyways I can only bypass the game in 32bit but I can't in 64bit for some reason. How did you manage to select the game process without getting kicked out from the game in 64bit?

Edited March 2 by BULLETBOT

[nok1a]

Magic bytes can often be used to find the global-metadata in running process, see here more info: https://en.wikipedia.org/wiki/Magic_number_(programming)#In_files.

In this case it is the first 4 bytes of the metadata.dat. Should be like this:

Your case when you opened the global-metadata.dat from the directory the first 4 bytes where not AF 1B B1 FA, which is the magical bytes for global.metadata.dat. So it was encrypted or obfuscated or they did some changes with the header...etc, see here explanation about obfuscated/encrypted metadata.

If your not familiar with encryption/obfuscation you have to check for the metadata.dat and libil2cpp.so at runtime.
Searching for the magical bytes is a alternative way of searching for the correct global-metadata.dat (although this not work for every game, like genshin impact).

 

10 hours ago, BULLETBOT said:

How did you manage to select the game process without getting kicked out from the game in 64bit?

I open the game and then directly hide it on the background.

[BULLETBOT]

2 hours ago, nok1a said:

Your case when you opened the global-metadata.dat from the directory the first 4 bytes where not AF 1B B1 FA, which is the magical bytes for global.metadata.dat. So it was encrypted or obfuscated or they did some changes with the header...etc

So should I replace the "LIKEY" to those bytes?

2 hours ago, nok1a said:

I open the game and then directly hide it on the background.

Oh, I see.

 

Also can you please record it for me, I don't really understand the process since i'm new to this. I tried the first step but I got like a lot of results from it.

Edited March 2 by BULLETBOT

[BULLETBOT]

Thank you, I'll watch the video. If it works, I'll mark it as a best answer.

[nok1a]

Sure, if any questions just post.

Edited March 2 by nok1a
correction

[BULLETBOT]

Hm. The metadata is still protected. 

I'll show you the addresses and paste the metadata file here.

Edited March 2 by BULLETBOT

[nok1a]

You loaded the wrong metadata file in il2cppDumper. the one you gave me was the protected one. You need to load the metadata that you just dumped with gameguardian.

[BULLETBOT]

That's what I did though.

[nok1a]

12 minutes ago, BULLETBOT said:

That's what I did though.

If the one that you uploaded here is the same file as the one that you placed in il2cppDumper as in the screenshot than it means you placed the wrong metadata.dat file. It also says that it does not recognize it as a valid metadata. So if you dumped correctly with GG it means you selected the wrong file. 

Edited March 2 by nok1a
Typo

[BULLETBOT]

I dumped the metadata file from the GG like you did in the video and yet I got the same error for some reason.

Edited March 2 by BULLETBOT

[nok1a]

24 minutes ago, BULLETBOT said:

I dumped the metadata file from the GG like you did in the video and yet I got the same error for some reason.

I'm quite positive it is a matter of selecting the right metadata. If it works for me it needs to work for you. 

Make a short video of when you dump libil2cpp.so and global-metadata.dat with Gameguardian and when you transfer the files from the emulator to the PC to then load it in il2cppDumper. 

Also open the metadata that you uploaded in il2cppDumper with HxD and send screenshot of the start of file.

If possible upload it to a YouTube channel because downloading video will take long time. I have very slow internet.