Jump to content
  • 0

How could I dump this game?


Recommended Posts

  • 0
Posted (edited)

Forgot to mention since I can't edit the post anymore that I am downloading the game from ApkMirror. The apk is pretty well protected itself but the anti-cheat not that much lol.

Edited by BULLETBOT
  • 0
Posted

I've noticed that only the global-metadata.dat is encrypted.

When I looked into the metadata file, I found this https://imgur.com/a/XavBIBI from Hxd.

It has a "LIKEY" in it, it's probably encrypted because of the LIAPP which the game uses for anti-cheat.

Is there any way to decrypt it?

  • 0
Posted
4 hours ago, BULLETBOT said:

I've noticed that only the global-metadata.dat is encrypted.

When I looked into the metadata file, I found this https://imgur.com/a/XavBIBI from Hxd.

It has a "LIKEY" in it, it's probably encrypted because of the LIAPP which the game uses for anti-cheat.

Is there any way to decrypt it?

Hi, (having account auth sign-in problems, so messaging for now through other account, the administrator have been informed. Not sure how the issue will be fixed)

Can't help you with explaining about how encryption works but dumped the game for 64 bit, so the method i explain is for 64 bit. Have no idea if this works on other games. The actual metadata was located in other memory region then where the metadata path name was shown. Don't let it mislead you.

Did like the following.

  1. Search metadata.dat magic bytes.
    image.thumb.png.1d5f1eb377cab512157f4789381f451f.png
  2. Forgot how to accurately look for the correct metadata.dat size, so i did pointer search on the first(start) address, the offset +0x08 in data type Dword.
    image.thumb.png.5c8a1bf314b87c44696b2708710f538e.pngimage.thumb.png.1a4aa4a9a92b863067796aff319d210b.png
  3. One of the values is the metadata offset you can use for dump with GG. Don't use the values that are shown negative because metadata doesn't get that large(or have not seen yet) So the two that make most sense for try are the postivevalues with offset 0x0091C000 and 0x00A00000
  4. Use offset calculation on start address and save the address you jump to.
    image.thumb.png.8cd86d31be7ccbccfb10ec00897f2d3f.pngimage.thumb.png.595a6d8f81285aad499d85e86045b68a.png
    If you go a few address up, you can see already the end of the metadata.dat. So your offset 0x0091C000 was correct.
    image.thumb.png.6c496ea03781d42693447f8080bdb31f.png
  5. copy start address and address you jumped to, then dump it.
    image.thumb.png.313c91279ca501d35a9915493c1c3306.png

Also dump the libil2cpp.so file. Then use Il2CppDumperGUI.1.8.0 to get dump.cs. For input dump address you use start of libil2cpp.so address.
image.thumb.png.e39cd3dabfbe38c307cefa416b71ce9a.png

 

  • 0
Posted (edited)

Uh.. What do you mean by "Search metadata.dat magic bytes"? Sorry, I'm new to this stuff and the images doesn't load in 2nd step. Well anyways I can only bypass the game in 32bit but I can't in 64bit for some reason. How did you manage to select the game process without getting kicked out from the game in 64bit?

Edited by BULLETBOT
  • 0
Posted

Magic bytes can often be used to find the global-metadata in running process, see here more info: https://en.wikipedia.org/wiki/Magic_number_(programming)#In_files.

In this case it is the first 4 bytes of the metadata.dat. Should be like this:

image.thumb.png.a0b057a90562015d880d001ffbc52e68.png

Your case when you opened the global-metadata.dat from the directory the first 4 bytes where not AF 1B B1 FA, which is the magical bytes for global.metadata.dat. So it was encrypted or obfuscated or they did some changes with the header...etc, see here explanation about obfuscated/encrypted metadata.

If your not familiar with encryption/obfuscation you have to check for the metadata.dat and libil2cpp.so at runtime.
Searching for the magical bytes is a alternative way of searching for the correct global-metadata.dat (although this not work for every game, like genshin impact).

 

10 hours ago, BULLETBOT said:

How did you manage to select the game process without getting kicked out from the game in 64bit?

I open the game and then directly hide it on the background.

  • 0
Posted (edited)
2 hours ago, nok1a said:

Your case when you opened the global-metadata.dat from the directory the first 4 bytes where not AF 1B B1 FA, which is the magical bytes for global.metadata.dat. So it was encrypted or obfuscated or they did some changes with the header...etc

So should I replace the "LIKEY" to those bytes?

2 hours ago, nok1a said:

I open the game and then directly hide it on the background.

Oh, I see.

 

Also can you please record it for me, I don't really understand the process since i'm new to this. I tried the first step but I got like a lot of results from it.

Edited by BULLETBOT
  • 1
Posted
12 hours ago, BULLETBOT said:

How did you manage to select the game process without getting kicked out from the game in 64bit?

Liapp doesn't appear if i open GG just before the game opens. Has to be timed right. Then you can see that it takes the game longer before it loads. Dunno why. But Liapp will not appear.

Here, hope it helps. I took 32 bit in particular.


 

  • 0
Posted (edited)

Hm. The metadata is still protected. 

I'll show you the addresses and paste the metadata file here.

image.thumb.png.2c54febdcf830b6f74ee0a98f22a2d29.pngimage.thumb.png.a14776543d663af158e513a91c6a56a9.png

Edited by BULLETBOT
  • 0
Posted

You loaded the wrong metadata file in il2cppDumper. the one you gave me was the protected one. You need to load the metadata that you just dumped with gameguardian.

  • 0
Posted (edited)
12 minutes ago, BULLETBOT said:

That's what I did though.

If the one that you uploaded here is the same file as the one that you placed in il2cppDumper as in the screenshot than it means you placed the wrong metadata.dat file. It also says that it does not recognize it as a valid metadata. So if you dumped correctly with GG it means you selected the wrong file. 

Edited by nok1a
Typo
  • 0
Posted (edited)

I dumped the metadata file from the GG like you did in the video and yet I got the same error for some reason.

Edited by BULLETBOT
  • 0
Posted
24 minutes ago, BULLETBOT said:

I dumped the metadata file from the GG like you did in the video and yet I got the same error for some reason.

I'm quite positive it is a matter of selecting the right metadata. If it works for me it needs to work for you. 

Make a short video of when you dump libil2cpp.so and global-metadata.dat with Gameguardian and when you transfer the files from the emulator to the PC to then load it in il2cppDumper. 

Also open the metadata that you uploaded in il2cppDumper with HxD and send screenshot of the start of file.

If possible upload it to a YouTube channel because downloading video will take long time. I have very slow internet.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.