10 Dec 2018

Changes in Chrome 71 break Gmail.

I've complained about Chrome automatic updates before. I actually stayed on outdated Chrome 45 for a long time because I really needed NPAPI support to perform certain tasks. 

But a few months ago I decided to bite the bullet and "live a normal life". So, I enabled Google Chrome updates and crossed my fingers. It worked for some time. I got the awful "modern UI" and managed to turn it off. I got the automatic Chrome sign-in that nobody actually wants and Google retracted later. And I was able to turn it off too.

But now Chrome cannot open my Gmail account. WTF?

Can't sync to account.

When logging into Gmail it just pops up this message "Can't sync to account. Request cancelled."


19 Nov 2018

Unity3D/Mono protections, part 4

This part is more about my own failure than about Unity3D or Mono. I enjoy looking at Android game cheats and how they manage to exploit every single bug in the Mono engine used by Unity3D. And then I make an equally stupid bug in my fixer tool. How embarrassing! Oops.

Well, not really. I don't pretend to be perfect. I make mistakes just like everyone else and I have no problem admitting them. And hope that somebody else will learn from my mistakes, too.

So, today we'll look at a Vietnamese app that has a funny way to encrypt DLLs.

First, I'll show how the main module is encrypted in the original app. Then I'll analyze a modded version of the app on which my fixer tool failed miserably. Finally, I'll provide a fixed version for my tool.


12 Nov 2018

Unity3D protection in Moonton games

This is Part 3 of the series about tricks in PE file format used by Unity3D-based games and cheats.

In Part 1 I analyzed some basic tricks used by Android game modders and ways how to defeat them. In Part 2 I covered more tricks used by modding teams and traced their origins to obscure Chinese Android games.

This part will cover tricks used by game developer Moonton in their games.

All games use modified versions of libmono.so containing a few tricks that nobody else uses. Different versions of the libraries have slightly different ways of implementing these tricks; most of my analysis is based on Mobile Legends: Bang Bang v1.3.25.3323.


31 Oct 2018

Unity3D, Mono and invalid PE files, part 2

In the first part of the series I explained how some cheat authors try to protect their work against other cheaters. It was a quick introduction to Unity3D and bugs in Mono that cheat authors exploit.

Last week someone emailed me another example of a game cheat. My tool from the previous article failed to fix invalid metadata, so I decided to look at it again.

Cheats by BlackMod.net

The cheat I received was made by Mod4U from the BlackMod.net team. It appears that Mod4U is one of the most active members of the team, judging by the number of releases. His/her cheats use invalid PE file tricks and are encrypted, as you'll see later in the article.

After looking at different mods from other team members, I've confirmed that Rito, Aurora and Legend are also using invalid PE files for hiding their work. But none of their cheats encrypt Assembly-CSharp.dll.

So, let's look at the cheats and see what new tricks BlackMod team members have found!

18 Oct 2018

Why morons shouldn’t be writing about security, part 4

Yesterday I read an article on ZDNet called "Researcher finds simple way of backdooring Windows PCs and nobody notices for ten months" and it made me laugh hysterically.

Why? Because it's bloody nonsense from start to end.

Let's just look at the main claim in the article.

... in cases where a hacker has a foothold on a system --via either malware or by brute-forcing an account with a weak password-- the hacker can give admin permissions to a compromised low-level account, and gain a permanent backdoor with full SYSTEM access on a Windows PC.

What. The. Fuck.

30 Sep 2018

September update of unpackers

The last few months have been... extra busy. I survived an HDD crash, participated in the Flare-On reversing contest (and finished 4th!), and had quite fun projects at work, but all that is a matter for another story. Today I want to share with you a long-overdue update for the unpackers.

Enigma Virtual Box unpacker

  • Added support for Enigma Virtual Box v8.10, v8.20, v9.00 and v9.10.
  • Unpacker now restores file attributes and date/time. Be careful, unpacked files might have attributes "read only", "hidden", etc.!
  • Added validation of extracted folder/file names to prevent directory traversal attacks. It was on my todo list for a long time and all the media-craziness around Zip Slip finally forced me to do something about it.
  • Fixed warning message about TLS directory. Mea culpa.

Molebox Virtualization Studio unpacker

  • Fixed error "VFSDecrypt: failed to find STELPACK signature" on some data files.
  • Fixed error "SPack catalog not found or invalid. vfsrootsize=00000000" on some EXE files.
  • Fixed out-of-memory error when unpacking huge data files.
  • Unpacker now loads possible filenames from mole_dictionary.txt.

How to use mole_dictionary.txt

If you have a file which uses the "hide files" feature of Molebox VS, it only stores a hash of the filename; the original filenames are not stored anywhere. But if you have a good idea what the filename might be, you can add it to mole_dictionary.txt and my unpacker will use that for intelligent guessing.

15 May 2018

Unity3D, Mono and invalid PE files

Some time ago, Reoto asked a very nice question on Black Storm forum:

Can someone fix the .dll (.net) pe header to MS DOS?
How can I do that?
If you know about protecting .net files for Android, please help me.
I have another question.
Can I fix dnspy to resolve .dll pe header isn't .net?

Obviously, English is not the author's first language, but it seemed like an interesting problem, so I decided to look into it.

Here is one of the files in question: https://mega.nz/#!0g4VHaIR!KmpQirte4_3lv8MSxyjETiufjFGb-CITpFGrXwxSgGY

TL;DR: Mono loader used by Unity3D accepts invalid PE files. It can be used to break most .NET decompilers. dnlib and tools based on dnlib (dnSpy, de4dot) were updated on 20-Apr-2018 but the rest of the tools still can't handle such files.