Final release in 2018 fixes a bug that was reported by dehola.
Enigma Virtual Box unpacker
- Fixed detection of original TLS directory for some Delphi executables
My last posts about Unity3D/Mono protections gained a lot of attention. Unfortunately, they gained the wrong kind of attention and low-quality comments. So, I decided to make changes in the way these posts are made.
I have no agenda against game authors or any of the Android MOD teams. They just happen to use interesting protection mechanisms. And I like to take protections apart and describe HOW they work. So, the posts will be even more focused on HOW the protection works and how it can be defeated. Sometimes I'll make some code snippets available. But in any case, you will have to do your work to defeat the protection.
I made a big mistake releasing a compiled executable. It attracts crowds of Asian kids who are only able to drop a DLL on the compiled executable and complain that it did not magically fix everything. They have absolutely no interest in how the protection actually works.
To fix that, there will be no more ready-made tools. If you care about the protection, my blog has all the information you need to make your own tool. But if you need a ready-made, compiled tool, go somewhere else.
Yes, I'm always interested in new and innovative protections. If you tell me about such protection, I will be very happy. When I get some free time, I will look at it. If it's interesting enough, I will write about it.
But I will not crack the protection for you. And most certainly I will not do it on your schedule. So, don't bug me about that.
My free time is limited. I will read all comments and all emails. Someday. When I have free time.
So, do NOT bump your comments or your emails. If you haven't received a reply, your message was stupid and I decided to ignore it. Or perhaps I just haven't had time to read it and respond to it.
I got plenty of comments like "how do I use your tool?" or "I can't open file in dnSpy. Help!!!111".
First, read the bloody posts; they explain how my tools work and what the limitations are. Second, use Google. Third, read "How to Report Bugs Effectively". I can't magically solve all your problems - I need to see the actual file first.
Thank you for reading to the end, I really appreciate that. Please enjoy your stay here.
I've complained about Chrome automatic updates before. I actually stayed on outdated Chrome 45 for a long time because I really needed NPAPI support to perform certain tasks.
But a few months ago I decided to bite the bullet and "live a normal life". So, I enabled Google Chrome updates and crossed my fingers. It worked for some time. I got the awful "modern UI" and managed to turn it off. I got the automatic Chrome sign-in that nobody actually wants and Google retracted later. And I was able to turn it off too.
But now Chrome cannot open my Gmail account. WTF?
When logging into Gmail it just pops up this message "Can't sync to account. Request cancelled."
This part is more about my own failure than about Unity3D or Mono. I enjoy looking at Android game cheats and how they manage to exploit every single bug in the Mono engine used by Unity3D. And then I make an equally stupid bug in my fixer tool. How embarrassing!
Well, not really. I don't pretend to be perfect. I make mistakes just like everyone else and I have no problem admitting them. And hope that somebody else will learn from my mistakes, too.
So, today we'll look at the Vietnamese app that has a funny way to encrypt DLLs:
First, I'll show how the main module is encrypted in the original app. Then I'll analyze a modded version of the app on which my fixer tool failed miserably. Finally, I'll provide a fixed version for my tool.
This is Part 3 of the series about tricks in PE file format used by Unity3D-based games and cheats.
In Part 1 I analyzed some basic tricks used by Android game modders and ways to defeat them. In Part 2 I covered more tricks used by modding teams and traced their origins to obscure Chinese Android games.
This part will cover tricks used by game developer Moonton in their games:
All games use modified versions of libmono.so containing a few tricks that nobody else uses. Different versions of the libraries have slightly different ways of implementing these tricks; most of my analysis is based on Mobile Legends: Bang Bang v184.108.40.20623.
In the first part of the series I explained how some cheat authors try to protect their work against other cheaters. It was a quick introduction to Unity3D and bugs in Mono that cheat authors exploit.
Last week someone emailed me another example of a game cheat. My tool from the previous article failed to fix invalid metadata, so I decided to look at it again.
The cheat I received was made by Mod4U from the BlackMod.net team. It appears that Mod4U is one of the most active members of the team, judging by the number of releases. His/her cheats use invalid PE file tricks and are encrypted, as you'll see later in the article.
After looking at different mods from other team members, I've confirmed that Rito, Aurora and Legend are also using invalid PE files for hiding their work. But none of their cheats encrypt Assembly-CSharp.dll.
So, let's look at the cheats and see what new tricks BlackMod team members have found!
As requested by fury...
Yesterday I read an article on ZDNet called "Researcher finds simple way of backdooring Windows PCs and nobody notices for ten months" and it made me laugh hysterically.
Why? Because it's a bloody nonsense from start to end.
Let's just look at the main claim in the article.
... in cases where a hacker has a foothold on a system --via either malware or by brute-forcing an account with a weak password-- the hacker can give admin permissions to a compromised low-level account, and gain a permanent backdoor with full SYSTEM access on a Windows PC.
What. The. Fuck.
For the last few years I've been taking part in the FLARE-ON competition. This year I finished 4th - which is not bad at all.
Now that the challenge is over, it's fun to read all the solutions. Of course, there are official solutions - they explain what the challenge does and one way to solve it. Nice, but I want more.
Last few months have been... extra busy. I survived HDD crash, participated in Flare-On reversing contest (and finished 4th!), had quite fun projects at work - but all that is a matter of another story. Today I want to share with you a long-overdue update for unpackers.
If you have a file which uses the "hide files" feature of Molebox VS, it only stores a hash of the filename - original filenames are not stored anywhere. But if you have a good idea what the filename might be, you can add it to mole_dictionary.txt and my unpacker will use that for intelligent guessing.