Unity3D protection in Moonton games

This is Part 3 of the series about tricks in PE file format used by Unity3D-based games and cheats.

In Part 1 I analyzed some basic tricks used by Android game modders and ways how to defeat them. In Part 2 I covered more tricks used by modding teams and traced their origins to obscure Chinese Android games.

This part will cover tricks used by game developer Moonton in their games:

Mobile Legends: Bang Bang
Mobile Battleground - Blitz
Mobile Battleground: Frontline (currently removed from Google Play)
Hoop Legends: Slam Dunk
Puzzle Ark

All games use modified versions of libmono.so containing few tricks that nobody else uses. Different versions of libraries have slightly different ways of implementing these tricks, most of my analysis is based on Mobile Legends: Bang Bang v1.3.25.3323.

Changed DOS signature

First thing you'll notice is that the normal MZ signature is missing in the Assembly-CSharp.dll and other DLLs.

That is because method mono_image_load_pe_data was changed to check for "ER" instead:

memcpy (&msdos, image->raw_data + offset, sizeof (msdos));

if (!(msdos.msdos_sig [0] == 'E' && msdos.msdos_sig [1] == 'R'))
   goto invalid_image;
....

Changed .NET metadata stream names, offsets and sizes

Another trivial change is done inside load_metadata_ptrs - all stream names have "#" replaced with "$". So, instead of "#Blob" stream, you have "$Blob", and so on.

To accomplish that, load_metadata_ptrs was changed like this:

for (i = 0; i < streams; i++){
   if (strncmp (ptr + 8, "$~", 3) == 0){
   ....
   } else if (strncmp (ptr + 8, "$Strings", 9) == 0){
   ....
   } else if (strncmp (ptr + 8, "$US", 4) == 0){
   ....
   } else if (strncmp (ptr + 8, "$Blob", 6) == 0){
   ....
   } else if (strncmp (ptr + 8, "$GUID", 6) == 0){
....

Obfuscated .NET metadata stream offsets and sizes

Final change is the most interesting one - Moonton has decided to obfuscate all .NET metadata stream offsets and sizes. They chose to use simple "binary NOT" operation - but it works really well. 🙂

Compare original load_metadata_ptrs in Mono code:

for (i = 0; i < streams; i++){
   if (strncmp (ptr + 8, "#~", 3) == 0){
      image->heap_tables.data = image->raw_metadata + read32 (ptr);
      image->heap_tables.size = read32 (ptr + 4);
      ptr += 8 + 3;
   } else if (strncmp (ptr + 8, "#Strings", 9) == 0){
....

and decompiled code from libmono.so

for (i = 0; i < streams; i++){
   if (strncmp (ptr + 8, "$~", 3) == 0){
      image->heap_tables.data = ~read32 (ptr) + image->raw_metadata;
      image->heap_tables.size = ~read32 (ptr + 4);
      ptr += 11;
   } else if (strncmp (ptr + 8, "$Strings", 9) == 0){
....

In a different version of libmono.so from Puzzle Ark v1.0.21, both standard and hacked PE files are supported:

if ( msdos.msdos_sig[0] != 0x4D || msdos.msdos_sig[1] != 0x5A )
{
   for ( i = 0; streams > i; ++i )
   {
      if ( !strncmp(ptr + 8, "$~", 3u) )
      {
         image->heap_tables.data = image->raw_metadata + ~read32 (ptr);
         image->heap_tables.size = ~read32 (ptr + 4);
         ptr += 11;
      }
      else if ( !strncmp(ptr + 8, "$Strings", 9u) )
      ....
   }
}
else
{
   for ( i = 0; streams > i; ++i )
   {
      if ( !strncmp(ptr + 8, "#~", 3u) )
      {
         image->heap_tables.data = image->raw_metadata + read32 (ptr);
         image->heap_tables.size = read32 (ptr + 4);
         ptr += 11;
      }
      else if ( !strncmp(ptr + 8, "#Strings", 9u) )
....

Update of my tool

All of Moonton's tricks are very easy to revert. For example, fixing DOS header is a matter of 3 extra lines:

var dosHeader = stream.ReadStruct();

// Check for Moonton protection
if (dosHeader.e_magic == 0x5245)
{
   Console.WriteLine("[!] Fixing wrong MZ signature (Moonton games).");
   stream.WriteStruct(0, IMAGE_DOS_HEADER.IMAGE_DOS_SIGNATURE);
}
else if (dosHeader.e_magic != IMAGE_DOS_HEADER.IMAGE_DOS_SIGNATURE)
{
   Console.WriteLine("[x] Not a MZ/PE file. Can't help you with that");
   return;
}

Similarly, a check for .NET metadata stream names can be implemented.

Here you can download updated tool + source code:

Special thanks to Yuuki Kuroyama for bringing my attention to this protection.

11 thoughts on “Unity3D protection in Moonton games”

Anon

2018-11-13 at 14:39

A question, what program do you use to decompile libmono.so file?
1. kao
  
  2018-11-13 at 17:40
  
  I'm using IDA 7.0. Free version allows only disassembly of x64; for ARM support and decompilation you need a full version (which can be easily found on Google..)
hannah

2018-11-15 at 10:44

I send you message in gmail. Please see this. Btw this os the file i need to fix and decrypt the dll .{hidden link}
1. kao
  
  2018-11-15 at 20:23
  
  I already answered to your email, but here it is again for completeness:
  
  It takes a lot of time to analyze a native protection like the one in libplatinmods.so. I will look at it someday - but I can't promise anything soon.
hannah

2018-11-16 at 04:38

Thanks for your hardwork and time for this,. BTW can you send me how you unlocked the second dll i send you before in email since i decrypt it but not yet fully unlocked > its from blackmod. Thanks again
hannah

2018-11-18 at 04:01

Please see my message in gmail. Thank you.
1. kao
  
  2018-11-18 at 22:31
  
  Please, there is no need to send me reminders every day.
  
  I will answer to your email when I have some free time to do that.
hannah

2018-11-18 at 23:55

Thanks admin. Hope you got free time . sorry if i bothered you.
MoreFun

2018-11-22 at 14:15

Amazing work. author please check my DLL . i cant unlock it. and also i send email to you. {hidden link}

APK full : {hidden link}

This game had xigncode . Please mind to check where they change it. Thank You.
unknown

2018-12-11 at 08:17

Please Check my email mr Kao .
kao

2018-12-11 at 22:11

Comments disabled. Read about the reasons here: https://lifeinhex.com/changes-in-the-blog/

Comments are closed.