12 Nov

Unity3D protection in Moonton games

This is Part 3 of the series about tricks in PE file format used by Unity3D-based games and cheats.

In Part 1 I analyzed some basic tricks used by Android game modders and ways how to defeat them. In Part 2 I covered more tricks used by modding teams and traced their origins to obscure Chinese Android games.

This part will cover tricks used by game developer Moonton in their games:

All games use modified versions of libmono.so containing few tricks that nobody else uses. Different versions of libraries have slightly different ways of implementing these tricks, most of my analysis is based on Mobile Legends: Bang Bang v1.3.25.3323.

Changed DOS signature

First thing you'll notice is that the normal MZ signature is missing in the Assembly-CSharp.dll and other DLLs.


That is because method mono_image_load_pe_data was changed to check for "ER" instead:

Changed .NET metadata stream names, offsets and sizes

Another trivial change is done inside load_metadata_ptrs - all stream names have "#" replaced with "$". So, instead of "#Blob" stream, you have "$Blob", and so on.

To accomplish that, load_metadata_ptrs was changed like this:

Obfuscated .NET metadata stream offsets and sizes

Final change is the most interesting one - Moonton has decided to obfuscate all .NET metadata stream offsets and sizes. They chose to use simple "binary NOT" operation - but it works really well. smile

Compare original load_metadata_ptrs in Mono code:

and decompiled code from libmono.so

In a different version of libmono.so from Puzzle Ark v1.0.21, both standard and hacked PE files are supported:

Update of my tool

All of Moonton's tricks are very easy to revert. For example, fixing DOS header is a matter of 3 extra lines:

Similarly, a check for .NET metadata stream names can be implemented.

Here you can download updated tool + source code:

Special thanks to Yuuki Kuroyama for bringing my attention to this protection.

11 thoughts on “Unity3D protection in Moonton games

    • I'm using IDA 7.0. Free version allows only disassembly of x64; for ARM support and decompilation you need a full version (which can be easily found on Google..)

  1. I send you message in gmail. Please see this. Btw this os the file i need to fix and decrypt the dll .{hidden link}

    • I already answered to your email, but here it is again for completeness:

      It takes a lot of time to analyze a native protection like the one in libplatinmods.so. I will look at it someday - but I can't promise anything soon.

  2. Thanks for your hardwork and time for this,. BTW can you send me how you unlocked the second dll i send you before in email since i decrypt it but not yet fully unlocked > its from blackmod. Thanks again

    • Please, there is no need to send me reminders every day.

      I will answer to your email when I have some free time to do that.

  3. Amazing work. author please check my DLL . i cant unlock it. and also i send email to you. {hidden link}

    APK full : {hidden link}

    This game had xigncode . Please mind to check where they change it. Thank You.

Comments are closed.