[Fate/Grand Order] Assembly-Csharp decryption tutorial and discussion

Discussion in 'Public Mod / Hack Discussion' started by Yuki1308, May 22, 2016.

  1. Yuki1308

    As we already know, after v1.9.0, all the library files have been encrypted and we are no longer able to change them easily using .NET Reflector.

    After some research and thanks to Uncle_BoB's suggestion, I finally found a way to decrypt it, though it's not perfect.
    Hope it can help you guys :D

    So let's get started.

    * Tools that we need:
    - CFF Explorer.
    - HxD
    - .NET Reflector with Reflexil.

    Just google for the download links.

    Step by step.

    1- Extract the APK files. Go to the location of Assembly-CSharp.dll and open it with CFF Explorer.
    2- Go to the ".NET Directory" section, you will see something like this.

    [​IMG]

    3- Take a look at that "MetaData RVA". If you open this file in .NET Reflector, it will show you some error like this.

    [​IMG]

    4- Now, change that MetaData RVA from E9AAC908 to 001AF31C (I will tell the reason later).
    Save it and re-open.

    [​IMG]

    5- Now go to the "MetaData Header" section; at "Signature", change the Value to 424A5342 (this is the string "BSJB" in hex).

    [​IMG]

    6- Go to "MetaData Streams" and add 4 to each offset. You will have something like this.

    [​IMG]

    7- Save it. Now open it again with .NET Reflector and see the miracle. But do not feel happy yet; now the real hell comes if you want to mod.

    8- If you try to open any function inside Assembly-CSharp.dll via .NET Reflector, it will give you an error like in this picture and won't show any OP codes.

    [​IMG]

    9- So what do we do now?
    This time, I will use the method "setTimeAcceleration" as an example. You can do the same for others.
    Choose it, take a look at the Reflexil window, go to the Attribute tab and check the RVA field.

    [​IMG]

    10- Back in CFF, go to "Section Headers [x]" and look at the 2 values in the "Virtual Address" and "Raw Address" columns of the ".text" row.

    [​IMG]


    11- The common formula is: Physical Address = RVA - Virtual Address + Raw Address + [X]
    In this case, the Physical Address for that function is C8DC0 - 2000 + 200 + C = C6FCC
    C8DC0 = 822720 in hex

    ( For the number [X], I cannot fully explain it, because it can have many values. For example, when I search for the method "getBaseATK", the number [X] must be 1 so it can fit the Physical Address that we need to change, but for the method "setTimeAcceleration", [X] = 12 = C in hex. This number I got after many calculations, hope someone can explain this. )

    12 - Go back to .NET Reflector, still in the Reflexil window, go to the Instruction tab. You will notice that the OP codes are somehow still familiar from the previous version.
    As for the "setTimeAcceleration" function, we need to change the OP code in the following 2 parts.

    [​IMG]

    Look at that offset. Now, we need to re-calculate the address that we need to change.

    C6FCC + 6D = C7039

    [​IMG]

    Voila~
    In case you need, here is the speed change function.

    1x - 22 00 00 80 3f
    2x - 22 00 00 00 40
    3x - 22 00 00 40 40
    4x - 22 00 00 80 40
    5x - 22 00 00 a0 40
    10x - 22 00 00 20 41

    Good luck.

    P/s: This isn't the only way to mod, as it's not perfect, so I hope someone might give us a better solution.
     
    #1 Yuki1308, May 22, 2016
    Last edited: May 22, 2016
    typeMARS, MGM, mazzod and 4 others like this.
  2. NEMESIS

    I need more explanation about this.
    We know it's not only Assembly-CSharp that will show an issue like that. So what if we want to mod the other files? Should we use that code also, or do we need different code?
    How do we calculate it?
    Teach me how to open it (for example).
    Thank you.
     
    #2 NEMESIS, Jun 7, 2016
    Last edited: Jun 7, 2016
  3. Yuki1308

    @NEMESIS Thanks for reminding me.
    Totally forgot about it.
    Anyway, here is the reason.

    If you open the file libsmono.so with IDA and search for usages of the function mono_cli_rva_image_map,
    you may find something like this.

    [IMG]

    The mono_cli_rva_image_map function is responsible for changing the RVA address of the output files. In this case, it does an "XOR" with E9B03A28, and we will have E9AAC908 XOR E9B03A28 = 001AF320.
    But this isn't the address we need.
    For .NET Reflector to be able to read it, the file must contain the 4-byte header signature (BSJB - because the dev deleted it).
    So, in order to create it, you have to reduce the address by 4 bytes, which means 001AF320 - 4 = 001AF31C.

    That's all, there's nothing special about this part. But note that, for FGO, from v1.10, they added new protection, so this method can now only make the files "openable", but you cannot see and change functions.
    For other games, I don't know if it can change since I don't play many games. :D
     
    iAlex, NEMESIS and BTG like this.
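
As an added example (not part of the original posts), the two symptoms described in this thread, a MetaData RVA that maps to no section and a metadata root without the BSJB signature, can be checked during static triage of a .NET assembly. The section sizes and the image buffer are constructed for the example; only the RVA values and the .text addresses come from the posts.

```python
import struct

BSJB = 0x424A5342  # little-endian dword; on disk the bytes spell "BSJB"

# Constructed section table: (name, virtual address, virtual size,
# raw address, raw size). Only the two .text addresses are from the thread.
SECTIONS = [(".text", 0x2000, 0x200000, 0x200, 0x200000)]

# Constructed, truncated image with a valid metadata root at offset 0x300.
IMAGE = bytearray(0x600)
struct.pack_into("<I", IMAGE, 0x300, BSJB)


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section table (None if unmapped)."""
    for _name, vaddr, vsize, raw, raw_size in sections:
        if vaddr <= rva < vaddr + vsize:
            delta = rva - vaddr
            # Bytes beyond the raw size exist only in memory, not in the file.
            return raw + delta if delta < raw_size else None
    return None


def check_metadata_root(image, sections, metadata_rva):
    """Return findings; an empty list means the metadata root looks standard."""
    off = rva_to_offset(sections, metadata_rva)
    if off is None:
        return [f"MetaData RVA {metadata_rva:08X} maps to no section"]
    if off + 4 > len(image):
        return [f"MetaData RVA {metadata_rva:08X} points past end of file"]
    (sig,) = struct.unpack_from("<I", image, off)
    if sig != BSJB:
        return [f"signature {sig:08X} at file offset {off:X} is not BSJB"]
    return []


if __name__ == "__main__":
    # E9AAC908 is the stored value from the thread; 0x2100 and 0x2200 are
    # constructed RVAs with and without a signature behind them.
    for rva in (0xE9AAC908, 0x2100, 0x2200):
        print(f"{rva:08X}", check_metadata_root(IMAGE, SECTIONS, rva) or "ok")
```
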
  4. NEMESIS

    Well.. this looks like I have been chatting with the game maker ( o_o)

    Now I know how it works. Thanks again @Yuki1308
     
    #4 NEMESIS, Jun 8, 2016
    Last edited: Jun 8, 2016