Solved Decrypt and modify file (unity3d game)

[serk11]

Hello, I currently plan to modify the files that are loaded by this game: HATSUNE MIKU: COLORFUL STAGE! – Applications sur Google Play

My goal is to modify the dialogues which are stored in downloadable files after installing the game.

These files are stored in: /storage/emulated/0/Android/data/com.sega.ColorfulStage.en/files/data

I was able to understand that they were here because when downloading new dialogs files were added to this folder.

In this folder there are many other folders with a tree structure like this:

In these folders is one to several files, with names like this:

I attach to my post an example file (0b82.rar)

I would like to be able to decrypt these files and encrypt them so as to have in the game a modification of dialogue or image for example.

After research I found that it was surely necessary to decompile using the libil2cpp and global-metadata.dat files and with this find the function which decrypts the file and potentially understand how to do the manipulation manually.

I managed to get a dump.cs with the list of addresses and names of functions in the application, but I don't have the contents of the functions.

I'm not at all sure if I'm on the right track to figure out how to decrypt my files and would like your help in figuring out how to do this.
Thanks to anyone who takes the time to respond to my post.

 

[Kaorin333]

be happy with the dump.cs but there is no way in decrypting more of it. the real names of the functions are gone.

 

[serk11]

thank you for your reply, what I want is to be able to decrypt these files, isn't there a way to find a way to decrypt them manually without going through the game?

 

[Kaorin333]

if you wanna decrypt the strings then yes, with ida.
if you wanna have the functions names. NO. NEVER.

if you wanna decypt globalmeta or il2cpp you need to find probalbly in libunity, where the il2cpp gets loaded... and so on, you need to follow it by your own over ida to see when it gets decrypted.

 

[xyzhunter]

modify dialogue ? trying translation ?
not sure but try this :

DevX Mega Guide (OBB & Bundle Modding + More) - Platinmods.com - Android & iOS MODs, Mobile Games & Apps

I hate writing with a burning passion of a thousand suns, but here it goes. I'll keep this as dumbed-down and straightforward as possible. Wtf is DevX? DevX is a very powerful and useful tool for Unity and Unreal Engine modding and analysis. Why use DevX? Restore C# Source (as much as it's...

platinmods.com

i can't use this tools since my laptop not support it.
you can ask hiyal for detail
sorry

 

[serk11]

Thank you very much for this software proposal, it is indeed very complete but unfortunately it does not show me the code that could help me decrypt my files (which are out of apk)

All .cs files have no code.
I also tried to decrypt my files directly with the software but it does not seem to have this possibility.
Surely this would have worked if the files weren't separated from the apk and if it wasn't encrypted.


I redid research in the dump.cs that I had been able to extract, I think that the function which decrypts the files in the memory is in there:

// Dll : mscorlib.dll
// Namespace: System.Security.Cryptography
public sealed class RijndaelManagedTransform : ICryptoTransform, IDisposable
{
    // Fields
    private CipherMode m_cipherMode; // 0x10
    private PaddingMode m_paddingValue; // 0x14
    private RijndaelManagedTransformMode m_transformMode; // 0x18
    private Int32 m_blockSizeBits; // 0x1c
    private Int32 m_blockSizeBytes; // 0x20
    private Int32 m_inputBlockSize; // 0x24
    private Int32 m_outputBlockSize; // 0x28
    private Int32[] m_encryptKeyExpansion; // 0x30
    private Int32[] m_decryptKeyExpansion; // 0x38
    private Int32 m_Nr; // 0x40
    private Int32 m_Nb; // 0x44
    private Int32 m_Nk; // 0x48
    private Int32[] m_encryptindex; // 0x50
    private Int32[] m_decryptindex; // 0x58
    private Int32[] m_IV; // 0x60
    private Int32[] m_lastBlockBuffer; // 0x68
    private Byte[] m_depadBuffer; // 0x70
    private Byte[] m_shiftRegister; // 0x78
    private static readonly Byte[] s_Sbox; // 0x0
    private static readonly Int32[] s_Rcon; // 0x8
    private static readonly Int32[] s_T; // 0x10
    private static readonly Int32[] s_TF; // 0x18
    private static readonly Int32[] s_iT; // 0x20
    private static readonly Int32[] s_iTF; // 0x28

    // Properties
    public Int32 InputBlockSize { get; }
    public Int32 OutputBlockSize { get; }
    public Boolean CanTransformMultipleBlocks { get; }

    // Methods
    // RVA: 0x1a91734 VA: 0x7859f53734
    internal Void .ctor(Byte[] rgbKey, CipherMode mode, Byte[] rgbIV, Int32 blockSize, Int32 feedbackSize, PaddingMode PaddingValue, RijndaelManagedTransformMode transformMode) { }
    // RVA: 0x1a92324 VA: 0x7859f54324
    public Void Dispose() { }
    // RVA: 0x1a9232c VA: 0x7859f5432c
    private Void Dispose(Boolean disposing) { }
    // RVA: 0x1a923f4 VA: 0x7859f543f4
    public Int32 get_InputBlockSize() { }
    // RVA: 0x1a923fc VA: 0x7859f543fc
    public Int32 get_OutputBlockSize() { }
    // RVA: 0x1a92404 VA: 0x7859f54404
    public Boolean get_CanTransformMultipleBlocks() { }
    // RVA: 0x1a9240c VA: 0x7859f5440c
    public Int32 TransformBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[] outputBuffer, Int32 outputOffset) { }
    // RVA: 0x1a93c80 VA: 0x7859f55c80
    public Byte[] TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount) { }
    // RVA: 0x1a93f54 VA: 0x7859f55f54
    public Void Reset() { }
    // RVA: 0x1a926d8 VA: 0x7859f546d8
    private Int32 EncryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, ref Byte[] outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast) { }
    // RVA: 0x1a93210 VA: 0x7859f55210
    private Int32 DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, ref Byte[] outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast) { }
    // RVA: 0x1a93fcc VA: 0x7859f55fcc
    private Void Enc(Int32* encryptindex, Int32* encryptKeyExpansion, Int32* T, Int32* TF, Int32* work, Int32* temp) { }
    // RVA: 0x1a94188 VA: 0x7859f56188
    private Void Dec(Int32* decryptindex, Int32* decryptKeyExpansion, Int32* iT, Int32* iTF, Int32* work, Int32* temp) { }
    // RVA: 0x1a91d68 VA: 0x7859f53d68
    private Void GenerateKeyExpansion(Byte[] rgbKey) { }
    // RVA: 0x1a94464 VA: 0x7859f56464
    private static Int32 rot1(Int32 val) { }
    // RVA: 0x1a9445c VA: 0x7859f5645c
    private static Int32 rot2(Int32 val) { }
    // RVA: 0x1a94358 VA: 0x7859f56358
    private static Int32 rot3(Int32 val) { }
    // RVA: 0x1a94360 VA: 0x7859f56360
    private static Int32 SubWord(Int32 a) { }
    // RVA: 0x1a94438 VA: 0x7859f56438
    private static Int32 MulX(Int32 x) { }
    // RVA: 0x1a9446c VA: 0x7859f5646c
    private static Void .cctor() { }
}

I would just need the possibility of finding the code which is in these functions and I could perhaps find the algorithm which is carried out, do you have a software which would allow me this?

 

[xyzhunter]

Thank you very much for this software proposal, it is indeed very complete but unfortunately it does not show me the code that could help me decrypt my files (which are out of apk)

View attachment 498217

All .cs files have no code.
I also tried to decrypt my files directly with the software but it does not seem to have this possibility.
Surely this would have worked if the files weren't separated from the apk and if it wasn't encrypted.


I redid research in the dump.cs that I had been able to extract, I think that the function which decrypts the files in the memory is in there:

// Dll : mscorlib.dll
// Namespace: System.Security.Cryptography
public sealed class RijndaelManagedTransform : ICryptoTransform, IDisposable
{
    // Fields
    private CipherMode m_cipherMode; // 0x10
    private PaddingMode m_paddingValue; // 0x14
    private RijndaelManagedTransformMode m_transformMode; // 0x18
    private Int32 m_blockSizeBits; // 0x1c
    private Int32 m_blockSizeBytes; // 0x20
    private Int32 m_inputBlockSize; // 0x24
    private Int32 m_outputBlockSize; // 0x28
    private Int32[] m_encryptKeyExpansion; // 0x30
    private Int32[] m_decryptKeyExpansion; // 0x38
    private Int32 m_Nr; // 0x40
    private Int32 m_Nb; // 0x44
    private Int32 m_Nk; // 0x48
    private Int32[] m_encryptindex; // 0x50
    private Int32[] m_decryptindex; // 0x58
    private Int32[] m_IV; // 0x60
    private Int32[] m_lastBlockBuffer; // 0x68
    private Byte[] m_depadBuffer; // 0x70
    private Byte[] m_shiftRegister; // 0x78
    private static readonly Byte[] s_Sbox; // 0x0
    private static readonly Int32[] s_Rcon; // 0x8
    private static readonly Int32[] s_T; // 0x10
    private static readonly Int32[] s_TF; // 0x18
    private static readonly Int32[] s_iT; // 0x20
    private static readonly Int32[] s_iTF; // 0x28

    // Properties
    public Int32 InputBlockSize { get; }
    public Int32 OutputBlockSize { get; }
    public Boolean CanTransformMultipleBlocks { get; }

    // Methods
    // RVA: 0x1a91734 VA: 0x7859f53734
    internal Void .ctor(Byte[] rgbKey, CipherMode mode, Byte[] rgbIV, Int32 blockSize, Int32 feedbackSize, PaddingMode PaddingValue, RijndaelManagedTransformMode transformMode) { }
    // RVA: 0x1a92324 VA: 0x7859f54324
    public Void Dispose() { }
    // RVA: 0x1a9232c VA: 0x7859f5432c
    private Void Dispose(Boolean disposing) { }
    // RVA: 0x1a923f4 VA: 0x7859f543f4
    public Int32 get_InputBlockSize() { }
    // RVA: 0x1a923fc VA: 0x7859f543fc
    public Int32 get_OutputBlockSize() { }
    // RVA: 0x1a92404 VA: 0x7859f54404
    public Boolean get_CanTransformMultipleBlocks() { }
    // RVA: 0x1a9240c VA: 0x7859f5440c
    public Int32 TransformBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[] outputBuffer, Int32 outputOffset) { }
    // RVA: 0x1a93c80 VA: 0x7859f55c80
    public Byte[] TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount) { }
    // RVA: 0x1a93f54 VA: 0x7859f55f54
    public Void Reset() { }
    // RVA: 0x1a926d8 VA: 0x7859f546d8
    private Int32 EncryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, ref Byte[] outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast) { }
    // RVA: 0x1a93210 VA: 0x7859f55210
    private Int32 DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, ref Byte[] outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast) { }
    // RVA: 0x1a93fcc VA: 0x7859f55fcc
    private Void Enc(Int32* encryptindex, Int32* encryptKeyExpansion, Int32* T, Int32* TF, Int32* work, Int32* temp) { }
    // RVA: 0x1a94188 VA: 0x7859f56188
    private Void Dec(Int32* decryptindex, Int32* decryptKeyExpansion, Int32* iT, Int32* iTF, Int32* work, Int32* temp) { }
    // RVA: 0x1a91d68 VA: 0x7859f53d68
    private Void GenerateKeyExpansion(Byte[] rgbKey) { }
    // RVA: 0x1a94464 VA: 0x7859f56464
    private static Int32 rot1(Int32 val) { }
    // RVA: 0x1a9445c VA: 0x7859f5645c
    private static Int32 rot2(Int32 val) { }
    // RVA: 0x1a94358 VA: 0x7859f56358
    private static Int32 rot3(Int32 val) { }
    // RVA: 0x1a94360 VA: 0x7859f56360
    private static Int32 SubWord(Int32 a) { }
    // RVA: 0x1a94438 VA: 0x7859f56438
    private static Int32 MulX(Int32 x) { }
    // RVA: 0x1a9446c VA: 0x7859f5646c
    private static Void .cctor() { }
}

I would just need the possibility of finding the code which is in these functions and I could perhaps find the algorithm which is carried out, do you have a software which would allow me this?

well idk , maybe try ida. sorry

 

[xyzhunter]

@serk11 so you solved your project ?

 

[serk11]

yes I solved my problem in another way, you can close this thread thank you

 

[xyzhunter]

yes I solved my problem in another way, you can close this thread thank you

ok

 

[DaRealPanDa]

Thread will be set to "solved" and closed.
When you're not happy with that just send me a message and i will re-open the thread for you.

Thanks.