Tutorial How to decrypt an encrypted .dll file with GDB gcore (Root only)

G-Bo ッ

Administrator
Original poster
Staff member
Mar 22, 2017
If you want to dump without root, check this first:

How to decrypt an encrypted .dll [NO-ROOT]


Hello dear community,

I will show you how to decrypt an encrypted .dll file (when trying to MOD Unity based Android games) using Gcore dump and WinHex.

Before we start, how to check if a .dll file is encrypted?

Easy. When you open a .dll file in Reflector and you get:

"Assembly-CSharp (this could change, depending on the name of the file), File is not a portable executable. DOS header does not contain 'MZ' signature."

it means you have got an encrypted DLL!




It means the DLL file does not have a valid MZ/PE header, so you can't open/modify it. DLL files require MZ/PE headers in order to view their content and, to prevent hacking, some game developers protect their game by erasing these MZ/PE headers from some dll files.

Now let's start with the requirements!

First of all, you need:
1. To have some Android Hacking experience (otherwise you will not understand a single word of this Topic)
2. A rooted Android device
3. .NET Reflector or JustDecompile installed on your computer (if you've got hacking experience, you should already have this tool)
4. A computer running at least Windows XP
5. A Rooted Android device running Android 4.2.2 and newer versions. Previous versions might not work.
6. At least 1 GB of RAM on your Device. A minimum of 300-400 MB free RAM space is required
7. Latest version of SuperSU or other Superuser apps
8. BusyBox for Android. Get it from:
BusyBox – Android Apps on Google Play

9. Terminal app for Android. You can download it from:
Android Terminal Emulator – Android Apps on Google Play

10. gcore installed on your device. Download it from:
Zippyshare: gcoregdb.zip
Google Drive: gcoregdb.zip

11. Any file explorer app installed on your Android device. I'd recommend:
X-plore File Manager – Android Apps on Google Play

12. Modified version of WinHex (free version will not work for this purpose). Download it from:
WinHex 19.1.rar

Update your BusyBox and Superuser.
If you are using an outdated version of BusyBox, SuperSU or other Superuser apps, you will need to update because older versions may cause problems. If you are using the built-in cyanogenmod SuperUser, beware it's very unstable. Uninstall the abandoned Superuser (Superuser - Android Apps on Google Play) if you have one and install one of the popular Superuser apps: SuperSU, Kingroot, Kingoroot, iRoot, etc...

Most Superuser apps have an update check option in the settings, some of them don't. Simply open the settings and request an update, or manually update the app from the website.



Install BusyBox from the given link.

Open the app and grant Root permissions. Smart Install will slowly load and, when completely loaded, tap "Install". The BusyBox binaries will be now permanently installed on your device. You can close the app or even uninstall it. BusyBox is just the installer. See screen below if you need help.




Install gcore on your device
1) Download gcore to your device (using the link given at the top of this Topic)
2) Open your Root Explorer app
3) Copy the 2 files "gdb" and "gdbserver" included in the zip file
4) Paste them into the /system/bin/ folder (in your INTERNAL ROOT memory -> system -> bin). Of course, you will need to grant root permissions to see that folder.
5) If asked, overwrite files.

Find the package name of the app you're going to hack!
This will be required to find the app in the Terminal app we're going to use soon.
It's usually called "com.DEVELOPER_CODE.GAME_CODE".

Method #1
You can find it by going (with your browser) to the Google Play website, looking for the game you have installed on your device and then copying what's next to "id=".


Method #2
Install the Package Name Viewer app from the Play Store and find the game you are looking for.


Method #3
For Cyanogenmod ROMs, you can go to "Settings" -> "Apps" and then you'll find the package name of any app you have installed on your device.



Dump the game from the RAM memory using Terminal app
First, reboot your phone
Install Terminal app (with the link above). Then launch and minimize the game with the decrypted .dll (otherwise you could not see it in the following step.)

Launch the Terminal and type:

Code:
su
Now hit Enter and grant Root Permissions for the Terminal app.





Your username will now start with "root@". This confirms you have now Root Permissions on the Terminal.

Now, type:

Code:
dumpsys meminfo
to show all the processes

or

Code:
dumpsys meminfo | grep com.*
This command will search for all the running processes starting with "com." (the * is a wildcard symbol which means any letter/number/symbol)

or

Code:
dumpsys meminfo | grep th.*
This command will search for all the running processes starting with "th." (the * is a wildcard symbol which means any letter/number/symbol)

Hit enter and you'll see a list of the running process of your device.
You will find the package name of the game with the encrypted dll too!

Using the game Crusaders Quest as an example, you should see something like this:

Code:
118740 kB: com.nhnent.SKQUEST (pid 383 / activities)


If you have problems searching for the PID, or if an app closes after a few seconds and you don't have enough time to type in the code, you can use an app called ProcessView. You can find it on the Google Play Store.
Google Play link: CPU Usage & Process Viewer – Android Apps on Google Play

Take note of the number next to "pid" (PID stands for "Process ID" and changes every time a process starts). In my example, I'll take note of the number "383".

Now, using the PID you just noted, type:

Code:
gdb -pid xxxxxx
(replacing "xxxxxx" with the PID number)

In my example, I'll use my Crusader Quest's PID (383).



Now hit Enter.

You'll wait a few seconds and the Terminal will show
(gdb)

in the Terminal app.


If you get a "can't execute: permission denied" error, put this in the Terminal:

Code:
chmod 777 /system/bin/gdb && chmod 777 /system/bin/gdbserver

We're almost done with the Terminal. Now we need to save the file dumped from RAM, which we will use to get the decrypted dll, to our /sdcard/ path. So, choose what to call this file (I will call it "nameoffile" as an example).

So, let's type:

Code:
gcore /sdcard/nameoffile
Hit Enter and the Terminal will show an empty line. It's generating a very big dump file, so wait patiently until it completes this process. The file could be up to 1 GB in size!




At the end of this process, you'll see:
Code:
Saved corefile /sdcard/nameoffile
(gdb)


Of course, instead of "nameoffile" you will see the name of the file you chose before.

Do not worry about any warnings like these you may read in the Terminal app:

After that, you successfully decrypted the game. Close the Terminal app.

They do not interfere in ANY way with the decryption of the .dll files.

Are you tired? Well, I've got good news for you. You just decrypted the dll (well, every dll, even if not encrypted, will be "decrypted")! You're almost done. You just need a few more steps and you'll be able to HACK your game! You can (finally) close the Terminal App!

Moving the file to your PC!

If you browse with your mobile to the path "/sdcard/", you will see the new big file but, since Windows can't see dump files, to move it to your PC you have two chances.

1) Enable USB Debugging (better in my opinion)

This way you'll see dump files from your PC. Go to Settings -> About Phone and tap on "Build Number" 7 times. You will unlock the "hidden" developer menu.



Now you will see "Developer Options" inside "Settings" of your device. Tap on it and check "USB Debugging".


OR

2) Moving this file to a folder

Create a folder on your /sdcard/ path and move this dumped file to the newly created folder. This way Windows should be able to see it.




So, whether you chose 1) or 2), now connect your device to your PC, go to the /sdcard/ directory and move the file (if you followed the 1st option) or the folder (if you followed the 2nd option).


Now copy the file to your computer

Using WinHex
Open the cracked WinHex (extract the downloaded .zip file and double-click on the "WinHex.exe" file).


Now take a look at the top of WinHex window and click "File" -> "Open" (see pic).





You will see a dialog box.


So, go to the folder where you copied the big file and click "Open".

Now, go to "Tools" -> "Disk Tools" -> "File Recovery by Type..." (top of WinHex)


and a smaller window will pop-up. It should be very similar to the following one:



Click the "+" next to "Programs" (1) and check "Windows exec." (2). Now, select the folder where you want the new file to be generated under "Output Folder" (3).
Ensure "Complete byte-level search" is checked (4) and then click "OK" (5).

The file recovery will now begin and, when it has finished, you'll get a message confirming it.


Now, reach the location where you saved this file and delete all files with the ".com" extension. They're not needed and may only cause confusion.

The recovered .dll files have weird names, so you have to find Assembly-Csharp.dll by yourself. Assembly-Csharp.dll is always the largest file.

Happy modding!


If you do need help, please reply below!

Credits
@iAndroHacker
 
Last edited by a moderator:
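
The header check described at the start of the first post (Reflector rejecting a file whose DOS header lacks the 'MZ' signature), written out as an added example that is not part of the original thread. `classify_dll` and `build_sample` are hypothetical names and the sample bytes are constructed; the check goes slightly beyond the post by also testing the PE signature and the CLR directory that marks a managed assembly.

```python
import struct

def classify_dll(data: bytes) -> str:
    """Say which header check a buffer passes or fails (hypothetical helper)."""
    # DOS header: 'MZ' at offset 0, e_lfanew (offset of the PE header) at 0x3C.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "no MZ signature"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 24  # 4-byte PE signature + 20-byte COFF header
    if opt + 2 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "MZ present, PE signature missing"
    (magic,) = struct.unpack_from("<H", data, opt)
    # Data directories start 96 bytes into a PE32 optional header, 112 in PE32+.
    offsets = {0x10B: 96, 0x20B: 112}
    if magic not in offsets:
        return "unknown optional header magic"
    dirs = opt + offsets[magic]
    if dirs > len(data):
        return "truncated optional header"
    (count,) = struct.unpack_from("<I", data, dirs - 4)  # NumberOfRvaAndSizes
    clr = dirs + 14 * 8  # data directory 14 is the CLR runtime header
    if count <= 14 or clr + 8 > len(data):
        return "native PE (no CLR directory)"
    rva, size = struct.unpack_from("<II", data, clr)
    return "managed (.NET) PE" if rva and size else "native PE (no CLR directory)"

def build_sample(managed: bool = True) -> bytes:
    """Constructed minimal PE32 headers (not a loadable DLL), for the demo only."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80)  # e_lfanew = 0x80
    dos += bytes(0x80 - len(dos))
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)
    opt = struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    if managed:
        struct.pack_into("<II", dirs, 14 * 8, 0x2008, 0x48)  # constructed RVA/size
    return dos + b"PE\0\0" + coff + opt + bytes(dirs)

if __name__ == "__main__":
    good = build_sample()
    for name, blob in [("intact", good), ("MZ erased", b"\0\0" + good[2:])]:
        print(name, "->", classify_dll(blob))
```
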

FlyGuardX

Platinian
Nov 21, 2017
Good day sir, I try to paste the gcore in root system folder but it failed. I use bluestacks rooted and installed Su.
 

Darwin te

Rookie
Mar 27, 2017
You can't; you need to fix the libmono, but that's something for advanced modders.
YOU DO NOT HAVE A MORE EASY WAY TO DO IT FROM THE PC WITHOUT USING THE CELLULAR MY PANA DE ANDROID_MOD TOLD ME THAT confuserex I COULD SEE THE FILE ASSEMBLY-CSharp AS I DO NOT FIND IT IN THE APK OF THE GAME MAD GUNZ ASK ME A LOT IN MY CHANNEL
 

AndnixSH

PMT Elite Modder
Staff member
Modding-Team
Jun 27, 2017
YOU DO NOT HAVE A MORE EASY WAY TO DO IT FROM THE PC WITHOUT USING THE CELLULAR MY PANA DE ANDROID_MOD TOLD ME THAT confuserex I COULD SEE THE FILE ASSEMBLY-CSharp AS I DO NOT FIND IT IN THE APK OF THE GAME MAD GUNZ ASK ME A LOT IN MY CHANNEL
dude relax lol
 

Arifin79

Awesome Active Platinian
Dec 3, 2017
Wtf, so many steps just to dump a file... if the game is frequently updating it's going to be a pain in the ass.

I wish it was as easy as PC way: You just need an app like processhacker, pchunter, or whatever to suspend game client process then locate the thread or module file you want to dump.
 

Arifin79

Awesome Active Platinian
Dec 3, 2017
I just found out it's much easier and faster to dump the encrypted dlls through gameguardian.
 

agarzki07

Platinian
Jan 23, 2018
17
0
53
31
I made a menu but it has a bug. When I click the button open close the toggles on and off also it affected every toggles. Any idea to fix this?