Open Karanveer7921 opened 2 years ago
Try to dig into the stacktrace to pinpoint when/where the error is happening. It should give you an idea of where to start debugging. You should be able to walk through the code execution with a debugger if you removed AppGuard. Then try to determine whether the issue is with libmono or the DLL (sounds like the DLL is the issue based on the error you described).
3) The app was frozen on the splash screen, so I dug into the smali sources and found that in some activities or services there was a call to some method of an AppGuard class in the 'onCreate', 'onResume' or 'onStop' methods. I assumed it was just a wrapper call for those functions, since in the AppGuarded APK the original Application class was not in the manifest; instead there was the Application class of AppGuard. I just replaced those method calls with default super calls.
4) Compiled the app. Now the application was partially working: I got past the splash activity, but some activities of the app weren't working as expected.
`onCreate method { SomeAppGuardClass.someMethod(....) }`
-> Replacing this call with a default super call worked in some cases, but not all.
-> So I traced the call stack of the original APK (by making a simple Xposed module).
-> I found that in some cases `SomeAppGuardClass.someMethod(....)` was calling another method of the same activity, so `SomeAppGuardClass.someMethod(....)` was just a wrapper (of course with some anti-hack checks) which behind the scenes was invoking those methods.
5) Recompiled the APK; now the application was working fine. Everything was working as in the original app, and I was also able to attach to this process via Frida. So the whole Java/native Android side of the app was working.
6) Now this app has a Unity part which, when a button is clicked, launches the Unity player activity as a new process.
In the AppGuarded APK, Assembly-CSharp.dll and Assembly-CSharp-firstpass.dll were encrypted, so I dumped them from memory from the original app, fixed the headers and placed them in the modified APK. The rest you know.
I don't have much experience with Unity or IDA.
In your NOTES.TXT
There you mentioned a "still broken C# file". I didn't get that: how did you know the DLL was broken? Wasn't it opening in a .NET decompiler, or was it causing a crash, or what?
Then you wrote that you compared it with the original file; how did you compare it, and with which original file?
What do I want to achieve? I want to hook Unity methods, which can be done via Frida or any other tool but requires attaching a debugger,
but I was unable to bypass the anti-debugging, so I decided to remove AppGuard, but that caused another problem: the broken .NET DLL.
If I don't remove AppGuard, I can pass root detection using Magisk (Zygisk) and can use Xposed, but Xposed can't hook Mono methods.
Either I have to bypass the anti-debugging OR I need to get the non-broken C# file.
I have removed AppGuard from the app completely. Now, since the app was loading an encrypted DLL using a custom libmonobdwgc.so, which has the decryption algorithm, I replaced this lib with the normal one we get by default from Unity. Now I have the normal libs and the decrypted DLL (dumped and with fixed headers), but when the app launches it crashes, and in logcat it shows some DLL-related issue while loading it with libmonobdwgc.so; it says something like "invalid" and shows something like memory near r1, r2, r3 .... I don't know whether the problem is with the DLL or the lib. BTW, I can open the DLL with dotPeek.
(I have no other way to contact you other than raising this issue.)