Unity FurryVNE [2024-03-12] [FurryVNE Team]

3.90 star(s) 9 Votes

Wacre

As someone said earlier, indeed their first game when it was in beta had similar protection only without the obfuscator. I don't think it's difficult for them to maintain these servers since their first game is still with working servers after 8 years. Most likely they will actually make this "game" free too when it comes out of beta.
To be honest, I'm only interested in this game because of these kinda innovative interactions. Well, I'm probably asking too much, but it's a pity that it's not open source and on il2cpp.
Same, this looks far superior to what can be done on trash like Honey Select or Koikatsu Studio.
Just... with furries, tho I don't mind that, pr0nz is pr0nz.
 

haste

Didn't the game launch for you and some other dude before? With the model and such?
Yes and no. You can force any Unity scene to load either by making a custom hack or via UnityExplorer, but all of the actual content of the program (namely meshes and such) isn't loaded; thus, all you get is a map, useless menus and background music. The current consensus on how this protection works is that the authorization function that npomme analyzed somehow loads the needed content after authenticating the Patreon user.
Inside the dump.rar are the dummy DLL and the file that are needed to get the function names in IDA, because I don't know for sure that we all have the same result in the function naming.
Il2CppDumper gave me the function names that you mentioned, so I think we can assume that the results of header dumping are consistent.
Also, may I ask you whether you use IDA Pro or the free version of IDA?

For the past 3 days I've been trying to learn reverse engineering with Ghidra, but this program has been EXTREMELY uncooperative when it comes to debugging features. It cannot attach the debugger to a process that is already running without vomiting Java exceptions, and starting FurryVNE with a debugger attached at launch makes it crash with the "Failed to load original DLL" just like it sometimes does when you open it normally.
If I have to use an external debugger alongside Ghidra and look up decompiled functions by hand, then I'd rather give up Ghidra and try out IDA since I really want to be able to do proper decompilation debugging like you seem to be doing.

I'm trying to get my setup in working order by testing it on notepad.exe first, but at this point my patience has worn really thin. I already encountered a multitude of problems I later found on Ghidra's GitHub forums, many of which seem still unresolved... :FacePalm:
Going so open about all this process, wouldn't it make the devs more aware and tricky about how to encrypt it? I'm sure they are aware of the existence of this thread.
That is a valid concern but I don't think it matters, especially at this point because:
1. Fiddling with their protection will always cost time, and at this point it'll probably be a lot of work for very diminished returns.
2. The guys here (or 1 guy mostly, thank you again for your effort npomme) haven't made anywhere near that much progress to justify making all this talk more private, imo.
However if someone here cracked it, then maybe it would be smart to not disclose the most technical details publicly.
 

40C72

Also, may I ask you whether you use IDA Pro or the free version of IDA?
Free is ass. Either use a paid version with a HexRays Decompiler license or use Ghidra

For the past 3 days I've been trying to learn reverse engineering with Ghidra, but this program has been EXTREMELY uncooperative when it comes to debugging features. It cannot attach the debugger to a process that is already running without vomiting Java exceptions, and starting FurryVNE with a debugger attached at launch makes it crash with the "Failed to load original DLL" just like it sometimes does when you open it normally.
If I have to use an external debugger alongside Ghidra and look up decompiled functions by hand, then I'd rather give up Ghidra and try out IDA since I really want to be able to do proper decompilation debugging like you seem to be doing.
Both Ghidra and IDA are designed as static disassembly tools first and foremost. I thoroughly recommend getting a dedicated debugger (x64dbg), the experience is significantly better. You do not have to look up disassembled/named functions by hand: you can either make or use a pre-existing script to export IDA databases to x64dbg databases.

Anyway, I found some more time to look at it. Content is encrypted on-disk and gets decrypted through a field from the Patreon request. Essentially, you can't just patch the program to blindly say "oh okay this unregistered user does have access," you'll need to figure out the encryption scheme and incorporate a keygen. Alternatively, a paid user could theoretically just dump the encrypted files from memory and then the crack would be distributed with those now-decrypted files.
 

haste

You do not have to look up disassembled/named functions by hand: you can either make or use a pre-existing script to export IDA databases to x64dbg databases
THANK YOU.
Being able to load decompiled data into x64dbg is exactly what I needed, so this is excellent news. Now I'll be able to actually start learning SRE somewhat properly instead of wasting time on bullshit Java errors.

Funny thing is, I was already thinking about trying x64dbg for the dynamic part of analysis because I didn't like WinDbg that much. Most tutorials I've seen used Ghidra alongside x64dbg anyway. Now I know why :LUL:
 

npomme

I'm using IDA Pro and the debugger works, but you need to consider that:

1707947275799.png

So you will need to patch the assembly via a hex editor, or create a function inside the empty space that does the patching inside the code and find a way to call it somewhere.

Don't use IDA Free, it's pure garbage, and if it's true it seems that Ghidra is better, but I always come back to IDA because Ghidra has so many problems!

Edit:

Dynamic analysis can be tricky with all the padding and crap added by Beebyte; I find the code jumping all over the place really confusing.
 

npomme

Anyway, I found some more time to look at it. Content is encrypted on-disk and gets decrypted through a field from the Patreon request. Essentially, you can't just patch the program to blindly say "oh okay this unregistered user does have access," you'll need to figure out the encryption scheme and incorporate a keygen. Alternatively, a paid user could theoretically just dump the encrypted files from memory and then the crack would be distributed with those now-decrypted files.
The program falls back to the login screen if decryption fails and throws lorem ipsum errors and an array out of bounds error too, and I find really weird the fact that they use so many arrays inside this decryption code.
 

haste

I'm using IDA Pro and the debugger works, but you need to consider that:

1707947275799.png
I actually am working on an AMD64 CPU, but doing the actual patch is still far away from my grasp currently anyway, I need to level up my skill first.
As others suggested, the way I was thinking of potentially going about this was to just make a MelonLoader plugin to execute the code inside the game, instead of messing with the executable itself.

It looks like I'm going to stay with Ghidra + x64dbg and see what I need for making the actual hack when I have a clearer picture of what the hell I am even doing. Ghidra did its decompiling job so far.

Thank you for the warning though. Worst case scenario, I will have to patch the assembly by hand (if I even get to that point). At least it will be an interesting experience :HideThePain:

Dynamic analysis can be tricky with all the padding and crap added by Beebyte; I find the code jumping all over the place really confusing.
Yeah, I expected this. With my skill and knowledge, I am already facing an impossible task. I don't think it can get any harder for me lmao.
 
Mar 1, 2020
74
72
The game was blocked using an obfuscator, one bastard laughs that he bought the game and others can't (now his message has been deleted), and I made 5 characters in the build 2023-11-06 and redesigned them.

1.png 2.png 3.png 4.png 5.png
 
Mar 1, 2020
74
72
The program falls back to the login screen if decryption fails and throws lorem ipsum errors and an array out of bounds error too, and I find really weird the fact that they use so many arrays inside this decryption code.
Hello npomme, how are you doing with hacking?
 

npomme

Hello npomme, how are you doing with hacking?
I'm stuck. As I said earlier, I don't think I can crack this without an account. I give it a try each day, but it's hard without even knowing what to expect from the backend.

Maybe someone here can get Fiddler and dump the request to yl2Cloud/verify with a pledged account. It can help to see what the backend really does, as I can forge fake requests and see where the game jumps with these fake requests.

If you do so, give me the request in private. I don't know about the dev policy, but they can ban you from requesting the backend, as they generate a hardwareUID and they get data from Patreon to fill the other field, so better safe than sorry!
 

npomme

I maybe found something, but I'm not familiar with the thing. I was messing a bit with the function, looking at what they can use to encrypt or at least pack the data, and I found this:
1708032500837.png

And I checked if this is used in the other version that has no login, and the answer is no.

This takes us to the question: are you guys familiar with Brotli, and if yes, as I don't want to read the full documentation, can the function used here be used for encrypting content?
 

Drae

Brotli is but a lossless compression algorithm. Generally used for compressing websites but can be used for some microcontroller bullshit, but that's unrelated. Never heard of someone using it for encryption tbh.
 
