Unity FurryVNE [2024-06-19] [FurryVNE Team]

[npomme]

I'm diving in back i'm sick so i have time to spend and also to learn but i wonder if anyone have an account and can trace function call?

What i need is what the compiler call just before loading the game after authentication

if anyone know if there a menu when the authentication and the pledge is validated that will help too

i will continue the manual reverse but its really more time consuming without a good entry point like the latest method called inside the Verify.(x) after a true login with pledge

 

[Depesonalization]

I'm diving in back i'm sick so i have time to spend and also to learn but i wonder if anyone have an account and can trace function call?

What i need is what the compiler call just before loading the game after authentication

if anyone know if there a menu when the authentication and the pledge is validated that will help too

i will continue the manual reverse but its really more time consuming without a good entry point like the latest method called inside the Verify.(x) after a true login with pledge

Try BepInEx. In my tries, on launch, it'd display that unity was trying to fetch cookies or something, I couldn't understand a lot because my knowledge is extremely limited. It showed what it was trying to call.

 

[npomme]

i think they double check or something i got the game stuck on this screen when trying to crack him this go after the pledge message but



After that i used fiddle to check if there is some web request and found this :

 

[npomme]

Quick investigation create more questions

If i create a request were i say all is goo 200 Ok an retuning json the game stay stuck on the verifiying... exactly the same as my bypass each time i bypass the login the game stay stuck on this screen and nothing append i really need to find someone that has an account and can say to us if after the verifiying there something

like downloading or initializing screen best case he can lend his account to me but that i dont count on it

 

[Rustyshack]

Quick investigation create more questions

If i create a request were i say all is goo 200 Ok an retuning json the game stay stuck on the verifiying... exactly the same as my bypass each time i bypass the login the game stay stuck on this screen and nothing append i really need to find someone that has an account and can say to us if after the verifiying there something

like downloading or initializing screen best case he can lend his account to me but that i dont count on it

have patience, saying it over and over isn't helping anything.

 

[Kernels]

Quick investigation create more questions

If i create a request were i say all is goo 200 Ok an retuning json the game stay stuck on the verifiying... exactly the same as my bypass each time i bypass the login the game stay stuck on this screen and nothing append i really need to find someone that has an account and can say to us if after the verifiying there something

like downloading or initializing screen best case he can lend his account to me but that i dont count on it

it looks like you broke the game. When I intercept this packet and stupidly spoof the code to 200 I am again thrown from infinite verification to login. When I put for example 304 or 204 I get a new error "invalid server response". It wants code 200 with some special token. I think you should try to bypass the check in the game code itself. But yeah as you said earlier without knowing what happens after verification, it's like looking for a needle in a haystack, especially with this fucking il2cpp

Upd: i sent 200 with json set to true. Still taking me back to login. Im pretty sure it needs some token, not just json.

 

[Depesonalization]

I salute you lads, doing god's work

 

[npomme]

it looks like you broke the game. When I intercept this packet and stupidly spoof the code to 200 I am again thrown from infinite verification to login. When I put for example 304 or 204 I get a new error "invalid server response". It wants code 200 with some special token. I think you should try to bypass the check in the game code itself. But yeah as you said earlier without knowing what happens after verification, it's like looking for a needle in a haystack, especially with this fucking il2cpp

no IL2CPP is not the ennemy here this is what make game easy to decompile if it was not that broken by design all the code will be obfuscated IL2CPP is an interpreter that sit between the script code and the real code his task is to convert whatever language script to c# and by doing this he need to keep a file encrypted with all the struct (name of the method) and all the metadata needed to assign them to obfuscated content so it make our job easier as there a big flaw that make decrypting the container easy because the key are in the binary and with a little trick you can extract them this is what IL2CPPDUMPER
is doing and works great!

For the i'm not only giving 200 im passing json wich what the game is wanting with some value tweaked to true but i think its not enough there an other trick in place i pretty sure the last method thats called and draw the message is YL2_Verification_Verify__JLJBBEPJHKC

and the code that draw the error pledge is :

il2cpp:00007FFBFC6E3A99 loc_7FFBFC6E3A99:                       ; CODE XREF: YL2_Verification_Verify$$JLJBBEPJHKC_latestCall+7C0↑j
il2cpp:00007FFBFC6E3A99                 test    rbp, rbp
il2cpp:00007FFBFC6E3A9C                 jz      short loc_7FFBFC6E3AFF  <=Exeption catch
il2cpp:00007FFBFC6E3A9E                 mov     r9, rbx         ; callback
il2cpp:00007FFBFC6E3AA1                 mov     qword ptr [rsp+48h+strict], 0 ; method
il2cpp:00007FFBFC6E3AAA                 mov     r8, rsi         ; items
il2cpp:00007FFBFC6E3AAD                 mov     rdx, r14        ; text
il2cpp:00007FFBFC6E3AB0                 mov     rcx, rbp        ; this
il2cpp:00007FFBFC6E3AB3                 call    YL2_Modal$$Show_6452275376
il2cpp:00007FFBFC6E3AB8                 jmp     loc_7FFBFC6E360D

the call to modal$$ YL2_Modal$$Show_6452275376 is what prepare the drawing of the pledge error and probably also do the check

loc_7FFBFC6E3AFF call a sub that allways jumping to other subroutines that are exception related so its error and this subroutine is everywhere

the fact i know my code doesnt really broke the game is because i never fall into these subroutines and i get spike when he try to recheck the request there is missing data here thats not a broken game!

 

[Queen Zexiara]

At first i wasnt sure what is wrong with this but then i noticed that the instead of doing a full spin the body just morphs together and the legs spin around like an unholy creation of a crazed elder god.

oh jesus i didnt notice that at first

yeah.... unfortunately the spine node from the original Yiffalicious has been replaced with a far more dynamic (but really slow) 3-slider menu, making it a challenge to get it to spin around on cue, turning high-paced animations into blursed cinema




"my child, you must end my suffering"

 

[thegrinch333]

someone hmu when yall get this shit working in an easy install file, its about time i jack my dick off to big ass

 

[LeFisheAuChocolat]

yeah.... unfortunately the spine node from the original Yiffalicious has been replaced with a far more dynamic (but really slow) 3-slider menu, making it a challenge to get it to spin around on cue, turning high-paced animations into blursed cinema
View attachment 3339385



View attachment 3339389 "my child, you must end my suffering"

 

[40C72]

Hi, I come from the cracking forum. I've only spent less than an hour looking at the game and will be working slowly on it because I'm busy right now and have other hobby projects to work on alongside work. Because of this I figured I'll share my findings if anyone else finds them useful

Obviously, as you know, there's 40+ Verify functions that have had their names obfuscated. Also as we know, this doesn't matter a lot because IL2CPP is a godsend and the metadata it comes with is akin to debug symbols, but you can't strip them. Simple reasoning states that all functions will not be used, and looking at the dissasembly most are duplicates of one another
First order of business is to find which ones are actually called. Easiest way is to attach a debugger and give it a spin

For the i'm not only giving 200 im passing json wich what the game is wanting with some value tweaked to true but i think its not enough there an other trick in place i pretty sure the last method thats called and draw the message is YL2_Verification_Verify__JLJBBEPJHKC

and the code that draw the error pledge is :

il2cpp:00007FFBFC6E3A99 loc_7FFBFC6E3A99:                       ; CODE XREF: YL2_Verification_Verify$$JLJBBEPJHKC_latestCall+7C0↑j
il2cpp:00007FFBFC6E3A99                 test    rbp, rbp
il2cpp:00007FFBFC6E3A9C                 jz      short loc_7FFBFC6E3AFF  <=Exeption catch
il2cpp:00007FFBFC6E3A9E                 mov     r9, rbx         ; callback
il2cpp:00007FFBFC6E3AA1                 mov     qword ptr [rsp+48h+strict], 0 ; method
il2cpp:00007FFBFC6E3AAA                 mov     r8, rsi         ; items
il2cpp:00007FFBFC6E3AAD                 mov     rdx, r14        ; text
il2cpp:00007FFBFC6E3AB0                 mov     rcx, rbp        ; this
il2cpp:00007FFBFC6E3AB3                 call    YL2_Modal$$Show_6452275376
il2cpp:00007FFBFC6E3AB8                 jmp     loc_7FFBFC6E360D

the call to modal$$ YL2_Modal$$Show_6452275376 is what prepare the drawing of the pledge error and probably also do the check

This guy gets the idea. Yes, Verify.JLJBBEPJHKC is the last method called if you do not have internet connection or have not pledged enough. A bunch of Verify methods get called before it but I haven't found anything interesting in those and assume they're there as a form of obfuscation or setup
Looking into Verify.JLJBBEPJHKC you can see it calls UnityWebRequest.GetResponseCode. If it is code 200, continue with the verification. If not, figure out the error message to display, construct it, and show it.

Forcing Verify.JLJBBEPJHKC to accept any status code as valid, not just 200, leads to Verify.PCHDHEFEMEI. This one checks the content of the data received and, if everything looks good, sets several values with PlayerPrefs.Set. Forcing PCHDHEFEMEI to succeed moves on to ILELHEPOPDJ (which I haven't looked into yet) which unconditionally moves to GNKKAIBCKFG. GNKKAIBCKFG has the potential to be more interesting, it reads/writes to the "password" field and returns a bool. Forcing it to return true leads to ONLAPIANNCH, which does some SHA1 hashing on the password field and also returns a bool. Forcing this one to return true takes us to LKMNBJMOFHB (which I also haven't looked into and could be a garbage call). Game crashed here because an object wasn't initialised which, yeah, I got a little lazy on ONLAPIANNCH and just changed the "return false" bit (xor al,al) to "return true" (mov al,1) so some necessary instructions that normally run on a legitimate run weren't executed

Overall call chain of Verify functions where I've blocked network access for the game:

Verify$$.ctor > Verify$$Awake > Verify$$Start > Verify$$GNKKAIBCKFG > Verify$$MNFHGOOHPFL > Verify$$FBGIJGBDDLA > Verify$$CCICHFKODEK > Verify$$ABNFNAFACMJ > Verify$$FBGIJGBDDLA > Verify$$CCICHFKODEK > Verify$$JLJBBEPJHKC > FINISH ("Connection issue") / ("A pledge of $12 or more is required")

If JLJBBEPJHKC succeeds: Verify$$PCHDHEFEMEI > Verify$$ILELHEPOPDJ > Verify$$GNKKAIBCKFG (force TRUE) > Verify$$ONLAPIANNCH (force TRUE) > Verify$$LKMNBJMOFHB > ...

That's where I stopped yesterday, but I'll work more on it tonight. Again, if someone has more time to dedicate to this I hope I've helped you

 

[npomme]

Hi, I come from the cracking forum. I've only spent less than an hour looking at the game and will be working slowly on it because I'm busy right now and have other hobby projects to work on alongside work. Because of this I figured I'll share my findings if anyone else finds them useful

Obviously, as you know, there's 40+ Verify functions that have had their names obfuscated. Also as we know, this doesn't matter a lot because IL2CPP is a godsend and the metadata it comes with is akin to debug symbols, but you can't strip them. Simple reasoning states that all functions will not be used, and looking at the dissasembly most are duplicates of one another
First order of business is to find which ones are actually called. Easiest way is to attach a debugger and give it a spin


This guy gets the idea. Yes, Verify.JLJBBEPJHKC is the last method called if you do not have internet connection or have not pledged enough. A bunch of Verify methods get called before it but I haven't found anything interesting in those and assume they're there as a form of obfuscation or setup
Looking into Verify.JLJBBEPJHKC you can see it calls UnityWebRequest.GetResponseCode. If it is code 200, continue with the verification. If not, figure out the error message to display, construct it, and show it.

Forcing Verify.JLJBBEPJHKC to accept any status code as valid, not just 200, leads to Verify.PCHDHEFEMEI. This one checks the content of the data received and, if everything looks good, sets several values with PlayerPrefs.Set. Forcing PCHDHEFEMEI to succeed moves on to ILELHEPOPDJ (which I haven't looked into yet) which unconditionally moves to GNKKAIBCKFG. GNKKAIBCKFG has the potential to be more interesting, it reads/writes to the "password" field and returns a bool. Forcing it to return true leads to ONLAPIANNCH, which does some SHA1 hashing on the password field and also returns a bool. Forcing this one to return true takes us to LKMNBJMOFHB (which I also haven't looked into and could be a garbage call). Game crashed here because an object wasn't initialised which, yeah, I got a little lazy on ONLAPIANNCH and just changed the "return false" bit (xor al,al) to "return true" (mov al,1) so some necessary instructions that normally run on a legitimate run weren't executed

Overall call chain of Verify functions where I've blocked network access for the game:

Verify$$.ctor > Verify$$Awake > Verify$$Start > Verify$$GNKKAIBCKFG > Verify$$MNFHGOOHPFL > Verify$$FBGIJGBDDLA > Verify$$CCICHFKODEK > Verify$$ABNFNAFACMJ > Verify$$FBGIJGBDDLA > Verify$$CCICHFKODEK > Verify$$JLJBBEPJHKC > FINISH ("Connection issue") / ("A pledge of $12 or more is required")

If JLJBBEPJHKC succeeds: Verify$$PCHDHEFEMEI > Verify$$ILELHEPOPDJ > Verify$$GNKKAIBCKFG (force TRUE) > Verify$$ONLAPIANNCH (force TRUE) > Verify$$LKMNBJMOFHB > ...

That's where I stopped yesterday, but I'll work more on it tonight. Again, if someone has more time to dedicate to this I hope I've helped you

There is 128 verify not called on my Ida using no internet and no pledge as a Filter setting a break point on each one an deleting all break point that are called i think the solution is un one of the Unused one but if i force a fake login game always crash i think i Will continue m'y tinkering today but if i were to have an account that Will ne way easier

 

[Monoworks]

FurryVNE 2024-02-09

You must be registered to see the links

You must be registered to see the links

You must be registered to see the links

 

[The Name 2nd]

Hopefully this doesn't mean that the crack progress has to start back up from scratch

 

[npomme]

Hopefully this doesn't mean that the crack progress has to start back up from scratch

Maybe Maybe not i'm decompiling this one and we wil see

 

[npomme]

there is more verify fonction i think they beefed it up a bit or cranked the obfuscation to the max setting i'm tracing the last called function and restart the process of listing interesting unused one because for some reason the naming is not the same and i cant reimport my ida database on the project so back to the start but at least i'm now familiar with the inner working of this login thing

 

[tester72]

yeah.... unfortunately the spine node from the original Yiffalicious has been replaced with a far more dynamic (but really slow) 3-slider menu, making it a challenge to get it to spin around on cue, turning high-paced animations into blursed cinema
View attachment 3339385



View attachment 3339389 "my child, you must end my suffering"

It gets worse the more you look at it.

 

[40C72]

there is more verify fonction i think they beefed it up a bit or cranked the obfuscation to the max setting i'm tracing the last called function and restart the process of listing interesting unused one because for some reason the naming is not the same and i cant reimport my ida database on the project so back to the start but at least i'm now familiar with the inner working of this login thing

They probably simply re-run their obfuscation script on it with each new build. Sigscanning for the functions should yield the important ones that got renamed and will be very quick, but running and saving the call stack to compare the disassembly of the new functions with the previous build will also work

 

[kurisu7885]

So looking at the posts I'm guessing no download yet because some are trying to crack it.