Unity FurryVNE [2024-11-09] [FurryVNE Team]

3.90 star(s) 9 Votes

Queen Zexiara

Newbie
Oct 20, 2019
29
232
At first I wasn't sure what was wrong with this, but then I noticed that instead of doing a full spin the body just morphs together and the legs spin around like an unholy creation of a crazed elder god.
Oh Jesus, I didn't notice that at first.
Yeah... unfortunately the spine node from the original Yiffalicious has been replaced with a far more dynamic (but really slow) 3-slider menu, making it a challenge to get it to spin around on cue and turning high-paced animations into blursed cinema.
sans, i have a tumor.png



today this is what i gift to the internet, i regret nothing but the sleep i lost making this.png "my child, you must end my suffering"
 

40C72

Member
Nov 8, 2021
144
490
Hi, I come from the cracking forum. I've only spent less than an hour looking at the game and will be working slowly on it because I'm busy right now and have other hobby projects to work on alongside work. Because of this I figured I'll share my findings in case anyone else finds them useful.

Obviously, as you know, there are 40+ Verify functions that have had their names obfuscated. Also, as we know, this doesn't matter a lot because IL2CPP is a godsend and the metadata it comes with is akin to debug symbols, but you can't strip them. Simple reasoning says that not all functions will be used, and looking at the disassembly most are duplicates of one another.
First order of business is to find which ones are actually called. The easiest way is to attach a debugger and give it a spin.

For that, I'm not only giving 200, I'm passing JSON, which is what the game is wanting, with some values tweaked to true, but I think it's not enough; there's another trick in place. I'm pretty sure the last method that's called and draws the message is YL2_Verification_Verify__JLJBBEPJHKC

and the code that draws the error pledge is:
Code:
il2cpp:00007FFBFC6E3A99 loc_7FFBFC6E3A99:                       ; CODE XREF: YL2_Verification_Verify$$JLJBBEPJHKC_latestCall+7C0↑j
il2cpp:00007FFBFC6E3A99                 test    rbp, rbp
il2cpp:00007FFBFC6E3A9C                 jz      short loc_7FFBFC6E3AFF  <= Exception catch
il2cpp:00007FFBFC6E3A9E                 mov     r9, rbx         ; callback
il2cpp:00007FFBFC6E3AA1                 mov     qword ptr [rsp+48h+strict], 0 ; method
il2cpp:00007FFBFC6E3AAA                 mov     r8, rsi         ; items
il2cpp:00007FFBFC6E3AAD                 mov     rdx, r14        ; text
il2cpp:00007FFBFC6E3AB0                 mov     rcx, rbp        ; this
il2cpp:00007FFBFC6E3AB3                 call    YL2_Modal$$Show_6452275376
il2cpp:00007FFBFC6E3AB8                 jmp     loc_7FFBFC6E360D
The call to YL2_Modal$$Show_6452275376 is what prepares the drawing of the pledge error and probably also does the check.
This guy gets the idea. Yes, Verify.JLJBBEPJHKC is the last method called if you do not have an internet connection or have not pledged enough. A bunch of Verify methods get called before it, but I haven't found anything interesting in those and assume they're there as a form of obfuscation or setup.
Looking into Verify.JLJBBEPJHKC you can see it calls UnityWebRequest.GetResponseCode. If it is code 200, continue with the verification. If not, figure out the error message to display, construct it, and show it.

Forcing Verify.JLJBBEPJHKC to accept any status code as valid, not just 200, leads to Verify.PCHDHEFEMEI. This one checks the content of the data received and, if everything looks good, sets several values with PlayerPrefs.Set. Forcing PCHDHEFEMEI to succeed moves on to ILELHEPOPDJ (which I haven't looked into yet), which unconditionally moves to GNKKAIBCKFG. GNKKAIBCKFG has the potential to be more interesting: it reads/writes the "password" field and returns a bool. Forcing it to return true leads to ONLAPIANNCH, which does some SHA1 hashing on the password field and also returns a bool. Forcing this one to return true takes us to LKMNBJMOFHB (which I also haven't looked into and could be a garbage call). The game crashed here because an object wasn't initialised, which, yeah, is because I got a little lazy on ONLAPIANNCH and just changed the "return false" bit (xor al,al) to "return true" (mov al,1), so some necessary instructions that normally run on a legitimate run weren't executed.

Overall call chain of Verify functions where I've blocked network access for the game:
Code:
Verify$$.ctor > Verify$$Awake > Verify$$Start > Verify$$GNKKAIBCKFG > Verify$$MNFHGOOHPFL > Verify$$FBGIJGBDDLA > Verify$$CCICHFKODEK > Verify$$ABNFNAFACMJ > Verify$$FBGIJGBDDLA > Verify$$CCICHFKODEK > Verify$$JLJBBEPJHKC > FINISH ("Connection issue") / ("A pledge of $12 or more is required")

If JLJBBEPJHKC succeeds: Verify$$PCHDHEFEMEI > Verify$$ILELHEPOPDJ > Verify$$GNKKAIBCKFG (force TRUE) > Verify$$ONLAPIANNCH (force TRUE) > Verify$$LKMNBJMOFHB > ...
That's where I stopped yesterday, but I'll work more on it tonight. Again, if someone has more time to dedicate to this, I hope I've helped you.
 

npomme

Member
Nov 20, 2020
431
666
There are 128 Verify functions not called in my IDA, using no internet and no pledge as a filter: setting a breakpoint on each one and deleting all breakpoints that are called. I think the solution is in one of the unused ones, but if I force a fake login the game always crashes. I think I will continue my tinkering today, but if I were to have an account that would be way easier.
 

npomme

Member
Nov 20, 2020
431
666
There are more Verify functions; I think they beefed it up a bit or cranked the obfuscation to the max setting. I'm tracing the last called function and restarting the process of listing the interesting unused ones, because for some reason the naming is not the same and I can't reimport my IDA database on the project, so back to the start. But at least I'm now familiar with the inner workings of this login thing.
 

40C72

Member
Nov 8, 2021
144
490
They probably simply re-run their obfuscation script on it with each new build. Sigscanning for the functions should yield the important ones that got renamed and will be very quick, but running and saving the call stack to compare the disassembly of the new functions with the previous build will also work.
 

npomme

Member
Nov 20, 2020
431
666
There are tons of those:
1707605283307.png

They seem to be duplicates with minimal changes. Is this created by the obfuscator? If yes, my insides are telling me that those are some sort of padding to make reversing harder, but it seems to be a really poor way to hide the real code, as they are all exactly the same...
 

npomme

Member
Nov 20, 2020
431
666
I will assume that all Verify functions that are like the ones in my previous post are garbage from the obfuscator, because I'm really thinking they are, because I can't make any sense of them; this jmp to MonoBehaviour is strange.

This narrows the path to the "no pledge" or server error to 14 functions.

And there are 23 functions unused by the "no pledge" error execution chart.

Now I need to make sense of these 23 unused ones and find the needle :p

I know a previous post already said it, but if anyone can lend me an account that has a valid pledge for a few hours, that will help a lot. If you are our hero, feel free to PM me ;)
 

npomme

Member
Nov 20, 2020
431
666
I was not expecting to see IDA Disassembler on F95 today
That's the only tool I'm familiar with :) the others are really confusing.

And I can't make this work: they modified the latest-called function that I was using as an entry point. I managed to bypass the response check again, but now it jumps to some of the "not called normally" functions, which seemed encouraging at the start, but then it falls back into the login screen, and I can't figure out why it's not crashing like before and now just asks me to log in again. I feel this is a little bit more tricky than I anticipated, and I'm starting to ask myself if the entry point I use is not too late in the code. I managed to find 2 functions that call the Unity scene manager; I think one of these is the real scene and not this login garbage, but there is no direct cross reference to the function, so I need to find them manually, which is pure pain.
 

40C72

Member
Nov 8, 2021
144
490
Their obfuscation script also seems to flip a coin between inlining functions and not (or their compiler saw some optimisation), some functions that were previously split in two are now one.
For example, the one that checks the status code and determines tier status used to call a secondary function that would hash and store some settings:
So yeah, you should be able to pick up where you left off without trouble.
 

npomme

Member
Nov 20, 2020
431
666
I'm probably going to sleep for tonight, but I need to share this magnificent new error the game gave me:
1707636308826.png
I think it really doesn't like all these values set to null, because it can't get them from the server as I'm not really connected :ROFLMAO:
 