Reverse engineering of a mobile game, part 3: Now, it’s obfuscated

Guillaume Lesniak
Feb 20, 2019

And here we are: after our original reverse engineering effort with unencrypted data, and our update once they encrypted the data, we’re now at a new step in this somewhat entertaining (and educational!) cat & mouse game. Once again, if you haven’t yet read the previous two parts, I strongly encourage you to do so, as we’re going to start off from there.

A new update came out, and as I was dumping stuff around for a little fun side-project with the game’s API, I realized they had a new API endpoint. They’ve switched from v3 (the encrypted endpoint) to v4, which still seems encrypted, although somewhat similar to the previous API endpoint. Unfortunately, the encryption keys changed, so we need to go fetch them again.

Using our usual tools, we decompile the libil2cpp.so file, and we now see that the “firstpass” assembly generated by Il2CppDumper contains a new class that wasn’t there previously:

Beebyte.Obfuscator? Seems like we’re in for a ride! Were those $60 worth it?

That Obfuscator class is there for an obvious reason: they’ve now obfuscated the non-public parts of their assembly, as we can quickly see once we open the Athena namespace (the main namespace of the game’s code):

There are two paths we can follow here. First, the easy way, since we already know the layout of the classes we’re looking for (the Crypto/CryptoConstants…
