Journal for 1.0.1

Service

The mhyprot2.sys service is started in UnityPlayer.dll.

0x90 @ POL:

[...] I applied the patches directly in-memory (in the running process) and even got around the checks directly in x64dbg with the help of breakpoints and scripts.

So either it's a memory hash, or it is directly related to the mhyprot2 service not running.

There were no UnityPlayer.dll changes after 1.0.1 (when 31-4302 re-appeared), hence this is probably sent to the server for verification.

"Persistent" data changes

timbuntu @ POL:

So that's the files that changed since it was working as far as I can see: (expiring link)

Re-upload: https://pastebin.com/raw/NLqT62T4

Data 25 Oct vs 1 Nov

25 Oct files provided by geearf2.

Meta file contents:

base_res_version_hash: -1312696568
data_revision: 1358691
res_revision: 1284249
silence_data_versions_persist: blocks/00/29342328.blk 9e575f25184339034d4223a14f741381|38711

Checksums:

06e709897bc35837a3d3bc9589f3d722  battlePass_DE.srt
bcfecd8e3030d4aa7919851e7df609d1  battlePass_ES.srt
ab7cca0ab60adb17c12b3833c1342b36  battlePass_FR.srt
99b18daebd44eeecbbf0b1075f7e49dd  battlePass_ID.srt
d44cb3c378163928d8a80ac402d9f93c  battlePass_PT.srt
c5802bee59f304b4b969209e576e5c8b  battlePass_TH.srt

Assuming the old game data is correct, there weren't any content changes, so these files are unrelated to error 31-4302.
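
The comparison above can be repeated for any two snapshots by diffing their md5sum listings. The script below is an added example, not part of the original journal or the project; `manifest_diff` and `demo` are hypothetical names, and the "new" manifest in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the journal): diff two md5sum manifests.

# manifest_diff OLD NEW
# Prints one line per differing file: ADDED, CHANGED or REMOVED, sorted.
manifest_diff() {
    awk '
        {
            hash = $1
            name = $0
            # md5sum line: hash, a space, " " (text) or "*" (binary), then path
            sub(/^[0-9a-fA-F]+ [ *]/, "", name)
        }
        # Lines of the first file: remember the old hash per path.
        FILENAME == ARGV[1] { old[name] = hash; next }
        # Lines of the second file: compare against the old hashes.
        {
            seen[name] = 1
            if (!(name in old))         print "ADDED " name
            else if (old[name] != hash) print "CHANGED " name
        }
        END {
            for (name in old)
                if (!(name in seen)) print "REMOVED " name
        }
    ' "$1" "$2" | sort
}

# Constructed sample: the "old" lines reuse checksums listed above; the "new"
# manifest (including the all-zero hash) is made up to show all three outcomes.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/old.md5" <<'EOF'
06e709897bc35837a3d3bc9589f3d722  battlePass_DE.srt
bcfecd8e3030d4aa7919851e7df609d1  battlePass_ES.srt
ab7cca0ab60adb17c12b3833c1342b36  battlePass_FR.srt
EOF
    cat > "$dir/new.md5" <<'EOF'
06e709897bc35837a3d3bc9589f3d722  battlePass_DE.srt
00000000000000000000000000000000  battlePass_ES.srt
d44cb3c378163928d8a80ac402d9f93c  battlePass_PT.srt
EOF
    manifest_diff "$dir/old.md5" "$dir/new.md5"
    rm -rf "$dir"
}

demo
```

An empty result means both snapshots list the same files with the same hashes.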

Network

Clean logs provided by SeppNel.

Detailed information: network.md

Wireshark packet comparison

  1. A large majority of packets have the same length when comparing Windows and Linux.
  2. Game data is transferred using UDP; security-related traffic seems to use TLSv1.2.
  3. The Linux client begins loading the game data over UDP, but opens a connection to the logging server to report the error.

Note: UnityPlayer.dll did not change in the update that made the error message appear (again)! This either means the server disabled some checks, or the verification is done using server-sent scripts (Lua?).

Stack backtrace according to the sent error message 31-4302:

MoleMole.SuperDebug:LogToServerInternal(Boolean, String, LogType, Boolean, Int32)
MoleMole.SuperDebug:LogToServer(LogType, String, Boolean, Int32, Boolean)
MoleMole.SuperDebug:VeryImportantError(String, Boolean, Int32)
ELGAMGOPJGD:JKPJLBDIKIL(LBOGGPKHJKM)
ELGAMGOPJGD:BNALHIDIEMK(FOAIFEEJEFM)
POPMKILNKHM:EALPDCPHJGJ(FOAIFEEJEFM, Boolean&)
LPEAGNCMLOB:MPCOIPPGAMO(FOAIFEEJEFM)
System.Func`2:Invoke(T)
CHJCLPBCDGE:DCPPCMLLGGH()
LPEAGNCMLOB:Tick()
MoleMole.GameManager:JLHDMGEJPGH()
MoleMole.GameManager:Update()

Function name source: global-metadata.dat

Some lines may originate from UserAssembly.dll, but the debug names from global-metadata.dat must first be assigned to addresses to confirm this.

Lua injection

How to apply the modification:

cd "/path/to/Genshin Impact Game"
bash "/path/to/GI-on-Linux/101/lua_injection.sh"

... and run the game from that working directory.

The script will create a symlink. Copy the file to ensure that it'll work properly on Windows.

Results (outdated): https://pastebin.com/raw/ciay6HXj

  • "sc stop mhyprot2" is run after initialising Lua. The Anticheat check is performed before showing the login screen.

Warning: This code leaks information about GI's internals that are unrelated to this project.