Looking for Images and 3D Models from Mobile Suit Gundam: Iron-Blooded Orphans G

[3000kb]

This is a Unity (2021.3.9f1) game that has reached EOS (End of Service).
The APK contains UI assets, which can be extracted using standard Unity tools. However, the cache files are different, and some require additional processing.

What I Have Achieved So Far:

• Extracted Audio and Video Files
• These files have AFS2 and CRID headers.
• I found a decryption key inside the APK: "0048B2AB558A01B6".
• Using CRID-usm-Decrypter and HCA key generation tools, I successfully extracted these assets.

The Problem:

• The final implemented files before service shutdown confirm that the necessary assets exist.
• All content up to the EOS update is present in the extracted audio and video files, confirming that the cache holds the game’s full assets.
• However, 3D models and textures are missing, and the remaining files have no identifiable file extensions.
• Two distinct binary patterns (see images) appear frequently in these unidentified files, leading me to believe they contain graphics data.
• I suspect that these files contain the graphic data, but their format is unknown.
• I also tried using AI to perform decryption with the extracted key, but this has not yielded any results either.

What I Am Currently Doing:

• I lack experience in disassembly or reverse engineering.
• I am using AI-assisted analysis to examine Il2CppDumper output and searching for clues via Ghidra, but progress has been slow.

I have attached the cache files, APK, and DummyDlls. or alternatively, I will provide a sample of the cache with only the relevant files.

If anyone is familiar with where to start or knows any effective tools or methods to analyze these files, I would greatly appreciate your guidance.

Edited March 11 by 3000kb

[shak-otay]

Thanks for your efforts!

But you don't seriously expect someone to download that 12 GB zip of cached files?

I have no idea what "discontinued ... mobile game" means here. Does it still run on your mobile?

If so I'd suggest to use a 3D ripper for mobiles.

There's different solutions.

This one looks interesting but dunno whether it meets your requirements.

[3000kb]

It looks like my translation wasn’t clear—sorry about that.
The correct term is "EOS" (End of Service) game.

As for the files, I originally uploaded them as a full archive for reference, but if that’s an issue, I’ll prepare a smaller set with only the relevant ones.
Also, the game cannot even launch. After the service ended, it fails to start and does not reach the title screen.

Edited March 10 by 3000kb

[3000kb]

After analyzing the DLL scripts with AI, it turns out that most of them simply pass numerical values without performing any concrete processing.

The remaining clues are likely the .so files and global-metadata.

[shak-otay]

I had a quick glance at the files in the samples zip and couldn't find something 3D models related, no structures, no strings

(not surprising with a subset of 17 MB out of 12 GB of data).

I'd suggest to do a binary search of 000001000200 through out the 12 GB to maybe find face indices blocks,

or search for strings (without the quotes) like "mesh", "vertex", "index", "face".

(To know which relevant strings to search for I'd suggest to check unity games which have been analyzed successfully already.)

Wait...

Quote

The APK contains UI assets, which can be extracted using standard Unity tools.

It's UI assets only, not 3D models?

Edited March 12 by shak-otay

[3000kb]

Yes, the APK contains no individual character images or 3D models for stages or mechs.
Only system icons are present

.

Edited March 12 by 3000kb

[3000kb]

Progress has not been made at all. To begin with, I attempted dynamic analysis to avoid the communication error during the startup of the game. I explored using Frida and mitmproxy, but due to setup issues or outright failure, no results were achieved from these methods.

For the time being, the strategy will be either creating a simplified offline version by modifying the APK’s communication functions or tracing the functions in the .so files to follow the decryption process of the assets.

I will likely update this with additional attempts as I proceed.

[Andrakann]

On 3/9/2025 at 1:35 PM, 3000kb said:

• Two distinct binary patterns (see images) appear frequently in these unidentified files, leading me to believe they contain graphics data.

They looks like encrypted by the same key.
Unity bundles have large, mostly static header and this very helpful in our case:

So, if simple XOR is used for encryption, we can try to get key using marked ^ part of header, adapted for Unity version used in game:

(not sure in highlighted byte and too lazy to check, but it's better to note and change, if errors occurs)

XOR have some interesting features:

If you XOR 00 byte with any byte, you get this byte value in place of 00 - so, short keys can be visible with bare eyes if encrypted file have a lots of 00-bytes.

If you XOR encrypted file with original one - you'll get <key><key><key> sequence on whole file content.

We don't have original file, but we recreated first 35 bytes of it.

So, i renamed a copy of game bundle to "s1" and XOR it as new "s1x" file using reconstructed header bytes as key, with XOR tool from Luigi Auriemma:

xor s1 s1x 0x556E69747946530000000008352E782E7800323032312E332E39663100000000000000

And got partial <key><key> sequence:

So, XOR key is: EA7B2B092B59433996F0B470B7B3FEA7BC0AA57B0208A7314420

Decoding test bundle as "s1t" file with this key:

xor s1 s1t 0xEA7B2B092B59433996F0B470B7B3FEA7BC0AA57B0208A7314420

Looks very good )
Drag-and-drop "s1t" file to AssetStudioModGUI, and it loads without issues, so key is valid:

Dealing with 36K files in cache isn't easy task, so i done a python script for mass decrypt and save to separate folder:

# Mobile Suit Gundam - Iron-Blooded Orphans G bundles unxor

import os

xor_magic = b"\xBF\x15\x42\x7D"
# xor key: EA7B2B092B59433996F0B470B7B3FEA7BC0AA57B0208A7314420
xor_key = bytearray(b"\xea\x7b\x2b\x09\x2b\x59\x43\x39\x96\xf0\xb4\x70\xb7\xb3\xfe\xa7\xbc\x0a\xa5\x7b\x02\x08\xa7\x31\x44\x20")
output_path = R"C:\tmp\Cache"

with os.scandir('.') as file_paths:
    for file_path in file_paths:
        if file_path.is_dir(follow_symlinks=False):
            pass
        else:
            with open(file_path, "rb") as work_file:
                file_magic = work_file.read(4)
                if file_magic == xor_magic:
                    print("Processing file:", file_path.name)
                    work_file.seek(0)
                    encrypted_content = work_file.read()
                    encrypted_content_size = len(encrypted_content)
                    decrypted_content = bytearray(encrypted_content_size)
                    xor_key_multiplier = int(encrypted_content_size / 26) + 1
                    xor_key_array = xor_key * xor_key_multiplier
                    for byte in range(encrypted_content_size):
                        decrypted_content[byte] = encrypted_content[byte] ^ xor_key_array[byte]
                    out_file_name = str(file_path.name) + ".unity3d"
                    write_path = output_path + "\\" + out_file_name
                    os.makedirs(os.path.dirname(write_path), exist_ok=True)
                    open(write_path, "wb").write(decrypted_content)
                    print("Decrypted file saved:", write_path)
                    work_file.close()

Must be run inside of "Cache\assets\asset\" folder, and output to temporary folder on disk C (it's SSD usualy, to speed up things).

But there's other problem occur - that cache folder taken from a game which survived many updates, so a lots of older copies of same file present here, they have same name in first part (before "_") and version code as second name part.
So, i done another python script to separate latest file versions to another folder:

# Mobile Suit Gundam - Iron-Blooded Orphans G cache sort

import os
import shutil

work_dictionary = {}
output_path = R"C:\tmp\Cache\Assets"

with os.scandir('.') as file_paths:
    for file_path in file_paths:
        if file_path.is_dir(follow_symlinks=False):
            pass
        elif len(os.path.splitext(file_path)[0]) - 2 != 52: 
            pass
        else:
            bundle_name = file_path.name[0:33]
            bundle_version = int(file_path.name[34:52])
            if bundle_name in work_dictionary:
                if work_dictionary[bundle_name] >= bundle_version:
                    pass
                else:
                    work_dictionary[bundle_name] = bundle_version
            else:
                work_dictionary[bundle_name] = bundle_version

for item in work_dictionary:
    file_name = item + "_" + str(work_dictionary[item]) + ".unity3d"
    destination = output_path + "\\" + file_name
    os.makedirs(os.path.dirname(destination), exist_ok=True)
    if os.path.isfile(file_name) == True:
        shutil.move(file_name, destination)
        print("Latest version file moved to:", destination)

Must be run in folder with decoded bundles, it moves latest version files to Assets subfolder.
Then you can move this folder to main game folder "G_2.0.2_apkcombo\assets\bin\Data\" and load game folder to AssetStudioModGUI (took 16+ Gb of RAM):

Model export works fine, with animations:

 

Files with names starting with "r" is not encrypted or encrypted using more secure algorithms - no luck here.

Mobile_Suit_Gundam_cache_scripts.7z

Edited yesterday at 06:39 PM by Andrakann