yangyuan/hearthrock

The "whats new tutorial" issue for 9.4.0.22115

Closed this issue · 51 comments

I tried to update Hearthrock for 9.4.0.22115 a few days ago.
I found an issue: if I run Hearthstone with Hearthrock, the game client will ALWAYS enter the "whats new tutorial". Worse, I cannot click the button to start the tutorial.

I didn't get time to check the root cause carefully. But a quick glance tells me that they have some unsafe code for the "whats new tutorial". They will probably improve the code and the problem will be solved.

So I decided to publish a new version without solving this issue. I will keep an eye on this to determine whether or not we should solve the problem on our side.

Right now, if you are stuck inside the "whats new tutorial", you can simply click the run/pause button of Hearthrock, and Hearthrock will help you get out of the "whats new tutorial".

I am not sure why I see only a black screen with the rock menu at the top; if I click start I see "Rock started" but it is all

Hmm, so the problem is more serious than I thought.

I don't have time to do a deep analysis recently, but I noticed that they added a more prioritized dialog, and also modified the priorities of the input layers.

None of those changes can cause a black screen.
You can check Hearthstone_Data\output_log.txt to see if there are some hints.

I see a strange message there:

The file 'F:/Hearthstone/Hearthstone_Data/level0' is corrupted! Remove it and launch unity again! [Position out of bounds!]

Any idea?
I tried on Windows 10 x86

output_log.txt

Have you tried to repair the Hearthstone client? It looks like one resource file is damaged.
I don't think this error is related to Hearthrock.

Yes, and it works fine if I click "recovery".
I will check it on a second PC.
Anyway, it is off-topic here.

Well, it works fine on the second PC; I will look at the tutorial issue too.

Update: this issue is related to encryption and decryption; it needs more investigation.

```
(Filename: C:/buildslave/unity/build/artifacts/generated/common/runtime/DebugBindings.gen.cpp Line: 51)

Spent 0.2459452s so far reading Data/win/rad_enus.unity3d..

(Filename: C:/buildslave/unity/build/artifacts/generated/common/runtime/DebugBindings.gen.cpp Line: 51)

Spent 0.5197854s total time reading RuntimeAssetDatabase

(Filename: C:/buildslave/unity/build/artifacts/generated/common/runtime/DebugBindings.gen.cpp Line: 51)

Failed setting triangles. Some indices are referencing out of bounds vertices. IndexCount: 6, VertexCount: 4

(Filename:  Line: 1114)

FSM not Preprocessed: DrawerClose : FSM

(Filename: C:/buildslave/unity/build/artifacts/generated/common/runtime/DebugBindings.gen.cpp Line: 51)

FSM not Preprocessed: DiskLoading : FSM

(Filename: C:/buildslave/unity/build/artifacts/generated/common/runtime/DebugBindings.gen.cpp Line: 51)

FSM not Preprocessed: DiskMainMenu : FSM
```

When I use the decrypted DLL I get this error.

```
Failed setting triangles. Some indices are referencing out of bounds vertices. IndexCount: 6, VertexCount: 4

(Filename:  Line: 1114)
```

The error disappeared when I changed the DLL back. Not sure if it's related to the issue.

Hi, it works okay sometimes for the first game.
After the first game, it gets stuck in the "whats new tutorial".
Is this a known issue?

Have you ever tried to encrypt the Assembly-CSharp.dll with the same key after you hooked?

Hi zoumorn, thanks for the response.
I'm not familiar with encryption of the DLL file; would you mind sharing an example? A link in either English or Chinese is fine... thanks in advance.

Found a simple workaround. Install the hook inside the unencrypted Assembly-CSharp-firstpass.dll. :b

So forget my last comment, I saw that the Assembly-CSharp.dll hook is necessary for the input manager.

I built a little tool that encrypts the modified Assembly-CSharp.dll again but apparently the "whats new tutorial" issue isn't related to encryption, since it appears even with the encrypted assembly.

I've attached the encrypted assembly so you can test it yourself.

Assembly-CSharp.zip

Oh, and here is the encryption snippet: https://gist.github.com/michaelpittino/0cde9ae55c10714dfe11186e7183ea0f

So, to draw a conclusion, seems like Hearthstone is able to determine if the Assembly-CSharp is encrypted or not and handle it the correct way, which means the "whats new" issue isn't related to encryption at all.

And btw, while doing a little research I think the file responsible for decrypting the assembly is the Hearthstone_Data\Plugins\MemModule32.dll file.

jaime commented

> And btw, while doing a little research I think the file responsible for decrypting the assembly is the Hearthstone_Data\Plugins\MemModule32.dll file.

That makes sense because this is the error I found in my HS log

```
Error.AddDevFatal() - message=MemModule: Failed to validate signature for: "Hearthstone_Data/Plugins/MemModule32.dll"!

(Filename: C:/buildslave/unity/build/artifacts/generated/common/runtime/DebugBindings.gen.cpp Line: 51)
```

And BTW, if I log in with my iPad after patching the PC, "whats new" appears as well, so I can say it's more an account-wide problem.

Did you try this comment above?

> Have you ever tried to encrypt the Assembly-CSharp.dll with the same key after you hooked?

This is what I've done..

> I've attached the encrypted assembly so you can test it yourself.

I thought it's the decrypted assembly?
If it's the same assembly with the hook.. I do not see the rock UI here.

I mean,
decrypt the current assembly (I mean the original HS asm), then set the rock hook, and then encrypt it again

> decrypt the current assembly (I mean the original HS asm), then set the rock hook, and then encrypt it again

Yes, this is exactly what the uploaded assembly is.

So it's strange, because I do not see the rock UI.
I can patch the asm and I see that the asm size changed to 7,139 from 7,102 (original asm size 7,103), and the rock UI is there;
it's just that the uploaded asm behaves like the decrypted version.

It's working for me: https://i.imgur.com/3sK5c6r.jpg

Here are the steps I've done:

  1. Make sure your Managed_Data folder is clean: original Assembly-CSharp.dll, no Hearthrock.dll and heartrock.json.
  2. Patch Assembly-CSharp.dll using the hearthrock Client.
  3. Replace Assembly-CSharp.dll with my encrypted Assembly-CSharp.dll.

But as you can see on the screenshot, the "whats new tutorial" problem still persists.

Oh, seems like it works in some way now. I haven't changed anything, but hearthrock somehow glitched into practice mode: https://i.imgur.com/cN7peiR.jpg

Edit: seems like the bot is stuck in Discover now.
https://i.imgur.com/fscZfyU.jpg
Probably #9

Ok, thanks, let me check these steps later.

Yes, Rock can ignore everything and run the selected mode, but it's not very helpful..

Yes, it's the discover issue.

But there still seems to be an input problem when you glitch into a game - you can't click any menu buttons like friends list or the bottom right menu button.

Hi @mcheng916 and all:

Here is my decryption of Assembly-CSharp.dll:

It decrypts the Assembly-CSharp.dll in the Hearthstone Windows client
and depends on the Blowfish algorithm:
blowfish.zip

I don't have much time to encrypt the DLL back and test it; you guys can try.
I am not good at Unity3D programming. I was thinking: if we just inject an empty function call into the DLL and encrypt it back, then what will happen? The problem could be the input hooking.

Is there something different in your decryption method? Because we've already done that..

Just another implementation for your information; the functions are the same.

Ahh...

At first I called this the "whats new tutorial" issue, but after some investigation, I realize the problem is not related to that tutorial.
Many top-level UI components have problems after patching.
For example, you can't click the "option" button (like @michaelpittino said).
The text is missing in the "your turn" message box, etc.

If you click the "run" button on the hearthrock frame, hearthrock will bring you to practice mode (or other modes depending on your configuration). So you can still use hearthrock, but if you want to play a game by yourself, you would want to unpatch first.

I tried to...

  1. Just decrypt Assembly-CSharp.dll, don't do any hook.
    Problem persists.
    So I was convinced that the problem is not caused by the hook of the InputManager or the injecting of hearthrock.

  2. Decrypt Assembly-CSharp.dll, then encrypt it back, which generates exactly the same Assembly-CSharp.dll.
    Problem is gone.
    So the encryption/decryption algorithm/implementation should be okay, huh.

  3. Just decrypt Assembly-CSharp.dll, but leave the keys inside the DLL.
    Problem persists.
    ...

I tried Decrypt, then hook, then Encrypt again, and then I tried Decrypt again, but got an exception

(image attachment)

Maybe it is the reason why we got the dialogue issue even with encrypted version

> Decrypt Assembly-CSharp.dll, then encrypt it back, which generates exactly the same Assembly-CSharp.dll.
> Problem is gone.
> So the encryption/decryption algorithm/implementation should be okay, huh.

Do you mean by that, that the "whats new tutorial" doesn't appear?
If so, do you use a different encryption algorithm than I do? (https://gist.github.com/michaelpittino/0cde9ae55c10714dfe11186e7183ea0f)

> I tried Decrypt, then hook, then Encrypt again, and then I tried Decrypt again, but got an exception

I think hooking alters some of the PE information and the start of the .text section - which is why you get that error.

> If so, do you use a different encryption algorithm than I do?

I am using your algorithm and HS works fine with it, if I do not set the hook.

> I think hooking alters some of the PE information and the start of the .text section - which is why you get that error.

So, if HS got the same error, probably it is the reason why we got the "whats new tutorial".

> So, if HS got the same error, probably it is the reason why we got the "whats new tutorial".

Maybe, but it shouldn't. The file isn't corrupt or anything - just some values of the PE header changed, and the section size, which gave it a new start address. Hearthstone shouldn't care about that. I could be wrong tho.

@AiSatan

> I tried Decrypt, then hook, then Encrypt again, and then I tried Decrypt again, but got an exception

So you are using the previous code I shared.
That code is hard-coded for the original DLL. @michaelpittino is right: after the "hook", the PE header of the DLL has been modified by Mono.Cecil, thus the original decrypt code cannot work on it.

I don't think that could be the ROC.
First, the .NET implementation does not care about PE headers that much.
Second,

> Just decrypt Assembly-CSharp.dll, don't do any hook. Problem persists.

@michaelpittino
My code was in here, https://gist.github.com/yangyuan/14444ccbc08517f64b31cf24165fccf2
Basically the same logic as your code. I tried to extract the header info so that I can detect the header size, but I lost patience.

We use the same BlowFish implementation.

> Second,
> Just decrypt Assembly-CSharp.dll, don't do any hook. Problem persists.

What if there is still something wrong with the decryption? Apparently Hearthstone should work with unencrypted assemblies too - since they use the same Unity build for PC, Mac and Android - and only the PC uses an encrypted assembly.

Could someone upload the assembly from the Mac version? So we could compare it with our decrypted assembly.

> Could someone upload the assembly from the Mac version? So we could compare it with our decrypted assembly.

@michaelpittino

  • PE headers will be different, that's for sure.
  • The text section is actually some binary tables. If decryption were wrong, then the assembly should not even be runnable.
  • I compared the decrypted DLL with the unencrypted DLL in earlier versions, it looks okay.

But it would be good if someone could share it so that we can be confident about decryption.

What if there's something else to do besides just decrypting the sections? Do you know what the 5 bytes after the key in the encrypted assembly mean?

@michaelpittino
I think the last 1 byte is the number of sections, and the remaining 4 bytes are the size of the key.
It is a typical binary format design.

@yangyuan

I heard Mono.Cecil breaks a strong name; could it somehow be related?

But it seems like it depends on the asm size, because the default 7,103 works fine; if we just run with the decrypted version, the size will be 7,102 (and it does not work), and with mono.cecil it'll be 7,139.

@AiSatan
I didn't notice Mono.Cecil breaks any strong name.

And also, I don't think Mono.Cecil plays a role in this issue. The size is larger because the DLL generated by Mono.Cecil has different PE structure, which should be fine.

It would be interesting to find out how the "whats new" tutorial gets triggered.
I just can't find a relationship between the "whats new" tutorial and the assembly.

It's even more interesting that apparently the state gets saved server side, since the issue can be observed on other devices too when triggered by the modified assembly.

Here I have a very similar situation, but now with the "what's new" tutorial for the Year of the Mammoth rotation: at some point I cannot click the "next" button to return to the main menu.

This is the issue we are talking about.

I found one modified DLL that works fine; please try it, maybe it'll be helpful for us, I don't know.

This is the lib description (sorry, it's just Google Translate):

  • triple acceleration of some animations
  • removed the shaking effect
  • the time limit for using emotes is disabled
  • added the opportunity to receive gifts for the GalaxyGift promotion
  • forced use of the Blizzard store (useful when using a mobile interface)
  • all missing cards in the collection are displayed in color
  • the cards in the opponent's hand are revealed in spectator mode for two players

Hearthstone+PC+v10.0+MixMod.zip

Well, I've patched the assembly with Rock, and now both work fine; you can test with this:

Assembly-CSharp.zip

@AiSatan Thanks for providing this, it is very fun. I will take a look and compare the differences.
Can you share the website where you downloaded this? I guess hearthstone will update very soon...

I'm afraid that this site will not help; it's like all the mods in one forum thread, and it's Russian, something like XDA for mobiles:

Windows: MixMod with GalaxyGift

https://4pda.ru/forum/index.php?showtopic=870696

Also I saw it here:

https://w3bsit3-dns.com/forum/index.php?showtopic=870696

Great news!
I've talked with the developer of the library (Google Translate from Russian):

> Greetings!
> Yes, I saw Hearthrock. Funny thing. ;)
> I take the decoded library from the memory of the game. I simply cut off the necessary piece of memory and save it to disk.
> This can be done in HEXWorkShop, or in any other hex editor that works with memory.
> And I make the modification of the library through
> https://github.com/0xd4d/dnSpy

Well, after that, I tried it myself, with my hex editor https://mh-nexus.de/en/downloads.php?product=HxD

I found the lib in memory. I found the lib's end (12db551F in my case) and moved up to 6EF500 and found the section's start. Then I saved it as *.cs and then saved it as *.dll.

I tried to run it: all fine,
and then I patched it, and everything works fine.

I attached the original (from memory)
and the patched version as well:
Original from memory with cs files.zip
Assembly-CSharp-patched.zip

I think I can write something to automatically save it from memory to a file.

@AiSatan Great job.

The Assembly-CSharp.dll in Hearthstone+PC+v10.0+MixMod.zip has some corrupted data in the header (to be specific, in the optional PE header).
The Assembly-CSharp.dll you provided has malformed data between 0x200 and 0x400, which also falls in the range of the optional PE header.

The original Assembly-CSharp.dll actually doesn't encrypt the data between 0x200 and 0x400, and it contains the information of the reloc section.

So I suspect that there is some data in the optional PE header which brings the trouble. Hearthstone corrupts that data during decryption (and magically solves the problem).
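To make a comparison like the one above repeatable, here is an added example (not Hearthrock's code, nor anything posted in this thread) that parses a PE section table and reports which byte ranges differ between two copies of an assembly and whether each lies in the headers or in a named section. On real files it would report ranges such as the 0x200..0x400 one discussed here; the two images it compares are constructed inside the block and are not game files, and their section names and offsets are illustrative.

```python
import struct

def pe_sections(data):
    """Return [(name, raw_offset, raw_size)] parsed from the PE section table."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew: offset of "PE\0\0"
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, _, _, _, opt_size = struct.unpack_from("<HIIIH", data, pe + 6)  # COFF header fields
    table = pe + 24 + opt_size                                # first IMAGE_SECTION_HEADER
    secs = []
    for e in range(table, table + 40 * nsec, 40):
        raw_size, raw_ptr = struct.unpack_from("<II", data, e + 16)  # SizeOfRawData, PointerToRawData
        secs.append((data[e:e + 8].rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size))
    return secs

def diff_ranges(a, b):
    """Contiguous [start, end) file offsets where a and b differ (a length mismatch counts)."""
    n, ranges, start = max(len(a), len(b)), [], None
    for i in range(n + 1):
        same = i < min(len(a), len(b)) and a[i] == b[i]
        if i < n and not same and start is None:
            start = i
        elif (same or i == n) and start is not None:
            ranges.append((start, i)); start = None
    return ranges

def locate_differences(good, suspect):
    """Label each differing range with the section of `good` whose raw data holds its start, else 'headers'."""
    secs = pe_sections(good)
    return [(s, e, next((n for n, p, sz in secs if p <= s < p + sz), "headers"))
            for s, e in diff_ranges(good, suspect)]

def build_pe(sections):
    """Constructed minimal PE32 image for the demo (not a real game file): 0x200 of headers, then raw data."""
    img = bytearray(b"MZ" + bytes(0x1FE))
    struct.pack_into("<I", img, 0x3C, 0x80)                  # e_lfanew -> PE signature at 0x80
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x86, len(sections))          # NumberOfSections
    struct.pack_into("<H", img, 0x94, 0xE0)                   # SizeOfOptionalHeader (PE32)
    for i, (name, body) in enumerate(sections):
        e = 0x80 + 24 + 0xE0 + 40 * i                         # i-th section header slot
        img[e:e + 8] = name.encode().ljust(8, b"\0")
        struct.pack_into("<II", img, e + 16, len(body), len(img))
        img += body
    return bytes(img)

GOOD = build_pe([(".text", bytes(range(256)) * 2), (".sdata", b"\x11" * 256)])
BAD = bytearray(GOOD)
BAD[0x100:0x110] = b"\xff" * 16        # constructed damage inside the optional header
BAD[0x210:0x214] = bytes(4)            # and four bytes inside .text
print(locate_differences(GOOD, BAD))   # [(256, 272, 'headers'), (528, 532, '.text')]
```

A range is labelled by the region containing its first byte, so a range that straddles a section boundary shows up under the section it starts in.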

@AiSatan
They just updated the client to 10.2. I used Hexden to check the decompiled DLL in memory; it looks like they have fixed the issue (malformed data between 0x200 and 0x400). Instead, they choose not to decompile the data between 0x700200 and 0x700C00, which belongs to the .sdata section.

I think they have improved their decrypt code. I tried to do the same thing in my decryption code (ignore .sdata) and it works.

I will update hearthrock as well as the NuGet package today. Thank you very much for your help.

@yangyuan
I'm glad to help :)

So... We did it! :) 🔒 🥇 👍