How to anti obfuscate Unity3D game file?(.bytes)

[x-tiger]

Hello, everyone. When I was trying to extract a game made , the Config file extracted was wrong.
I am learning game hacking and will not use resources for business.



--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Statement:

Since the problem has been solved, and the game I used to learn reverse is a commercial game, in order to avoid some legal problems, I decided to delete the relevant game link and relevant documents, which does not involve the reply of others. I am sorry that I only learn reverse as a hobby, and I do not want to use this learning result for any business activities.

Thanks again for your help, thank you!

[x-tiger]

Can someone help me?Thank you so much!

[LolHacksRule]

Looks like a binary format with base64 data too.

[x-tiger]

Looks like a binary format with base64 data too.

I tried to decode it in Base64, but found it messy.

[x-tiger]

The problem has been solved

[chrrox]

StringObfuscatorPassword

Code: Select all

\xC3\x9D\xC3\xBA\x62\x55\x75\x10\xC2\x8B\xC2\xB8\x43\xC3\x81\xC3\x82\xC2\xA7\x2A\x34\x13\x50\xC3\x9A\xC2\xA9\x2D\xC3\xA1\xC2\xA9\xC2\xBE\x40\x54\x36\x44\xC2\x89\x6C\x0F\xC2\xB1\xC2\x91\xC3\x92\x57\xC3\xA2\x75\x7A\xC3\x85\x6D\x34\x47\xC3\x90\xC3\xB3\x19\xC3\x98\x24\x3D\xC3\x8D\x20\x67\x2C\xC2\xA5\x51\xC2\x83\x09\xC3\xAB\xC2\xAE\x69\x4B\x45\xC3\x9F\x20\x72\xC2\xA1\x19\xC2\x9F\xC3\x97\x36\x16\x30\xC3\x8D\x74\x20\xC2\x90\x34\xC3\xB6\xC3\x83\xC2\x93\x7E\x5E\xC2\xAB\x1C\x79\x03\x3A\xC2\x90\xC2\x96\xC3\x88\x64\x10\xC2\x8F\x31\x1A\x3C\x51\xC2\x8F\xC2\x99\xC3\x9B\xC3\x9D\xC3\xBA\x62\x55\x75\x10\xC2\x8B\xC2\xB8\x43\xC3\x81\xC3\x82\xC2\xA7\x2A\x34\x13\x50\xC3\x9A\xC2\xA9\x2D\xC3\xA1\xC2\xA9\xC2\xBE\x40\x54\x36\x44\xC2\x89\x6C\x0F\xC2\xB1\xC2\x91\xC3\x92\x57\xC3\xA2\x75\x7A\xC3\x85\x6D\x34\x47\xC3\x90\xC3\xB3\x19\xC3\x98\x24\x3D\xC3\x8D\x20\x67\x2C\xC2\xA5\x51\xC2\x83\x09\xC3\xAB\xC2\xAE\x69\x4B\x45\xC3\x9F\x20\x72\xC2\xA1\x19\xC2\x9F\xC3\x97\x36\x16\x30\xC3\x8D\x74\x20\xC2\x90\x34\xC3\xB6\xC3\x83\xC2\x93\x7E\x5E\xC2\xAB\x1C\x79\x03\x3A\xC2\x90\xC2\x96\xC3\x88\x64

This is the xor decode function.

Code: Select all

System_String_o *__cdecl I2_Loc_StringObfucator__XoREncode(System_String_o *NormalString, const MethodInfo *method)
{
  int v2; // r2
  int v3; // r3
  System_String_o *v4; // r4
  I2_Loc_StringObfucator_c *v5; // r0
  struct System_Char_array *v6; // r10
  System_Char_array *v7; // r4
  il2cpp_array_size_t v8; // r0
  uint16_t *v9; // r5
  signed int v10; // r6
  int v11; // r0
  int v12; // r1
  int v13; // r0
  char v14; // r9
  int v15; // r0
  unsigned __int8 v16; // r0
  signed int v18; // [sp+4h] [bp-24h]
  signed int v19; // [sp+8h] [bp-20h]

  v4 = NormalString;
  if ( !byte_17C6649 )
  {
    sub_30504C(18958);
    byte_17C6649 = 1;
  }
  v5 = I2_Loc_StringObfucator_TypeInfo;
  if ( I2_Loc_StringObfucator_TypeInfo->_2.bitflags2 & 2 && !I2_Loc_StringObfucator_TypeInfo->_2.cctor_started )
  {
    il2cpp_runtime_class_init_0(I2_Loc_StringObfucator_TypeInfo, 0, v2, v3);
    v5 = I2_Loc_StringObfucator_TypeInfo;
  }
  v6 = v5->static_fields->StringObfuscatorPassword;
  if ( !v4 )
    sub_332720();
  v7 = System_String__ToCharArray(v4, 0);
  if ( !v6 )
    sub_332720();
  v18 = v6->max_length;
  if ( !v7 )
    sub_332720();
  v19 = v7->max_length;
  if ( v19 >= 1 )
  {
    v8 = v7->max_length;
    v9 = v7->m_Items;
    v10 = 0;
    while ( 1 )
    {
      if ( v8 <= v10 )
      {
        v11 = sub_3337C4();
        sub_332674(v11);
      }
      v12 = v10 % v18;
      if ( v6->max_length <= v10 % v18 )
      {
        v13 = sub_3337C4();
        sub_332674(v13);
      }
      v14 = -51;
      if ( !(v10 & 1) )
        v14 = 23;
      if ( v7->max_length <= v10 )
      {
        v15 = sub_3337C4();
        sub_332674(v15);
      }
      v16 = v14 * v10++;
      *v9 = v16 ^ (unsigned __int16)(v6->m_Items[v12] ^ *v9);
      if ( v10 >= v19 )
        break;
      v8 = v7->max_length;
      ++v9;
    }
  }
  return System_String__CreateString_8594264(0, v7, 0);

Called by string decoder.

Code: Select all

System_String_o *__cdecl I2_Loc_StringObfucator__Decode(System_String_o *ObfucatedString, const MethodInfo *method)
{
  int v2; // r2
  int v3; // r3
  System_String_o *v4; // r4
  uint32_t v5; // r1
  System_String_o *v6; // r0
  const MethodInfo *v7; // r1

  v4 = ObfucatedString;
  if ( !byte_17C6646 )
  {
    sub_30504C(18954);
    byte_17C6646 = 1;
  }
  v5 = I2_Loc_StringObfucator_TypeInfo->_2.bitflags2;
  if ( v5 & 2 )
  {
    v5 = I2_Loc_StringObfucator_TypeInfo->_2.cctor_started;
    if ( !v5 )
      il2cpp_runtime_class_init_0(I2_Loc_StringObfucator_TypeInfo, 0, v2, v3);
  }
  v6 = I2_Loc_StringObfucator__FromBase64(v4, (const MethodInfo *)v5);
  return I2_Loc_StringObfucator__XoREncode(v6, v7);
}

[x-tiger]

My God, thank you so much.I cannot express my words, in my heart, you are God!
Thank you for having a teacher like you on the way of learning reverse. Thank you very much!

[x-tiger]

I'm sorry.
I have a new problem.
How is StringObfuscatorPassword obtained?

[chrrox]

its a string literal defined in the initialization of the string function.

[atom0s]

Some tools that help with this kind of thing:
- https://github.com/djkaty/Il2CppInspector
- https://github.com/Perfare/Il2CppDumper

Both can generate IDA python scripts to remap the il2cpp file back to actual named information from the global-metadata.dat file included with things that have used il2cpp.

[x-tiger]

its a string literal defined in the initialization of the string function.

First of all, thank you very much for your reply.
I'm sorry, I don't get the meaning of this sentence.
I've only been with game hackers for three weeks, and I'm not familiar with reverse engineering yet.

---------------------------------------------------------------------------------------
What is the process by which the cipher text of this initialization string function definition is obtained, or where can the string function be found?
1/ Use IDA static analysis to view SO file for password?
2/ Use other tools to view the encrypted config file to get the password?
3/ Using IDA to dynamically debug APK fetch?
4 / other?


In addition, I would like to ask whether I should use one of the following processes if I need to change the encrypted confused config file into a normal text file:
1/ First decode Config file with BASE64 decoder.Then decrypt the BASE64 decoded file using the password and related functions listed above?
Can the XOR decryption function be decrypted using the generic XOR decryption tool?
2/ Decrypt XOR using the above password and related functions. Then BASE64 decode?-- Process reversal

I'm sorry, But I have a lot of questions.
But, thank you very much for your help, thank you!

[x-tiger]

Some tools that help with this kind of thing:
- https://github.com/djkaty/Il2CppInspector
- https://github.com/Perfare/Il2CppDumper

Both can generate IDA python scripts to remap the il2cpp file back to actual named information from the global-metadata.dat file included with things that have used il2cpp.

Thank you for your reply!

[atom0s]

In this game's case, it's broken into two separate apk's within the main xapk.
- bettles.puzzle.solitaire.apk
- config.armeabi_v7a.apk

The config.armeabi_v7a.apk contains the actual libraries/game code files while the other contains the game assets, Unity runtime, and general app-related information.

The two main important files for this kind of thing are:
- bettles.puzzle.solitaire.apk > assets\bin\Data\Managed\Metadata\global-metadata.dat
- config.armeabi_v7a.apk > lib\armeabi-v7a\libil2cpp.so

This game makes use of il2cpp, which compiles the C# code down into native code. That is what the il2cpp file is. The global-metadata.dat file is the symbol map file for the il2cpp file, which contains all the symbol information (class/object/function names, static initialization data values, etc.) Tools like the ones I linked above can take the global-metadata.dat file and recreate a script for various tools to remap its content to the actual il2cpp file. (For tools like IDA/Ghidra and such where static analysis is performed.)

Once you remap the data and apply it to the il2cpp file, you can see the naming and object data for everything. Along with the object holding the xor key. You can follow/trace back in a tool like IDA or Ghidra to where that object is initialized, in this case its in a static constructor, and get its original value.

[x-tiger]

In this game's case, it's broken into two separate apk's within the main xapk.
- bettles.puzzle.solitaire.apk
- config.armeabi_v7a.apk

The config.armeabi_v7a.apk contains the actual libraries/game code files while the other contains the game assets, Unity runtime, and general app-related information.

The two main important files for this kind of thing are:
- bettles.puzzle.solitaire.apk > assets\bin\Data\Managed\Metadata\global-metadata.dat
- config.armeabi_v7a.apk > lib\armeabi-v7a\libil2cpp.so

This game makes use of il2cpp, which compiles the C# code down into native code. That is what the il2cpp file is. The global-metadata.dat file is the symbol map file for the il2cpp file, which contains all the symbol information (class/object/function names, static initialization data values, etc.) Tools like the ones I linked above can take the global-metadata.dat file and recreate a script for various tools to remap its content to the actual il2cpp file. (For tools like IDA/Ghidra and such where static analysis is performed.)

Once you remap the data and apply it to the il2cpp file, you can see the naming and object data for everything. Along with the object holding the xor key. You can follow/trace back in a tool like IDA or Ghidra to where that object is initialized, in this case its in a static constructor, and get its original value.

Thank you for your reply. These are the tools I used in the screenshots above.
What I don't understand is, where does the StringObfuscatorPassword data that Chrrox gives us come from
And this is what he said:
its a string literal defined in the initialization of the string function.
1. This function is where I'm going to find, from which tool to obtain this function and StringObfuscatorPassword.
2. How should I use the pseudo-code copied from IDA he gave?
I do not know pseudo code, and my programming ability and game hacking skills are poor, I just began to learn, I do not know the process.
Of course, anyway, thank you very much for your reply, you are a good person.

[atom0s]

What I don't understand is, where does the StringObfuscatorPassword data that Chrrox gives us come from

I do not know pseudo code, and my programming ability and game hacking skills are poor, I just began to learn, I do not know the process.

This is where understanding some basic level of coding will help, as well as understanding how C# (and .NET in general) works.

The pseudo-code generated by HexRays (the IDA plugin which chrrox's post used) is C/C++ syntax. C# is similar to it so once you have a basic understanding of C# or C/C++, you should be able to understand the basic jist of things. (I'd recommend understanding C/C++ more to fully understand what IDA / Ghidra generates for pseudo-code like this though as things like pointers, structures, etc. will be a bit hard to understand in these contexts if all you know is C#.)

As a quick rundown though, il2cpp converts the Assembly-CSharp.dll to native code.
It's essentially the same thing, just built into native code and wrapped around Mono calls to recreate the same things.

In C#, a class object has the ability to have to 'constructors' which initialize data of the object itself when an instance of it is created or a static instance is referenced. Static variables are initialized in a separate constructor called a 'static constructor'. This is signified via a '.cctor' function in the class when decompiled/disassembled. (Whereas a normal constructor is just a '.ctor' or will just be the same name as the class object itself.)

If you use il2cppDumper, it will gen both the IDA/Ghidra script needed and a dummy Assembly-CSharp.dll you can look at to see some useful information on how the object is setup. In this case, the object is:
Assembly-CSharp.dll -> I2.Loc -> StringObfucastor

Here you will see the layout of the class:


So we know it has a static constructor due to .cctor and we can see the methods and members of the class. If you click on 'StringObfuscatorPassword', you'll see its a static char array (char[]).

Code: Select all

// I2.Loc.StringObfucator
// Token: 0x04000D8E RID: 3470
[Token(Token = "0x4000B95")]
[FieldOffset(Offset = "0x0")]
public static char[] StringObfuscatorPassword;

Next, if you load up the il2cpp.so in IDA, then apply the il2cppDumper script data to it, you can go to the function "StringObfucastor" and see the usage. You can also see the static constructor in IDA, which is:

Code: Select all

int I2_Loc_StringObfucator___cctor()
{
  int v0; // r0
  int result; // r0

  if ( !byte_17C664A )
  {
    sub_30504C(18959);
    byte_17C664A = 1;
  }
  v0 = StringLiteral_8584;
  if ( !StringLiteral_8584 )
  {
    sub_332720(0);
    v0 = StringLiteral_8584;
  }
  result = System_String__ToCharArray(v0, 0);
  **(_DWORD **)(I2_Loc_StringObfucator_TypeInfo + 92) = result;
  return result;
}

Here the base password is being prepared by being initialized into a character array.

Code: Select all

StringLiteral_8584

Would be the variable that holds the base character array. Following that in IDA will show you a comment that holds the real value of the data, that you can then match up and copy from the 'stringliteral.json' file that il2cppDumper creates. Which looks like this:

Code: Select all

  {
    "value": "ÝúbUu\u0010‹¸CÁ§*4\u0013PÚ©-᩾@T6D‰l\u000f±‘ÒWâuzÅm4GÐó\u0019Ø$=Í g,¥Qƒ\të®iKEß r¡\u0019Ÿ×6\u00160Ít 4öÓ~^«\u001cy\u0003:–Èd\u00101\u001a<Q™ÛÝúbUu\u0010‹¸CÁ§*4\u0013PÚ©-᩾@T6D‰l\u000f±‘ÒWâuzÅm4GÐó\u0019Ø$=Í g,¥Qƒ\të®iKEß r¡\u0019Ÿ×6\u00160Ít 4öÓ~^«\u001cy\u0003:–Èd",
    "address": "0x17C548C"
  },

(You can lookup and confirm the data/value by its address seen in IDA and the address field here in the json file.)

[x-tiger]

What I don't understand is, where does the StringObfuscatorPassword data that Chrrox gives us come from

I do not know pseudo code, and my programming ability and game hacking skills are poor, I just began to learn, I do not know the process.

This is where understanding some basic level of coding will help, as well as understanding how C# (and .NET in general) works.

The pseudo-code generated by HexRays (the IDA plugin which chrrox's post used) is C/C++ syntax. C# is similar to it so once you have a basic understanding of C# or C/C++, you should be able to understand the basic jist of things. (I'd recommend understanding C/C++ more to fully understand what IDA / Ghidra generates for pseudo-code like this though as things like pointers, structures, etc. will be a bit hard to understand in these contexts if all you know is C#.)

As a quick rundown though, il2cpp converts the Assembly-CSharp.dll to native code.
It's essentially the same thing, just built into native code and wrapped around Mono calls to recreate the same things.

In C#, a class object has the ability to have to 'constructors' which initialize data of the object itself when an instance of it is created or a static instance is referenced. Static variables are initialized in a separate constructor called a 'static constructor'. This is signified via a '.cctor' function in the class when decompiled/disassembled. (Whereas a normal constructor is just a '.ctor' or will just be the same name as the class object itself.)

If you use il2cppDumper, it will gen both the IDA/Ghidra script needed and a dummy Assembly-CSharp.dll you can look at to see some useful information on how the object is setup. In this case, the object is:
Assembly-CSharp.dll -> I2.Loc -> StringObfucastor

Here you will see the layout of the class:


So we know it has a static constructor due to .cctor and we can see the methods and members of the class. If you click on 'StringObfuscatorPassword', you'll see its a static char array (char[]).

Code: Select all

// I2.Loc.StringObfucator
// Token: 0x04000D8E RID: 3470
[Token(Token = "0x4000B95")]
[FieldOffset(Offset = "0x0")]
public static char[] StringObfuscatorPassword;

Next, if you load up the il2cpp.so in IDA, then apply the il2cppDumper script data to it, you can go to the function "StringObfucastor" and see the usage. You can also see the static constructor in IDA, which is:

Code: Select all

int I2_Loc_StringObfucator___cctor()
{
  int v0; // r0
  int result; // r0

  if ( !byte_17C664A )
  {
    sub_30504C(18959);
    byte_17C664A = 1;
  }
  v0 = StringLiteral_8584;
  if ( !StringLiteral_8584 )
  {
    sub_332720(0);
    v0 = StringLiteral_8584;
  }
  result = System_String__ToCharArray(v0, 0);
  **(_DWORD **)(I2_Loc_StringObfucator_TypeInfo + 92) = result;
  return result;
}

Here the base password is being prepared by being initialized into a character array.

Code: Select all

StringLiteral_8584

Would be the variable that holds the base character array. Following that in IDA will show you a comment that holds the real value of the data, that you can then match up and copy from the 'stringliteral.json' file that il2cppDumper creates. Which looks like this:

Code: Select all

  {
    "value": "ÝúbUu\u0010‹¸CÁ§*4\u0013PÚ©-᩾@T6D‰l\u000f±‘ÒWâuzÅm4GÐó\u0019Ø$=Í g,¥Qƒ\të®iKEß r¡\u0019Ÿ×6\u00160Ít 4öÓ~^«\u001cy\u0003:–Èd\u00101\u001a<Q™ÛÝúbUu\u0010‹¸CÁ§*4\u0013PÚ©-᩾@T6D‰l\u000f±‘ÒWâuzÅm4GÐó\u0019Ø$=Í g,¥Qƒ\të®iKEß r¡\u0019Ÿ×6\u00160Ít 4öÓ~^«\u001cy\u0003:–Èd",
    "address": "0x17C548C"
  },

(You can lookup and confirm the data/value by its address seen in IDA and the address field here in the json file.)

Wow, thanks for the tutorial, it cleared up a bit of my confusion.
Thank you very much. I've learned a lot from it.
However, I still have some doubts that the value of 0x17C548C above is still confused, these real values that look confused, how can I use it or make it normal to read.
Finally, how do I use these passwords to make the encrypted Config file I exported from AssetStudio normally readable?

[atom0s]

chrrox's post with the key is just encoded differently, but is the same data. If you take his key and convert it back to Unicode in C#, like this:

Code: Select all

            var stringXorPassword = new byte[] {
                0xC3, 0x9D, 0xC3, 0xBA, 0x62, 0x55, 0x75, 0x10, 0xC2, 0x8B, 0xC2, 0xB8, 0x43, 0xC3, 0x81, 0xC3, 0x82, 0xC2,
                0xA7, 0x2A, 0x34, 0x13, 0x50, 0xC3, 0x9A, 0xC2, 0xA9, 0x2D, 0xC3, 0xA1, 0xC2, 0xA9, 0xC2, 0xBE, 0x40, 0x54,
                0x36, 0x44, 0xC2, 0x89, 0x6C, 0x0F, 0xC2, 0xB1, 0xC2, 0x91, 0xC3, 0x92, 0x57, 0xC3, 0xA2, 0x75, 0x7A, 0xC3,
                0x85, 0x6D, 0x34, 0x47, 0xC3, 0x90, 0xC3, 0xB3, 0x19, 0xC3, 0x98, 0x24, 0x3D, 0xC3, 0x8D, 0x20, 0x67, 0x2C,
                0xC2, 0xA5, 0x51, 0xC2, 0x83, 0x09, 0xC3, 0xAB, 0xC2, 0xAE, 0x69, 0x4B, 0x45, 0xC3, 0x9F, 0x20, 0x72, 0xC2,
                0xA1, 0x19, 0xC2, 0x9F, 0xC3, 0x97, 0x36, 0x16, 0x30, 0xC3, 0x8D, 0x74, 0x20, 0xC2, 0x90, 0x34, 0xC3, 0xB6,
                0xC3, 0x83, 0xC2, 0x93, 0x7E, 0x5E, 0xC2, 0xAB, 0x1C, 0x79, 0x03, 0x3A, 0xC2, 0x90, 0xC2, 0x96, 0xC3, 0x88,
                0x64, 0x10, 0xC2, 0x8F, 0x31, 0x1A, 0x3C, 0x51, 0xC2, 0x8F, 0xC2, 0x99, 0xC3, 0x9B, 0xC3, 0x9D, 0xC3, 0xBA,
                0x62, 0x55, 0x75, 0x10, 0xC2, 0x8B, 0xC2, 0xB8, 0x43, 0xC3, 0x81, 0xC3, 0x82, 0xC2, 0xA7, 0x2A, 0x34, 0x13,
                0x50, 0xC3, 0x9A, 0xC2, 0xA9, 0x2D, 0xC3, 0xA1, 0xC2, 0xA9, 0xC2, 0xBE, 0x40, 0x54, 0x36, 0x44, 0xC2, 0x89,
                0x6C, 0x0F, 0xC2, 0xB1, 0xC2, 0x91, 0xC3, 0x92, 0x57, 0xC3, 0xA2, 0x75, 0x7A, 0xC3, 0x85, 0x6D, 0x34, 0x47,
                0xC3, 0x90, 0xC3, 0xB3, 0x19, 0xC3, 0x98, 0x24, 0x3D, 0xC3, 0x8D, 0x20, 0x67, 0x2C, 0xC2, 0xA5, 0x51, 0xC2,
                0x83, 0x09, 0xC3, 0xAB, 0xC2, 0xAE, 0x69, 0x4B, 0x45, 0xC3, 0x9F, 0x20, 0x72, 0xC2, 0xA1, 0x19, 0xC2, 0x9F,
                0xC3, 0x97, 0x36, 0x16, 0x30, 0xC3, 0x8D, 0x74, 0x20, 0xC2, 0x90, 0x34, 0xC3, 0xB6, 0xC3, 0x83, 0xC2, 0x93,
                0x7E, 0x5E, 0xC2, 0xAB, 0x1C, 0x79, 0x03, 0x3A, 0xC2, 0x90, 0xC2, 0x96, 0xC3, 0x88, 0x64
            };

            var unicode = new String(System.Text.Encoding.UTF8.GetChars(stringXorPassword));

[x-tiger]

chrrox's post with the key is just encoded differently, but is the same data. If you take his key and convert it back to Unicode in C#, like this:

Code: Select all

            var stringXorPassword = new byte[] {
                0xC3, 0x9D, 0xC3, 0xBA, 0x62, 0x55, 0x75, 0x10, 0xC2, 0x8B, 0xC2, 0xB8, 0x43, 0xC3, 0x81, 0xC3, 0x82, 0xC2,
                0xA7, 0x2A, 0x34, 0x13, 0x50, 0xC3, 0x9A, 0xC2, 0xA9, 0x2D, 0xC3, 0xA1, 0xC2, 0xA9, 0xC2, 0xBE, 0x40, 0x54,
                0x36, 0x44, 0xC2, 0x89, 0x6C, 0x0F, 0xC2, 0xB1, 0xC2, 0x91, 0xC3, 0x92, 0x57, 0xC3, 0xA2, 0x75, 0x7A, 0xC3,
                0x85, 0x6D, 0x34, 0x47, 0xC3, 0x90, 0xC3, 0xB3, 0x19, 0xC3, 0x98, 0x24, 0x3D, 0xC3, 0x8D, 0x20, 0x67, 0x2C,
                0xC2, 0xA5, 0x51, 0xC2, 0x83, 0x09, 0xC3, 0xAB, 0xC2, 0xAE, 0x69, 0x4B, 0x45, 0xC3, 0x9F, 0x20, 0x72, 0xC2,
                0xA1, 0x19, 0xC2, 0x9F, 0xC3, 0x97, 0x36, 0x16, 0x30, 0xC3, 0x8D, 0x74, 0x20, 0xC2, 0x90, 0x34, 0xC3, 0xB6,
                0xC3, 0x83, 0xC2, 0x93, 0x7E, 0x5E, 0xC2, 0xAB, 0x1C, 0x79, 0x03, 0x3A, 0xC2, 0x90, 0xC2, 0x96, 0xC3, 0x88,
                0x64, 0x10, 0xC2, 0x8F, 0x31, 0x1A, 0x3C, 0x51, 0xC2, 0x8F, 0xC2, 0x99, 0xC3, 0x9B, 0xC3, 0x9D, 0xC3, 0xBA,
                0x62, 0x55, 0x75, 0x10, 0xC2, 0x8B, 0xC2, 0xB8, 0x43, 0xC3, 0x81, 0xC3, 0x82, 0xC2, 0xA7, 0x2A, 0x34, 0x13,
                0x50, 0xC3, 0x9A, 0xC2, 0xA9, 0x2D, 0xC3, 0xA1, 0xC2, 0xA9, 0xC2, 0xBE, 0x40, 0x54, 0x36, 0x44, 0xC2, 0x89,
                0x6C, 0x0F, 0xC2, 0xB1, 0xC2, 0x91, 0xC3, 0x92, 0x57, 0xC3, 0xA2, 0x75, 0x7A, 0xC3, 0x85, 0x6D, 0x34, 0x47,
                0xC3, 0x90, 0xC3, 0xB3, 0x19, 0xC3, 0x98, 0x24, 0x3D, 0xC3, 0x8D, 0x20, 0x67, 0x2C, 0xC2, 0xA5, 0x51, 0xC2,
                0x83, 0x09, 0xC3, 0xAB, 0xC2, 0xAE, 0x69, 0x4B, 0x45, 0xC3, 0x9F, 0x20, 0x72, 0xC2, 0xA1, 0x19, 0xC2, 0x9F,
                0xC3, 0x97, 0x36, 0x16, 0x30, 0xC3, 0x8D, 0x74, 0x20, 0xC2, 0x90, 0x34, 0xC3, 0xB6, 0xC3, 0x83, 0xC2, 0x93,
                0x7E, 0x5E, 0xC2, 0xAB, 0x1C, 0x79, 0x03, 0x3A, 0xC2, 0x90, 0xC2, 0x96, 0xC3, 0x88, 0x64
            };

            var unicode = new String(System.Text.Encoding.UTF8.GetChars(stringXorPassword));

Great! Thank you very much for your reply!

[x-tiger]

This post was invalidated because I didn't know how to use the password to decrypt it.
So, I gave up.Thanks to everyone who helped me.