Home >Operation and Maintenance >Safety >How to decrypt app resources in cocos2d-LUA reverse engineering

How to decrypt app resources in cocos2d-LUA reverse engineering

WBOY
WBOYforward
2023-05-16 19:11:102132browse

Let’s take Dashen apk as an example. Through the previous analysis of app decryption lua script, we can decrypt the lua script of Dashen apk. Now let’s decrypt its resources (configuration files and pictures, etc.). Let’s take a more important configuration file as an example. Before decryption:
How to decrypt app resources in cocos2d-LUA reverse engineering

The file header also has a signature value: fuckyou!. Seeing this, we first thought about whether it was also encrypted with xxtea. We used the above method to decrypt it with xxtea first, and then decompressed it. We found that it was still garbled, and an error occurred during the operation. Obviously, we have to deny what we just said. conjecture. We continue to decrypt the configuration file step by step.

Think about it for a moment, the file header is: fuckyou! If you want to decrypt the file, you inevitably need to process the string: fuckyou! , so we should be able to search for the fuckyou string in idaPro, and then use the function analysis, debugging and decryption in the code segment where the fuckyou string is located. Open idaPro and open the string view, search for "fuckyou" to verify our hypothesis. My guess is that optimization has been done and the string has been optimized somewhere.

The clue is broken, but our curiosity still allows us to continue. At this time, we can browse the cocos2d framework source code, combined with some information on the Internet, and find that cocos2d's processing of files is encapsulated into the CCFileUtils class: How to decrypt app resources in cocos2d-LUA reverse engineering

There are a lot of functions, and they are not posted one by one. I also found the experience of the predecessors from the Internet:

How to decrypt app resources in cocos2d-LUA reverse engineering

好, we will return now Go to idaPro, in the export window, search for getData:

How to decrypt app resources in cocos2d-LUA reverse engineering                  

Enter these two functions, decompile and have a look, they don’t look much alike, so skip it, but write it down first. During dynamic debugging, we can make a break here.

Let’s look at getFileData again: How to decrypt app resources in cocos2d-LUA reverse engineering

Since the app runs on the Android platform, let’s look at the CCFileUtilsAndroid::getFileData of the Android platform:

       

How to decrypt app resources in cocos2d-LUA reverse engineering Let’s follow up:

       

How to decrypt app resources in cocos2d-LUA reverse engineering The code is very long, so I won’t post it all, but here are the key parts of this function:

     

How to decrypt app resources in cocos2d-LUA reverse engineering Seeing the picture above, I feel like this is it, haha! But we still need to continue to analyze and verify. When the function processes the sign in the file header, it does not directly compare it with characters but compares its ASCII values ​​one by one, so we cannot find fuckyou in the string window! of. Then look down. When the function determines that it is text that conforms to the encrypted format, it will remove the first 8 bytes (fuck you!), and then perform an XOR operation with the value in the XOR table, looping every 256 bytes. .

We can take a look at byte_A1C55F:

How to decrypt app resources in cocos2d-LUA reverse engineering At this point, we can basically determine the file decryption function and process. We can dynamically debug and confirm again. After the app calls this function, there should be clear text content in the memory. When we debug, we interrupt at the beginning and end of the getData and CCFileUtilsAndroid:doGetFileData functions. The GetData function interrupts:

                                                      CCFileUtilsAndroid: doGetFileData function interrupts:

       How to decrypt app resources in cocos2d-LUA reverse engineering

Although both functions are interrupted, they only pause at the doGetFileData breakpoint, indicating that the doGetFileData function is used during the decryption process, which is in line with our expectations. Take a look at the registers and memory:

How to decrypt app resources in cocos2d-LUA reverse engineering

How to decrypt app resources in cocos2d-LUA reverse engineering

We saw the content before DogetFiledata was a ciphertext. Before the function returned, it has been decrypted into clear text, which shows that our previous analysis is right.

Okay, now, we can copy the XOR table byte_A1C55F, and then imitate the decryption process of the app (you can find an xor decoding script from GitHub and modify it slightly) and write a small tool to All resources of Dashen.apk have been decrypted:

How to decrypt app resources in cocos2d-LUA reverse engineering

###

The above is the detailed content of How to decrypt app resources in cocos2d-LUA reverse engineering. For more information, please follow other related articles on the PHP Chinese website!

Statement:
This article is reproduced at:yisu.com. If there is any infringement, please contact admin@php.cn delete