How to decrypt app resources in cocos2d-LUA reverse engineering
Let’s take the Dashen apk as an example. Using the earlier analysis of how the app decrypts its Lua scripts, we can already decrypt the Lua scripts of the Dashen apk. Now let’s decrypt its resources (configuration files, pictures, etc.), taking one of the more important configuration files as an example. Before decryption:
The file header also has a signature value: fuckyou!. Seeing this, our first thought was that it might also be encrypted with xxtea. We tried the method above, decrypting with xxtea first and then decompressing. The result was still garbled, and an error occurred during the operation, so we have to reject that conjecture. We continue to decrypt the configuration file step by step.
Think about it for a moment: the file header is fuckyou!, so decrypting the file inevitably requires processing that string. We should therefore be able to search for the fuckyou string in idaPro, and then analyze and debug the function in the code segment where the string is located to work out the decryption. Open idaPro, open the string view, and search for "fuckyou" to verify the hypothesis. My guess is that optimization has been applied and the string was optimized away somewhere.
The clue is broken, but curiosity keeps us going. At this point we can browse the cocos2d framework source code and, combined with some information from the Internet, find that cocos2d's file handling is encapsulated in the CCFileUtils class:
There are a lot of functions, so they are not posted one by one. I also found notes from earlier researchers on the Internet:
OK, now we return to idaPro and, in the exports window, search for getData:
Enter these two functions and decompile them. They do not look much like what we want, so skip them for now, but note them down: during dynamic debugging we can set breakpoints here.
Let’s look at getFileData again:
Since the app runs on the Android platform, let’s look at the CCFileUtilsAndroid::getFileData of the Android platform:
Let’s follow up:
The code is very long, so I won’t post it all, but here are the key parts of this function:
Seeing the picture above, I feel like this is it, haha! But we still need to continue to analyze and verify. When the function processes the signature in the file header, it does not compare it against a string directly but compares the ASCII values of its bytes one by one, which is why we cannot find "fuckyou!" in the string window. Looking further down: when the function determines that the data conforms to the encrypted format, it removes the first 8 bytes (fuckyou!) and then XORs the remaining bytes with the values in an XOR table, looping every 256 bytes.
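The routine described above, written out as an added Python example (not code from the app or from the original article): it checks the 8-byte signature, strips it, and XORs the payload against a 256-byte table that repeats every 256 bytes. The table is a constructed placeholder because the contents of byte_A1C55F are not reproduced on this page, and indexing the table from the first payload byte is an assumption.

```python
SIGNATURE = b"fuckyou!"   # 8-byte file header named in the article
TABLE_SIZE = 256          # XOR table length; the key stream repeats every 256 bytes

# Constructed placeholder table. The real values live at byte_A1C55F in the
# binary and are not reproduced on this page.
PLACEHOLDER_TABLE = bytes((i * 7 + 13) % 256 for i in range(TABLE_SIZE))


def is_encrypted(data: bytes) -> bool:
    """Compare the header byte by byte, as the native function does."""
    if len(data) < len(SIGNATURE):
        return False
    return all(data[i] == SIGNATURE[i] for i in range(len(SIGNATURE)))


def xor_payload(payload: bytes, table: bytes) -> bytes:
    """XOR each byte with table[offset % 256] (offset origin is an assumption)."""
    if len(table) != TABLE_SIZE:
        raise ValueError("XOR table must be exactly 256 bytes")
    return bytes(b ^ table[i % TABLE_SIZE] for i, b in enumerate(payload))


def decrypt_resource(data: bytes, table: bytes) -> bytes:
    """Return plaintext; files without the signature pass through unchanged."""
    if not is_encrypted(data):
        return data
    return xor_payload(data[len(SIGNATURE):], table)


def encrypt_resource(plain: bytes, table: bytes) -> bytes:
    """Inverse operation, used here only to build constructed test input."""
    return SIGNATURE + xor_payload(plain, table)


if __name__ == "__main__":
    # Constructed sample: a config-like blob longer than one table period.
    sample = b'{"server": "example.invalid", "port": 8080}\n' * 10
    blob = encrypt_resource(sample, PLACEHOLDER_TABLE)
    assert decrypt_resource(blob, PLACEHOLDER_TABLE) == sample
    print(decrypt_resource(blob, PLACEHOLDER_TABLE)[:44].decode())
```

Because the key stream is a fixed table with a 256-byte period, two payload bytes that are 256 positions apart are masked with the same key byte.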
We can take a look at byte_A1C55F:
At this point, we can basically determine the file decryption function and process. We can confirm it again with dynamic debugging: after the app calls this function, the clear-text content should be in memory. When debugging, we set breakpoints at the beginning and end of the getData and CCFileUtilsAndroid::doGetFileData functions. The getData breakpoints:
Although breakpoints are set on both functions, execution only pauses at the doGetFileData breakpoint, indicating that the doGetFileData function is the one used during decryption, which is in line with our expectations. Take a look at the registers and memory: