
How does idaPro analyze the app decryption lua script

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com) 05/31 Report

This article walks through how to use IDA Pro to analyze an app's Lua script decryption, in the hope that it gives readers facing the same problem a simpler route to the answer.

From the earlier IDA Pro debugging or hooking work we already have the xxtea decryption key. The signature (sign) can be read directly by opening the original script file:

The sign value is visible: byds. So we can try to decrypt the file with an xxtea decryption tool (one can be built from the source code on GitHub):

Taking index.luac as an example, compare the file before and after xxtea decryption:

The Lua script decrypted by xxtea is still not plaintext. From the cocos2d framework source code and the decompiled apk we had determined that xxtea encryption is used, and the signature value prefixed to the app's Lua scripts confirms this. Yet the decrypted output is still not readable, which suggests that our decryption is incomplete rather than wrong, so we go back to IDA Pro.

Open libgame.so in IDA Pro, search for byds in the Exports window, find the byds_d function, and double-click into it:

Pressing F5 shows the decompiled code:

There is nothing special here; it is equivalent to the code in the framework source. If decryption is not finished at this point, the caller of this function must continue the process, so let's follow the xrefs to see where this function is called:

Two references appear, one of which is the GOT table entry and can be ruled out. Double-click the first one:

It is just a wrapper function, so we keep tracing upward:

Double-click in:

The function name matches the one that calls xxtea_decrypt in the source code, and this function was our breakthrough point at the beginning. Now it is clear that the script is first decrypted by byds_d and then decompressed by uncompress. In other words, the Lua script is compressed and then encrypted, so restoring it means first decrypting with xxtea and then decompressing the result. We can find a zlib extraction script on GitHub and decompress the decrypted output:

Then look at index.lua:

It is now plaintext.
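The two-stage layout the article arrives at (signature prefix, then xxtea ciphertext whose plaintext is a zlib stream) can be written down as a small, self-contained script. The code below is an added example, not the article's tool and not the cocos2d project's code. It assumes the word layout of the xxtea-c implementation bundled with cocos2d-x (little-endian 32-bit words, key zero-padded to 16 bytes, original byte length stored in a trailing word); if your build uses a different xxtea variant, only the byte/word packing needs adjusting. The sign value `byds` is taken from the article; the key and the Lua snippet are constructed placeholders. The `looks_like_zlib` check is the diagnostic the article's author was missing: when xxtea output "is still not plaintext" but starts with a valid zlib header, the key is right and a decompression stage is simply missing. It also illustrates the defensive point that stacking compression and a symmetric cipher whose key ships inside the binary is obfuscation, not protection.

```python
import struct
import zlib

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def _mx(sum_, y, z, p, e, k):
    """XXTEA mixing function (Wheeler/Needham), evaluated modulo 2**32."""
    return ((((z >> 5) ^ ((y << 2) & MASK)) + ((y >> 3) ^ ((z << 4) & MASK)))
            ^ ((sum_ ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK


def _bytes_to_words(data, include_len):
    # Little-endian 32-bit words, zero-padded; xxtea-c appends the byte length on encrypt.
    n = (len(data) + 3) // 4
    words = list(struct.unpack('<%dI' % n, data.ljust(n * 4, b'\0')))
    if include_len:
        words.append(len(data))
    return words


def _words_to_bytes(words, include_len):
    if include_len:
        m = words[-1]                      # trailing word = original byte length
        n = (len(words) - 1) * 4
        if m < n - 3 or m > n:             # xxtea-c rejects an implausible length
            raise ValueError('bad length word: wrong key or corrupt data')
        return struct.pack('<%dI' % (len(words) - 1), *words[:-1])[:m]
    return struct.pack('<%dI' % len(words), *words)


def _key_words(key):
    return _bytes_to_words(key[:16].ljust(16, b'\0'), False)   # 128-bit key, zero-padded


def xxtea_encrypt(data, key):
    v, k = _bytes_to_words(data, True), _key_words(key)
    n = len(v)
    rounds, sum_, z = 6 + 52 // n, 0, v[n - 1]
    for _ in range(rounds):
        sum_ = (sum_ + DELTA) & MASK
        e = (sum_ >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            z = v[p] = (v[p] + _mx(sum_, y, z, p, e, k)) & MASK
        y = v[0]
        z = v[n - 1] = (v[n - 1] + _mx(sum_, y, z, n - 1, e, k)) & MASK
    return _words_to_bytes(v, False)


def xxtea_decrypt(data, key):
    v, k = _bytes_to_words(data, False), _key_words(key)
    n = len(v)
    rounds = 6 + 52 // n
    sum_, y = (rounds * DELTA) & MASK, v[0]
    for _ in range(rounds):
        e = (sum_ >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            y = v[p] = (v[p] - _mx(sum_, y, z, p, e, k)) & MASK
        z = v[n - 1]
        y = v[0] = (v[0] - _mx(sum_, y, z, 0, e, k)) & MASK
        sum_ = (sum_ - DELTA) & MASK
    return _words_to_bytes(v, True)


def looks_like_zlib(data):
    """RFC 1950 header check: CM == 8 and (CMF*256 + FLG) % 31 == 0."""
    if len(data) < 2 or (data[0] & 0x0F) != 8:
        return False
    return ((data[0] << 8) | data[1]) % 31 == 0


def protect_script(source, sign, key):
    """What the app's build step does: compress, encrypt, prefix the signature."""
    return sign + xxtea_encrypt(zlib.compress(source), key)


def restore_script(blob, sign, key):
    """Reverse of protect_script: check sign, xxtea-decrypt, then inflate if it is zlib."""
    if not blob.startswith(sign):
        raise ValueError('signature mismatch: not a protected script')
    stage1 = xxtea_decrypt(blob[len(sign):], key)
    return zlib.decompress(stage1) if looks_like_zlib(stage1) else stage1


SIGN = b'byds'                                   # signature seen in the article
KEY = b'example-key-not-real'                    # constructed placeholder, not the app's key
SAMPLE_LUA = b'local M = {}\nfunction M.hello() print("hello") end\nreturn M\n'  # constructed


def demo():
    blob = protect_script(SAMPLE_LUA, SIGN, KEY)
    stage1 = xxtea_decrypt(blob[len(SIGN):], KEY)   # "not plaintext" yet, but a zlib stream
    return {'zlib_after_xxtea': looks_like_zlib(stage1),
            'restored': restore_script(blob, SIGN, KEY)}


if __name__ == '__main__':
    result = demo()
    print('xxtea output is zlib:', result['zlib_after_xxtea'])
    print(result['restored'].decode())
```

Run it as-is and it round-trips the constructed script; point `restore_script` at a real file only once you have the sign and key, and check `looks_like_zlib` on the first-stage output before concluding the key is wrong.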

That is how IDA Pro can be used to analyze an app's Lua script decryption. I hope the above is of some help; if you still have questions, follow the industry information channel to learn more.


© 2024 shulou.com SLNews company. All rights reserved.
