Shulou(Shulou.com)05/31 Report--

Today, I will talk to you about how to decrypt app resources in cocos2d-LUA reverse. Many people may not know much about it. In order to make you understand better, the editor has summarized the following for you. I hope you can get something according to this article.

Still take apk as an example, through the previous analysis of app decryption lua script, we can decrypt the lua script of apk, now let's decrypt its resources (configuration files, pictures, etc.). Let's take the more important configuration file as an example, before it is decrypted:

The file header also has a signature value: fuckyou!. Seeing this, we first thought whether it was also encrypted with xxtea. Using the above method, we first decrypted it with xxtea, and then decompressed it. We found that it was still garbled, and there was an error in the process of operation. Obviously, we have to deny our guess just now. We continue to decrypt the configuration file step by step.

Think about it a little bit, the header of the file is: fuckyou! If you want to decrypt the file, you will inevitably need to deal with the string: fuckyou! Therefore, we should be able to find the fuckyou string in idaPro, and then analyze, debug and decrypt it with the function at the code segment where the fuckyou string is located To verify our guess, open idaPro, open the string view, and search for fuckyou:

There's nothing! The guess is that it has been optimized to optimize the string somewhere.

The clue is broken, but curiosity continues. At this time, we can browse the source code of the cocos2d framework. Combined with some information on the Internet, we find that cocos2d's processing of files is encapsulated in the CCFileUtils class:

There are many functions, and they are not posted one by one, and I have also found the experience of my predecessors on the Internet:

All right, let's go back to idaPro, in the export window, and search for getData:

Enter these two functions, decompiler, look, look, do not look much alike, skip, but first write down, in the dynamic mode, we can break here.

Let's take a look at getFileData:

Since app runs on the Android platform, let's look at the CCFileUtilsAndroid::getFileData of the Android platform:

We went on to follow:

If the code is very long, not all of it will be pasted. Post the key part of this function:

See the picture above, it feels like it, hehe! But we still need to continue to analyze and verify. When the function deals with the file header sign, it does not compare directly with the character but with its ASCII value, so we can't find fuckyou in the string window! Of. Moving on, when the function determines that it is text in encrypted format, it removes the first 8 bytes (fuckyou! And then XOR with the values in the XOR table, looping every 256 bytes

We can take a look at byte_A1C55F:

At this point, we can basically determine the file decryption function and process, we can dynamically debug, and then confirm that when app calls this function, there should be plaintext content in memory. When we debug, the getData and CCFileUtilsAndroid:doGetFileData functions are broken at the beginning and end, and the GetData function is broken:

The break of doGetFileData function:

Although both functions are broken, they are only paused at the doGetFileData breakpoint, indicating that the decryption process is a doGetFileData function, in line with our expectations. Take a look at the register and memory:

We see that the content is ciphertext before doGetFileData, and the function has been decrypted into plaintext before the function is returned, which shows that our previous analysis is correct.

OK, now we can copy out the XOR table byte_A1C55F, and then imitate the decryption process of app (you can find a xor decoding script from GitHub and modify it slightly) to write a gadget to decrypt all the resources of the great god .apk:

After reading the above, do you have any further understanding of how to decrypt app resources in cocos2d-LUA reverse? If you want to know more knowledge or related content, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.