Analysis of three-kingdoms kill string Encryption algorithm

Analysis of three-kingdoms kill string Encryption algorithm
"article title": Three Kingdoms Kill string encryption algorithm
"article author": Ericky
"Author blog": http://blog.csdn.net/hk9259
"": Baidu Download
"Protected Mode": String encryption
"Author's statement": My level is limited, if there are deficiencies in the wrong place, please the warrior.

Introduction to 0x1

It is said that the old version of the game can be directly modified in the corresponding string to a civet cat for the prince, thus bypassing the test and to achieve the effect of the inside purchase, now after a year, the game in order to prevent tampering or other, strengthen the encryption of their own, especially to some key string protection, strength is worth the test of time , let's explore.

0x2 positioning

Open libgame.so, follow the previous idea, find the encrypted string in the vast string as follows:

The classes that are located in the red box are as follows:

0x3 Analysis

Analysis

Continue down Analysis:

Follow up following:

Base64 is the standard method of decryption.
The following function is an XOR-coded function, regardless of what we continue to follow:

Here is a circular decryption, the key function is 70004C.
Follow up and go on. sub_7be950 This function:

The decrypted string is then used for the call inside the so.

0x4 Write decryption Encryption program

Restore the encryption code as follows:

//Encrypt stringBYTE arry[] ="Classes.dea";//Encryption KeyConstuint32_t Key =0x9f;//Initializeunsigned Charxorout[ -] ="";Charbase64out[ -]="";Constsize_t lens =sizeof(Arry); for(size_t i =0; I < lens-1; i++) {Xorout[i] = Arry[i] ^ (key+i);} Base64_encode (Xorout, Base64out, lens-1);printf("%s\n", base64out);Char* Base64_encode (Const unsigned Char* Bindata,Char* Base64,intBinlength) {intI, J;unsigned CharCurrent for(i =0, j =0; i < binlength; i + =3) {current = (Bindata[i] >>2) ; Current &= (unsigned Char)0x3F; Base64[j++] = base64char[(int) current]; Current = ((unsigned Char) (Bindata[i] <<4)) & ((unsigned Char)0x30) ;if(i +1>= binlength) {base64[j++] = base64char[(int) current]; Base64[j++] =' = '; Base64[j++] =' = '; Break; } Current |= ((unsigned Char) (bindata[i+1] >>4)) & ((unsigned Char)0x0F); Base64[j++] = base64char[(int) current]; Current = ((unsigned Char) (bindata[i+1] <<2)) & ((unsigned Char)0x3C) ;if(i +2>= binlength) {base64[j++] = base64char[(int) current]; Base64[j++] =' = '; Break; } Current |= ((unsigned Char) (bindata[i+2] >>6)) & ((unsigned Char)0x03); Base64[j++] = base64char[(int) current]; Current = ((unsigned Char) bindata[i+2]) & ((unsigned Char)0x3F) ; Base64[j++] = base64char[(int) current]; } Base64[j] =' + ';returnBase64;}

Restore the decryption code as follows:

//******************* Decryption//keyConstuint32_t Key2 =0X9f;//Decrypt stringConst Charbase64in[]="7cxszdbwxspuhsbf3w==";Constsize_t Lens2 = (sizeof(base64in)-1)*3/4-2;//base64 and store after decryptionunsigned CharXorin[] ="";//base64 DecryptionBase64_decode (base64in, Xorin);//xor and store after decryptionCharbase64outd[ -] ="";//xor Decryption for(size_t i =0;  i < lens2; i++) {Base64outd[i] = Xorin[i] ^ (key2+i);}printf("%s\n", BASE64OUTD);intBase64_decode (Const Char* Base64,unsigned Char* Bindata) {intI, J;unsigned CharKunsigned Chartemp[4]; for(i =0, j =0; Base64[i]! =' + '; i + =4)    {memset(Temp,0xFF,sizeof(temp)); for(k =0; K < -; K + +) {if(Base64char[k] = = Base64[i]) temp[0]= K; } for(k =0; K < -; K + +) {if(Base64char[k] = = base64[i+1]) temp[1]= K; } for(k =0; K < -; K + +) {if(Base64char[k] = = base64[i+2]) temp[2]= K; } for(k =0; K < -; K + +) {if(Base64char[k] = = base64[i+3]) temp[3]= K; } bindata[j++] = ((unsigned Char)(((unsigned Char) (temp[0] <<2)) &0xFC)) | ((unsigned Char)((unsigned Char) (temp[1]>>4) &0x03));if(base64[i+2] ==' = ') Break; Bindata[j++] = ((unsigned Char)(((unsigned Char) (temp[1] <<4)) &0xF0)) | ((unsigned Char)((unsigned Char) (temp[2]>>2) &0x0F));if(base64[i+3] ==' = ') Break; Bindata[j++] = ((unsigned Char)(((unsigned Char) (temp[2] <<6)) &0xF0)) | ((unsigned Char) (temp[3]&0x3F)); }returnJ;}

0x5 test Results

7cxszdbwxspuhsbf3w==--–> Resources.out

88ndjclwympgyscfx8xpyc7d1jza2w==--–> lib/armeabi/libgame.so

88ndjclwympgysch3zvmgcpz09xs2dcyxnc=--–> lib/armeabi-v7a/libgame.so

/mza0ddb1ojdzde=--–> Classes.dex

0x6 Summary
Need full patience to analyze the algorithm, very exercise people, sleep.

2015.7.26
by Ericky

Copyright NOTICE: This article for Bo Master original article, without Bo Master permission not reproduced.

Three Kingdoms Kill string encryption algorithm analysis