Cracking TexturePacker's encrypted resources and TexturePacker's encryption

Source: Internet
Author: User

Recently we have been preparing to launch a new project whose UI and interaction are meant to learn from the currently popular "Legend of the Holy Fire". So that programming can proceed in parallel with art production, we planned to use Holy Fire's resources for the time being. I decompressed the Holy Fire APK and found that the TexturePacker command line could not convert its .pvr.ccz resource files to PNG. After a little searching, I learned that TP provides an encryption feature. I have been developing in Unity recently and only needed TP's most basic atlas function, so I have been using v2.4.5 for a long time without upgrading.



The Holy Fire resource is encrypted and cannot be opened without a key.


An artist could provide sketches for the programmers to use. Compared with the source images, however, sketches have the wrong sizes and specifications, poor quality, and elements stacked on top of each other. Besides costing a lot of effort as heavy manual work, the result would look "terrible", and once the formal art resources arrive, all of the art presentation would have to be readjusted by the programmers, which is a huge workload. Therefore, the best method is to work out how to crack Holy Fire's encrypted resources. An engineer's job is to reduce labor and improve production efficiency.


Dynamic library injection and API Interception

At the beginning, I had no idea at all, because I develop games and had never cracked one. Only a few years ago, while reading Windows core programming, I used DLL injection and API interception and did some anti-cheat ("anti-plug-in") work for games. I haven't done PC development in a few years and have forgotten the specific implementation. I just remember that the general principle is to inject my own DLL into the target process, hijack some APIs, and replace them with my own implementations.


The Android kernel is based on Linux. Can APIs be intercepted through injection on Linux? As long as an API can be hijacked, cracking is possible. Googling "linux + inject" showed that injection is also possible on Linux. Further, I found that some people have open-sourced injection libraries they wrote themselves, such as LibInject. The core system API is ptrace, and there are also several APIs that operate on dynamic link libraries: dlopen, dlsym, dlclose, and dlerror. After the injection comes the hijacking: traverse the GOT, find the interface's address, and replace it with a self-written interface.


Once injection and hijacking both worked, I tried hijacking printf and replacing it with my own function. It succeeded, and I had a clear idea of how to do the cracking. The specific operations follow.


First, root the phone, then copy the injection process and the hijacking library to the phone, for example with the adb push command into the /data directory. If the message "Permission Denied" is displayed, mount /data and change the file permissions (chmod).


Then, opening the lib directory inside the Holy Fire package, I found that Holy Fire was developed with cocos2d-js v2.2, so I downloaded v2.2.5 from the official cocos2d-x site. Next, I found the module that loads .pvr.ccz files: ZipUtils.h/.cpp.

    void ZipUtils::ccSetPvrEncryptionKeyPart(int index, unsigned int value);  // interface for setting the key
    int ZipUtils::ccInflateCCZFile(const char *path, unsigned char **out);    // interface for loading ccz files


I wanted to hijack the user-defined key-setting interface, ccSetPvrEncryptionKeyPart, so that I could get the password directly. However, the symbol names obtained from soinfo->symtab were always garbled. I have not understood the reason yet; guidance from anyone who knows is welcome. So I turned to the implementation of ccInflateCCZFile. This interface reads the binary data of the ccz file, then uses the first four bytes to determine whether the ccz file is valid ("CCZ!") or encrypted ("CCZp"). If it is encrypted, it is decrypted. Next, it calls the libz decompression interface:

    int uncompress(Bytef *dest, uLongf *destLen, const Bytef *source, uLong sourceLen);
It turns out that ccz is also a zip compression format. The parameters that matter here are source and destLen: source is the decrypted ccz file data, and *destLen is the size before compression. So I only need to hijack the uncompress interface to crack the resources. P.S. Apart from hijacking uncompress, the OpenGL interface could also be hijacked; after all, all images must be handed to OpenGL for rendering.


Cracking

Check the ccz file header:

    /** @struct CCZHeader
    */
    struct CCZHeader {
        unsigned char   sig[4];             // signature. Should be 'CCZ!' 4 bytes
        unsigned short  compression_type;   // should be 0
        unsigned short  version;            // should be 2 (although version type==1 is also supported)
        unsigned int    reserved;           // Reserved for users.
        unsigned int    len;                // size of the uncompressed file
    };

The source does not contain the file header, so you need to fill in the file header yourself: sig is "CCZ!", compression_type is 0, version is 2, reserved is 0, and len is *destLen. Create a ccz file and write the file header and source into it. Then copy the generated ccz file back to the local machine with adb pull ("Permission Denied"? chmod). I opened it with TexturePacker in excitement, but it reported failure. I then opened the file in the Hex Editor of Notepad++ to view it in hexadecimal and found that the byte order of the header fields was reversed. Take version as an example: its hexadecimal value is 0x00 02 on a big-endian machine and 0x02 00 on a little-endian machine. On a little-endian machine, write the bytes in reverse order. After the change, I generated the ccz again and it opened successfully.
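The header layout and the byte-order pitfall described above, as an added example that is not code from the original post or from cocos2d-x: a C routine that classifies a buffer as plain ("CCZ!"), encrypted ("CCZp") or invalid, decoding the fields as big-endian on any host, which is useful for auditing which assets in a build actually shipped encrypted. The names ccz_classify and ccz_info and the sample byte arrays are constructed for illustration, and the accepted versions (1 and 2) follow the struct comment.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CCZ_HEADER_SIZE 16
enum ccz_kind { CCZ_INVALID = 0, CCZ_PLAIN, CCZ_ENCRYPTED };
struct ccz_info { uint16_t compression_type, version; uint32_t reserved, len; };

/* Constructed samples, len = 65536. GOOD stores the fields big-endian;
 * HOST_LE is what dumping the struct on a little-endian machine produces. */
static const unsigned char GOOD[16]    = {'C','C','Z','!', 0,0, 0,2, 0,0,0,0, 0,1,0,0};
static const unsigned char HOST_LE[16] = {'C','C','Z','!', 0,0, 2,0, 0,0,0,0, 0,0,1,0};
static const unsigned char ENC[16]     = {'C','C','Z','p', 0,0, 0,0, 0,0,0,0, 0,0,0,0};

static uint16_t be16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Classify a buffer by its header; *out is filled only for "CCZ!" files. */
enum ccz_kind ccz_classify(const unsigned char *buf, size_t n, struct ccz_info *out)
{
    memset(out, 0, sizeof *out);
    if (n < CCZ_HEADER_SIZE) return CCZ_INVALID;
    if (memcmp(buf, "CCZp", 4) == 0) return CCZ_ENCRYPTED; /* fields not inspected here */
    if (memcmp(buf, "CCZ!", 4) != 0) return CCZ_INVALID;
    out->compression_type = be16(buf + 4);
    out->version          = be16(buf + 6);
    out->reserved         = be32(buf + 8);
    out->len              = be32(buf + 12);
    if (out->compression_type != 0) return CCZ_INVALID;
    if (out->version != 1 && out->version != 2) return CCZ_INVALID;
    return CCZ_PLAIN;
}

int main(void)
{
    struct ccz_info h;
    printf("big-endian header:    kind=%d\n", ccz_classify(GOOD, sizeof GOOD, &h));
    printf("host-order LE header: kind=%d ", ccz_classify(HOST_LE, sizeof HOST_LE, &h));
    printf("(version decoded as 0x%04x)\n", (unsigned)h.version);
    printf("encrypted signature:  kind=%d\n", ccz_classify(ENC, sizeof ENC, &h));
    return 0;
}
```

The host-order sample is rejected because its version decodes as 0x0200, the same symptom the hex view revealed.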


Activity.pvr.ccz, a decrypted Holy Fire resource


File Name

The file name cannot be known when uncompress is hijacked. Write a program that scans the Holy Fire resource directory and builds a map with the file size as key and the file name as value, then match by file size. Because the file size is accurate to the byte, there are usually no files of the same size. I checked Holy Fire: 211 ccz files, none of the same size.


Converting to PNG and splitting the images

TexturePacker can directly convert ccz to PNG through the command line; then write a tool that reads the plist to split the image. CocosStudio can be used, and Python scripts for this can also be found on the Internet. So far, we have cracked all of Holy Fire's resources and obtained all the art resources.


Loose images of the split-out Holy Fire art resources


In addition to Legend of the Holy Fire, many games also use TexturePacker to encrypt resources, and they can be cracked as well. To avoid disputes, I will not release my tools and code.


P.S. Two related how-to blog posts:

View android process information http://blog.csdn.net/ynnmnm/article/details/38417829

Use adb to transfer files between your computer and mobile phone http://blog.csdn.net/ynnmnm/article/details/38415221


For more information, see http://blog.csdn.net/ynnmnm/article/details/38392795. Author: night wind.


