Analysis of Three kill string encryption algorithms and kill string encryption algorithms

Source: Internet
Author: User

Analysis of Three kill string encryption algorithms and kill string encryption algorithms

Three Kingdoms kill string encryption algorithm analysis
[Article Title]: Three Kingdoms kill string Encryption Algorithm
[Author]: Ericky
[Author blog]: http://blog.csdn.net/hk9259
[]: Baidu download
[Protection method]: String Encryption
[Author's statement]: I am at a limited level. If you have any mistakes, please correct them.

0x1 Preface

It is said that the old version of this game can directly modify the corresponding strings to replace the prince with a raccoon, so as to bypass the test and achieve the effect of internal-purchase cracking, now one year later, in order to prevent tampering or others, the game has enhanced its own encryption. In particular, it protects some key strings and checks whether the strength is worth the time.

0x2 Positioning

Open libgame. so and follow the previous ideas to find the encrypted string in the vast string as follows:

Locate the class in the red box as follows:

0x3 Analysis

Analysis

Continue the following analysis:

Follow up as follows:

Base64 is the standard decryption method.
The following functions are Xor encoded functions, so we can continue to follow up:

Here is a loop decryption, the key function is 70004C.
Continue with the SUB_7BE950 function:

The decrypted string is used for calling in so.

0x4 Write/decrypt the encryption program

The restore encryption code is as follows:

// Encrypted string BYTE arry [] = "classes. dea "; // encrypt KEYconst uint32_t Key = 0x9f; // initialize unsigned char XorOut [100] =" "; char Base64Out [100] = ""; const size_t lens = sizeof (arry); for (size_t I = 0; I <lens-1; I ++) {XorOut [I] = arry [I] ^ (Key + I);} base64_encode (XorOut, Base64Out, lens-1); printf ("% s \ n ", base64Out); char * base64_encode (const unsigned char * bindata, char * base64, int binlength) {int I, j; unsigned char current; for (I = 0, j = 0; I <binlength; I + = 3) {current = (bindata [I]> 2); current & = (unsigned char) 0x3F; base64 [j ++] = base64char [(int) current]; current = (unsigned char) (bindata [I] <4) & (unsigned char) 0x30); if (I + 1> = binlength) {base64 [j ++] = base64char [(int) current]; base64 [j ++] = '; base64 [j ++] ='; break;} current | = (unsigned char) (bindata [I + 1]> 4) & (unsigned char) 0x0F); base64 [j ++] = base64char [(int) current]; current = (unsigned char) (bindata [I + 1] <2) & (unsigned char) 0x3C); if (I + 2> = binlength) {base64 [j ++] = base64char [(int) current]; base64 [j ++] = '; break;} current | = (unsigned char) (bindata [I + 2]> 6) & (unsigned char) 0x03); base64 [j ++] = base64char [(int) current]; current = (unsigned char) bindata [I + 2]) & (unsigned char) 0x3F); base64 [j ++] = base64char [(int) current];} base64 [j] = '\ 0'; return base64 ;}

The restored decryption code is as follows:

// ******************* Decrypt // KEYconst uint32_t Key2 = 0X9f; // decrypt the string const char Base64In [] = "7cXSzdbWxsPUhsbf3w ="; const size_t lens2 = (sizeof (Base64In)-1) * 3/4-2; // store unsigned char XorIn [] = "" After Base64 decryption; // Base64 decrypt base64_decode (Base64In, XorIn ); // After Xor is decrypted, the char Base64Outd [100] = ""; // Xor is stored for (size_t I = 0; I <lens2; I ++) {Base64Outd [I] = XorIn [I] ^ (Key2 + I);} printf ("% s \ n", Base64Outd); int base64_decod E (const char * base64, unsigned char * bindata) {int I, j; unsigned char k; unsigned char temp [4]; for (I = 0, j = 0; base64 [I]! = '\ 0'; I + = 4) {memset (temp, 0xFF, sizeof (temp); for (k = 0; k <64; k ++) {if (base64char [k] = base64 [I]) temp [0] = k;} for (k = 0; k <64; k ++) {if (base64char [k] = base64 [I + 1]) temp [1] = k;} for (k = 0; k <64; k ++) {if (base64char [k] = base64 [I + 2]) temp [2] = k;} for (k = 0; k <64; k ++) {if (base64char [k] = base64 [I + 3]) temp [3] = k;} bindata [j ++] = (unsigned char) (unsigned char) (temp [0] <2) & 0xFC) | (unsigned char) (temp [1]> 4) & 0x03); if (base64 [I + 2] = ') break; bindata [j ++] = (unsigned char) (unsigned char) (temp [1] <4) & 0xF0) | (unsigned char) (temp [2]> 2) & 0x0F); if (base64 [I + 3] = ') break; bindata [j ++] = (unsigned char) (temp [2] <6) & 0xF0) | (unsigned char) (temp [3] & 0x3F);} return j ;}
0x5 test results


7cXSzdbWxsPUhsbf3w ==---> resources. out

88nDjcLWyMPGysCFx8XPyc7d1JzA2w ==---> lib/armeabi/libgame. so

88nDjcLWyMPGysCH3ZvMgcPZ09XS2dCYxNc = ---> lib/armeabi-v7a/libgame. so

/MzA0dDB1ojDzdE = ---> classes. dex

0x6 Summary
We need patience to analyze algorithms, exercise people, and go to bed.

2015.7.26
By Ericky

Copyright Disclaimer: This article is an original article by the blogger and cannot be reproduced without the permission of the blogger.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.