Use Ida static analysis to Decrypt "collection" Lua script

I haven't written anything for a long time, so I'm a little busy after a job change. you said entrepreneurship? The wind is too big to listen to look at the previous writing things, think before writing too serious, from now on to ease a little, to do a tease yard farming.

　　This article does not describe the details of the hack, and the code written to complete the hack will not be disclosed . Although this game is very shameless, but already on-line operation, I do not want to be checked water meter ah. So this is just an example of how to use Ida static analysis to crack a simple Cocos2dx-lua script encryption.

By the right, here is said the "Ship Niang Collection" is a hand tour, not the ship Niang, um.

Why do I have to crack it all of a sudden? The thing is this: one day, a former fine art colleague told me that he stumbled upon a hand and stole part of the original painting from the Fleet collection. Then showed me the extracted figure.

　　

Obviously the developer is using ship C's original painting, his own slightly run down the color to use in. In fact, this kind of thing in the domestic hand travel circle should be common, before there is a call "ship Niang State Service" page tour also did similar things, but they are more direct, function and interface directly is the original. This is an off-topic.

He added that he unpacked the APK, found that the art resources can be directly taken out, but there are many suffixes are LUA files, do not know what is to do, is not a picture?

I said, this is the code file, not the picture.

He also said that these documents can not be opened with Notepad, there is no way to see what is written in it?

I said, can't open must be encrypted, you study this do what, want to change to be a yard farmer ah? Don't make a mess with your youth.

He went on to say that you gave a crack to see Bai, anyway idle is also idle.

"Somebody else," I said, "I really am not humble, I am a u3d front-end code farmers, how to get reverse engineering it?" "(In fact, I am also very curious about the company to steal pictures, write the code is what level, but too lazy to toss)

And he said, "You see, in that game, they painted your wife like this:

　　

　　

......

......

......

Wife!!!!!

How did you become a dead fish eye,!!!!!!?

　　

And the expression of this brother-in-the-!!!!!!!! is noisy.

　　

　　I AM angry!

At that time I read two poems: "Mrs. Gou to crack, because of the misfortune to avoid the trend." And then find the colleague who's coming to APK.

　　

In fact, at the beginning of the time I can not promise to break out, I am the reverse engineering is basically only a little bit of trivial, IDA also used not familiar. But the force is like pouring out of water ah, force on it. Think of someone who was 200 people. Dragon Dog Poison Burst 120 people are lost, I as a novice how can not break out of it ~

Before I crack it, let me take a look at what the game is all about. After the load:

　　

Emma this app name and icon is really straightforward, and there is a "two-dimensional" corner mark.

　　

Go in, yo, there are beginners to guide it (and this leads to the back of the bug, in the untimely time to bounce out, or dislocation. In order to save space behind)

Then is to see the film as the fight, automatic, Rei four silly dozen opposite wife and north, incredibly still win???

Next is the choice level, the mother also has the dialogue, incredibly is uses the ship C's voice, even more is incredibly uses those voice to become the plot!

Although the automatic combat set and the original match, but special effects lot better a lot of ah ~ When the game is more dynamic than the original, it is more cool to watch.

Then unknowingly hit the second picture ...

Wait a minute......

I don't want to crack their script, how to play on it and play very well?

All right, close the game and start cracking. Look at the APK first. Unzip directly. Underneath the ASSETS/SRC is all the Lua scripts (by the way, look at the original picture under Res.) ）：

　　

　　

It's Cocos2dx-lua (or maybe quick-cocos2dx), and it's really something to remember. Although I have only used pure C + + Cocos,lua has not touched.

To open LUA files with Notepad, you can see that the common denominator is to start with JTS:

In common sense, the logic to decrypt Lua is in the compiled so file. Lib\armeabi There are two so, a more than 100 k, a more than 10 m, then surely the big is the Lord. The small one Baidu name, seems to be a certain bank's SDK? Whatever it is. next analyze the so file. Sacrifice the artifact Ida open so file, you can see inside cocos own class are not the beginning of CC, the description is 3.x:

　　

Because it is clear that this game is made by Cocos, look at the anti-assembler C code generated by Ida with the original control. Find the next hard drive, previously written easylive when the 3.2 is still in, Cocos New a LUA engineering auxiliary analysis. vaguely remember in the C + + version of the Cocos, if you want to read the encrypted PVR.CCZ picture, generally in the appdelegate::applicationdidlunchfinished. Then open the Cocos project in this method, here is the part that sets the Xxtea encryption parameters:

　　

Then search for this method in Ida, F5 generate C + + code, compare to see:

　　

　　

Is it very similar, and see the two key strings? In the Cocos Project, Luastack::lualoadbuffer inside did the Xxtea decryption operation, the heart thought: It seems this wave to decrypt the script is easy AH! The research team didn't dare to say anything, nor did the complex encryption algorithm ... Ah, the milk is not dead, the mother of Lao Tzu is a professional programmer, okay? Professional programmers, this code can not read AH? How can this milk die? How can you tell me that the direct copy code is solved without Ida? Open a new project to crack, copy code also broken, impossible to fail, impossible ...

　　

So I put cocos in the xxtea.h, XXTEA.C put forward to open a console project, and then follow the previous parameters to decrypt the script to try. The result was an explosion that could not be solved at all. Obviously, the xxteasign set in the code is a long string, and the signature in the script is only three characters (JTS). Therefore, the decryption of the script in this game is not directly using the Xxtea algorithm, and may not even use xxtea at all. (small color: Ida Ride face is your own dish, what does it matter to me)

Because Cocos is bound to go through the Luastack::lualoadbuffer method when reading Lua. So open Luaengine::executescriptfile in Ida, track it all the way in, and finally get into luastack::lualoadbuffer. The logical arrangement is:

　　

I accidentally fell into the pit and struggled for a long time. strcmp and strncmp These two functions, string equality returns 0, and unequal returns 1. Because I used to use C #, so directly think that the equivalent return 1 (true), with Xxtea for a long while did not get out ...

　　

Analyze the contents of the encrypted script, here will go to use Blowfish to decrypt the data flow, and did not use Xxtea, so he died of their own milk ... The next step is to write a decryption project according to the IDA code algorithm. Some variables look uncomfortable, you can rename a variable by clicking the selected variable and then pressing the N key. After writing, the processing Src/main.lua file test: (This file is cocos generated, directly put out also does not matter)

　　

　

Pretty! A file is solved, is it possible for other files to be decrypted with this set?

Finds all references to Luastack::lualoadbuffer in the Cocos Project, finds it was called once in Cocos2dx_lua_loader, and then finds Cocos2dx_lua_loader in Luastack:: There is code in init that sets the callback. So to be sure, this is the gateway to the LUA layer invocation script. Finding the corresponding place in Ida is also the same, stating that they do not have special handling, and all LUA scripts will go luastack::lualoadbuffer to decrypt them when they are read. So the decryption project just written is available for all LUA scripts. By analyzing the IDA code, it is possible to analyze their script as a file format: (a lattice represents a byte)

　　

　

So you can write a GUI and decrypt all the scripts. The GUI wants to do whatever it can, I use C # to invoke the DLL's way.

　　

　　

Look at the code, it is very surprising that the norms of comparative attention, from the game experience, the details of the better, and not like the work of small companies. So what is the company's hand? The code saw "generals" and other words, is it a skin-swapping game?

Then spit out the C + + layer code. Many of the underlying methods with j_j_ prefixes can be seen in Ida, such as this:

　　

Point in:

Then point it in:

　　

In fact, this hack is not what is used in the technology, is entirely reference to the Cocos source project, and then followed by Ida disassembly code analysis. Daniel watched the spray.

But I think I defended the dignity of the deep-sea admiral!

Finally, say how to avoid your own projects being compromised in this way.

In general, so file can be shell, so that Ida open the file when the error exits, or modify the name of the encryption class, so that the cracker can not find you in what way to encrypt, holding the key is useless (but a little bit of mind will be able to clean up the code in IDA when the decryption module) Or use a more advanced encryption method, but others can use the dynamic debugging directly hook Lual_loadbuffer to get the decrypted script ...

There are 1000 encryption methods, there are more than 10,000 decryption methods, how to effectively protect the resources of their own projects is a worthy study of the problem.

Is there anything you want to say about the developer of this game? --"I offended you today!" ”

If there is one sentence, it should be:-" don't copy, be a backbone developer, learn one for the battleship girl team." "

Very ashamed, did a little work, thank you!

Use Ida static analysis to Decrypt "collection" Lua script