Home > Operation and Maintenance > Safety > How idaPro analyzes app decryption lua script

How idaPro analyzes app decryption lua script

WBOY
Release: 2023-05-18 08:34:19
forward
1569 people have browsed it

Taking the previous IDAPRO or HOOK, we can get XXTEA decrypting key. For SIGN, we can directly open the original file:

How idaPro analyzes app decryption lua script

This can see the SIGN value: byds. Therefore, we can try to use the xxtea decryption tool (by getting the source code on GitHub and compiling it) to decrypt

How idaPro analyzes app decryption lua script        

Take index.luac as an example, let’s look at index.luac decryption Changes before and after:

How idaPro analyzes app decryption lua script

We see that the lua script decrypted by xxtea is still not clear text! We previously determined that the xxtea encryption was used based on the cocos2d framework source code and the master apk decoding result, and the app's Lua script also has a signature value, which also confirms that it is the xxtea encryption method, but the result we decrypted is still not plain text, which shows that we The decryption may not be complete. You have to go back to idapro to find out.

Open libgame.so with IDAPRO, search for Byds in the Export window, find the byds_d function, double -click in:

How idaPro analyzes app decryption lua script

# direct F5 will display the editor code:

                      How idaPro analyzes app decryption lua script

There is nothing special about this, it is equivalent to the code in our framework source code. If the decryption is not completed, the upper level of this function should be called again to continue the decryption process. Let's jump xrefs to track this function call: One is the got table, which is definitely not the case. Let’s double-click the first one:

How idaPro analyzes app decryption lua script

is just a wrapper function, let’s continue tracking:

How idaPro analyzes app decryption lua scriptDouble-click to enter:

        

How idaPro analyzes app decryption lua script We see that the name of this function is the same as the call to xxtea_decrypt in the source code. We also included this function in the breach at the beginning. Now you can clearly see that after the script has been decrypted by byds_d, it has been decompressed again. It should be basically clear now. The lua script should be compressed and encrypted, so if you want to restore it, you should first decrypt it with xxtea and then decrypt it. compression. You can find a script to decompress zlib on GitHub, which can be used to decompress the decrypted text

     

How idaPro analyzes app decryption lua scriptThen look at index.lua:

      

How idaPro analyzes app decryption lua script You can see that it has become clear text now.

The above is the detailed content of How idaPro analyzes app decryption lua script. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:yisu.com
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template