ZenHAX

Free Game Research Forum | Official QuickBMS support | twitter @zenhax | SSL HTTPS://zenhax.com
It is currently Sun Dec 16, 2018 12:51 am

All times are UTC




PostPosted: Fri Sep 21, 2018 11:59 pm 
Joined: Fri Apr 20, 2018 12:41 am
Posts: 69
I want to view Angry Birds LUAs but the headers of every one in APK/assets/data have weird headers. I heard they are encrypted/obfuscated/compiled in some way but how to decrypt/deobfuscate/decompile them? Here's a sample: http://www.filedropper.com/gamelogic. It would help me a lot.


PostPosted: Sun Sep 23, 2018 11:31 pm 
Joined: Sat Dec 27, 2014 8:49 pm
Posts: 104
Looks encrypted. You'd have to look in the Java code or their Lua lib/dll/so file to find how they are loading the files.

_________________
My personal site: http://atom0s.com
Donations can be made via Paypal: Click Here


PostPosted: Mon Sep 24, 2018 9:42 pm 
Joined: Fri Apr 20, 2018 12:41 am
Posts: 69
Should I open the .SO with IDA, look it up in .SO via hex viewing or both? I found LUANAME and some large number of different digits for each, like this: "data/scripts/gamelogic.lua F5F3C41A2CABF2362C0039687DCB5F63B8AC68C8" in SO hex, I assume it's a decryption key for the file but how to use it? Also, there aren't ANY DLLs in the game... Mostly encrypted LUA files, portions of DATs and encrypted JSONs as well as plain OGGs for audio. Fileswapping the LUAs doesn't work either, maybe this SHA1 checksum thing is the problem...


Last edited by LolHacksRule on Tue Sep 25, 2018 8:50 pm, edited 1 time in total.

PostPosted: Tue Sep 25, 2018 6:04 am 
Site Admin
Joined: Wed Jul 30, 2014 9:32 pm
Posts: 9478
No, that's the sha1 hash of the file.


PostPosted: Tue Sep 25, 2018 8:51 pm 
Joined: Fri Apr 20, 2018 12:41 am
Posts: 69
Oh sorry, I thought it was a decryption key... IDA it is...


PostPosted: Thu Oct 11, 2018 3:47 pm 
Joined: Fri Apr 20, 2018 12:41 am
Posts: 69
Never mind finding the decryption key, the old one is still used even though I thought Rovio would change it... I decrypted the ZIPs (and got 7z+File) file after that but for LUAs, it gives me LZMA files... How to decompress? My extraction tools always fail to extract them... Also this affects all text files in APK/assets/data aside from DATs, like JSONs, giving 7Z's after. (But I think 7.9.7 changed to LZMA)...


Last edited by LolHacksRule on Thu Oct 11, 2018 6:48 pm, edited 1 time in total.

PostPosted: Thu Oct 11, 2018 4:17 pm 
Site Admin
Joined: Wed Jul 30, 2014 9:32 pm
Posts: 9478
What's the old encryption you mention?


PostPosted: Thu Oct 11, 2018 6:47 pm 
Joined: Fri Apr 20, 2018 12:41 am
Posts: 69
aluigi wrote:
What's the old encryption you mention?

http://forum.xentax.com/viewtopic.php?f=21&t=9840 this one. Also read the Rio LUA decrypting method.


PostPosted: Thu Oct 11, 2018 7:28 pm 
Site Admin
Joined: Wed Jul 30, 2014 9:32 pm
Posts: 9478
ok but the sample lua file is no longer available.


PostPosted: Thu Oct 11, 2018 7:46 pm 
Site Admin
Joined: Wed Jul 30, 2014 9:32 pm
Posts: 9478
I have found the files. Wait for the script.


PostPosted: Thu Oct 11, 2018 7:58 pm 
Site Admin
Joined: Wed Jul 30, 2014 9:32 pm
Posts: 9478
Unfortunately you were right since the lzma data can't be decompressed.
I leave the work-in-progress script here that demonstrates how the lzma decompression fails:

*edit* a working script has been released


PostPosted: Thu Oct 11, 2018 9:38 pm 
Joined: Fri Apr 20, 2018 12:41 am
Posts: 69
aluigi wrote:
Unfortunately you were right since the lzma data can't be decompressed.
I leave the work-in-progress script here that demonstrates how the lzma decompression fails:
Code:
putarray 0 -1 "USCaPQpA4TSNVxMI1v9SK9UC0yZuAnb2"
putarray 0 -1 "zePhest5faQuX2S2Apre@4reChAtEvUt"
putarray 0 -1 "RmgdZ0JenLFgWwkYvCL2lSahFbEhFec4"
putarray 0 -1 "An8t3mn8U6spiQ0zHHr3a1loDrRa3mtE"
putarray 0 -1 ""

get SIZE asize
for i = 0
    getarray KEY 0 i
    if KEY == ""
        cleanexit
    endif
    encryption aes-256-cbc KEY "" 0 32
    log MEMORY_FILE 0 16
    get DUMMY byte MEMORY_FILE  # 0x89
    getdstring TEST 8 MEMORY_FILE
    if TEST & "LZMA"
        savepos OFFSET MEMORY_FILE
        log MEMORY_FILE 0 SIZE
        encryption "" ""
        comtype lzma_dynamic
        math SIZE - OFFSET
        get NAME basename
        clog NAME OFFSET SIZE SIZE MEMORY_FILE
        cleanexit
    endif
next i


Thanks, here's a link for all encrypted and the few decrypted to 7z game files as of v7.9.7, excluding unencrypted files on a better sharing service. I tried the same decryption method on saves as well and got different results, not LZMA'ed after but, still unreadable and incompressible, I fixed it by using a different key, no zip/compression after either... plain LUA. http://tiny.cc/AngryBirdsDecTo7zEncV797. LZMA packing is also used in (I think) all classic Angry Birds games...


PostPosted: Sat Oct 13, 2018 2:48 am 
Joined: Fri Apr 20, 2018 12:41 am
Posts: 69
I'm looking into this LZMA encryption encoding in the game executable via IDA and found a portion of mentions for it but I don't know what's useful for me in it to find, like the decryption key... also I'm not so great with using IDA.


Attachments:
File comment: Found these... what to do...
LZMAThingsIfound.zip [157.76 KiB]
Downloaded 14 times
PostPosted: Sun Oct 14, 2018 3:40 am 
Joined: Fri Apr 20, 2018 12:41 am
Posts: 69
Never mind about LZMA, it isn't encryption, you just have to remove the first 9 bytes after decryption to get a LZMA'ed 7z (without its proper header with a "]") with the real file...


PostPosted: Sun Oct 14, 2018 5:02 am 
Joined: Fri Apr 20, 2018 12:41 am
Posts: 69
I managed to get this file, how to decompile it? I tried various decompilers... http://www.filedropper.com/gamelogic


PostPosted: Sun Oct 14, 2018 8:02 am 
Site Admin
Joined: Wed Jul 30, 2014 9:32 pm
Posts: 9478
LolHacksRule wrote:
Never mind about LZMA, it isn't encryption, you just have to remove the first 9 bytes after decryption to get a LZMA'ed 7z (without its proper header with a "]") with the real file...

No, that's exactly what my script did (OFFSET was 9) and it didn't work.

*edit* it's a problem in the decryption, going to investigate.


PostPosted: Sun Oct 14, 2018 8:12 am 
Site Admin
Joined: Wed Jul 30, 2014 9:32 pm
Posts: 9478
Shame on me for having forgotten to reinitialize the encryption:
http://aluigi.org/bms/angry_birds_lua.bms
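
Added example, not part of the thread and not aluigi's script: the post-decryption step discussed above (a 9-byte prefix, then LZMA data starting with "]") in Python, with checks that reject output whose prefix is wrong. It assumes the payload is a classic .lzma ("alone") stream; the names `unwrap`, `make_sample` and `ContainerError` and the sample bytes are constructed for illustration.

```python
import lzma

PREFIX_LEN = 9      # 1 marker byte + 8-byte tag (the thread: "OFFSET was 9")
MARKER = 0x89       # value noted in the quoted script's comment
LZMA_PROPS = 0x5D   # "]": the usual lc=3/lp=0/pb=2 properties byte


class ContainerError(ValueError):
    """Decrypted data does not look like the layout the thread describes."""


def unwrap(decrypted: bytes) -> bytes:
    """Validate the 9-byte prefix, then decompress the LZMA stream after it."""
    if len(decrypted) <= PREFIX_LEN:
        raise ContainerError("too short to hold prefix and payload")
    if decrypted[0] != MARKER or b"LZMA" not in decrypted[1:PREFIX_LEN]:
        # A wrong key or stale cipher state shows up here as a garbage prefix.
        raise ContainerError("prefix mismatch, decryption probably failed")
    payload = decrypted[PREFIX_LEN:]
    if payload[0] != LZMA_PROPS:
        raise ContainerError("payload does not start with 0x5D (']')")
    try:
        # ASSUMPTION: the payload is an LZMA "alone" (.lzma) stream.
        return lzma.decompress(payload, format=lzma.FORMAT_ALONE)
    except lzma.LZMAError as exc:
        raise ContainerError(f"LZMA stream corrupt: {exc}") from exc


def make_sample(plain: bytes) -> bytes:
    """Build a CONSTRUCTED container for the demo (tag padding is made up)."""
    tag = b"LZMA".ljust(8, b"\x00")
    body = lzma.compress(plain, format=lzma.FORMAT_ALONE)
    return bytes([MARKER]) + tag + body


if __name__ == "__main__":
    sample = make_sample(b"print('constructed script')\n")
    print(unwrap(sample))
    try:
        # Constructed failure case: first 16-byte block garbled, which is what
        # a CBC context reused without a reset produces for the first block.
        unwrap(bytes(16) + sample[16:])
    except ContainerError as err:
        print("rejected:", err)
```
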


PostPosted: Sun Oct 14, 2018 2:50 pm 
Joined: Fri Apr 20, 2018 12:41 am
Posts: 69
Oh sorry about that, thanks then, you missed three bytes for the LZMA'ed file headers, the script has no effect on the ZIPs.


Attachments:
Missed a few bytes.PNG [35.87 KiB]
Downloaded 1 time
PostPosted: Sun Oct 14, 2018 3:40 pm 
Site Admin
Joined: Wed Jul 30, 2014 9:32 pm
Posts: 9478
That's the problem of last-minute modifications made before releasing something :(
Fixed


PostPosted: Sun Oct 14, 2018 3:58 pm 
Joined: Fri Apr 20, 2018 12:41 am
Posts: 69
Thanks for that. It doesn't make folders before extracting things in folders, like level and every LUA is there where the game has level/levelid.

