ZenHAX

Free Game Research Forum | Official QuickBMS support | twitter @zenhax | SSL HTTPS://zenhax.com
All times are UTC




PostPosted: Sat Jun 01, 2019 12:12 pm 

Joined: Thu Aug 07, 2014 10:28 pm
Posts: 242
How would quickbms handle this?

Code:
void *__fastcall cocos2d::LuaStack::setXXTEAKeyAndSign(size_t size, const char *a2, int a3, const char *a4, int sizea)

size  = 0xAD7287D0
a2    = dfjj2eifn18936dt
a3    = 0x10
a4    = fjf2w8vn2291ddg
sizea = 0xF


Here is a sample file.
In the samples I saw only one key was used but there are 2 here?
This was the sample I saw.
Code:
set KEY string "2dxLua"
encryption xxtea KEY "0x9e3779b9 0" 0 16    # cocos2d


Attachments:
texture_00.zip [805.67 KiB]
PostPosted: Sat Jun 01, 2019 12:29 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 10569
Exactly, what is the second key?


PostPosted: Sat Jun 01, 2019 12:47 pm 

Joined: Thu Aug 07, 2014 10:28 pm
Posts: 242
key1 - dfjj2eifn18936dt
key2 - fjf2w8vn2291ddg
?

This is what I see debugging the cocos2d function
https://github.com/williamwen1986/Luaki ... decryption
Android decryption
Refer to jni demo code, add below code at the entrance of your jni code

setXXTEAKeyAndSign("2dxLua", strlen("2dxLua"), "XXTEA", strlen("XXTEA"));

so the first string is dfjj2eifn18936dt and 2nd string is fjf2w8vn2291ddg

How do I do this in quickbms?


PostPosted: Sat Jun 01, 2019 1:26 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 10569
The file you uploaded is for sure not encrypted, maybe obfuscated?
The first 3 bytes at offset 0x14 are normal, there are long sequences of same bytes and it may sound more like a compression (but I don't see the 2 sizes).


PostPosted: Sat Jun 01, 2019 1:41 pm 

Joined: Thu Aug 07, 2014 10:28 pm
Posts: 242
Maybe the encrypted data starts at 0x18?
Here are a bunch of lua files.


Attachments:
cocos.7z [214.82 KiB]
PostPosted: Sat Jun 01, 2019 2:44 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 10569
Don't know but that's not xxtea for sure.


PostPosted: Sat Jun 01, 2019 11:05 pm 

Joined: Thu Aug 07, 2014 10:28 pm
Posts: 242
Ok so the data starts at 0x14
then you xor the first 4 bytes with
00 00 00 40
then you xor the rest of the file with
FF FF FF 3F
but you need to subtract 1 from this number every time
so
FF FF FF 3F
FE FF FF 3F
FD FF FF 3F
FC FF FF 3F
FB FF FF 3F
FA FF FF 3F
F9 FF FF 3F
F8 FF FF 3F

What is the best way to handle that in quickbms?


PostPosted: Sat Jun 01, 2019 11:31 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 10569
Code:
encryption "incremental xor" 0x40000000 -1
math OFFSET = 0x14
get SIZE asize
math SIZE - OFFSET
get NAME filename
log NAME OFFSET SIZE


Please note that in this case it's 32bit because the key is bigger than 0xff, otherwise it is 8bit.
I guess there is also an option for forcing the 32bit mode with smaller keys.
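
The decoding worked out in the last two posts (payload at 0x14, 32-bit XOR key starting at 0x40000000 and dropping by one per dword), written out in Python as an added example that is not part of the thread or of QuickBMS. The function names, the constructed sample, and the handling of a trailing partial dword are assumptions.

```python
import struct

HEADER_SIZE = 0x14        # payload offset reported in the thread
START_KEY = 0x40000000    # bytes 00 00 00 40 read as a little-endian dword
STEP = -1                 # the key drops by one for every dword


def keystream(length, start=START_KEY, step=STEP):
    """Return `length` key bytes: one little-endian dword per 4 payload bytes."""
    out = bytearray()
    key = start
    while len(out) < length:
        out += struct.pack("<I", key & 0xFFFFFFFF)
        key += step
    return bytes(out[:length])


def xor_payload(data, start=START_KEY, step=STEP):
    """XOR is its own inverse, so this both decodes and re-encodes a payload.

    Assumption: a trailing partial dword uses the low-order bytes of the next key.
    """
    ks = keystream(len(data), start, step)
    return bytes(b ^ k for b, k in zip(data, ks))


def decode_file(blob):
    """Split a whole file into (untouched header, decoded payload)."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("file is shorter than the 0x14-byte header")
    return blob[:HEADER_SIZE], xor_payload(blob[HEADER_SIZE:])


def build_sample():
    """Constructed sample: dummy 0x14-byte header plus an obfuscated text line."""
    plain = b'print("hello from lua")\n'
    return bytes(HEADER_SIZE) + xor_payload(plain), plain


if __name__ == "__main__":
    blob, plain = build_sample()
    header, decoded = decode_file(blob)
    print(keystream(12).hex(" "))   # first three dword keys as raw bytes
    print(decoded)
```
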

