cocos2d setXXTEAKeyAndSign

chrrox
Posts: 388
Joined: Thu Aug 07, 2014 10:28 pm

Post by chrrox »

How would quickbms handle this?

Code:

void *__fastcall cocos2d::LuaStack::setXXTEAKeyAndSign(size_t size, const char *a2, int a3, const char *a4, int sizea)

size  = 0xAD7287D0
a2    = dfjj2eifn18936dt
a3    = 0x10
a4    = fjf2w8vn2291ddg
sizea = 0xF


Here is a sample file.
In the samples I saw only one key was used, but there are 2 here?
This was the sample I saw.

Code:

set KEY string "2dxLua"
encryption xxtea KEY "0x9e3779b9 0" 0 16    # cocos2d
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: cocos2d setXXTEAKeyAndSign

Post by aluigi »

Exactly, what is the second key?
chrrox
Posts: 388
Joined: Thu Aug 07, 2014 10:28 pm

Re: cocos2d setXXTEAKeyAndSign

Post by chrrox »

key1 - dfjj2eifn18936dt
key2 - fjf2w8vn2291ddg
?

This is what I see debugging the cocos2d function
https://github.com/williamwen1986/Luaki ... decryption
Android decryption
Refer to jni demo code , add below code at the entrance of your jni code

setXXTEAKeyAndSign("2dxLua", strlen("2dxLua"), "XXTEA", strlen("XXTEA"));

so the first string is dfjj2eifn18936dt and 2nd string is fjf2w8vn2291ddg

How do I do this in quickbms?
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: cocos2d setXXTEAKeyAndSign

Post by aluigi »

The file you uploaded is for sure not encrypted, maybe obfuscated?
The first 3 bytes at offset 0x14 are normal, there are long sequences of same bytes and it may sound more like a compression (but I don't see the 2 sizes).
chrrox
Posts: 388
Joined: Thu Aug 07, 2014 10:28 pm

Re: cocos2d setXXTEAKeyAndSign

Post by chrrox »

Maybe the encrypted data starts at 0x18?
Here are a bunch of lua files.
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: cocos2d setXXTEAKeyAndSign

Post by aluigi »

Don't know but that's not xxtea for sure.
chrrox
Posts: 388
Joined: Thu Aug 07, 2014 10:28 pm

Re: cocos2d setXXTEAKeyAndSign

Post by chrrox »

Ok so the data starts at 0x14
then you xor the first 4 bytes with
00 00 00 40
then you xor the rest of the file with
FF FF FF 3F
but you need to subtract 1 from this number every time
so
FF FF FF 3F
FE FF FF 3F
FD FF FF 3F
FC FF FF 3F
FB FF FF 3F
FA FF FF 3F
F9 FF FF 3F
F8 FF FF 3F

What is the best way to handle that in quickbms?
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: cocos2d setXXTEAKeyAndSign

Post by aluigi »

Code:

encryption "incremental xor" 0x40000000 -1
math OFFSET = 0x14
get SIZE asize
math SIZE - OFFSET
get NAME filename
log NAME OFFSET SIZE


Please note that in this case it's 32bit because the key is bigger than 0xff, otherwise it is 8bit.
I guess there is also an option for forcing the 32bit mode with smaller keys.
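
Added example, not part of the original thread and not QuickBMS code: a Python sketch of the 32-bit incremental XOR described above (data at 0x14, little-endian key 0x40000000, minus 1 after every 4-byte word). The sample input is constructed, and truncating the keystream for a tail shorter than 4 bytes is an assumption the thread does not cover.

```python
import struct

HEADER_SIZE = 0x14       # "the data starts at 0x14"
START_KEY = 0x40000000   # stored little-endian this is 00 00 00 40
STEP = -1                # "subtract 1 from this number every time"


def keystream(length, key=START_KEY, step=STEP):
    """Return `length` bytes of the 32-bit incremental-XOR keystream."""
    out = bytearray()
    while len(out) < length:
        # Each 32-bit key is laid out little-endian, so 0x3FFFFFFF
        # appears in the file as FF FF FF 3F, then FE FF FF 3F, ...
        out += struct.pack("<I", key & 0xFFFFFFFF)
        key = (key + step) & 0xFFFFFFFF
    # Assumption: a tail shorter than 4 bytes uses the low bytes of the key.
    return bytes(out[:length])


def xor_payload(blob, offset=HEADER_SIZE):
    """XOR everything after `offset` with the keystream.

    XOR is its own inverse, so the same call obfuscates and deobfuscates.
    The header bytes before `offset` are dropped from the result.
    """
    if len(blob) < offset:
        raise ValueError("input is shorter than the 0x14-byte header")
    body = blob[offset:]
    return bytes(b ^ k for b, k in zip(body, keystream(len(body))))


if __name__ == "__main__":
    # Constructed sample: 0x14 placeholder header bytes plus a short payload.
    plain = b'print("hello")\n'
    header = bytes(HEADER_SIZE)
    sample = header + xor_payload(header + plain)

    print(keystream(12).hex(" "))   # first three keys as they sit in the file
    print(xor_payload(sample))      # recovered payload
```

Because only the low byte of the key changes for the first 256 words, runs of identical plaintext bytes stay visible as near-repeating patterns in the obfuscated file.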