Angry Birds Classic Series: Game Assets (*.LUA, *.JSON, *.ZIP)

[LolHacksRule]

I want to view Angry Birds LUAs but the headers of every one in APK/assets/data have weird headers. I heard they are encrypted/obfuscated/compiled in some way but how to decrypt/deobfuscate/decompile them? Here's a sample: http://www.filedropper.com/gamelogic. It would help me a lot.

[atom0s]

Looks encrypted. You'd have to look in the Java code or their Lua lib/dll/so file to find how they are loading the files.

[LolHacksRule]

Should I open the .SO with IDA, look it up in .SO via hex viewing or both? I found LUANAME and some large number of different digits for each, like this: "data/scripts/gamelogic.lua F5F3C41A2CABF2362C0039687DCB5F63B8AC68C8" in SO hex, I assume its a decryption key for the file but how to use it? Also, there isn't ANY DLLs in the game... Mostly encrypted LUA files, portions of DATs and encrypted JSONs as well as plain OGGs for audio. Fileswapping the LUAs doesn't work either, maybe this SHA1 checksum thing is the problem...

[aluigi]

No, that's the sha1 hash of the file.

[LolHacksRule]

Oh sorry, I thought it is was a decryption key... IDA it is...

[LolHacksRule]

Never mind finding the decryption key, the old one is still used even though I thought Rovio would change it... I decrypted the ZIPs (and got 7z+File) file after that but for LUAs, it gives me LZMA files... How to decompress? My extraction tools always fail to extract them... Also this affects all text files in APK/assets/data asides from DATs, like JSONs, giving 7Z's after. (But I think 7.9.7 changed to LZMA)...

[aluigi]

What's the old encryption you mention?

[LolHacksRule]

What's the old encryption you mention?

http://forum.xentax.com/viewtopic.php?f=21&t=9840 this one. Also read the Rio LUA decrypting method.

[aluigi]

ok but the sample lua file is no longer available.

[aluigi]

I have found the files. Wait for the script.

[aluigi]

Unfortunately you were right since the lzma data can't be decompressed.
I leave the work-in-progress script here that demonstrates how the lzma decompression fails:

*edit* a working script has been released

[LolHacksRule]

Unfortunately you were right since the lzma data can't be decompressed.
I leave the work-in-progress script here that demonstrates how the lzma decompression fails:

Code: Select all

putarray 0 -1 "USCaPQpA4TSNVxMI1v9SK9UC0yZuAnb2"
putarray 0 -1 "zePhest5faQuX2S2Apre@4reChAtEvUt"
putarray 0 -1 "RmgdZ0JenLFgWwkYvCL2lSahFbEhFec4"
putarray 0 -1 "An8t3mn8U6spiQ0zHHr3a1loDrRa3mtE"
putarray 0 -1 ""

get SIZE asize
for i = 0
    getarray KEY 0 i
    if KEY == ""
        cleanexit
    endif
    encryption aes-256-cbc KEY "" 0 32
    log MEMORY_FILE 0 16
    get DUMMY byte MEMORY_FILE  # 0x89
    getdstring TEST 8 MEMORY_FILE
    if TEST & "LZMA"
        savepos OFFSET MEMORY_FILE
        log MEMORY_FILE 0 SIZE
        encryption "" ""
        comtype lzma_dynamic
        math SIZE - OFFSET
        get NAME basename
        clog NAME OFFSET SIZE SIZE MEMORY_FILE
        cleanexit
    endif
next i

Thanks, here's a link for all encrypted and the few decrypted to 7z game files as of v7.9.7, excluding unencrypted files on a better sharing service. I tried the same decryption method on saves as well and got different results, not LZMA'ed after but, still unreadable and incompressible, I fixed it by using a different key, no zip/compression after either... plain LUA. http://tiny.cc/AngryBirdsDecTo7zEncV797. LZMA packing is also used in (I think) all classic Angry Birds games...

[LolHacksRule]

I'm looking into this LZMA encryption encoding in the game executable via IDA and found a portion of mentions for it but I don't know what's useful for me in it to find, like the decryption key... also I'm not so great with using IDA.

[LolHacksRule]

Never mind about LZMA, it isn't encryption, you just have to remove the first 9 bytes after decryption to get a LZMA'ed 7z (without its proper header with a "]") with the real file...

[LolHacksRule]

I managed to get this file, how to decompile it? I tried various decompilers... http://www.filedropper.com/gamelogic

[aluigi]

Never mind about LZMA, it isn't encryption, you just have to remove the first 9 bytes after decryption to get a LZMA'ed 7z (without its proper header with a "]") with the real file...

No, that's exactly what my script did (OFFSET was 9) and it didn't work.

*edit* it's a problem in the decryption, going to investigate.

[aluigi]

Shame on me for having forgotten to reinizialize the encryption:
http://aluigi.org/bms/angry_birds_lua.bms

[LolHacksRule]

Oh sorry about that, thanks then, you missed three bytes for the LZMA'ed file headers, the script has no effect on the ZIPs.

[aluigi]

That's the problem of last-minute modifications made before releasing something
Fixed

[LolHacksRule]

Thanks for that. It doesn't make folders before extracting things in folders, like level and every LUA is there where the game has level/levelid.