Skip to content

zboralski/reverse

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
cmd/reverse
cmd/reverse
 
 
ida
ida
 
 
internal
internal
 
 
samples
samples
 
 
vhs
vhs
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 

Repository files navigation

reverse

reverse finds XXTEA encryption keys in ARM64 Android/iOS Cocos apps.

How it works:

  • Disassembles ARM64 functions
  • Tracks register values and stack objects
  • Recognizes std::string patterns (inline and heap)
  • Finds calls to XXTEA functions
  • Extracts encryption keys and signatures
  • Shows annotated assembly code

Special thanks to Taha Draidia for the guidance and feedback that made this proof-of-concept possible.

Demo

Demo

Usage

TUI:

make
./reverse libcocos2djs.so

No TUI:

./reverse libcocos2djs.so --no-tui

Entry points assembly with annotations

./reverse libcocos2djs.so --no-tui --full

JSON output for scripting

./reverse libcocos2djs.so --json

Encryption and Decryption

Encrypt files

Encrypt a file with XXTEA:

./reverse --encrypt --key "mykey" file.lua

Encrypt with a signature (prepended to encrypted data):

./reverse --encrypt --key "mykey" --signature "SIG" file.lua

Write encrypted output to file:

./reverse --encrypt --key "mykey" --signature "SIG" -w file.lua
# Creates file.luac (for .lua files)
# Creates file.jsc (for .js files)
# Creates file.encrypted (for other files)

Batch encrypt all .lua files:

find src -name "*.lua" -exec ./reverse --encrypt --key "mykey" --signature "SIG" -w {} \;

Decrypt files

Decrypt a file with a known key:

./reverse --decrypt --key "key" encrypted.luac

Decrypt all jsc files in a directory:

find assets -name "*.jsc" -exec ./reverse --decrypt --key "key" -w {} \;
find assets -name "*.js" -exec prettier -w {} \;

Some Cocos2d-x games add a signature to encrypted files :

  • The signature appears at the start of the file
  • The encrypted data follows the signature
  • The tool strips the signature before decrypting

Ref: ResourcesDecode.cpp

Decrypt with signature:

./reverse --decrypt --key "key" --signature "sig" encrypted.luac

Decrypt all files with a specific signature:

./reverse --find-signature "sig" assets/ | \
  while read f; do
    ./reverse --decrypt --key "key" --signature "sig" -w "$f"
  done

Bruteforce key from .rodata section*

Use this when static analysis fails:

./reverse --decrypt -w --bruteforce libcocos2dlua.so encrypted.luac

with signature:

./reverse --decrypt  -w --bruteforce --signature "sig" libcocos2dlua.so encrypted.luac

How --bruteforce works:

  • Extracts all strings from the .rodata section
  • Searches near the signature first (if provided) - much faster
  • Tests each string as a key
  • Tests shifted versions too (handles offset pointers)
  • Detects gzip/zip compression
  • Validates results by checking file headers

Limitations

ARM64 only (no x86 or ARMv7)

Author

Anthony Zboralski @zboralski github.com/zboralski

License

MIT License - see LICENSE file for details.

About

reverse is a static analysis and key extraction tool for Cocos apps.

Topics

go golang reverse-engineering cocos2d-x arm64 cocos2d-js xxtea cocos dissassembler cocos2d-lua arm64v8

Resources

Readme

License

MIT license
Activity

Stars

2 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages