H365极乐斗罗解包求助

定位到cocos2d::CZHelperFunc::getFileData(char const*,char const*,ulong *),里面有个xxtea函数;


看了下传参,a2是gQAeF1ORngIMTlO6ssuXnsCVcno=或=QIDEA-HEART-WOW=,然后就不理解怎么处理了。

但是,hook发现加密的png 确实是在getFileData加载的。

传加密文件

assets.zip (561.5 KB)

下载不了,不支持地区就离谱

好像ban了一些地区的ip

抓j_xxtea_decrypt这个函数的第三个参数

总结

[j_xxtea_decrypt] 函数调用开始
[参数0] 类型: 指针, 值: 0xa2c53928
[参数0] 内存分析:
读取256字节内存内容:
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 8f d6 97 1c 8f 50 33 ca 25 aa 52 6a 78 56 49 37 …P3.%.RjxVI7
00000010 c5 26 1e 9c bd 9a 8b 69 df 11 71 f1 f5 c0 d4 60 .&…i…q…`
00000020 66 37 49 d4 8b ed 11 bd 47 29 6c 16 ac 48 4b 03 f7I…G)l…HK.
00000030 77 38 8d 94 a7 dc b7 13 1c 2b 39 67 00 00 00 00 w8…+9g…
00000040 7c 2e 00 00 19 00 00 00 38 22 04 b6 fb ff ff ff |…8"…
00000050 00 00 00 00 00 00 00 00 18 00 00 00 2a 00 00 00 …*…
00000060 98 38 c5 a2 01 0b 00 00 00 00 00 00 00 00 00 00 .8…
00000070 00 00 00 00 e0 01 87 a1 00 00 00 00 0f 00 00 00 …
00000080 00 00 00 00 2b 00 00 00 58 3b c5 a2 01 0b 00 00 …+…X;…
00000090 d8 3b c5 a2 fb ff ff ff 00 00 00 00 d8 39 c5 a2 .;…9…
000000a0 03 00 00 00 01 00 00 00 10 28 50 b6 3b 00 00 00 …(P.;…
000000b0 00 00 00 00 ff ff ff ff 70 ac 27 b6 ff ff ff ff …p.'…
000000c0 00 00 00 00 08 3a c5 a2 00 00 00 00 00 00 f0 3f …:…?
000000d0 08 70 ae ad f3 ff ff ff 00 00 00 00 fb ff ff ff .p…
000000e0 00 00 00 00 2b 00 00 00 b0 39 c5 a2 01 0b ff 00 …+…9…
000000f0 00 00 00 00 fb ff ff ff 00 00 00 00 80 32 6f b6 …2o.
可能的字符串内容: [object ArrayBuffer]
[参数1] 类型: 指针, 值: 0x3c
[参数1] 内存分析:
[参数2] 类型: 指针, 值: 0xb2813ee8
[参数2] 内存分析:
读取256字节内存内容:
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 67 51 41 65 46 31 4f 52 6e 67 49 4d 54 6c 4f 36 gQAeF1ORngIMTlO6
00000010 73 73 75 58 6e 73 43 56 63 6e 6f 3d 00 00 00 00 ssuXnsCVcno=…
00000020 00 00 00 00 23 00 00 00 10 d8 f4 ad ff ff ff ff …#…
00000030 d8 92 cc aa f4 ff ff ff 0e 00 00 00 ff ff ff ff …
00000040 20 00 00 00 5b 00 00 00 c0 c7 7f b2 01 0b 00 05 …[…
00000050 50 3f 81 b2 40 3b bb b5 30 36 d2 b4 80 32 6f b6 P?..@;…06…2o.
00000060 05 00 00 00 00 00 00 00 74 77 6f 72 ff ff ff ff …twor…
00000070 b0 70 06 b5 fb ff ff ff 9a 99 99 99 99 99 f9 3f .p…?
00000080 c8 56 7b b2 fb ff ff ff 00 00 00 00 ff ff ff ff .V{…
00000090 20 35 37 39 39 20 31 33 58 00 00 00 3b 00 00 00 5799 13X…;…
000000a0 58 92 24 b5 01 0b 00 82 f8 df ad ac fb ff ff ff X.$…
000000b0 00 00 00 00 80 32 6f b6 05 00 00 00 00 00 00 00 …2o…
000000c0 30 25 50 b6 ff ff ff ff 30 bf 32 b6 fb ff ff ff 0%P…0.2…
000000d0 38 00 00 00 53 00 00 00 00 00 00 00 01 04 00 b6 8…S…
000000e0 be 7c 98 43 35 00 00 00 39 34 35 37 33 33 35 30 .|.C5…94573350
000000f0 3b 38 35 31 31 36 30 32 30 3b 37 35 36 35 38 36 ;85116020;756586
可能的字符串内容: [object ArrayBuffer]
[参数3] 类型: 指针, 值: 0x1c

参数3,前面是0x11(17),后面是0x1c(28),正好等于上面看到的两把 key 的长度(`=QIDEA-HEART-WOW=` 是 17 字节,`gQAeF1ORngIMTlO6ssuXnsCVcno=` 是 28 字节),所以参数3应该是 key 的长度,而不是数据长度;数据长度是参数1(0x3c = 60)。

这么看来第三个参数(参数2)就是 key。至于是不是二次加密还不能确定:下面反编译出的 decryptFromBuffer 是按文件开头 14 字节的 magic(QIDEAENCRYPTED / QIDEBENCRYPTED)来选用 xxtea_key 还是 other_xxtea_key,所以看到两把 key 也可能只是对应两种文件头,而不是两层加密,需要再确认。

// IDA pseudo-code (ARM, __fastcall) of the routine that strips the 14-byte
// magic header and XXTEA-decrypts the rest of a loaded asset.
//
// Despite the decompiler's `this` label, the first argument is used purely as
// a raw byte buffer: it is copied from, delete[]'d, replaced with a new
// allocation and returned — so this is most likely a static helper and `this`
// is the file contents. `a2` is typed as a byte pointer but is read as a 32-bit
// length (`*(_DWORD *)a2`) and, on success, overwritten with the plaintext
// length: an in/out size. `a3` is never referenced in this listing.
//
// Returns the buffer (the original one if the header matched neither magic,
// otherwise a fresh operator new[] allocation holding the plaintext).
// Both keys are read from global objects (QUtility::xxtea_key and
// QUtility::other_xxtea_key), so they should be recoverable statically from
// the binary as well as by hooking the decrypt call.
QUtility *__fastcall QUtility::decryptFromBuffer(QUtility *this, unsigned __int8 *a2, unsigned int *a3)
{
  _BYTE *v5; // r10
  const char *v6; // r1
  const char *v7; // r1
  unsigned int v8; // r9
  char *v9; // r8
  unsigned __int8 *v10; // r5
  char *v11; // r0
  char *v12; // r9
  unsigned int v13; // r8
  unsigned __int8 *v14; // r9
  int v15; // r5
  unsigned __int8 *v16; // r0
  unsigned __int8 *v17; // r8
  void *v18; // r6
  size_t v19; // r5
  size_t v20; // r8
  void *v21; // r8
  size_t v22; // r5
  int *v24; // [sp+4h] [bp-2Ch]
  int v25; // [sp+8h] [bp-28h] BYREF
  int v26; // [sp+Ch] [bp-24h] BYREF

  // Only buffers of at least 14 bytes are inspected; shorter input cannot
  // carry a magic header and is returned untouched.
  if ( *(_DWORD *)a2 >= 0xEu )
  {
    // Copy the 14-byte header into a NUL-terminated scratch string so it can
    // be compared with strcmp.
    v5 = malloc(0xFu);
    qmemcpy(v5, this, 0xEu);
    v5[14] = 0;
    if ( !strcmp(v5, "QIDEAENCRYPTED") )
    {
      // v6 is an uninitialised r1 here — presumably a decompiler artefact of
      // the log call's extra argument, not a real value.
      cocos2d::CCLog((cocos2d *)"use xxtea_key --------------", v6);
      v26 = 0;
      // Materialise QUtility::xxtea_key as a NUL-terminated C string.
      // Branching on the low bit of the first byte, with length = byte >> 1 and
      // bytes at offset 1 in one arm and a (size, data pointer) pair in two
      // adjacent globals in the other, looks like an inlined libc++
      // std::string short/long-mode read — TODO confirm against the layout of
      // the key global in the binary.
      v13 = (unsigned __int8)QUtility::xxtea_key;
      if ( (unsigned __int8)QUtility::xxtea_key << 31 )
      {
        // "long" form: dword_870E78 = key length, dword_870E7C = heap data.
        v14 = (unsigned __int8 *)dword_870E78;
        v15 = (int)malloc(dword_870E78 + 1);
        qmemcpy((void *)v15, (const void *)dword_870E7C, (size_t)v14);
        v16 = &v14[v15];
      }
      else
      {
        // "short" form: key length = first byte >> 1, bytes start at offset 1.
        v14 = (unsigned __int8 *)((unsigned __int8)QUtility::xxtea_key >> 1);
        v15 = (int)malloc((size_t)(v14 + 1));
        qmemcpy((void *)v15, (char *)&QUtility::xxtea_key + 1, v13 >> 1);
        v16 = (unsigned __int8 *)(v15 + (v13 >> 1));
      }
      v17 = a2;
      *v16 = 0;
      // Decrypt everything after the 14-byte header: (data, data_len, key,
      // key_len, &out_len, ...). v26 receives the plaintext length. The same
      // (data, len, key, key_len) ordering is what the hooked j_xxtea_decrypt
      // call earlier in the thread shows.
      v18 = (void *)cocos2d::extra::CCCrypto::decryptXXTEA(
                      (QUtility *)((char *)this + 14),
                      (unsigned __int8 *)(*(_DWORD *)a2 - 14),
                      v15,
                      v14,
                      &v26,
                      (int *)a2);
      free((void *)v15);
      // Swap the input buffer for a fresh copy of the plaintext.
      operator delete[](this);
      v19 = v26;
      // `v26 | (v26 >> 31)` is presumably the compiler's rendering of new[]
      // with a signed size: a negative length becomes all-ones so the
      // allocation fails instead of under-allocating — verify in disassembly.
      this = (QUtility *)operator new[](v26 | (v26 >> 31));
      qmemcpy(this, v18, v19);
      free(v18);
      // Report the plaintext length back through the in/out size parameter.
      *(_DWORD *)v17 = v26;
    }
    else if ( !strcmp(v5, "QIDEBENCRYPTED") )
    {
      // Same flow as above with the second key (QUtility::other_xxtea_key;
      // dword_870E84 / dword_870E88 play the role of length / data pointer).
      cocos2d::CCLog((cocos2d *)"use otherkey --------------", v7);
      v25 = 0;
      v8 = (unsigned __int8)QUtility::other_xxtea_key;
      if ( (unsigned __int8)QUtility::other_xxtea_key << 31 )
      {
        v20 = dword_870E84;
        v12 = (char *)malloc(dword_870E84 + 1);
        v10 = (unsigned __int8 *)v20;
        qmemcpy(v12, (const void *)dword_870E88, v20);
        v11 = &v12[v20];
      }
      else
      {
        v9 = (char *)malloc(((unsigned __int8)QUtility::other_xxtea_key >> 1) + 1);
        v10 = (unsigned __int8 *)(v8 >> 1);
        qmemcpy(v9, (char *)&QUtility::other_xxtea_key + 1, v8 >> 1);
        v11 = &v9[v8 >> 1];
        v12 = v9;
      }
      *v11 = 0;
      // NOTE(review): v24 is passed as the last argument but is never assigned
      // anywhere in this listing (the QIDEA branch passes a2 in that slot) —
      // probably a decompiler artefact; check the disassembly before relying
      // on it.
      v21 = (void *)cocos2d::extra::CCCrypto::decryptXXTEA(
                      (QUtility *)((char *)this + 14),
                      (unsigned __int8 *)(*(_DWORD *)a2 - 14),
                      (int)v12,
                      v10,
                      &v25,
                      v24);
      free(v12);
      operator delete[](this);
      v22 = v25;
      this = (QUtility *)operator new[](v25 | (v25 >> 31));
      qmemcpy(this, v21, v22);
      free(v21);
      *(_DWORD *)a2 = v25;
    }
    // Release the header scratch copy; buffers with an unknown header fall
    // through here untouched.
    free(v5);
  }
  return this;
}

瞄了眼字符串注意到了这个函数;对 j_xxtea_decrypt 做交叉引用,确实可以一路追溯到 decryptFromBuffer。

主要是传参很奇怪。