Skip to content
View in the app

A better way to browse. Learn more.
ResHax

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.
Help us keep the site running.

cocos2d setXXTEAKeyAndSign

ZenHAX
in Zenhax

Featured Replies

  • Author
  • Localization

chrrox, posted Sat Jun 01, 2019 12:12 pm (48161)

How would quickbms handle this.

Code:
void *__fastcall cocos2d::LuaStack::setXXTEAKeyAndSign(size_t size, const char *a2, int a3, const char *a4, int sizea)

size  = 0xAD7287D0
a2    = dfjj2eifn18936dt
a3    = 0x10
a4    = fjf2w8vn2291ddg
sizea = 0xF


Here is a sample file.
In the samples I saw only one key was used but there are 2 here?
this was the sample I saw.
Code:
set KEY string "2dxLua"
encryption xxtea KEY "0x9e3779b9 0" 0 16    # cocos2d
  • Author
  • Localization

aluigi, posted Sat Jun 01, 2019 12:29 pm (48163)

Exactly, what is the second key?
  • Author
  • Localization

chrrox, posted Sat Jun 01, 2019 12:47 pm (48165)

key1 - dfjj2eifn18936dt
key2 - fjf2w8vn2291ddg
?

This is what i see debugging the cocos2d function
https://github.com/williamwen1986/Luaki ... decryption
Android decryption
Refer to jni demo code , add below code at the entrance of your jni code

setXXTEAKeyAndSign("2dxLua", strlen("2dxLua"), "XXTEA", strlen("XXTEA"));

so the first string is dfjj2eifn18936dt and 2nd string is fjf2w8vn2291ddg

How do I do this in quickbms?
  • Author
  • Localization

aluigi, posted Sat Jun 01, 2019 1:26 pm (48174)

The file you upload is for sure not encrypted, maybe obfuscated?
The first 3 bytes at offset 0x14 are normal, there are long sequences of same bytes and it may sound more like a compression (but I don't see the 2 sizes).
  • Author
  • Localization

chrrox, posted Sat Jun 01, 2019 1:41 pm (48179)

mabee the encrypted data starts at 0x18?
here are a bunch of lua files.
  • Author
  • Localization

aluigi, posted Sat Jun 01, 2019 2:44 pm (48184)

Don't know but that's not xxtea for sure.
  • Author
  • Localization

chrrox, posted Sat Jun 01, 2019 11:05 pm (48279)

Ok so the data starts at 0x14
then you xor the first 4 bytes with
00 00 00 40
then you xor the rest of the file with
FF FF FF 3F
but you need to subtract 1 from this number every time
so
FF FF FF 3F
FE FF FF 3F
FD FF FF 3F
FC FF FF 3F
FB FF FF 3F
FA FF FF 3F
F9 FF FF 3F
F8 FF FF 3F

What is the best way to handle that in quickbms?
  • Author
  • Localization

aluigi, posted Sat Jun 01, 2019 11:31 pm (48288)

Code:
encryption "incremental xor" 0x40000000 -1
math OFFSET = 0x14
get SIZE asize
math SIZE - OFFSET
get NAME filename
log NAME OFFSET SIZE


Please note that in this case it's 32bit because the key is bigger than 0xff, otherwise is 8bit.
I guess there is also an option for forcing the 32bit mode with smaller keys.
Guest
This topic is now closed to further replies.
Go to topic listing

Account

Navigation

Search

Search

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.