A tool built on python & frida to automatically decrypt the .luac files of COCOS2dx games. Please remember that this has only been tested on Mobile games.
python -m pip install -r requirements.txt
Before you start using this tool you will need gather the following 3 information manually.
- Library Name that contains the decryptor (Default:
libqpry_lua.so). You can find this library in thelibs/{ARCH}/folder of the extracted application. - Next you will have to decompile this native library in
GhidraorIDA-PROto find the offset of thexxtea_decryptfunction. In Ghidra, the offset will beADDRESS-10000. Refer to screenshots for reference.
- Finally, we will be fetching the header from the
.luacfile.
Finally we will use this information to decrypt all the files.
This will allow you to spawn the application on the mobile device and hook frida to it automatically. Frida server will be required
python main.py -f PACKAGE_NAME
If you are using frida gadget with an application and you want to the decryptor to hook to the pid, then you can use this flag.
python main.py -p GADGET_PID
Similar to -p|--pid, except that the tool automatically spawn and hooks to the application, eliminating the need to manually fetch the gadget PID. This method only works for android devices.
python main.py -g PACKAGE_NAME/MAIN_LAUNCHER_ACTIVITY
Following are some of the examples on how you can use the tool.
python main.py -f com.example.cocos2dx -l libtest.so -o 0x002Da542 --lua-header "TEST_LUA_HDR" --folder ./apktool_out/assets/base/
python main.py -p 5341 -l libtest.so -o 0x002Da542 --lua-header "TEST_LUA_HDR" --folder ./apktool_out/assets/base/
python main.py -g com.example.cocos2dx/com.example.cocos2dx.Appactivity -l libtest.so -o 0x002Da542 --lua-header "TEST_LUA_HDR" --folder ./apktool_out/assets/base/