Help/Support LF a confident guy with some revesrse knowledge for some help.

n1ce0n3 · June 3, 2023

Hi there, I'm currently trying to hack a pretty popular game (not going to tell the name of the game, though, it's pretty new and it has around a milion downloads on the play store )

1. The game uses LUA, which is packed with some kind of a packer that renamed all the source files into its' hashed names. There's a ton of files like that.

(pic1, pic2)

The progress I have so far. The game uses LuaJIT-2.1.0-beta3 on top of lua5.1. If I got it right the game uses a 64-bit compiler, since LUA's header is 1B 4C 4A 02 0A, when I compile lua script with a 32bit version of luajit - the header is 1B 4C 4A 02 02, the 64 bit version gives me 1B 4C 4A 02 0A.

Okay, so.

Each of these files you can see in a screenshot is not just a LUA script.

It is a lua script, which is compiled into LuaJIT with it's own name, after that that script gets zipped into a hashed name, but it keeps the lua extension. (e.g. config/Team.lua, becomes a ZIPPed archive "aa/aa70e1b8e38c140d2242f45bb58e2edf.lua".

On top of that the zip archive gets XXTEA encrypted.

Oh, forgot to mention that the game is built on cocos2d engine.

I've managed to recover all the source files (using luajit decompiler doesn't give you the exact sources, but at least it gives you a readable file, which you can look through and actually figure what's going on there.)

The problem is that if I modify a decompiled script - pack it the way it was originally packed, most of the times - it fails to work (I think it's because the decompiler doesn't give you the exact source code as it is originally written, since I've tried compilig for all of the architectures available, and most of the time - the game eitehr hangs when it gets to read that file - or doesn't load the section that I've modified like the file is corrupt or something)

The game loads cocos2dlua.so library during the startup - and then it unloads the library, so that it doesn't remain in the proccesses' memory.

As much as I've tried - I couldn't figure the addresses of the functions I wan.

Also, the library has no exports, exports tab in IDA have a single entry, which is ".init_proc".

I've located the LUA functions' names in IDA, but since I'm not super confident with IDA, I cannot figure how do I either hook any of these, or how to get their address.

They are in the symbols table, but yet again, I have no idea how I can reach them. (pic)

I've hooked fopen, fred, fwrite, fgets, fread and most of the other relevant native functions, but the most I could've gotten was the file name that gets loaded.

TL:DR

I've decompiled all of the games' sources (over 10k LUA files), and the only thing that is left to do is to somehow execute luaL_loadstring or luaL_loadfile on my own.

I've spent quite some time on that and honestly I am out of ideas can I get what I'm trying to.

I even tried pattern scanning the binary and all its' libraries to get either of the functions, basically, any lua function - had no success so far.

I'll really appreciate any help I can get at this point.

Feel free to reach me out messages so then we can get in touch via discord or any way you'll prefer. Thanks in advance.

The game's binary is actually a "split installer" as they call it, it has both ARM and x86 libraries within it's content (even every lua script has another version of itself for another architecture). That prevents me from loading the binary manually into the process , since it gives me an error:

Error: dlopen failed: "/data/local/tmp/libcocos2dlua.so" has unexpected e_machine: 183 (EM_AARCH64)

Updated June 3, 2023 by n1ce0n3