Hey everyone,
i used to edit/backup my angry birds files. It worked fine with angry birds and angry birds seasons. But now with angry birds rio rovio encrypts the files with AES.
what i know so far from IDA pro:
for example GameLua::loadLuaFileToObject does
=> io::FileInputStream::read
=> lang::AESUtil::AESUtil(...)
=> lang::AESUtil::decrypt(...)
So,
are any IDA excperts here who might help me figuring out the arguments to that decrypt call( the AES key). Or do you have any ideas on how to figure out the AES key at all?
Greets, Goddchen
Goddchen said:
Hey everyone,
i used to edit/backup my angry birds files. It worked fine with angry birds and angry birds seasons. But now with angry birds rio rovio encrypts the files with AES.
what i know so far from IDA pro:
for example GameLua::loadLuaFileToObject does
=> io::FileInputStream::read
=> lang::AESUtil::AESUtil(...)
=> lang::AESUtil::decrypt(...)
So,
are any IDA excperts here who might help me figuring out the arguments to that decrypt call( the AES key). Or do you have any ideas on how to figure out the AES key at all?
Greets, Goddchen
Click to expand...
Click to collapse
I'm afraid you can't decrypt an AES key with a current PC, considering it would take some good millions of years to bruteforce.
Your best bet would be finding an exploit into how the game implements this encryption, I guess.
sorry you might have misunderstood me.
i don't want to crack the key, i simply want to extract it. it has to be stored in the file somewhere.
Ever tryed the old fashion way of searching addys maybe even reversing the whole game? Wait I'm a computer game hacker idk about adroid games lol sorry uhmm I'm sure you can reverse enough to find the file but then again could it possibly be stored outside of the game itself?
Sent from my Vision using XDA Premium App
yes that's exactly what i want to do. i have already found the file loading/saving function that use the AESUtil, but i can't figure out where the actual key is stored
Could you have a look at it if i send you the binary file?
Greets, Goddchen
Yeah send them all to me every one you can find and I will search away hopefully its not somthing stupidly named that throws me off...and why hack a game like this anyways?
Sent from my Vision using XDA Premium App
Also have you tryed opening it up with a hexeditor? I know I know billions of lines of useless numbers for what you want but there is a chance it will be labled in there somewhere
Sent from my Vision using XDA Premium App
Yes i did that, and also decompiled the whole thing with IDA pro. That's why i know it's AES, because the read / write function use the AESUtil functions. But i can't figure out the address where the key is located...
Have you searched for aes or key I know it might sound funny but time after time I've found addys that way and and I toatally forgot that you used ida I use that to decompile dlls and mem dumps for my hacking on games...but pm me the files (idk never tryed sending files on here before so I'm not sure if its possible here if not pm for my email)
Sent from my Vision using XDA Premium App
you already have a PM
All assets/*/*.lua files are encrypted using AES, CBC mode with empty initial vector and 256-bit key = 'USCaPQpA4TSNVxMI1v9SK9UC0yZuAnb2' (yes, ascii only). After decryption you will see 7z file with real *.lua file inside.
Example in Python:
Code:
from Crypto.Cipher import AES
AES.new('USCaPQpA4TSNVxMI1v9SK9UC0yZuAnb2', AES.MODE_CBC, '').decrypt(open('MainMenuPage.lua', 'r').read())
You should see a string starting with "7z" and after saving it to a file you should be able to open it using any 7z archiver.
Still I don't know about highscores.lua and settings.lua - these files are different. I'm afraid they aren't 7z files, so even if I'll decrypt them successfully, I'll just get some unknown binary files.
wow i'm impressed! where did you get the key from?
Hm, when trying to decrypt the highscores.lua or settings.lua i keep getting
"java.io.IOException: last block incomplete in decryption".
Do you have any experience with Java AES encryption?
I've played with this a little.
The provided key does decrypts other LUAs, but not the highscores...
They either used another key or messed up something after applying encryption.
The error is javax.crypto.BadPaddingException: Given final block not properly padded
Again, I was able to decrypt level LUAs to plain 7z.
BTW: The highscores.lua is a plain text if decrypted correctly.
yes it should be plain lua files. This is the case for Angry Birds and Angry Birds Seasons, just RIO is encrypted
Can you please explain how to got your hands on the key you mentioned? Maybe this help me track down the key used to encrypt the highscores/settings.
Greets, Goddchen
still no progress
i also had a look at a hprof heap dump but counldn't find anything that looks like a 256 bit aes key...
Any more ideas?
highscores.lua and settings.lua are encrypted with AES, CBC mode, PKCS7 padding and key = '44iUY5aTrlaYoet9lapRlaK1Ehlec5i0'.
In my next post I will describe how I got these keys
Man! This is totally awesome! You're my hero!
Well... I have attached a debugger to native code, set breakpoints, analyzed registers, memory, etc. It wasn't that easy though. It took me several days to start debugging and get first key, but I got second one in about 1 hour.
Actually I don't really need that key, I can't even play Angry Birds Rio on my old G1, but it was challenging and I love challenges ;-) Plus I have learnt a LOT about gdb, assembler, ARM architecture, etc.
So I want to thank you, Goddchen, for giving me an opportunity to learn & play
Ok, let's move on...
First, I have disassembled libangrybirds.so using IDA Pro 5.5 . I was able to examine code and attach IDA to gdbserver on a device, but unfortunately it wasn't working properly. IDA was thinking that libangrybirds.so is a main binary of a process it attached to, but it should look into loaded shared libs instead. Weird, but I didn't find a way to attach it properly. And this is pity, because IDA is a great tool and it would make debugging a pleasure, but I had to use gdb instead.
Second, Android has problems with debugging multi-threaded native code. MT support was added in NDK r5 and because of some bug it's not possible on a system older than Gingerbread.
Third, you could attach gdb manually, but ndk-gdb script does great work for you. You will have to do some tricks to use it with 3rd party app though.
Fourth, it seems libangrybirds.so is a Java code compiled to native or something like that. There are objects like FileInputStream, ByteOutputStream, etc., but there are also some API differencies. We'll see String and Array<uchar> objects, but it's usually easy to find a pointer to simple uchar[].
Steps to start native code debugging:
Upgrade to Gingerbread (Yeah, I had to do that. Hacking requires you to sacrifice yourself a bit ;-) ). Or you could use an emulator.
Install NDK >= r5 .
Decode Angry Birds Rio using apktool. You could just unzip it, but decoded app is much more similiar to original sources, so it's more compatible with NDK. For example ndk-gdb reads AndroidManifest.xml to get package name. Of course you could fake simple AndroidManifest.xml and other files if you want.
Rename lib dir to libs.
Fake jni/Android.mk file. I have copied one from hello-jni sample and didn't even bother to modify module name: http://pastebin.com/HMBXt5cm .
Copy libs/armeabi*/libangrybirds.so to obj/local/armeabi*/ . Normally this is done by ndk-build command.
Fake libs/armeabi*/gdb.setup file. It should be something like: http://pastebin.com/BYm13RKz , but second line isn't that important.
Angry Birds Rio apk contains old gdbserver and you need one from NDK r5. Grab ${NDK_ROOT}/toolchains/arm-linux-androideabi-4.4.3/prebuilt/gdbserver and push it to /data/data/com.rovio.angrybirdsrio/lib .
Ufff... you could now try to run: ndk-gdb --verbose --launch=com.rovio.ka3d.App .
After few seconds you should see "(gdb)" prompt and game should be paused on the device.
Run 'info shared' and check if libangrybirds.so is loaded. If not then something is wrong.
Ok, let's find a key for levels lua files:
Set a breakpoint for GameLua::loadLevel() - find this method in IDA Pro and copy its EXPORT name:
Code:
(gdb) br _ZN7GameLua9loadLevelEN4lang6StringE
Breakpoint 1 at 0x80468e4c
Resume game and open some level. You should hit a breakpoint:
Code:
(gdb) c
Continuing.
[New Thread 5857]
[Switching to Thread 5857]
Breakpoint 1, 0x80468e4c in GameLua::loadLevel () from /home/brutall/t-angrybirds/com.rovio.angrybirdsrio-1/obj/local/armeabi/libangrybirds.so
Look into IDA and note there are 2 lang::String objects passed as first arguments to method, so pointers are in R1 and R2 registers. We need to examine these objects and find pointers to raw char[]. Fortunately lang::String is very simple wrapper around char[], so pointer is first (and only one, I think) member of String:
Code:
(gdb) x/4x $r1
0x4395e66c: 0x00a405f0 0x00153b28 0x804ec778 0x00000000
(gdb) x/s 0x00a405f0
0xa405f0: "levels/warehouse/Level190"
Yey, finally we see something
Let's move to lang::AESUtil::decrypt() method. It's named _ZN4lang7AESUtil7decryptERKNS_5ArrayIhEES4_RS2_, so:
Code:
(gdb) advance _ZN4lang7AESUtil7decryptERKNS_5ArrayIhEES4_RS2_
0x80539894 in lang::AESUtil::decrypt () from /home/brutall/t-angrybirds/com.rovio.angrybirdsrio-1/obj/local/armeabi/libangrybirds.so
As you can see decrypt() gets 3 Array<uchar> objects and 2 of them are const. It's quite easy to guess they're: key, encrypted data and container for decrypted data. Let's check this:
Code:
(gdb) x/4x $r1
0x1592b0: 0x00159528 0x00000020 0x00000020 0x7b206e65
0x00000020 = 32 - yes, length of AES key First 4 bytes of an Array object is a pointer to raw char[] and second 4 bytes contain length of an array. Now we could read contents of an Array:
Code:
(gdb) x/s 0x00159528
0x159528: "USCaPQpA4TSNVxMI1v9SK9UC0yZuAnb2a"
As you can see there are 33 chars instead of 32. This is because Array stores its length, so char[] isn't null-terminated. Ignore last "a" char.
We could also look into second const Array to be sure that encoded string is exactly the same as contents of lua file:
Code:
(gdb) x/4x $r2
0x4395d6f4: 0x009ca248 0x000004a0 0x000004a0 0x00000378
(gdb) x/4x 0x009ca248
0x9ca248: 0x3347b5dc 0x26048446 0x1a0c1231 0x35d3f99c
First 16 bytes are the same, length of data is also ok.
As you can see there is AES::BlockMode passed to AES:ecrypt(). It would be quite hard to interpret it without headers, so I was trying various block modes and I found that CBC with empty initial vector decodes to string starting with '7z'. For me that meant: mission successfull
Ok, highscores.lua and settings.lua files now. Technique is very similar, but there are some differences:
Different keys.
They aren't loaded using GameLua::loadLevel(), but GameLua::loadPersistentFile(). You could find this very easily, searching for "highscores.lua" in IDA.
If you examine GameLua::loadPersistentFile() method you will see it doesn't load files using FileInputStream, but io::AppDataInputStream, so we have to be sure, what exactly is being decrypted.
Annoying thing is that gdb can't catch highscores/settings loading, because they're loaded too soon - before gdb attach itself.
Maybe there is a better solution to last problem, but I've decided to add some Thread.sleep() call just after System.loadLibrary(), so gdb will attach before highscores.lua loading.
Open smali/com/rovio/ka3d/App.smali, and add 2 lines of code just after loadLibrary() call in onCreate() method:
Code:
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
const-wide/16 v0, 5000
invoke-static {v0, v1}, Ljava/lang/Thread;->sleep(J)V
Run ndk-gdb --verbose --launch=com.rovio.ka3d.App .
Set a breakpoint for GameLua::loadPersistentFile() method and check which file is being loaded:
Code:
(gdb) br _ZN7GameLua18loadPersistentFileERKN4lang6StringE
Breakpoint 1 at 0x80457030
(gdb) c
Continuing.
[New Thread 6735]
[Switching to Thread 6735]
Breakpoint 1, 0x80457030 in GameLua::loadPersistentFile () from /home/brutall/t-angrybirds/com.rovio.angrybirdsrio-1/obj/local/armeabi/libangrybirds.so
(gdb) x/s $r2
0x4395e3b8: "highscores.lua"
I'm not sure why it's R2, not R1 and why there is no lang::String, but char[] directly. I think this isn't a pointer to String, but String itself, passed to method in registers, so its char[] is in R2.
Now advance to lang::AESUtil::decrypt() method and read key as usual:
Code:
(gdb) advance _ZN4lang7AESUtil7decryptERKNS_5ArrayIhEES4_RS2_
0x80539894 in lang::AESUtil::decrypt () from /home/brutall/t-angrybirds/com.rovio.angrybirdsrio-1/obj/local/armeabi/libangrybirds.so
(gdb) x/4x $r1
0x159294: 0x00159620 0x00000020 0x00000020 0x00159518
(gdb) x/s 0x00159620
0x159620: "44iUY5aTrlaYoet9lapRlaK1Ehlec5i0"
Because of that AppDataInputStream object, we need to check if encrypted data is the same as file contents. Pull highscores.lua file from a device and run:
Code:
(gdb) x/4x $r2
0x4395ddc4: 0x0015bc00 0x00000040 0x00000040 0x00000001
(gdb) x/16x 0x0015bc00
0x15bc00: 0x2271b777 0xe6f19f4c 0x2489a316 0xfae1aee2
0x15bc10: 0x82e0ef38 0xe84fc25d 0xb196adac 0xbf030439
0x15bc20: 0xb6b9bade 0x3046af12 0xe8eeeb0d 0x20e8037c
0x15bc30: 0x1a405edf 0xc218f7f6 0xc29209e2 0x9ad03e8c
Yeah, this is my highscores.lua file.
Same for settings.lua file to check if it's encrypted with the same key. It is.
After decrypting these files we'll see some weird chars at the end of decoded data. Few seconds on the Wikipedia and we'll know this is just PKCS7 padding scheme.
Now we have got everything we want
Ahh, not exactly everything... I would be really happy to know, how to properly attach IDA for debugging - it would be much easier, even if gdb interface is also very good.
wow thank you so much for that detailed description. I'll give a try in the next days to see if i can reproduce the whole thing on my own I'm really impressed
Hi!
I am trying to develop an android app with a google map v2, location service and some control buttons.
But I don't want to put all these things inside one MainActivity class. So I thought I could split all the code into some more classes. The MainActivity shall controll all the GUI things and react on map or location events...
Now I have the following problem. Inside my onCreate I instanziate the additional classes:
Code:
// Preferences as singleton
pref = Prefs.getInstance(this.getApplicationContext());
pref.loadSettings();
// Set up the location
loc = new Locations(pref);
loc.setCallback(this);
map = new MyMap(pref);
It seems to work fine. But inside the MyMap class every time I start the app a null pointer exception is thrown. When I am calling MyMap() the following code will be executed:
Code:
[...]
private Prefs pref;
private GoogleMap mMap;
[...]
public MyMap(Prefs prefs) {
pref = (Prefs) prefs;
if (mMap == null) {
FragmentManager fmanager = getSupportFragmentManager();
mMap = ((SupportMapFragment) fmanager.findFragmentById(R.id.map)).getMap();
[...]
}
The line with the findFragmentById is the one that causes the exception.
If I write
Code:
SupportMapFragment f = ((SupportMapFragment) fmanager.findFragmentById(R.id.map));
f is allways null. But how can I access the fragments and view elements defined within my MainActivity?
It works if I put the code inside my MainAcitivity.
Every class extends "android.support.v4.app.FragmentActivity"
I tried to save the application context within my Prefs() class, so that I can access it from everywhere.
But I don't know how to use it inside my additional classes.
How to share the "R" across all my classes?
Can someone help me please?
Thank you very much!!
Thorsten
Are you having trouble adding a Map to a Fragment? If so, then you may take a look at this tutorial. I haven't tried it myself since I couldn't install Google Play Services on my development device. If it helps, do write back, as I am definitely going to try it myself soon.
Hi guys...
Since few weeks now, i'm facing to an unsolvable trouble that prevent me to access to google play (with the famous error "No Connexion"). I spent hard time to search why, tried some fixes found on the web... Nothing works.
This morning, i found with the Android Device-ID application that my "GSF Device-ID" is set to "null" ! Said differently, i'm pretty sure that my device (Samsung Galaxy S2) can't be recognized and identified on Play store because of this, giving me the "No Connexion" error.
Does anybody here know how i could fix this invalid ID (which is confirmed with the *#*#8255#*#* trick : aid:0 (INVALID AID!!!)
Thanks in advance for your help.
cheers
UP.
Nobody can help ? i can't believe it according to the number of gurus here
I am more and more convinced that the secret of this famous GSF ID is jealously guarded by its creators, and finally how to handle it are not or little known ... And for good reason, since this is for Google one of the only way to identify and thus tracking devices safely and reliably. Make it easily editable would be a disaster for them I guess ...
I still dare to hope that some geniuses who frequent this forum have already faced this problem and had pierced the mystery and how to handle this identifier.
I found the beginning of an answer with the sources code of an app "Android ID" :
Code:
private static final Uri URI = Uri.parse("content://com.google.android.gsf.gservices");
private static final String ID_KEY = "android_id";
String getAndroidId(Context ctx) {
String[] params = { ID_KEY };
Cursor c = ctx.getContentResolver()
.query(URI, null, null, params, null);
if (!c.moveToFirst() || c.getColumnCount() < 2)
return null;
try {
return Long.toHexString(Long.parseLong(c.getString(1)));
} catch (NumberFormatException e) {
return null;
}
}
In my case, i get a "null" for GSFID. That means no columns are found in reply to the query.
I have verified this by installing aSQLiteManager on my SGS2, and opening the gservices.db database.
My problem now is to find what are the key fields
that are supposed to be filled in order to have a GSF value returned.
Maybe some of you could provide me this information by having a look to your own configuration.
Thanks in advance.
I've got same problem
My phone is LG Optimus L5 and after I rooted my phone,I've got same problem and I couldn't connect to Google products and my AID's been null!