Android Lua脚本加密与解密实战教学<\/h3>

一、题目背景分析<\/h4>

文件结构<\/strong><\/p>

APK解压后存在assets\/lua<\/code>目录，内含加密的Lua脚本（如pz.lua<\/code>）<\/li>
动态库libluajava.so<\/code>负责Lua脚本加载，关键函数：luaL_loadbuffer<\/code><\/li> <\/ul> <\/li>
加密特征<\/strong><\/p> Assets中的Lua文件被加密，需通过逆向分析解密逻辑<\/li> 使用魔改XTEA算法（含自定义常数和异或操作）<\/li> <\/ul> <\/li> <\/ol> 二、解密流程详解<\/h4> 提取加密脚本<\/strong><\/p> # 从assets直接提取加密的pz.lua<\/span> <\/span><\/span>with<\/span> open("pz.lua"<\/span>, 'rb'<\/span>) as<\/span> f: <\/span><\/span> encrypted_data =<\/span> f.<\/span>read() <\/span><\/span><\/code><\/pre><\/li> 逆向解密算法<\/strong><\/p> 密钥生成函数<\/strong> def<\/span> key<\/span>(t): <\/span><\/span> t1 =<\/span> t <\/span><\/span> t2 =<\/span> (0xFFFFFFFF80808081<\/span> *<\/span> t1) >><\/span> 32<\/span> <\/span><\/span> t3 =<\/span> (t2 +<\/span> t1) >><\/span> 7<\/span> <\/span><\/span> t4 =<\/span> 1<\/span> if<\/span> (t2 +<\/span> t1) <<\/span> 0<\/span> else<\/span> 0<\/span> <\/span><\/span> return<\/span> (t +<\/span> t3 +<\/span> t4) &<\/span> 0xFF<\/span> <\/span><\/span><\/code><\/pre><\/li> 逐字节解密<\/strong> def<\/span> decrypt<\/span>(s): <\/span><\/span> out =<\/span> bytearray(len(s)) <\/span><\/span> out[0<\/span>] =<\/span> 27<\/span> # 固定首字节<\/span> <\/span><\/span> t =<\/span> 0<\/span> <\/span><\/span> for<\/span> i in<\/span> range(1<\/span>, len(s)): <\/span><\/span> t +=<\/span> len(s) <\/span><\/span> out[i] =<\/span> s[i] ^<\/span> key(t) <\/span><\/span> return<\/span> bytes(out) <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> 执行解密<\/strong><\/p> decrypted_data =<\/span> decrypt(encrypted_data) <\/span><\/span>with<\/span> open("pz_decrypted.lua"<\/span>, 'wb'<\/span>) as<\/span> f: <\/span><\/span> f.<\/span>write(decrypted_data) <\/span><\/span><\/code><\/pre><\/li> <\/ol> 三、Lua脚本逆向分析<\/h4> 关键函数解析<\/strong><\/p> 填充函数<\/strong> ddddddddddddd<\/code> 确保输入长度为8的倍数，补\0<\/code> function<\/span> ddddddddddddd<\/span>(str) <\/span><\/span> return<\/span> str ..<\/span> string.rep("<\/span>\0<\/span>"<\/span>, 8<\/span> -<\/span> #<\/span>str %<\/span> 8<\/span>) <\/span><\/span>end<\/span> <\/span><\/span><\/code><\/pre><\/li> 魔改XTEA加密<\/strong> aijusbndbv<\/code> 使用动态生成的常数（如114514<\/code>的变形）<\/li> 38轮加密，最终异或14<\/code>和17<\/code><\/li> <\/ul> function<\/span> aijusbndbv<\/span>(v, k) <\/span><\/span> local<\/span> sum =<\/span> 0<\/span> <\/span><\/span> for<\/span> i =<\/span> 1<\/span>, 38<\/span> do<\/span> <\/span><\/span> sum =<\/span> (sum +<\/span> delta) &<\/span> 0xFFFFFFFF<\/span> <\/span><\/span> v[1<\/span>] =<\/span> (v[1<\/span>] +<\/span> (((v[2<\/span>] <<<\/span> 4<\/span>) ~<\/span> (v[2<\/span>] >><\/span> 5<\/span>)) +<\/span> v[2<\/span>] ~<\/span> sum +<\/span> k[(sum &<\/span> 3<\/span>) +<\/span> 1<\/span>])) &<\/span> 0xFFFFFFFF<\/span> <\/span><\/span> v[2<\/span>] =<\/span> (v[2<\/span>] +<\/span> (((v[1<\/span>] <<<\/span> 4<\/span>) ~<\/span> (v[1<\/span>] >><\/span> 5<\/span>)) +<\/span> v[1<\/span>] ~<\/span> sum +<\/span> k[(sum >><\/span> 11<\/span> &<\/span> 3<\/span>) +<\/span> 1<\/span>])) &<\/span> 0xFFFFFFFF<\/span> <\/span><\/span> end<\/span> <\/span><\/span> return<\/span> {v[1<\/span>] ~<\/span> 14<\/span>, v[2<\/span>] ~<\/span> 17<\/span>} <\/span><\/span>end<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> 加密验证逻辑<\/strong><\/p> 输入格式：flag{...}<\/code><\/li> 解密后数据与硬编码值oianxasdavsdvasd<\/code>比对<\/li> <\/ul> <\/li> <\/ol> 四、解密脚本开发（C语言）<\/h4> #include<\/span> <stdio.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdint.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>void<\/span> decrypt<\/span>(uint32_t<\/span> *<\/span>v, uint32_t<\/span> *<\/span>k) { <\/span><\/span> uint32_t<\/span> v0 =<\/span> v[0<\/span>] ^<\/span> 14<\/span>, v1 =<\/span> v[1<\/span>] ^<\/span> 17<\/span>; <\/span><\/span> uint32_t<\/span> sum =<\/span> 38<\/span> *<\/span> 0x80E7D99B<\/span>; \/\/ 2161537835 * 38 <\/span><\/span><\/span><\/span> for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> 38<\/span>; i++<\/span>) { <\/span><\/span> v1 -=<\/span> (k[(sum >><\/span> 11<\/span>) &<\/span> 3<\/span>] +<\/span> sum) ^<\/span> (v0 +<\/span> ((v0 >><\/span> 5<\/span>) ^<\/span> (v0 <<<\/span> 4<\/span>))); <\/span><\/span> v0 -=<\/span> (k[sum &<\/span> 3<\/span>] +<\/span> sum) ^<\/span> (v1 +<\/span> ((v1 >><\/span> 5<\/span>) ^<\/span> (v1 <<<\/span> 4<\/span>))); <\/span><\/span> sum -=<\/span> 0x80E7D99B<\/span>; <\/span><\/span> } <\/span><\/span> v[0<\/span>] =<\/span> v0; v[1<\/span>] =<\/span> v1; <\/span><\/span>} <\/span><\/span> <\/span><\/span>int<\/span> main<\/span>() { <\/span><\/span> uint32_t<\/span> encrypted[] =<\/span> {863918170<\/span>, 366827450<\/span>, 2944604520<\/span>, ...}; <\/span><\/span> uint32_t<\/span> key[] =<\/span> {5976<\/span>, 40857<\/span>, 3298229483<\/span>, 1500946329<\/span>}; <\/span><\/span> <\/span><\/span> for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> 10<\/span>; i +=<\/span> 2<\/span>) { <\/span><\/span> decrypt(&<\/span>encrypted[i], key); <\/span><\/span> printf("%08x%08x"<\/span>, encrypted[i], encrypted[i+<\/span>1<\/span>]); <\/span><\/span> } <\/span><\/span> \/\/ 输出拼接后得到flag <\/span><\/span><\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre> 五、关键知识点总结<\/h4> Lua加密套路<\/strong><\/p> 常见于luaL_loadbuffer<\/code>拦截或assets文件加密<\/li> 识别特征：首字节固定值、异或\/加减操作、动态密钥生成<\/li> <\/ul> <\/li> 魔改算法技巧<\/strong><\/p> 修改XTEA的轮数（38轮）、delta值（0x80E7D99B）<\/li> 最终异或操作（14\/17）和自定义大端序处理<\/li> <\/ul> <\/li> 动态分析技巧<\/strong><\/p> 使用Frida Hook luaL_loadbuffer<\/code>获取解密后脚本<\/li> IDA逆向libluajava.so<\/code>定位加密逻辑<\/li> <\/ul> <\/li> <\/ol> 六、Flag获取<\/h4> 执行解密脚本后输出： flag{7a5e-55e45-1671e-df3b7-cd7a1-6f1e-27fc}<\/code><\/p> 注<\/strong>：实际操作时需注意字节序（大端序）和Lua与C的数据类型转换，建议配合Unluac工具反编译验证逻辑。<\/p>