Reverse

A static analysis tool for extracting XXTEA encryption keys in ARM64 Cocos apps.

github.com/zboralski/reverse

It disassembles ARM64 functions, tracks register values and stack objects, recognizes std::string patterns (inline and heap), finds calls to XXTEA functions, extracts encryption keys and signatures, and shows annotated assembly code.

Features encryption and decryption of files once keys are extracted, including files with signatures:

./reverse libcocos2djs.so
./reverse --encrypt --key "KEY" --signature "SIG" file.lua
./reverse --decrypt --key "KEY" --signature "SIG" encrypted.luac