Reverse

A static analysis tool for extracting XXTEA encryption keys in ARM64 Cocos apps.

github.com/zboralski/reverse

It disassembles ARM64 functions, tracks register values and stack objects, recognizes std::string patterns (inline and heap), finds calls to XXTEA functions, extracts encryption keys and signatures, and shows annotated assembly code.

Demo

Once keys are extracted, the tool can also encrypt and decrypt files with them, including files that carry a signature:

./reverse libcocos2djs.so
./reverse --encrypt --key "KEY" --signature "SIG" file.lua
./reverse --decrypt --key "KEY" --signature "SIG" encrypted.luac
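To make concrete what "key" and "signature" mean for the encrypt/decrypt commands above, here is an added Go example (written for this page, not code from the reverse repository) of the XXTEA file format the tool works with. It assumes the Cocos convention: the signature bytes are prepended verbatim to the ciphertext, the key is zero-padded or truncated to 16 bytes, and the plaintext is packed into little-endian 32-bit words with a trailing length word, as in the common xxtea.c byte-array variant. Every sample key, signature and script below is constructed for the demo.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

const delta uint32 = 0x9e3779b9

// mx is the XXTEA mixing function from Wheeler & Needham's "Corrected Block TEA".
func mx(sum, y, z, p, e uint32, k *[4]uint32) uint32 {
	return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[(p&3)^e] ^ z))
}

// btea encrypts (encode=true) or decrypts a block of at least two words in place.
func btea(v []uint32, k *[4]uint32, encode bool) {
	n := uint32(len(v))
	if n < 2 {
		return
	}
	rounds := 6 + 52/n
	if encode {
		sum := uint32(0)
		z := v[n-1]
		for ; rounds > 0; rounds-- {
			sum += delta
			e := (sum >> 2) & 3
			var p uint32
			for p = 0; p < n-1; p++ {
				v[p] += mx(sum, v[p+1], z, p, e, k)
				z = v[p]
			}
			v[n-1] += mx(sum, v[0], z, p, e, k)
			z = v[n-1]
		}
		return
	}
	sum := rounds * delta // uint32 wrap-around is intended
	y := v[0]
	for ; rounds > 0; rounds-- {
		e := (sum >> 2) & 3
		var p uint32
		for p = n - 1; p > 0; p-- {
			v[p] -= mx(sum, y, v[p-1], p, e, k)
			y = v[p]
		}
		v[0] -= mx(sum, y, v[n-1], p, e, k)
		y = v[0]
		sum -= delta
	}
}

// fixKey zero-pads or truncates the key to 16 bytes and splits it into four LE words.
func fixKey(key []byte) *[4]uint32 {
	var buf [16]byte
	copy(buf[:], key)
	var k [4]uint32
	for i := range k {
		k[i] = binary.LittleEndian.Uint32(buf[i*4:])
	}
	return &k
}

// toWords packs bytes into little-endian words, optionally appending the byte length.
func toWords(data []byte, includeLength bool) []uint32 {
	n := (len(data) + 3) / 4
	if includeLength {
		n++
	}
	v := make([]uint32, n)
	for i, b := range data {
		v[i>>2] |= uint32(b) << ((uint(i) & 3) << 3)
	}
	if includeLength {
		v[n-1] = uint32(len(data))
	}
	return v
}

// toBytes unpacks words; with includeLength it validates and honours the trailing length word.
func toBytes(v []uint32, includeLength bool) ([]byte, error) {
	n := len(v) * 4
	if includeLength {
		if len(v) < 2 {
			return nil, errors.New("xxtea: ciphertext too short")
		}
		m := int(v[len(v)-1])
		n -= 4
		if m < n-3 || m > n { // a wrong key almost always trips this check
			return nil, errors.New("xxtea: bad length word (wrong key?)")
		}
		n = m
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = byte(v[i>>2] >> ((uint(i) & 3) << 3))
	}
	return out, nil
}

func Encrypt(data, key []byte) []byte {
	v := toWords(data, true)
	btea(v, fixKey(key), true)
	out, _ := toBytes(v, false)
	return out
}

func Decrypt(data, key []byte) ([]byte, error) {
	if len(data)%4 != 0 {
		return nil, errors.New("xxtea: ciphertext length is not a multiple of 4")
	}
	v := toWords(data, false)
	btea(v, fixKey(key), false)
	return toBytes(v, true)
}

// EncryptSigned / DecryptSigned model the assumed Cocos layout: signature || XXTEA ciphertext.
func EncryptSigned(data, key, sig []byte) []byte {
	return append(append([]byte{}, sig...), Encrypt(data, key)...)
}

func DecryptSigned(blob, key, sig []byte) ([]byte, error) {
	if !bytes.HasPrefix(blob, sig) {
		return nil, errors.New("signature mismatch: file is not encrypted with this signature")
	}
	return Decrypt(blob[len(sig):], key)
}

func main() {
	// Constructed demo values, not taken from any real app.
	key := []byte("constructed-key-0123")
	sig := []byte("XXTEA")
	plain := []byte("print('hello from a constructed lua script')")
	blob := EncryptSigned(plain, key, sig)
	fmt.Printf("signature %q + %d ciphertext bytes\n", sig, len(blob)-len(sig))
	got, err := DecryptSigned(blob, key, sig)
	fmt.Printf("decrypted: %q (err=%v)\n", got, err)
	_, err = DecryptSigned(blob, key, []byte("OTHER"))
	fmt.Println("wrong signature:", err)
}
```

The trailing length word is what lets a decryptor with the wrong key fail loudly instead of returning garbage, which is a useful sanity check when trying candidate keys recovered from a binary.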

SpiderMonkey Dumper

A reverse engineering tool for analyzing JavaScript bytecode files (.jsc) compiled with the SpiderMonkey engine. Features bytecode disassembly and optional LLM-powered JavaScript reconstruction.

In Cocos apps the encryption key sits in the .rodata section of the library, so the original source code can be recovered. Ironically, a Cocos app that omits encryption was harder to reverse, because the JavaScript ships as SpiderMonkey bytecode and no disassembler existed for it.

github.com/zboralski/spidermonkey-dumper

Works with SpiderMonkey 33.1.1 and Cocos2d-JS v3.17.

Here is an example showing an uncloaking check (a country gate) in the disassembly:

00031  getprop      "country"
00036  string       "VN"
0003B  ne
0003C  ifeq         loc_00056 (+26)                         ; if (!=)

And here is the LLM decompilation:

// SplashScene.checkGame/<
SplashScene.prototype.checkGame$ = function () {
    if (this.country !== "VN") return cc.game.loadGame();
    var success = true;
    this.checkUpdate(success);
    return !success;
};