Add files via upload

npk decryption/decompression and compilation tool

Author: vexilligera

encode.py

@@ -0,0 +1,48 @@
+import rotor
+import marshal
+import zlib
+import sys
+
+def init_rotor():
+    asdf_dn = 'j2h56ogodh3se'
+    asdf_dt = '=dziaq.'
+    asdf_df = '|os=5v7!"-234'
+    asdf_tm = asdf_dn * 4 + (asdf_dt + asdf_dn + asdf_df) * 5 + '!' + '#' + asdf_dt * 7 + asdf_df * 2 + '*' + '&' + "'"
+    rot = rotor.newrotor(asdf_tm)
+    return rot
+
+def _reverse_string(s):
+    l = list(s)
+    l = map(lambda x: chr(ord(x) ^ 154), l[0:128]) + l[128:]
+    l.reverse()
+    return ''.join(l)
+
+def reverse_string(s):
+	l = list(s)
+	l.reverse()
+	sub_l = l[0:128]
+	sub_l = map(lambda x: chr(ord(x) ^ 154), l[0:128])
+	l = sub_l + l[128:]
+	return ''.join(l)
+
+def encode(data):
+	rot = init_rotor()
+	#print 'original data:'
+	#print repr(data)
+	data = reverse_string(data)
+	#print '_reverse string data:'
+	#print repr(data)
+	data = zlib.compress(data, 9)
+	#print 'zlib compressed data:'
+	#print repr(data)
+	data = rot.encrypt(data)
+	#print 'rot encrypt data:'
+	#print repr(data)
+	return data
+
+file = open(sys.argv[1], 'rb')
+save = open(sys.argv[2], 'wb')
+data = file.read()
+save.write(encode(data))
+file.close()
+save.close()

extract.py

@@ -0,0 +1,41 @@
+import struct
+import os
+import redirect
+import marshal
+import pyc_decryptor
+
+print('Usage: unpack the apk file using npktool and execute this script. Scripts stored in decompile/python_file/pyc')
+
+path = 'python_file'
+if not os.path.exists(path):
+    os.makedirs(path)
+    os.makedirs(path + '/pyc')
+
+file = open('original_script.npk', 'rb')
+file_size = os.path.getsize('original_script.npk')
+file.seek(0x14)
+base, = struct.unpack('<L', bytes(file.read(4)))
+encryptor = pyc_decryptor.PYCEncryptor()
+while base < file_size:
+	base += 0x4
+	file.seek(base)
+	py_addr, = struct.unpack('<L', bytes(file.read(4)))
+	py_size_ptr = base + 0x8
+	file.seek(py_size_ptr)
+	py_size, = struct.unpack('<I', bytes(file.read(4)))
+	file.seek(py_addr)
+	
+	py_encrypted = file.read(py_size)
+	try:
+		pyc_original = redirect.decrypt(py_encrypted)
+	except:
+		print 'File at 0x%x failed to decrypt.' % py_addr
+
+	file_name = path + '/' + hex(py_addr)
+	save_file = open(file_name, 'wb')
+	marshal.dump(pyc_original, save_file)
+	save_file.close()
+	encryptor.decrypt_file(file_name, path + '/pyc/' + hex(py_addr) + '.pyc')
+	base += 0x18
+
+file.close()

npktool.py

@@ -0,0 +1,92 @@
+import os
+import sys
+import shutil
+import struct
+import marshal
+
+def search_bytes(src, dat):
+	t = len(src) - len(dat) + 1
+	for i in range(t):
+		ret = True
+		for j in range(len(dat)):
+			if src[i + j] != dat[j]:
+				ret = False
+				break
+		if ret:
+			return i
+	return -1
+
+def i2bytes(integer):
+	l = []
+	_ = integer
+	for i in range(4):
+		l.append(_ & 0xFF)
+		_ = _ >> 8
+	return bytes(bytearray(l))
+
+if len(sys.argv) == 1:
+	print('usage:')
+	print('python npktool.py d filename.apk - unpack the apk file.')
+	print('python npktool.py c file.py 00ABCDEF - compile file.py and insert it at offset 00ABCDEF in script.npk and build the APK.')
+	print('python npktool.py b path file.apk - build the APK file and sign.')
+	sys.exit()
+option = sys.argv[1]
+
+if option == 'd':
+	filename = ''.join(list(sys.argv[2])[:-4])
+	if not os.path.exists(filename):
+		os.system('apktool d ' + sys.argv[2])
+	else:
+		print('APK already disassembled.')
+	shutil.copyfile(filename + '/assets/script.npk', 'original_script.npk')
+elif option == 'c':
+	filename = sys.argv[2]
+	offset, = struct.unpack('>L', bytearray.fromhex(sys.argv[3]))
+	offset_dat = i2bytes(offset)
+
+	name = ''.join(list(filename)[:-3])
+	os.system('python -m py_compile ' + filename)
+	os.system('python pyc_encryptor.py ' + name + '.pyc ' + name + '.pycfix')
+	os.system('python encode.py ' + name + '.pycfix ' + name + '.pyn')
+	
+	bin_size = os.path.getsize(name + '.pyn')
+	new_bin = open(name + '.pyn', 'rb')
+	original_script = open('original_script.npk', 'rb')
+	original_script.seek(0x14)
+	table_addr, = struct.unpack('<L', bytes(original_script.read(4)))
+	original_script.seek(table_addr)
+	offset_table = original_script.read()
+	index_in_table = search_bytes(offset_table, offset_dat)
+	size_addr = []
+	size_addr.append(index_in_table + table_addr + 4)
+	size_addr.append(size_addr[0] + 4)
+	original_script.seek(size_addr[0])
+	old_size = original_script.read(4)
+	old_size, = struct.unpack('<L', old_size)
+	print ('original size: ' + repr(old_size))
+	print ('new size: ' + repr(bin_size))
+	original_script.seek(0)
+	new_script_body = original_script.read(offset)
+	new_script_body = new_script_body + new_bin.read()
+	original_script.seek(offset + bin_size)
+	new_script_body = new_script_body + original_script.read(table_addr - offset - bin_size)
+
+	new_bin_size_dat = i2bytes(bin_size)
+	original_script.seek(table_addr)
+	new_table = original_script.read(size_addr[0] - table_addr)
+	new_table = new_table + new_bin_size_dat
+	new_table = new_table + new_bin_size_dat
+	original_script.seek(size_addr[1] + 4)
+	new_table = new_table + original_script.read()
+
+	new_script_dat = new_script_body + new_table
+	new_bin.close()
+	original_script.close()
+	new_script_file = open('new_script.npk', 'wb')
+	new_script_file.write(new_script_dat)
+	new_script_file.close()
+elif option == 'b':
+	path = sys.argv[2]
+	shutil.copyfile('new_script.npk', path + '/assets/script.npk')
+	os.system('apktool b ' + path)
+	os.system('java -jar signapk.jar testkey.x509.pem testkey.pk8 ' + path + '/dist/' + path + '.apk ' + sys.argv[3])

pyc_decryptor.py

@@ -0,0 +1,54 @@
+import os  
+import zlib  
+import rotor  
+import marshal  
+import binascii  
+import argparse  
+import pymarshal  
+class PYCEncryptor(object):  
+    def __init__(self):
+        self.opcode_encrypt_map = {
+            1: 38, 2: 46, 3: 37, 4: 66, 5: 12, 10: 35, 11: 67, 12: 81, 13: 32, 15: 9, 19: 63, 20: 70,
+            21: 44, 22: 36, 23: 39, 24: 57, 25: 10, 26: 52, 28: 49, 30: 86, 31: 87, 32: 88, 33: 89,
+            40: 24, 41: 25, 42: 26, 43: 27, 50: 14, 51: 15, 52: 16, 53: 17, 54: 8, 55: 21, 56: 55,
+            57: 82, 58: 34, 59: 22, 60: 65, 61: 6, 62: 58, 63: 71, 64: 43, 65: 30, 66: 19, 67: 5,
+            68: 60, 71: 53, 72: 42, 73: 3, 74: 48, 75: 84, 76: 77, 77: 78, 78: 85, 79: 47, 80: 51,
+            81: 54, 82: 50, 83: 83, 84: 74, 85: 64, 86: 31, 87: 72, 88: 45, 89: 33, 90: 145, 91: 159,
+            92: 125, 93: 149, 94: 157, 95: 132, 96: 95, 97: 113, 98: 111, 99: 138, 100: 153, 101: 101,
+            102: 135, 103: 90, 104: 99, 105: 151, 106: 96, 107: 114, 108: 134, 109: 116, 110: 156,
+            111: 105, 112: 130, 113: 137, 114: 148, 115: 172, 116: 155, 119: 103, 120: 158, 121: 128,
+            122: 110, 124: 97, 125: 104, 126: 118, 130: 93, 131: 131, 132: 136, 133: 115, 134: 100, 135: 120,
+            136: 129, 137: 102, 140: 140, 141: 141, 142: 142, 143: 94, 146: 109, 147: 123
+        }
+        self.opcode_decrypt_map = {self.opcode_encrypt_map[key]: key for key in self.opcode_encrypt_map}
+        self.pyc27_header = "\x03\xf3\x0d\x0a\x00\x00\x00\x00"
+    def _decrypt_file(self, filename):
+        os.path.splitext(filename)
+        content = open(filename).read()
+        try:
+            m = pymarshal.loads(content)
+        except:
+            try:
+                m = marshal.loads(content)
+            except Exception as e:
+                print("[!] error: %s" % str(e))
+                return None
+        return m.co_filename.replace('\\', '/'), pymarshal.dumps(m, self.opcode_decrypt_map)
+    def decrypt_file(self, input_file, output_file=None):
+        result = self._decrypt_file(input_file)
+        if not result:
+            return
+        pyc_filename, pyc_content = result
+        if not output_file:
+            output_file = os.path.basename(pyc_filename) + '.pyc'
+        with open(output_file, 'wb') as fd:
+            fd.write(self.pyc27_header + pyc_content)
+def main():  
+    parser = argparse.ArgumentParser(description='onmyoji py decrypt tool')
+    parser.add_argument("INPUT_NAME", help='input file')
+    parser.add_argument("OUTPUT_NAME", help='output file')
+    args = parser.parse_args()
+    encryptor = PYCEncryptor()
+    encryptor.decrypt_file(args.INPUT_NAME, args.OUTPUT_NAME)
+if __name__ == '__main__':  
+    main()

pyc_encryptor.py

@@ -0,0 +1,58 @@
+import os  
+import zlib  
+import rotor  
+import marshal  
+import binascii  
+import argparse  
+import pymarshal  
+class PYCEncryptor(object):  
+    def __init__(self):
+        self.opcode_encrypt_map = {
+            38: 1, 46: 2, 37: 3, 66: 4, 12: 5, 35: 10, 67: 11, 81: 12, 32: 13,
+            9: 15, 63: 19, 70: 20, 44: 21, 36: 22, 39: 23, 57: 24, 10: 25,
+            52: 26, 49: 28, 86: 30, 87: 31, 88: 32, 89: 33, 24: 40, 25: 41,
+            26: 42, 27: 43, 14: 50, 15: 51, 16: 52, 17: 53, 8: 54, 21: 55,
+            55: 56, 82: 57, 34: 58, 22: 59, 65: 60, 6: 61, 58: 62, 71: 63,
+            43: 64, 30: 65, 19: 66, 5: 67, 60: 68, 53: 71, 42: 72, 3: 73,
+            48: 74, 84: 75, 77: 76, 78: 77, 85: 78, 47: 79, 51: 80, 54: 81,
+            50: 82, 83: 83, 74: 84, 64: 85, 31: 86, 72: 87, 45: 88, 33: 89,
+            145: 90, 159: 91, 125: 92, 149: 93, 157: 94, 132: 95, 95: 96, 113: 97,
+            111: 98, 138: 99, 153: 100, 101: 101, 135: 102, 90: 103, 99: 104, 151: 105,
+            96: 106, 114: 107, 134: 108, 116: 109, 156: 110, 105: 111, 130: 112, 137: 113,
+            148: 114, 172: 115, 155: 116, 103: 119, 158: 120, 128: 121, 110: 122, 97: 124,
+            104: 125, 118: 126, 93: 130, 131: 131, 136: 132, 115: 133, 100: 134, 120: 135,
+            129: 136, 102: 137, 140: 140, 141: 141, 142: 142, 94: 143, 109: 146, 123: 147
+        }
+        self.opcode_decrypt_map = {self.opcode_encrypt_map[key]: key for key in self.opcode_encrypt_map}
+    def _decrypt_file(self, filename):
+        os.path.splitext(filename)
+        file = open(filename)
+        file.seek(8)
+        content = file.read()
+        try:
+            m = pymarshal.loads(content)
+        except:
+            try:
+                m = marshal.loads(content)
+            except Exception as e:
+                print("[!] error: %s" % str(e))
+                return None
+        return m.co_filename.replace('\\', '/'), pymarshal.dumps(m, self.opcode_decrypt_map)
+    def decrypt_file(self, input_file, output_file=None):
+        result = self._decrypt_file(input_file)
+        if not result:
+            return
+        pyc_filename, pyc_content = result
+        if not output_file:
+            output_file = os.path.basename(pyc_filename) + '.pyc'
+        with open(output_file, 'wb') as fd:
+            fd.write(pyc_content)
+def main():  
+    parser = argparse.ArgumentParser(description='onmyoji py decrypt tool')
+    parser.add_argument("INPUT_NAME", help='input file')
+    parser.add_argument("OUTPUT_NAME", help='output file')
+    args = parser.parse_args()
+    encryptor = PYCEncryptor()
+    encryptor.decrypt_file(args.INPUT_NAME, args.OUTPUT_NAME)
+if __name__ == '__main__':  
+    main()