[Q] Angry Birds Rio encrypts settings/highscores with AES

Search This thread

meltwater

Inactive Recognized Developer
Jan 28, 2009
2,070
325
So I want to thank you, Goddchen, for giving me an opportunity to learn & play :)

Wow sounds like you've done some deep digging, thanks for sharing the info, might open up something else for someone.

I hope you don't mind, but I was wondering the following:
Is the use of lua files common on android and android apps, I'm only starting out with Android and I wasn't aware that lua is used at all. Still learning and taking baby-steps at the moment.

It is particularly interesting to me since I've spent lots of time working with lua files for WM sense so it would be good to know if lua can also be used for other things in android.

Thanks in advance, sorry for going slightly offtopic, but it is one of those questions which would probably never be seen in another thread.
 

meltwater

Inactive Recognized Developer
Jan 28, 2009
2,070
325
Fair enough, just caught my eye when lua files were mentioned, donno why, they are a pain to work with anyway! :D
 

javideslomao

Member
May 20, 2011
49
53
Hello! Anyone has a highscores.lua with the first 2 worlds of Rio completed? I just reflashed my rom without backing things up first, so I lost all my progress... :(
 

Ahuge

New member
May 13, 2011
1
0
Hey Everyone I am really new to all of this and I was wondering how you decrypted the lua files I tried to open them in AES Crypt and the key keeps givng an error.


I am using the Iphone versions of the levels do you guys think that it make a difference?



If possible could someone pm me with a few of the levels?
 

16k

Member
Mar 29, 2011
47
8
first 2 worlds 3 stars all fruits :)

Hello! Anyone has a highscores.lua with the first 2 worlds of Rio completed? I just reflashed my rom without backing things up first, so I lost all my progress... :(

I am a new user so i can post links yet (spam rules and stuff)
go to youtube and search for "angry birds rio savegame"
you will find first 2 levels 3 stars and all fruit.
Also the second result will have the third level as well :)

Enjoy !
 

Jaara

Member
Aug 26, 2006
24
3
angry birds seasons encryption key

The original angry birds share the same key, however the seasons version do not.. Would be quite handy as well.
 
  • Like
Reactions: nicobo

nicobo

Member
Jul 23, 2010
18
1
www.nicobo.net
Hi all,


I'm using the instructions of Brut.all to understand android native code debugging ; half for learning, half as a challenge ;-)

I've successfully reproduced all steps with angry birds seasons up to the gdb shell, except that I didn't bother to disassemble the .so (so I have the original, non-debug version of the library).

The game launches, but no shared lib seems to be loaded according to gdb so I can't set breakpoints.
Does anybody have an idea ?

I'm using the latest SDKs and an 2.3.1 emulator on Windows XP/cygwin :

Code:
nicobo@localhost /cygdrive/c/Temp/ab/abs
$ $NDK/ndk-gdb -e --verbose --launch=com.rovio.ka3d.App
Android NDK installation path: /cygdrive/c/WINDOWS/android-ndk-r6b
Using default adb command: /cygdrive/c/WINDOWS/android-sdk-windows/platform-tools/adb
ADB version found: Android Debug Bridge version 1.0.29
Using final ADB command: '/cygdrive/c/WINDOWS/android-sdk-windows/platform-tools/adb -e'
Using auto-detected project path: .
Found package name: com.rovio.angrybirdsseasons
ABIs targetted by application: armeabi
Device API Level: 9
Device CPU ABI: armeabi
Compatible device ABI: armeabi
Found debuggable flag: true
Found device gdbserver: /data/data/com.rovio.angrybirdsseasons/lib/gdbserver
Using gdb setup init: /cygdrive/c/Temp/ab/abs/libs/armeabi/gdb.setup
Using toolchain prefix: /cygdrive/c/WINDOWS/android-ndk-r6b/toolchains/arm-linux-androideabi-4.4.3/prebuilt/windows/bin/arm-linux-androideabi-
Using app out directory: /cygdrive/c/Temp/ab/abs/obj/local/armeabi
Found data directory: '/data/data/com.rovio.angrybirdsseasons'
Launching activity: com.rovio.angrybirdsseasons/com.rovio.ka3d.App
## COMMAND: /cygdrive/c/WINDOWS/android-sdk-windows/platform-tools/adb -e shell am start -n com.rovio.angrybirdsseasons/com.rovio.ka3d.App
Starting: Intent { cmp=com.rovio.angrybirdsseasons/com.rovio.ka3d.App }
## COMMAND: /cygdrive/c/WINDOWS/android-sdk-windows/platform-tools/adb -e shell sleep 2
Found running PID: 1754
Launched gdbserver succesfully.
Setup network redirection
## COMMAND: /cygdrive/c/WINDOWS/android-sdk-windows/platform-tools/adb -e shell run-as com.rovio.angrybirdsseasons lib/gdbserver +debug-socket --attach 1754
## COMMAND: /cygdrive/c/WINDOWS/android-sdk-windows/platform-tools/adb -e forward tcp:5039 localfilesystem:/data/data/com.rovio.angrybirdsseasons/debug-socket
## COMMAND: /cygdrive/c/WINDOWS/android-sdk-windows/platform-tools/adb -e pull /system/bin/app_process C:/Temp/ab/abs/obj/local/armeabi/app_process
Attached; pid = 1754
Listening on sockaddr socket debug-socket
353 KB/s (5660 bytes in 0.015s)
Pulled app_process from device/emulator.
## COMMAND: /cygdrive/c/WINDOWS/android-sdk-windows/platform-tools/adb -e pull /system/lib/libc.so C:/Temp/ab/abs/obj/local/armeabi/libc.so
1069 KB/s (273868 bytes in 0.250s)
Pulled libc.so from device/emulator.
GNU gdb 6.6
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "--host=i586-mingw32msvc --target=arm-elf-linux".
Warning: /cygdrive/c/WINDOWS/android-ndk-r6b/platforms/android-9/arch-arm/usr/include: No such file or directory.
Warning: /cygdrive/c/WINDOWS/android-ndk-r6b/sources/cxx-stl/system/file: No such file or directory.
warning: C:/Temp/ab/abs/obj/local/armeabi/app_process is not a directory.
0xafd0c738 in ?? ()
(gdb) info shared
No shared libraries loaded at this time.


I don't understand the reasons of the warning messages, as the "missing" files they refer to are actually existing at the exact given path !

Code:
Warning: /cygdrive/c/WINDOWS/android-ndk-r6b/platforms/android-9/arch-arm/usr/include: No such file or directory.
Warning: /cygdrive/c/WINDOWS/android-ndk-r6b/sources/cxx-stl/system/file: No such file or directory.
warning: C:/Temp/ab/abs/obj/local/armeabi/app_process is not a directory.
0xafd0c738 in ?? ()
 
Last edited:

Jaara

Member
Aug 26, 2006
24
3
Hi nicobo, I successfully applied Brut.all instructions, however it was pain in the ass I must say.
The warnings: you can ignore them.
To load shared libraries do the following:
- to gdb setup put one line:
"set solib-search-path lib"
and to lib folder in your working directory put libraries from \system\lib (from android) and also the angrybirds*.so


It should work then.
 
  • Like
Reactions: nicobo

andreacorti

Senior Member
Apr 27, 2011
314
105
Lecco
Hey everyone,
i used to edit/backup my angry birds files. It worked fine with angry birds and angry birds seasons. But now with angry birds rio rovio encrypts the files with AES.
what i know so far from IDA pro:
for example GameLua::loadLuaFileToObject does
=> io::FileInputStream::read
=> lang::AESUtil::AESUtil(...)
=> lang::AESUtil::decrypt(...)

So,
are any IDA excperts here who might help me figuring out the arguments to that decrypt call( the AES key). Or do you have any ideas on how to figure out the AES key at all?

Greets, Goddchen

contact me in private ;)
 

nicobo

Member
Jul 23, 2010
18
1
www.nicobo.net
I was finally able to reproduce the steps described by Brut.all to root up the codes inside angrybirds seasons.

To whom may be interested, I strongly recommend to use a full branded Linux to debug / reverse engineer android apps, not cygwin... I had a handful of problems with cygwin that I never had with Ubuntu. It could be gdb, the OS, the libs, the ndk,... but it you're short in time, just use a full Linux system.

Also, using an emulator, many times the problem was just wrong sizing of the emulator's RAM or screen (too big = too much memory).

Thanks Brut.all and others !
 

SilverbackNet

New member
Oct 21, 2012
1
1
All assets/*/*.lua files are encrypted using AES, CBC mode with empty initial vector and 256-bit key = 'USCaPQpA4TSNVxMI1v9SK9UC0yZuAnb2' (yes, ascii only). After decryption you will see 7z file with real *.lua file inside.

Example in Python:

Code:
from Crypto.Cipher import AES
AES.new('USCaPQpA4TSNVxMI1v9SK9UC0yZuAnb2', AES.MODE_CBC, '').decrypt(open('MainMenuPage.lua', 'r').read())

You should see a string starting with "7z" and after saving it to a file you should be able to open it using any 7z archiver.

Still I don't know about highscores.lua and settings.lua - these files are different. I'm afraid they aren't 7z files, so even if I'll decrypt them successfully, I'll just get some unknown binary files.

I just wanted to contribute that PyCrypto is a little more strict now and you have to specify the all-zero IV or it barfs, plus not using 'rb' makes it fail on 3.x.

Code:
key = 'USCaPQpA4TSNVxMI1v9SK9UC0yZuAnb2' # '44iUY5aTrlaYoet9lapRlaK1Ehlec5i0' for high scores

from Crypto.Cipher import AES
decrypted = AES.new(key, AES.MODE_CBC, [b]''.join(chr(0) for i in range(16))[/b]).decrypt(open('highscores.lua', 'r[b]b[/b]').read())

But thank you, it works perfectly when the right key is used. =D
 
  • Like
Reactions: ogurets

XlAfbk

Senior Member
Aug 11, 2010
1,484
440
here's a openssl way:
Code:
openssl aes-256-cbc -d -in highscores.lua -K 3434695559356154726c61596f6574396c6170526c614b3145686c6563356930 -iv 0 -out o.txt
openssl aes-256-cbc -e -in o.txt -K 3434695559356154726c61596f6574396c6170526c614b3145686c6563356930 -iv 0 -out highscores.lua
 
Last edited:

Arkkeeper

New member
Jan 5, 2013
1
0
I followed to instructions posted by Brut.all, but no luck :(
gdb starts, it attaches to Angry Birds process, I set a breakpoint, but either it's not hit, or I get "Cannot access memory at address 0x0" error then.
I don't see fun in finding keys for myself anymore, I've already spent too much time for it.
If someone here has decrypt keys for highscores.lua/settings.lua from Angry Birds Seasons, Space or Star Wars, please post them.
I've read this thread through carefully. There are no necessary keys for those games here unfortunately.
Google also knows just one decrypt key for highscores.lua, it works for the first game of Angry Birds series and for AB Rio.
Thanks in advance!
 

Dash24x7

Member
Aug 4, 2009
6
1
I am also having trouble debugging and finding the keys myself.

I found all the keys for the level files on google, but no luck on the keys for settings.lua / highscores.lua for AB Seasons / Space / Star Wars. If anybody is willing to share them, I would be really thankful as I am just frustrated from trying to find them myself. If you do not want to post them publically, PM me and I keep them for myself.
 

escribblings

Member
Jul 21, 2012
40
7
Well... I have attached a debugger to native code, set breakpoints, analyzed registers, memory, etc. It wasn't that easy though. It took me several days to start debugging and get first key, but I got second one in about 1 hour.

Actually I don't really need that key, I can't even play Angry Birds Rio on my old G1, but it was challenging and I love challenges ;) Plus I have learnt a LOT about gdb, assembler, ARM architecture, etc.

So I want to thank you, Goddchen, for giving me an opportunity to learn & play :)

Ok, let's move on...

First, I have disassembled libangrybirds.so using IDA Pro 5.5 . I was able to examine code and attach IDA to gdbserver on a device, but unfortunately it wasn't working properly. IDA was thinking that libangrybirds.so is a main binary of a process it attached to, but it should look into loaded shared libs instead. Weird, but I didn't find a way to attach it properly. And this is pity, because IDA is a great tool and it would make debugging a pleasure, but I had to use gdb instead.

Second, Android has problems with debugging multi-threaded native code. MT support was added in NDK r5 and because of some bug it's not possible on a system older than Gingerbread.

Third, you could attach gdb manually, but ndk-gdb script does great work for you. You will have to do some tricks to use it with 3rd party app though.

Fourth, it seems libangrybirds.so is a Java code compiled to native or something like that. There are objects like FileInputStream, ByteOutputStream, etc., but there are also some API differencies. We'll see String and Array<uchar> objects, but it's usually easy to find a pointer to simple uchar[].

Steps to start native code debugging:

  1. Upgrade to Gingerbread (Yeah, I had to do that. Hacking requires you to sacrifice yourself a bit ;) ). Or you could use an emulator.
  2. Install NDK >= r5 .
  3. Decode Angry Birds Rio using apktool. You could just unzip it, but decoded app is much more similiar to original sources, so it's more compatible with NDK. For example ndk-gdb reads AndroidManifest.xml to get package name. Of course you could fake simple AndroidManifest.xml and other files if you want.
  4. Rename lib dir to libs.
  5. Fake jni/Android.mk file. I have copied one from hello-jni sample and didn't even bother to modify module name: http://pastebin.com/HMBXt5cm .
  6. Copy libs/armeabi*/libangrybirds.so to obj/local/armeabi*/ . Normally this is done by ndk-build command.
  7. Fake libs/armeabi*/gdb.setup file. It should be something like: http://pastebin.com/BYm13RKz , but second line isn't that important.
  8. Angry Birds Rio apk contains old gdbserver and you need one from NDK r5. Grab ${NDK_ROOT}/toolchains/arm-linux-androideabi-4.4.3/prebuilt/gdbserver and push it to /data/data/com.rovio.angrybirdsrio/lib .
  9. Ufff... you could now try to run: ndk-gdb --verbose --launch=com.rovio.ka3d.App .
  10. After few seconds you should see "(gdb)" prompt and game should be paused on the device.
  11. Run 'info shared' and check if libangrybirds.so is loaded. If not then something is wrong.

Ok, let's find a key for levels lua files:

  1. Set a breakpoint for GameLua::loadLevel() - find this method in IDA Pro and copy its EXPORT name:
    Code:
    (gdb) br _ZN7GameLua9loadLevelEN4lang6StringE
    Breakpoint 1 at 0x80468e4c
  2. Resume game and open some level. You should hit a breakpoint:
    Code:
    (gdb) c
    Continuing.
    [New Thread 5857]
    [Switching to Thread 5857]
    
    Breakpoint 1, 0x80468e4c in GameLua::loadLevel () from /home/brutall/t-angrybirds/com.rovio.angrybirdsrio-1/obj/local/armeabi/libangrybirds.so
  3. Look into IDA and note there are 2 lang::String objects passed as first arguments to method, so pointers are in R1 and R2 registers. We need to examine these objects and find pointers to raw char[]. Fortunately lang::String is very simple wrapper around char[], so pointer is first (and only one, I think) member of String:
    Code:
    (gdb) x/4x $r1
    0x4395e66c:	0x00a405f0	0x00153b28	0x804ec778	0x00000000
    (gdb) x/s 0x00a405f0
    0xa405f0:	 "levels/warehouse/Level190"
    Yey, finally we see something :)
  4. Let's move to lang::AESUtil::decrypt() method. It's named _ZN4lang7AESUtil7decryptERKNS_5ArrayIhEES4_RS2_, so:
    Code:
    (gdb) advance _ZN4lang7AESUtil7decryptERKNS_5ArrayIhEES4_RS2_
    0x80539894 in lang::AESUtil::decrypt () from /home/brutall/t-angrybirds/com.rovio.angrybirdsrio-1/obj/local/armeabi/libangrybirds.so
  5. As you can see decrypt() gets 3 Array<uchar> objects and 2 of them are const. It's quite easy to guess they're: key, encrypted data and container for decrypted data. Let's check this:
    Code:
    (gdb) x/4x $r1
    0x1592b0:	0x00159528	0x00000020	0x00000020	0x7b206e65
    0x00000020 = 32 - yes, length of AES key :) First 4 bytes of an Array object is a pointer to raw char[] and second 4 bytes contain length of an array. Now we could read contents of an Array:
    Code:
    (gdb) x/s 0x00159528
    0x159528:	 "USCaPQpA4TSNVxMI1v9SK9UC0yZuAnb2a"
    :) As you can see there are 33 chars instead of 32. This is because Array stores its length, so char[] isn't null-terminated. Ignore last "a" char.
  6. We could also look into second const Array to be sure that encoded string is exactly the same as contents of lua file:
    Code:
    (gdb) x/4x $r2
    0x4395d6f4:	0x009ca248	0x000004a0	0x000004a0	0x00000378
    (gdb) x/4x 0x009ca248
    0x9ca248:	0x3347b5dc	0x26048446	0x1a0c1231	0x35d3f99c
    First 16 bytes are the same, length of data is also ok.

As you can see there is AES::BlockMode passed to AES::Decrypt(). It would be quite hard to interpret it without headers, so I was trying various block modes and I found that CBC with empty initial vector decodes to string starting with '7z'. For me that meant: mission successfull :)

Ok, highscores.lua and settings.lua files now. Technique is very similar, but there are some differences:

  • Different keys.
  • They aren't loaded using GameLua::loadLevel(), but GameLua::loadPersistentFile(). You could find this very easily, searching for "highscores.lua" in IDA.
  • If you examine GameLua::loadPersistentFile() method you will see it doesn't load files using FileInputStream, but io::AppDataInputStream, so we have to be sure, what exactly is being decrypted.
  • Annoying thing is that gdb can't catch highscores/settings loading, because they're loaded too soon - before gdb attach itself.

Maybe there is a better solution to last problem, but I've decided to add some Thread.sleep() call just after System.loadLibrary(), so gdb will attach before highscores.lua loading.

  1. Open smali/com/rovio/ka3d/App.smali, and add 2 lines of code just after loadLibrary() call in onCreate() method:
    Code:
        invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
    
        const-wide/16 v0, 5000
        invoke-static {v0, v1}, Ljava/lang/Thread;->sleep(J)V
  2. Run ndk-gdb --verbose --launch=com.rovio.ka3d.App .
  3. Set a breakpoint for GameLua::loadPersistentFile() method and check which file is being loaded:
    Code:
    (gdb) br _ZN7GameLua18loadPersistentFileERKN4lang6StringE
    Breakpoint 1 at 0x80457030
    (gdb) c
    Continuing.
    [New Thread 6735]
    [Switching to Thread 6735]
    
    Breakpoint 1, 0x80457030 in GameLua::loadPersistentFile () from /home/brutall/t-angrybirds/com.rovio.angrybirdsrio-1/obj/local/armeabi/libangrybirds.so
    (gdb) x/s $r2
    0x4395e3b8:	 "highscores.lua"
    I'm not sure why it's R2, not R1 and why there is no lang::String, but char[] directly. I think this isn't a pointer to String, but String itself, passed to method in registers, so its char[] is in R2.
  4. Now advance to lang::AESUtil::decrypt() method and read key as usual:
    Code:
    (gdb) advance _ZN4lang7AESUtil7decryptERKNS_5ArrayIhEES4_RS2_
    0x80539894 in lang::AESUtil::decrypt () from /home/brutall/t-angrybirds/com.rovio.angrybirdsrio-1/obj/local/armeabi/libangrybirds.so
    (gdb) x/4x $r1
    0x159294:	0x00159620	0x00000020	0x00000020	0x00159518
    (gdb) x/s 0x00159620
    0x159620:	 "44iUY5aTrlaYoet9lapRlaK1Ehlec5i0"
  5. Because of that AppDataInputStream object, we need to check if encrypted data is the same as file contents. Pull highscores.lua file from a device and run:
    Code:
    (gdb) x/4x $r2
    0x4395ddc4:	0x0015bc00	0x00000040	0x00000040	0x00000001
    (gdb) x/16x 0x0015bc00
    0x15bc00:	0x2271b777	0xe6f19f4c	0x2489a316	0xfae1aee2
    0x15bc10:	0x82e0ef38	0xe84fc25d	0xb196adac	0xbf030439
    0x15bc20:	0xb6b9bade	0x3046af12	0xe8eeeb0d	0x20e8037c
    0x15bc30:	0x1a405edf	0xc218f7f6	0xc29209e2	0x9ad03e8c
    Yeah, this is my highscores.lua file.
  6. Same for settings.lua file to check if it's encrypted with the same key. It is.
  7. After decrypting these files we'll see some weird chars at the end of decoded data. Few seconds on the Wikipedia and we'll know this is just PKCS7 padding scheme.

Now we have got everything we want :)

Ahh, not exactly everything... I would be really happy to know, how to properly attach IDA for debugging - it would be much easier, even if gdb interface is also very good.

here's a openssl way:
Code:
openssl aes-256-cbc -d -in highscores.lua -K 3434695559356154726c61596f6574396c6170526c614b3145686c6563356930 -iv 0 -out o.txt
openssl aes-256-cbc -e -in o.txt -K 3434695559356154726c61596f6574396c6170526c614b3145686c6563356930 -iv 0 -out highscores.lua

I would like to try and follow Brut.all's instructions, but I just don't have the faintest clue what I am doing?

I found some keys elsewhere (XeNTax Game Research Forum > Angry Birds (*.LUA) Decrypting (All versions))

Code:
Angry Birds
Quote:
Str = USCaPQpA4TSNVxMI1v9SK9UC0yZuAnb2
Hex = 55534361505170413454534E56784D49317639534B39554330795A75416E6232


Angry Birds: Rio
Quote:
Str = USCaPQpA4TSNVxMI1v9SK9UC0yZuAnb2
Hex = 55534361505170413454534E56784D49317639534B39554330795A75416E6232


Angry Birds: Seasons
Quote:
Str = zePhest5faQuX2S2Apre@4reChAtEvUt
Hex = 7A65506865737435666151755832533241707265403472654368417445765574


Angry Birds: Space
Quote:
Str = RmgdZ0JenLFgWwkYvCL2lSahFbEhFec4
Hex = 526D67645A304A656E4C466757776B5976434C326C5361684662456846656334


Angry Birds: Star Wars
Quote:
Str = An8t3mn8U6spiQ0zHHr3a1loDrRa3mtE
Hex = 416E3874336D6E38553673706951307A4848723361316C6F44725261336D7445

I tried using the OpenSSL method on my Android Seasons 3.1.1 backup

Code:
openssl aes-256-cbc -d -in highscores.lua -K 7A65506865737435666151755832533241707265403472654368417445765574 -iv 0 -out highscores.lua.txt

But I get the response
Code:
bad decrypt
2282524:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:539:

If it helps, here is a link to the .tar

AngryBirdsSeasons_311.tar
 
  • Like
Reactions: ogurets

Dash24x7

Member
Aug 4, 2009
6
1
The keys you posted are for the LUA level files, highscores.lua / settings.lua use different keys. If you happen to find the keys for highscores.lua / settings.lua for Seasons / Space / Star Wars, I would appreciate it, if you could share them.

With best regards,
Dash24x7
 
Last edited:
  • Like
Reactions: escribblings

Top Liked Posts

  • There are no posts matching your filters.
  • 11
    Well... I have attached a debugger to native code, set breakpoints, analyzed registers, memory, etc. It wasn't that easy though. It took me several days to start debugging and get first key, but I got second one in about 1 hour.

    Actually I don't really need that key, I can't even play Angry Birds Rio on my old G1, but it was challenging and I love challenges ;-) Plus I have learnt a LOT about gdb, assembler, ARM architecture, etc.

    So I want to thank you, Goddchen, for giving me an opportunity to learn & play :)

    Ok, let's move on...

    First, I have disassembled libangrybirds.so using IDA Pro 5.5 . I was able to examine code and attach IDA to gdbserver on a device, but unfortunately it wasn't working properly. IDA was thinking that libangrybirds.so is a main binary of a process it attached to, but it should look into loaded shared libs instead. Weird, but I didn't find a way to attach it properly. And this is pity, because IDA is a great tool and it would make debugging a pleasure, but I had to use gdb instead.

    Second, Android has problems with debugging multi-threaded native code. MT support was added in NDK r5 and because of some bug it's not possible on a system older than Gingerbread.

    Third, you could attach gdb manually, but ndk-gdb script does great work for you. You will have to do some tricks to use it with 3rd party app though.

    Fourth, it seems libangrybirds.so is a Java code compiled to native or something like that. There are objects like FileInputStream, ByteOutputStream, etc., but there are also some API differencies. We'll see String and Array<uchar> objects, but it's usually easy to find a pointer to simple uchar[].

    Steps to start native code debugging:

    1. Upgrade to Gingerbread (Yeah, I had to do that. Hacking requires you to sacrifice yourself a bit ;-) ). Or you could use an emulator.
    2. Install NDK >= r5 .
    3. Decode Angry Birds Rio using apktool. You could just unzip it, but decoded app is much more similiar to original sources, so it's more compatible with NDK. For example ndk-gdb reads AndroidManifest.xml to get package name. Of course you could fake simple AndroidManifest.xml and other files if you want.
    4. Rename lib dir to libs.
    5. Fake jni/Android.mk file. I have copied one from hello-jni sample and didn't even bother to modify module name: http://pastebin.com/HMBXt5cm .
    6. Copy libs/armeabi*/libangrybirds.so to obj/local/armeabi*/ . Normally this is done by ndk-build command.
    7. Fake libs/armeabi*/gdb.setup file. It should be something like: http://pastebin.com/BYm13RKz , but second line isn't that important.
    8. Angry Birds Rio apk contains old gdbserver and you need one from NDK r5. Grab ${NDK_ROOT}/toolchains/arm-linux-androideabi-4.4.3/prebuilt/gdbserver and push it to /data/data/com.rovio.angrybirdsrio/lib .
    9. Ufff... you could now try to run: ndk-gdb --verbose --launch=com.rovio.ka3d.App .
    10. After few seconds you should see "(gdb)" prompt and game should be paused on the device.
    11. Run 'info shared' and check if libangrybirds.so is loaded. If not then something is wrong.

    Ok, let's find a key for levels lua files:

    1. Set a breakpoint for GameLua::loadLevel() - find this method in IDA Pro and copy its EXPORT name:
      Code:
      (gdb) br _ZN7GameLua9loadLevelEN4lang6StringE
      Breakpoint 1 at 0x80468e4c
    2. Resume game and open some level. You should hit a breakpoint:
      Code:
      (gdb) c
      Continuing.
      [New Thread 5857]
      [Switching to Thread 5857]
      
      Breakpoint 1, 0x80468e4c in GameLua::loadLevel () from /home/brutall/t-angrybirds/com.rovio.angrybirdsrio-1/obj/local/armeabi/libangrybirds.so
    3. Look into IDA and note there are 2 lang::String objects passed as first arguments to method, so pointers are in R1 and R2 registers. We need to examine these objects and find pointers to raw char[]. Fortunately lang::String is very simple wrapper around char[], so pointer is first (and only one, I think) member of String:
      Code:
      (gdb) x/4x $r1
      0x4395e66c:	0x00a405f0	0x00153b28	0x804ec778	0x00000000
      (gdb) x/s 0x00a405f0
      0xa405f0:	 "levels/warehouse/Level190"
      Yey, finally we see something :)
    4. Let's move to lang::AESUtil::decrypt() method. It's named _ZN4lang7AESUtil7decryptERKNS_5ArrayIhEES4_RS2_, so:
      Code:
      (gdb) advance _ZN4lang7AESUtil7decryptERKNS_5ArrayIhEES4_RS2_
      0x80539894 in lang::AESUtil::decrypt () from /home/brutall/t-angrybirds/com.rovio.angrybirdsrio-1/obj/local/armeabi/libangrybirds.so
    5. As you can see decrypt() gets 3 Array<uchar> objects and 2 of them are const. It's quite easy to guess they're: key, encrypted data and container for decrypted data. Let's check this:
      Code:
      (gdb) x/4x $r1
      0x1592b0:	0x00159528	0x00000020	0x00000020	0x7b206e65
      0x00000020 = 32 - yes, length of AES key :) First 4 bytes of an Array object is a pointer to raw char[] and second 4 bytes contain length of an array. Now we could read contents of an Array:
      Code:
      (gdb) x/s 0x00159528
      0x159528:	 "USCaPQpA4TSNVxMI1v9SK9UC0yZuAnb2a"
      :) As you can see there are 33 chars instead of 32. This is because Array stores its length, so char[] isn't null-terminated. Ignore last "a" char.
    6. We could also look into second const Array to be sure that encoded string is exactly the same as contents of lua file:
      Code:
      (gdb) x/4x $r2
      0x4395d6f4:	0x009ca248	0x000004a0	0x000004a0	0x00000378
      (gdb) x/4x 0x009ca248
      0x9ca248:	0x3347b5dc	0x26048446	0x1a0c1231	0x35d3f99c
      First 16 bytes are the same, length of data is also ok.

    As you can see there is AES::BlockMode passed to AES::Decrypt(). It would be quite hard to interpret it without headers, so I was trying various block modes and I found that CBC with empty initial vector decodes to string starting with '7z'. For me that meant: mission successfull :)

    Ok, highscores.lua and settings.lua files now. Technique is very similar, but there are some differences:

    • Different keys.
    • They aren't loaded using GameLua::loadLevel(), but GameLua::loadPersistentFile(). You could find this very easily, searching for "highscores.lua" in IDA.
    • If you examine GameLua::loadPersistentFile() method you will see it doesn't load files using FileInputStream, but io::AppDataInputStream, so we have to be sure, what exactly is being decrypted.
    • Annoying thing is that gdb can't catch highscores/settings loading, because they're loaded too soon - before gdb attach itself.

    Maybe there is a better solution to last problem, but I've decided to add some Thread.sleep() call just after System.loadLibrary(), so gdb will attach before highscores.lua loading.

    1. Open smali/com/rovio/ka3d/App.smali, and add 2 lines of code just after loadLibrary() call in onCreate() method:
      Code:
          invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
      
          const-wide/16 v0, 5000
          invoke-static {v0, v1}, Ljava/lang/Thread;->sleep(J)V
    2. Run ndk-gdb --verbose --launch=com.rovio.ka3d.App .
    3. Set a breakpoint for GameLua::loadPersistentFile() method and check which file is being loaded:
      Code:
      (gdb) br _ZN7GameLua18loadPersistentFileERKN4lang6StringE
      Breakpoint 1 at 0x80457030
      (gdb) c
      Continuing.
      [New Thread 6735]
      [Switching to Thread 6735]
      
      Breakpoint 1, 0x80457030 in GameLua::loadPersistentFile () from /home/brutall/t-angrybirds/com.rovio.angrybirdsrio-1/obj/local/armeabi/libangrybirds.so
      (gdb) x/s $r2
      0x4395e3b8:	 "highscores.lua"
      I'm not sure why it's R2, not R1 and why there is no lang::String, but char[] directly. I think this isn't a pointer to String, but String itself, passed to method in registers, so its char[] is in R2.
    4. Now advance to lang::AESUtil::decrypt() method and read key as usual:
      Code:
      (gdb) advance _ZN4lang7AESUtil7decryptERKNS_5ArrayIhEES4_RS2_
      0x80539894 in lang::AESUtil::decrypt () from /home/brutall/t-angrybirds/com.rovio.angrybirdsrio-1/obj/local/armeabi/libangrybirds.so
      (gdb) x/4x $r1
      0x159294:	0x00159620	0x00000020	0x00000020	0x00159518
      (gdb) x/s 0x00159620
      0x159620:	 "44iUY5aTrlaYoet9lapRlaK1Ehlec5i0"
    5. Because of that AppDataInputStream object, we need to check if encrypted data is the same as file contents. Pull highscores.lua file from a device and run:
      Code:
      (gdb) x/4x $r2
      0x4395ddc4:	0x0015bc00	0x00000040	0x00000040	0x00000001
      (gdb) x/16x 0x0015bc00
      0x15bc00:	0x2271b777	0xe6f19f4c	0x2489a316	0xfae1aee2
      0x15bc10:	0x82e0ef38	0xe84fc25d	0xb196adac	0xbf030439
      0x15bc20:	0xb6b9bade	0x3046af12	0xe8eeeb0d	0x20e8037c
      0x15bc30:	0x1a405edf	0xc218f7f6	0xc29209e2	0x9ad03e8c
      Yeah, this is my highscores.lua file.
    6. Same for settings.lua file to check if it's encrypted with the same key. It is.
    7. After decrypting these files we'll see some weird chars at the end of decoded data. Few seconds on the Wikipedia and we'll know this is just PKCS7 padding scheme.

    Now we have got everything we want :)

    Ahh, not exactly everything... I would be really happy to know, how to properly attach IDA for debugging - it would be much easier, even if gdb interface is also very good.
    2
    All assets/*/*.lua files are encrypted using AES, CBC mode with empty initial vector and 256-bit key = 'USCaPQpA4TSNVxMI1v9SK9UC0yZuAnb2' (yes, ascii only). After decryption you will see 7z file with real *.lua file inside.

    Example in Python:

    Code:
    from Crypto.Cipher import AES
    AES.new('USCaPQpA4TSNVxMI1v9SK9UC0yZuAnb2', AES.MODE_CBC, '').decrypt(open('MainMenuPage.lua', 'r').read())

    You should see a string starting with "7z" and after saving it to a file you should be able to open it using any 7z archiver.

    Still I don't know about highscores.lua and settings.lua - these files are different. I'm afraid they aren't 7z files, so even if I'll decrypt them successfully, I'll just get some unknown binary files.
    2
    After latest Angry Birds StarWars update crashed and it just wipe my progress, I decided to get the key for highscores.lua myself. I was not going to repeat the whole Hoth system, the game progress of almost the last two months, the time of my last Titanium Backup.

    After some fighting with adb, ndk-gdb, apktool, etc, I got it! e83Tph0R3aZ2jGK6eS91uLvQpL33vzNi. Some more python and now I'm just after Hoth system again!!!
    1
    Is the use of lua files common on android and android apps

    I don't know. AFAIK there is no lua support in Android itself, but of course anyone could use some external libraries and seems this isn't a big problem. Lua scripts are quite popular among game developers, I think.
    1
    I tried to follow this on nexus 4 with kitkat and latest NDK, but I noticed there have been some changes, ndk-gdb refuses to attach to an activity which has android.debuggable not set to true in the manifest (so I changed that and recompiled+resigned apk), but even that way there's no way to make it load the angry birds .so. Among the shared libraries, I can only see the android system libraries:
    Code:
    macbook-pro:seasons Aurora$ /Volumes/Dati/android-ndk-r9d/ndk-gdb --verbose --launch=com.rovio.fusion.App
    Android NDK installation path: /Volumes/Dati/android-ndk-r9d
    Using default adb command: /Volumes/Dati/Nexus/adb
    ADB version found: Android Debug Bridge version 1.0.31
    Using ADB flags: 
    Using JDB command: /usr/bin/jdb
    Using auto-detected project path: .
    Found package name: com.rovio.angrybirdsseasons
    ABIs targetted by application: armeabi-v7a
    Device API Level: 19
    Device CPU ABIs: armeabi-v7a armeabi
    Compatible device ABI: armeabi-v7a
    Using gdb setup init: ./libs/armeabi-v7a/gdb.setup
    Using toolchain prefix: /Volumes/Dati/android-ndk-r9d/toolchains/arm-linux-androideabi-4.6/prebuilt/darwin-x86_64/bin/arm-linux-androideabi-
    Using app out directory: ./obj/local/armeabi-v7a
    Found debuggable flag: true
    Found data directory: '/data/data/com.rovio.angrybirdsseasons'
    Found device gdbserver: /data/data/com.rovio.angrybirdsseasons/lib/gdbserver
    Launching activity: com.rovio.angrybirdsseasons/com.rovio.fusion.App
    ## COMMAND: adb_cmd shell am start -D -n com.rovio.angrybirdsseasons/com.rovio.fusion.App
    Starting: Intent { cmp=com.rovio.angrybirdsseasons/com.rovio.fusion.App }
    ## COMMAND: adb_cmd shell sleep 2
    Found running PID: 13175
    Launched gdbserver succesfully.
    ## COMMAND: adb_cmd shell run-as com.rovio.angrybirdsseasons /data/data/com.rovio.angrybirdsseasons/lib/gdbserver +debug-socket --attach 13175
    Setup network redirection
    ## COMMAND: adb_cmd forward tcp:5039 localfilesystem:/data/data/com.rovio.angrybirdsseasons/debug-socket
    ## COMMAND: adb_cmd pull /system/bin/app_process ./obj/local/armeabi-v7a/app_process
    Attached; pid = 13175
    Listening on Unix socket debug-socket
    2713 KB/s (9560 bytes in 0.003s)
    Pulled app_process from device/emulator.
    ## COMMAND: adb_cmd pull /system/bin/linker ./obj/local/armeabi-v7a/linker
    3225 KB/s (63664 bytes in 0.019s)
    Pulled linker from device/emulator.
    ## COMMAND: adb_cmd pull /system/lib/libc.so ./obj/local/armeabi-v7a/libc.so
    2794 KB/s (310584 bytes in 0.108s)
    Pulled libc.so from device/emulator.
    Setup JDB connection
    ## COMMAND: adb_cmd forward tcp:65534 jdwp:13175
    Set uncaught java.lang.Throwable
    Set deferred uncaught java.lang.Throwable
    Initializing jdb ...
    > Input stream closed.
    GNU gdb (GDB) 7.3.1-gg2
    Copyright (C) 2011 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "--host=x86_64-apple-darwin --target=arm-linux-android".
    For bug reporting instructions, please see:
    <http://source.android.com/source/report-bugs.html>.
    Warning: /Volumes/Dati/Nexus/seasons/<NDK_ROOT>/platforms/android-19/arch-arm/usr/include: No such file or directory.
    Warning: /Volumes/Dati/Nexus/seasons/<NDK_ROOT>/sources/cxx-stl/systemfile: No such file or directory.
    warning: /Volumes/Dati/Nexus/seasons/./obj/local/armeabi-v7a/app_process is not a directory.
    Remote debugging from host 0.0.0.0
    0x400b7ad8 in ?? ()
    (gdb) info shared
    Error reading attached process's symbol file.
    com.rovio.angrybirdsseasons: No such file or directory.
    From        To          Syms Read   Shared Object Library
    0x4006fa60  0x4007a79c  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/linker
    0x400a3198  0x400d3b0c  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libc.so
    0x400f1828  0x400f19c8  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libstdc++.so
    0x400f6940  0x40109258  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libm.so
    0x40091f50  0x40093490  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/liblog.so
    0x400883ec  0x4008cb50  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libcutils.so
    0x4012ab1c  0x4012d20c  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libgccdemangle.so
    0x401261d0  0x401274ac  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libcorkscrew.so
    0x40119780  0x4011ff24  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libutils.so
    0x40149c50  0x40153ba4  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libbinder.so
    0x402135f0  0x4021385c  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libhardware.so
    0x402105d0  0x40210834  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libmemtrack.so
    0x40239bf0  0x4024980c  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libz.so
    0x40222240  0x402303fc  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libandroidfw.so
    0x40254774  0x402633a0  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libexpat.so
    0x402863a8  0x4029c684  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libstlport.so
    0x4026aca0  0x4026c058  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libnativehelper.so
    0x402a553c  0x402a7c34  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libnetutils.so
    0x402b658c  0x402b6730  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libsync.so
    0x402afc70  0x402b2b2c  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libui.so
    0x4036d210  0x40394aa0  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libGLES_trace.so
    0x4030258c  0x4032ca68  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libEGL.so
    0x4039ffb4  0x403a1d60  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libGLESv2.so
    0x402dac70  0x402e97fc  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libgui.so
    0x403ae3a8  0x403b509c  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libinput.so
    0x403f23f4  0x403f4264  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libcamera_metadata.so
    0x403da0a0  0x403e3780  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libcamera_client.so
    0x4062d240  0x40643a78  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libpng.so
    0x405dc444  0x406144a8  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libft2.so
    0x4064cad8  0x40673638  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libjpeg.so
    0x40779b84  0x40779fcc  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libgabi++.so
    0x406a6380  0x4072d868  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libicuuc.so
    0x407cc570  0x4089a932  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libicui18n.so
    0x40490210  0x4058dcd0  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libskia.so
    0x408baa10  0x408fa720  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libsqlite.so
    0x4090b180  0x4090c890  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libGLESv1_CM.so
    0x4090f50c  0x409100a4  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libETC1.so
    0x4091b120  0x4091ba64  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libwpa_client.so
    0x4091483c  0x40916288  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libhardware_legacy.so
    0x40920cc8  0x40926a28  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libselinux.so
    0x4092e798  0x4093f530  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libsonivox.so
    0x409b2be0  0x40a30bf0  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libcrypto.so
    0x40a7abf0  0x40a9db1c  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libssl.so
    0x40b3eea8  0x40b44a64  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libstagefright_foundation.so
    0x40b4d9a8  0x40b506c4  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libspeexresampler.so
    0x40b49b78  0x40b4a7c8  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libaudioutils.so
    0x40af09f0  0x40b11440  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libmedia.so
    0x40b53ed0  0x40b548f4  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libusbhost.so
    0x40b5abf0  0x40b91514  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libharfbuzz_ng.so
    0x40d96e38  0x4135c3f8  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libLLVM.so
    0x40c58318  0x40c7cc9c  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libbcinfo.so
    0x40c1586c  0x40c266b8  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libbcc.so
    0x40bf1250  0x40c04328  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libRS.so
    0x414aaeac  0x414b2c3c  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libRScpp.so
    0x40bae318  0x40bccfb0  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libhwui.so
    0x4019fd38  0x401e80f4  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libandroid_runtime.so
    0x415a7f48  0x415a88e4  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libqc-opt.so
    0x41500280  0x41579fa2  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libdvm.so
    0x6fe8caa8  0x6fea6ec8  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libjavacore.so
    0x714045f0  0x71404828  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/memtrack.msm8960.so
    0x72fba0f8  0x72fbf6c8  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libdrmframework.so
    0x72fa8380  0x72fa9dfc  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libdrmframework_jni.so
    0x71649ac8  0x71649ce8  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libconnectivitymanager.so
    0x73138cc4  0x7313f420  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libstagefright_omx.so
    ---Type <return> to continue, or q <return> to quit---
    0x73147d00  0x731485e0  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libstagefright_yuv.so
    0x7314cc50  0x73157b18  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libvorbisidec.so
    0x73166aa4  0x73166fac  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libpowermanager.so
    0x7316a514  0x7316a618  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libstagefright_enc_common.so
    0x7316e0a0  0x73170ef4  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libstagefright_avc_common.so
    0x73080de0  0x730f3720  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libstagefright.so
    0x7317b99c  0x73180d44  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libmtp.so
    0x7318e728  0x73199674  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libexif.so
    0x731b55c4  0x731b82f8  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libstagefright_amrnb_common.so
    0x73015ea8  0x7302c2f0  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libmedia_jni.so
    0x731c79e8  0x731cbccc  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libjhead.so
    0x731c2b70  0x731c38c8  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libjhead_jni.so
    0x7322b198  0x7322d870  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libcommon_time_client.so
    0x73236790  0x73238308  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libnbaio.so
    0x7323ba84  0x7323c714  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libeffects.so
    0x731f9158  0x732138c4  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libaudioflinger.so
    0x73278ce4  0x7327a85c  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libvideoeditor_osal.so
    0x7327d66c  0x7327f018  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libvideoeditor_videofilters.so
    0x7328dcd0  0x73298bb4  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libvideoeditorplayer.so
    0x7324ab08  0x7326db94  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libvideoeditor_core.so
    0x731d9488  0x731dfc94  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libvideoeditor_jni.so
    0x732abce0  0x732adc40  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/librs_jni.so
    0x7473e9d0  0x74741450  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libandroid.so
    0x74746510  0x7474668c  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libjnigraphics.so
    0x73467120  0x741d35f0  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libwebviewchromium.so
    0x7474a008  0x7474a600  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libwebviewchromium_plat_support.so
    0x74792de8  0x7479a04c  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libjavacrypto.so
    0x748d4170  0x748e6390  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libgsl.so
    0x7141b8c4  0x7141c0ac  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libadreno_utils.so
    0x748ae144  0x748c92a4  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libEGL_adreno.so
    0x748fd5d8  0x749158e8  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libGLESv1_CM_adreno.so
    0x7495a700  0x749e7b20  No          /Volumes/Dati/Nexus/seasons/obj/local/armeabi-v7a/libGLESv2_adreno.so
    (gdb)
    Any help? And has anyone managed to get the savegame key for seasons or space?