Comments (8)
ajinabraham
commented on May 23, 2024
1
If APKiD does the scanning only at DEX level, it makes sense to not support additional format out of the box.
However, here is an example of missed detection from a converted DEX using d8.
(venv-py3.10) ➜ ./d8 --release MTestApp-1.0.0-Android-release-r8.jar
(venv-py3.10) ➜ ls classes.dex
classes.dex
(venv-py3.10) ➜ apkid classes.dex
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] classes.dex
|-> compiler : unknown (please file detection issue!)
(venv-py3.10) ➜ ./d8 --release MTestApp-1.0.0-Android-release-r8.aar
(venv-py3.10) ➜ apkid classes.dex
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] classes.dex
|-> compiler : unknown (please file detection issue!)
from apkid.
strazzere
commented on May 23, 2024
What are you trying to net out of this?
If you build the dex yourself, you would know what created it and you
wouldn't be interested in the binary level details of it.
If you just want to grep for strings, you can do so or run the string yara
rules over the jar contents/aar.
I'm not sure exactly what you're trying to get or what failed in your dex
file creation.
…On Fri, Sep 1, 2023, 11:18 Ajin Abraham ***@***.***> wrote:
APKiD currently supports APK and DEX files. Can the support be also
extended to AAR/JAR.
I tried converting AAR/JAR to DEX and scanning with APKiD, but the binary
features are not being detected.
—
Reply to this email directly, view it on GitHub
<#360>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAEYIRW7JWOTYHVE5BGXHXLXYIKE7ANCNFSM6AAAAAA4H3CBOU>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
from apkid.
ajinabraham
commented on May 23, 2024
Trying to ID AAR/JAR just like we do on DEX or APK. I did the DEX conversion to see if APKiD can work with the converted DEX format.
(venv-py3.10) ➜ testfiles apkid MTestApp-1.0.0-Android-release-r8.apk
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] MTestApp-1.0.0-Android-release-r8.apk!classes.dex
|-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, possible Build.SERIAL check
|-> compiler : r8
(venv-py3.10) ➜ testfiles apkid MTestApp-1.0.0-Android-release-r8.aar
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
(venv-py3.10) ➜ testfiles apkid MTestApp-1.0.0-Android-release-r8.jar
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
All these binaries share pretty much same code and compiler but are built differently as APK, JAR and AAR.
from apkid.
strazzere
commented on May 23, 2024
Right. So what is missing? Can you show an example of the missed detection?
I don't see the use on supporting the extra formats as we specifically are
looking for binary differences in a dex file specifically.
If you're just looking to leverage the tool to scan what is wasn't intended
to scan.... Then it sounds like you found your solution - convert to the
format that is supported...
…On Fri, Sep 1, 2023, 10:44 Ajin Abraham ***@***.***> wrote:
Trying to ID AAR/JAR just like we do on DEX or APK. I did the DEX
conversion to see if APKiD can work with the converted DEX format.
(venv-py3.10) ➜ testfiles apkid MTestApp-1.0.0-Android-release-r8.apk
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] MTestApp-1.0.0-Android-release-r8.apk!classes.dex
|-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, possible Build.SERIAL check
|-> compiler : r8
(venv-py3.10) ➜ testfiles apkid MTestApp-1.0.0-Android-release-r8.aar
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
(venv-py3.10) ➜ testfiles apkid MTestApp-1.0.0-Android-release-r8.jar
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
All these binaries share pretty much same code but are built differently
as APK, JAR and AAR.
—
Reply to this email directly, view it on GitHub
<#360 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAEYIRWOPC77MYY6I3WLDSTXYINJJANCNFSM6AAAAAA4H3CBOU>
.
You are receiving this because you commented.Message ID:
***@***.***>
from apkid.
strazzere
commented on May 23, 2024
Correct.
If you'd like to profile the dex file of the d8 compiler, a PR would be
greatly appreciated for that!
…On Fri, Sep 1, 2023, 11:07 Ajin Abraham ***@***.***> wrote:
If APKiD does the scanning only at DEX level, it makes sense to not
support additional format out of the box.
However, here is an example of missed detection from a converted DEX using
d8.
(venv-py3.10) ➜ ./d8 --release MTestApp-1.0.0-Android-release-r8.jar
(venv-py3.10) ➜ ls classes.dex
classes.dex
(venv-py3.10) ➜ apkid classes.dex
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] classes.dex
|-> compiler : unknown (please file detection issue!)
(venv-py3.10) ➜ ./d8 --release MTestApp-1.0.0-Android-release-r8.aar
(venv-py3.10) ➜ apkid classes.dex
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] classes.dex
|-> compiler : unknown (please file detection issue!)
—
Reply to this email directly, view it on GitHub
<#360 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAEYIRVHM37MOSBDQW26CB3XYIP5TANCNFSM6AAAAAA4H3CBOU>
.
You are receiving this because you commented.Message ID:
***@***.***>
from apkid.
enovella
commented on May 23, 2024
If APKiD does the scanning only at DEX level, it makes sense to not support additional format out of the box.
However, here is an example of missed detection from a converted DEX using
d8.(venv-py3.10) ➜ ./d8 --release MTestApp-1.0.0-Android-release-r8.jar (venv-py3.10) ➜ ls classes.dex classes.dex (venv-py3.10) ➜ apkid classes.dex [+] APKiD 2.1.5 :: from RedNaga :: rednaga.io [*] classes.dex |-> compiler : unknown (please file detection issue!) (venv-py3.10) ➜ ./d8 --release MTestApp-1.0.0-Android-release-r8.aar (venv-py3.10) ➜ apkid classes.dex [+] APKiD 2.1.5 :: from RedNaga :: rednaga.io [*] classes.dex |-> compiler : unknown (please file detection issue!)
Hi @ajinabraham,
It would be great to add this compiler in APKiD. I don't think I will have the time to work on this in the near future, but maybe someone else wants to dig into it. Thanks for opening the ticket!
Best,
Edu
from apkid.
dustty0
commented on May 23, 2024
R8 (and / or d8, L8) compiler leaves string artifacts inside dex.
eg.
~~R8{"backend":"dex","compilation-mode":"release","has-checksums":false,"min-api":24,"pg-map-id":"5820188","r8-mode":"full","version":"8.0.46"}
Such artifacts can be retrieved by using r8's ExtractMarker feature.
Refs:
- https://r8.googlesource.com/r8/+/refs/heads/main/src/main/java/com/android/tools/r8/ExtractMarker.java
- https://stackoverflow.com/questions/67158123/how-to-determine-which-dx-d8-version-was-used-for-apk-creation
Matching signatures like ~~R8 can detect newer dex compilers (I think).
from apkid.
CalebFenton
commented on May 23, 2024
We already do something like this.
https://github.com/rednaga/APKiD/blob/master/apkid/rules/dex/compilers.yara#L178
Anyone want to take a stab at it? I may have time next week.
from apkid.
Related Issues (20)
- [DETECTION] Add libmsaoaidsec.so (no idea about name) HOT 1
- [DETECTION] Add Unknown Packer/Protector
- [DETECTION] New DexGuard v9.x version
- [DETECTION] Unknown protector
- [DETECTION] Risk & anti-fraud Shield SDK
- [DETECTION] NHNent AppGuard improve ELF rule (`libloader.so`)
- [DETECTION] Improve Ijiami packer ELF rule
- [ENHANCEMENT] Improve rule `is_apk` HOT 5
- [DETECTION] Unknown packer (classes.dex) detection HOT 7
- [DETECTION] Flutter App Packed with unknown Packer (classes.dex) HOT 6
- [DETECTION] Add Unknown Packer HOT 2
- [DETECTION] compiler : unknown HOT 4
- [DETECTION] JiaguK packer (classes.dex) detection HOT 7
- [Installation Problem] FileNotFoundError: [Errno 2] No such file or directory: 'yara-python/README.rst' HOT 1
- [DETECTION] Add Naga Reinforcement HOT 1
- [DETECTION] Missing DexGuard 9.x rule (in combo with Promon)
- Bat command no execution. HOT 2
- [DETECTION] Blackmod modder HOT 1
- [DETECTION] AndResGuard resource protection HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from apkid.