Comments (8)
If APKiD does the scanning only at DEX level, it makes sense to not support additional format out of the box.
However, here is an example of missed detection from a converted DEX using d8.
(venv-py3.10) ➜ ./d8 --release MTestApp-1.0.0-Android-release-r8.jar
(venv-py3.10) ➜ ls classes.dex
classes.dex
(venv-py3.10) ➜ apkid classes.dex
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] classes.dex
|-> compiler : unknown (please file detection issue!)
(venv-py3.10) ➜ ./d8 --release MTestApp-1.0.0-Android-release-r8.aar
(venv-py3.10) ➜ apkid classes.dex
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] classes.dex
|-> compiler : unknown (please file detection issue!)
Trying to ID AAR/JAR just like we do on DEX or APK. I did the DEX conversion to see if APKiD can work with the converted DEX format.
(venv-py3.10) ➜ testfiles apkid MTestApp-1.0.0-Android-release-r8.apk
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] MTestApp-1.0.0-Android-release-r8.apk!classes.dex
|-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, possible Build.SERIAL check
|-> compiler : r8
(venv-py3.10) ➜ testfiles apkid MTestApp-1.0.0-Android-release-r8.aar
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
(venv-py3.10) ➜ testfiles apkid MTestApp-1.0.0-Android-release-r8.jar
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
All these binaries share pretty much same code and compiler but are built differently as APK, JAR and AAR.
Hi @ajinabraham,
It would be great to add this compiler in APKiD. I don't think I will have the time to work on this in the near future, but maybe someone else wants to dig into it. Thanks for opening the ticket!
Best,
Edu
R8 (and / or d8, L8) compiler leaves string artifacts inside dex.
eg.
~~R8{"backend":"dex","compilation-mode":"release","has-checksums":false,"min-api":24,"pg-map-id":"5820188","r8-mode":"full","version":"8.0.46"}
Such artifacts can be retrieved by using r8's ExtractMarker feature.
Refs:
- https://r8.googlesource.com/r8/+/refs/heads/main/src/main/java/com/android/tools/r8/ExtractMarker.java
- https://stackoverflow.com/questions/67158123/how-to-determine-which-dx-d8-version-was-used-for-apk-creation
Matching signatures like ~~R8 can detect newer dex compilers (I think).
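As an added illustration of the marker-based approach described in the comment above (this is example code, not APKiD's rule or R8's ExtractMarker), the script below scans a DEX byte blob for the `~~R8` / `~~D8` / `~~L8` JSON marker and reports tool, version and compilation mode. The sample DEX bytes are constructed here, and the assumption that D8 and L8 use the same `~~<tool>{...}` convention is based on the ExtractMarker reference.

```python
import json
import re
from typing import Optional

# Constructed sample: a minimal fake "DEX" byte blob with the R8 marker string
# embedded in its string data, in the form quoted in the thread above.
SAMPLE_DEX = (
    b"dex\n035\0" + b"\0" * 32
    + b'~~R8{"backend":"dex","compilation-mode":"release","has-checksums":false,'
      b'"min-api":24,"pg-map-id":"5820188","r8-mode":"full","version":"8.0.46"}\0'
    + b"\0" * 16
)

# Marker prefix written by the R8 tool family; assumption: D8 and L8 share the
# "~~<tool>{...}" convention (based on the ExtractMarker source cited above).
MARKER_RE = re.compile(rb"~~(R8|D8|L8)(\{)")

def extract_markers(data: bytes) -> list:
    """Return a list of (tool, dict) for every ~~R8/D8/L8 JSON marker found in data."""
    found = []
    for m in MARKER_RE.finditer(data):
        tool = m.group(1).decode()
        start = m.start(2)
        # Walk forward to the matching closing brace; markers are flat JSON
        # objects, so a simple depth counter is enough.
        depth, end = 0, None
        for i in range(start, len(data)):
            c = data[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
                if depth == 0:
                    end = i + 1
                    break
        if end is None:
            continue  # truncated marker: skip rather than guess
        try:
            info = json.loads(data[start:end].decode("utf-8"))
        except (UnicodeDecodeError, json.JSONDecodeError):
            continue  # "~~R8{" prefix without a valid JSON payload
        found.append((tool, info))
    return found

def identify_compiler(data: bytes) -> Optional[str]:
    """Summarise the first marker as 'tool version (mode)', or None if none found."""
    markers = extract_markers(data)
    if not markers:
        return None
    tool, info = markers[0]
    return f"{tool.lower()} {info.get('version', '?')} ({info.get('compilation-mode', '?')})"

if __name__ == "__main__":
    print(identify_compiler(SAMPLE_DEX))  # r8 8.0.46 (release)
```

A real scan would read `classes.dex` from disk (or out of an APK/AAR/JAR archive) and pass the bytes to `identify_compiler`; absence of a marker does not prove another compiler, only that no R8-family marker survived.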
We already do something like this.
https://github.com/rednaga/APKiD/blob/master/apkid/rules/dex/compilers.yara#L178
Anyone want to take a stab at it? I may have time next week.