Add APKGuard obfuscator APK rule (apkid) - 7 comments - CLOSED

rednaga commented on May 12, 2024
Add APKGuard obfuscator APK rule

from apkid.

Comments (7)

strazzere commented on May 12, 2024

This "packer" can be solved in a semi-interesting way;

[98%]diff@rocksteady:[1] $ xortool -l 32 -c 00 decoded 
1 possible key(s) of length 32:
0e1f2686790e7ee7794ca0089cac50f7
Found 0 plaintexts with 95.0%+ printable characters
See files filename-key.csv, filename-char_used-perc_printable.csv

(Using the tool found at https://github.com/hellman/xortool)

If you simply look at the file - we know where to expect null bytes in a dex file (link section, etc) and can also predict specific parts (magic bytes, endian tag, etc) and if you just simply look for repeating bytes you'll see them. If you Base64 decode the xor'ed asset - you'll see that the key 0e1f2686790e7ee7794ca0089cac50f7 pops 29,461 times.


strazzere commented on May 12, 2024

This is a decent pattern match for all the samples I've been able to find:

        120b            // const/4 v11, #int 0 // #0
        6f20 0100 fe00  // invoke-super {v14, v15}, Landroid/app/Application;.attachBaseContext:(Landroid/content/Context;)V // method@0001
        2206 ??00       // new-instance v6, Ljava/io/File; // type@0006
        6e10 ??00 0e00  // invoke-virtual {v14}, Lyxlhycuqv/weudayy;.getFilesDir:()Ljava/io/File; // method@0019
        0c09            // move-result-object v9
        1a0a 2f00       // const-string v10, "lllllllllllllllllllllllllllllllllllllllll.zip" // string@002f
        7030 ??00 960a  // invoke-direct {v6, v9, v10}, Ljava/io/File;.<init>:(Ljava/io/File;Ljava/lang/String;)V // method@000a
        1a09 1900       //  const-string v9, BASE64_ENCODED_ZIP_FILE
        7120 ??00 b900  // invoke-static {v9, v11}, Landroid/util/Base64;.decode:(Ljava/lang/String;I)[B // method@0003
        0c02            // move-result-object v2
        2205 ??00       // new-instance v5, Ljava/io/FileOutputStream; // type@0007
        7020 ??00 6500  // invoke-direct {v5, v6}, Ljava/io/FileOutputStream;.<init>:(Ljava/io/File;)V // method@000c
        2201 ??00       // new-instance v1, Ljava/io/BufferedOutputStream; // type@0005
        7020 ??00 5100  // invoke-direct {v1, v5}, Ljava/io/BufferedOutputStream;.<init>:(Ljava/io/OutputStream;)V // method@0006
        6e20 ??00 2100  // invoke-virtual {v1, v2}, Ljava/io/BufferedOutputStream;.write:([B)V // method@0009
        6e10 ??00 0100  // invoke-virtual {v1}, Ljava/io/BufferedOutputStream;.flush:()V // method@0008
        6e10 ??00 0100  // invoke-virtual {v1}, Ljava/io/BufferedOutputStream;.close:()V // method@0007
        6e10 ??00 0600  // invoke-virtual {v6}, Ljava/io/File;.getAbsolutePath:()Ljava/lang/String; // method@000b
        0c03            // move-result-object v3
        6e10 ??00 0e00  // invoke-virtual {v14}, Lyxlhycuqv/weudayy;.getFilesDir:()Ljava/io/File; // method@0019
        0c09            // move-result-object v9
        6e10 ??00 0900  // invoke-virtual {v9}, Ljava/io/File;.getAbsolutePath:()Ljava/lang/String; // method@000b
        0c07            // move-result-object v7
        6e10 ??00 0e00  // invoke-virtual {v14}, Lyxlhycuqv/weudayy;.getClassLoader:()Ljava/lang/ClassLoader; // method@0018
        0c00            // move-result-object v0
        2204 ??00       //  new-instance v4, Ldalvik/system/DexClassLoader; // type@0004
        1209            // const/4 v9, #int 0 // #0
        7050 ??00 3497  // invoke-direct {v4, v3, v7, v9, v0}, Ldalvik/system/DexClassLoader;.<init>:(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V // method@0004
        1a09 ??00       // const-string v9, "yabno/blkngwigpd" // string@003d
        6e20 ??00 9400  // invoke-virtual {v4, v9}, Ldalvik/system/DexClassLoader;.loadClass:(Ljava/lang/String;)Ljava/lang/Class; // method@0005
        0c09            // move-result-object v9
        120a            // const/4 v10, #int 0 // #0
        23aa ??00       // new-array v10, v10, [Ljava/lang/Class; // type@0016
        6e20 ??00 a900  // invoke-virtual {v9, v10}, Ljava/lang/Class;.getConstructor:([Ljava/lang/Class;)Ljava/lang/reflect/Constructor; // method@000d
        0c09            // move-result-object v9
        120a            // const/4 v10, #int 0 // #0
        23aa ??00       // new-array v10, v10, [Ljava/lang/Object; // type@0017
        6e20 ??00 a900  // invoke-virtual {v9, v10}, Ljava/lang/reflect/Constructor;.newInstance:([Ljava/lang/Object;)Ljava/lang/Object; // method@0013
        0c09            // move-result-object v9
        5be9 0000       // iput-object v9, v14, Lyxlhycuqv/weudayy;.aaa:Ljava/lang/Object; // field@0000
        54e9 0000       // iget-object v9, v14, Lyxlhycuqv/weudayy;.aaa:Ljava/lang/Object; // field@0000
        6e10 ??00 0900  // invoke-virtual {v9}, Ljava/lang/Object;.getClass:()Ljava/lang/Class; // method@0012
        0c09            // move-result-object v9
        1a0a ??00       // const-string v10, "attachBaseContext" // string@0022
        121b            // const/4 v11, #int 1 // #1
        23bb ??00       // new-array v11, v11, [Ljava/lang/Class; // type@0016
        120c            // const/4 v12, #int 0 // #0
        1c0d ??00       // const-class v13, Landroid/content/Context; // type@0002
        4d0d 0b0c       // aput-object v13, v11, v12
        6e30 ??00 a90b  // invoke-virtual {v9, v10, v11}, Ljava/lang/Class;.getDeclaredMethod:(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method; // method@000e
        0c09            // move-result-object v9
        54ea 0000       // iget-object v10, v14, Lyxlhycuqv/weudayy;.aaa:Ljava/lang/Object; // field@0000
        121b            // const/4 v11, #int 1 // #1
        23bb ??00       // new-array v11, v11, [Ljava/lang/Object; // type@0017
        120c            // const/4 v12, #int 0 // #0
        4d0e 0b0c       // aput-object v14, v11, v12
        6e30 ??00 a90b  // invoke-virtual {v9, v10, v11}, Ljava/lang/reflect/Method;.invoke:(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object; // method@0015
        0e00            // return-void
        0d08            // move-exception v8
        6e10 ??00 0800  // invoke-virtual {v8}, Ljava/lang/Exception;.printStackTrace:()V // method@000f
        28fb            // goto 0073 // -0005


enovella commented on May 12, 2024

Hi Guys,

I've just pull-requested a new rule in order to detect this new packer (8097cb5 & 0edb9a9)

[*] /tmp/RootBeer Sample_v0.6.apk!classes.dex
 |-> anti_vm : Build.TAGS check, possible ro.secure check
 |-> compiler : dx (possible dexmerge)
 |-> manipulator : dexmerge

[*] /tmp/RootBeer Sample_v0.6-apkguarded.apk!classes.dex
 |-> compiler : dexlib 2.x
 |-> packer : ApkGuard

It still needs to be tweaked a little bit more. Here are the samples if you want to investigate it further.

Cheers

Samples: (Rename them to APK extension.)
RootBeerSample_v0.6-apkguarded.zip
RootBeerSample_v0.6.zip
RootBeerSample_v0.6-apkguarded-2time.zip
Notes:

  • DEX file is decrypted from assets/IcYJpfWskg

Unpacking

package cdnnxte;

import android.app.Application;
import android.content.Context;
import android.util.Base64;
import dalvik.system.DexClassLoader;
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.lang.reflect.InvocationTargetException;

public class wskluqhihar extends Application {
    Object aaa;

    public void onCreate() {
        super.onCreate();
        try {
            this.aaa.getClass().getDeclaredMethod("onCreate", new Class[0]).invoke(this.aaa, new Object[0]);
        } catch (IllegalAccessException e) {
            e.printStackTrace();
        } catch (InvocationTargetException e2) {
            e2.printStackTrace();
        } catch (NoSuchMethodException e3) {
            e3.printStackTrace();
        }
    }

    protected void attachBaseContext(Context context) {
        super.attachBaseContext(context);
        File llllllllllllllllllllllllllllllllllllllllll = new File(getFilesDir(), "lllllllllllllllllllllllllllllllllllllllll.zip");
        byte[] lllllllllllllllllllllllllllllllllllllllllll = Base64.decode("BASE64_ENCODED_ZIP_FILE" /* long literal elided from the post */, 0);
        try {
            BufferedOutputStream lllllllllllllllllllllllllllllllllllllllllllll = new BufferedOutputStream(new FileOutputStream(llllllllllllllllllllllllllllllllllllllllll));
            lllllllllllllllllllllllllllllllllllllllllllll.write(lllllllllllllllllllllllllllllllllllllllllll);
            lllllllllllllllllllllllllllllllllllllllllllll.flush();
            lllllllllllllllllllllllllllllllllllllllllllll.close();
            this.aaa = new DexClassLoader(llllllllllllllllllllllllllllllllllllllllll.getAbsolutePath(), getFilesDir().getAbsolutePath(), null, getClassLoader()).loadClass("vglfes/padsqi").getConstructor(new Class[0]).newInstance(new Object[0]);
            this.aaa.getClass().getDeclaredMethod("attachBaseContext", new Class[]{Context.class}).invoke(this.aaa, new Object[]{this});
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}


strazzere commented on May 12, 2024

It would appear they do not add any randomization to their packing of the original file;

[46%]diff@rocksteady:[known] $ shasum 1/assets/IcYJpfWskg 2/assets/IcYJpfWskg 
45d412e1ad46a0676c0c4518d182a9af95d29f1e  1/assets/IcYJpfWskg
45d412e1ad46a0676c0c4518d182a9af95d29f1e  2/assets/IcYJpfWskg

Nor to their stub;

[47%]diff@rocksteady:[known] $ shasum 1/classes.dex 2/classes.dex 
2c290a83b3197085341950694cc1a4b7ab9f5e5a  1/classes.dex
2c290a83b3197085341950694cc1a4b7ab9f5e5a  2/classes.dex

Which is funny because --

This is only made funnier because this is the ProtectedLoader class which does all the "heavy lifting":

    public String decryptData(String encodedData) {
        return new String(this.xorBytes(this.b64decode(encodedData), "UninitializedInstance".getBytes()));
    }

    private byte[] b64decode(String stringToDecode) {
        return Base64.decode(stringToDecode, 0);
    }

    public void attachBaseContext(Context arg4) {
        super.attachBaseContext(arg4);
        try {
            this.getClass().getDeclaredMethod("dJAILQMzr").invoke(this);
        }
        catch(Exception v0) {
        }
    }

    public void onCreate() {
        super.onCreate();
        return;
        v0.printStackTrace();   // decompiler residue: unreachable remains of a catch handler
    }

    private byte[] xorBytes(byte[] data, byte[] xorString) {
        byte[] returnData = new byte[data.length];
        int i;
        for(i = 0; i < data.length; ++i) {
            returnData[i] = ((byte)(data[i] ^ xorString[i % xorString.length]));
        }

        return returnData;
    }


strazzere commented on May 12, 2024

Oh fun - this actually revealed a Simplify bug CalebFenton/simplify#90 - it isn't using UninitializedInstance, it uses the class name.


enovella commented on May 12, 2024

Found the bug (https://github.com/rednaga/APKiD/blame/master/apkid/rules/dex/packers.yara#L88) with a new sample. I will push the bugfix asap.

Using @radare, we can see the Dalvik asm: (highlighted the byte that should be ??)

Previous rule:
1a0a 2f00 // const-string v10, "lllllllllllllllllllllllllllllllllllllllll.zip" // string@002f

New rule:
1a0a ??00 // const-string v10, "lllllllllllllllllllllllllllllllllllllllll.zip" // string@002f


enovella commented on May 12, 2024

We could also do something like:
1a0a (2f | 30) 00 // const-string v10, "lllllllllllllllllllllllllllllllllllllllll.zip" // string@002f

What do you think @strazzere ?

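To make the rule discussion concrete, an added example (not part of the thread or of APKiD) that re-implements a small subset of YARA hex-string matching in Python and runs the previous, new and alternative patterns over constructed `const-string v10` encodings that differ only in their string index. The `hex_pattern_to_regex`, `string_index` and `evaluate` helpers and the sample bytes are mine; YARA itself is not used.

```python
import re

def hex_pattern_to_regex(pattern):
    """Compile a subset of YARA hex-string syntax into a bytes regex:
    'ab' is a literal byte, '??' any single byte, '( ab | cd )' alternatives.
    Nibble wildcards ('a?') and jumps ('[2-4]') are deliberately unsupported."""
    compact = re.sub(r"\s+", "", pattern)
    tokens = re.findall(r"\?\?|[0-9a-fA-F]{2}|[()|]", compact)
    if "".join(tokens) != compact:
        raise ValueError(f"unsupported hex-string syntax: {pattern!r}")
    parts = []
    for tok in tokens:
        if tok == "??":
            parts.append(b".")
        elif tok in "()|":
            parts.append(tok.encode())
        else:
            parts.append(b"\\x" + tok.encode())   # regex escape for one literal byte
    return re.compile(b"".join(parts), re.DOTALL)

def string_index(insn):
    """const-string: opcode 0x1a, destination register, 16-bit LE string_ids index."""
    assert insn[0] == 0x1a
    return int.from_bytes(insn[2:4], "little")

# Constructed 4-byte const-string v10 instructions; only the string index differs,
# and that index depends on where the string lands in each sample's string table.
SAMPLES = {
    "string@002f": bytes.fromhex("1a0a2f00"),
    "string@0030": bytes.fromhex("1a0a3000"),
    "string@0041": bytes.fromhex("1a0a4100"),
}
RULES = {
    "previous": "1a0a 2f00",          # hard-coded index, as in the broken rule
    "new":      "1a0a ??00",          # index wildcarded, as in the fix
    "alt":      "1a0a (2f | 30) 00",  # the alternatives variant proposed above
}

def evaluate(rules=RULES, samples=SAMPLES):
    """Return, per rule, the names of the samples its pattern matches."""
    return {name: [s for s, blob in samples.items()
                   if hex_pattern_to_regex(pat).search(blob)]
            for name, pat in rules.items()}

if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:>8}: {hits}")
```

Because the string index is assigned by the sample's own string table, the `??` wildcard is the durable choice; `(2f | 30)` only covers the two indices seen so far.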
