
Comments (4)

strazzere commented on May 20, 2024

Confirmed hits - not seeing any FPs;


Adding as "CNProtector" unless we figure out the tool's proper name.


strazzere commented on May 20, 2024

Potentially we can track this protector using;

02 00 01 00 00 00 00 00 ** ** ** ** 11 00 00 00

Which is from the code segment of the injected methods;

This combined with what appears to be a static debug segment:

0C 00 07 0E 00


The injected opcodes appear to be "random" junk but always 17 bytes long.


strazzere commented on May 20, 2024

This seems to be a bit common, so we need to include some extra data - it would appear the first injected byte is always attempted to be parsed as an opcode (at least by dexlib), which, if we look at all the classes it tried to parse, gives us all these "illegal opcodes";


So if we look for;

02 00 01 00 00 00 00 00 ** ** ** ** 11 00 00 00 [illegal opcode]

We should have a pretty good detection on this.


strazzere commented on May 20, 2024

This ends up covering it pretty well and isn't very slow;

02 00 01 00 00 00 00 00 ?? ?? ?? ?? 11 00 00 00 00 (1? | 2? | 3? | 4? | 5? | 6? | 7? | 8? | 9? | a? | b? | c0 | c1 | c2 | c3 | c4 | c5 | c6 | c7)

Running a retro hunt to ensure I don't hit FPs.

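The two ingredients discussed in this thread, the fixed code_item header fields from the first pattern and the `00 XX` first code unit that dexlib reports as "unknown opcode: 0xXX00", checked in code. This is an added Python example, not code from the apkid project or from the thread; the code_item layout is the standard DEX format, the sample blobs are constructed, and the byte regex is a transcription of the final hex signature in the comment above.

```python
import re
import struct

# Dalvik code_item header: registers_size, ins_size, outs_size, tries_size (u2 each),
# debug_info_off, insns_size (u4 each), followed by insns_size 16-bit code units.
CODE_ITEM_HDR = struct.Struct("<HHHHII")

# Byte-level equivalent of the signature from the thread:
#   02 00 01 00 00 00 00 00 ?? ?? ?? ?? 11 00 00 00 00 (1?|2?|...|b?|c0..c7)
# The first code unit has a 0x00 low byte and a high byte in 0x10..0xc7, which is
# exactly the "unknown opcode: 0xNN00" shape dexlib complained about.
CNPROTECTOR_PATTERN = re.compile(
    rb"\x02\x00\x01\x00\x00\x00\x00\x00.{4}\x11\x00\x00\x00\x00[\x10-\xc7]",
    re.DOTALL,
)


def is_cnprotector_code_item(data: bytes, offset: int = 0) -> bool:
    """Structured check: parse the code_item at `offset` and test each field."""
    if len(data) < offset + CODE_ITEM_HDR.size + 2:
        return False
    regs, ins, outs, tries, _dbg, insns_size = CODE_ITEM_HDR.unpack_from(data, offset)
    if (regs, ins, outs, tries, insns_size) != (2, 1, 0, 0, 0x11):
        return False
    # First 16-bit code unit (little-endian): the low byte is the Dalvik opcode.
    lo, hi = data[offset + CODE_ITEM_HDR.size], data[offset + CODE_ITEM_HDR.size + 1]
    # A nop (0x00) low byte with a high byte outside the legitimate payload
    # markers (0x01..0x03) is what the protector's junk looks like.
    return lo == 0x00 and 0x10 <= hi <= 0xC7


def scan_dex(data: bytes) -> list[int]:
    """Return offsets of every hit of the byte pattern anywhere in the blob."""
    return [m.start() for m in CNPROTECTOR_PATTERN.finditer(data)]


def make_code_item(first_unit: bytes, insns_size: int = 0x11) -> bytes:
    """Build a constructed code_item for testing (not taken from a real sample)."""
    hdr = CODE_ITEM_HDR.pack(2, 1, 0, 0, 0x1234, insns_size)
    return hdr + first_unit + bytes(insns_size * 2 - len(first_unit))


# Constructed samples: one shaped like the injected junk, two benign method bodies.
INJECTED = make_code_item(b"\x00\x5a")    # dexlib would report "unknown opcode: 0x5a00"
BENIGN_NOP = make_code_item(b"\x00\x00")  # a plain nop, not junk
BENIGN_RET = make_code_item(b"\x0e\x00")  # return-void as the first instruction

if __name__ == "__main__":
    blob = b"dex\n035\x00" + BENIGN_RET + INJECTED + BENIGN_NOP
    print(scan_dex(blob))  # offsets of hits in the constructed blob
```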
