strazzere / android-unpacker

Android Unpacker presented at Defcon 22: Android Hacker Protection Level 0

License: Apache License 2.0

Shell 21.27% Makefile 5.76% C 72.98%
android-unpacker gdb qemu reverse-engineering android unpacker

android-unpacker's Introduction

android-unpacker

Android Unpacker presented at Defcon 22: Android Hacker Protection Level 0

Contents

  • AHPL0 - Android Hacker Protection Level 0 + some blackphone stuff slides
  • gdb-scripts/ - Bash script for unpacking bangcle/secshell; requires gdb/adb
  • native-unpacker/ - Unpacker for APKProtect/Bangcle/LIAPP/Qihoo Packer that runs natively, no dependency on gdb
  • hide-qemu/ - Small hacks for hiding the qemu/debuggers, specifically from APKProtect
  • corellium-android-unpacking/ - A more realistic approach to unpacking things, dynamically and with automation around it

Disclaimer

This presentation and code are meant for education and research purposes only. Do as you please with it, but accept any and all responsibility for your actions. The tools were created specifically to assist in malware reversing and analysis - be careful.

License

Copyright 2014-2020 Tim 'diff' Strazzere <[email protected]>

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

android-unpacker's People

Contributors

jhscheer, jonathanhouten, strazzere

android-unpacker's Issues

Pread errors for bangcle packed samples

Hi,
Thanks for the cool project.

I tried using the unpacker on some bangcle samples and get the following error (I printed additional details about the parameters to pread):

+++++++++++++

[+] Attempting to detect packer/protector...
[*] Nothing special found, assuming Bangcle...
[+] Unpacked odex found in memory!
[+] Attempting to dump memory region 0xb6f1c000 to 0xb6f1d000
[!] pread seems to have failed!, fd : 3, read : -1, act : 4096, errno : 22
[!] An issue occured trying to dump the memory to a file!

+++++++++++++

Sample SHA-2s:
841edbbe1afe874b2376c3a46d7a890ab068ea2f69c68ac397b3984446c7d6e2
d99b428c95ee0d29660282133659e70b7b0c6c192dc5ac00ab43b50c5eedb168

Any idea about this error? I use an ARM emulator, platform 4.4.2, API SDK 19.

Regards,
Ram

Need precompiled version. From #35

Hi dev, I don't own a PC to compile the unpacker; if you or some great guys can upload a precompiled version, that would be great. I can only use adb from a friend's PC. Thanks

Help. New packer/protectors?

Hello. This APK https://play.google.com/store/apps/details?id=com.autel.maxiap200.ht200

root@Tab2A7-10F:/data/local/tmp # ./kisskiss com.autel.maxiap200.ht200
[*] Android Dalvik Unpacker/Unprotector - [email protected]
[+] Hunting for com.autel.maxiap200.ht200
[+] 11094 is service pid
[+] 11148 is clone pid
[+] Attempting to detect packer/protector...
[*] Nothing special found, hunting for all dex and odex magic bytes...
[*] No packer found on clone_pid 11148, falling back to service_pid 11094
[+] Attempting to detect packer/protector...
[*] Nothing special found, hunting for all dex and odex magic bytes...
[!] Something unexpected happened, new version of packer/protectors? Or it wasn't packed/protected!

malware using modified or new bangcle version

Guessing it's bangcle based on libsecmain.so
sha1 : 3646c8361252876012402878b84763403928b588

https://blog.lookout.com/blog/2016/06/27/leveldropper/

[+] Hunting for com.xuhdx.lev
[+] 7827 is service pid
[+] 8112 is clone pid
[+] Attempting to detect packer/protector...
[*] Nothing special found, assuming Bangcle...
[!] Something unexpected happened, new version of packer/protectors? Or it wasn't packed/protected!


lib/armeabi/libsecmain.so
res/color/common_google_signin_btn_text_da
res/color/common_google_signin_btn_text_li
res/color/common_plus_signin_btn_text_dark

Installation process unclear

Hi,

I need to use the unpacker to analyse protected applications, but the installation process is not clear. I read the readme file of "native-unpacker" but I am not clear on what the prerequisites etc. are.

Its first step says, "Assumes ndk-build and $ANDROID_NDK_SYSROOT are properly set". Can you please elaborate on it? What does it mean for them to be "set"?
Also, for the step "Push to the device", is that the Android device/emulator?

Can we use this tool on emulators or just on devices? And are proper root and busybox required?

Can you please explain the setup in simple words so that people who do not have NDK experience can also benefit from this tool?

Thanks,

How can I configure the NDK path on Windows?

This is my Makefile:
build: ndk-build NDK_PROJECT_PATH=C:/Users/admin/AppData/Local/Android/sdk/ndk-bundle/build/ndk-build.cmd APP_BUILD_SCRIPT=./Android.mk

Can you help me?

Telman weird packed sample

On a sample (29B06874BAFA07CD204DCCF2AE302F9E52DC2F78E463924E15B9767596559E1A) that is probably packed with Bangcle and APKProtect (??), the tool extracts the usual ~23kb main Bangcle dex file.
I cannot set this (100%) as an issue, but it would be great if the tool could handle this "weird" sample.

Some info below:

Starting: Intent { cmp=com.google.android.ebk.hana.avaffafa/com.google.android.ebk.hana.kakao.MainActivity }
[*] Android Dalvik Unpacker/Unprotector - <[email protected]>
 [+] Hunting for com.google.android.ebk.hana.avaffafa
 [+] 6448 is service pid
 [+] 6475 is clone pid
 [+] Attempting to detect packer/protector...
  [*] Found APKProtect!
 [+] Unpacked odex found in memory!
 [+] Attempting to dump memory region 0x4a73b000 to 0x4a741000
 [+] Unpacked/protected file dumped to : /data/local/tmp/com.google.android.ebk.hana.avaffafa.dumped_odex
4a738000-4a73a000 r--s 00015000 1f:01 570        /data/app/com.google.android.ebk.hana.avaffafa-1.apk
4a73a000-4a73b000 r--s 0012f000 1f:01 570        /data/app/com.google.android.ebk.hana.avaffafa-1.apk
4a73b000-4a741000 r--p 00000000 1f:01 908        /data/dalvik-cache/data@[email protected]@classes.dex
4a741000-4a742000 rw-p 00000000 00:07 79497      /dev/ashmem/dalvik-aux-structure (deleted)
4a742000-4a746000 rw-p 4a742000 00:00 0 
4a746000-4a747000 ---p 4a746000 00:00 0 
4a747000-4a846000 rw-p 4a747000 00:00 0 
4a847000-4a84a000 r-xp 00000000 1f:01 603        /data/app-lib/com.google.android.ebk.hana.avaffafa-1/libsecexe.so
4a84a000-4a86e000 rw-p 4a84a000 00:00 0 
4a86e000-4a86f000 ---p 4a86e000 00:00 0 
4a86f000-4a870000 r--p 00018000 1f:01 603        /data/app-lib/com.google.android.ebk.hana.avaffafa-1/libsecexe.so
4a870000-4a871000 rw-p 00019000 1f:01 603        /data/app-lib/com.google.android.ebk.hana.avaffafa-1/libsecexe.so

Permission denied .

Hi dev, I am executing adb shell ./data/local/tmp/kisskiss com.android.vendinz (it's my own private app, so no issue with writing the name here) but it shows permission denied. I tried 755, 777, 644 and many common chmod permissions but none worked (sometimes a magic 7e45 ELF problem). Please tell me the exact way to run this. Thanks

Unable to locate the memory wanted/odex is.

Hi, recently I was using android-unpacker to de-obfuscate apps that have been modified by the APKProtect offline tool. A problem occurred when I tried to run the executable 'kisskiss' on an AVD; I always got the message:
[*] Android Dalvik Unpacker/Unprotector - [email protected]
[+] Hunting for org.jessies.dalvikexplorer
[+] 240 is service pid
[+] 245 is clone pid
[+] Attempting to detect packer/protector...
[*] Nothing special found, assuming Bangcle...
[+] Unpacked odex found in memory!
[+] Attempting to dump memory region 0xb000d000 to 0xb0016000
[!] pread seems to have failed!
[!] An issue occured trying to dump the memory to a file!

where the region 0xb000d000 to 0xb0016000 is the last blank section in /proc/[pid]/maps, which should be the place containing the odex.

                              ...

afd42000-afd4d000 rwxp afd42000 00:00 0
b0001000-b000c000 r-xp 00001000 1f:00 615 /system/bin/linker
b000c000-b000d000 rwxp 0000c000 1f:00 615 /system/bin/linker
b000d000-b0016000 rwxp b000d000 00:00 0
bed8e000-beda3000 rwxp befeb000 00:00 0 [stack]

Is there anything I misunderstood that causes the function 'peek_memory' not to work?

I am also wondering if it is an experiment environment setup problem; here is my setup information:
AVD provided by Google sdk
API level 10, Android 2.3.3
CPU/ABI: ARM (armeabi)
RAM 512; VM Heap 32
Storage 200MB, SD Card 100MB

and the native-unpacker is built with ndk version android-ndk-r10d.

Thanks!

unable to unpack qihoo packer

the log is:

[*] Android Dalvik Unpacker/Unprotector - <[email protected]>
 [+] Hunting for (hiding the package name as I have no intention to ask you do free unpack work :) )
 [+] 11103 is service pid
 [+] 11326 is clone pid
 [+] Attempting to detect packer/protector...
  [*] Nothing special found, hunting for all dex and odex magic bytes...
  [*] No packer found on clone_pid 11326, falling back to service_pid 11103
 [+] Attempting to detect packer/protector...
  [*] Nothing special found, hunting for all dex and odex magic bytes...
 [!] pread seems to have failed : I/O error
 [!] Error peeking at memory : I/O error
 [!] pread seems to have failed : I/O error
 [!] Error peeking at memory : I/O error
 [!] pread seems to have failed : I/O error
 [!] Error peeking at memory : I/O error
 [!] pread seems to have failed : I/O error
 [!] Error peeking at memory : I/O error
 [!] pread seems to have failed : I/O error
 [!] Error peeking at memory : I/O error
 [!] pread seems to have failed : I/O error
 [!] Error peeking at memory : I/O error

and at the same time the app froze and did not respond at all.
Does this mean qihoo recognized the unpacker and stopped it?

An error while unpack APKProtect based APP

Hi,

I came across an error while unpacking an APKProtect.com based app

+++++++++++++++++++++

255|root@A0001:/ # /data/local/tmp/kisskiss com.huawei.cloudwifi
[*] Android Dalvik Unpacker/Unprotector - [email protected]
[+] Hunting for com.huawei.cloudwifi
[+] 4185 is service pid
[+] 4218 is clone pid
[+] Attempting to detect packer/protector...
[*] Nothing special found, assuming Bangcle...
[+] Unpacked odex found in memory!
[+] Attempting to dump memory region 0xbea9c000 to 0xbea9c000
[!] pread seems to have failed!
[!] An issue occured trying to dump the memory to a file!

+++++++++++++++++++++

And why does kisskiss think this is a Bangcle based app? (I unpacked it as a common app and saw an "apkprotect.com" folder.)

SHA-1: bf7a31fc4920d9b0dfafe3e78f29fe4be3751c0
Other information:
ARMv7 Processor rev 1(v7I)
Android 4.4.4 (CM-11.0)
SELinux:Enabled

By the way, you can download this apk from http://pan.baidu.com/s/1i3zwf8h

Decrypt apk

Hello. I tried it, but need help.
Do I copy the unpacker to the rooted Android device and run it there, or connect the rooted Android device to any Linux distro and run the unpacker there? Or can I find some simple tutorial? Thanks

LIAPP New Version

I was running this unpacker against com.teamblind.blind and received the error message:
Something unexpected happened, new version of packer/protectors? Or it wasn't packed/protected!

I found the dex manually by dumping the process memory manually, searching for application strings in the dump, then resolving the dump address to the page address and finally trimming the dump file. I found that:

  1. The dex file doesn't start on a page boundary; it actually starts at offset 0x10 on this page. The first 0x10 bytes appear to be junk, at least to me
  2. The magic signature is dex\n035 instead of the dey\n036 that the unpacker looks for

The line in the maps file is:
{start_address}-{end_address} rw-p 00000000 00:00 0 [anon:libc_malloc]

Like I said, I did this all manually, but at some point I might try to code up a formal pull request for this repo. Until then, somebody might beat me to the coding, or at the very least I hope this helps somebody.
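The two findings in the post above (a header that begins 0x10 bytes into a page, and a dex rather than odex magic), together with the zero-length regions such as "0xbea9c000 to 0xbea9c000" reported in other issues on this page, suggest the checks a dumper needs before it calls pread. The C below is an added example, not code from the android-unpacker project or kisskiss.c: it parses /proc/<pid>/maps lines, refuses regions that are empty or unreadable, searches a buffer for either magic at any byte offset, and reads the header's little-endian file_size field (offset 0x20 of the dex header) to learn how many bytes to carve. The maps lines and the header bytes are constructed here for illustration.

```c
/* Added example, not code from the android-unpacker project. It shows the
 * checks the reports on this page motivate: parsing /proc/<pid>/maps lines,
 * refusing zero-length or unreadable regions, and finding a dex/odex header
 * at any offset inside a buffer (not only at the start of a page). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct map_region {
    uint64_t start, end;
    char perms[5];
    char path[256];
};

/* Parse one maps line: "start-end perms offset dev inode [path]". */
int parse_maps_line(const char *line, struct map_region *r)
{
    unsigned long long start, end, off, inode;
    char dev[16];
    int consumed = 0;
    memset(r, 0, sizeof *r);
    if (sscanf(line, "%llx-%llx %4s %llx %15s %llu%n",
               &start, &end, r->perms, &off, dev, &inode, &consumed) != 6)
        return -1;
    r->start = start;
    r->end = end;
    const char *p = line + consumed;          /* optional pathname follows */
    while (*p == ' ' || *p == '\t') p++;
    size_t n = strcspn(p, "\n");
    if (n >= sizeof r->path) n = sizeof r->path - 1;
    memcpy(r->path, p, n);                    /* r->path is already NUL-filled */
    return 0;
}

/* A region can be dumped only if it is readable and has nonzero length;
 * "0xbea9c000 to 0xbea9c000" in the reports above is the zero-length case. */
int region_dumpable(const struct map_region *r)
{
    return r->end > r->start && r->perms[0] == 'r';
}

/* Dalvik dex magic "dex\n035\0" and optimized odex magic "dey\n036\0". */
static const uint8_t DEX_MAGIC[8]  = { 'd', 'e', 'x', '\n', '0', '3', '5', 0 };
static const uint8_t ODEX_MAGIC[8] = { 'd', 'e', 'y', '\n', '0', '3', '6', 0 };

/* Scan every byte offset for either magic. Returns 1 (dex), 2 (odex) or 0. */
int find_dex_magic(const uint8_t *buf, size_t len, size_t *off)
{
    for (size_t i = 0; i + 8 <= len; i++) {
        if (memcmp(buf + i, DEX_MAGIC, 8) == 0) { *off = i; return 1; }
        if (memcmp(buf + i, ODEX_MAGIC, 8) == 0) { *off = i; return 2; }
    }
    return 0;
}

/* file_size: little-endian u32 at offset 0x20 of the dex header, which says
 * how many bytes to carve once the header has been located. */
uint32_t dex_file_size(const uint8_t *hdr)
{
    return (uint32_t)hdr[0x20] | (uint32_t)hdr[0x21] << 8 |
           (uint32_t)hdr[0x22] << 16 | (uint32_t)hdr[0x23] << 24;
}

/* Constructed sample: 16 junk bytes, then a dex header whose file_size field
 * claims 0x1234 bytes. Only the fields this example reads are filled in. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    if (cap < 0x80) return 0;
    memset(buf, 0xAA, 0x10);
    memset(buf + 0x10, 0, 0x70);
    memcpy(buf + 0x10, DEX_MAGIC, 8);
    buf[0x10 + 0x20] = 0x34;
    buf[0x10 + 0x21] = 0x12;
    return 0x80;
}

int main(void)
{
    /* Constructed after the maps excerpts quoted in the issues above. */
    const char *lines[] = {
        "4a73b000-4a741000 r--p 00000000 1f:01 908   /data/dalvik-cache/data@app@example.apk@classes.dex\n",
        "b000d000-b0016000 rwxp b000d000 00:00 0\n",
        "bea9c000-bea9c000 rw-p 00000000 00:00 0 [anon:libc_malloc]\n",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        struct map_region r;
        if (parse_maps_line(lines[i], &r) != 0) { puts("parse failed"); continue; }
        printf("%08llx-%08llx %s %s -> %s\n", (unsigned long long)r.start,
               (unsigned long long)r.end, r.perms,
               r.path[0] ? r.path : "(anonymous)",
               region_dumpable(&r) ? "dumpable" : "skip");
    }
    uint8_t buf[0x80];
    size_t off = 0, len = build_sample(buf, sizeof buf);
    int kind = find_dex_magic(buf, len, &off);
    if (kind)
        printf("%s header at offset 0x%zx, file_size 0x%x\n",
               kind == 1 ? "dex" : "odex", off, dex_file_size(buf + off));
    return 0;
}
```

On a real device the buffer would come from pread on /proc/<pid>/mem over a region that passed region_dumpable; carving file_size bytes from the found offset, rather than dumping the whole mapping from its start, is what keeps the leading junk out of the output.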

Should be able to unpack secneo

@goodhacker mentioned the following:

<<
root@ubuntu:~/Desktop/native-unpacker# adb shell /data/local/tmp/kisskiss com.MobileTicket
[*] Android Dalvik Unpacker/Unprotector - [email protected]
[+] Hunting for com.MobileTicket
[+] 695 is service pid
[+] 737 is clone pid
[+] Attempting to detect packer/protector...
[*] Nothing special found, assuming Bangcle...
[!] Something unexpected happened, new version of packer/protectors? Or it wasn't packed/protected!

Sample I was able to track down appears to be using "secneo" which is supposedly the commercial version of Bangcle. Further investigation needed.

gdb file?

Where can I get the gdb binary file for gdb-scripts?

Not root, quitting

Hello,

I have managed to compile and use adb to push kisskiss to a rooted Galaxy S3 with Android 4.3. However, when I try the last adb command

adb shell ./data/local/tmp/kisskiss com.package.name.to.unpack

I get the error "Not root, quitting" although the device is rooted.

What can be the problem?

Should support tencent unpacker

Easily identified by the class:

com/tencent/StubShell/ProxyShell

Also usually included
libmain.so
libshell.so

Lots of references to tx_shell.

Appears to support ART as well as Dalvik.

DexProtector

My Android tools are packed with DexProtector.
How do I unpack this protector? Can you add unpacking of this protector to your tool?

nothing found! I need some help please

Every time I use this I get this error

[*] Android Dalvik Unpacker/Unprotector - <[email protected]>
 [+] Hunting for com.package.name
 [+] 21270 is service pid
 [+] 21313 is clone pid
 [+] Attempting to detect packer/protector...
  [*] Nothing special found, hunting for all dex and odex magic bytes...
  [*] No packer found on clone_pid 21313, falling back to service_pid 21270
 [+] Attempting to detect packer/protector...
  [*] Nothing special found, hunting for all dex and odex magic bytes...
 [!] pread seems to have failed : I/O error
 [!] Error peeking at memory : I/O error
 [!] Something unexpected happened, new version of packer/protectors? Or it wasn't packed/protected!

Maybe it is my phone with Android 8.0, I don't know

I have tried with an Android emulator and I got this

 [+] 4351 is service pid
 [+] 15838 is clone pid
 [+] Attempting to detect packer/protector...
  [*] Nothing special found, hunting for all dex and odex magic bytes...
  [*] No packer found on clone_pid 15838, falling back to service_pid 4351
 [+] Attempting to detect packer/protector...
  [*] Nothing special found, hunting for all dex and odex magic bytes...
 [+] Found 1 potentially interesting memory locations...
 [+] Attempting to search inside memory region 0x95ecd000 to 0x9630f000
  [-] Likely a system file found, ignoring..

I'm using this on a jiagu app.
I don't know why, but if I use apktool to decompile the apk I find qihoo360, while if I go to /data/data/com.example
I see a file called classes.dex (it is encrypted) in a folder called .jiagu;
also in the assets folder of the apk there is a file called .appkey

Another problem is that the makefile compiles the kisskiss file for all ABIs except armeabi, so when I use the command make install it gives me an error

unable to compile native unpacker

I am using android-ndk-r10d,
under "native-unpacker " dir,
using "make" command, at first it prompts:
[armeabi] Compile thumb : kisskiss <= kisskiss.c

./kisskiss.c: In function 'main':
./kisskiss.c:110:3: error: 'for' loop initial declarations are only allowed in C99 mode
   for(int i = 0; i < found; i++) {
   ^
./kisskiss.c:110:3: note: use option -std=c99 or -std=gnu99 to compile your code

then I added "LOCAL_CFLAGS += -std=c99" in Android.mk
and it passed, but when I "make" again, it says:

[armeabi] Compile thumb  : kisskiss <= kisskiss.c
./kisskiss.c: In function 'peek_memory':
./kisskiss.c:341:3: warning: implicit declaration of function 'pread64' [-Wimplicit-function-declaration]
   int read = pread64(memory_file, buffer, 8, address);
   ^
[armeabi] Executable     : kisskiss
./kisskiss.c:341: error: undefined reference to 'pread64'
./kisskiss.c:378: error: undefined reference to 'pread64'
collect2: error: ld returned 1 exit status
make[1]: *** [obj/local/armeabi/kisskiss] Error 1

any suggestion?

Issue unpacking apk

Hi,

I've tried using the native-unpacker on the following APK: https://www.apkmonk.com/app/com.beikang/

As far as I can tell this is using qihoo360 (contains libjiagu_art.so, the com.quhoo.util.* classes)

Output from APKiD:

[+] APKiD 1.0.0 :: from RedNaga :: rednaga.io
[*] com.beikang_2017-08-04.apk
|-> packer : Jiagu
[*] com.beikang_2017-08-04.apk!classes.dex
|-> compiler : dexlib 2.x

Output from kisskiss:

adb shell ./data/local/tmp/kisskiss com.beikang
[*] Android Dalvik Unpacker/Unprotector - [email protected]
[+] Hunting for com.beikang
[+] 867 is service pid
[+] 902 is clone pid
[+] Attempting to detect packer/protector...
[*] Nothing special found, assuming Bangcle...
[+] Unpacked odex found in memory!
[+] Attempting to dump memory region 0xb6f18000 to 0xb6f19000
[!] pread seems to have failed!
[!] An issue occurred trying to dump the memory to a file!

Fix Android.mk to produce PIE executables

Hi!

I couldn't get the native unpacker to work; it gave me the following error:

error: only position independent executables (PIE) are supported.

Is this a known issue? After some googling I found the fix. These lines need to be added to Android.mk:

APP_PLATFORM := android-16
LOCAL_CFLAGS += -pie -fPIE
LOCAL_LDFLAGS += -pie -fPIE

This will only work on Android 4.1+.

Cheers!

Pread errors for bangcle packed samples (not new bangcle version)

While testing the android-unpacker in the following circumstances, a memory dump error occurred.
Perhaps there is a permissions problem, or an AVD version issue?
Do you know why?

The sample is a malware collected in February 2015.
Aside from January 2015, two bangcle are the same error.

< Test Environment >

  • Base OS : Kali Linux
  • AVD 1. Android 4.4.2 (API 19) Google API ARM
  • AVD 2. Android 5.0.1 (API 21) Google API ARM

< Error Log >
[*] Android Dalvik Unpacker/Unprotector - [email protected]
[+] Hunting for com.zhiqupk.root
[+] 2076 is service pid
[+] 2171 is clone pid
[+] Attempting to detect packer/protector...
[*] Nothing special found, assuming Bangcle...
[+] Unpacked odex found in memory!
[+] Attempting to dump memory region 0xbe572000 to 0xbe572000
[!] pread seems to have failed!
[!] An issue occurred trying to dump the memory to a file!

< Test Sample >
https://www.virustotal.com/en/file/bf6c13323521eb064a116d0322351ff6a24fb1554e5608c8e94065e0cf4c6293/analysis/

Unable to unpack a Qihoo app

[*] Android Dalvik Unpacker/Unprotector - [email protected]
[+] Hunting for com.brazil.vod
[+] 1949 is service pid
[+] 2003 is clone pid
[+] Attempting to detect packer/protector...
[*] Nothing special found, assuming Bangcle...
[+] Unpacked odex found in memory!
[+] Attempting to dump memory region 0xb7781000 to 0xb7782000
[!] pread seems to have failed!
[!] An issue occured trying to dump the memory to a file!

I'm using Nox Emulator to do this since I don't have a rooted device.

Is there a precompiled version or some proper instructions?

I am using Android Studio with the NDK installed, but there seems to be a problem: Android Studio won't detect what type of project it is because there's no file like build.gradle indicating it. So it's unclear to me how to go on with the project. If someone would help, it would be much appreciated.

Where to find gdb binary

Hi,

It is unclear where to find the gdb binary to push to "/data/local/tmp/".

I am using the Android emulator and I had no issues in building and using "native-unpacker", but I am unable to test "gdb-scripts" because I can't find a gdb binary to use.

Thanks.

x86 support

Compiled this on x86 and tried it on Genymotion just for fun - pread() seems to fail - any idea how to fix it?

root@vbox86p:/data/local/tmp # uname -a
Linux localhost 3.10.0-genymotion-g1d178ae-dirty #1 SMP PREEMPT Mon Apr 27 11:57:12 CEST 2015 i686 GNU/Linux
root@vbox86p:/data/local/tmp # ./kisskiss com.android.mms
[*] Android Dalvik Unpacker/Unprotector - [email protected]
[+] Hunting for com.android.mms
[+] 6589 is service pid
[+] 6998 is clone pid
[+] Attempting to detect packer/protector...
[*] Nothing special found, assuming Bangcle...
[+] Unpacked odex found in memory!
[+] Attempting to dump memory region 0xb7745000 to 0xb7746000
[!] pread seems to have failed!
[!] An issue occured trying to dump the memory to a file!
