rednaga/APKiD

[DETECTION] Unknown lib packers

Closed this issue · 19 comments

I encountered some modded APKs that contained packed libs that APKiD didn't detect. I can barely find any info about Android lib packers. Most modders use XMProtect, OLLVM and UPX. OLLVM and UPX are detected by APKiD, and XM can easily be identified, so it's not a big deal for me.

Sample 1: libbmt.so is a very large lib packer. The code section is short and the OnLoad function is very large, making IDA fail to decompile it. I'm not sure whether OnLoad is obfuscated or they just put large data in it, but there is an additional 5 MB of data not read by IDA.

Apk: https://mega.nz/file/LAYEBIrT#BqojL9gWUxge6XidHHI0fnOvm_O30dpkfOMAKIt2zx0

Sample 2: libRMS.so is the small lib packer. The code section is short and simple, without obfuscation. IDA throws an error "Unexpected attribute section format ('" when opening it, but it can be ignored.

Apk: https://mega.nz/file/qVYD0IKC#MFsHhQxC6hm-IbMxKT6D3VAJ6CJp40__9gwXoiRgGK4

Thanks for the report, I will try to find time soon to take a crack at it. Any idea about the names or maintainers?

I'm not happy to disclose it, but there is nothing much to hide anyway, so the first sample is from blackmod.net and the second sample is from 5play.ru.

Hey @Yehh22,

could you provide more samples of Sample1 and Sample2?

Thanks 👍

Hi,
I auto-assigned this ticket to me for whenever I got the time to check this out. Could you also provide samples for XMProtect?
Many thanks for the INTEL :)

Sure, I posted the samples in the separate issue #293.

@Yehh22 Please check this rule for Samples 1: 4c7d737

[+] APKiD 2.1.4 :: from RedNaga :: rednaga.io
[*] Sample1/Legend Of Heroes Sample1-BM.apk!assets/audience_network.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : possible Build.SERIAL check
 |-> compiler : unknown (please file detection issue!)
[*] Sample1/Legend Of Heroes Sample1-BM.apk!classes.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, network operator name check, possible VM check
 |-> compiler : dexlib 2.x
[*] Sample1/Legend Of Heroes Sample1-BM.apk!classes2.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, subscriber ID check
 |-> compiler : dexlib 2.x
[*] Sample1/Legend Of Heroes Sample1-BM.apk!classes3.dex
 |-> compiler : dexlib 2.x
[*] Sample1/Legend Of Heroes Sample1-BM.apk!classes4.dex
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, possible Build.SERIAL check
 |-> compiler : dexlib 2.x
[*] Sample1/Legend Of Heroes Sample1-BM.apk!classes5.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check
 |-> compiler : dexlib 2.x
[*] Sample1/Legend Of Heroes Sample1-BM.apk!classes6.dex
 |-> compiler : dexlib 2.x
[*] Sample1/Legend Of Heroes Sample1-BM.apk!classes7.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, possible VM check
 |-> compiler : dexlib 2.x
[*] Sample1/Legend Of Heroes Sample1-BM.apk!lib/armeabi-v7a/libbmt.so
 |-> packer : BlackMod
[*] Sample1/OUTERPLANE Sample1-BM.apk!classes.dex
 |-> anti_vm : Build.BRAND check, Build.DEVICE check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, device ID check, network operator name check, possible VM check
 |-> compiler : dexlib 2.x
[*] Sample1/OUTERPLANE Sample1-BM.apk!classes2.dex
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check
 |-> compiler : dexlib 2.x
[*] Sample1/OUTERPLANE Sample1-BM.apk!classes3.dex
 |-> compiler : dexlib 2.x
[*] Sample1/OUTERPLANE Sample1-BM.apk!classes4.dex
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, possible Build.SERIAL check
 |-> compiler : dexlib 2.x
[*] Sample1/OUTERPLANE Sample1-BM.apk!classes5.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check
 |-> compiler : dexlib 2.x
[*] Sample1/OUTERPLANE Sample1-BM.apk!classes6.dex
 |-> compiler : dexlib 2.x
[*] Sample1/OUTERPLANE Sample1-BM.apk!classes7.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, possible VM check
 |-> compiler : dexlib 2.x
[*] Sample1/OUTERPLANE Sample1-BM.apk!lib/armeabi-v7a/libbmt.so
 |-> packer : BlackMod
[*] Sample1/OUTERPLANE Sample1-BM.apk!lib/armeabi-v7a/libGvt.so
 |-> obfuscator : Obfuscator-LLVM version unknown (string encryption)
[*] Sample1/OUTERPLANE Sample1-BM.apk!lib/armeabi-v7a/librhcore.so
 |-> obfuscator : Obfuscator-LLVM version unknown (string encryption)
[*] Sample1/Sample1.apk!assets/audience_network.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> compiler : unknown (please file detection issue!)
[*] Sample1/Sample1.apk!classes.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, network operator name check, possible VM check, ro.hardware check, ro.kernel.qemu check
 |-> compiler : dexlib 2.x
[*] Sample1/Sample1.apk!classes2.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, possible VM check
 |-> compiler : dexlib 2.x
[*] Sample1/Sample1.apk!classes3.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, possible Build.SERIAL check, possible VM check
 |-> compiler : dexlib 2.x
[*] Sample1/Sample1.apk!classes4.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, possible VM check
 |-> compiler : dexlib 2.x
[*] Sample1/Sample1.apk!classes5.dex
 |-> compiler : dexlib 2.x
[*] Sample1/Sample1.apk!classes6.dex
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, possible Build.SERIAL check
 |-> compiler : dexlib 2.x
[*] Sample1/Sample1.apk!classes7.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check
 |-> compiler : dexlib 2.x
[*] Sample1/Sample1.apk!classes8.dex
 |-> compiler : dexlib 2.x
[*] Sample1/Sample1.apk!classes9.dex
 |-> compiler : unknown (please file detection issue!)
[*] Sample1/Sample1.apk!lib/armeabi-v7a/libbmt.so
 |-> packer : BlackMod

@Yehh22 We can always remove the ARM32-only syscall opcode to match other architectures. Have you seen samples based on ARM64?

$ apkid hollywood-story\ Sample2-5play.apk
[+] APKiD 2.1.4 :: from RedNaga :: rednaga.io
[*] hollywood-story Sample2-5play.apk!assets/audience_network.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> compiler : unknown (please file detection issue!)
[*] hollywood-story Sample2-5play.apk!classes.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, network operator name check, possible Build.SERIAL check
 |-> compiler : dexlib 2.x
[*] hollywood-story Sample2-5play.apk!classes2.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check
 |-> compiler : dexlib 2.x
[*] hollywood-story Sample2-5play.apk!classes3.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, SIM operator check, network operator name check, possible VM check, ro.hardware check, ro.kernel.qemu check
 |-> compiler : dexlib 2.x
[*] hollywood-story Sample2-5play.apk!classes4.dex
 |-> anti_vm : Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, possible VM check
 |-> compiler : dexlib 2.x
[*] hollywood-story Sample2-5play.apk!classes5.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, SIM operator check, network operator name check, possible VM check
 |-> compiler : dexlib 2.x
[*] hollywood-story Sample2-5play.apk!classes6.dex
 |-> compiler : dexlib 2.x
[*] hollywood-story Sample2-5play.apk!lib/armeabi-v7a/libRMS.so
 |-> packer : 5play.ru

Sorry for the late reply. Yes, I have seen arm64 APKs, I'm going to find them.

In this case, I can make the rule more generic. Please let me know. Thanks!

@Yehh22 Great! Pushed an improvement: c934d91
Could you test more samples?
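As an added example (not APKiD's rule, not the commits referenced above, and not code from any sample in this thread), the following Python sketch shows the architecture-generic version of the idea discussed here: read `e_machine` and `EI_CLASS` from the ELF header and count that ISA's own `svc #0` encoding, so an arm64-v8a build of a packer stub is matched by the same logic as the armeabi-v7a one instead of being missed by an ARM32-only opcode. The ELF blobs at the bottom are constructed inline for the demonstration; the alignment assumption and the header layout are noted in the comments.

```python
"""Architecture-aware scan for direct `svc #0` syscall stubs in an Android ELF.

Added example; not APKiD's own rule and not the packer code from the issue.
It illustrates the point raised in the thread: a signature keyed to the ARM32
syscall encoding will miss an arm64-v8a build of the same packer, so a generic
check has to pick the encoding from the ELF header's e_machine / EI_CLASS.
"""
import struct

EM_ARM, EM_AARCH64 = 40, 183          # e_machine values from the ELF spec
ELFCLASS32, ELFCLASS64 = 1, 2          # e_ident[EI_CLASS]

# `svc #0` as stored in a little-endian file (instruction word byte-swapped).
SVC_A32 = bytes.fromhex("000000ef")    # A32: 0xEF000000 (cond=AL)
SVC_T16 = bytes.fromhex("00df")        # Thumb-16: 0xDF00
SVC_A64 = bytes.fromhex("010000d4")    # AArch64: 0xD4000001


def elf_arch(data: bytes):
    """Return (EI_CLASS, e_machine) from the ELF header, rejecting non-ELF input."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_data != 1:
        raise ValueError("only little-endian ELF handled here")
    (e_machine,) = struct.unpack_from("<H", data, 18)   # same offset in ELF32 and ELF64
    return ei_class, e_machine


def count_aligned(data: bytes, pattern: bytes, step: int) -> int:
    """Count occurrences of `pattern` at offsets that are multiples of `step`.

    Alignment is taken relative to the file start, which holds for the
    page-aligned .text of real .so files; this is a heuristic, not a disassembler.
    """
    return sum(
        1 for off in range(0, len(data) - len(pattern) + 1, step)
        if data[off:off + len(pattern)] == pattern
    )


def count_syscalls(data: bytes) -> dict:
    """Pick the svc encoding(s) for the binary's ISA and count them."""
    ei_class, e_machine = elf_arch(data)
    if e_machine == EM_ARM and ei_class == ELFCLASS32:
        # ARM32 libs mix A32 and Thumb code, so both encodings are checked.
        return {"arch": "armeabi-v7a",
                "svc": count_aligned(data, SVC_A32, 4) + count_aligned(data, SVC_T16, 2)}
    if e_machine == EM_AARCH64 and ei_class == ELFCLASS64:
        return {"arch": "arm64-v8a", "svc": count_aligned(data, SVC_A64, 4)}
    return {"arch": "other", "svc": 0}


# --- constructed test inputs (not real samples from the issue) --------------
def fake_elf(ei_class: int, e_machine: int, code: bytes) -> bytes:
    """Minimal ELF header (ET_DYN, little-endian) padded to 64 bytes, then raw code.

    Only the fields elf_arch() reads are meaningful; the padding keeps the code
    4-byte aligned like a real .text section would be.
    """
    ident = b"\x7fELF" + bytes([ei_class, 1, 1, 0]) + b"\x00" * 8
    header = (ident + struct.pack("<HHI", 3, e_machine, 1)).ljust(64, b"\x00")
    return header + code


def a32(*words: int) -> bytes:
    """Pack 32-bit instruction words little-endian, as they sit in the file."""
    return b"".join(struct.pack("<I", w) for w in words)


SAMPLE_ARM32 = fake_elf(ELFCLASS32, EM_ARM, a32(
    0xE3A07004,  # mov r7, #4   (write)
    0xEF000000,  # svc #0
    0xE3A07001,  # mov r7, #1   (exit)
    0xEF000000,  # svc #0
    0xE12FFF1E,  # bx lr
))
SAMPLE_ARM64 = fake_elf(ELFCLASS64, EM_AARCH64, a32(
    0xD2800808,  # mov x8, #64  (write)
    0xD4000001,  # svc #0
    0xD65F03C0,  # ret
))
SAMPLE_X86_64 = fake_elf(ELFCLASS64, 62, b"\x0f\x05\xc3")  # syscall; ret

if __name__ == "__main__":
    for name, blob in (("arm32", SAMPLE_ARM32), ("arm64", SAMPLE_ARM64),
                       ("x86_64", SAMPLE_X86_64)):
        print(name, count_syscalls(blob))
```

A real detection would combine this with context (the svc sitting inside a tiny code section next to megabytes of opaque data, as described for libbmt.so above) rather than firing on the opcode alone, since libc-free syscall stubs also appear in legitimate code.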

I'm getting an error trying to compile APKiD. It seems it can't find yara-python-dex even though it exists. Any idea why? I'm using Python 3.11.3 on Windows 11.

Obtaining file:///E:/Github/APKiD
  Installing build dependencies ... done
  Checking if build backend supports build_editable ... done
  Getting requirements to build editable ... done
  Preparing editable metadata (pyproject.toml) ... done
INFO: pip is looking at multiple versions of apkid[dev,test] to determine which version is compatible with other requirements. This could take a while.
ERROR: Could not find a version that satisfies the requirement yara-python-dex>=1.0.1 (from apkid[dev,test]) (from versions: none)
ERROR: No matching distribution found for yara-python-dex>=1.0.1

Hi @Yehh22,

I am using Windows but with WSL2. Can you use the Docker instead?

I'm not going to use WSL2 or Docker because it runs Hyper-V, which breaks my Android emulators. So I'm looking for another way to get it to work.

Ended up using Linux on VM, everything works like a charm.

@Yehh22 Do you have more samples from other packers or modders?

Yes, I'm going to post more samples.