rednaga/APKiD

[DETECTION] AndroidRepublic Modder: Unknown lib obfuscator / dex packer

Yehh22 opened this issue · 9 comments

Yehh22 commented

The samples from Android Republic.

Unknown lib obfuscator
Lib file /assets/emt.androidrepublic/monkey.png (IDA identified as libemtrepublicv3.so). Looks like Ollvm obfuscator
In 2016-2020, they used Obfuscator-LLVM version 3.4, so it is possible they are using newer ollvm version

https://mega.nz/folder/jVYDkYDC#0vprSB4BxQ2oPgDDnLeaJA

Samples from VIP section.
Possible files

  • assets/androidrepublic.org/dragon.png
  • lib/XXX/libteteetet.so
  • lib/XXX/libandroidrepublic.so

https://mega.nz/folder/iYZE3KCT#b3iXBbnaVDnl40H_GxkTMQ

Unknown dex packer with obfuscated/packed libs?
Encrypted dexes stored as /assets/emtXXX.so/ and assets/libemt_XXX.so probably decrypts them. The libemt_XXX.so has some weird instructions and breaks IDA decompiler. Unclear if it is obfuscated or packed.

https://mega.nz/folder/7Nx02DRB#o2OEsMR7UL8k6Gk_cNd99A

@Yehh22 how would you like to name this packer? Would you like to create a pull-request with this rule?

@Yehh22 how would you like to name this packer? Would you like to create a pull-request with this rule?

I think just "Android Republic" until then.

I'm not sure what should I do with pull-request? I never pull-request before

The samples from Android Republic.

Unknown lib obfuscator Lib file /assets/emt.androidrepublic/monkey.png (IDA identified as libemtrepublicv3.so). Looks like Ollvm obfuscator In 2016-2020, they used Obfuscator-LLVM version 3.4, so it is possible they are using newer ollvm version

https://mega.nz/folder/jVYDkYDC#0vprSB4BxQ2oPgDDnLeaJA

$ for f in `ls`; do echo $f; unzip -l $f|egrep -i "monkey|androidrepublic|dragon";done
com.YoStar.AetherGazer.027977-armv7.mod.apk
     2060  2023-06-30 16:56   assets/emt.androidrepublic/config.png
  3191376  2023-06-30 16:56   assets/emt.androidrepublic/monkey.png
    17548  2023-06-30 16:56   assets/emt.androidrepublic/system.png
      140  2023-06-30 16:56   assets/emt.androidrepublic/system_000.png
     1500  2023-06-30 16:56   assets/emt.androidrepublic/system_001.png
       92  2023-06-30 16:56   assets/emt.androidrepublic/system_002.png
     1804  2023-06-30 16:56   assets/emt.androidrepublic/system_003.png
      252  2023-06-30 16:56   assets/emt.androidrepublic/system_004.png
       76  2023-06-30 16:56   assets/emt.androidrepublic/system_005.png
com.sega.ErrorGameReset.110.mod-arm64.apk
     2060  2023-06-12 16:22   assets/emt.androidrepublic/config.png
  4392600  2023-06-12 16:22   assets/emt.androidrepublic/monkey.png
    17548  2023-06-12 16:22   assets/emt.androidrepublic/system.png
      140  2023-06-12 16:22   assets/emt.androidrepublic/system_000.png
     1500  2023-06-12 16:22   assets/emt.androidrepublic/system_001.png
       92  2023-06-12 16:22   assets/emt.androidrepublic/system_002.png
     1804  2023-06-12 16:22   assets/emt.androidrepublic/system_003.png
      252  2023-06-12 16:22   assets/emt.androidrepublic/system_004.png
       76  2023-06-12 16:22   assets/emt.androidrepublic/system_005.png
com.spicyteam.likeheroes2.242.mod-armv7.apk
     2060  2023-06-22 12:32   assets/emt.androidrepublic/config.png
  3191376  2023-06-22 12:32   assets/emt.androidrepublic/monkey.png
    17548  2023-06-22 12:32   assets/emt.androidrepublic/system.png
      140  2023-06-22 12:32   assets/emt.androidrepublic/system_000.png
     1500  2023-06-22 12:32   assets/emt.androidrepublic/system_001.png
       92  2023-06-22 12:32   assets/emt.androidrepublic/system_002.png
     1804  2023-06-22 12:32   assets/emt.androidrepublic/system_003.png
      252  2023-06-22 12:32   assets/emt.androidrepublic/system_004.png
       76  2023-06-22 12:32   assets/emt.androidrepublic/system_005.png
global.ngelgames.tog.2113.mod-arm64.apk
     2060  2023-06-21 10:16   assets/emt.androidrepublic/config.png
  4392600  2023-06-21 10:16   assets/emt.androidrepublic/monkey.png
    17548  2023-06-21 10:16   assets/emt.androidrepublic/system.png
      140  2023-06-21 10:16   assets/emt.androidrepublic/system_000.png
     1500  2023-06-21 10:16   assets/emt.androidrepublic/system_001.png
       92  2023-06-21 10:16   assets/emt.androidrepublic/system_002.png
     1804  2023-06-21 10:16   assets/emt.androidrepublic/system_003.png
      252  2023-06-21 10:16   assets/emt.androidrepublic/system_004.png
       76  2023-06-21 10:16   assets/emt.androidrepublic/system_005.png

@Yehh22 This sample is also protected with Aegis. Is this okay?

$ apkid com.perblue.disneyheroes_3.3.01_31082021_232042_modded-libandroidrepublic.so-armv7.apk
[+] APKiD 2.1.4 :: from RedNaga :: rednaga.io
[*] com.perblue.disneyheroes_3.3.01_31082021_232042_modded-libandroidrepublic.so-armv7.apk
 |-> packer : Aegis - Android Republic Mods
[*] com.perblue.disneyheroes_3.3.01_31082021_232042_modded-libandroidrepublic.so-armv7.apk!classes.dex
 |-> compiler : r8 without marker (suspicious)
[*] com.perblue.disneyheroes_3.3.01_31082021_232042_modded-libandroidrepublic.so-armv7.apk!assets/audience_network.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : possible Build.SERIAL check
 |-> compiler : unknown (please file detection issue!)
[*] com.perblue.disneyheroes_3.3.01_31082021_232042_modded-libandroidrepublic.so-armv7.apk!assets/aegis/nmsscr.nmss
 |-> packer : Aegis
[*] com.perblue.disneyheroes_3.3.01_31082021_232042_modded-libandroidrepublic.so-armv7.apk!assets/aegis/nmssey.nmss
 |-> anti_hook : syscalls
 |-> packer : Aegis
[*] com.perblue.disneyheroes_3.3.01_31082021_232042_modded-libandroidrepublic.so-armv7.apk!assets/aegis/nmsskc.nmss
 |-> packer : Aegis
$ for f in `ls`; do echo ${f}; unzip -l ${f}|egrep -i "teteetet|androidrepublic|dragon";done
com.YoStarEN.Arknights_16.9.21_30052023_162839_MenuMod-libandroidrepublic.so-arm64.apk
Archive:  com.YoStarEN.Arknights_16.9.21_30052023_162839_MenuMod-libandroidrepublic.so-arm64.apk
      940  2023-05-30 16:20   assets/androidrepublic.org/config.png
  1087868  2023-05-30 16:20   assets/androidrepublic.org/eclipse_arm64.png
      188  2023-05-30 16:20   assets/androidrepublic.org/eclipse_arm64_000.png
   101308  2023-05-30 16:20   assets/androidrepublic.org/eclipse_arm64_001.png
      108  2023-05-30 16:20   assets/androidrepublic.org/eclipse_arm64_002.png
    82876  2023-05-30 16:20   assets/androidrepublic.org/eclipse_arm64_003.png
    85516  2023-05-30 16:20   assets/androidrepublic.org/eclipse_arm64_004.png
       92  2023-05-30 16:20   assets/androidrepublic.org/eclipse_arm64_005.png
  1067388  2023-05-30 16:20   assets/androidrepublic.org/sunrise_arm64.png
      188  2023-05-30 16:20   assets/androidrepublic.org/sunrise_arm64_000.png
   101292  2023-05-30 16:20   assets/androidrepublic.org/sunrise_arm64_001.png
      108  2023-05-30 16:20   assets/androidrepublic.org/sunrise_arm64_002.png
    82764  2023-05-30 16:20   assets/androidrepublic.org/sunrise_arm64_003.png
    86380  2023-05-30 16:20   assets/androidrepublic.org/sunrise_arm64_004.png
       92  2023-05-30 16:20   assets/androidrepublic.org/sunrise_arm64_005.png
    17548  2023-05-30 16:20   assets/androidrepublic.org/system.png
      140  2023-05-30 16:20   assets/androidrepublic.org/system_000.png
     1500  2023-05-30 16:20   assets/androidrepublic.org/system_001.png
       92  2023-05-30 16:20   assets/androidrepublic.org/system_002.png
     1804  2023-05-30 16:20   assets/androidrepublic.org/system_003.png
      252  2023-05-30 16:20   assets/androidrepublic.org/system_004.png
       76  2023-05-30 16:20   assets/androidrepublic.org/system_005.png
   226188  2023-05-30 16:20   assets/androidrepublic.org/xray.png
 15679496  2023-05-30 16:20   lib/arm64-v8a/libandroidrepublic.so
com.bandainamcoent.saoifww_2.1.7_26012023_152452_mod_x64-dragon.png-arm64.apk
Archive:  com.bandainamcoent.saoifww_2.1.7_26012023_152452_mod_x64-dragon.png-arm64.apk
    17548  2020-11-23 20:48   assets/androidrepublic.org/system.png
      140  2020-11-23 20:48   assets/androidrepublic.org/system_000.png
     1500  2020-11-23 20:48   assets/androidrepublic.org/system_001.png
       92  2020-11-23 20:48   assets/androidrepublic.org/system_002.png
     1804  2020-11-23 20:48   assets/androidrepublic.org/system_003.png
      252  2020-11-23 20:48   assets/androidrepublic.org/system_004.png
       76  2020-11-23 20:48   assets/androidrepublic.org/system_005.png
   226188  2020-11-23 20:48   assets/androidrepublic.org/xray.png
 15679496  2021-11-18 23:37   assets/androidrepublic.org/dragon.png
      684  2023-01-26 15:09   assets/androidrepublic.org/config.png
  4182428  2023-01-26 15:09   assets/androidrepublic.org/sunrise_arm64.png
      188  2023-01-26 15:09   assets/androidrepublic.org/sunrise_arm64_000.png
   189676  2023-01-26 15:09   assets/androidrepublic.org/sunrise_arm64_001.png
      108  2023-01-26 15:09   assets/androidrepublic.org/sunrise_arm64_002.png
   235884  2023-01-26 15:09   assets/androidrepublic.org/sunrise_arm64_003.png
   378124  2023-01-26 15:09   assets/androidrepublic.org/sunrise_arm64_004.png
       92  2023-01-26 15:09   assets/androidrepublic.org/sunrise_arm64_005.png
com.clovergames.lordofheroes_1.1.093009_01102021_231127_mod-libteteetet.so-armv7.apk
Archive:  com.clovergames.lordofheroes_1.1.093009_01102021_231127_mod-libteteetet.so-armv7.apk
      860  2017-08-24 23:19   assets/androidrepublic.org/config.png
  1087628  2017-08-24 23:19   assets/androidrepublic.org/eclipse.png
      140  2017-08-24 23:19   assets/androidrepublic.org/eclipse_000.png
   102076  2017-08-24 23:19   assets/androidrepublic.org/eclipse_001.png
       92  2017-08-24 23:19   assets/androidrepublic.org/eclipse_002.png
    61308  2017-08-24 23:19   assets/androidrepublic.org/eclipse_003.png
    25260  2017-08-24 23:19   assets/androidrepublic.org/eclipse_004.png
       76  2017-08-24 23:19   assets/androidrepublic.org/eclipse_005.png
    17548  2017-08-24 23:19   assets/androidrepublic.org/system.png
      140  2017-08-24 23:19   assets/androidrepublic.org/system_000.png
     1500  2017-08-24 23:19   assets/androidrepublic.org/system_001.png
       92  2017-08-24 23:19   assets/androidrepublic.org/system_002.png
     1804  2017-08-24 23:19   assets/androidrepublic.org/system_003.png
      252  2017-08-24 23:19   assets/androidrepublic.org/system_004.png
       76  2017-08-24 23:19   assets/androidrepublic.org/system_005.png
   226188  2017-08-24 23:19   assets/androidrepublic.org/xray.png
 11796308  2017-08-24 23:19   lib/armeabi-v7a/libteteetet.so
com.perblue.disneyheroes_3.3.01_31082021_232042_modded-libandroidrepublic.so-armv7.apk
Archive:  com.perblue.disneyheroes_3.3.01_31082021_232042_modded-libandroidrepublic.so-armv7.apk
 11796308  2021-08-31 23:10   lib/armeabi-v7a/libandroidrepublic.so
      140  2021-08-31 23:11   assets/androidrepublic.org/system_000.png
       92  2021-08-31 23:11   assets/androidrepublic.org/system_002.png
     1804  2021-08-31 23:11   assets/androidrepublic.org/system_003.png
       76  2021-08-31 23:11   assets/androidrepublic.org/system_005.png
      748  2021-08-31 23:11   assets/androidrepublic.org/crab_003.png
      428  2021-08-31 23:11   assets/androidrepublic.org/crab_001.png
    22236  2021-08-31 23:11   assets/androidrepublic.org/crab.png
      140  2021-08-31 23:11   assets/androidrepublic.org/crab_000.png
    17548  2021-08-31 23:11   assets/androidrepublic.org/system.png
      652  2021-08-31 23:12   assets/androidrepublic.org/config.png
     1500  2021-08-31 23:11   assets/androidrepublic.org/system_001.png
      412  2021-08-31 23:11   assets/androidrepublic.org/crab_004.png
       92  2021-08-31 23:11   assets/androidrepublic.org/crab_002.png
   226188  2021-08-31 23:11   assets/androidrepublic.org/xray.png
      252  2021-08-31 23:11   assets/androidrepublic.org/system_004.png
       76  2021-08-31 23:11   assets/androidrepublic.org/crab_005.png

Confirmed! This monkey.png is an obfuscated ARM 32bits ELF
image

image

@Yehh22 This sample is also protected with Aegis. Is this okay?

Looks all good.

Also I found more samples of unknown dex packer. I guess we can call them EMT

I'm assuming the class org.androidrepublic.is.the.best.btg.emtApp in the smali is a dex loader

image

APK Link: https://mega.nz/folder/jBxjgZSb#HV_klLsDchZJXinmdSusgw

@Yehh22 This sample is also protected with Aegis. Is this okay?

Looks all good.

Also I found more samples of unknown dex packer. I guess we can call them EMT

I'm assuming the class org.androidrepublic.is.the.best.btg.emtApp in the smali is a dex loader

image

APK Link: https://mega.nz/folder/jBxjgZSb#HV_klLsDchZJXinmdSusgw

The previous rules are already matching in here. Any suggestions?

UnknownDexPacker$ apkid .
[+] APKiD 2.1.4 :: from RedNaga :: rednaga.io
[*] ./7BillionZombies-VIPHero_1.4.2-signeddexpacker.apk
 |-> obfuscator : AndroidRepublic VIP
[*] ./7BillionZombies-VIPHero_1.4.2-signeddexpacker.apk!assets/audience_network.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> compiler : unknown (please file detection issue!)
[*] ./7BillionZombies-VIPHero_1.4.2-signeddexpacker.apk!assets/libemt_a64.so
 |-> anti_hook : syscalls
[*] ./7BillionZombies-VIPHero_1.4.2-signeddexpacker.apk!classes.dex
 |-> anti_vm : Build.MANUFACTURER check
 |-> compiler : dexlib 2.x
[*] ./ExoRaisingGoblins_1.39.4-signedlib-dexpacker.apk
 |-> obfuscator : AndroidRepublic VIP
[*] ./ExoRaisingGoblins_1.39.4-signedlib-dexpacker.apk!assets/libemt_a64.so
 |-> anti_hook : syscalls
[*] ./ExoRaisingGoblins_1.39.4-signedlib-dexpacker.apk!classes.dex
 |-> compiler : dexlib 2.x
[*] ./ExoRaisingGoblins_1.39.4-signedlib-dexpacker.apk!lib/armeabi-v7a/libandroidrepublic.so
 |-> obfuscator : AndroidRepublic VIP
[*] ./ExoRaisingGoblins_1.39.4-signedlib-dexpacker.apk!lib/armeabi-v7a/libandroidrepublicz.so
 |-> anti_vm : possible VM check
 |-> obfuscator : AndroidRepublic VIP
[*] ./IdleAnomalyAlienControl_0.9.2-signeddexpacker.apk
 |-> obfuscator : AndroidRepublic VIP
[*] ./IdleAnomalyAlienControl_0.9.2-signeddexpacker.apk!assets/audience_network.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> compiler : unknown (please file detection issue!)
[*] ./IdleAnomalyAlienControl_0.9.2-signeddexpacker.apk!assets/libemt_a64.so
 |-> anti_hook : syscalls
[*] ./IdleAnomalyAlienControl_0.9.2-signeddexpacker.apk!classes.dex
 |-> compiler : dexlib 2.x
[*] ./IdleAnomalyAlienControl_0.9.2-signeddexpacker.apk!lib/armeabi-v7a/libandroidrepublic.so
 |-> obfuscator : AndroidRepublic VIP
[*] ./IdleAnomalyAlienControl_0.9.2-signeddexpacker.apk!lib/armeabi-v7a/libandroidrepublicz.so
 |-> anti_vm : possible VM check
 |-> obfuscator : AndroidRepublic VIP

I was proposing adding dex packer check. Other than that it's good