[DETECTION] AndroidRepublic Modder: Unknown lib obfuscator / dex packer
Yehh22 opened this issue · 9 comments
The samples from Android Republic.
Unknown lib obfuscator
Lib file /assets/emt.androidrepublic/monkey.png (IDA identified as libemtrepublicv3.so). Looks like Ollvm obfuscator
In 2016-2020, they used Obfuscator-LLVM version 3.4, so it is possible they are using a newer OLLVM version.
https://mega.nz/folder/jVYDkYDC#0vprSB4BxQ2oPgDDnLeaJA
Samples from VIP section.
Possible files
- assets/androidrepublic.org/dragon.png
- lib/XXX/libteteetet.so
- lib/XXX/libandroidrepublic.so
https://mega.nz/folder/iYZE3KCT#b3iXBbnaVDnl40H_GxkTMQ
Unknown dex packer with obfuscated/packed libs?
Encrypted dexes are stored as /assets/emtXXX.so/, and assets/libemt_XXX.so probably decrypts them. The libemt_XXX.so has some weird instructions and breaks the IDA decompiler. Unclear if it is obfuscated or packed.
@Yehh22 how would you like to name this packer? Would you like to create a pull-request with this rule?
I think just "Android Republic" until then.
I'm not sure what I should do with the pull request; I've never made a pull request before.
The samples from Android Republic.
Unknown lib obfuscator
Lib file /assets/emt.androidrepublic/monkey.png (IDA identified as libemtrepublicv3.so). Looks like Ollvm obfuscator
In 2016-2020, they used Obfuscator-LLVM version 3.4, so it is possible they are using newer ollvm version
$ for f in `ls`; do echo $f; unzip -l $f|egrep -i "monkey|androidrepublic|dragon";done
com.YoStar.AetherGazer.027977-armv7.mod.apk
2060 2023-06-30 16:56 assets/emt.androidrepublic/config.png
3191376 2023-06-30 16:56 assets/emt.androidrepublic/monkey.png
17548 2023-06-30 16:56 assets/emt.androidrepublic/system.png
140 2023-06-30 16:56 assets/emt.androidrepublic/system_000.png
1500 2023-06-30 16:56 assets/emt.androidrepublic/system_001.png
92 2023-06-30 16:56 assets/emt.androidrepublic/system_002.png
1804 2023-06-30 16:56 assets/emt.androidrepublic/system_003.png
252 2023-06-30 16:56 assets/emt.androidrepublic/system_004.png
76 2023-06-30 16:56 assets/emt.androidrepublic/system_005.png
com.sega.ErrorGameReset.110.mod-arm64.apk
2060 2023-06-12 16:22 assets/emt.androidrepublic/config.png
4392600 2023-06-12 16:22 assets/emt.androidrepublic/monkey.png
17548 2023-06-12 16:22 assets/emt.androidrepublic/system.png
140 2023-06-12 16:22 assets/emt.androidrepublic/system_000.png
1500 2023-06-12 16:22 assets/emt.androidrepublic/system_001.png
92 2023-06-12 16:22 assets/emt.androidrepublic/system_002.png
1804 2023-06-12 16:22 assets/emt.androidrepublic/system_003.png
252 2023-06-12 16:22 assets/emt.androidrepublic/system_004.png
76 2023-06-12 16:22 assets/emt.androidrepublic/system_005.png
com.spicyteam.likeheroes2.242.mod-armv7.apk
2060 2023-06-22 12:32 assets/emt.androidrepublic/config.png
3191376 2023-06-22 12:32 assets/emt.androidrepublic/monkey.png
17548 2023-06-22 12:32 assets/emt.androidrepublic/system.png
140 2023-06-22 12:32 assets/emt.androidrepublic/system_000.png
1500 2023-06-22 12:32 assets/emt.androidrepublic/system_001.png
92 2023-06-22 12:32 assets/emt.androidrepublic/system_002.png
1804 2023-06-22 12:32 assets/emt.androidrepublic/system_003.png
252 2023-06-22 12:32 assets/emt.androidrepublic/system_004.png
76 2023-06-22 12:32 assets/emt.androidrepublic/system_005.png
global.ngelgames.tog.2113.mod-arm64.apk
2060 2023-06-21 10:16 assets/emt.androidrepublic/config.png
4392600 2023-06-21 10:16 assets/emt.androidrepublic/monkey.png
17548 2023-06-21 10:16 assets/emt.androidrepublic/system.png
140 2023-06-21 10:16 assets/emt.androidrepublic/system_000.png
1500 2023-06-21 10:16 assets/emt.androidrepublic/system_001.png
92 2023-06-21 10:16 assets/emt.androidrepublic/system_002.png
1804 2023-06-21 10:16 assets/emt.androidrepublic/system_003.png
252 2023-06-21 10:16 assets/emt.androidrepublic/system_004.png
76 2023-06-21 10:16 assets/emt.androidrepublic/system_005.png
@Yehh22 This sample is also protected with Aegis. Is this okay?
$ apkid com.perblue.disneyheroes_3.3.01_31082021_232042_modded-libandroidrepublic.so-armv7.apk
[+] APKiD 2.1.4 :: from RedNaga :: rednaga.io
[*] com.perblue.disneyheroes_3.3.01_31082021_232042_modded-libandroidrepublic.so-armv7.apk
|-> packer : Aegis - Android Republic Mods
[*] com.perblue.disneyheroes_3.3.01_31082021_232042_modded-libandroidrepublic.so-armv7.apk!classes.dex
|-> compiler : r8 without marker (suspicious)
[*] com.perblue.disneyheroes_3.3.01_31082021_232042_modded-libandroidrepublic.so-armv7.apk!assets/audience_network.dex
|-> anti_debug : Debug.isDebuggerConnected() check
|-> anti_vm : possible Build.SERIAL check
|-> compiler : unknown (please file detection issue!)
[*] com.perblue.disneyheroes_3.3.01_31082021_232042_modded-libandroidrepublic.so-armv7.apk!assets/aegis/nmsscr.nmss
|-> packer : Aegis
[*] com.perblue.disneyheroes_3.3.01_31082021_232042_modded-libandroidrepublic.so-armv7.apk!assets/aegis/nmssey.nmss
|-> anti_hook : syscalls
|-> packer : Aegis
[*] com.perblue.disneyheroes_3.3.01_31082021_232042_modded-libandroidrepublic.so-armv7.apk!assets/aegis/nmsskc.nmss
|-> packer : Aegis
$ for f in `ls`; do echo ${f}; unzip -l ${f}|egrep -i "teteetet|androidrepublic|dragon";done
com.YoStarEN.Arknights_16.9.21_30052023_162839_MenuMod-libandroidrepublic.so-arm64.apk
Archive: com.YoStarEN.Arknights_16.9.21_30052023_162839_MenuMod-libandroidrepublic.so-arm64.apk
940 2023-05-30 16:20 assets/androidrepublic.org/config.png
1087868 2023-05-30 16:20 assets/androidrepublic.org/eclipse_arm64.png
188 2023-05-30 16:20 assets/androidrepublic.org/eclipse_arm64_000.png
101308 2023-05-30 16:20 assets/androidrepublic.org/eclipse_arm64_001.png
108 2023-05-30 16:20 assets/androidrepublic.org/eclipse_arm64_002.png
82876 2023-05-30 16:20 assets/androidrepublic.org/eclipse_arm64_003.png
85516 2023-05-30 16:20 assets/androidrepublic.org/eclipse_arm64_004.png
92 2023-05-30 16:20 assets/androidrepublic.org/eclipse_arm64_005.png
1067388 2023-05-30 16:20 assets/androidrepublic.org/sunrise_arm64.png
188 2023-05-30 16:20 assets/androidrepublic.org/sunrise_arm64_000.png
101292 2023-05-30 16:20 assets/androidrepublic.org/sunrise_arm64_001.png
108 2023-05-30 16:20 assets/androidrepublic.org/sunrise_arm64_002.png
82764 2023-05-30 16:20 assets/androidrepublic.org/sunrise_arm64_003.png
86380 2023-05-30 16:20 assets/androidrepublic.org/sunrise_arm64_004.png
92 2023-05-30 16:20 assets/androidrepublic.org/sunrise_arm64_005.png
17548 2023-05-30 16:20 assets/androidrepublic.org/system.png
140 2023-05-30 16:20 assets/androidrepublic.org/system_000.png
1500 2023-05-30 16:20 assets/androidrepublic.org/system_001.png
92 2023-05-30 16:20 assets/androidrepublic.org/system_002.png
1804 2023-05-30 16:20 assets/androidrepublic.org/system_003.png
252 2023-05-30 16:20 assets/androidrepublic.org/system_004.png
76 2023-05-30 16:20 assets/androidrepublic.org/system_005.png
226188 2023-05-30 16:20 assets/androidrepublic.org/xray.png
15679496 2023-05-30 16:20 lib/arm64-v8a/libandroidrepublic.so
com.bandainamcoent.saoifww_2.1.7_26012023_152452_mod_x64-dragon.png-arm64.apk
Archive: com.bandainamcoent.saoifww_2.1.7_26012023_152452_mod_x64-dragon.png-arm64.apk
17548 2020-11-23 20:48 assets/androidrepublic.org/system.png
140 2020-11-23 20:48 assets/androidrepublic.org/system_000.png
1500 2020-11-23 20:48 assets/androidrepublic.org/system_001.png
92 2020-11-23 20:48 assets/androidrepublic.org/system_002.png
1804 2020-11-23 20:48 assets/androidrepublic.org/system_003.png
252 2020-11-23 20:48 assets/androidrepublic.org/system_004.png
76 2020-11-23 20:48 assets/androidrepublic.org/system_005.png
226188 2020-11-23 20:48 assets/androidrepublic.org/xray.png
15679496 2021-11-18 23:37 assets/androidrepublic.org/dragon.png
684 2023-01-26 15:09 assets/androidrepublic.org/config.png
4182428 2023-01-26 15:09 assets/androidrepublic.org/sunrise_arm64.png
188 2023-01-26 15:09 assets/androidrepublic.org/sunrise_arm64_000.png
189676 2023-01-26 15:09 assets/androidrepublic.org/sunrise_arm64_001.png
108 2023-01-26 15:09 assets/androidrepublic.org/sunrise_arm64_002.png
235884 2023-01-26 15:09 assets/androidrepublic.org/sunrise_arm64_003.png
378124 2023-01-26 15:09 assets/androidrepublic.org/sunrise_arm64_004.png
92 2023-01-26 15:09 assets/androidrepublic.org/sunrise_arm64_005.png
com.clovergames.lordofheroes_1.1.093009_01102021_231127_mod-libteteetet.so-armv7.apk
Archive: com.clovergames.lordofheroes_1.1.093009_01102021_231127_mod-libteteetet.so-armv7.apk
860 2017-08-24 23:19 assets/androidrepublic.org/config.png
1087628 2017-08-24 23:19 assets/androidrepublic.org/eclipse.png
140 2017-08-24 23:19 assets/androidrepublic.org/eclipse_000.png
102076 2017-08-24 23:19 assets/androidrepublic.org/eclipse_001.png
92 2017-08-24 23:19 assets/androidrepublic.org/eclipse_002.png
61308 2017-08-24 23:19 assets/androidrepublic.org/eclipse_003.png
25260 2017-08-24 23:19 assets/androidrepublic.org/eclipse_004.png
76 2017-08-24 23:19 assets/androidrepublic.org/eclipse_005.png
17548 2017-08-24 23:19 assets/androidrepublic.org/system.png
140 2017-08-24 23:19 assets/androidrepublic.org/system_000.png
1500 2017-08-24 23:19 assets/androidrepublic.org/system_001.png
92 2017-08-24 23:19 assets/androidrepublic.org/system_002.png
1804 2017-08-24 23:19 assets/androidrepublic.org/system_003.png
252 2017-08-24 23:19 assets/androidrepublic.org/system_004.png
76 2017-08-24 23:19 assets/androidrepublic.org/system_005.png
226188 2017-08-24 23:19 assets/androidrepublic.org/xray.png
11796308 2017-08-24 23:19 lib/armeabi-v7a/libteteetet.so
com.perblue.disneyheroes_3.3.01_31082021_232042_modded-libandroidrepublic.so-armv7.apk
Archive: com.perblue.disneyheroes_3.3.01_31082021_232042_modded-libandroidrepublic.so-armv7.apk
11796308 2021-08-31 23:10 lib/armeabi-v7a/libandroidrepublic.so
140 2021-08-31 23:11 assets/androidrepublic.org/system_000.png
92 2021-08-31 23:11 assets/androidrepublic.org/system_002.png
1804 2021-08-31 23:11 assets/androidrepublic.org/system_003.png
76 2021-08-31 23:11 assets/androidrepublic.org/system_005.png
748 2021-08-31 23:11 assets/androidrepublic.org/crab_003.png
428 2021-08-31 23:11 assets/androidrepublic.org/crab_001.png
22236 2021-08-31 23:11 assets/androidrepublic.org/crab.png
140 2021-08-31 23:11 assets/androidrepublic.org/crab_000.png
17548 2021-08-31 23:11 assets/androidrepublic.org/system.png
652 2021-08-31 23:12 assets/androidrepublic.org/config.png
1500 2021-08-31 23:11 assets/androidrepublic.org/system_001.png
412 2021-08-31 23:11 assets/androidrepublic.org/crab_004.png
92 2021-08-31 23:11 assets/androidrepublic.org/crab_002.png
226188 2021-08-31 23:11 assets/androidrepublic.org/xray.png
252 2021-08-31 23:11 assets/androidrepublic.org/system_004.png
76 2021-08-31 23:11 assets/androidrepublic.org/crab_005.png
@Yehh22 This sample is also protected with Aegis. Is this okay?
Looks all good.
Also I found more samples of unknown dex packer. I guess we can call them EMT
I'm assuming the class org.androidrepublic.is.the.best.btg.emtApp in the smali is a dex loader.
APK Link: https://mega.nz/folder/jBxjgZSb#HV_klLsDchZJXinmdSusgw
The previous rules are already matching in here. Any suggestions?
UnknownDexPacker$ apkid .
[+] APKiD 2.1.4 :: from RedNaga :: rednaga.io
[*] ./7BillionZombies-VIPHero_1.4.2-signeddexpacker.apk
|-> obfuscator : AndroidRepublic VIP
[*] ./7BillionZombies-VIPHero_1.4.2-signeddexpacker.apk!assets/audience_network.dex
|-> anti_debug : Debug.isDebuggerConnected() check
|-> compiler : unknown (please file detection issue!)
[*] ./7BillionZombies-VIPHero_1.4.2-signeddexpacker.apk!assets/libemt_a64.so
|-> anti_hook : syscalls
[*] ./7BillionZombies-VIPHero_1.4.2-signeddexpacker.apk!classes.dex
|-> anti_vm : Build.MANUFACTURER check
|-> compiler : dexlib 2.x
[*] ./ExoRaisingGoblins_1.39.4-signedlib-dexpacker.apk
|-> obfuscator : AndroidRepublic VIP
[*] ./ExoRaisingGoblins_1.39.4-signedlib-dexpacker.apk!assets/libemt_a64.so
|-> anti_hook : syscalls
[*] ./ExoRaisingGoblins_1.39.4-signedlib-dexpacker.apk!classes.dex
|-> compiler : dexlib 2.x
[*] ./ExoRaisingGoblins_1.39.4-signedlib-dexpacker.apk!lib/armeabi-v7a/libandroidrepublic.so
|-> obfuscator : AndroidRepublic VIP
[*] ./ExoRaisingGoblins_1.39.4-signedlib-dexpacker.apk!lib/armeabi-v7a/libandroidrepublicz.so
|-> anti_vm : possible VM check
|-> obfuscator : AndroidRepublic VIP
[*] ./IdleAnomalyAlienControl_0.9.2-signeddexpacker.apk
|-> obfuscator : AndroidRepublic VIP
[*] ./IdleAnomalyAlienControl_0.9.2-signeddexpacker.apk!assets/audience_network.dex
|-> anti_debug : Debug.isDebuggerConnected() check
|-> compiler : unknown (please file detection issue!)
[*] ./IdleAnomalyAlienControl_0.9.2-signeddexpacker.apk!assets/libemt_a64.so
|-> anti_hook : syscalls
[*] ./IdleAnomalyAlienControl_0.9.2-signeddexpacker.apk!classes.dex
|-> compiler : dexlib 2.x
[*] ./IdleAnomalyAlienControl_0.9.2-signeddexpacker.apk!lib/armeabi-v7a/libandroidrepublic.so
|-> obfuscator : AndroidRepublic VIP
[*] ./IdleAnomalyAlienControl_0.9.2-signeddexpacker.apk!lib/armeabi-v7a/libandroidrepublicz.so
|-> anti_vm : possible VM check
|-> obfuscator : AndroidRepublic VIP
I was proposing adding a dex packer check. Other than that it's good.
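An added example (my own code, not part of this thread and not an APKiD rule) that checks an APK's zip entries for the asset and lib paths named in the issue body and for the emtApp loader class descriptor mentioned later, reporting the lib-obfuscator and dex-packer families separately as the last comment proposes. The regexes, the family names and the in-memory sample zips are my own constructions that approximate the indicators quoted on this page.

```python
import io
import re
import zipfile

# Indicator paths quoted in the issue thread (my approximation, not APKiD's rule).
VIP_LIB_INDICATORS = [
    re.compile(r"^assets/androidrepublic\.org/"),
    re.compile(r"^lib/[^/]+/libteteetet\.so$"),
    re.compile(r"^lib/[^/]+/libandroidrepublicz?\.so$"),
]
EMT_DEX_PACKER_INDICATORS = [
    re.compile(r"^assets/emt\.androidrepublic/"),
    re.compile(r"^assets/libemt_[^/]+\.so$"),   # suspected decryptor lib
    re.compile(r"^assets/emt[^/]+\.so$"),       # encrypted dex blobs
]
# Dex descriptor form of the class the reporter believes is the dex loader.
EMT_LOADER_DESCRIPTOR = b"Lorg/androidrepublic/is/the/best/btg/emtApp;"


def classify_apk(data: bytes) -> dict:
    """Return the entries matching each indicator family plus the loader-class hit."""
    hits = {"androidrepublic_vip_lib": [], "emt_dex_packer": [], "emt_loader_class": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if any(p.search(name) for p in VIP_LIB_INDICATORS):
                hits["androidrepublic_vip_lib"].append(name)
            if any(p.search(name) for p in EMT_DEX_PACKER_INDICATORS):
                hits["emt_dex_packer"].append(name)
            # Only top-level classesN.dex can hold the stub loader; packed dexes live in assets.
            if name.endswith(".dex") and "/" not in name:
                if EMT_LOADER_DESCRIPTOR in zf.read(name):
                    hits["emt_loader_class"] = True
    return hits


def labels(hits: dict) -> list:
    """Condense hits into apkid-style labels (label wording is my own)."""
    out = []
    if hits["androidrepublic_vip_lib"]:
        out.append("obfuscator : AndroidRepublic VIP")
    if hits["emt_dex_packer"] or hits["emt_loader_class"]:
        out.append("packer : EMT (Android Republic dex packer)")
    return out


def build_sample_apk(entries: dict) -> bytes:
    """Constructed in-memory zip standing in for an APK (sample data, not a real mod)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()
```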