Closed enovella closed 4 years ago
<off-topic>Someone needs to do a full write-up on this packer</off-topic>
found another sample @ https://koodous.com/apks/54bbf69e6f5529b548526857f5595d7015fc72802cddad3b74ee3a21bb064dca
Probably an older version
You'll find more samples on the Asian side of the world. It's not hard to reach the vendor.
I believe that this packer must be CrackProof (Android SO version). However, I could be wrong. @P0r0 Do you remember something from your research?
This obfuscator has several flavours:
FYI: I already created a rule for it and it's running at Koodous to find new samples.
Another video-game https://koodous.com/apks/b4dd87422eb1003c6409b408e6b06bde6aae11da15a10b70a6ab5505becf3608
[+] APKiD 1.2.1 :: from RedNaga :: rednaga.io
[*] b4dd87422eb1003c6409b408e6b06bde6aae11da15a10b70a6ab5505becf3608.apk!classes.dex
|-> anti_debug : Debug.isDebuggerConnected() check
|-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, network operator name check, possible vm check
|-> compiler : dx
[*] b4dd87422eb1003c6409b408e6b06bde6aae11da15a10b70a6ab5505becf3608.apk!lib/armeabi/lib__57d5__.so
|-> packer : Nutspacker (Chinese)
[*] b4dd87422eb1003c6409b408e6b06bde6aae11da15a10b70a6ab5505becf3608.apk!lib/armeabi-v7a/lib__57d5__.so
|-> packer : Nutspacker (Chinese)
[*] b4dd87422eb1003c6409b408e6b06bde6aae11da15a10b70a6ab5505becf3608.apk
Yeah, the Unity library has been found to be packed too. Diaphora helped me to auto-rename all my previously done manual RE work.
Another clear example with all the native libraries packed:
[02:19 edu@l0v3 crackproof] > apkid 312243d9133ced054a850fa933d1f62adb717a232b79469ab2f58be77c9377a4
[+] APKiD 1.2.1 :: from RedNaga :: rednaga.io
[*] 312243d9133ced054a850fa933d1f62adb717a232b79469ab2f58be77c9377a4!classes.dex
|-> anti_debug : Debug.isDebuggerConnected() check
|-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, SIM operator check, network operator name check
|-> compiler : dx
[*] 312243d9133ced054a850fa933d1f62adb717a232b79469ab2f58be77c9377a4!lib/armeabi-v7a/libAVProLocal.so
|-> packer : CrackProof
[*] 312243d9133ced054a850fa933d1f62adb717a232b79469ab2f58be77c9377a4!lib/armeabi-v7a/libopus.so
|-> packer : CrackProof
[*] 312243d9133ced054a850fa933d1f62adb717a232b79469ab2f58be77c9377a4!lib/armeabi-v7a/libAudio360.so
|-> packer : CrackProof
[*] 312243d9133ced054a850fa933d1f62adb717a232b79469ab2f58be77c9377a4!lib/armeabi-v7a/libencoder.so
|-> packer : CrackProof
[*] 312243d9133ced054a850fa933d1f62adb717a232b79469ab2f58be77c9377a4!lib/armeabi-v7a/libmain.so
|-> packer : CrackProof
[*] 312243d9133ced054a850fa933d1f62adb717a232b79469ab2f58be77c9377a4!lib/armeabi-v7a/libAudio360-JNI.so
|-> packer : CrackProof
[*] 312243d9133ced054a850fa933d1f62adb717a232b79469ab2f58be77c9377a4!lib/armeabi-v7a/libil2cpp.so
|-> packer : CrackProof
[*] 312243d9133ced054a850fa933d1f62adb717a232b79469ab2f58be77c9377a4!lib/armeabi-v7a/libopusJNI.so
|-> packer : CrackProof
[*] 312243d9133ced054a850fa933d1f62adb717a232b79469ab2f58be77c9377a4!lib/armeabi-v7a/libFirebaseCppMessaging.so
|-> packer : CrackProof
[*] 312243d9133ced054a850fa933d1f62adb717a232b79469ab2f58be77c9377a4!lib/armeabi-v7a/libFirebaseCppApp-5.2.1.so
|-> packer : CrackProof
[*] 312243d9133ced054a850fa933d1f62adb717a232b79469ab2f58be77c9377a4!lib/armeabi-v7a/lib__6dba__.so
|-> packer : CrackProof
[*] 312243d9133ced054a850fa933d1f62adb717a232b79469ab2f58be77c9377a4
Are the rules for CrackProof submitted anywhere yet for review?
Done!
[+] APKiD 2.1.0 :: from RedNaga :: rednaga.io
[*] ./com.square_enix.android_googleplay.khuxww.apk!classes.dex
|-> anti_debug : Debug.isDebuggerConnected() check
|-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, network operator name check, possible VM check
|-> compiler : dx
|-> obfuscator : unreadable field names, unreadable method names
[*] ./com.square_enix.android_googleplay.khuxww.apk!lib/armeabi/lib__57d5__.so
|-> packer : CrackProof
[*] ./com.square_enix.android_googleplay.khuxww.apk!lib/armeabi-v7a/lib__57d5__.so
|-> packer : CrackProof
[*] ./jp.co.cygames.princessconnectredive.apk!classes.dex
|-> anti_vm : Build.BOARD check, Build.BRAND check, Build.DEVICE check, Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, SIM operator check, device ID check, emulator file check, network operator name check, possible Build.SERIAL check, possible VM check, ro.kernel.qemu check, ro.product.device check, subscriber ID check
|-> compiler : dx
[*] ./jp.co.cygames.princessconnectredive.apk!lib/armeabi-v7a/libcri_mana_vpx.so
|-> packer : CrackProof
[*] ./jp.co.cygames.princessconnectredive.apk!lib/armeabi-v7a/libil2cpp.so
|-> packer : CrackProof
[*] ./com.square_enix.android_googleplay.StarOceann.apk!classes.dex
|-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, network operator name check
|-> compiler : dx
[*] ./com.square_enix.android_googleplay.StarOceann.apk!lib/armeabi-v7a/lib__57d5__.so
|-> packer : CrackProof
Rule pushed
I did
@iGio90 how did you do it, sir? Where is your blog regarding unpacking CrackProof?
Folks - let's use the issues in APKiD to talk about exactly that, APKiD.
Please move discussions about unpacking somewhere else. We do NOT condone cracking or piracy. Please stop asking for help in the issue sections of APKiD.
In my blog it is the one with "cracking the uncrackables", as back in the day they were claiming to be uncrackable xD
Native packer with several layers of unpacking. Whitebox crypto, inline assembly syscalls, mmap-and-mprotect over and over.
Info: (@iGio90) http://www.giovanni-rocca.com/cracking-the-uncrackables-reverse-engineering-supercell-part-7/
More info: https://twitter.com/enovella_/status/1074101448537985026 https://pbs.twimg.com/media/DugxvdVW4AMk0Iz.jpg https://pbs.twimg.com/media/Dugvth_XcAASSAz.jpg
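For triaging scan results like the APKiD output posted in this thread, the text report can be parsed into per-file findings and the packed native libraries grouped by packer label and ABI. This is an added example, not code from APKiD or from any participant; the sample report is constructed, `./game.apk` is a placeholder name, and the parser assumes only the line layout visible in the output above.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the APKiD reports quoted in the thread.
SAMPLE = """\
[+] APKiD 2.1.0 :: from RedNaga :: rednaga.io
[*] ./game.apk!classes.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.BOARD check, Build.MODEL check
 |-> compiler : dx
[*] ./game.apk!lib/armeabi/lib__57d5__.so
 |-> packer : CrackProof
[*] ./game.apk!lib/armeabi-v7a/lib__57d5__.so
 |-> packer : CrackProof
[*] ./game.apk!lib/armeabi-v7a/libil2cpp.so
 |-> packer : CrackProof
[*] ./game.apk
"""

# "[*] <container>!<member>" opens a scanned file; "|-> <category> : a, b" is a finding.
TARGET = re.compile(r"^\[\*\]\s+(?P<container>[^!]+?)(?:!(?P<member>.+))?$")
FINDING = re.compile(r"^\|->\s+(?P<cat>\w+)\s+:\s+(?P<vals>.+)$")

def parse_apkid(text):
    """Return {(container, member): {category: [values]}}; member is None for the APK itself."""
    results, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := TARGET.match(line):
            current = (m["container"], m["member"])
            results[current] = defaultdict(list)
        elif (m := FINDING.match(line)) and current is not None:
            results[current][m["cat"]] += [v.strip() for v in m["vals"].split(",")]
    return results

def packed_native_libs(results):
    """Group packed .so files as {container: {packer: {abi: [library names]}}}."""
    summary = defaultdict(lambda: defaultdict(dict))
    for (container, member), findings in results.items():
        if not member or not member.endswith(".so") or "packer" not in findings:
            continue
        parts = member.split("/")  # expected layout: lib/<abi>/<name>.so
        abi = parts[1] if len(parts) == 3 and parts[0] == "lib" else "unknown"
        for packer in findings["packer"]:
            summary[container][packer].setdefault(abi, []).append(parts[-1])
    return summary

if __name__ == "__main__":
    for apk, packers in packed_native_libs(parse_apkid(SAMPLE)).items():
        print(apk, {p: dict(abis) for p, abis in packers.items()})
```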