rednaga / APKiD

Android Application Identifier for Packers, Protectors, Obfuscators and Oddities - PEiD for Android

New native packer used in BrawlStars #139

Closed enovella closed 4 years ago

enovella commented 5 years ago

Native packer with several layers of unpacking. Whitebox crypto, inline assembly syscalls, mmap-and-mprotect over and over.

Info: (@iGio90) http://www.giovanni-rocca.com/cracking-the-uncrackables-reverse-engineering-supercell-part-7/


More info: https://twitter.com/enovella_/status/1074101448537985026 https://pbs.twimg.com/media/DugxvdVW4AMk0Iz.jpg https://pbs.twimg.com/media/Dugvth_XcAASSAz.jpg

fs0c131y commented 5 years ago

<off-topic>Someone needs to do a full write up on this packer</off-topic>

enovella commented 5 years ago

found another sample @ https://koodous.com/apks/54bbf69e6f5529b548526857f5595d7015fc72802cddad3b74ee3a21bb064dca

Probably an older version

iGio90 commented 5 years ago

You'll find more samples in the Asian side of the world. It's not hard to reach the vendor

enovella commented 5 years ago

More samples: https://koodous.com/apks/9d46bbb2321bdf738e65e2b7af17ea4bc43bfef6e844c36f2120cfb85a4ca541

enovella commented 5 years ago

I believe that this packer must be Crackproof (Android SO version). However, I could be maybe wrong. @P0r0 Do you remember something from your research?

This obfuscator has several flavours:

  1. Android DEX (Java): https://www.hypertech.co.jp/en/products/crack-proof-for-android
  2. Android SO (Native): https://www.hypertech.co.jp/en/products/crackproof-for-android-so
  3. Unity Android (Gaming): https://www.hypertech.co.jp/en/products/cp-unity-android

FYI, I already created a rule for it and it's running at Koodous to find new samples.

enovella commented 5 years ago

Another video-game https://koodous.com/apks/b4dd87422eb1003c6409b408e6b06bde6aae11da15a10b70a6ab5505becf3608

```
[+] APKiD 1.2.1 :: from RedNaga :: rednaga.io
[*] b4dd87422eb1003c6409b408e6b06bde6aae11da15a10b70a6ab5505becf3608.apk!classes.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, network operator name check, possible vm check
 |-> compiler : dx
[*] b4dd87422eb1003c6409b408e6b06bde6aae11da15a10b70a6ab5505becf3608.apk!lib/armeabi/lib__57d5__.so
 |-> packer : Nutspacker (Chinese)
[*] b4dd87422eb1003c6409b408e6b06bde6aae11da15a10b70a6ab5505becf3608.apk!lib/armeabi-v7a/lib__57d5__.so
 |-> packer : Nutspacker (Chinese)
[*] b4dd87422eb1003c6409b408e6b06bde6aae11da15a10b70a6ab5505becf3608.apk
```

enovella commented 5 years ago

Yeah Unity library has been found to be packed too. Diaphora helped me to auto-rename all my previous manual RE work done.


enovella commented 5 years ago

Another clear example with all the native libraries packed:

```
[02:19 edu@l0v3 crackproof] >  apkid 312243d9133ced054a850fa933d1f62adb717a232b79469ab2f58be77c9377a4
[+] APKiD 1.2.1 :: from RedNaga :: rednaga.io
[*] 312243d9133ced054a850fa933d1f62adb717a232b79469ab2f58be77c9377a4!classes.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, SIM operator check, network operator name check
 |-> compiler : dx
[*] 312243d9133ced054a850fa933d1f62adb717a232b79469ab2f58be77c9377a4!lib/armeabi-v7a/libAVProLocal.so
 |-> packer : CrackProof
[*] 312243d9133ced054a850fa933d1f62adb717a232b79469ab2f58be77c9377a4!lib/armeabi-v7a/libopus.so
 |-> packer : CrackProof
[*] 312243d9133ced054a850fa933d1f62adb717a232b79469ab2f58be77c9377a4!lib/armeabi-v7a/libAudio360.so
 |-> packer : CrackProof
[*] 312243d9133ced054a850fa933d1f62adb717a232b79469ab2f58be77c9377a4!lib/armeabi-v7a/libencoder.so
 |-> packer : CrackProof
[*] 312243d9133ced054a850fa933d1f62adb717a232b79469ab2f58be77c9377a4!lib/armeabi-v7a/libmain.so
 |-> packer : CrackProof
[*] 312243d9133ced054a850fa933d1f62adb717a232b79469ab2f58be77c9377a4!lib/armeabi-v7a/libAudio360-JNI.so
 |-> packer : CrackProof
[*] 312243d9133ced054a850fa933d1f62adb717a232b79469ab2f58be77c9377a4!lib/armeabi-v7a/libil2cpp.so
 |-> packer : CrackProof
[*] 312243d9133ced054a850fa933d1f62adb717a232b79469ab2f58be77c9377a4!lib/armeabi-v7a/libopusJNI.so
 |-> packer : CrackProof
[*] 312243d9133ced054a850fa933d1f62adb717a232b79469ab2f58be77c9377a4!lib/armeabi-v7a/libFirebaseCppMessaging.so
 |-> packer : CrackProof
[*] 312243d9133ced054a850fa933d1f62adb717a232b79469ab2f58be77c9377a4!lib/armeabi-v7a/libFirebaseCppApp-5.2.1.so
 |-> packer : CrackProof
[*] 312243d9133ced054a850fa933d1f62adb717a232b79469ab2f58be77c9377a4!lib/armeabi-v7a/lib__6dba__.so
 |-> packer : CrackProof
[*] 312243d9133ced054a850fa933d1f62adb717a232b79469ab2f58be77c9377a4
```

strazzere commented 4 years ago

Are the rules for crackproof submitted anywhere yet for review?

enovella commented 4 years ago

Done!

strazzere commented 4 years ago

```
[+] APKiD 2.1.0 :: from RedNaga :: rednaga.io
[*] ./com.square_enix.android_googleplay.khuxww.apk!classes.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, network operator name check, possible VM check
 |-> compiler : dx
 |-> obfuscator : unreadable field names, unreadable method names
[*] ./com.square_enix.android_googleplay.khuxww.apk!lib/armeabi/lib__57d5__.so
 |-> packer : CrackProof
[*] ./com.square_enix.android_googleplay.khuxww.apk!lib/armeabi-v7a/lib__57d5__.so
 |-> packer : CrackProof
[*] ./jp.co.cygames.princessconnectredive.apk!classes.dex
 |-> anti_vm : Build.BOARD check, Build.BRAND check, Build.DEVICE check, Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, SIM operator check, device ID check, emulator file check, network operator name check, possible Build.SERIAL check, possible VM check, ro.kernel.qemu check, ro.product.device check, subscriber ID check
 |-> compiler : dx
[*] ./jp.co.cygames.princessconnectredive.apk!lib/armeabi-v7a/libcri_mana_vpx.so
 |-> packer : CrackProof
[*] ./jp.co.cygames.princessconnectredive.apk!lib/armeabi-v7a/libil2cpp.so
 |-> packer : CrackProof
[*] ./com.square_enix.android_googleplay.StarOceann.apk!classes.dex
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, Build.TAGS check, network operator name check
 |-> compiler : dx
[*] ./com.square_enix.android_googleplay.StarOceann.apk!lib/armeabi-v7a/lib__57d5__.so
 |-> packer : CrackProof
```

Rule pushed
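The APKiD reports pasted in this thread share one text layout: a `[*] <file>` line per scanned entry followed by ` |-> <category> : <match>, <match>` lines. As an added example, not part of this thread and not APKiD's own code, here is a small Python parser for that layout that turns a report into a dictionary and answers the triage question the thread keeps coming back to: how many of the APK's native libraries carry a packer hit, and which anti-debug / anti-VM checks the DEX shows. The sample report is constructed from the lines above, with the hashes shortened to `sample.apk`; the function names are my own.

```python
import re

# Constructed sample: a shortened copy of APKiD's text report, modelled on the
# output pasted in this thread (hashes abbreviated to "sample.apk").
SAMPLE_REPORT = """\
[+] APKiD 1.2.1 :: from RedNaga :: rednaga.io
[*] sample.apk!classes.dex
 |-> anti_debug : Debug.isDebuggerConnected() check
 |-> anti_vm : Build.BOARD check, Build.FINGERPRINT check, network operator name check
 |-> compiler : dx
[*] sample.apk!lib/armeabi-v7a/libil2cpp.so
 |-> packer : CrackProof
[*] sample.apk!lib/armeabi-v7a/libmain.so
 |-> packer : CrackProof
[*] sample.apk!lib/armeabi-v7a/lib__6dba__.so
 |-> packer : CrackProof
[*] sample.apk
"""

# "[*] <path>" starts a new scanned file; " |-> <category> : <m1>, <m2>" lists hits.
FILE_RE = re.compile(r"^\[\*\] (.+?)\s*$")
HIT_RE = re.compile(r"^\s*\|-> ([A-Za-z_]+) : (.+?)\s*$")


def parse_apkid(text):
    """Parse APKiD text output into {scanned_path: {category: [match, ...]}}.

    Entries with no findings (like the bare APK line at the end) are kept with
    an empty dict so the caller can still see they were scanned.
    """
    report = {}
    current = None
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            current = m.group(1)
            report.setdefault(current, {})
            continue
        m = HIT_RE.match(line)
        if m and current is not None:
            category, matches = m.group(1), m.group(2)
            report[current].setdefault(category, []).extend(
                x.strip() for x in matches.split(",")
            )
    return report


def packed_native_libs(report):
    """(path, packer) for every .so entry that a packer rule matched."""
    return sorted(
        (path, packer)
        for path, hits in report.items()
        if path.endswith(".so")
        for packer in hits.get("packer", [])
    )


def packing_coverage(report):
    """(packed, total) over the native libraries in the report.

    packed == total is the "all native libraries packed" situation shown in
    the thread, a stronger signal than a single packed library.
    """
    libs = [p for p in report if p.endswith(".so")]
    packed = [p for p in libs if report[p].get("packer")]
    return len(packed), len(libs)


def dex_checks(report):
    """anti_debug / anti_vm match names found in any .dex entry."""
    out = {}
    for path, hits in report.items():
        if path.endswith(".dex"):
            for cat in ("anti_debug", "anti_vm"):
                out.setdefault(cat, []).extend(hits.get(cat, []))
    return out


if __name__ == "__main__":
    r = parse_apkid(SAMPLE_REPORT)
    packed, total = packing_coverage(r)
    print(f"native libraries packed: {packed}/{total}")
    for path, packer in packed_native_libs(r):
        print(f"  {packer:<12} {path}")
    for cat, names in dex_checks(r).items():
        print(f"{cat}: {', '.join(names)}")
```

Feed it the captured stdout of a real `apkid` run (or a saved report) in place of the constructed sample; the parser is deliberately tolerant of trailing whitespace and of entries with no hits. Note that APKiD also has a JSON output mode, which is the better choice for new tooling; the text parser is useful mainly for reports that were already pasted somewhere, as in this issue.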

iGio90 commented 4 years ago

I did

apkunpacker commented 4 years ago

@iGio90 how did you do it, sir? Where is your blog regarding unpacking CrackProof?

strazzere commented 4 years ago

Folks - let's use the issues in APKiD to talk about exactly that, APKiD.

Please move discussions about unpacking somewhere else. We do NOT condone cracking or piracy. Please stop asking for help in the issue sections of APKiD.

iGio90 commented 4 years ago

On my blog it's the one with "cracking the uncrackables", as back in the days they were claiming themselves to be uncrackable xD