rednaga / APKiD

Android Application Identifier for Packers, Protectors, Obfuscators and Oddities - PEiD for Android

Add Nike obfuscator #227

Open enovella opened 4 years ago

enovella commented 4 years ago

Perhaps a simple AES encrypt/decrypt for strings:

[11:01 edu@xps arm64-v8a] >  r2 libnike-obfuscator.so 
Dynamic tag 14 not handled
Dynamic tag 26 not handled
Dynamic tag 28 not handled
Dynamic tag 1879047925 not handled
 -- There are 5 minutes from WTF to FIX in r2land
[0x00000f60]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[x] Finding xrefs in noncode section with anal.in=io.maps
[x] Analyze value pointers (aav)
[x] Value from 0x00000000 to 0x00004868 (aav)
[x] 0x00000000-0x00004868 in 0x0-0x4868 (aav)
[x] Emulate code to find computed references (aae)
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x00000f60]> afl
0x00000f60    1 12           entry0
0x0000199c    9 248          sym.ai
0x000018c4    1 120          sym.p
0x00000ed0    1 16           sym.imp.malloc
0x00000ee0    1 16           sym.imp.memcpy
0x00000f10    1 16           sym.imp.memset
0x00001008   63 1336         sym.Java_com_nike_clientconfig_NativeObfuscator_decrypt
0x00003270   50 1452         sym.a
0x000017b8    3 132          sym.r
0x00001ca8    9 1784         sym.aee
0x00002564   11 1916         sym.ade
0x0000193c    3 96           sym.u
0x00002f2c   63 836          sym.bdx
0x0000176c    1 76           sym.g
0x00000f20    1 16           sym.imp.fopen
0x00000db0    1 16           sym.imp.fread
0x0000183c    9 136          sym.x
0x00001540    9 556          sym.Java_com_nike_clientconfig_NativeObfuscator_encrypt
0x00002f24    1 8            sym.bd
0x00001c94    1 20           sym.ad
0x00002ce0   22 580          sym.be
0x0000381c    4 68           sym.validate_utf8
0x00000f9c    3 108          sym.throwException
0x00000d90    1 16           sym.imp.realloc
0x00000da0    1 16           sym.imp.__cxa_finalize
0x00000e30    1 16           sym.imp.snprintf
0x00000e40    1 16           sym.imp.memcmp
0x00000e50    1 16           sym.imp.fclose
0x00000e60    1 16           sym.imp.__stack_chk_fail
0x00000e90    1 16           sym.imp.memmove
0x00000ec0    1 16           sym.imp.strlen
0x00000ef0    1 16           sym.imp.isalnum
0x00000f40    1 16           sym.imp.free
0x00000f50    1 16           sym.imp.__cxa_atexit
0x00000f70    2 8            entry.fini0
0x00000dd0    1 16           fcn.00000dd0
0x00000f00    1 16           fcn.00000f00
0x00000df0    1 16           fcn.00000df0
0x00000ea0    1 16           fcn.00000ea0
0x00000eb0    1 16           fcn.00000eb0
0x00000e80    1 16           fcn.00000e80
0x00000de0    1 16           fcn.00000de0
0x00000e20    1 16           fcn.00000e20
0x00000dc0    1 16           fcn.00000dc0
0x00000e00    1 16           fcn.00000e00
0x00000e70    1 16           fcn.00000e70
0x00000f30    1 16           fcn.00000f30
0x00001a94    1 512          fcn.00001a94
0x000023a0    1 452          fcn.000023a0
0x00000e10    1 16           fcn.00000e10
0x00000d70    1 20           fcn.00000d70
[0x00000f60]> izzq
0x34 10 4 @8\b@
0x212 6 5 \b\v$2\f
0x3c4 24 5 "$%&(
0x3f3 5 4 %wT<
0x851 15 14 __cxa_finalize
0x860 13 12 __cxa_atexit
0x86d 52 51 Java_com_nike_clientconfig_NativeObfuscator_decrypt
0x8a1 52 51 Java_com_nike_clientconfig_NativeObfuscator_encrypt
0x8d5 17 16 __stack_chk_fail
0x8f8 5 4 free
0x8ff 7 6 malloc
0x906 7 6 memcpy
0x90d 8 7 memmove
0x915 7 6 memset
0x91e 9 8 snprintf
0x927 7 6 strlen
0x92e 15 14 throwException
0x93f 14 13 validate_utf8
0x94d 7 6 fclose
0x954 6 5 fopen
0x95a 6 5 fread
0x960 8 7 realloc
0x96b 8 7 isalnum
0x973 7 6 memcmp
0x97a 10 9 liblog.so
0x984 8 7 libm.so
0x98c 9 8 libdl.so
0x995 8 7 libc.so
0x99d 7 6 _edata
0x9a4 12 11 __bss_start
0x9b0 14 13 __bss_start__
0x9be 12 11 __bss_end__
0x9ca 8 7 __end__
0x9d2 5 4 _end
0x9d7 22 21 libnike-obfuscator.so
0x9ed 5 4 LIBC
...
...
0x3860 20 19 java/lang/Exception
0x3874 20 19 appContext was null
0x3888 20 19 ciphertext was null
0x389c 24 23 Couldn't b64 decode: %s
0x38b4 29 28 Invalid keyspace! All NULLs!
0x38d1 24 23 Invalid key! All NULLs!
0x38e9 39 38 Unable to malloc output_aes_decrypted!
0x3910 41 40 Invalid output_aes_decrypted! All NULLs!
0x3939 50 49 pkcs7 unpadding failed to allocate enough memory!
0x396b 32 31 Decrypted value is invalid UTF8
0x398b 35 34 Unable to allocate output_jstring!
0x39ae 46 45 Invalid Access: Device info reported to Nike.
0x39ef 10 7 ˀ\eu C=q
0x39fe 15 14 :n/dev/urandom
..
...
0x41c8 15 14 getPackageName
0x41d7 21 20 ()Ljava/lang/String;
0x41ec 18 17 getPackageManager
0x41fe 38 37 ()Landroid/content/pm/PackageManager;
0x4224 34 33 android/content/pm/PackageManager
0x4246 15 14 GET_SIGNATURES
0x4257 15 14 getPackageInfo
0x4266 54 53 (Ljava/lang/String;I)Landroid/content/pm/PackageInfo;
0x429c 11 10 signatures
0x42a7 32 31 [Landroid/content/pm/Signature;
0x42c7 12 11 toByteArray
0x42d3 5 4 ()[B
0x4368 51 50 \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\b\b
0x43cd 12 11 \b\b\b\b\b\b\b\b\b\b\b
0x47dc 8 7 Android
0x4828 8 7 5594570
0x0 264 263 Android (5220042 based on r346389c) clang version 8.0.7 (https://android.googlesource.com/toolchain/clang b55f2d4ebfd35bf643d27dbca1bb228957008617) (https://android.googlesource.com/toolchain/llvm 3c393fe7a7e13b0fba4ac75a01aa683d7a5b11cd) (based on LLVM 8.0.7svn)
0x1 10 9 .shstrtab
0xb 19 18 .note.gnu.build-id
0x1e 10 9 .gnu.hash
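To show how the evidence above would be turned into a detection, here is an added example (my code, not APKiD's rules and not the issue author's). APKiD ships its signatures as YARA rules, so this pure-Python stand-in only mirrors what such a rule would check: it demangles the `Java_…` export names listed by `afl` back to the Java class they implement natives for (standard JNI name mangling), then requires the ELF magic, both `NativeObfuscator` natives and at least two of the error strings from `izzq`. The `SAMPLE` and `BENIGN` byte blobs are constructed stand-ins, not the real library, and the function names and the two-string threshold are my own assumptions.

```python
from __future__ import annotations
import re

# JNI export names are mangled (JNI spec, "Resolving Native Method Names"):
# "_" separates package/class/method, "_1" -> "_", "_2" -> ";", "_3" -> "[",
# "_0xxxx" -> Unicode code point, and "__" introduces an overload signature.
_JNI_EXPORT = re.compile(rb"Java_[A-Za-z0-9_]+")

# Indicators copied from the r2 `afl` and `izzq` output in the issue.
NIKE_NATIVE_CLASS = "com.nike.clientconfig.NativeObfuscator"
NIKE_ERROR_STRINGS = (
    b"Invalid keyspace! All NULLs!",
    b"Unable to malloc output_aes_decrypted!",
    b"pkcs7 unpadding failed to allocate enough memory!",
    b"Invalid Access: Device info reported to Nike.",
)


def demangle_jni(name: str) -> tuple[str, str]:
    """'Java_com_nike_clientconfig_NativeObfuscator_decrypt'
    -> ('com.nike.clientconfig.NativeObfuscator', 'decrypt')."""
    body = name[len("Java_"):]
    parts: list[str] = []
    i = 0
    while i < len(body):
        c = body[i]
        if c != "_":
            parts.append(c)
            i += 1
            continue
        nxt = body[i + 1] if i + 1 < len(body) else ""
        if nxt == "1":
            parts.append("_")
            i += 2
        elif nxt == "2":
            parts.append(";")
            i += 2
        elif nxt == "3":
            parts.append("[")
            i += 2
        elif nxt == "0":
            parts.append(chr(int(body[i + 2:i + 6], 16)))
            i += 6
        elif nxt == "_" and body[i + 2:i + 3] not in ("0", "1", "2", "3"):
            break  # "__" followed by a signature: overloaded native, stop here
        else:
            parts.append(".")  # plain package / class / method separator
            i += 1
    cls, _, method = "".join(parts).rpartition(".")
    return cls, method


def jni_exports(data: bytes) -> dict[str, set[str]]:
    """Map every Java class the library implements natives for to its method names."""
    classes: dict[str, set[str]] = {}
    for m in _JNI_EXPORT.finditer(data):
        cls, method = demangle_jni(m.group().decode("ascii"))
        classes.setdefault(cls, set()).add(method)
    return classes


def match_nike_obfuscator(data: bytes) -> dict:
    """Rule (my choice of condition): ELF magic, both NativeObfuscator natives,
    and at least two of the library's distinctive error strings."""
    natives = jni_exports(data).get(NIKE_NATIVE_CLASS, set())
    hits = [s for s in NIKE_ERROR_STRINGS if s in data]
    matched = (
        data[:4] == b"\x7fELF"
        and {"encrypt", "decrypt"} <= natives
        and len(hits) >= 2
    )
    return {"matched": matched, "natives": sorted(natives), "string_hits": hits}


# Constructed stand-in for libnike-obfuscator.so: ELF magic plus a fake
# NUL-separated string table carrying the indicators. Not the real library.
SAMPLE = b"\x7fELF" + b"\x00" * 60 + b"\x00".join([
    b"__cxa_finalize",
    b"Java_com_nike_clientconfig_NativeObfuscator_decrypt",
    b"Java_com_nike_clientconfig_NativeObfuscator_encrypt",
    b"Invalid keyspace! All NULLs!",
    b"pkcs7 unpadding failed to allocate enough memory!",
    b"java/lang/Exception",
]) + b"\x00"

# Constructed unrelated library with one overloaded native; must not match.
BENIGN = (b"\x7fELF" + b"\x00" * 60
          + b"Java_com_example_Foo_1Bar_doIt__Ljava_lang_String_2\x00")

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, jni_exports(blob), match_nike_obfuscator(blob))
```

The class name recovered from the exports (`com.nike.clientconfig.NativeObfuscator`) is also the DEX-side indicator to pair with the native one if a second rule over the APK's classes is wanted.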
enovella commented 4 years ago

https://github.com/tmasto/nike-deobfuscator