Hi @BoomboomDada,
Thanks for your detailed ticket. Quick questions:
dex2c?
Thanks in advance!
Because it's the same developer who developed the apps MitID, Kørekort and Sundhedskortet. Just the MitID one is quite different because some smali code moved to a native lib (we call it dex2c'd).
I did, but I didn't understand much on the native side, and it is obfuscated.
However, I have some more details:
Both Kørekort and Sundhedskortet use the same filename "libnnggbjhifdlh.so"; MitID uses a shorter scrambled filename "libsdfgebg.so". The lib "libnnggbjhifdlh.so" is packed while "libsdfgebg.so" isn't, but it probably has a broken ELF segment or something. It has the "jumpout" thing too.
I could be wrong, but I suspect it's Promon
Hi @BoomboomDada,
dex2c
but I cannot see any information about Promon & dex2c on the internet.

```console
$ apkid MitID_2.3.7_apkcombo.com/lib/arm64-v8a/libsdfgebg.so
[+] APKiD 2.1.4 :: from RedNaga :: rednaga.io
[*] MitID_2.3.7_apkcombo.com/lib/arm64-v8a/libsdfgebg.so
|-> protector : Promon Shield (dex2c)
```
This is the WIP rule so far:

```yara
import "elf"

rule promon_dex2c : protector
{
  meta:
    description = "Promon Shield (dex2c)"
    url         = "https://promon.co/"
    sample      = "edb939d77adba5ef5c536c352a4bc25a3a5ff2fe15408c5af9f08b5af583224c" // dk.mitid.app.android v2.3.7
    author      = "Eduardo Novella"

  strings:
    /**
      .mfrt:0000000000AFCC98 ; Segment type: Pure data
      .mfrt:0000000000AFCC98 AREA .mfrt, DATA
      .mfrt:0000000000AFCC98 ; ORG 0xAFCC98
      .mfrt:0000000000AFCC98 04 EC 82 5F+ DCQ 0x4BDB66335F82EC04
      .mfrt:0000000000AFCCA0 FA 45 E6 0C DCD 0xCE645FA
      .mfrt:0000000000AFCCA0 ; .mfrt ends
    */

    // Sample contains 25 inlined syscalls (SVC #0 with the syscall number in X8)
    $svc_0 = {
      01 00 00 D4 // SVC 0
    }

    /**
      do
      {
        __asm { SYS #3, c7, c11, #1, X12 }
        i += c;
      }
      while ( i < len );
      }
      v30 = (unsigned int)(4 << (StatusReg & 0xF));
      v31 = v3 & -v30;
      __dsb(0xBu);
      for ( ; v31 < len; v31 += v30 )
        __asm { SYS #3, c7, c5, #1, X10 }
      __isb(0xFu);
      ret = ((__int64 (__fastcall *)(_QWORD *))v3)(v33);
      linux_eabi_syscall(__NR_munmap, (void *)v3, 0x4000u);
    */

    // Instruction-cache sync after writing code into a fresh mapping:
    // DC CVAU over the buffer, DSB ISH, IC IVAU over the buffer, ISB.
    // The decompiled function then calls into the mapping and munmaps it.
    $asm_sys_dsb_isb = {
      2C 7B 0B D5 // SYS #3, c7, c11, #1, X12  (DC CVAU, X12)
      [12-64]
      9F 3B 03 D5 // DSB ISH
      [0-4]
      2A 75 0B D5 // SYS #3, c7, c5, #1, X10   (IC IVAU, X10)
      [12-64]
      DF 3F 03 D5 // ISB
    }

    // Scrambled library name, e.g. libsdfgebg.so
    $libname = /lib[a-z]{7}\.so/

  condition:
    elf.machine == elf.EM_AARCH64
    and $asm_sys_dsb_isb
    and $libname
    and #svc_0 >= 15
    and for any i in (0..elf.number_of_segments): (elf.segments[i].type == elf.PT_LOAD)
    and for any i in (0..elf.number_of_sections): (elf.sections[i].name matches /\.mfrt/)
}
```
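As an added cross-check of the byte patterns in the WIP rule above (this script is not part of APKiD nor of the comment it follows), the following re-encodes the AArch64 instructions the rule's comments name from the ARMv8-A encoding fields, and re-implements the rule's two string checks (`#svc_0` and `$asm_sys_dsb_isb`, including the `[12-64]` / `[0-4]` jumps) over a constructed byte buffer. The rule's `elf.*` conditions are not reproduced; the only assumption is the public instruction encoding.

```python
"""Cross-check the byte patterns used by the promon_dex2c YARA rule.

Added example, not APKiD code. Re-encodes SYS/DC/IC, DSB, ISB and SVC from
their ARMv8-A fields and re-implements the rule's #svc_0 and $asm_sys_dsb_isb
checks over a constructed buffer. Pass a path to apply the same two checks to
a real ELF; the rule's elf.* conditions are not reproduced here.
"""
import struct
import sys


def encode_sys(op1, crn, crm, op2, rt):
    """SYS #op1, Cn, Cm, #op2, Xt (MSR with op0 == 1):
    1101 0101 0000 1 op1 CRn CRm op2 Rt."""
    assert 0 <= op1 < 8 and 0 <= crn < 16 and 0 <= crm < 16
    assert 0 <= op2 < 8 and 0 <= rt < 32
    return 0xD5080000 | (op1 << 16) | (crn << 12) | (crm << 8) | (op2 << 5) | rt


def encode_dsb(crm):
    """DSB <option>; CRm carries the barrier option (ISH == 0b1011)."""
    return 0xD503309F | (crm << 8)


def encode_isb():
    """ISB SY: CRm == 0b1111."""
    return 0xD50330DF | (0b1111 << 8)


def encode_svc(imm16):
    """SVC #imm16; Linux/Android inlined syscalls use SVC #0, number in X8."""
    return 0xD4000001 | (imm16 << 5)


def le(word):
    """Little-endian bytes of one 32-bit instruction, as stored in the .so."""
    return struct.pack("<I", word)


NOP = 0xD503201F
DC_CVAU_X12 = encode_sys(3, 7, 11, 1, 12)  # clean D-cache by VA to PoU
IC_IVAU_X10 = encode_sys(3, 7, 5, 1, 10)   # invalidate I-cache by VA to PoU
DSB_ISH = encode_dsb(0b1011)
ISB = encode_isb()
SVC_0 = encode_svc(0)


def count_svc0(buf):
    """Equivalent of YARA's #svc_0: occurrences at any byte offset."""
    return buf.count(le(SVC_0))


def find_cache_sync(buf, gap=(12, 64), near=(0, 4)):
    """Equivalent of $asm_sys_dsb_isb:
    DC CVAU, [12-64], DSB ISH, [0-4], IC IVAU, [12-64], ISB.
    Returns the offset of the DC CVAU starting a full match, else None."""
    dc, dsb, ic, isb = le(DC_CVAU_X12), le(DSB_ISH), le(IC_IVAU_X10), le(ISB)

    def follows(start, pat, lo, hi):
        # Look for pat beginning lo..hi bytes after `start`; return the offset past it.
        if start is None:
            return None
        for skip in range(lo, hi + 1):
            off = start + skip
            if buf[off:off + 4] == pat:
                return off + 4
        return None

    pos = 0
    while True:
        i = buf.find(dc, pos)
        if i < 0:
            return None
        end = follows(follows(follows(i + 4, dsb, *gap), ic, *near), isb, *gap)
        if end is not None:
            return i
        pos = i + 1


def build_sample(nops=4, syscalls=20):
    """Constructed stand-in for a dex2c'd lib (not real sample data): one
    cache-sync sequence with `nops` NOPs between barriers, then SVC #0s."""
    code = [DC_CVAU_X12] + [NOP] * nops + [DSB_ISH, IC_IVAU_X10] + [NOP] * nops + [ISB]
    code += [SVC_0, NOP] * syscalls
    return b"".join(le(w) for w in code)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print("SVC #0 count      :", count_svc0(data))
    print("cache-sync seq at :", find_cache_sync(data))
```

With `nops=2` the gap between DC CVAU and DSB ISH is 8 bytes, below the rule's `[12-64]` jump, so the sequence check returns None; that is the kind of threshold worth tuning against more samples before the rule leaves WIP.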
Hi @BoomboomDada ,
the sample seems to be obfuscated with InsideSecure Verimatrix:
Oh, I didn't know it was InsideSecure Verimatrix, so it turns out the company used 2 different services. Honestly, this is my first time reporting this.
Can you confirm that these two apps are the ones you're talking about?
Yes, and I meant I'm calling it "dex2c". I forgot to mention that both the dex and the resources (res folder) were obfuscated too.
APKiD doesn't de-obfuscate protected samples, it only does INTEL.
I understand it doesn't, I'm just giving details.
Provide the file
File: https://anonfiles.com/q9gbh2Ldy2/MitID_2.3.7_apkcombo.com_apk
Virustotal: https://www.virustotal.com/gui/file/edb939d77adba5ef5c536c352a4bc25a3a5ff2fe15408c5af9f08b5af583224c/details

Describe the detection issue
APKiD missed Promon Shield protection with dex2c.

APKiD current results...
Please provide current output from APKiD on this file. Include the APKiD header which provides the version, e.g. -

Additional context
The other apps with the same protection but without dex2c detect perfectly fine:
https://www.virustotal.com/gui/file/f5962a93a6506d1b7184895b9b6e960339912f48481af9862499a99be000859d/details