rednaga / APKiD

Android Application Identifier for Packers, Protectors, Obfuscators and Oddities - PEiD for Android

[DETECTION] Add Unknown Packer #370

Open ReBensk opened 9 months ago

ReBensk commented 9 months ago

Samples: Sample1.zip Sample2.zip

APKiD current results...

```
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] ./com.rihjzvyvdmwsz.wfglmgpoijgnc.apk!classes.dex
 |-> compiler : dexlib 2.x
[*] ./com.zxqlzbjtkwugo.oekyzihfuspse.apk!classes.dex
 |-> compiler : dexlib 2.x
[*] ./classes.dex
 |-> compiler : dexlib 2.x
```

```yara
rule CustomMultiDexPacker : packer
{
  meta:
    description = "Custom packer"
    sample1     = "b8f8948187846371eb32b2d7ef4f537c94997329e08d762b9ac6b3bfcbc86993"
    sample2     = "fdf5b6930d38da33ec117d7c0f83f142db1c33013d020f0ab4801d1fd781f552"

  strings:
    // Dalvik bytecode of the packer's charset/key setup and AES decryption helper.
    // ???? wildcards the constant-pool indices (string@, method@, field@, type@),
    // which differ from sample to sample; opcodes and register operands are fixed.
    $cipher = {
      1a00 ????        // const-string v0, "UTF-8" // string@023c
      7110 ???? 0000   // invoke-static {v0}, Ljava/nio/charset/Charset;.forName:(Ljava/lang/String;)Ljava/nio/charset/Charset; // method@016d
      0c00             // move-result-object v0
      6900 ????        // sput-object v0, Lˆʿⁱᐧʾﹶ/ˑᵢـיـˉ/ـⁱᵔᵎᵎʾ/ˈⁱᐧᐧˊᐧ/ᴵᵎʾˑﹶﹶ;.defaultCharset:Ljava/nio/charset/Charset; // field@0115
      1a00 ????        // const-string v0, "ⁱʻʽⁱˈˈᵢᵔˈᴵٴʼᐧˈˋʽᵢʽᴵᐧיʾʽﹶˊ゙ˉʾⁱʼⁱʿʽיⁱᐧˎʾˈ" // string@047d
      7110 ???? 0000   // invoke-static {v0}, Lˆʿⁱᐧʾﹶ/ˑᵢـיـˉ/ـⁱᵔᵎᵎʾ/ˈⁱᐧᐧˊᐧ/ᴵᵎʾˑﹶﹶ;.encodePass:(Ljava/lang/String;)Ljava/lang/String; // method@01f4
      0c00             // move-result-object v0
      6900 ????        // sput-object v0, Lˆʿⁱᐧʾﹶ/ˑᵢـיـˉ/ـⁱᵔᵎᵎʾ/ˈⁱᐧᐧˊᐧ/ᴵᵎʾˑﹶﹶ;.globalPass:Ljava/lang/String; // field@0116
      0e00             // return-void
      1201             // const/4 v1, #int 0 // #0
      2203 ????        // new-instance v3, Ljavax/crypto/spec/SecretKeySpec; // type@006a
      6e10 ???? 0700   // invoke-virtual {v7}, Ljava/lang/String;.getBytes:()[B // method@004f
      0c04             // move-result-object v4
      1a05 ????        // const-string v5, "AES" // string@001e
      7030 ???? 4305   // invoke-direct {v3, v4, v5}, Ljavax/crypto/spec/SecretKeySpec;.<init>:([BLjava/lang/String;)V // method@0072
      1a04 ????        // const-string v4, "AES" // string@001e
      7110 ???? 0400   // invoke-static {v4}, Ljavax/crypto/Cipher;.getInstance:(Ljava/lang/String;)Ljavax/crypto/Cipher; // method@0070
      0c00             // move-result-object v0
      1224             // const/4 v4, #int 2 // #2
      6e30 ???? 4003   // invoke-virtual {v0, v4, v3}, Ljavax/crypto/Cipher;.init:(ILjava/security/Key;)V // method@0071
      6e20 ???? 6000   // invoke-virtual {v0, v6}, Ljavax/crypto/Cipher;.doFinal:([B)[B // method@006f
      0c01             // move-result-object v1
      1101             // return-object v1
      0d02             // move-exception v2
      6e10 ???? 0200   // invoke-virtual {v2}, Ljava/lang/Exception;.printStackTrace:()V // method@0043
      28fb             // goto 001a // -0005
      7110 ???? 0300   // invoke-static {v3}, Lᵔˎʻᐧـˏ/יﹳﹶˆˆ/ˊ゙ᵔٴʼי/ᴵˆᵔᵎˑʾ/ʼˈˏ゙ˎˉ;.encodeToMD5:(Ljava/lang/String;)Ljava/lang/String; // method@0084
      0c00             // move-result-object v0
      1301 0800        // const/16 v1, #int 8 // #8
      1302 1800        // const/16 v2, #int 24 // #18
      6e30 ???? 1002   // invoke-virtual {v0, v1, v2}, Ljava/lang/String;.substring:(II)Ljava/lang/String; // method@0055
      0c00             // move-result-object v0
      1100             // return-object v0
    }

  condition:
    // is_dex is a private helper rule shared by APKiD's dex rules
    // (pulled in via include "common.yara" in the APKiD rule set).
    is_dex and $cipher
}
```
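To make concrete what a wildcarded hex string like `$cipher` actually matches, here is an added Python example; it is not part of this issue and not APKiD's or YARA's own code. It converts a YARA-style hex pattern (`??` byte wildcards, `1?`-style nibble wildcards and `//` or `/* */` comments) into a bytes regex and reports match offsets over a Dalvik code fragment, the way YARA reports `@string` offsets. The pattern constant reuses the first four instructions of the rule above; the code-unit bytes and the constant-pool indices filled into them are constructed for the demonstration, and the `is_dex` file-type check is not reproduced.

```python
import re

# Opening instructions of the $cipher hex string from the CustomMultiDexPacker
# rule. The ???? groups wildcard the constant-pool indices (string@, method@,
# field@), which change between samples, while opcode and register bytes are fixed.
CIPHER_PROLOGUE = """
    1a00 ????        // const-string v0, "UTF-8"
    7110 ???? 0000   // invoke-static {v0}, Charset.forName(String)
    0c00             // move-result-object v0
    6900 ????        // sput-object v0, <class>.defaultCharset
"""

_HEX = set("0123456789abcdefABCDEF")


def _strip_comments(pattern: str) -> str:
    """Drop /* */ block comments and // line comments, as YARA's hex-string lexer does."""
    pattern = re.sub(r"/\*.*?\*/", " ", pattern, flags=re.S)
    return re.sub(r"//[^\n]*", " ", pattern)


def _tokenize(pattern: str) -> list:
    """Split the pattern into two-character byte tokens such as 'ab', '??' or '1?'."""
    text = "".join(_strip_comments(pattern).split())  # remove all whitespace
    if len(text) % 2:
        raise ValueError("hex pattern has an odd number of nibbles")
    tokens = [text[i:i + 2] for i in range(0, len(text), 2)]
    for tok in tokens:
        if any(c not in _HEX and c != "?" for c in tok):
            raise ValueError(f"unexpected token {tok!r}")
    return tokens


def _token_to_regex(tok: str) -> bytes:
    """Translate one byte token into a regex fragment over bytes."""
    hi, lo = tok
    if tok == "??":
        return b"."  # any byte (compiled with re.S so 0x0a matches too)
    if "?" not in tok:
        return re.escape(bytes([int(tok, 16)]))
    # Nibble wildcard: enumerate the 16 matching bytes, e.g. "1?" -> 0x10..0x1f.
    highs = range(16) if hi == "?" else [int(hi, 16)]
    lows = range(16) if lo == "?" else [int(lo, 16)]
    choices = b"".join(re.escape(bytes([h << 4 | l])) for h in highs for l in lows)
    return b"[" + choices + b"]"


def compile_hex_pattern(pattern: str) -> re.Pattern:
    """Compile a YARA-style hex pattern to a regex that finds overlapping matches."""
    body = b"".join(_token_to_regex(t) for t in _tokenize(pattern))
    # The lookahead wrapper yields a zero-width match at every start offset,
    # so overlapping occurrences are all reported, as YARA does.
    return re.compile(b"(?=(" + body + b"))", re.S)


def find_offsets(pattern: str, data: bytes) -> list:
    """Return every offset at which the hex pattern matches within data."""
    return [m.start() for m in compile_hex_pattern(pattern).finditer(data)]


# Constructed code-unit bytes for the four instructions above, with made-up
# little-endian constant-pool indices: string@023c, method@016d, field@0115.
MATCHING_FRAGMENT = bytes.fromhex(
    "0000 0000"        # padding before the method body (constructed)
    "1a00 3c02"        # const-string v0, string@023c
    "7110 6d01 0000"   # invoke-static {v0}, method@016d
    "0c00"             # move-result-object v0
    "6900 1501"        # sput-object v0, field@0115
    "0e00"             # return-void
)

# Same instruction sequence operating on v1 instead of v0. The register nibbles
# are not wildcarded, so the signature must not fire on this fragment.
NON_MATCHING_FRAGMENT = bytes.fromhex(
    "0000 0000"
    "1a01 3c02"        # const-string v1, string@023c
    "7110 6d01 0100"   # invoke-static {v1}, method@016d
    "0c01"             # move-result-object v1
    "6901 1501"        # sput-object v1, field@0115
    "0e00"
)

if __name__ == "__main__":
    print(find_offsets(CIPHER_PROLOGUE, MATCHING_FRAGMENT))      # [4]
    print(find_offsets(CIPHER_PROLOGUE, NON_MATCHING_FRAGMENT))  # []
```

The point of the exercise is the trade-off the rule makes: wildcarding only the 16-bit index operands keeps the signature stable across repacked samples whose string and method tables differ, while leaving registers and opcodes literal keeps it tight enough not to fire on unrelated `Cipher`/`SecretKeySpec` boilerplate that assigns registers differently.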

enovella commented 9 months ago

Could you open this rule as a pull request? Thanks

ReBensk commented 9 months ago

Rule opened as a pull request.