Open ReBensk opened 9 months ago
Samples: Sample1.zip Sample2.zip
APKiD current results:

```
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] ./com.rihjzvyvdmwsz.wfglmgpoijgnc.apk!classes.dex
 |-> compiler : dexlib 2.x
[*] ./com.zxqlzbjtkwugo.oekyzihfuspse.apk!classes.dex
 |-> compiler : dexlib 2.x
[*] ./classes.dex
 |-> compiler : dexlib 2.x
```
```yara
rule CustomMultiDexPacker : packer
{
  meta:
    description = "Custom packer"
    sample1 = "b8f8948187846371eb32b2d7ef4f537c94997329e08d762b9ac6b3bfcbc86993"
    sample2 = "fdf5b6930d38da33ec117d7c0f83f142db1c33013d020f0ab4801d1fd781f552"

  strings:
    $cipher = {
      1a00 ????       // const-string v0, "UTF-8" // string@023c
      7110 ???? 0000  // invoke-static {v0}, Ljava/nio/charset/Charset;.forName:(Ljava/lang/String;)Ljava/nio/charset/Charset; // method@016d
      0c00            // move-result-object v0
      6900 ????       // sput-object v0, Lˆʿⁱᐧʾﹶ/ˑᵢـיـˉ/ـⁱᵔᵎᵎʾ/ˈⁱᐧᐧˊᐧ/ᴵᵎʾˑﹶﹶ;.defaultCharset:Ljava/nio/charset/Charset; // field@0115
      1a00 ????       // const-string v0, "ⁱʻʽⁱˈˈᵢᵔˈᴵٴʼᐧˈˋʽᵢʽᴵᐧיʾʽﹶˊ゙ˉʾⁱʼⁱʿʽיⁱᐧˎʾˈ" // string@047d
      7110 ???? 0000  // invoke-static {v0}, Lˆʿⁱᐧʾﹶ/ˑᵢـיـˉ/ـⁱᵔᵎᵎʾ/ˈⁱᐧᐧˊᐧ/ᴵᵎʾˑﹶﹶ;.encodePass:(Ljava/lang/String;)Ljava/lang/String; // method@01f4
      0c00            // move-result-object v0
      6900 ????       // sput-object v0, Lˆʿⁱᐧʾﹶ/ˑᵢـיـˉ/ـⁱᵔᵎᵎʾ/ˈⁱᐧᐧˊᐧ/ᴵᵎʾˑﹶﹶ;.globalPass:Ljava/lang/String; // field@0116
      0e00            // return-void
      1201            // const/4 v1, #int 0 // #0
      2203 ????       // new-instance v3, Ljavax/crypto/spec/SecretKeySpec; // type@006a
      6e10 ???? 0700  // invoke-virtual {v7}, Ljava/lang/String;.getBytes:()[B // method@004f
      0c04            // move-result-object v4
      1a05 ????       // const-string v5, "AES" // string@001e
      7030 ???? 4305  // invoke-direct {v3, v4, v5}, Ljavax/crypto/spec/SecretKeySpec;.<init>:([BLjava/lang/String;)V // method@0072
      1a04 ????       // const-string v4, "AES" // string@001e
      7110 ???? 0400  // invoke-static {v4}, Ljavax/crypto/Cipher;.getInstance:(Ljava/lang/String;)Ljavax/crypto/Cipher; // method@0070
      0c00            // move-result-object v0
      1224            // const/4 v4, #int 2 // #2
      6e30 ???? 4003  // invoke-virtual {v0, v4, v3}, Ljavax/crypto/Cipher;.init:(ILjava/security/Key;)V // method@0071
      6e20 ???? 6000  // invoke-virtual {v0, v6}, Ljavax/crypto/Cipher;.doFinal:([B)[B // method@006f
      0c01            // move-result-object v1
      1101            // return-object v1
      0d02            // move-exception v2
      6e10 ???? 0200  // invoke-virtual {v2}, Ljava/lang/Exception;.printStackTrace:()V // method@0043
      28fb            // goto 001a // -0005
      7110 ???? 0300  // invoke-static {v3}, Lᵔˎʻᐧـˏ/יﹳﹶˆˆ/ˊ゙ᵔٴʼי/ᴵˆᵔᵎˑʾ/ʼˈˏ゙ˎˉ;.encodeToMD5:(Ljava/lang/String;)Ljava/lang/String; // method@0084
      0c00            // move-result-object v0
      1301 0800       // const/16 v1, #int 8 // #8
      1302 1800       // const/16 v2, #int 24 // #18
      6e30 ???? 1002  // invoke-virtual {v0, v1, v2}, Ljava/lang/String;.substring:(II)Ljava/lang/String; // method@0055
      0c00            // move-result-object v0
      1100            // return-object v0
    }

  condition:
    is_dex and $cipher
}
```
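Added example, not part of the issue above or of the APKiD code base. It shows two things the rule relies on, in plain Python: how a `??`-wildcarded hex pattern like `$cipher` matches the same opcode skeleton across dex files whose `string@`/`method@` indices differ, and the key derivation the bytecode shows (hash the passphrase, keep characters 8 to 24 of the result, feed them to `SecretKeySpec(..., "AES")`). Assumptions: `encodeToMD5` returns the lowercase hex digest (the issue only shows the `substring(8, 24)` call, not that method's body), `encodePass` is not reproduced because its body is not on the page, and the dex fragment below is constructed for the demonstration, not taken from the real samples.

```python
"""Added example (not the issue author's or APKiD's code).

1. A wildcard byte matcher equivalent to the `????` placeholders in the
   $cipher hex string above.
2. The AES key derivation visible in the pattern: MD5 of the passphrase,
   then characters [8:24] of the digest as key material.
   ASSUMPTION: encodeToMD5 returns a lowercase hex digest.
"""
import hashlib
from typing import List, Optional

# Tail of the $cipher pattern from the rule: the key-derivation method's
# substring(8, 24) call.  The ???? is the String.substring method index,
# which differs between dex files and is therefore wildcarded.
SUBSTRING_PATTERN = """
    1301 0800        // const/16 v1, #int 8
    1302 1800        // const/16 v2, #int 24
    6e30 ???? 1002   // invoke-virtual {v0, v1, v2}, String.substring(II)
    0c00             // move-result-object v0
    1100             // return-object v0
"""


def compile_hex_pattern(pattern: str) -> List[Optional[int]]:
    """Turn a YARA-style hex string into a list of byte values, with None
    standing for a `??` wildcard byte.  `//` comments are stripped first."""
    out: List[Optional[int]] = []
    for line in pattern.splitlines():
        line = line.split("//", 1)[0]
        for tok in line.split():
            if len(tok) % 2:
                raise ValueError(f"odd-length token {tok!r}")
            for i in range(0, len(tok), 2):
                pair = tok[i:i + 2]
                out.append(None if pair == "??" else int(pair, 16))
    return out


def find_pattern(buf: bytes, compiled: List[Optional[int]]) -> List[int]:
    """Return every offset in buf where the compiled pattern matches
    (naive scan; fine for a demonstration, YARA does this far faster)."""
    n = len(compiled)
    hits = []
    for off in range(len(buf) - n + 1):
        if all(want is None or buf[off + i] == want
               for i, want in enumerate(compiled)):
            hits.append(off)
    return hits


def derive_aes_key(encoded_pass: str) -> bytes:
    """Mirror of the key-derivation method in the $cipher pattern.
    Input is the already-encoded passphrase (globalPass); encodePass itself
    is not shown in the issue, so it is not reproduced here (assumption).
    The MD5 hex digest is 32 chars; [8:24] gives 16 ASCII chars, i.e. the
    raw bytes handed to SecretKeySpec become an AES-128 key."""
    digest = hashlib.md5(encoded_pass.encode("utf-8")).hexdigest()
    return digest[8:24].encode("ascii")


# Constructed sample, not from the real samples: the substring() sequence
# embedded in padding, with method index 0x0055 where the rule has ????.
SAMPLE_DEX_FRAGMENT = (
    b"\x00\x00\x00\x00"
    + bytes.fromhex("13010800" "13021800" "6e30" "5500" "1002" "0c00" "1100")
    + b"\xff\xff\xff"
)


if __name__ == "__main__":
    compiled = compile_hex_pattern(SUBSTRING_PATTERN)
    print("pattern matches at offsets:", find_pattern(SAMPLE_DEX_FRAGMENT, compiled))
    print("AES key for passphrase 'test':", derive_aes_key("test"))
```

The derived key is what `Cipher.getInstance("AES")` is initialised with in `DECRYPT_MODE` (the `const/4 v4, #int 2` in the pattern); a bare `"AES"` transformation in Java normally resolves to `AES/ECB/PKCS5Padding`, so a full unpacker would decrypt the payload with that mode once the real `encodePass` output is known.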
Could you open this rule into a pull-request? Thanks
Rule opened into a pull-request.