Open ReBensk opened 11 months ago
Please format the code properly (I edited your post; please edit and observe how to format code properly).
This rule could match many other apps. Could you please find unique patterns with this packer?
Can you pull-request this rule?
Yes, I agree. These apps are using a unique XOR key value 0x69, and I also noticed the string "Virbox" in all the samples (classes.dex). If you want to add this string, I will, so the detection logic becomes (jiagu packer + virbox protector). Is it ok?
Created a pull request for the rule jiagu_k : packer: https://github.com/rednaga/APKiD/pull/375
Unique fingerprints are crucial to avoid false positives. If you always encountered the string Virbox (or whateverStringYouWantToThinkOf), please combine it with your opcodes in the rules.
Included the class name "Lvirbox/StubApp"
Sample: Sample1.zip, Sample2.zip
Describe the detection issue: The APK samples' classes.dex files are packed, but this is not detected by APKiD 2.1.5. From the classes.dex file structure: data_size (offset 0x68) + data_off (offset 0x6C) > file_size (offset 0x20); the packer code starts after the end of the data directory. The packer uses XOR key 0x69 to decrypt data.
APKiD current results...
Detection rule:
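Worked illustration of the header heuristic described in this issue, added here as an example and not code from the issue, the pull request, or APKiD itself. It reads the three dex header fields the report names (file_size at 0x20, data_size at 0x68, data_off at 0x6C), flags the case where the declared data section runs past file_size, and, following the maintainer's advice, only marks the file as suspect when that layout anomaly is combined with one of the marker strings ("Virbox", "Lvirbox/StubApp"), searched both in the raw bytes and in the trailing bytes after undoing the XOR-0x69 transform. The dex blobs are constructed inline to mimic the described layout; they are not the attached samples, and the "clean" variant is an assumed negative control.

```python
import struct

# Offsets in the 0x70-byte dex header (per the dex format), the three the issue uses.
OFF_FILE_SIZE = 0x20
OFF_DATA_SIZE = 0x68
OFF_DATA_OFF = 0x6C
HEADER_SIZE = 0x70
XOR_KEY = 0x69                                  # key reported in the issue
MARKERS = (b"Virbox", b"Lvirbox/StubApp")       # strings reported in the issue


def xor_bytes(buf: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR transform; applying it twice restores the input."""
    return bytes(b ^ key for b in buf)


def analyze_dex(blob: bytes) -> dict:
    """Apply the issue's layout heuristic to a dex blob and look for marker strings.

    Returns the three header fields, whether data_off + data_size exceeds
    file_size, how many bytes lie beyond file_size on disk, which markers were
    found (raw, or in the trailer after XOR-0x69 decoding), and a combined verdict.
    """
    if len(blob) < HEADER_SIZE or not blob.startswith(b"dex\n"):
        raise ValueError("not a dex file")
    file_size, = struct.unpack_from("<I", blob, OFF_FILE_SIZE)
    data_size, = struct.unpack_from("<I", blob, OFF_DATA_SIZE)
    data_off, = struct.unpack_from("<I", blob, OFF_DATA_OFF)

    # Heuristic from the issue: the declared data section ends beyond the
    # declared file_size, i.e. something was appended after the data directory.
    overrun = data_off + data_size > file_size
    # Independent check: bytes actually present beyond the header's file_size.
    trailer = blob[file_size:] if len(blob) > file_size else b""

    found = set()
    for view in (blob, xor_bytes(trailer)):
        for marker in MARKERS:
            if marker in view:
                found.add(marker.decode())
    return {
        "file_size": file_size,
        "data_size": data_size,
        "data_off": data_off,
        "data_overruns_file_size": overrun,
        "trailer_len": len(trailer),
        "markers": sorted(found),
        # Layout anomaly alone is weak; require a marker as well (maintainer's advice).
        "suspect": overrun and bool(found),
    }


def build_sample(packed: bool) -> bytes:
    """Constructed dex-like blob (not one of the attached samples).

    With packed=True it mimics the issue's layout: the data section carries the
    "Virbox" string, data_size also claims a trailer that lies past file_size,
    and that trailer is XOR-0x69 encoded. With packed=False it is a plain
    header-plus-data blob used as an assumed negative control.
    """
    data = (b"Virbox" if packed else b"") .ljust(16, b"\x00")   # 16-byte data section
    trailer = xor_bytes(b"Lvirbox/StubApp;") if packed else b""  # 16 bytes when packed
    header = bytearray(HEADER_SIZE)
    header[0:8] = b"dex\n035\x00"
    struct.pack_into("<I", header, OFF_FILE_SIZE, HEADER_SIZE + len(data))
    struct.pack_into("<I", header, 0x24, HEADER_SIZE)          # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)           # ENDIAN_CONSTANT
    struct.pack_into("<I", header, OFF_DATA_SIZE, len(data) + len(trailer))
    struct.pack_into("<I", header, OFF_DATA_OFF, HEADER_SIZE)
    return bytes(header) + data + trailer


if __name__ == "__main__":
    for packed in (True, False):
        print("packed" if packed else "clean", analyze_dex(build_sample(packed)))
```

On a real file, replace `build_sample()` with the bytes of classes.dex extracted from the APK; the header check is cheap enough to run over every dex in an archive, and the combined verdict is what a YARA rule would express by pairing the header condition with the string match.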